Threats, Attack and Vulnerabilities Flashcards
Virus
Replicates, requires user action
Trojan
Hidden as something else
Worm
Self-replicating
Logic bomb
Virus with specific activation logic
Polymorphic virus
avoid signature-based detection by self-mutation
Armored virus
Decompilation-resistant
ARP poisoning is commonly used in
MITM
The ARP cache
maps IPs to MAC addresses
Replay attack
Sniffing and resubmission
Transitive Access Attack
Capture credentials through access of honeypot shared folder
Spoofing
Masquerade as a trusted system
DNS Poisoning
redirects to malicious server, either local or through DNS provider
Smurfing
ICMP Flood with a spoofed header
Sniffer attack
Used for recon, based on network examination
XMAS scan
Each packet has 3 of the 6 TCP flags set to evade detection of the scan
Hybrid password attack
Bruteforce and dictionary
Birthday attack
Bruteforce hash collision
Pharming attack
Malicious site through DNS Poisoning
Spear phishing
Directed phishing from a fake trusted person
Vishing
Telephone Phishing
Whaling
Phishing for high-level targets
War chalking
War driving, sniffing unprotected networks en masse
Rogue access point
Fake access point
Evil twin
A rogue WAP with similar SSID
Session hijacking
Disconnects session (DoS) and impersonates the user
Static environment
Hardware that is out of direct control, such as processors.
Bluesnarfing
Bluetooth hijack for information retrieval
Bluebugging
Using bluesnarfing for installing a backdoor
MAC Flooding
Overloads CAM on switch leading to traffic being sent on all ports
Vishing
Voice phishing with spoofed caller ID
Authority Principle
Using an authority figure to pressure in SE attack
Intimidation principle
Threat to act belligerently on an SE attack
Familiarity Principle
Be personable or create a bond for SE attack
Trust Principle
Citing professional credentials or organizational status for SE attack
Social Proof Principle
Make a social connection claiming someone else can vouch for them in an SE attack
Urgency Principle
Claiming something is urgent in an SE attack
Scarcity Principle
Claiming you don’t have time for verifying your identity in an SE attack
Companion virus
Disguised as a legitimate program but with different extension
File Infector Viruses
They infect .com or .exe files
Macro Viruses
Excel and word macros, VBA
Stealth Viruses
Hijack system calls so that infected files are not revealed
Metamorphic Virus
Polymorphic but also changes memory payload
Pass the hash
Authenticate using hashed credentials that have been intercepted
Password spraying
Using very common passwords and testing them against a lot of user accounts to find matches. It exploits the weakest link in the chain and can be more efficient than brute force.
Logic bombs usually pass AV detection because they are usually
simple scripts
Data Emanation
Interception of data due to EM leakage. Applies to WLAN.
Bluejacking
Sending unwanted messages to Bluetooth devices for spam.
Bluetooth Security Modes
Nonsecure, Service-level, Link-level
Bluesnarfing can be prevented by using ____-____ mode
link-level
Link-level mode protects Bluetooth by
Authentication on the link level, managed by hardware
Service-level mode protects Bluetooth by
Through app policies
Other name for a deauth attack
Disassociation attack
Tool for WPS attack
Reaver
On-path attack
General form of MITM usually with modification of content
You can detect a rogue WAP by
A slightly different SSID or the lack of authentication
Most severe WEP attack
IV Attack
WEP IV
Initialization Vector
Most common WPA attack
TKIP
TKIP Attack mitigation
WPA2 with AES
Classical attack on WPA2
Deauth, capture handshake and bruteforce or dictionary attack
Ping attack
DoS through ICMP pings
SYN Flood
Forged SYN packets that leave the target waiting for ACKs, halting the system in the meantime.
DNS Amplification
Request sent to an open DNS server with a spoofed source address, so the response is sent to the target
Most common way to do MAC spoofing
ARP poisoning
Main use of IP Spoofing (in DoS)
Confusing sysadmins, making tracing more difficult
Use of IP Spoofing in internal network
Appearing as a trusted system
ARP poisoning can be mitigated by
Implementing DHCP
Common utility to forge packets
hping3
Smurf attacks use modified ICMP packets directed to
Broadcast addresses
Smurf attacks can be mitigated by disabling
IP Broadcast Addressing
Mitigation for TCP/IP Hijacking
Authenticated encryption, ex: IPSec
The new exam calls MITM
On-path attack
A mitigation for man-in-the-browser attacks is
Out-of-band transaction verification
Domain Kiting
Registering a domain repeatedly on a grace period
Domain Testing
Using Domain Kiting to test whether a domain is valuable by checking traffic
ISACs
Information Sharing and Analysis Centers
ISACs/ISAOs usually provide…
threat intelligence
AIS
Automated Indicator Sharing
TAXII, STIX and CybOX are examples of
Automated Indicator Sharing (AIS) Specifications
Threat Hunting is the practice of
Threat Hunting uses Threat Intelligence to actively search for threat actors
Threat Hunting and other security activities can be automated by using a ___ platform
SOAR (Security Orchestration, Automation and Response)
SIEM
Security Information and Event Management System
SOAR
Security Orchestration, Automation and Response
SIEM vs SOAR
SOAR also assigns criticality and carries automated response once events are detected
Third party platforms can increase unmanaged _____ _____
attack surface
To reduce third-party risks, an organization needs to perform _____ _____
vendor management
Shadow IT
Assets that are not known to the IT team and pose a possible unmanaged attack surface
A(n) __________ is a security weakness that could be exploited by a threat.
vulnerability
Term that describes the level of harm that results from a threat exploiting a vulnerability
Impact
Network Mapper
Determines hosts, OSs and other types of network information through ICMP sweeps and other types of scans. Doesn’t scan ports.
After systems have been identified with a network mapper, usually a ___ ____ follows.
port scan
SMTP port
25
FTP ports
20/21
Telnet port
23
Port 23
Telnet
Port 25
SMTP
Ports 20/21
FTP
LDAP port
389
389 Port
LDAP
Three most common types of port-scanning
TCP, SYN (TCP with SYN flag), UDP
CVE
Common Vulnerabilities and Exposures
CVSS
Common Vulnerability Scoring System
CVSS is based on vulnerability ______.
criticality
CVSS vs CVE
CVSS scores a particular CVE by criticality
OVAL
Open Vulnerability and Assessment Language
An important consideration of SIEM configuration is server _______.
synchronization
Alternative terms for white, gray and black box testing
Known, Partially Known and Unknown Environment Testing
While known, partially known and unknown environments describe the knowledge of an attacker or pentester, to describe intent we use the terms
authorized, semi-authorized, unauthorized
Red team vs Pentest
Pentest is more strictly defined in scope and duration
Purple Team
Mix between blue and red, information sharing during the exercise
White team
leads and adjudicates an exercise