Threats, Attacks & Vulnerabilities

Question 1

Indicator of Compromise (IOC)

Answer 1

Indications that a system has been compromised.

Question 2

Network Traffic IOC (5 types)

Answer 2

-Unusual outbound traffic
-Geographical irregularities
-Unusual DNS requests
-Mismatched port-application traffic
-Web traffic with non-human behavior

Question 3

Account Traffic IOC (3 types)

Answer 3

• Anomalies in privileged user account activity
• Account login red flags
• Mobile device profile changes

Question 4

Data IOC (5 types)

Answer 4

• Large database read volumes
• HTML response sizes
• Large numbers of requests for the same file,
• Suspicious registry or system file changes
• Bundles of data in the wrong place

Question 5

Crypto Malware/Ransomware

Answer 5

Malware that encrypts files on a system.

Question 6

Virus

Answer 6

Malicious programs that self-copy and self-replicate.

Question 7

Non-memory-resident virus

Answer 7

Executes, spreads, and then shut down the system.

Question 8

Boot sector virus

Answer 8

• Reside inside the boot sector of a drive.
• Executes before the computer has fully booted.

Question 9

Worm

Answer 9

• Self Replicates
• Self installs (do not require interaction)
• Can spread via many methods

Question 10

E-mail Virus

Answer 10

Spread via email either as attachments

Question 11

Macro Virus

Answer 11

Use macros or code inside word processing software or other tools to spread

Question 12

Fileless Virus

Answer 12

Do not require file storage

Question 13

Trojan

Answer 13

• Disguised as legitimate software (requires interaction)

Question 14

RAT (Remote Access Trojan)

Answer 14

• A Trojan that allows for remote access

Note: Can be confused with legitimate RAT software creating false positives in anti-malware software.

Question 15

E-mail Worm

Answer 15

• Creates and sends outbound messages to all the addresses in a user’s contact list.
• The messages include a malicious executable file that infects the new system when the recipient opens it.

Question 16

File-Sharing Worm

Answer 16

• File-sharing worms copy themselves into shared folders and spread through peer-to-peer file-sharing networks.

Note: often target industrial environments, including power utilities, water supply services and sewage plants.

Question 17

Crypto Worm

Answer 17

Perpetrators can use this type of worm in ransomware attacks

Question 18

Instant Messaging Worm

Answer 18

Like email worms, instant messaging worms are masked by attachments or links

Question 18

Internet Worm

Answer 18

• Specifically target popular websites with poor security. 7
• If they can infect the site, they can infect a computer accessing the site.

Question 19

Rootkit

Answer 19

Rootkits are malware that is specifically designed to allow attackers to access a system through a backdoor.

Question 20

Keylogger

Answer 20

Captures input. Keyboard, Mouse, touchscreen, swipes.

Question 21

Spyware

Answer 21

Spyware is malware that is designed to obtain information about an individual, organization, or system.

Question 22

Adware

Answer 22

Spreads advertisement on infected system.

Question 23

Bots

Answer 23

• Bots are remotely controlled systems or devices that have a malware infection.
• Can be organized into Botnets.

Question 24

Command & Control System

Answer 24

• Many botnet command and control (C&C) systems operate in a client-server mode, which provide commands and updates.
• Many modern botnets rely on secure HTTP (HTTPS) traffic to help hide C&C traffic and to prevent it from easily being monitored.

Question 25

Logic Bomb

Answer 25

Functions or code that are placed inside other programs that will activate when set conditions are met.

Question 26

Backdoor

Answer 26

• Provide access that bypasses normal authentication and authorization procedures.
• Backdoors can be hardware or software based.

Question 27

Whaling

Answer 27

Targeting CEO or C-suite individual.

Question 28

Spear Phishing

Answer 28

Targeting specific roles/individuals.

Question 29

Phishing

Answer 29

Often focused on obtaining credentials like usernames and passwords. Often via E-mail.

Question 30

Vishing

Answer 30

Phishing using phone.

Question 31

Smishing

Answer 31

Phishing using SMS.

Question 32

Impersonation

Answer 32

Social Engineering technique pretending to be someone else.

Question 33

Dumpster Diving

Answer 33

Procuring sensitive data in the trash.

Question 34

Credential Harvesting

Answer 34

• Often via Phishing.
• Can be achieved through acquisition of user databases and passwords.

Question 35

Watering Hole Attack

Answer 35

Where an attacker uses a well-known website that they infect with malware.

Question 36

Typosquatting

Answer 36

Using similar DNS to catch traffic from individuals making a typo.

Question 37

DOS

Answer 37

• Denial of Service (Overload)
• DoS attacks are done by exploiting a vulnerability in a specific application, operating system, or protocol.

