Udemy Sections 1-3: Overview, Malware, and Malware Infections

Question 1

The act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction

Answer 1

Information security

Question 2

The act of protecting the systems that hold and process critical data

Answer 2

Information systems security

Question 3

CIA stands for

Answer 3

Confidentiality, Integrity, Availability

Question 4

Information has not been disclosed to unauthorized people

Answer 4

Confidentiality

Question 5

Information has not been modified or altered w/out proper authorization

Answer 5

Integrity

Question 6

Information is able to be stored, accessed, or protected at all times

Answer 6

Availability

Question 7

When a person’s identity is established w/ proof and confirmed by a system

Answer 7

Authentication

Question 8

AAA stands for

Answer 8

Authentication, Authorization, Accounting

Question 9

5 methods of authentication

Answer 9

Something you know
Something you have
Something you are
Something you do
Somewhere you are

Question 10

Occurs when a user is given access to a certain piece of data or certain areas of a building

Answer 10

Authorization

Question 11

Tracking of data, computer usage, and network resources

Answer 11

Accounting

Question 12

The most cost effective security control to use

Answer 12

User training

Question 13

Hackers who find and exploit vulnerabilities before anyone else does

Answer 13

Elite hackers

Question 14

Hackers with little to no skill who only use the tools and exploits written by others

Answer 14

Script kiddies

Question 15

Hackers who are driven by a cause like social change, political agendas, or terrorism

Answer 15

Hacktivists

Question 16

Hackers who are a part of a crime group that is well-funded and highly sophisticated

Answer 16

Organized crime

Question 17

Highly trained and funded groups of hackers (often by nation states) w/ covert and open-source intelligence at their disposal

Answer 17

APT (Advanced Persistent Threats)

Question 18

Property of an intelligence source that ensures it is up-to-date

Answer 18

Timeliness

Question 19

Property of an intelligence source that ensures it matches the use cases intended for it

Answer 19

Relevancy

Question 20

Property of an intelligence source that ensures it produces effective results

Answer 20

Accuracy

Question 21

Property of an intelligence source that ensures it produces qualified statements about reliability

Answer 21

Confidence levels

Question 22

Threat intelligence that comes as a commercial service offering, where access to updates and research is subject to a subscription fee

Answer 22

Proprietary

Question 23

Data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized

Answer 23

Closed-source

Question 24

Data that is available to use w/out a subscription, which may include threat feeds similar to the commercial providers, and may contain reputation lists and malware signature databases

Answer 24

Open-source

Question 25

Knowledge you can write down, see, feel, and touch

Answer 25

Explicit

Question 26

Knowledge gained from experience

Answer 26

Implicit knowledge

Question 27

A proactive cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring

Answer 27

Threat hunting

Question 28

What must you assume when threat hunting?

Answer 28

That the existing rules you’ve put in place to prevent compromise have failed.

Question 29

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion

Answer 29

Kill chain

Question 30

The 7 linear steps of the kill chain

Answer 30

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C2 (command and control)
Actions on objectives

Question 31

The kill chain step in which the attacker determines what methods to use to complete the phases of the attack

Answer 31

Reconnaissance

Question 32

The kill chain step in which the attacker couples payload code that will enable access w/ exploit code that will use a vulnerability to execute on the target system. The attacker is merely writing the code; it has not yet been delivered or executed.

Answer 32

Weaponization

Question 33

The kill chain step in which the attacker identifies a vector by which to transmit the weaponized code to the target environment

Answer 33

Delivery

Question 34

The kill chain step in which the weaponized code is executed on the target system

Answer 34

Exploitation

Question 35

The kill chain step in which the mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system

Answer 35

Installation

Question 36

The kill chain step in which the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack

Answer 36

C2 (command and control)

Question 37

The kill chain step in which the attacker typically uses the access they’ve achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

Answer 37

Actions on objectives

Question 38

A method used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage

Answer 38

Kill chain analysis

Question 39

A free, open-source knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures

Answer 39

MITRE ATT&CK Framework

Question 40

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

Answer 40

Diamond model of intrusion analysis

Question 41

The 4 core features of the Diamond model of intrusion analysis

Answer 41

Adversary
Capability
Infrastructure
Victim

Question 42

Software designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent

Answer 42

Malware

Question 43

Malicious code that runs on a machine w/out the user’s knowledge and infects the computer when executed. Requires a user action to reproduce and spread.

Answer 43

Virus

Question 44

A type of virus stored in the first sector of a hard drive and are loaded into memory upon boot up.

