Threats, Attacks & Vulnerabilities Flashcards
Indicator of Compromise (IOC)
Indications that a system has been compromised.
Network Traffic IOC (5 types)
-Unusual outbound traffic
-Geographical irregularities
-Unusual DNS requests
-Mismatched port-application traffic
-Web traffic with non-human behavior
Account Traffic IOC (3 types)
- Anomalies in privileged user account activity
- Account login red flags
- Mobile device profile changes
Data IOC (5 types)
- Large database read volumes
- HTML response sizes
- Large numbers of requests for the same file,
- Suspicious registry or system file changes
- Bundles of data in the wrong place
Crypto Malware/Ransomware
Malware that encrypts files on a system.
Virus
Malicious programs that self-copy and self-replicate.
Non-memory-resident virus
Executes, spreads, and then shut down the system.
Boot sector virus
- Reside inside the boot sector of a drive.
- Executes before the computer has fully booted.
Worm
- Self Replicates
- Self installs (do not require interaction)
- Can spread via many methods
E-mail Virus
Spread via email either as attachments
Macro Virus
Use macros or code inside word processing software or other tools to spread
Fileless Virus
Do not require file storage
Trojan
- Disguised as legitimate software (requires interaction)
RAT (Remote Access Trojan)
- A Trojan that allows for remote access
Note: Can be confused with legitimate RAT software creating false positives in anti-malware software.
E-mail Worm
- Creates and sends outbound messages to all the addresses in a user’s contact list.
- The messages include a malicious executable file that infects the new system when the recipient opens it.
File-Sharing Worm
- File-sharing worms copy themselves into shared folders and spread through peer-to-peer file-sharing networks.
Note: often target industrial environments, including power utilities, water supply services and sewage plants.
Crypto Worm
Perpetrators can use this type of worm in ransomware attacks
Instant Messaging Worm
Like email worms, instant messaging worms are masked by attachments or links
Internet Worm
- Specifically target popular websites with poor security. 7
- If they can infect the site, they can infect a computer accessing the site.
Rootkit
Rootkits are malware that is specifically designed to allow attackers to access a system through a backdoor.
Keylogger
Captures input. Keyboard, Mouse, touchscreen, swipes.
Spyware
Spyware is malware that is designed to obtain information about an individual, organization, or system.
Adware
Spreads advertisement on infected system.
Bots
- Bots are remotely controlled systems or devices that have a malware infection.
- Can be organized into Botnets.
Command & Control System
- Many botnet command and control (C&C) systems operate in a client-server mode, which provide commands and updates.
- Many modern botnets rely on secure HTTP (HTTPS) traffic to help hide C&C traffic and to prevent it from easily being monitored.
Logic Bomb
Functions or code that are placed inside other programs that will activate when set conditions are met.
Backdoor
- Provide access that bypasses normal authentication and authorization procedures.
- Backdoors can be hardware or software based.
Whaling
Targeting CEO or C-suite individual.
Spear Phishing
Targeting specific roles/individuals.
Phishing
Often focused on obtaining credentials like usernames and passwords. Often via E-mail.
Vishing
Phishing using phone.
Smishing
Phishing using SMS.
Impersonation
Social Engineering technique pretending to be someone else.
Dumpster Diving
Procuring sensitive data in the trash.
Credential Harvesting
- Often via Phishing.
- Can be achieved through acquisition of user databases and passwords.
Watering Hole Attack
Where an attacker uses a well-known website that they infect with malware.
Typosquatting
Using similar DNS to catch traffic from individuals making a typo.
DOS
- Denial of Service (Overload)
- DoS attacks are done by exploiting a vulnerability in a specific application, operating system, or protocol.
Man-In-The-Middle (MITM)
An attacker intercepts a conversation/traffic between two users.
DDOS
- Distributed denial-of-service attacks.
- Use botnets/malware to take down big targets.
Buffer Overflow
A large amount of data than allowed is inserted into an application, resulting in data overflow into the adjacent memory and memory corruption.
Injection
Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.
Cross Site Scripting (XSS Injection)
- Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website.
- Allow an attacker to take the place of a victim user, do anything the user is able to do, and access any of the user’s data.
- If the user who is being attacked has privileged access inside the program, the attacker may be able to take full control of the data and functions of the application.
SQL Injection
- SQL injection is a weakness in web security that could let an attacker change the SQL queries that are run on the database.
- This can be used to get sensitive information like the structure of the database, its tables, columns, and data set.
Code Injection
An application has a code injection vulnerability if an attacker can present application code as user input and convince the server to execute it.
OS Command Injection
- In most cases, they will inject this instruction into the program via an input method such as HTTP parameters, cookies, or form fields.. -
-Attackers are able to run certain commands on the host machine and start attacking the network from the infected system.
Privilege Escalation
- Vertical and Horizontal
- Vertical privilege escalation involves a user accessing files or functions that are normally associated with accounts that have higher privileges.
- Horizontal privilege escalation allows users to access resources in other accounts with similar privilege levels as they have.
Spoofing
Using someones identity
ARP Poisoning
An ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows attackers to intercept communication between network devices.
Pharming
Re-directing traffic from a website to another
Amplification
Amplification attacks generate a high volume of packets that are used to overwhelm the target website without alerting the intermediary.
DNS Poisoning
Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website.
Domain Hijacking
Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.
Man In The Browser (MITB)
Man-in-the-Browser Attack: An MITB attack injects malicious software (malware) into a victim’s web browser.
Zero Day
After a attacker uncover a vulnerability, they do not disclose it but rather store it in a vulnerability repository for later use.
