2.4 Given a scenario, analyze indicators of malicious activity

Question 1

Physical attacks

Answer 1

• Brute force
• Radio frequency identification
  (RFID) cloning
• Environmental

Question 2

Brute Force Attacks in physical attack

Answer 2

● Forcible entry
● Tampering with security devices
● Confronting security personnel
● Ramming a barrier with a vehicle

Question 3

What is Brute Force attack

Answer 3

Type of attack where access to a system is gained by simply trying all of the possibilities until you break through.

Question 4

Access Badges

Answer 4

● Use of Radio Frequency Identification (RFID) or Near Field
Communication (NFC) for access

Question 5

Some of the different methods used by attackers to bypass organization surveillance systems

Answer 5

• Visual Obstruction: blocking, spraying, placing sticker, positioning objects
• Blinding Sensors and Cameras : overwhelming the sensor or camera with a sudden burst of light

Interfering with Acoustics : Jamming or playing loud music to disrupt the microphone’s functionality

Interfering with Electromagnetic: (EMI) : involves jamming the signals that surveillance system relies on to
monitor the environment

Question 6

Access Badge Cloning

Answer 6

Copying the data from an RFID or NFC card or badge onto another card or device

Question 7

How does an attacker clone an access badge ?

Answer 7

■ Step 1: Scanning
● Scanning or reading the targeted individual’s access badge

■ Step 2: Data Extraction
● Attackers extract the relevant authentication credentials from the card,
such as a unique identifier or a set of encrypted data

■ Step 3: Writing to a new card or device
● Attacker will then transfers the extracted data onto a blank RFID or NFC
card or another compatible device

■ Step 4: Using the cloned access badge
● Attackers gain unauthorized access to buildings, computer systems, or
even make payments using a cloned NFC-enabled credit card

Question 8

How can you stop access badge cloning?

Answer 8

■ Implement advanced encryption in your card-based authentication systems
■ Implement Multi-Factor Authentication (MFA)
■ Regularly update your security protocols
■ Educate your users
■ Implement the use of shielded wallets or sleeves with your RFID access badges
■ Monitor and audit your access logs

Question 9

Malware

Answer 9

Malicious software designed to infiltrate computer systems and potentially
damage them without user consent

Question 10

Threat Vector

Answer 10

Method used to infiltrate a victim’s machine

Question 11

Attack Vector

Answer 11

Combines both method of gaining unauthorized access and infection process

Question 12

Examples of Threat Vector

Answer 12

○ Unpatched software
○ USB drive installation
○ Phishing campaign

Question 13

Types of Malware Attacks

Answer 13

■ Viruses
■ Worms
■ Trojans
■ Ransomware
■ Spyware
■ Rootkits

Question 14

Viruses

Answer 14

Attach to clean files, spread, and corrupt host file

Question 15

Worms

Answer 15

● Standalone programs replicating and spreading to other computers

Question 16

Trojans

Answer 16

● Disguise as legitimate software, grant unauthorized access

Question 17

Ransomware

Answer 17

● Encrypts user data, demands ransom for decryption

Question 18

Zombies and Botnets

Answer 18

● Compromised computers remotely controlled in a network for malicious
purposes

Question 19

Rootkits

Answer 19

Designed to gain administrative level control over a given computer system
without being detected

Question 20

Backdoors and Logic Bombs

Answer 20

Backdoors allow unauthorized access, logic bombs execute malicious actions

Question 21

Keyloggers

Answer 21

● Record keystrokes, capture passwords or sensitive information

Question 22

■ Spyware and Bloatware

Answer 22

● Spyware monitors and gathers user/system information,
bloatware
consumes resources without value

Question 23

Malware Techniques and Infection Vectors

Answer 23

■ Evolving from file-based tactics to modern fileless techniques
■ Multi-stage deployment, leveraging system tools, and obfuscation techniques

Fileless Malware is used to create a process in the system memory without
relying on the local file system of the infected host

Question 24

Indications of Malware Attack

Answer 24

■ Recognizing signs like the following
● Account lockouts
● Concurrent session utilization
● Blocked content
● Impossible travel
● Resource consumption
● Inaccessibility
● Out-of-cycle logging
● Missing logs
● Documented attacks

