Domain 1: Threats, Attacks, and Vulnerabilities (24%) Flashcards

(96 cards)

1
Q

*1.5 Actors and threats

White Hat (CompTIA: Authorized) ethical hackers, Penetration Testers

A

Non-malicious hackers who attempt to break into a company’s systems at their request

2
Q

*1.5 Actors and threats

Black Hat (CompTIA: Unauthorized)

A

Malicious hackers who break into computer systems and networks without authorization or permission

3
Q

*1.5 Actors and threats

Gray Hats (CompTIA: Semi-authorized)

A

Hackers without any affiliation to a company who attempt to break into the company’s network and risk breaking the law

4
Q

*1.5 Actors and threats

Script kiddies

A

Have limited skill and only run other people’s exploits and tools

5
Q

*1.5 Actors and threats

Hacktivists

A

Hackers who are driven by a cause like social change, political agendas, or terrorism.

ex: Anonymous

6
Q

*1.5 Actors and threats

Advanced Persistent Threats (APT)

A

Highly trained and funded groups of hackers (often by nation-states) with covert and open-source intelligence at their disposal.

7
Q

*1.5 Threat intelligence sources

Proprietary source

A

Proprietary threat intelligence comes as a commercial service offering, where you pay a subscription fee for access to the provider’s updates and research.

Note: Not as useful because these commercial services are just repackaging information that’s available in free public registries.

8
Q

*1.5 Threat intelligence sources

Closed-source

A

Closed-source data is data derived from the provider’s own research and analysis efforts, such as data from the honeynets they operate, plus information mined from their other customer systems, suitably anonymized (stripped of information that shows which particular person or entity something relates to).

example: FireEye

9
Q

*1.5 Threat intelligence sources

Open-source

A

Open-source is data that’s available for use without a subscription; this may include threat feeds similar to those of commercial providers, reputation lists, and malware signature databases.

example: US-CERT, UK’s NCSC, AT&T Security (OTX), MISP, VirusTotal, Spamhaus, SANS ISC Suspicious Domains.

10
Q

*1.5 Threat intelligence sources

Open-source intelligence (OSINT)

A

Methods of obtaining information about a person or organization through public records, websites, and social media

example: Google, Facebook, enumeration scans. Public records, websites, and social media.

11
Q

*1.7 Threat Hunting

A

A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring. It is proactive, not reactive like incident response.

12
Q

*1.2 Malware

Malware

A

Malicious software designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent.

examples: viruses, worms, trojan horses, ransomware, spyware, rootkits, spam.

13
Q

*1.2 Malware

Virus

A

Malicious code that runs on a machine without the user’s knowledge and infects the computer when executed (10 types: Boot sector, Macro, Program, Multipartite, Encrypted, Polymorphic, Metamorphic, Stealth, Armored, Hoax).

Remember: It needs user interaction like installing a program or opening a file

14
Q

*1.2 Malware

Worms

A

Malicious software, like a virus, but able to replicate itself without user interaction. Doesn’t need you to do anything.

Example: A user receives an attachment to an e-mail or an instant message that contains a malicious worm. When the attachment is opened, the worm infects the user’s computer and then replicates itself by sending copies of the same e-mail or instant message to everyone in the user’s address book.

15
Q

*1.2 Malware

Trojans

A

Trojan horses are malicious software disguised as harmless or desirable software; once downloaded, the trojan can take control of your computer and may open the door for other malicious programs.

Note: Trojans are usually downloaded through e-mail attachments, websites, and instant messages. They are usually disguised as popular programs such as games, pictures, or music.

16
Q

*1.2 Malware

Remote Access Trojan (RAT)

A

A trojan that provides the attacker with remote control of a victim machine.

Note: The ultimate backdoor that provides administrative control of a device (Prof. Messer).

17
Q

*1.2 Malware

Ransomware

A

Malware that restricts access to a victim’s computer or their files until a ransom is received (locks your computer).

18
Q

*1.2 Malware

Spyware

A

Software that secretly gathers information about the user without their consent. Hint: may include a keylogger.

Note: Adware is a type of spyware that displays ads based on what it has observed about you.

19
Q

*1.2 Malware

Rootkit

A

Software designed to gain administrative level control over a system without detection.

Note: DLL injections and driver manipulation = Rootkit

20
Q

*1.1 Spam

A

The abuse of electronic messaging systems, most commonly through email.

-social media
-broadcast media

21
Q

*1.1 Spim

A

Abuse of instant messaging systems.

-texting
-instant messaging

22
Q

What is a Threat Vector?

A

The method used by an attacker to access a victim’s machine

23
Q

*1.1 What is a Watering hole attack?

A

When malware is placed on a website (watering hole) that you know your potential victims will access.

Example: A watering hole is a place where animals need to go to get water; a predator waits by the watering hole for one of the animals to be careless. (The malware is placed at the watering hole for the animals to pick up.)

24
Q

*1.2 Malware

Botnet

A

A collection of compromised computers under the control of a master node

25
Q

*1.2 Malware

Backdoor

A

Backdoors are used to bypass normal security and authentication functions. A way for a software programmer to access a program while bypassing its authentication schemes. The backdoor is coded in by the programmer during development so that later she can “break into” her own program without having to authenticate to the system through normal access methods.

Note: Remote Access Trojans (RATs) are the ultimate backdoor (administrative control of a device).

26
Q

*1.2 Malware

Logic Bombs

A

Malicious code that has been inserted inside a program and will execute only when certain conditions have been met.

27
Q

*1.4 Wireless

Bluejacking

A

Sending of unsolicited messages to Bluetooth-enabled devices.