Pass The Hash
A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access to other networked systems.
Clickjacking
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
Session Hijacking
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
Refactoring
Sophisticated attackers may reach down into device drivers and manipulate them in ways that undermine security.
MAC spoofing
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device.
IP spoofing
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both.
Replay
A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.
Evil Twin
An evil twin attack is a cyberattack that works by tricking users into connecting to a fake Wi-Fi access point.
Rogue AP
A rogue access point is an access point installed on a network without the network owner’s permission.
Jamming
A jamming attack is an attack in which an attacker transfers interfering signals on a wireless network intentionally.
Bluejacking
Bluejacking is a Bluetooth attack in which a hacker spams your device with unsolicited phishing messages.
Bluesnarfing
Bluesnarfing is a hacking technique in which a hacker accesses a wireless device through a Bluetooth connection.
Known Plain Text/Cipher Attack
In the known plaintext attack, the hacker has access both the ciphertext and its corresponding plaintext.
Birthday Attack
This is named after the “birthday paradox,” which describes the high (50%) probability that two individuals (in a group of 23 or more) will share a birthday.
Rainbow Table Attack
- Rainbow tables are an easily searchable database of precomputed hashes using the same hashing methodology as the captured password file (length, complexity etc).
Brute Force Attack
Brute force is a process that involves trying different variations until it succeeds.
Dictionary Attack
A form of brute-force attack that uses a list of words for their attempts.
Downgrade Attack
A downgrade attack is an attack in which the attacker tries to force two hosts on a network (for example, a client (browser) and a website server) to use an insecure or weakly protected data transmission protocol (such as HTTP instead of HTTPS, or SSL instead of TLS).
Collission Attack
Collision attacks are a type of attack in which an attacker generates two or more different messages that produce the same hash value when hashed using a cryptographic hashing algorithm like SHA-1 or SHA-2.
Active Reconnaissance
Used during phone calls, email, and other means of contact to elicit more information about a target than is publicly available.
Passive Reconnaissance
Passive reconnaissance is the process of gathering information about the target without directly interacting with it.
Pivot
In penetration testing, pivoting is the act of using a compromised system to spread between different computer systems once inside the network, simulating the behavior of a real attacker.
Escalation of Privilege
Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems.
Initial Exploitation
Once the tester is armed with the knowledge of vulnerabilities present in the system, they will start exploiting them. This will help in identifying the nature of the security gaps and the effort required to exploit them.
Persistence
When a threat actor discreetly maintains long-term access
Black Box Pentest
The tester here has no knowledge of the system and designs the test as an uninformed attacker.
Gray Box Pentest
As suggested by the name, this approach stands midway between white box pentesting and black box testing.
White Box Pentest
In a white box test, the testers have complete knowledge of the system and complete access.
Pen testing vs. vulnerability scanning
- Vulnerability assessment is focused on detecting and categorizing vulnerabilities in a system.
- Penetration testing involves exploiting vulnerabilities to draw insights about them.
End of Life Vulnerability
End-of-life refers to a system that is no longer functioning as intended. This could be because the original vendor doesn’t support it anymore.
Missconfiguration/Weak Configuration Vulnerability
This refers to any kind of configuration that weakens the security posture of an organization or its systems. This might be leaving default credentials as-is.
Default configuration Vulnerability
Default configuration is “the configuration that a system enters upon start, upon recovering from an error, and at times when operating.”
Resource exhaustion Vulnerability
If a program runs out of memory, or needs more bandwidth, the program might run into errors or crash.
Improperly configured accounts Vulnerability
If a database is configured with overly permissive access rights, or if it is exposed to the public internet without proper authentication, then it could be vulnerable to attack.
Weak cipher suites and implementations Vulnerability
Weak ciphers are those encryption algorithms vulnerable to attack, often as a result of an insufficient key length.
Memory/buffer vulnerability
If you ask for user input, but do not verify or limit the length of the input, it could result in a buffer overflow. This means that other areas in memory will be overwritten.
Zero Day Vulnerability
A zero day is a vulnerability that is new and not yet covered by a patch.
Threat Intelligence
Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
OSINT
Open Source Intelligence. Can be governmental or vendor based.
Vulnerability databases
Reports of vulnerabilities certainly help direct an organization’s defensive efforts, but they also provide valuable insight into the types of exploit being discovered by researchers.
Closed source intelligence
Commercial security vendors, government organizations, and other security-centric organizations also create and make use of proprietary, or closed-source intelligence.
Threat Map
Threat maps provide a geographic view of threat intelligence.
Assessing Threat Intelligence (3 concepts)
Is it timely, accurate and relevant.
Structured Threat Information eXpression (STIX)
XML language originally sponsored by the U.S. Department of Homeland Security.
Indicator Management
To allow threat information to be processed and used in automated ways.
Shadow IT
Unauthorized technology installed or used on corporate devices.
Open Indicators of Compromise (OpenIOC)
A typical IOC includes metadata like the author, the name of the IOC, and a description of the indicator. The full definition of the IOC may also include details of the actual compromise(s) that led to the indicator’s discovery.
Trusted Automated eXchange of Indicator Information (TAXII) protocol.
TAXII is intended to allow cyber threat information to be communicated at the application layer via HTTPS. TAXII is specifically designed to support STIX data exchange.
CISA
Cybersecurity and Infrastructure Security Agency
SANS
SANS Institute. SANS is the world’s largest cybersecurity research and training organization
Information Sharing and Analysis Centers (ISACs)
Organization to help infrastructure owners and operators share threat information and provide tools and assistance to their members.