Question 25

10 Different Types of Viruses

Answer 25

Boot Sector Macro Program Multipartite Encrypted Polymorphic Metamorphic Stealth Armored Hoax

Question 26

Boot Sector Virus

Answer 26

● One that is stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up

Question 27

Macro Virus

Answer 27

● Form of code that allows a virus to be embedded inside another document so that when that document is opened by the user, the virus is executed

Question 28

Program Virus

Answer 28

● Try to find executables or application files to infect with their malicious code

Question 29

Multipartite Virus

Answer 29

● Combination of a boot sector type virus and a program virus It can install itself in a program where it can be run every time the computer starts up

Question 30

Encrypted Virus

Answer 30

● Designed to hide itself from being detected by encrypting its malicious code or payloads to avoid detection by any antivirus software

Question 31

Polymorphic Virus

Answer 31

Advanced version of an encrypted virus, but instead of just encrypting the contents it will actually change the viruses code each time it is executed

Question 32

Metamorphic Virus

Answer 32

● Able to rewrite themselves entirely before it attempts to infect a given file

Question 33

Stealth

Answer 33

Technique used to prevent the virus from being detected by the anti-virus software

Question 34

Armored

Answer 34

● Have a layer of protection to confuse a program or a person who's trying to analyze it

Question 35

Hoax

Answer 35

● Form of technical social engineering that attempts to scare our end users

Question 36

○ Worm

Answer 36

Able to self-replicate and spread throughout your network without a user's consent or their action

Question 37

Worms are dangerous for two reasons

Answer 37

■ Infect your workstation and other computing assets ■ Cause disruptions to your normal network traffic since they are constantly trying to replicate and spread themselves across the network ○ Worms are best known for spreading far and wide over the internet in a relative short amount of time

Question 38

Trojans

Answer 38

Piece of malicious software Claims that it will perform some needed or desired function for you

Question 39

Remote Access Trojan (RAT)

Answer 39

■ Widely used by modern attackers because it provides the attacker with remote control of a victim machine like a backdoor in our modern networks

Question 40

Trojans are commonly used today by attackers to

Answer 40

- exploit a vulnerability in your workstation and then - conducting data exfiltration to steal your sensitive documents, - creating backdoors to maintain persistence on your systems, - and other malicious activities

Question 41

How can we protect ourselves and our organizations against ransomware?

Answer 41

■ Always conduct regular backups ■ Install software updates regularly ■ Provide security awareness training to your users ■ Implement Multi-Factor Authentication (MFA)

Question 42

What should you do if you find yourself or your organization as the victim of a ransomware attack?

Answer 42

■ Never pay the ransom ■ If you suspect ransomware has infected your machine, you should disconnect it from the network ■ Notify the authorities ■ Restore your data and systems from known good backups

Question 43

Command and Control Node

Answer 43

Computer responsible for managing and coordinating the activities of other nodes or devices within a network

Question 44

Botnets are used

Answer 44

■ as pivot points ■ disguise the real attacker ■ to host illegal activities ■ to spam others by sending out phishing campaigns and other malware - to combine processing power to break through different types of encryption schemes ○ Attackers usually only use about 20-25% of any zombie’s power

Question 45

Most common use for a botnet is to conduct

Answer 45

a DDoS (Distributed Denial-of-Service) attack ■ Distributed Denial-of-Service (DDoS) Attack ● Occurs when many machines target a single victim and attack them at the exact same time

Question 46

different rings of permissions throughout the system

Answer 46

Ring 3 (Outermost Ring) ● Where user level permissions are used ■ Ring 0 (Innermost or Highest Permission Levels) ● Operating in Ring 0 is called “kernel mode” ● Kernel Mode: Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things

Question 47

DLL Injection

Answer 47

● Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library

Question 48

Dynamic Link Library (DLL)

Answer 48

● Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development

Question 49

Shim

Answer 49

● Piece of software code that is placed between two components and that intercepts the calls between those components and can be used redirect them

Question 50

How To detect Rootkits

Answer 50

To detect them, the best way is to boot from an external device and then scan the internal hard drive to ensure that you can detect those rootkits using a good anti-malware scanning solution from a live boot Linux distribution

Question 51

Logic Bombs

Answer 51

Malicious code that's inserted into a program, and the malicious code will only execute when certain conditions have been met

