Threats, Attacks & Vulnerabilities Flashcards

1
Q

Indicator of Compromise (IOC)

A

Observable artifacts or behaviors (for example a known-bad IP address, domain, file hash, registry key, or traffic pattern) that indicate a system has likely been compromised.

2
Q

Network Traffic IOC (5 types)

A

-Unusual outbound traffic
-Geographical irregularities
-Unusual DNS requests
-Mismatched port-application traffic
-Web traffic with non-human behavior
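The five indicator types above, turned into detection logic as an added example (not part of the original flashcards). The flow, DNS, and web-hit records are constructed sample data, the thresholds (100 MB outbound per flow, 24-character high-entropy DNS labels, more than 5 requests per second, an allow-list of countries) are illustrative assumptions to be tuned against a real baseline, and the helper functions are hypothetical names written for this page:

```python
import math
from collections import defaultdict

# Constructed sample telemetry for the demo (not real captures).
# Flow: (time_s, src_ip, dst_ip, dst_port, protocol_seen, bytes_out, dst_country)
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, "tls", 1_200, "US"),
    (1, "10.0.0.5", "203.0.113.10", 443, "tls", 900, "US"),
    (5, "10.0.0.7", "198.51.100.9", 53, "tls", 40_000, "US"),          # TLS on the DNS port
    (6, "10.0.0.7", "198.51.100.9", 53, "tls", 50_000, "US"),
    (9, "10.0.0.9", "192.0.2.77", 443, "tls", 200_000_000, "KP"),      # 200 MB out to an unexpected country
]
# DNS query: (client_ip, queried_name)
DNS_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "a3f9c2e8b1d4f6a7c9e0b2d4f6a8c1e3.badexample.net"),  # looks like encoded data
    ("10.0.0.7", "k9x2m4q7w1z5r8t3y6u0p2l4n7b9v3c5.badexample.net"),
]
# Web hit: (time_ms, client_ip, path). 10.0.0.9 fires one request every 100 ms.
WEB_HITS = [(t, "10.0.0.9", "/login") for t in range(0, 1000, 100)] + [
    (0, "10.0.0.5", "/"), (1300, "10.0.0.5", "/about"), (4100, "10.0.0.5", "/login"),
    (4500, "10.0.0.5", "/login"), (9000, "10.0.0.5", "/home"),
]

EXPECTED_PROTO = {53: "dns", 80: "http", 443: "tls"}   # what each well-known port should carry


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unusual_outbound(flows, byte_threshold=100_000_000):
    """Single flows pushing more data out than any normal client session should."""
    return [(f[1], f[2], f[5]) for f in flows if f[5] > byte_threshold]


def geographical_irregularities(flows, allowed_countries):
    """Destinations in countries the organization has no business with."""
    return [(f[1], f[2], f[6]) for f in flows if f[6] not in allowed_countries]


def unusual_dns(queries, min_label_len=24, min_entropy=3.5):
    """Leftmost labels that are long and high-entropy: typical of DNS tunnelling or DGA domains."""
    hits = []
    for client, name in queries:
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.append((client, name))
    return hits


def port_application_mismatch(flows, expected=EXPECTED_PROTO):
    """Protocol observed on the wire disagrees with what the destination port implies."""
    return [(f[1], f[2], f[3], f[4]) for f in flows
            if f[3] in expected and f[4] != expected[f[3]]]


def non_human_web_clients(hits, max_rps=5.0, min_hits=5):
    """Clients requesting pages faster than a person could click."""
    times = defaultdict(list)
    for t_ms, client, _path in hits:
        times[client].append(t_ms)
    flagged = []
    for client, ts in times.items():
        if len(ts) < min_hits:
            continue
        span_s = (max(ts) - min(ts)) / 1000.0
        rate = (len(ts) - 1) / span_s if span_s > 0 else float("inf")
        if rate > max_rps:
            flagged.append((client, round(rate, 1)))
    return flagged


def run_all(flows=FLOWS, dns=DNS_QUERIES, web=WEB_HITS, allowed=("US", "CA")):
    """Run every detector and return the findings keyed by IOC type."""
    return {
        "unusual_outbound": unusual_outbound(flows),
        "geo": geographical_irregularities(flows, set(allowed)),
        "dns": unusual_dns(dns),
        "port_mismatch": port_application_mismatch(flows),
        "non_human_web": non_human_web_clients(web),
    }


if __name__ == "__main__":
    for kind, findings in run_all().items():
        print(f"{kind}: {findings}")
```

Each detector is a heuristic, not proof: CDN hostnames also have long labels, and a backup job also moves 200 MB at night. The value is in correlating them per host (10.0.0.7 and 10.0.0.9 each trip two detectors) and in comparing against a measured baseline rather than the fixed numbers used here.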

3
Q

Account Traffic IOC (3 types)

A
  • Anomalies in privileged user account activity
  • Account login red flags
  • Mobile device profile changes
4
Q

Data IOC (5 types)

A
  • Large database read volumes
  • Unusually large HTML response sizes (a sign of data being pulled out through the web application)
  • Large numbers of requests for the same file
  • Suspicious registry or system file changes
  • Bundles of data in the wrong place (files staged or archived where they do not belong, ready for exfiltration)
5
Q

Crypto Malware/Ransomware

A

Malware that encrypts files on a system and then demands payment (usually in cryptocurrency) for the decryption key.

6
Q

Virus

A

Malicious code that attaches itself to a host program or file and copies itself to other files or systems when that host is executed; unlike a worm, it needs a user or process to run the infected host.

7
Q

Non-memory-resident virus

A

Executes, infects other files, and then exits rather than staying loaded in memory; it runs again only when an infected file is executed.

8
Q

Boot sector virus

A
  • Resides inside the boot sector (or master boot record) of a drive.
  • Executes before the operating system has fully booted, so it loads before most security software.
9
Q

Worm

A
  • Self-replicates
  • Self-installs (no user interaction required)
  • Can spread via many methods (network shares, email, removable media, unpatched services)
10
Q

E-mail Virus

A

Spread via email, either as attachments or as links in the message body.

11
Q

Macro Virus

A

Uses macros (embedded code) in word-processing, spreadsheet, or other document files to execute and spread.

12
Q

Fileless Virus

A

Does not write a malicious file to disk; it runs in memory, often by abusing built-in tools such as PowerShell or WMI, which lets it evade file-based scanning.

13
Q

Trojan

A
  • Disguised as legitimate software (requires interaction)
14
Q

RAT (Remote Access Trojan)

A
  • A Trojan that gives the attacker remote control of the infected system.

Note: Can be confused with legitimate remote-administration tools, creating false positives in anti-malware software.

15
Q

E-mail Worm

A
  • Creates and sends outbound messages to all the addresses in a user’s contact list.
  • The messages include a malicious executable file that infects the new system when the recipient opens it.
16
Q

File-Sharing Worm

A
  • File-sharing worms copy themselves into shared folders and spread through peer-to-peer file-sharing networks.

Note: often target industrial environments, including power utilities, water supply services and sewage plants.

17
Q

Crypto Worm

A

A worm that carries a ransomware payload, encrypting files on each host it spreads to; attackers use it to run ransomware attacks that propagate without user interaction.

18
Q

Instant Messaging Worm

A

Like email worms, instant messaging worms are delivered as attachments or links sent through a messaging application.

18
Q

Internet Worm

A
  • Specifically target popular websites with poor security.
  • If they can infect the site, they can infect computers that access the site.
19
Q

Rootkit

A

Malware designed to gain privileged (root or kernel-level) access and hide its presence by concealing its files, processes, and network connections from the operating system and security tools; it usually includes a backdoor for continued attacker access.

20
Q

Keylogger

A

Captures user input: keystrokes, mouse movements, touchscreen taps and swipes. Can be software or a hardware device placed inline with the keyboard.

21
Q

Spyware

A

Spyware is malware that is designed to obtain information about an individual, organization, or system.

22
Q

Adware

A

Displays unwanted advertisements on the infected system, often also tracking browsing behaviour.

23
Q

Bots

A
  • Bots are infected systems or devices that an attacker controls remotely.
  • Bots can be organized into botnets that act together under a single command-and-control infrastructure.
24
Q

Command & Control System

A
  • Many botnet command and control (C&C) systems operate in a client-server mode, in which the server issues commands and updates to the bots.
  • Many modern botnets rely on HTTPS traffic to hide C&C communication among normal web traffic and prevent it from being easily monitored.
25
Q

Logic Bomb

A

Functions or code that are placed inside other programs that will activate when set conditions are met.

26
Q

Backdoor

A
  • Provide access that bypasses normal authentication and authorization procedures.
  • Backdoors can be hardware or software based.
27
Q

Whaling

A

Phishing that targets a CEO or other C-suite executive.

28
Q

Spear Phishing

A

Phishing tailored to specific roles or individuals, using details about the target to appear credible.

29
Q

Phishing

A

Fraudulent messages, most often email, that trick users into giving up credentials such as usernames and passwords or into opening malicious content.

30
Q

Vishing

A

Phishing conducted over voice calls (voice phishing).

31
Q

Smishing

A

Phishing conducted over SMS text messages.

32
Q

Impersonation

A

Social engineering technique in which the attacker pretends to be someone else (a colleague, help desk staff, a vendor, or an official) to gain trust or access.

33
Q

Dumpster Diving

A

Retrieving sensitive information from discarded material such as paper documents, storage media, and hardware in the trash.

34
Q

Credential Harvesting

A
  • Often via Phishing.
  • Can be achieved through acquisition of user databases and passwords.
35
Q

Watering Hole Attack

A

An attack in which the attacker compromises a website the target group is known to visit and plants malware there, so that members of the group are infected when they browse the site.

36
Q

Typosquatting

A

Registering domain names that are common misspellings of a legitimate domain in order to catch traffic from users who mistype the address.

37
Q

DOS

A
  • Denial of Service: making a service unavailable by overloading it.
  • DoS attacks either flood the target with more traffic or requests than it can handle, or exploit a vulnerability in a specific application, operating system, or protocol to crash it.
38
Q

Man-In-The-Middle (MITM)

A

An attacker secretly positions themselves between two communicating parties, intercepting and possibly altering the traffic while each side believes it is talking directly to the other.

38
Q

DDOS

A
  • Distributed denial-of-service attack.
  • Uses many compromised systems (a botnet) to flood a target simultaneously, generating far more traffic than a single source could.
39
Q

Buffer Overflow

A

More data than a buffer was allocated to hold is written into it, so the excess overflows into adjacent memory and corrupts it; an attacker can use this to crash the program or overwrite control data such as return addresses.

40
Q

Injection

A

Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.

41
Q

Cross Site Scripting (XSS Injection)

A
  • Cross-site scripting (XSS) is an attack in which an attacker injects malicious script into pages served by a trusted website, so that it executes in the browsers of other users who view those pages.
  • Allows the attacker to act as the victim user: do anything the user can do and access any of the user's data.
  • If the attacked user has privileged access inside the application, the attacker may be able to take full control of the application's data and functions.
41
Q

SQL Injection

A
  • SQL injection is a web security weakness that lets an attacker alter the SQL queries an application runs against its database.
  • It can be used to extract sensitive information, including the database structure (tables and columns) and the data itself, and sometimes to modify data or execute commands.
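A worked instance of the query-altering behaviour described in the SQL injection card, added here as an example that is not part of the original deck. It uses Python's built-in sqlite3 module with a constructed in-memory database; the table names, rows, payload strings and the `login_vulnerable`/`login_safe` helpers are assumptions made for the demo. The vulnerable function pastes user input into the SQL text, the safe one binds parameters:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory demo database. The rows are fake, and passwords are stored in
    clear only to keep the example short (real systems store salted, slow hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users (username, password, role) VALUES
            ('alice', 'hunter2', 'admin'),
            ('bob',   'letmein', 'user');
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, key TEXT);
        INSERT INTO api_keys (owner, key) VALUES ('alice', 'AKIA-DEMO-NOT-REAL');
    """)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: user input is concatenated into the SQL text, so a quote in the
    input ends the string literal and whatever follows is parsed as SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str):
    """Parameterized query: the driver sends the values separately from the statement, so
    they are only ever compared as data and can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic payloads. Concatenated into login_vulnerable, the first turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'      (always true: AND binds tighter than OR),
# and the UNION payloads append a second SELECT and use "--" to comment out the rest of the query.
BYPASS_PASSWORD = "' OR '1'='1"
DUMP_SCHEMA_USER = "x' UNION SELECT name, sql FROM sqlite_master--"
DUMP_KEYS_USER = "x' UNION SELECT owner, key FROM api_keys--"


if __name__ == "__main__":
    conn = make_db()
    print("auth bypass:", login_vulnerable(conn, "alice", BYPASS_PASSWORD))
    print("schema leak:", login_vulnerable(conn, DUMP_SCHEMA_USER, "x"))
    print("data theft: ", login_vulnerable(conn, DUMP_KEYS_USER, "x"))
    print("same inputs, parameterized:",
          login_safe(conn, "alice", BYPASS_PASSWORD), login_safe(conn, DUMP_KEYS_USER, "x"))
```

The UNION payload is how the "structure of the database" in the card is actually recovered: sqlite_master (information_schema on other engines) is queried through the same vulnerable statement, and the stolen column list then guides the follow-up query against api_keys. Input filtering of quotes is not the fix; binding parameters is, because it removes the code/data confusion entirely.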
42
Q

Code Injection

A

An application has a code injection vulnerability if an attacker can present application code as user input and convince the server to execute it.

43
Q

OS Command Injection

A
  • The attacker supplies input that the application passes to an operating system shell, usually through HTTP parameters, cookies, or form fields.
  • This lets the attacker run commands on the host machine and begin attacking the network from the compromised system.

44
Q

Privilege Escalation

A
  • Vertical and Horizontal
  • Vertical privilege escalation involves a user accessing files or functions that are normally associated with accounts that have higher privileges.
  • Horizontal privilege escalation allows users to access resources in other accounts with similar privilege levels as they have.
45
Q

Spoofing

A

Impersonating another user, device, or address (for example a forged source IP, MAC address, or email sender) to gain trust or bypass controls.

46
Q

ARP Poisoning

A

ARP spoofing, also known as ARP poisoning, is a man-in-the-middle (MitM) attack in which forged ARP replies map the attacker's MAC address to another host's IP address, letting the attacker intercept communication between devices on the local network.

47
Q

Pharming

A

Redirecting users from a legitimate website to a fraudulent copy, typically by DNS poisoning or by altering the victim's hosts file, so that even a correctly typed address leads to the attacker's site.

48
Q

Amplification

A

A reflected DDoS technique in which the attacker sends small requests with a spoofed source address (the victim's) to third-party servers such as open DNS or NTP services; those servers reply to the victim with much larger responses, multiplying the attacker's bandwidth while the intermediaries see only ordinary requests.

49
Q

DNS Poisoning

A

Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website.

50
Q

Domain Hijacking

A

Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.

51
Q

Man In The Browser (MITB)

A

Man-in-the-Browser Attack: An MITB attack infects the victim's web browser with malware (often a malicious extension or injected code) that can read and modify web pages and transactions in real time, even over HTTPS.

52
Q

Zero Day

A

An attack that exploits a vulnerability unknown to the vendor, for which no patch exists. Attackers who uncover such a vulnerability do not disclose it but keep it for later use.

53
Q

Pass The Hash

A

A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access to other networked systems.

54
Q

Clickjacking

A

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

55
Q

Session Hijacking

A

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

56
Q

Refactoring

A

Driver manipulation in which the attacker modifies a device driver's code so that it keeps functioning normally while also performing malicious actions; because drivers run with kernel privileges, this undermines security at a low level.

57
Q

MAC spoofing

A

MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device.

58
Q

IP spoofing

A

IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both.

59
Q

Replay

A

A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.
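An illustration of the replay attack and the usual defence (authenticate the message, then reject anything with a stale timestamp or a nonce already seen), added here as an example that is not from the original deck. The shared key, the JSON envelope format, the 30-second window, and the `Receiver` class are constructed assumptions for this page; the MAC is standard HMAC-SHA256 from the Python standard library:

```python
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-demo-shared-key"   # assumption: a secret both sides already hold


def _canonical(body: dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes = KEY) -> dict:
    """Wrap a message with an HMAC-SHA256 tag. This proves origin and integrity, nothing about freshness."""
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def make_request(action: str, amount: int, now=None) -> dict:
    """Client side: include a random nonce and a timestamp so the receiver can detect replays."""
    body = {"action": action, "amount": amount,
            "nonce": secrets.token_hex(8),
            "ts": int(time.time()) if now is None else now}
    return sign(body)


def verify_mac_only(envelope: dict, key: bytes = KEY) -> bool:
    """A naive receiver: checks the MAC and nothing else. A captured message passes this forever,
    which is exactly what a replay attack exploits."""
    expected = hmac.new(key, _canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["mac"])


class Receiver:
    """Replay-resistant receiver: MAC check, then freshness window, then one-time nonce."""

    def __init__(self, key: bytes = KEY, window_s: int = 30):
        self.key = key
        self.window_s = window_s
        self.seen_nonces = {}   # nonce -> ts; entries older than the window are pruned

    def accept(self, envelope: dict, now=None) -> str:
        now = int(time.time()) if now is None else now
        if not verify_mac_only(envelope, self.key):
            return "rejected: bad mac"       # tampered or forged
        body = envelope["body"]
        if abs(now - body["ts"]) > self.window_s:
            return "rejected: stale"         # too old (or clocks too far apart) to be a live request
        self._prune(now)
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay"        # the same authentic message delivered again
        self.seen_nonces[body["nonce"]] = body["ts"]
        return "accepted"

    def _prune(self, now: int) -> None:
        # Only nonces inside the window need remembering; anything older is rejected as stale anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.window_s}


if __name__ == "__main__":
    receiver = Receiver()
    captured = make_request("transfer", 100, now=1_000)      # the eavesdropper records this
    print("original:", receiver.accept(captured, now=1_000))
    print("replayed 5 s later:", receiver.accept(captured, now=1_005))
    print("naive receiver still accepts it:", verify_mac_only(captured))
```

The order of checks matters: the MAC is verified first so that forged envelopes cannot fill the nonce cache, and the timestamp window bounds how many nonces must be remembered. Encryption alone does not prevent replay, since the attacker never needs to read the message, only resend it.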

60
Q

Evil Twin

A

An evil twin attack is a cyberattack that works by tricking users into connecting to a fake Wi-Fi access point.

60
Q

Rogue AP

A

A rogue access point is an access point installed on a network without the network owner’s permission.

61
Q

Jamming

A

A jamming attack is an attack in which an attacker transfers interfering signals on a wireless network intentionally.

62
Q

Bluejacking

A

Bluejacking is a Bluetooth attack in which the attacker sends unsolicited messages to a nearby device; it is mostly a nuisance and does not by itself give access to the device's data.

63
Q

Bluesnarfing

A

Bluesnarfing is an attack in which the attacker connects to a nearby device over Bluetooth and extracts data such as contacts, calendars, and messages without the owner's consent.

64
Q

Known Plain Text/Cipher Attack

A

In a known-plaintext attack, the attacker has access to both the ciphertext and its corresponding plaintext and uses those pairs to recover the key or to decrypt other messages.

65
Q

Birthday Attack

A

Named after the "birthday paradox": in a group of only 23 people there is a better than 50% chance that two share a birthday. Applied to hash functions, it means a collision among n-bit digests is expected after roughly 2^(n/2) attempts, far fewer than the 2^n a brute-force search of the whole output space would need.

66
Q

Rainbow Table Attack

A
  • Rainbow tables are easily searchable precomputed tables of hashes and their plaintexts, built with the same hashing method as the captured password file. Salting each password defeats them, because the table would have to be recomputed for every salt.
67
Q

Brute Force Attack

A

Brute force is a process that tries every possible combination of characters until it succeeds.

68
Q

Dictionary Attack

A

A form of brute-force attack that tries words from a list (dictionary) of likely passwords rather than every possible combination.
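One block covering the Rainbow Table, Brute Force, and Dictionary Attack cards, added here as an example that is not part of the original deck. The six-word wordlist, the fixed salts, and the low PBKDF2 iteration counts used in the demo are constructed for illustration (production code uses a random per-user salt and a high iteration count or a memory-hard KDF); the helper names are assumptions for this page:

```python
import hashlib
import itertools
import string

# Constructed mini wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256: the same password always yields the same digest, so one
    precomputed table serves every victim in every breach."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precomputed digest -> plaintext table. A rainbow table is a space-compressed form of
    this idea (hash chains), but the lookup semantics are the same."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(stolen_hash: str, table: dict):
    """Dictionary attack by lookup: no hashing at attack time, O(1) per stolen hash."""
    return table.get(stolen_hash)


def brute_force(stolen_hash: str, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Exhaustive search over every string up to max_len. Returns (plaintext, attempts);
    the attempt count grows as |alphabet|**length, which is why length beats complexity rules."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if unsalted_hash(guess) == stolen_hash:
                return guess, attempts
    return None, attempts


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256: the per-user salt makes precomputed tables useless, and the
    iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack_salted(stolen_hash: str, salt: bytes, words, iterations: int = 200_000):
    """With a salt the attacker must re-derive each guess under this one user's salt; the work
    cannot be shared across accounts or done ahead of time."""
    for w in words:
        if salted_hash(w, salt, iterations) == stolen_hash:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, via table:", crack_with_table(unsalted_hash("hunter2"), table))
    print("brute force 'cat':", brute_force(unsalted_hash("cat")))
    salt = b"\x01" * 16                      # demo salt; use os.urandom(16) per user in practice
    stolen = salted_hash("hunter2", salt, 1_000)
    print("salted, via table:", crack_with_table(stolen, table))
    print("salted, per-user dictionary run:", dictionary_attack_salted(stolen, salt, WORDLIST, 1_000))
```

The salt does not stop a dictionary attack against one weak password; it stops the attacker from amortizing the work across users and from precomputing it at all, and the iteration count then sets the price of each remaining guess.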

68
Q

Downgrade Attack

A

A downgrade attack is an attack in which the attacker tries to force two hosts on a network (for example, a client (browser) and a website server) to use an insecure or weakly protected data transmission protocol (such as HTTP instead of HTTPS, or SSL instead of TLS).

69
Q

Collision Attack

A

Collision attacks are attacks in which an attacker generates two or more different messages that produce the same hash value under a cryptographic hash function. MD5 and SHA-1 both have practical collision attacks and should not be used where collision resistance matters; SHA-2 and SHA-3 currently have none.
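The birthday bound and the generic collision search behind both the Birthday Attack and Collision Attack cards, as an added example that is not from the original deck. It truncates SHA-256 to 32 bits purely so the search finishes in seconds; full SHA-256 has no known collisions. The function names and the `msg-N` message format are assumptions for this page:

```python
import hashlib
import math


def birthday_probability(n: int, d: int = 365) -> float:
    """Exact probability that among n values drawn uniformly from d possibilities at least two coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (d - i) / d
    return 1.0 - p_all_distinct


def samples_for_half(d: int) -> int:
    """Approximate number of samples for a 50% collision chance: sqrt(2 * d * ln 2).
    For d = 365 this gives 23; for a 32-bit digest (d = 2**32) about 77,000."""
    return math.ceil(math.sqrt(2 * d * math.log(2)))


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits. Truncation only makes the demo fast; the full
    256-bit digest keeps its ~2**128 collision resistance."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int = 32, prefix: bytes = b"msg-"):
    """Generic birthday search: hash distinct messages and remember each digest until one repeats.
    Expected cost is about 2**(bits/2) hashes, not 2**bits. Returns (m1, m2, hashes_computed)."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print(f"P(shared birthday among 23 people) = {birthday_probability(23):.3f}")
    m1, m2, tries = find_collision(32)
    print(f"{m1!r} and {m2!r} collide on 32 bits after {tries} hashes "
          f"(expected around {samples_for_half(2 ** 32)})")
```

This is why digest length is chosen against the square root: a 32-bit hash falls to a few tens of thousands of evaluations on a laptop, a 64-bit one to a few billion (feasible), and 128 bits of output is the floor for meaningful collision resistance. Real MD5 and SHA-1 collisions are found far faster than their birthday bounds because those functions have structural weaknesses on top of this generic attack.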

70
Q

Active Reconnaissance

A

Gathering information by interacting directly with the target, for example port scanning, banner grabbing, or vulnerability scanning; because it touches the target's systems, it can be detected and logged.

71
Q

Passive Reconnaissance

A

Passive reconnaissance is the process of gathering information about the target without directly interacting with it.

72
Q

Pivot

A

In penetration testing, pivoting is the act of using a compromised system to spread between different computer systems once inside the network, simulating the behavior of a real attacker.

73
Q

Escalation of Privilege

A

Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems.

73
Q

Initial Exploitation

A

Once the tester is armed with the knowledge of vulnerabilities present in the system, they will start exploiting them. This will help in identifying the nature of the security gaps and the effort required to exploit them.

74
Q

Persistence

A

When a threat actor discreetly maintains long-term access to a compromised system, for example with scheduled tasks, new accounts, or backdoors that survive reboots and credential changes.

75
Q

Black Box Pentest

A

The tester here has no knowledge of the system and designs the test as an uninformed attacker.

76
Q

Gray Box Pentest

A

As suggested by the name, this approach stands midway between white box and black box testing: the tester has partial knowledge, such as low-privilege credentials or architecture documents, but not full access.

77
Q

White Box Pentest

A

In a white box test, the testers have complete knowledge of the system and complete access.

78
Q

Pen testing vs. vulnerability scanning

A
  • Vulnerability assessment is focused on detecting and categorizing vulnerabilities in a system.
  • Penetration testing involves exploiting vulnerabilities to draw insights about them.
79
Q

End of Life Vulnerability

A

End-of-life refers to a system the vendor no longer supports with patches or security updates, so newly discovered vulnerabilities remain unfixed.

80
Q

Misconfiguration/Weak Configuration Vulnerability

A

This refers to any kind of configuration that weakens the security posture of an organization or its systems. This might be leaving default credentials as-is.

81
Q

Default configuration Vulnerability

A

Running a system with its out-of-the-box settings, such as default credentials, unnecessary enabled services, or sample content; these defaults are publicly documented and well known to attackers.

82
Q

Resource exhaustion Vulnerability

A

If a program runs out of memory, CPU, disk, or bandwidth, it may error or crash; attackers can deliberately consume these resources to cause a denial of service.

83
Q

Improperly configured accounts Vulnerability

A

If a database is configured with overly permissive access rights, or if it is exposed to the public internet without proper authentication, then it could be vulnerable to attack.

83
Q

Weak cipher suites and implementations Vulnerability

A

Weak ciphers are encryption algorithms or modes vulnerable to attack, often because of insufficient key length (for example DES) or flawed design or implementation (for example RC4 or outdated SSL/TLS versions).

84
Q

Memory/buffer vulnerability

A

If you ask for user input, but do not verify or limit the length of the input, it could result in a buffer overflow. This means that other areas in memory will be overwritten.

85
Q

Zero Day Vulnerability

A

A zero-day is a vulnerability that is newly discovered and not yet covered by a vendor patch, so no fix is available when it is exploited.

86
Q

Threat Intelligence

A

Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.

87
Q

OSINT

A

Open Source Intelligence: threat information gathered from publicly available sources. Can be governmental or vendor based.

88
Q

Vulnerability databases

A

Reports of vulnerabilities certainly help direct an organization’s defensive efforts, but they also provide valuable insight into the types of exploit being discovered by researchers.

89
Q

Closed source intelligence

A

Commercial security vendors, government organizations, and other security-centric organizations also create and make use of proprietary, or closed-source intelligence.

90
Q

Threat Map

A

Threat maps provide a geographic view of threat intelligence.

91
Q

Assessing Threat Intelligence (3 concepts)

A

Timeliness, accuracy, and relevance.

92
Q

Structured Threat Information eXpression (STIX)

A

A structured language for describing cyber threat information. Originally an XML format sponsored by the U.S. Department of Homeland Security; the current version (STIX 2) is JSON-based and maintained by OASIS.

93
Q

Indicator Management

A

Managing indicators of compromise in a standard format so that threat information can be processed and used in automated ways.

94
Q

Shadow IT

A

Technology (devices, software, cloud services) installed or used within an organization without the approval or knowledge of the IT department.

95
Q

Open Indicators of Compromise (OpenIOC)

A

A typical IOC includes metadata like the author, the name of the IOC, and a description of the indicator. The full definition of the IOC may also include details of the actual compromise(s) that led to the indicator’s discovery.

96
Q

Trusted Automated eXchange of Indicator Information (TAXII) protocol.

A

TAXII is intended to allow cyber threat information to be communicated at the application layer via HTTPS. TAXII is specifically designed to support STIX data exchange.

97
Q

CISA

A

Cybersecurity and Infrastructure Security Agency

98
Q

SANS

A

SANS Institute. SANS is the world’s largest cybersecurity research and training organization

99
Q

Information Sharing and Analysis Centers (ISACs)

A

Organizations that help critical infrastructure owners and operators share threat information and provide tools and assistance to their members.