Lesson 4 & 5

Question 1

Pretexting

Answer 1

(form of impersonation) Using a scenario with convincing
additional detail The classic impersonation attack is for the social engineer to phone into a department,
claim they have to adjust something on the user’s system remotely, and get the user to
reveal their password. This specific attack is also referred to as pretexting.

Question 2

Tailgating

Answer 2

• Access premises covertly

* Follow someone else through a door

Question 3

• Piggy backing

Answer 3

• Access premises without authorization, but with the knowledge of an employee
• Get someone to hold a door open

Question 4

• Identity fraud

Answer 4

• Impersonation with convincing detail and stolen or spoofed proofs
• Identity fraud versus identity theft

Question 5

• Invoice scams

Answer 5

• Spoofing supplier details to submit invoices with false account details

Question 6

• Credential theft and misuse

Answer 6

Credential harvesting
• Shoulder surfing
• Lunchtime attack

Question 7

PHishing, whaling, vishing, spear fishing, sMishing

Answer 7

you know this

Question 8

Spam

Answer 8

• Unsolicited email
• Email address harvesting
• Spam over Internet messaging (SPIM) (instant messagin service

Question 9

Hoaxes

Answer 9

• Delivered as spam or malvertising
• Fake advertisement to get user to install remote desktop software
• Phone-based scams

Hoaxes, such as security alerts or chain emails, are another common social
engineering technique, often combined with phishing attacks. An email alert or web
pop-up will claim to have identified some sort of security problem, such as virus
infection, and offer a tool to fix the problem.

Question 10

Prepending

Answer 10

adding text that appears to have been generated by the mail
system.

• Tagging email subject line
• Can be used by threat actor as a consensus or urgency technique
• Can be added by mail systems to warn users

Question 11

Pharming

Answer 11

(passive technique)

• Redirection by DNS spoofing

Pharming is a passive means of redirecting users from a legitimate website to a
malicious one. Rather than using social engineering techniques to trick the user,
pharming relies on corrupting the way the victim’s computer performs Internet name
resolution, so that they are redirected from the genuine site to the malicious one. For
example, if mybank.foo should point to the IP address 2.2.2.2, a pharming attack would
corrupt the name resolution process to make it point to IP address 6.6.6.6.

Question 12

Typosquatting

Answer 12

Www.comptia.org ==> www.connptia.org

Use cousin domains instead of redirection
• Make phishing messages more convincing

Question 13

• Watering hole

Answer 13

• Target a third-party site

* Customer, supplier, hobbies, social media…

Question 14

• Credential harvesting

Answer 14

• Attacks focused on obtaining credentials for sale rather than direct
intrusion
• Attacks focused on obtaining multiple credentials for single
company

Question 15

Influence Campaigns

Answer 15

Sophisticated threat actors using multiple resources to change opinions on 
a mass scale
- Soft power
- Hybrid Warfare
-social Media

Question 16

• Soft power

Answer 16

• Leveraging diplomatic and cultural assets

Question 17

• Hybrid warfare

Answer 17

• Use of espionage, disinformation, and hacking

Question 18

• Social media (influence campaign)

Answer 18

• Use of hacked accounts and bot accounts

* Spread rumor and reinforce messaging

Question 19

• Viruses and worms

Answer 19

• Spread within code without authorization

Question 20

Trojans

Answer 20

• A malicious program concealed within a benign one

Question 21

• Potentially unwanted programs/applications (PUPs/PAPs)

Answer 21

•Nonecessarily regarded as malicious
Pre-installed “bloatware” or installed alongside another app
• Not completely concealed, but installation may be covert
• Also called grayware

Question 22

Computer Viruses

Answer 22

• Rely on some sort of host file or 
media
• Non-resident/file infector
• Memory resident
• Boot
• Script/macro 
• Multipartite
• Polymorphic
• Vector for delivery

Question 23

Multipartite

Answer 23

virus uses multiple vectors

Question 24

Polymorphic

Answer 24

(virus) able to obfuscate code to avoid detection

Question 25

• Early computer worms

Answer 25

* Propagate in memory/over network links | * Consume bandwidth and crash process

Question 26

• Fileless malware

Answer 26

does not write code to disk. avoids detection "Living off the land"

Question 27

Advanced persistent threat (APT)/advanced volatile threat (AVT)/ low observable characteristics (LOC)

Answer 27

All used to describe fileless live off the land malware

Question 28

• Backdoor malware

Answer 28

Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control can be referred to as a backdoor.