Question 38

Man-In-The-Middle (MITM)

Answer 38

An attacker intercepts a conversation/traffic between two users.

Question 38

DDOS

Answer 38

• Distributed denial-of-service attacks.
• Use botnets/malware to take down big targets.

Question 39

Buffer Overflow

Answer 39

A large amount of data than allowed is inserted into an application, resulting in data overflow into the adjacent memory and memory corruption.

Question 40

Injection

Answer 40

Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.

Question 41

Cross Site Scripting (XSS Injection)

Answer 41

• Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website.
• Allow an attacker to take the place of a victim user, do anything the user is able to do, and access any of the user’s data.
• If the user who is being attacked has privileged access inside the program, the attacker may be able to take full control of the data and functions of the application.

Question 41

SQL Injection

Answer 41

• SQL injection is a weakness in web security that could let an attacker change the SQL queries that are run on the database.
• This can be used to get sensitive information like the structure of the database, its tables, columns, and data set.

Question 42

Code Injection

Answer 42

An application has a code injection vulnerability if an attacker can present application code as user input and convince the server to execute it.

Question 43

OS Command Injection

Answer 43

• In most cases, they will inject this instruction into the program via an input method such as HTTP parameters, cookies, or form fields.. -

-Attackers are able to run certain commands on the host machine and start attacking the network from the infected system.

Question 44

Privilege Escalation

Answer 44

• Vertical and Horizontal
• Vertical privilege escalation involves a user accessing files or functions that are normally associated with accounts that have higher privileges.
• Horizontal privilege escalation allows users to access resources in other accounts with similar privilege levels as they have.

Question 45

Spoofing

Answer 45

Using someones identity

Question 46

ARP Poisoning

Answer 46

An ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows attackers to intercept communication between network devices.

Question 47

Pharming

Answer 47

Re-directing traffic from a website to another

Question 48

Amplification

Answer 48

Amplification attacks generate a high volume of packets that are used to overwhelm the target website without alerting the intermediary.

Question 49

DNS Poisoning

Answer 49

Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website.

Question 50

Domain Hijacking

Answer 50

Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.

Question 51

Man In The Browser (MITB)

Answer 51

Man-in-the-Browser Attack: An MITB attack injects malicious software (malware) into a victim’s web browser.

Question 52

Zero Day

Answer 52

After a attacker uncover a vulnerability, they do not disclose it but rather store it in a vulnerability repository for later use.

Question 53

Pass The Hash

Answer 53

A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access to other networked systems.

Question 54

Clickjacking

Answer 54

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Question 55

Session Hijacking

Answer 55

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

Question 56

Refactoring

Answer 56

Sophisticated attackers may reach down into device drivers and manipulate them in ways that undermine security.

Question 57

MAC spoofing

Answer 57

MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device.

Question 58

IP spoofing

Answer 58

IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both.

Question 59

Replay

Answer 59

A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.

Question 60

Evil Twin

Answer 60

An evil twin attack is a cyberattack that works by tricking users into connecting to a fake Wi-Fi access point.

Question 60

Rogue AP

Answer 60

A rogue access point is an access point installed on a network without the network owner’s permission.

Question 61

Jamming

Answer 61

A jamming attack is an attack in which an attacker transfers interfering signals on a wireless network intentionally.

Question 62

Bluejacking

Answer 62

Bluejacking is a Bluetooth attack in which a hacker spams your device with unsolicited phishing messages.

Question 63

Bluesnarfing

Answer 63

Bluesnarfing is a hacking technique in which a hacker accesses a wireless device through a Bluetooth connection.

Question 64

Known Plain Text/Cipher Attack

Answer 64

In the known plaintext attack, the hacker has access both the ciphertext and its corresponding plaintext.

Question 65

Birthday Attack

Answer 65

This is named after the “birthday paradox,” which describes the high (50%) probability that two individuals (in a group of 23 or more) will share a birthday.

Question 66

Rainbow Table Attack

Answer 66

• Rainbow tables are an easily searchable database of precomputed hashes using the same hashing methodology as the captured password file (length, complexity etc).

Question 67

Brute Force Attack

Answer 67

Brute force is a process that involves trying different variations until it succeeds.

Question 68

Dictionary Attack

Answer 68

A form of brute-force attack that uses a list of words for their attempts.

Question 68

Downgrade Attack

Answer 68

A downgrade attack is an attack in which the attacker tries to force two hosts on a network (for example, a client (browser) and a website server) to use an insecure or weakly protected data transmission protocol (such as HTTP instead of HTTPS, or SSL instead of TLS).

Question 69

Collission Attack

Answer 69

Collision attacks are a type of attack in which an attacker generates two or more different messages that produce the same hash value when hashed using a cryptographic hashing algorithm like SHA-1 or SHA-2.

