week 4 content Flashcards
___ team - A group authorized and organized to emulate a potential adversary’s attack or exploitation against an organization’s network
red team
___ team - The group responsible for defending an organization’s security posture against all adversaries, internal or external
blue team
___ team - A collaborative cybersecurity group that brings together red and blue teams to test and improve security posture
purple team
___-_ - an individual or a group that performs malicious acts against cyber resources generally for monetary gain or disruption of service
adversary
___ - Tactics, techniques and procedures. A tactic is the highest-level description of the behavior, while a technique gives a more detailed description of the behavior in the context of a tactic. Procedures are the lowest-level, highly detailed descriptions in the context of a technique
TTP
____ ____ - A globally accessible knowledge base framework of adversary tactics and techniques based on real-world observations.
Mitre attack
____ - Living Off the Land Binaries are binaries of a non-malicious nature, local to the operating system, that are used to camouflage malicious activity
LOLBINS
_____ - Common Vulnerabilities and Exposures is a database of publicly disclosed information security code flaws
CVE
____ ____ - use a single password or a small list of commonly used passwords against many different accounts for credential access
password spraying
____ ___ - use of credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap
credential stuffing
Threat actors place a high priority on targeting _____ in their attacks
networks
Attacks that target a network or a process that relies on a network include:
* ______ attacks
* ______ attacks
* _____ attacks
* _____ attacks
* _____ attacks
Interception attacks
Layer 2 attacks
DNS
Distributed denial of service attacks
Malicious coding and scripting attacks
Interception attacks
In an ____, a threat actor is positioned in a communication between two parties
* Its goal is to eavesdrop on the conversation or impersonate one of the parties
- it has two phases:
- ____ the traffic
- ____ the transmissions
a ___ attack makes a copy of a legitimate transmission before sending it to the recipient
threat actors use several techniques for stealing an active session ID:
___ attacks: (hijacking and altering communication between two users)
____ attacks: (cross-site scripting, Trojans, and malicious JavaScript code)
A _____ attack intercepts communication between parties to steal or manipulate the data
* It occurs between a browser and the underlying computer
usually begins with a ___ infecting the computer and installing an “extension” into the browser configuration
MITM (man in the middle)
intercept the traffic
decrypt the transmissions
replay attack
network attacks
endpoint attacks
MITB (man in the browser)
trojan
Advantages of a MITB attack:
difficult to ___
remains ___
resides in the web browser, hard to ___
recognize
dormant
detect
Layer 2 attacks
Layer 2, the Data Link Layer, is responsible for dividing the data into packets. A compromise here can affect the entire communication
____ ____ - Relies upon MAC spoofing, which is imitating another computer by means of changing the MAC address
media access control attacks
MAC ____ attack - threat actors discover a valid MAC address of a device connected to a switch.
They spoof that MAC address, and the switch changes its MAC address table to associate the MAC address with the port to which the attacker’s device is connected
A MAC _____ attack is another attack based on spoofing, MAC cloning, and the MAC address table of a switch. A threat actor overflows the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address
ARP poisoning
MAC cloning attack
MAC flooding attack
___ is a hierarchical name system for matching computer names and IP addresses
DNS (domain name system)
DNS attacks
_____ a DNS address so that the computer is silently redirected to a different device
- A successful DNS attack has two consequences:
URL _____
domain _____
DNS _____ : modifies a local lookup table on a device to point to a different domain
DNS ____: is intended to infect an external DNS server with IP addresses that point to malicious sites
substitutes
URL redirection
domain reputation
DNS poisoning
DNS hijacking
Two locations for DNS poisoning
* _____ ___ table
* ______ ____ server
Two locations for DNS poisoning
* Local host table
* External DNS server
DNS hijacking
has the advantage of ____ all users accessing the server
Attackers attempt to exploit a ____ ___ and convince the authentic DNS server to accept fraudulent DNS entries sent from the attackers’ DNS server
redirecting
protocol flaw
Distributed Denial of Service Attack (DDoS)
is a deliberate attempt to prevent authorized users from accessing a system by _____ it with requests
users are aware that their systems are part of a DDoS attack (T/F)
overwhelming
F
Malicious Coding and Scripting Attacks
uses:
___
___ ___ (VBA)
___
__/___ ___
PowerShell
Visual Basic
Python
Linux/Unix bash
Malicious Coding and Scripting Attacks
Visual Basic for Applications is an ___-___ Microsoft programming language
used to create ___
Microsoft implemented several protections
- ___ view
- trusted ___
- trusted ____
event driven
macros
protected view
trusted documents
trusted location
In which type of attack is the threat actor positioned between two parties and alters the transmission to eavesdrop or impersonate one of the parties?
