Topic 13B Flashcards
Brute force
Smashing a hardware device to perform physical denial of service (DoS).
Breaking into premises or cabinets by forcing a lock or gateway
environmental attack
A physical threat directed against power, cooling, or fire suppression systems
RFID cloning
refers to making one or more copies of an existing card. A lost or stolen card with no cryptographic protections can be physically duplicated
RFID skimming
refers to using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.
Reconnaissance
Uses scanning (host discovery, port scans, and service enumeration) to map the target's attack surface before an attack.
Fingerprinting identifies the application types and versions of the software operating each port, and potentially of the operating system running on the host, and its device type
Rapid scanning generates a large amount of distinctive network traffic that can be detected and reported as an intrusion event
It is hard to differentiate malicious from non-malicious scanning, because authorized vulnerability scanners and monitoring tools generate very similar traffic.
Weaponization, delivery, and breach
refer to techniques that allow a threat actor to get access without having to authenticate.
typically involves various types of malicious code being directed at a vulnerable application host or service over the network, or sending code concealed in file attachments, and tricking a user into running it.
Command and control (C2 or C&C), beaconing, and persistence
techniques and malicious code that allow a threat actor to operate a compromised host remotely, and maintain access to it over a period of time
The threat actor has to disguise the incoming command and outgoing beaconing activity as part of the network’s regular traffic, such as by using encrypted HTTPS connections.
Lateral movement, pivoting, and privilege escalation
techniques that allow the threat actor to move from host to host within a network or from one network segment to another, and to obtain wider and higher permissions for systems and services across the network.
These types of attacks are detected via anomalous account logins and privilege use, but detection usually depends on machine learning-backed software, as it is typically difficult to differentiate anomalous behavior from normal behavior.
Data exfiltration
refers to obtaining an information asset and copying it to the attacker’s remote machine.
Anomalous large data transfers might be an indicator for exfiltration, but a threat actor could perform the attack stealthily, by only moving small amounts of data at any one time.
distributed DoS (DDoS)
DoS attacks against network hosts and gateways
the attack is launched from multiple hosts simultaneously
Some types of DDoS attacks simply aim to consume network bandwidth, denying it to legitimate hosts, by using overwhelming numbers of bots making ordinary requests. Others cause resource exhaustion on the victim host by bombarding it with requests that consume CPU cycles and memory.
SYN flood attack
works by withholding the client's ACK packet during TCP's three-way handshake. A server, router, or firewall maintains a queue of pending (half-open) connections, recorded in its state table. When it does not receive the ACK packet from the client, it resends the SYN/ACK packet a set number of times before timing out the connection. Enough unanswered SYNs fill the pending-connection queue, so legitimate connection attempts are dropped. The source addresses are usually spoofed, so the SYN/ACKs go to hosts that never sent a SYN and will never complete the handshake.
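Tracking the half-open queue described above is also how a SYN flood is detected. The following is an added example, not part of the original flashcards: it replays constructed packet records (documentation addresses, assumed backlog size and timeout) from the server's point of view, counts connections that received a SYN but never an ACK, and alerts when the peak exceeds the backlog.

```python
from collections import defaultdict

# Constructed packet records, not captured traffic: (timestamp, src_ip, dst_ip, tcp_flags)
# seen from a server at 192.0.2.10. Addresses are documentation ranges; the backlog size
# and timeout below are assumptions, not values from any particular stack.
SERVER = "192.0.2.10"

LEGIT_HANDSHAKE = [
    (0.0, "10.0.0.5", SERVER, "SYN"),
    (0.1, SERVER, "10.0.0.5", "SYN/ACK"),
    (0.2, "10.0.0.5", SERVER, "ACK"),
]

# 200 SYNs from 200 distinct (spoofed) sources, none of which ever sends the final ACK.
SYN_FLOOD = [(1.0 + i * 0.001, f"198.51.100.{i + 1}", SERVER, "SYN") for i in range(200)]


def half_open_peaks(packets, timeout=3.0):
    """Replay packets and return {server: peak number of half-open connections}.

    A half-open entry is created by a client SYN and removed by that client's ACK, or
    when it is older than `timeout` (approximating the server giving up after its
    SYN/ACK retransmissions)."""
    pending = {}                      # (client, server) -> time the SYN was seen
    peaks = defaultdict(int)
    for ts, src, dst, flags in sorted(packets):
        # expire entries the server would have timed out by now
        for key in [k for k, t0 in pending.items() if ts - t0 > timeout]:
            del pending[key]
        if flags == "SYN":
            pending[(src, dst)] = ts
        elif flags == "ACK":
            pending.pop((src, dst), None)
        # SYN/ACK is the server's own reply and does not change the queue
        per_server = defaultdict(int)
        for _, server in pending:
            per_server[server] += 1
        for server, n in per_server.items():
            peaks[server] = max(peaks[server], n)
    return dict(peaks)


def syn_flood_alerts(packets, backlog=128, timeout=3.0):
    """Servers whose half-open queue exceeded the assumed backlog size, with the peak."""
    return [(server, peak) for server, peak in half_open_peaks(packets, timeout).items()
            if peak > backlog]


if __name__ == "__main__":
    print("legitimate traffic:", syn_flood_alerts(LEGIT_HANDSHAKE))
    print("during flood:", syn_flood_alerts(LEGIT_HANDSHAKE + SYN_FLOOD))
```

A real sensor would key the pending entries on the full 4-tuple and feed the peak into a rate rule; the point of the replay is that the flood is visible in the SYN-to-ACK imbalance rather than in the total packet volume.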
distributed reflected DoS (DRDoS)
the threat actor spoofs the victim’s IP address and attempts to open connections with multiple third-party servers. Those servers direct their SYN/ACK responses to the victim host.
This is done because assembling a botnet large enough to disrupt a target can be costly; reflection lets the attacker borrow the capacity of third-party servers instead.
amplification attack
a type of reflected attack that targets weaknesses in specific application protocols to make the attack more effective at consuming target bandwidth.
Exploits protocols whose responses are much larger than the requests, so that the reflectors (not the target) send large amounts of data to the spoofed victim address in reply to small spoofed requests.
Protocols commonly targeted include domain name system (DNS), Network Time Protocol (NTP), and Connectionless Lightweight Directory Access Protocol (CLDAP).
DDoS indicator
A large traffic spike is an indicator of a denial of service attack. If the source addresses are spoofed, it can be difficult to stop the attack by blocking them.
on-path attack
where the threat actor gains a position between two hosts, and transparently captures, monitors, and relays all communication between them
could also be used to covertly modify the traffic. For example, an on-path host could present a workstation with a spoofed website form to try to capture the user's credentials.
Also known as an adversary-in-the-middle (AitM) attack.
ARP
Address Resolution Protocol
identifies the MAC address of a host on the local segment that owns an IPv4 address
ARP poisoning
uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets.
Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.
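Because the protocol itself offers no defence, ARP poisoning is caught by watching for the cache changes it causes. The following is an added example, not part of the original flashcards: it replays constructed ARP reply observations (documentation addresses, an assumed gateway and attacker MAC) against a known IP-to-MAC baseline and raises an alert when an IP changes MAC or when one MAC claims several IPs, the pattern an on-path attacker produces when it impersonates both the gateway and the victim.

```python
from collections import defaultdict

# Constructed ARP reply observations, not a real capture: (timestamp, sender_ip, sender_mac).
# 10.0.0.1 is assumed to be the default gateway and de:ad:be:ef:00:01 the attacker's NIC.
KNOWN_MAPPINGS = {"10.0.0.1": "00:11:22:33:44:01"}   # e.g. from a baseline sweep or DHCP export

ARP_REPLIES = [
    (0.0, "10.0.0.1",  "00:11:22:33:44:01"),   # legitimate gateway reply
    (0.5, "10.0.0.50", "00:11:22:33:44:50"),   # legitimate host
    (5.0, "10.0.0.1",  "de:ad:be:ef:00:01"),   # attacker claims the gateway's IP
    (5.1, "10.0.0.50", "de:ad:be:ef:00:01"),   # ... and the victim's IP (full on-path position)
    (6.0, "10.0.0.1",  "de:ad:be:ef:00:01"),   # repeated to keep the caches poisoned
]


def detect_arp_poisoning(replies, known=None):
    """Return alerts for IP->MAC changes and for a single MAC claiming more than one IP.

    Alerts are tuples: ("ip_mac_change", ts, ip, old_mac, new_mac) or
    ("mac_claims_multiple_ips", ts, mac, (ip, ip, ...))."""
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in sorted(replies):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip_mac_change", ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:          # only alert when a *new* IP joins this MAC
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac_claims_multiple_ips", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, KNOWN_MAPPINGS):
        print(alert)
```

The baseline matters: without it, the first (already poisoned) reply seen for an IP would be accepted as truth, which is exactly what the victims' caches do.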
typosquatting
Registering a domain that is a common misspelling or look-alike of a legitimate one, so that victims confuse the malicious site with the legitimate one.
DNS poisoning
An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.
DNS Client Cache Poisoning
Even though most name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings, and the client only contacts a DNS server if the name is not cached.
Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, they will be able to redirect traffic
Requires administrator (root) access to modify the HOSTS file, so the attacker must already have elevated privileges on the client.
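Because the HOSTS file is consulted before DNS, auditing it is a cheap check for this kind of client-side poisoning. The following is an added example, not part of the original flashcards: it parses constructed HOSTS file content (comment lines, aliases, IPv4 and IPv6 entries) and flags any entry that statically maps a domain on an assumed watchlist, or a subdomain of it, to a non-local address.

```python
import ipaddress

# Constructed HOSTS file content, not taken from a real system. The default file only
# maps localhost names; the last line is the kind of entry an attacker would add.
SAMPLE_HOSTS = """# Sample HOSTS file
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.7 login.example.com   www.example.com   # looks like a harmless convenience entry
"""

# Assumption: domains the organisation expects to resolve only through DNS.
WATCHED_DOMAINS = {"example.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text. Comments, blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # first field is not an address
        for name in parts[1:]:                     # one address may carry several names
            entries.append((str(ip), name.lower()))
    return entries


def is_local_address(ip_str):
    """Loopback, link-local and unspecified addresses are the only ones a stock file uses."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Entries that map a watched domain (or any subdomain of it) to a non-local address."""
    watched = {d.lower() for d in watched}
    found = []
    for ip, name in parse_hosts(text):
        if is_local_address(ip):
            continue
        labels = name.split(".")
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if suffixes & watched:
            found.append((ip, name))
    return found


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"suspicious static mapping: {name} -> {ip}")
```

On a real host the text would come from C:\Windows\System32\drivers\etc\hosts or /etc/hosts, and the file's modification time and the audit record of who changed it are the indicators to pair with the mapping itself.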
DNS server cache poisoning
aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authoritative records for the domain, and then spoofing replies to requests from other name servers.
DNS event logs can hold a variety of information that may supply useful security intelligence and attack indicators, such as the following:
The types of queries a host has made to DNS.
Hosts that are in communication with suspicious IP address ranges or domains.
Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.
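The three indicators above can be pulled out of resolver logs with a short script. The following is an added example, not part of the original flashcards: it parses constructed log lines in an assumed key=value format (not the format of any particular DNS server), reports clients whose lookup failures exceed both an absolute and a proportional threshold, and lists clients that queried a domain on an assumed blocklist.

```python
import re
from collections import Counter, defaultdict

# Constructed resolver log lines in an assumed "key=value" format, not real server output.
# 10.0.0.5 is a normal workstation; 10.0.0.77 behaves like a host running malware that
# generates random domain names, and it also looks up a domain on an assumed blocklist.
DNS_LOG = [
    f"2024-05-01T10:00:{i:02d}Z client=10.0.0.5 qname={name} qtype=A rcode=NOERROR"
    for i, name in enumerate(["intranet.example.com", "mail.example.com", "www.example.com",
                              "cdn.example.net", "update.example.org", "intranet.example.com"])
] + [
    f"2024-05-01T10:01:{i:02d}Z client=10.0.0.77 qname=q{i:02d}zkplw.com qtype=A rcode=NXDOMAIN"
    for i in range(20)
] + [
    "2024-05-01T10:01:20Z client=10.0.0.77 qname=www.example.com qtype=A rcode=NOERROR",
    "2024-05-01T10:01:21Z client=10.0.0.77 qname=bad-c2.example.net qtype=A rcode=NOERROR",
]

BLOCKLIST = {"bad-c2.example.net"}    # assumed threat-intelligence domain list

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_dns_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failure_anomalies(lines, min_failures=10, min_ratio=0.5):
    """Clients with at least `min_failures` failed lookups making up at least `min_ratio` of their queries.

    Returns [(client, failed, total)]; the ratio keeps busy-but-healthy hosts out of the list."""
    total, failed = Counter(), Counter()
    for rec in filter(None, map(parse_dns_line, lines)):
        total[rec["client"]] += 1
        if rec["rcode"] in {"NXDOMAIN", "SERVFAIL"}:
            failed[rec["client"]] += 1
    return [(c, failed[c], total[c]) for c in sorted(total)
            if failed[c] >= min_failures and failed[c] / total[c] >= min_ratio]


def blocklist_hits(lines, blocklist=BLOCKLIST):
    """{client: [blocklisted domains it queried]}."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse_dns_line, lines)):
        name = rec["qname"].lower().rstrip(".")
        if name in blocklist:
            hits[rec["client"]].add(name)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    print("failure anomalies:", failure_anomalies(DNS_LOG))
    print("blocklist hits:", blocklist_hits(DNS_LOG))
```

The thresholds are deliberately separate: an absolute count alone flags every large file server, and a ratio alone flags a laptop that made two typos.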
A rogue access point
one that has been installed on the network without authorization, whether with malicious intent or not.
A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident
There are also various Wi-Fi analyzers and wireless intrusion protection systems that can detect rogue access points
Authorized access points are connected to known switch ports, so monitoring the switch ports can detect access points that are not on the approved list and flag them as potential rogues.
evil twin
A rogue access point masquerading as a legitimate one
The attacker might use some DoS technique to overcome the legitimate access point. In that case, they could spoof both the SSID and the basic service set identifier (BSSID), the MAC address of the legitimate access point.
disassociation attack
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
One variant injects management frames that spoof the MAC address of a single victim station in a disassociation notification, causing it to be disconnected from the network.
Another variant of the attack broadcasts spoofed frames to disconnect all stations
KRACK attack
KRACK (key reinstallation attack) uses a replay mechanism that targets the WPA and WPA2 4-way handshake. KRACK is effective regardless of whether the authentication mechanism is personal or enterprise.
It is important to ensure both clients and access points are fully patched against such attacks.
An offline password attack
the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store) or /etc/shadow
The only indicator of this type of attack (other than misuse of the account in the event of a successful attack) is a file system audit log that records the account used by the attacker accessing one of these files.
Threat actors can also read credentials from host memory, in which case the only reliable indicator might be the presence of attack tools on a host.
A dictionary attack
A type of password attack that hashes each entry in a predetermined list of likely passwords and compares the result with the captured password hashes.
hybrid password attack
uses a combination of dictionary and brute force attacks. It is principally targeted against naive passwords with inadequate complexity, such as james1.
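The offline, dictionary and hybrid attacks above share one loop: hash a candidate, compare with the stolen hash. The following is an added example, not part of the original flashcards, that runs both attacks against a constructed credential dump. It uses salted SHA-256 as a deliberately simplified stand-in for real formats such as NT hashes or the sha512crypt entries in /etc/shadow; the usernames, salts, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import itertools


def hash_password(salt, password):
    """Salted SHA-256: an assumed stand-in for the real hash formats an attacker would dump."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "dumped" credential store: username -> (salt, hash). Not real data.
DUMP = {
    "alice": ("s1", hash_password("s1", "password")),      # plain dictionary word
    "james": ("s2", hash_password("s2", "james1")),         # word plus digit suffix
    "carol": ("s3", hash_password("s3", "Xq7!vLp2#zR")),   # not derivable from the wordlist
}

# Constructed wordlist (a real one would be millions of entries).
WORDLIST = ["123456", "password", "letmein", "james", "summer"]


def dictionary_attack(salt, target_hash, wordlist):
    """Try each wordlist entry as-is; return the plaintext or None."""
    for word in wordlist:
        if hash_password(salt, word) == target_hash:
            return word
    return None


def hybrid_attack(salt, target_hash, wordlist, max_digits=2):
    """Dictionary words with case variants, each followed by a brute-forced suffix of 0..max_digits digits."""
    for word in wordlist:
        for base in {word, word.capitalize(), word.upper()}:
            for n in range(max_digits + 1):
                for digits in itertools.product("0123456789", repeat=n):
                    candidate = base + "".join(digits)
                    if hash_password(salt, candidate) == target_hash:
                        return candidate
    return None


def crack_all(dump, wordlist):
    """Dictionary attack first (cheapest), then hybrid; None where both fail."""
    results = {}
    for user, (salt, target_hash) in dump.items():
        results[user] = (dictionary_attack(salt, target_hash, wordlist)
                         or hybrid_attack(salt, target_hash, wordlist))
    return results


if __name__ == "__main__":
    for user, plaintext in crack_all(DUMP, WORDLIST).items():
        print(f"{user}: {plaintext or 'not cracked'}")
```

The hybrid attack tries roughly three case variants times 111 suffixes per word, so "james1" falls almost immediately while a password with no dictionary base survives every candidate; with a fast unsalted hash the same loop runs billions of times per second on a GPU, which is why the choice of hash function matters as much as the password policy.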
Password spraying
a horizontal brute force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames. Spreading attempts across many accounts avoids the per-account lockout threshold that a vertical attack on a single account would trigger.
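Because a spray keeps the failure count per account low, it is only visible when failures are grouped by source rather than by account. The following is an added example, not part of the original flashcards: it runs over constructed authentication events (documentation addresses, made-up usernames, an assumed time window) and separates the horizontal spray pattern from a vertical brute force against one account, then reports any success from a spraying source, which is the event that actually needs a response.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events, not real logs: (iso_timestamp, source_ip, username, outcome).
AUTH_EVENTS = [
    # a normal user mistyping once, then succeeding
    ("2024-05-01T09:00:00", "10.0.0.5", "alice", "FAIL"),
    ("2024-05-01T09:00:05", "10.0.0.5", "alice", "OK"),
    # vertical brute force: many guesses against one account
    *[(f"2024-05-01T09:10:{i:02d}", "198.51.100.9", "bob", "FAIL") for i in range(40)],
    # password spray: one guess against each of many accounts
    *[(f"2024-05-01T09:20:{i:02d}", "203.0.113.4", f"user{i:02d}", "FAIL") for i in range(30)],
    ("2024-05-01T09:20:30", "203.0.113.4", "user30", "OK"),   # one account used the common password
]


def _window_start(ts, window):
    """Floor an ISO timestamp to the start of its window (assumes the window divides an hour)."""
    t = datetime.fromisoformat(ts)
    size = int(window.total_seconds())
    offset = (t.minute * 60 + t.second) // size * size
    return t.replace(minute=0, second=0, microsecond=0) + timedelta(seconds=offset)


def failures_by_source(events, window=timedelta(minutes=10)):
    """{(source_ip, window_start): {username: failed_attempts}} built from FAIL events only."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            buckets[(src, _window_start(ts, window))][user] += 1
    return buckets


def detect_password_spraying(events, min_accounts=10, max_attempts_per_account=2,
                             window=timedelta(minutes=10)):
    """Horizontal pattern: one source, many distinct accounts, only a few guesses each."""
    alerts = []
    for (src, start), per_user in failures_by_source(events, window).items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_attempts_per_account:
            alerts.append((src, start.isoformat(), len(per_user)))
    return alerts


def detect_vertical_brute_force(events, min_attempts=20, window=timedelta(minutes=10)):
    """Vertical pattern: one source hammering a single account (this is what lockout catches)."""
    alerts = []
    for (src, start), per_user in failures_by_source(events, window).items():
        for user, attempts in per_user.items():
            if attempts >= min_attempts:
                alerts.append((src, start.isoformat(), user, attempts))
    return alerts


def successes_after_spray(events, **spray_kwargs):
    """Successful logins from a source already flagged for spraying: the compromised accounts."""
    sprayers = {src for src, _, _ in detect_password_spraying(events, **spray_kwargs)}
    return [(src, user) for _, src, user, outcome in events if outcome == "OK" and src in sprayers]


if __name__ == "__main__":
    print("spraying:", detect_password_spraying(AUTH_EVENTS))
    print("vertical:", detect_vertical_brute_force(AUTH_EVENTS))
    print("compromised:", successes_after_spray(AUTH_EVENTS))
```

Grouping by source is the weak point of this logic as well: an attacker who spreads the spray across many IP addresses (or across days) defeats the per-source window, which is why mature detections also correlate on the user-agent, the target set, and the distinct-accounts count across all sources.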
Credential replay attack
An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
This can allow attackers to perform lateral movement across hosts.