1.2 Potential Indicators - Attack Type Flashcards

Threats, Attacks, and Vulnerabilities: Given a Scenario, Analyze Potential Indicators to determine the type of attack (52 cards)

1
Q

Malware - Virus

A
  • A malicious program that needs user action (running it, or copying it onto media or another host) to get onto the affected system.
  • Once running, most viruses self-replicate without the user's knowledge.
  • Spreads from one system to another via email, IM, downloads, removable media, and network connections.
  • One of the most common and prevalent forms of malware.
  • Often tedious to repair or clean up. An infection can take down an entire system and disrupt company operations.
2
Q

Boot Sector Virus

A
  • Infects the boot sector or partition table of a disk.
  • The boot sector holds the code the computer runs at startup to locate and load an operating system.
  • Most common way a boot sector virus finds its way onto a system: an infected disk or removable media device left inserted in the computer when it boots.
3
Q

Boot Sector Virus

A
  • Can stop the computer from booting at all, rendering it useless.
  • Infects the boot sector or partition table of a disk.
  • The boot sector holds the code the computer runs at startup to locate and load an operating system.
  • Most common way a boot sector virus finds its way onto a system: an infected disk or removable media device left inserted in the computer when it boots.
  • Best way to remove it: boot the system from known-clean antivirus or emergency recovery media.
  • This starts the computer with the recovery media's own basic startup files, bypassing the infected boot sector, and then runs the antivirus program on the recovery media to scan and repair the disk.
4
Q

Companion virus

A
  • Disguises itself as a legitimate program by using the name of a legitimate program with a different extension (on DOS/Windows, for example, a malicious PROGRAM.COM that the shell runs ahead of the real PROGRAM.EXE).
  • Typically it also runs the legitimate program after the virus code has executed, so the system appears to be behaving normally.
  • Some variants instead replace the original file with a version that performs the same tasks but also runs the added malicious code.
5
Q

File Infector Viruses

A
  • Generally infects executable files, such as those with the .com or .exe extension.
  • Can be extremely destructive because it replicates and spreads by infecting other executable programs.
  • Sometimes destroys the original program by overwriting its code.
  • Caution: if a computer is infected with a file infector virus, do NOT attach it to a network; it could infect files on other workstations and file servers.
6
Q

Macro Virus

A
  • A macro is a set of instructions that carries out program commands automatically within an application.
  • Typically targets Microsoft Office applications such as Word and Excel.
  • Uses the application's own scripting features (for example VBA) to perform malicious operations when the document is opened.
7
Q

Trojan Horse

A
  • Software that pretends to be something useful so the user will install it, then takes control of the computer
  • Not concerned with replicating itself
  • Circumvents existing security controls by arriving as something the user chose to run
  • Designed to look non-threatening to users and to antivirus software
  • Some even disable antivirus
  • Can open backdoors or download and install additional malware
8
Q

PUP

A
  • Potentially Unwanted Program
  • Undesirable but not necessarily malicious; may cause performance issues
  • Might install a browser toolbar that is difficult to uninstall
  • Or a "backup utility" that constantly shows advertisements or hijacks the browser
9
Q

Backdoors

A
  • Malware tends to open a backdoor on the infected system
  • A backdoor is a new, unauthorized way to access the system that bypasses normal authentication
  • Once a backdoor is open, other malware can potentially use the same backdoor
  • Finding an exploitable vulnerability or getting a user to click a link takes real effort for the attacker
  • So the attacker wants a way to get back into the system easily, without having to make you click on something again
  • Ex: a backdoor was found built into an old version of Linux software
10
Q

RAT

A
  • Remote Access Trojan (also Remote Administration Tool)
  • The ultimate backdoor
  • Gives the attacker administrative control of the device
  • Often installed by other malware that is already on the system
  • Ex: can log keystrokes, take screenshots, copy files, and install more malware
11
Q

Protecting against Trojan + RATs

A
  • Same practices as for preventing other malware
  • Don't run unknown software
  • Keep antivirus/anti-malware software and its signatures up to date
  • Keep the operating system and applications patched with the latest updates
  • Keep backups so you can restore from a known-good copy
12
Q

Rootkit

A
  • The name comes from Unix/Linux ("root" access), but rootkits can be found on any OS
  • Common characteristic: instead of modifying ordinary files in the OS, it modifies the kernel (the foundational building block of the OS) or its modules; everything that runs in the OS runs on top of the kernel
  • Because the malware becomes part of the OS itself, it can hide from antivirus/anti-malware software running on that OS
  • Identifying and removing a rootkit is very difficult
13
Q

Zeus/ Zbot Malware

A
  • Example of malware that combines a rootkit with other malware
  • Zeus specialized in stealing online banking credentials and transferring money out of victims' bank accounts into the attackers'
  • Combined with the Necurs rootkit, it became almost impossible to delete from the system
14
Q

Root kit removers

A
  • Some antivirus/anti-malware products can identify malware that is installed with a rootkit
  • Firmware-level protection example: Secure Boot
  • Ex: UEFI Secure Boot checks the digital signature of the boot loader and OS components before running them; if a rootkit has modified any of them, the signature check fails and the system refuses to boot them
15
Q

Spyware

A
  • More malicious than adware: it tries to gather information about you
  • Ex: the sites you visit on the internet, or PII
  • Can be installed in different ways, ex: Trojan horse, peer-to-peer downloads, fake security software
  • Common spyware monitors the sites you visit and logs your keystrokes to capture usernames and passwords
  • Adware and spyware remain popular because user data is very valuable
  • Prevention: always keep antivirus signatures current; don't install unverified third-party software
16
Q

Adware

A
  • Adware is one big advertisement; it can degrade OS performance, slow the system down, and increase network traffic
  • Sometimes it is installed accidentally, bundled with other software
  • When trying to remove adware, beware: some "removal software" is itself malware
17
Q

Bot

A
  • Short for robot
  • Describes the automation that occurs behind the scenes when this type of malware takes control of your machine
  • Entry points: a Trojan horse, a vulnerability in the OS, or bundled with a normal application installation
18
Q

Botnet

A
  • A group of bots on different machines working together, controlled through a C&C (Command and Control) server
  • When all of these systems are directed by a bad actor, they can launch a DDoS (Distributed Denial of Service) attack
  • Systems can act as proxies or relays for spam, network traffic, and other types of tasks
  • Capacity is rented out to third parties ("rent a DDoS")
  • map.lookingglass.cyber.com shows active botnets, live attacks, and the countries involved
19
Q

C&C Server

A
  • Controls a botnet
  • Issues commands to the bots
20
Q

How to stop a botnet

A
  • Ensure your OS is running the latest patches
  • Keep antivirus/anti-malware software and its signatures current
  • Perform on-demand network scans and look for unusual traffic patterns (for example, a host checking in with an outside server on a fixed timer)
  • Block the C&C channel: if you know the C&C traffic patterns, block them at the network firewall or at the host-based IPS/firewall on the workstation
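The "unusual network pattern" this card refers to is usually beaconing: a bot connects to its C&C server on a fixed timer with a near-constant payload, while human traffic is irregular. The following is an added example, not part of the original flashcards; it runs beaconing detection over a constructed outbound-connection log (the hosts, addresses, and log format are invented for illustration) and emits the host-firewall rule the last bullet describes.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log in a simplified firewall format (not real data):
# timestamp  source-host  destination-ip  dest-port  bytes-sent
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.9 443 412
2024-03-01T09:00:04 ws-17 198.51.100.20 443 9031
2024-03-01T09:01:00 ws-17 203.0.113.9 443 410
2024-03-01T09:02:00 ws-17 203.0.113.9 443 415
2024-03-01T09:02:31 ws-22 198.51.100.20 443 1202
2024-03-01T09:03:00 ws-17 203.0.113.9 443 411
2024-03-01T09:04:00 ws-17 203.0.113.9 443 409
2024-03-01T09:05:00 ws-17 203.0.113.9 443 413
2024-03-01T09:06:40 ws-22 198.51.100.20 443 700
2024-03-01T09:15:03 ws-22 198.51.100.20 443 1500
"""


def parse_log(text):
    """Group log lines by (source host, destination IP, port) into (timestamp, bytes) lists."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows[(src, dst, int(port))].append((datetime.fromisoformat(ts), int(size)))
    return flows


def beacon_candidates(flows, min_connections=5, max_interval_cv=0.2, max_size_cv=0.1):
    """Flag flows whose connection timing and payload size are suspiciously regular.

    A bot checking in with its C&C server connects on a timer with an almost constant
    payload, so the coefficient of variation (stdev / mean) of the gaps between
    connections and of the byte counts is close to zero. Human browsing is not like that.
    """
    suspects = []
    for (src, dst, port), events in flows.items():
        if len(events) < min_connections:
            continue
        events = sorted(events)
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(events, events[1:])]
        sizes = [size for _, size in events]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap == 0 or mean_size == 0:
            continue  # a burst with identical timestamps is a different pattern; skip it here
        interval_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            suspects.append({"src": src, "dst": dst, "port": port, "count": len(events),
                             "mean_interval_s": mean_gap, "interval_cv": interval_cv})
    return suspects


def block_rule(suspect):
    """Host-firewall rule (iptables syntax) that cuts the suspected C&C channel."""
    return f"iptables -A OUTPUT -d {suspect['dst']} -p tcp --dport {suspect['port']} -j DROP"


if __name__ == "__main__":
    for s in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{s['src']} -> {s['dst']}:{s['port']} every {s['mean_interval_s']:.0f}s "
              f"({s['count']} connections, interval CV {s['interval_cv']:.2f})")
        print("  " + block_rule(s))
```

Only ws-17's once-a-minute connections to 203.0.113.9 are flagged; ws-22's irregular traffic to 198.51.100.20 is not. In practice the thresholds need tuning, since legitimate software (update checkers, monitoring agents) also beacons, so a hit is a lead to investigate, not proof of infection.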
21
Q

Logic Bomb

A
  • Waits for a predefined event, then triggers its payload
  • Often left behind by someone with a grudge
  • Ex triggers: a particular file being placed in a particular location, or a particular computer being turned on or off
  • Difficult to detect because logic bombs don't match any known signature, which makes them hard for antivirus/anti-malware to catch
  • Many logic bombs also delete themselves once executed, so the damage can be hard to investigate and repair
22
Q

Time Bomb

A
  • A specific type of logic bomb
  • Triggers when a particular date/time is reached
  • Ex: South Korea, March 2013: media and banking organizations were targeted and Trojan malware was installed. A day later the bomb went off, wiping the master boot record and rebooting systems, which then could not find an OS; many ATMs were disabled
  • Ex: Ukraine, December 2016: malware focused on high-voltage substations opened electrical circuits and caused an outage
23
Q

SCADA Network

A
  • Supervisory Control and Data Acquisition network
  • A SCADA system monitors and controls field devices (pumps, breakers, sensors, and so on) at remote sites from a centralized supervisory system. The supervisory system gathers data on the industrial process and sends control commands back to it.
24
Q

Preventing Logic Bomb

A
  • Have a formal change-control process, with controls in place to detect any changes in the environment that deviate from documented procedures
  • Use automated tools for this, such as host-based intrusion detection or a file integrity monitor like Tripwire
  • Constantly audit alerts and system changes, and make sure every system administrator change is authorized
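What a file integrity monitor like Tripwire actually does is simple enough to show in full: record a baseline of file hashes and permissions, then diff the current state against it. The following is an added example, not part of the original flashcards or of Tripwire; it builds a baseline over a constructed temporary directory, simulates an unauthorized edit of a backup script (a date-triggered destructive line, invented here for illustration), and reports the differences an auditor would have to explain.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file (relative to root) to its content hash and permission bits."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            mode = path.stat().st_mode & 0o777
            baseline[path.relative_to(root).as_posix()] = {"sha256": hash_file(path), "mode": oct(mode)}
    return baseline


def compare_baseline(old, new):
    """Report files that appeared, disappeared, or changed content/permissions since the baseline."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: a baseline, then three unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        backup = root / "bin" / "backup.sh"
        backup.write_text("#!/bin/sh\ntar czf /backup/data.tgz /data\n")
        cron = root / "etc" / "backup.cron"
        cron.write_text("0 2 * * * root /bin/backup.sh\n")

        before = build_baseline(root)

        # Simulated logic bomb: a date-triggered destructive line slipped into a trusted script.
        backup.write_text('#!/bin/sh\n[ "$(date +%m%d)" = 0401 ] && rm -rf /data\n'
                          "tar czf /backup/data.tgz /data\n")
        (root / "bin" / "cleanup.sh").write_text("#!/bin/sh\nrm -rf /backup\n")  # new unknown file
        cron.unlink()  # the scheduled job that would have run the legitimate backup is gone

        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The baseline itself must be stored somewhere the monitored host's administrators cannot silently rewrite (an append-only log host, or signed), otherwise the person planting the bomb can simply re-baseline after the change.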
25
Q

Plaintext / unencrypted passwords

A
  • Some applications store passwords "in the clear": no encryption or hashing, so anyone who can read the storage can read the passwords
  • This is relatively rare today
  • Never store passwords as plaintext
  • If an application does, stop using it or upgrade to a version that hashes its passwords
26
Q

Best way to store passwords

A
  • Store a hash of the password instead of the password: the hash represents it as a fixed-length string of text (also called a message digest or "fingerprint")
27
Q

Hash

A
  • Represents the password as a fixed-length string of text (also called a message digest or "fingerprint")
  • Different inputs should not produce the same hash (a collision); a good hash function makes finding one computationally infeasible
  • Secure because it is a "one-way trip": once you create the hash of a password, you can't recover the original password from the hash. The application verifies a login by hashing the submitted password and comparing it to the stored hash, so it never has to store the password itself
28
Q

SHA-256

A
  • Secure Hash Algorithm with a 256-bit digest; a very common hash function used in many protocols and applications
29
Q

Spraying attack

A
  • Tries a few very common passwords against many accounts, then moves on
  • Ex: the attacker has a list of usernames; instead of brute forcing one account with thousands of guesses, they try one common password against every account, then the next common password, and so on
  • Avoids the account lockout that too many incorrect guesses against a single account would trigger in a brute force attack
  • No alarms, no alerts, because each account sees only a failed attempt or two before the attacker moves on
30
Q

Brute Force

A
  • If an attacker wants to break into an account, they try every combination of letters, numbers, and special characters for that account
  • Online: guessing against the live login is very slow and will probably lock the account out
  • Offline: more commonly the attacker has already obtained the password hash file and runs the brute force offline, with no lockouts
  • Starting with a hash, they generate a candidate password, hash it, and compare the result to the stored hash; a match reveals the password
  • A strong (deliberately slow) hash algorithm slows this process down
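The difference between the two online attacks on the Spraying and Brute Force cards comes down to where the failed attempts land. The following is an added example, not part of the original flashcards; it runs both attacks against a toy login service with a constructed lockout policy (five failures per account, invented for illustration) and shows that brute force trips the lockout in five guesses while a spray across four accounts recovers three weak passwords without any account reaching the threshold.

```python
import hashlib
import itertools
import string

LOCKOUT_THRESHOLD = 5  # assumed policy: lock the account after 5 consecutive failures


class LoginService:
    """Toy online login service with per-account lockout (constructed for this example)."""

    def __init__(self, credentials):
        # Stores only hashes (unsalted, to keep the toy short; see the Salt card for why not).
        self._hashes = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in credentials.items()}
        self.failures = {u: 0 for u in credentials}
        self.locked = set()
        self.attempts = 0

    def login(self, user, password):
        self.attempts += 1
        if user not in self._hashes or user in self.locked:
            return False
        if hashlib.sha256(password.encode()).hexdigest() == self._hashes[user]:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)  # this is the alarm a brute force attack trips
        return False


def brute_force(service, user, alphabet=string.digits, max_len=4):
    """Online brute force: every combination against one account, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if user in service.locked:
                return None  # locked out long before the keyspace is exhausted
            guess = "".join(combo)
            if service.login(user, guess):
                return guess
    return None


def password_spray(service, users, common_passwords):
    """Spray: one common password against every account, then the next one."""
    found = {}
    for password in common_passwords:
        for user in users:
            if user not in found and service.login(user, password):
                found[user] = password
    return found


CREDENTIALS = {  # constructed accounts; the weak passwords are the point
    "alice": "Summer2024",
    "bob": "7391",
    "carol": "Password1",
    "dave": "Welcome1",
}
COMMON_PASSWORDS = ["Password1", "Welcome1", "Summer2024"]


def demo():
    bf_service = LoginService(CREDENTIALS)
    brute_result = brute_force(bf_service, "bob")

    spray_service = LoginService(CREDENTIALS)
    spray_result = password_spray(spray_service, list(CREDENTIALS), COMMON_PASSWORDS)
    return {
        "brute_force_result": brute_result,
        "brute_force_locked": sorted(bf_service.locked),
        "brute_force_attempts": bf_service.attempts,
        "spray_result": spray_result,
        "spray_locked": sorted(spray_service.locked),
        "spray_max_failures": max(spray_service.failures.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive takeaway is that per-account lockout alone does not detect spraying; you also need to alert on many accounts each failing once from the same source in a short window.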
31
Q

Dictionary Attack

A
  • Uses common words from a dictionary as the guesses
  • Custom word lists target the passwords common to a particular industry or type of job
  • Can apply letter substitutions (a → @, o → 0, and so on) and other rules to the dictionary words
32
Q

GPU

A
  • Graphics Processing Unit: a massively parallel processor that can compute many hashes at once
  • Used in brute force and dictionary attacks to speed things up dramatically
33
Q

Rainbow table

A
  • An optimized, pre-built set of hashes: the hashing work is done once and reused
  • Trades storage space for time: the table doesn't need to contain every hash; it contains pre-calculated hash chains from which the attacker can reconstruct them
  • Very fast at cracking, because it bypasses the time needed to compute each hash during the attack
  • Challenge for the attacker: a different application may use a different hash algorithm (or a salt), which requires a different rainbow table
34
Q

Salt

A
  • A little bit of extra random data added to the password before it is hashed; stored alongside the hash
  • Ex: if two users have the same password, their stored hashes will be different
  • Defeats rainbow tables, because a table would have to be built for every possible salt value
  • Doesn't stop brute force, but slows it down: every hash has its own salt, so the attacker must crack each one separately instead of testing one guess against the whole file at once
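The Best way to store passwords, Hash, Dictionary Attack, Rainbow table, and Salt cards above describe one attack-and-defence story, and it is clearest when run end to end. The following is an added example, not part of the original flashcards; it builds a precomputed hash-to-password table from a small constructed dictionary with substitution rules (a lookup table standing in for a rainbow table, without the chain compression), cracks unsalted SHA-256 hashes with it, then shows that per-user salts with a slow hash (PBKDF2 with an assumed work factor of 100,000 rounds) make the table useless and identical passwords indistinguishable. The storage format `salt_hex$digest_hex` is an assumption of this example.

```python
import hashlib
import hmac
import os

# Letter substitutions a dictionary attack applies to each word (see the Dictionary Attack card).
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ("", "1", "123", "!", "2024")
PBKDF2_ROUNDS = 100_000  # assumed work factor; real deployments tune this to their hardware


def mangle(word):
    """Generate the candidate guesses a dictionary attack derives from one word."""
    substituted = "".join(SUBSTITUTIONS.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), substituted, substituted.capitalize()}
    return {base + suffix for base in bases for suffix in SUFFIXES}


def hash_unsalted(password):
    """How NOT to store a password: one bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Store 'salt_hex$digest_hex' (format assumed here): random per-user salt plus a slow hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt; compare in constant time to avoid a timing leak."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_lookup_table(dictionary):
    """Precompute hash -> candidate for every mangled word, so a stolen unsalted hash cracks
    with a single lookup. A real rainbow table compresses this into chains; same idea."""
    return {hash_unsalted(candidate): candidate for word in dictionary for candidate in mangle(word)}


def crack_unsalted(table, stored_hashes):
    """Look every stolen hash up in the table; None means the password was not in the table."""
    return {user: table.get(h) for user, h in stored_hashes.items()}


DICTIONARY = ["summer", "password", "welcome", "dragon"]
USERS = {  # constructed accounts; two users chose the same password on purpose
    "alice": "Summer2024",
    "bob": "p@$$w0rd",
    "carol": "Summer2024",
    "dave": "xK9#vQ2mL7",
}


def demo():
    table = build_lookup_table(DICTIONARY)
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return {
        "table_size": len(table),
        "alice_carol_same_unsalted": unsalted["alice"] == unsalted["carol"],
        "alice_carol_same_salted": salted["alice"] == salted["carol"],
        "cracked": crack_unsalted(table, unsalted),
        # the table was built without salts, so it never matches a salted digest
        "salted_lookup_hits": sum(s.split("$")[1] in table for s in salted.values()),
        "verify_ok": verify_salted("Summer2024", salted["alice"]),
        "verify_wrong": verify_salted("Summer2025", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not rely on the salt being secret: it is stored in the clear next to the digest. Its job is to force the attacker to recompute every guess per user, and the slow hash makes each of those recomputations expensive.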
35
Q

Physical attacks

A
  • Not all attacks occur over the network
  • Ex: a malicious USB cable that looks like an ordinary charging cable
  • Don't plug in anything unknown, including that "free" flash drive
36
Q

HID

A
  • Human Interface Device (for example a keyboard or mouse)
  • A malicious USB cable or flash drive can present itself to the computer as an HID
  • When plugged in, it can start "typing" on its own: opening files, running commands, downloading malware
37
Q

Malicious Flash drive

A
  • Ex: may carry malicious files such as a PDF with an exploit or a spreadsheet with macros
  • Can be configured as a boot device, which infects the computer after a reboot
  • Can present itself as a USB Ethernet adapter and act as the computer's network gateway, redirecting or intercepting its traffic
38
Q

Skimming

A
  • Stealing credit card information while the card is being used for some other purpose
  • Ex: a device that reads the magnetic stripe, fitted over the legitimate card reader itself
  • A hidden camera may also record the PIN typed on the ATM keypad
  • Check the card reader before using it; pull on it to make sure nothing pops off
39
Q

Card Cloning

A
  • Creating a duplicate of a credit card from stolen data, including the card verification code encoded on the stripe
  • Attackers clone the magnetic stripe, not the chip, because the chip's secrets can't be copied this way
  • Ex: gift cards are popular targets: attackers clone a card still on the rack, wait for it to be activated, then spend the balance before the legitimate buyer can
40
Q

Machine Learning

A
  • Finds patterns in data; takes a lot of data to train the system
  • Ex: a spam filter catches more spam when it has been trained on more spam examples
  • The training process assumes that all of the training data is legitimate
  • If attackers feed in fake (poisoned) training data, that corrupts what the model learns
  • Ex: Microsoft's AI chatbot Tay ("Thinking About You") was added to Twitter in 2016 without any anti-offensive-behaviour filtering; other users realized they could poison Tay with offensive input
  • Ex: attackers tricked an ML model into revealing actual SSNs that had been used to train it
  • Ex: once spammers know what the spam filter was trained on, they can tweak their language to evade it
41
Q

Prevent issues with ML training data

A
  • Cross-check and verify the training data
  • Constantly retrain with new data
  • Use more data and better data
  • Use the same techniques the attackers use (feed your own model poisoned or adversarial input) to find weaknesses before they do
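The poisoning scenario on the Machine Learning card, and the "use the attackers' techniques yourself" advice on this card, can be reproduced in a few dozen lines with the classic spam filter. The following is an added example, not part of the original flashcards; it trains a minimal naive Bayes classifier on a constructed set of labelled messages, then retrains it with four poisoned examples (spam wording labelled as ham, as if an attacker had abused a "not spam" feedback button) and shows the same message flipping from spam to ham. The messages and labels are invented for illustration.

```python
import math
from collections import Counter


def tokenize(text):
    return text.lower().split()


class NaiveBayesSpamFilter:
    """Minimal multinomial naive Bayes with Laplace smoothing (constructed for this example)."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, examples):
        for text, label in examples:
            self.doc_counts[label] += 1
            self.word_counts[label].update(tokenize(text))
        return self

    def log_score(self, text, label):
        """log P(label) + sum of log P(word | label), with add-one smoothing."""
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        total_words = sum(self.word_counts[label].values())
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for word in tokenize(text):
            score += math.log((self.word_counts[label][word] + 1) / (total_words + len(vocab)))
        return score

    def classify(self, text):
        return "spam" if self.log_score(text, "spam") > self.log_score(text, "ham") else "ham"


CLEAN_TRAINING = [  # constructed training set
    ("win a free prize claim now", "spam"),
    ("free money click here now", "spam"),
    ("claim your free reward today", "spam"),
    ("meeting moved to 3pm see agenda", "ham"),
    ("please review the quarterly report", "ham"),
    ("lunch tomorrow with the team", "ham"),
]
# Poisoned examples: spam wording deliberately labelled ham, as an attacker who can
# influence the feedback loop would submit. Four copies are enough to tip this small model.
POISONED_EXAMPLES = [("free prize claim now", "ham")] * 4

TEST_MESSAGE = "claim your free prize now"


def demo():
    """Return (verdict with clean training data, verdict after poisoning)."""
    clean = NaiveBayesSpamFilter().train(CLEAN_TRAINING)
    poisoned = NaiveBayesSpamFilter().train(CLEAN_TRAINING + POISONED_EXAMPLES)
    return clean.classify(TEST_MESSAGE), poisoned.classify(TEST_MESSAGE)


if __name__ == "__main__":
    before, after = demo()
    print(f"'{TEST_MESSAGE}' -> clean model: {before}, poisoned model: {after}")
```

The defence on this card maps directly onto the code: "cross-check the training data" means not accepting `POISONED_EXAMPLES` from an unauthenticated feedback channel, and "use the attackers' techniques" means running exactly this experiment against your own model before deployment.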
42
Q

Supply Chain

A
  • Raw materials, suppliers, manufacturers, distributors, customers, consumers
  • Provides a lot of points of attack
  • We tend to trust our suppliers
  • Ex: Target Corp. in 2013: the breach started at an HVAC contractor. The contractor's technicians used a VPN connection into Target; an email carrying malware stole those VPN credentials, which the attackers then used to get in
  • The attack vector was a surprise
43
Q

Supply chain access points

A
  • Can you trust your new server, router, switch, firewall, or software?
  • Supply chain cyber security is a big concern
  • Many companies are narrowing their vendor list so they can do more testing and auditing of each vendor
  • Many companies require that suppliers have strict controls in their own supplier networks
44
Q

Cloud-based vs on-premises

A
  • Two schools of thought: on-site is more secure vs. cloud is more secure
  • Cloud: everything is centralized, so costs tend to be lower (no data center to run, no software to purchase, fewer IT services to staff)
  • On-site: you have to run your own data center, but you know where all of your data is and control what happens to it
45
Q

On-premises security

A
  • You control everything in house
  • You choose your own IT team, its expertise, and the security controls in place
  • There are additional costs for all of this
  • You are responsible for all uptime and availability
  • Making security changes can take time (a reconfiguration may require new hardware or software)
46
Q

Cloud-based system

A
  • You control how much security is applied to your data, but usually have no physical access to it
  • Third-party access to your data is a concern
  • Benefits: cloud providers secure a lot of customers and have a lot of past experience
  • Challenge: making sure your own users follow best practices for accessing the data
  • Tends to be more available (more redundancy)
  • May offer additional options (for example third-party firewalls) that an on-premises deployment might not
47
Q

Cryptographic attacks

A
  • How do we know that encrypted data is really secure from the start of transmission to delivery?
  • The attacker usually doesn't have the decryption key, so they try other things
  • Ex: attackers look for vulnerabilities; often it's not the cryptography that's the problem but the way the cryptography was implemented
48
Q

Birthday Attack

A
  • With 23 people in a room there is about a 50% chance that two of them share a birthday
  • Because you are comparing every person to every other person, not everyone to one fixed date
  • The same math applies to hash collisions: finding any two inputs with the same hash takes far fewer attempts than finding a second input matching one specific hash
49
Q

Hash collision

A
  • Two different plaintexts producing the same hash value
  • Should never happen in practice
  • If an attacker can find one, they can substitute one document for the other (for example a forged certificate for a legitimate one) and the hash still matches
  • Prevention: use a hash algorithm with a longer output and no known collision attacks
  • A hash should always be unique for each input; with a weak algorithm, sometimes that doesn't hold
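The birthday math on the previous card and the collision on this one are the same calculation, and it helps to see both the probability and an actual collision. The following is an added example, not part of the original flashcards; it computes the exact birthday-collision probability, then finds a real collision on a deliberately truncated SHA-256 (keeping only the top few bits so the search finishes in seconds) in roughly the square-root number of trials the birthday bound predicts. Full-length SHA-256 has no known collisions; the truncation is the assumption that makes the demonstration feasible.

```python
import hashlib
import itertools
import math


def birthday_collision_probability(n, space):
    """Probability that n uniformly random draws from `space` values contain a repeat."""
    p_no_collision = 1.0
    for k in range(n):
        p_no_collision *= (space - k) / space
    return 1.0 - p_no_collision


def expected_trials_for_collision(bits):
    """Approximate number of random hashes needed before two share a `bits`-bit digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_sha256(data, bits):
    """Keep only the top `bits` bits of SHA-256 so that collisions are reachable in-process."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits, prefix=b"doc-"):
    """Hash distinct messages until two share the same truncated digest.

    Returns (message_a, message_b, trials). Any pair will do, which is why this
    needs about 2**(bits/2) trials rather than the 2**bits a search for a second
    preimage of one specific hash would need.
    """
    seen = {}
    for i in itertools.count():
        message = prefix + str(i).encode()
        digest = truncated_sha256(message, bits)
        if digest in seen:
            return seen[digest], message, i + 1
        seen[digest] = message


if __name__ == "__main__":
    print(f"23 people, 365 days: P(shared birthday) = {birthday_collision_probability(23, 365):.3f}")
    bits = 32
    a, b, trials = find_collision(bits)
    print(f"{bits}-bit collision after {trials} trials "
          f"(expected about {expected_trials_for_collision(bits):.0f})")
    print(f"  {a!r} and {b!r} both hash to {truncated_sha256(a, bits):#x}")
```

The "increase the length of the hash" advice follows from `expected_trials_for_collision`: every extra bit of digest doubles the work of a preimage search but only multiplies collision work by the square root of two, which is why collision resistance is the first property a weak hash loses.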
50
Q

MD5

A
  • Message Digest Algorithm 5
  • Hash algorithm with known, practical hash collisions
  • Attackers used an MD5 collision to create a fake certificate authority certificate that browsers trusted
51
Q

Downgrade Attack

A
  • When two sides set up a secure connection, they negotiate and agree on the strongest encryption protocol and cipher both support
  • If an attacker can sit in the middle and influence that conversation, they can make both sides downgrade to an encryption method that is easy to break
  • Ex: POODLE (Padding Oracle On Downgraded Legacy Encryption) against TLS (Transport Layer Security, the successor to SSL, used to secure communication with web servers): clients whose TLS handshake failed would fall back to SSL 3.0, which the attacker could then break
  • Now clients and servers are configured to refuse to downgrade to SSL 3.0
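The fallback behaviour POODLE exploited, and the fix, are easiest to see as code. The following is an added example, not part of the original flashcards; the first function is a toy model of the client's "downgrade dance" (retry with a lower protocol version after a failed handshake, which a man-in-the-middle can provoke by tampering with the stronger attempts), with a version ranking constructed for the model. The second function is the real-world equivalent for Python's `ssl` module: pinning a minimum protocol version so the library fails closed instead of falling back.

```python
import ssl

# Protocol versions ranked weakest to strongest (constructed table for the toy model).
RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
ALL_VERSIONS = list(RANK)


def connect_with_fallback(client_versions, server_versions, blocked_by_attacker, client_floor):
    """Model the 'downgrade dance' POODLE abused.

    The client tries its best version first; if the handshake fails (here: because a
    man-in-the-middle tampered with it) it retries one version lower. With no floor it
    eventually lands on SSL 3.0; with a floor it refuses to continue and fails closed.
    """
    for version in sorted(client_versions, key=RANK.get, reverse=True):
        if RANK[version] < RANK[client_floor]:
            return None  # refuse to fall back any further
        if version in server_versions and version not in blocked_by_attacker:
            return version
    return None


def hardened_client_context():
    """Real-world equivalent: the ssl module will not negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    attacker_blocks = {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"}
    print("no attacker:", connect_with_fallback(ALL_VERSIONS, ALL_VERSIONS, set(), "SSLv3"))
    print("attacker, no floor:", connect_with_fallback(ALL_VERSIONS, ALL_VERSIONS, attacker_blocks, "SSLv3"))
    print("attacker, TLS 1.2 floor:", connect_with_fallback(ALL_VERSIONS, ALL_VERSIONS, attacker_blocks, "TLSv1.2"))
    print("ssl minimum version:", hardened_client_context().minimum_version)
```

With the floor in place the attacker can still cause the connection to fail, but that is a denial of service the user notices, not a silent downgrade to a protocol they can decrypt.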
52
Q

Privilege Escalation

A
  • Gaining a higher level of access to a system than you were granted
  • Often the attacker starts as a normal (non-admin) user and gains greater access by exploiting a bug or design flaw, enabling that normal user to act as an admin
  • Can also be horizontal escalation (gaining access to the resources of another user at the same privilege level); it doesn't have to be vertical