Question 70

Active Reconnaissance

Answer 70

Used during phone calls, email, and other means of contact to elicit more information about a target than is publicly available.

Question 71

Passive Reconnaissance

Answer 71

Passive reconnaissance is the process of gathering information about the target without directly interacting with it.

Question 72

Pivot

Answer 72

In penetration testing, pivoting is the act of using a compromised system to spread between different computer systems once inside the network, simulating the behavior of a real attacker.

Question 73

Escalation of Privilege

Answer 73

Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems.

Question 73

Initial Exploitation

Answer 73

Once the tester is armed with the knowledge of vulnerabilities present in the system, they will start exploiting them. This will help in identifying the nature of the security gaps and the effort required to exploit them.

Question 74

Persistence

Answer 74

When a threat actor discreetly maintains long-term access

Question 75

Black Box Pentest

Answer 75

The tester here has no knowledge of the system and designs the test as an uninformed attacker.

Question 76

Gray Box Pentest

Answer 76

As suggested by the name, this approach stands midway between white box pentesting and black box testing.

Question 77

White Box Pentest

Answer 77

In a white box test, the testers have complete knowledge of the system and complete access.

Question 78

Pen testing vs. vulnerability scanning

Answer 78

• Vulnerability assessment is focused on detecting and categorizing vulnerabilities in a system.
• Penetration testing involves exploiting vulnerabilities to draw insights about them.

Question 79

End of Life Vulnerability

Answer 79

End-of-life refers to a system that is no longer functioning as intended. This could be because the original vendor doesn’t support it anymore.

Question 80

Missconfiguration/Weak Configuration Vulnerability

Answer 80

This refers to any kind of configuration that weakens the security posture of an organization or its systems. This might be leaving default credentials as-is.

Question 81

Default configuration Vulnerability

Answer 81

Default configuration is “the configuration that a system enters upon start, upon recovering from an error, and at times when operating.”

Question 82

Resource exhaustion Vulnerability

Answer 82

If a program runs out of memory, or needs more bandwidth, the program might run into errors or crash.

Question 83

Improperly configured accounts Vulnerability

Answer 83

If a database is configured with overly permissive access rights, or if it is exposed to the public internet without proper authentication, then it could be vulnerable to attack.

Question 83

Weak cipher suites and implementations Vulnerability

Answer 83

Weak ciphers are those encryption algorithms vulnerable to attack, often as a result of an insufficient key length.

Question 84

Memory/buffer vulnerability

Answer 84

If you ask for user input, but do not verify or limit the length of the input, it could result in a buffer overflow. This means that other areas in memory will be overwritten.

Question 85

Zero Day Vulnerability

Answer 85

A zero day is a vulnerability that is new and not yet covered by a patch.

Question 86

Threat Intelligence

Answer 86

Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.

Question 87

OSINT

Answer 87

Open Source Intelligence. Can be governmental or vendor based.

Question 88

Vulnerability databases

Answer 88

Reports of vulnerabilities certainly help direct an organization’s defensive efforts, but they also provide valuable insight into the types of exploit being discovered by researchers.

Question 89

Closed source intelligence

Answer 89

Commercial security vendors, government organizations, and other security-centric organizations also create and make use of proprietary, or closed-source intelligence.

Question 90

Threat Map

Answer 90

Threat maps provide a geographic view of threat intelligence.

Question 91

Assessing Threat Intelligence (3 concepts)

Answer 91

Is it timely, accurate and relevant.

Question 92

Structured Threat Information eXpression (STIX)

Answer 92

XML language originally sponsored by the U.S. Department of Homeland Security.

Question 93

Indicator Management

Answer 93

To allow threat information to be processed and used in automated ways.

Question 94

Shadow IT

Answer 94

Unauthorized technology installed or used on corporate devices.

Question 95

Open Indicators of Compromise (OpenIOC)

Answer 95

A typical IOC includes metadata like the author, the name of the IOC, and a description of the indicator. The full definition of the IOC may also include details of the actual compromise(s) that led to the indicator’s discovery.

Question 96

Trusted Automated eXchange of Indicator Information (TAXII) protocol.

Answer 96

TAXII is intended to allow cyber threat information to be communicated at the application layer via HTTPS. TAXII is specifically designed to support STIX data exchange.

Question 97

CISA

Answer 97

Cybersecurity and Infrastructure Security Agency

Question 98

SANS

Answer 98

SANS Institute. SANS is the world’s largest cybersecurity research and training organization

Question 99

Information Sharing and Analysis Centers (ISACs)

Answer 99

Organization to help infrastructure owners and operators share threat information and provide tools and assistance to their members.