a. MITB
b. MAC cloning
c. MITM
d. Session replay
Answer: c. MITM
In a man-in-the-middle (MITM) attack, a threat actor is positioned between two parties with the goal of eavesdropping or impersonating a party. In an MITM attack, the transmission is altered, whereas in a session replay attack, a copy is made of a legitimate transmission for the purpose of replaying it later.
Packet Capture and Replay Tools
- ____ is a popular GUI packet capture and analysis tool
- ____ is a command-line packet analyzer
- ____ is a tool for editing packets and then “replaying” the packets back onto the network to observe their behavior
It can detect unusual behavior that could:
- indicate the presence of ____
- search for unusual ____ or ___ __ ___
- discover regular ____ to a threat actor’s command and control (C&C) server
Wireshark
Tcpdump
Tcpreplay
malware
unusual domains
IP address endpoints
connections
Which of the following is a GUI tool that is used to capture and analyze packets?
a. Tcpdump
b. PowerShell
c. Tcpreplay
d. Wireshark
Answer: d. Wireshark
Wireshark is a GUI packet capture and analysis tool. Tcpdump is a command-line packet analyzer, Tcpreplay is used to edit and replay packets, and PowerShell is a scripting tool.
Physical Security Controls
Physical security involves preventing a threat actor from ___ ___ the network
Physical security controls include:
* ____ ___ defenses
* ___ ___ ___ controls
* ___ ___ security
physically accessing
External perimeter
Internal physical security
Computer hardware
External Perimeter Defenses
___ ____ is an attempt to make the physical presence of a building as nondescript as possible
* When it’s not possible, external perimeter defenses must be used
Barriers act as passive security devices
____ is usually a permanent structure to keep unauthorized personnel out. It is usually accompanied by signage that explains the area is restricted
- A ____ is generally designed to block the passage of traffic but not designed to keep out individuals
- A ____ is a short but sturdy vertical post that is used as a vehicular traffic barricade to prevent a car from ramming into a secured area
____ - human security guards, drones, robot sentries
___ - To supplement the work of security guards, sensors can be placed in strategic locations to alert guards by generating an audible alarm of an unexpected or unusual action
Industrial camouflage
Fencing
barricade
bollard
personnel
Sensors
Internal Physical Security Controls
includes:
____ - require a key or other device
types:
___ ____: uses buttons
___ ___: uses phone
___ ___: scans for
locks
electronic locks
smart locks
fingerprint locks
Internal Physical Security Controls
Secure areas
A ____ ___ in cybersecurity is an area that separates threat actors from defenders
A _____ is designed as an air gap to separate a nonsecure area from a secured area. It monitors and controls two interlocking doors to a vestibule
demilitarized zone (DMZ)
mantrap
Internal Physical Security Controls
protected cable distribution (PDS)
is a system of ___ ___ used to protect classified information that is being transmitted between two secure areas
two types of PDS:
* In a ____ carrier PDS, the data cables are installed in a conduit constructed of special electrical metallic tubing and all connections between segments are permanently sealed with welds or special sealants
* In an _____ carrier PDS, the carrier system is deployed with specialized optical fibers in the conduit that can sense acoustic vibrations that occur when an intruder attempts to gain access to cables
cable conduits
hardened carrier
alarmed carrier
Internal Physical Security Controls
Computer Hardware Security
is the physical security that involves protecting endpoint hardware
A ___ ___ can be inserted into the security slot of a portable device to secure the device
For storage, a laptop can be placed in a ___/___
Computer systems, printers, and similar electronic devices emit ____ fields, which can result in interference
____ ___ can be defined as picking up electromagnetic fields and reading data that is producing them
A ___ ___ is a metallic enclosure that prevents entry or escape of an electromagnetic field. A Faraday cage can prevent electromagnetic spying and remote wiping of electronic devices
cable lock
safe/vault
electromagnetic fields
Electromagnetic spying
Faraday cage