28
Q

*1.4 Wireless

Bluesnarfing

A

Unauthorized access of information from a wireless device over a Bluetooth connection.

Hint: “taking info”

29
Q

*1.2 Malware

Backdoor

A

Code placed in computer programs to bypass normal authentication and other security mechanisms.

Note: Backdoors are a poor coding practice and should not be used.

30
Q

*1.3 Directory Traversal

A

Method of accessing unauthorized directories by moving through the directory structure on a remote server.

31
Q

*1.6 Zero-day

A

Attack against a vulnerability that is unknown to the original developer or manufacturer.

32
Q

*1.3 Buffer overflows

A

Occurs when a process stores data outside the memory range allocated by the developer. Buffer overflows attempt to put more data into memory than it is designed to hold.

Example: Let’s pretend that you have a glass sitting on a table. It can hold a certain amount of water, right? If it’s designed to hold 16 ounces of liquid but you pour 20 ounces in, the cup is going to overflow and the table is going to get wet. In this example, the glass is our buffer, and when we overflow it with our data (in our case, water), the extra spills out onto the table and makes a huge mess.

33
Q

*1.3 Cross-site scripting

XSS

A

Cross-site scripting occurs when an attacker embeds malicious scripting commands into a trusted website. When this occurs, the attacker is trying to gain elevated privileges, steal information from a victim’s cookies, or gain other information stored by the victim’s web browser.

34
Q

*1.3 Cross-site request forgery

XSRF/CSRF

A

In a cross-site request forgery, the attacker forces the user to execute actions on a web server that they have already been authenticated to.

Example: Let’s say that you’ve already logged into your bank’s website and provided your username and your password. At this point, you’re already authenticated and the website trusts you. If an attacker can send a command to the web server through your authenticated session, they are forging the request to make it look like it came from you. The attacker in this case will be unable to see the web server’s response to his request or commands, but he could still use this to transfer funds from the victim, change their password, or make a myriad of other requests on the victim’s behalf.

35
Q

*1.3 Injections

Structured Query Language (SQL) injection

A

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.

36
Q

*1.3 Injections

Extensible Markup Language (XML) injection

A

Injection attack targeting XML, the Extensible Markup Language, which is used by web applications for authentication and authorization and for other types of data exchange and uploading.

37
Q

*1.3 Race condition

A

A software vulnerability where the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

- A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location at the same time.

A really funky way of saying that the computer is basically trying to race itself. If you’re trying to do something legitimately and the attacker is trying to do something at the same time, and they can get in before you, they have taken advantage of this race condition to run their thing before you can run yours. This is a very specific case: a race condition vulnerability is found when there are multiple threads attempting to write a variable or object at the same memory location, at the same time.

38
Q

*1.3 Race conditions

Time of check/Time of Use (TOCTOU/TOC TO TOU)

A

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource. If the attacker can identify the time the check happened and then do something before the resource is used, that’s a race condition: they can manipulate the data after it has been checked but before it is used by the application, and therefore cause some kind of issue.

How can you prevent race conditions and TOCTTOU?

- Develop applications to not process things sequentially if possible
- Implement a locking mechanism to provide the app with exclusive access

39
Q

*1.4 Layer 2 attacks

MAC flooding

A

Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port.

Note: Switches can fail-open when flooded and begin to act like a hub.

40
Q

*1.2 Adversarial artificial intelligence (AI)

Machine Learning (ML)

A

A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified, but without further explicit instructions.

Note: Machine learning is only as good as the datasets used to train it.

41
Q

*1.2 Password attacks

Spraying

A

Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.

42
Q

1.8 Penetration Testing

Occurs when an attacker moves onto another workstation or user account

A

Pivoting

43
Q

1.8 Penetration testing

Ability of an attacker to maintain a foothold inside the compromised network

A

Persistence

44
Q

1.8 Exercise types

The hostile or attacking team in a penetration test or incident response exercise

A

Red Team

45
Q

1.8 Exercise types

The defensive team in a penetration test or incident response exercise

A

Blue Team

46
Q

1.8 Exercise types

Staff administering, evaluating, and supervising a penetration test or incident response exercise

A

White team

47
Q

1.7 Syslog/Security information and event management (SIEM)

SYSLOG

A

A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.

- SYSLOG uses port 514 over UDP

Also: A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

Note: Syslog follows a client-server model and is the de facto standard for logging of events from distributed systems.

48
Q

1.7 Syslog/Security information and event management (SIEM)

SIEM

A

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. SIEM solutions can be implemented as software, hardware appliances, or outsourced managed services.

- Log all relevant events and filter irrelevant data
- Establish and document scope of events
- Develop use cases to define a threat
- Plan incident response to an event
- Establish a ticketing process to track events
- Schedule regular threat hunting
- Provide auditors and analysts an evidence trail

Note: There are many commercial and open-source SIEM solutions available. EX: Splunk, ELK/Elastic Stack, ArcSight, QRadar, AlienVault and OSSIM, Graylog.

49
Q

1.7 Security Orchestration, Automation, and Response (SOAR)

A

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

Note: SOAR is primarily used for incident response.

94
Q

1.2 Cryptographic attacks

Collision

A

Condition that occurs when two different files create the same hash digest.

95
Q

1.3 Pass the hash

A

A technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password.

96
Q

1.2 Cryptographic Attacks

Birthday Attack

A

Technique used by an attacker to find two different messages that have the same identical hash digest.

- 99% chance of finding a matching birthday in a 57-person group
- 50% chance of finding a matching birthday in a 23-person group

Collision: occurs when two different inputs to a hash create an identical hash digest output.