week 4 content Flashcards
___ team - A group authorized and organized to emulate a potential adversary's attack or exploitation against an organization's network
red team
___ team - The group responsible for defending an organization's security posture against all adversaries, internal or external
blue team
___ team - A collaborative cybersecurity group that brings together red and blue teams to test and improve security posture
purple team
___ - an individual or a group that performs malicious acts against cyber resources, generally for monetary gain or disruption of service
adversary
___ - Tactics, techniques, and procedures. A tactic is the highest-level description of the behavior, while a technique gives a more detailed description of behavior in the context of a tactic. Procedures are the lowest level: highly detailed descriptions in the context of a technique
TTP
____ ____ - A globally accessible knowledge base framework of adversary tactics and techniques based on real-world observations.
MITRE ATT&CK
____ - Living Off the Land Binaries are binaries of a non-malicious nature, local to the operating system, used to camouflage malicious activity
LOLBINS
_____ - Common Vulnerabilities and Exposures is a database of publicly disclosed information security code flaws
CVE
____ ____ - use a single password or a small list of commonly used passwords against many different accounts to gain credential access
password spraying
____ ___ - use of credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap
credential stuffing
Threat actors place a high priority on targeting _____ in their attacks
networks
Attacks that target a network or a process that relies on a network include:
* ______ attacks
* ______ attacks
* _____ attacks
* _____ attacks
* _____ attacks
Interception attacks
Layer 2 attacks
DNS
Distributed denial of service attacks
Malicious coding and scripting attacks
Interception attacks
In an ____, a threat actor is positioned in a communication between two parties
* The goal is to eavesdrop on the conversation or impersonate one of the parties
* It has two phases:
  - ____ the traffic
  - ____ the transmissions
A ___ attack makes a copy of a legitimate transmission before sending it to the recipient
Threat actors use several techniques for stealing an active session ID:
___ attacks: (hijack and alter communication between two users)
____ attacks: (cross-site scripting, Trojans, and malicious JavaScript coding)
A _____ attack intercepts communication between parties to steal or manipulate the data
* It occurs between a browser and the underlying computer
* Usually begins with a ___ infecting the computer and installing an "extension" into the browser configuration
MITM (man in the middle)
intercept the traffic
decrypt the transmissions
replay attack
network attacks
endpoint attacks
MITB (man in the browser)
Trojan
Advantages of a MITB attack:
- difficult to ___
- remains ___
- resides in the web browser, hard to ___
recognize
dormant
detect
Layer 2 attacks
Layer 2, the Data Link Layer, is responsible for dividing the data into packets. A compromise here can affect the entire communication
____ ____ - Relies upon MAC spoofing, which is imitating another computer by changing the MAC address
media access control attacks
MAC ____ attack - threat actors discover a valid MAC address of a device connected to a switch; they spoof that MAC address, and the switch changes its MAC address table to associate the MAC address with the port to which the attacker's device is connected
A MAC _____ attack is another attack based on spoofing, MAC cloning, and the MAC address table of a switch. A threat actor overflows the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address
ARP poisoning
MAC cloning attack
MAC flooding attack
___ is a hierarchical name system for matching computer names and IP addresses
DNS (domain name system)
DNS attacks
_____ a DNS address so that the computer is silently redirected to a different device
- A successful DNS attack has two consequences:
  - URL _____
  - domain _____
DNS _____: modifies a local lookup table on a device to point to a different domain
DNS ____: is intended to infect an external DNS server with IP addresses that point to malicious sites
substitutes
URL redirection
domain reputation
DNS poisoning
DNS hijacking
Two locations for DNS poisoning
* _____ ___ table
* ______ ____ server
Two locations for DNS poisoning
* Local host table
* External DNS server
DNS hijacking
Has the advantage of ____ all users accessing the server
Attackers attempt to exploit a ____ ___ and convince the authentic DNS server to accept fraudulent DNS entries sent from the attackers' DNS server
redirecting
protocol flaw
Distributed Denial of Service Attack
(DDoS)
is a deliberate attempt to prevent authorized users from accessing a system by _____ it with requests
Users are aware that their systems are part of a DDoS attack (T/F)
overwhelming
F
Malicious Coding and Scripting Attacks
uses:
___
___ ___ (VBA)
___
__/___ ___
PowerShell
Visual Basic
Python
Linux/Unix bash
Malicious Coding and Scripting Attacks
Visual Basic for Applications is an ___-___ Microsoft programming language used to create ___
Microsoft implemented several protections:
- ___ view
- trusted ___
- trusted ____
event-driven
macros
protected view
trusted documents
trusted location
In which type of attack is the threat actor positioned between two parties and alters the transmission to eavesdrop or impersonate one of the parties?
a. MITB
b. MAC cloning
c. MITM
d. Session replay
Answer: c. MITM
In a man-in-the-middle (MITM) attack, a threat actor is positioned between two parties with the goal of eavesdropping or impersonating a party. In an MITM attack, the transmission is altered, whereas in a session replay attack, a copy is made of a legitimate transmission for the purpose of replaying it later.
Packet Capture and Replay Tools
- ____ is a popular GUI packet capture and analysis tool
- ____ is a command-line packet analyzer
- ____ is a tool for editing packets and then "replaying" the packets back onto the network to observe their behavior
It can detect unusual behavior that could:
- indicate the presence of ____
- search for unusual ____ or ___ __ ___
- discover regular ____ to a threat actor's command and control (C&C) server
Wireshark
Tcpdump
Tcpreplay
malware
unusual domains
IP address endpoints
connections