Difficult to detect because it is installed BEFORE the OS boots up. Requires an antivirus that specifically looks for this type of virus.

Answer 44

Boot sector virus

Question 45

Virus embedded into a document and is executed when the document is opened by the user

Answer 45

Macro

Question 46

A type of virus that infects an executable or application

Answer 46

Program virus

Question 47

A virus that combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer.

This gives the virus persistence; if you are able to delete the program virus portion, the boot sector portion reinstalls it.

Answer 47

Multipartite virus

Question 48

An advanced version of an encrypted virus that changes its code every time it’s executed by altering the decryption module to avoid detection

Answer 48

Polymorphic virus

Question 49

A virus that encrypts its code to avoid detection

Answer 49

Encrypted virus

Question 50

A virus that is able to rewrite itself entirely before it attempts to infect a file. An advanced version of a polymorphic virus.

Answer 50

Metamorphic virus

Question 51

A type of virus that uses techniques to avoid detection by antivirus software.

Answer 51

Stealth virus

Question 52

A type of virus that has a layer of protection to confuse a program or a person analyzing it.

Answer 52

Armored virus

Question 53

A form of social engineering when a website or scam caller claims that you have a virus, and gives you a number to call or program to install in order to get rid of it.

Answer 53

Hoax virus

Question 54

Malicious software that is able to replicate itself without user interaction

Answer 54

Worm

Question 55

Malicious software disguised as a piece of harmless or desirable software. It performs the desired function, but also a secret malicious function.

Answer 55

Trojan horse

Question 56

A Trojan that provides the attacker with remote control of a victim computer and is the most commonly used type of trojan

Answer 56

RAT (Remote Access Trojan)

Question 57

Malware that restricts access to a victim’s computer or files until a ransom is received

Answer 57

Ransomware

Question 58

Malware that secretly gathers info about the user w/out their consent

Answer 58

Spyware

Question 59

A type of spyware that captures keystrokes made by the victim and takes screenshots that are sent to the attacker

Answer 59

Keylogger

Question 60

A type of spyware that displays advertisements based upon its spying on you

Answer 60

Adware

Question 61

Software that isn’t benign nor malicious and tends to behave improperly without serious consequences. For example, this can make the user jump to random places on the screen or turn the screen upside-down. It can be used as a prank.

Answer 61

Grayware

Question 62

Malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime. This keeps the computer from understanding that it has malicious code installed.

It works by using a shim between the OS and the DLL. The shim will redirect the call between them with malicious code embedded in them.

Answer 62

DLL injection

Question 63

Software designed to gain administrative level control over a system without detection

Answer 63

Rootkit

Question 64

The method used commonly used by rootkits to maintain their persistent control

Answer 64

DLL injection

Question 65

An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level

Answer 65

Driver manipulation

Question 66

A piece of software code that is placed between two components to intercept calls and redirect them. This is used by both DLL injection and driver manipulation.

Answer 66

Shim

Question 67

Rootkits are known for using which two methods?

Answer 67

DLL injection and driver manipulation

Question 68

What is the best way to detect a rootkit?

Answer 68

Boot from an external device and scan the internal hard drive

Question 69

Activity that abuses electronic messaging systems, most commonly through email

Answer 69

Spam

Question 70

Why can’t we just block spammers’ email servers?

Answer 70

Spammers exploit reputable companies’ open mail relays to send their messages.

Question 71

A function of an email server that allows the server to send mail on the behalf of other organizations.

Answer 71

Open mail relay

Question 72

An governmental act made to put a stop to spammers exploiting companies’ open mail relays

Answer 72

CAN-SPAM

Question 73

Code that infects a computer when a file is opened or executed

Answer 73

Virus

Question 74

Method used by an attacker to access a victim’s machine

Answer 74

Threat vector

Question 75

Method used by an attacker to gain access to a computer in order to infect it with malware

Answer 75

Attack vector

Question 76

Difference between threat vector and attack vector?

Answer 76

Threat vector is how to get to the machine itself.

Attack vector includes both how to gain access to the machine and how to infect it.

Question 77

Malware placed on a website that you know your potential victims will access as part of routine activities

Answer 77

Watering hole

Question 78

Registering a domain name as a misspelled version of a well-known domain, hoping that a victim will type the URL incorrectly to access the attacker’s site.

Answer 78

Typosquatting

Question 79

A collection of compromised computers under the control of a master node

Answer 79

Botnet

Question 80

Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them

Answer 80

Active interception

Question 81

Occurs when an attacker is able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn’t able to access

Answer 81

Privilege escalation

Question 82

Used to bypass normal security and authentication functions

Answer 82

Backdoor

Question 83

A type of malware that works like a backdoor (maintaining persistent access)

Answer 83

RAT (Remote Access Trojan)

Question 84

Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature

Answer 84

Easter egg

Question 85

If Easter eggs are harmless, why are they dangerous?

