Topic 13B Flashcards

1
Q

Brute force

A

Smashing a hardware device to perform physical denial of service (DoS).

Breaking into premises or cabinets by forcing a lock or gateway

2
Q

environmental attack

A

A physical threat directed against power, cooling, or fire suppression systems

3
Q

RFID cloning

A

refers to making one or more copies of an existing card. A lost or stolen card with no cryptographic protections can be physically duplicated.

4
Q

RFID skimming

A

refers to using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.

5
Q

Reconnaissance

A

Uses scanning.

Fingerprinting identifies the application types and versions of the software operating each port, and potentially the operating system running on the host and its device type.

Rapid scanning generates a large amount of distinctive network traffic that can be detected and reported as an intrusion event.

It is hard to differentiate between malicious and non-malicious scanning.

6
Q

Weaponization, delivery, and breach

A

refer to techniques that allow a threat actor to get access without having to authenticate.

Typically involves various types of malicious code being directed at a vulnerable application host or service over the network, or sending code concealed in file attachments and tricking a user into running it.

7
Q

Command and control (C2 or C&C), beaconing, and persistence

A

techniques and malicious code that allow a threat actor to operate a compromised host remotely and maintain access to it over a period of time.

The threat actor has to disguise the incoming command and outgoing beaconing activity as part of the network’s regular traffic, such as by using encrypted HTTPS connections.

8
Q

Lateral movement, pivoting, and privilege escalation

A

techniques that allow the threat actor to move from host to host within a network or from one network segment to another, and to obtain wider and higher permissions for systems and services across the network.

These types of attacks are detected via anomalous account logins and privilege use, but detection usually depends on machine learning-backed software, as it is typically difficult to differentiate anomalous behavior from normal behavior.

9
Q

Data exfiltration

A

refers to obtaining an information asset and copying it to the attacker’s remote machine.

Anomalous large data transfers might be an indicator for exfiltration, but a threat actor could perform the attack stealthily, by only moving small amounts of data at any one time.

10
Q

distributed DoS (DDoS)

A

DoS attacks against network hosts and gateways.

The attack is launched from multiple hosts simultaneously.

Some types of DDoS attacks simply aim to consume network bandwidth, denying it to legitimate hosts, by using overwhelming numbers of bots making ordinary requests. Others cause resource exhaustion on the victim host by bombarding it with requests that consume CPU cycles and memory.

11
Q

SYN flood attack

A

works by withholding the client’s ACK packet during TCP’s three-way handshake. A server, router, or firewall can maintain a queue of pending connections, recorded in its state table. When it does not receive an ACK packet from the client, it resends the SYN/ACK packet a set number of times before timing out the connection. This can fill up the pending connection queue, preventing the device from responding to other connection requests.

12
Q

distributed reflected DoS (DRDoS)

A

the threat actor spoofs the victim’s IP address and attempts to open connections with multiple third-party servers. Those servers direct their SYN/ACK responses to the victim host.

This is done because assembling a botnet large enough to disrupt can be costly.

13
Q

amplification attack

A

a type of reflected attack that targets weaknesses in specific application protocols to make the attack more effective at consuming target bandwidth.

Exploits protocols in a way that forces the target to respond with large amounts of data.

Protocols commonly targeted include domain name system (DNS), Network Time Protocol (NTP), and Connectionless Lightweight Directory Access Protocol (CLDAP).

14
Q

DDoS indicator

A

A large traffic spike is an indicator of a denial of service attack. If the source addresses are spoofed, it can be difficult to stop the attack.

15
Q

on-path attack

A

where the threat actor gains a position between two hosts and transparently captures, monitors, and relays all communication between them.

could also be used to covertly modify the traffic. For example, an on-path host could present a workstation with a spoofed website form to try to capture the user credential.

Also known as an adversary-in-the-middle (AitM) attack.

16
Q

ARP

A

Address Resolution Protocol

identifies the MAC address of the host on the local segment that owns a given IPv4 address.

17
Q

ARP poisoning

A

uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets.

Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.

18
Q

typosquatting

A

causes victims to confuse malicious sites with legitimate ones.

19
Q

DNS poisoning

A

An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.

20
Q

DNS Client Cache Poisoning

A

Even though most name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings, and the client only contacts a DNS server if the name is not cached.

Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, they will be able to redirect traffic.

Requires administrator access to modify the HOSTS file.

21
Q

DNS server cache poisoning

A

aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authoritative records for the domain, and then spoofing replies to requests from other name servers.

22
Q

DNS event logs can hold a variety of information that may supply useful security intelligence and attack indicators, such as the following:

A

The types of queries a host has made to DNS.

Hosts that are in communication with suspicious IP address ranges or domains.

Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.

23
Q

A rogue access point

A

one that has been installed on the network without authorization, whether with malicious intent or not.

A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident.

There are also various Wi-Fi analyzers and wireless intrusion protection systems that can detect rogue access points.

Access points are usually connected to switches. Monitoring can detect any that are not and flag them as potential rogues.

24
Q

evil twin

A

A rogue access point masquerading as a legitimate one.

The attacker might use some DoS technique to overcome the legitimate access point. In that case, they could spoof both the SSID and the basic SSID (BSSID).

25
Q

disassociation attack

A

Spoofing frames to disconnect a wireless station, to try to obtain authentication data to crack.

One variant injects management frames that spoof the MAC address of a single victim station in a disassociation notification, causing it to be disconnected from the network.

Another variant of the attack broadcasts spoofed frames to disconnect all stations.

26
Q

KRACK attack

A

uses a replay mechanism that targets the WPA and WPA2 4-way handshake. KRACK is effective regardless of whether the authentication mechanism is personal or enterprise.

It is important to ensure both clients and access points are fully patched against such attacks.

27
Q

An offline password attack

A

the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /etc/shadow.

The only indicator of this type of attack (other than misuse of the account in the event of a successful attack) is a file system audit log that records the malicious account accessing one of these files.

Threat actors can also read credentials from host memory, in which case the only reliable indicator might be the presence of attack tools on a host.

28
Q

A dictionary attack

A

A type of password attack that compares encrypted passwords against a predetermined list of possible password values.

29
Q

hybrid password attack

A

uses a combination of dictionary and brute force attacks. It is principally targeted against naive passwords with inadequate complexity, such as james1.

30
Q

Password spraying

A

a horizontal brute force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.

31
Q

Credential replay attack

A

An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.

This can allow attackers to perform lateral movement across hosts.
