Threats, Attacks & Vulnerabilities Flashcards
Indicator of Compromise (IOC)
Indications that a system has been compromised.
Network Traffic IOC (5 types)
- Unusual outbound traffic
- Geographical irregularities
- Unusual DNS requests
- Mismatched port-application traffic
- Web traffic with non-human behavior
Account Traffic IOC (3 types)
- Anomalies in privileged user account activity
- Account login red flags
- Mobile device profile changes
Data IOC (5 types)
- Large database read volumes
- HTML response sizes
- Large numbers of requests for the same file
- Suspicious registry or system file changes
- Bundles of data in the wrong place
Crypto Malware/Ransomware
Malware that encrypts files on a system.
Virus
Malicious programs that self-copy and self-replicate.
Non-memory-resident virus
Executes, spreads, and then shuts down the system.
Boot sector virus
- Resides inside the boot sector of a drive.
- Executes before the computer has fully booted.
Worm
- Self-replicates
- Self-installs (does not require user interaction)
- Can spread via many methods
E-mail Virus
Spread via email either as attachments
Macro Virus
Use macros or code inside word processing software or other tools to spread
Fileless Virus
Does not require file storage
Trojan
- Disguised as legitimate software (requires interaction)
RAT (Remote Access Trojan)
- A Trojan that allows for remote access
Note: Can be confused with legitimate RAT software creating false positives in anti-malware software.
E-mail Worm
- Creates and sends outbound messages to all the addresses in a user’s contact list.
- The messages include a malicious executable file that infects the new system when the recipient opens it.
File-Sharing Worm
- File-sharing worms copy themselves into shared folders and spread through peer-to-peer file-sharing networks.
Note: often targets industrial environments, including power utilities, water supply services and sewage plants.
Crypto Worm
Perpetrators can use this type of worm in ransomware attacks
Instant Messaging Worm
Like email worms, instant messaging worms are masked by attachments or links
Internet Worm
- Specifically target popular websites with poor security.
- If they can infect the site, they can infect a computer accessing the site.
Rootkit
Rootkits are malware specifically designed to allow attackers to access a system through a backdoor.
Keylogger
Captures input: keyboard, mouse, touchscreen, swipes.
Spyware
Spyware is malware that is designed to obtain information about an individual, organization, or system.
Adware
Spreads advertisements on the infected system.
Bots
- Bots are remotely controlled systems or devices that have a malware infection.
- Can be organized into Botnets.
Command & Control System
- Many botnet command and control (C&C) systems operate in a client-server mode, in which the server provides commands and updates.
- Many modern botnets rely on secure HTTP (HTTPS) traffic to help hide C&C traffic and to prevent it from easily being monitored.
Logic Bomb
Functions or code that are placed inside other programs that will activate when set conditions are met.
Backdoor
- Provides access that bypasses normal authentication and authorization procedures.
- Backdoors can be hardware or software based.
Whaling
Targeting a CEO or other C-suite individual.
Spear Phishing
Targeting specific roles/individuals.
Phishing
Often focused on obtaining credentials like usernames and passwords. Often via E-mail.
Vishing
Phishing using the phone (voice).
Smishing
Phishing using SMS.
Impersonation
Social Engineering technique pretending to be someone else.
Dumpster Diving
Procuring sensitive data in the trash.
Credential Harvesting
- Often via Phishing.
- Can be achieved through acquisition of user databases and passwords.
Watering Hole Attack
An attacker infects a well-known website (one the targets visit) with malware.
Typosquatting
Registering domain names similar to legitimate ones to catch traffic from users who make a typo.
DoS
- Denial of Service (Overload)
- DoS attacks are done by exploiting a vulnerability in a specific application, operating system, or protocol.
Man-In-The-Middle (MITM)
An attacker intercepts a conversation/traffic between two users.
DDoS
- Distributed denial-of-service attacks.
- Use botnets/malware to take down big targets.
Buffer Overflow
More data than allowed is inserted into an application, causing the data to overflow into adjacent memory and corrupt it.
Injection
Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.