Question 52

Keyloggers can be either software-based or hardware-based

Answer 52

■ Software Keyloggers ● Malicious programs that get installed on a victim's computer ■ Hardware Keyloggers ● Physical devices that need to be plugged into a computer ● These will resemble a USB drive or they can be embedded within a keyboard cable itself

Question 53

To protect your organization from keyloggers, ensure the following

Answer 53

■ Perform regular updates and patches ■ Rely on quality antivirus and antimalware solutions ■ Conduct phishing awareness training for your users ■ Implement multi-factor authentication systems ■ Encrypt keystrokes being sent to your systems ■ Perform physical checks of your desktops, laptops, and servers

Question 54

Spyware can get installed on a system in several different ways

Answer 54

● Bundled with other software ● Installed through a malicious website ● Installed when users click on a deceptive pop-up advertisement

Question 55

To help protect yourself against spyware,

Answer 55

you should only use reputable antivirus and anti-spyware tools that are regularly updated detect and remove any potential threats

Question 56

To remove bloatware, you can either do the following

Answer 56

● Do a manual removal process ● Use bloatware removal tools to uninstall the unwanted applications ● Perform a clean operating system installation

Question 57

How does this modern malware work?

Answer 57

Stage 1 Dropper or Downloader - to retrieve additional portions of the malware code and to trick the user into activating it Stage 2: Downloader ○ Downloads and installs a remote access Trojan to conduct command and control on the victimized system - “Actions on Objectives” Phase : Threat actors will execute primary objectives - Concealment : Used to help the threat actor prolong unauthorized access

Question 58

Dropper:

Answer 58

Specific malware type designed to initiate or run other malware.

Question 59

Downloader

Answer 59

○ Retrieve additional tools post the initial infection facilitated by a dropper

Question 60

Shellcode

Answer 60

○ Broader term that encompasses lightweight code meant to execute an exploit on a given target

Question 61

“Actions on Objectives” Phase

Answer 61

○ Threat actors will execute primary objectives to meet core objectives like ■ data exfiltration ■ file encryption

Question 62

Concealment

Answer 62

○ Used to help the threat actor prolong unauthorized access to a system by ■ hiding tracks ■ erasing log files ■ hiding any evidence of malicious activity

Question 63

“Living off the Land”

Answer 63

■ A strategy adopted by many Advanced Persistent Threats and criminal organizations ■ the threat actors try to exploit the standard tools to perform intrusions

Question 64

Indications of Malware Attacks: Account Lockouts

Answer 64

Malware, especially those designed for credential theft or brute force attacks, can trigger multiple failed login attempts that would result in a user’s account being locked out

Question 65

Indications of Malware Attacks: Concurrent Session Utilization

Answer 65

● If you notice that a single user account has multiple simultaneous or concurrent sessions open, especially from various geographic locations

Question 66

Indications of Malware Attacks: Blocked Content

Answer 66

● If there is a sudden increase in the amount of blocked content alerts you are seeing from your security tools

Question 67

Indications of Malware Attacks: Impossible Travel

Answer 67

● Refers to a scenario where a user's account is accessed from two or more geographically separated locations in an impossibly short period of time

Question 68

Indications of Malware Attacks: Resource Consumption

Answer 68

● If you are observing any unusual spikes in CPU, memory, or network bandwidth utilization that cannot be linked back to a legitimate task

Question 69

Indications of Malware Attacks: Resource Inaccessibility

Answer 69

● Ransomware ○ Form of malware that encrypts user files to make them inaccessible to the user ● If a large number of files or critical systems suddenly become inaccessible or if users receive messages demanding payment to decrypt their data

Question 70

Indications of Malware Attacks: Out-of-Cycle Logging

Answer 70

● If you are noticing that your logs are being generated at odd hours or during times when no legitimate activities should be taking place (such as in the middle of the night when no employees are actively working)

Question 71

Missing Logs

Answer 71

● If you are conducting a log review as a cybersecurity analyst and you see that there are gaps in your logs or if the logs have been cleared without any authorized reason

Question 72

Indications of Malware Attacks: Published or Documented Attacks

Answer 72

● If a cybersecurity research or reporter published a report that shows that your organization’s network has been infected as part of a botnet or other malware-based attack