Answer 85

Easter eggs are usually put in at the last second. They are additional code that have not gone through the rigorous testing and security practices.

Question 86

Malicious code that has been inserted inside a program and will execute only when certain conditions have been met

Answer 86

Logic bomb

Question 87

T/F: Logic bombs, easter eggs, and backdoors are all against security best practices and should not be found in your code.

Answer 87

True

Question 88

Symptoms of infection

Answer 88

Strange behavior
Hard drives, files, or apps not accessible
Strange noises
Unusual error messages
Display looks strange
Jumbled printouts
New or disappearing icons on desktop
Double file extensions
Antivirus won’t run
New files or folders
Corrupted/missing files or folders
System Restore will not function

Question 89

First action to take if you suspect your computer is infected

Answer 89

Scan with antimalware

Question 90

What should you do before you take action to clean up a virus?

Answer 90

Make a backup of your system

Question 91

7 steps to take care of a computer infection

Answer 91

Identify symptoms
Quarantine the infected systems
Disable System Restore (if using Windows)
Remediate the infected system
Schedule automatic updates and scans
Reenable System Restore and create a new restore point
Provide end user security awareness training

Question 92

How do you scan for a boot sector virus?

Answer 92

Reboot the computer from an external device and scan it.

This is because if you boot from the internal hard drive, the virus is loaded up before you can do anything from it.

OR you can move the hard drive to another computer and scan in there.

Question 93

A type of malware that acts as a go-between for the OS and the kernel

Answer 93

Rootkit

Question 94

How to prevent spammers from using your mail servers to send spam

Answer 94

Verify your email servers aren’t configured as open mail relays or SMTP open relays

Question 95

3 main ways to prevent malware

Answer 95

Install and continually update reputable antimalware
Update and patch your OS
End user training

Question 96

Describes the specific method by which malware code infects a target host

Answer 96

Exploit technique

Question 97

A type of malware that is executed directly as a script or a piece of shellcode that creates a process in the system memory without having to use the local file system

Answer 97

Fileless

Question 98

The 5 steps that APTs use to operate modern malware

Answer 98

Dropper or downloader
Maintain access
Strengthen access
Actions on objectives
Concealment

Question 99

Malware designed to install/run other types of malware embedded in a payload on an infected host

Answer 99

Dropper

Question 100

A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper

Answer 100

Downloader

Question 101

Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code

Answer 101

Shellcode

Question 102

Exploit technique that runs malicious code with the identification number of a legitimate process

Answer 102

Code injection

Question 103

When an attacker’s dropper replaces a victim’s genuine executable with a malicious one

Answer 103

Masquerading

Question 104

When an attacker’s dropper forces a malicious process to run as part of the DLL

Answer 104

DLL injection

Question 105

When an attacker’s dropper exploits a vulnerability in a legitimate program’s manifest to load a malicious DLL at runtime

Answer 105

DLL sideloading

Question 106

When an attacker’s dropper starts a process in a suspended state, and then rewrites the memory locations containing the process code with the malware code

Answer 106

Process hollowing

Question 107

Anti-forensic techniques that droppers implement

Answer 107

Encrypting payloads
Compressing payloads
Obfuscating payloads

Question 108

Exploit techniques that uses the victim’s standard system tools (for example, PowerShell or BASH) and packages to perform intrusions. Makes it incredibly hard to find the attacker using this technique.

Answer 108

Living off the land

Question 109

Difference between armored virus and stealth virus?

Answer 109

Stealth virus hide themselves from the OS and/or antivirus software by making changes to file sizes or directory structure.

Armored virus are difficult to detect or analyze, and may be able to protect itself from antivirus programs.

Question 110

Difference between polymorphic and metamorphic viruses?

Answer 110

Polymorphic encrypts its code using a variable encryption key so each copy of the virus appears different.

Metamorphic rewrites its code itself in order to make each copy of the virus different, no encryption key necessary.

Question 111

Difference between phishing and pharming?

Answer 111

Phishing requires only successful social engineering. It is a one-time scam, usually involving the attacker trying to get victims to click on a link to a fraudulent site. It usually involves targeting one individual at a time.

Pharming requires an attacker to gain unauthorized access to a system. This involves creating a fake website for users to enter their credentials, and then redirecting them via DNS poisoning/spoofing/hijacking. It involves simultaneously targeting huge groups of people.