Question 29

RAT

Answer 29

Remote Access Trojan backdoor malware that mimics the functionality of legitimate remote control programs

Question 30

bots and botnet

Answer 30

A group of bots that are all under the control of the same malware instance can be manipulated as a botnet by the herder program. A botnet can be used for many types of malicious purpose, including triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or performing cryptomining.

Question 31

• Command & control (C2 or C&C)

Answer 31

Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network.

Question 32

Ransomware

Answer 32

Nuisance (lock out user by replacing shell) usually easier to fix

Question 33

• Crypto-malware

Answer 33

High impact ransomware (encrypt | data files or drives)

Question 34

• Cryptomining/crypojacking

Answer 34

• Hijack resources to mine | cryptocurrency

Question 35

• Logic bombs

Answer 35

wait for a pre-configured time or date (time bomb) or a system or user event

Question 36

Malware Indicators

Answer 36

Browser changes or overt ransomware notification • Anti-virus notifications • Endpoint protection platforms and next-gen A-V • Behavior-based analysis * Sandbox execution * Cuckoo ``` • Resource utilization/consumption • Task Manager and top • File system changes • Registry • Temp file ```

Question 37

cukoo

Answer 37

does sandbox execution. puts the malware in a completely isolated location from the host

Question 38

shellcode

Answer 38

Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners.

Question 39

Process analysis

Answer 39

Signature-based detection is failing to identify modern APT-style tools Looking for abnormal behavior

Question 40

Process Explorer

Answer 40

Does process analysis

Question 41

output from hashing

Answer 41

checksum, hash or digest

Question 42

Anti collision

Answer 42

(hashing) - no two plaintexts likely to produce the same checksum

Question 43

SHA

Answer 43

Secure Hash Algorithm (SHA) - considered the strongest algorithm

Question 44

Message Disgest Algorithm (MD5)

Answer 44

for hashing. not as strong as SHA but sometimes required for compatibilities

Question 45

Hashing

Answer 45

not encryption. process is not reversible

Question 46

Substitution vs Transposition

Answer 46

Substitution - changing the letters or symbols Transposition - reordering

Question 47

key protection

Answer 47

protecting the key is easier than protecting the algorithm

Question 48

symetric encryption

Answer 48

Same key used for encryption and decryption on both sides Good fo bulk Problemtn distributing key securley

Question 49

• Stream ciphers

Answer 49

* Encrypt and decrypt each bit/byte at a time | * Must be used with an initialization vector (IV)

Question 50

• Block ciphers

Answer 50

* Treat data as equal-size blocks, using padding if necessary * Advanced Encryption Standard (AES/AES256)

Question 51

Advanced Encryption Standard (AES)

Answer 51

s the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.

Question 52

Asyemmetric encryption

Answer 52

private and public key ``` Message size is limited to key size so not suitable for large amounts of data • Used for small amounts of authentication data ```

Question 53

Public Key Cryptography Algorithms

Answer 53

RSA algorithm (Rivest, Shamir, Adleman) • Basis of many public key cryptography schemes • Trapdoor function • Easy to calculate with the public key, but difficult to reverse without the private key Elliptic curve cryptography (ECC) • Concerns about RSA being vulnerable to cryptanalysis • Another type of trapdoor function • Can use smaller keys to obtain same security

Question 54

RSA

Answer 54

RSA algorithm (Rivest, Shamir, Adleman) • Basis of many public key cryptography schemes • Trapdoor function • Easy to calculate with the public key, but difficult to reverse without the private key

Question 55

ECC

Answer 55

Elliptic curve cryptography (ECC) • Concerns about RSA being vulnerable to cryptanalysis • Another type of trapdoor function • Can use smaller keys to obtain same security

Question 56

Digital Signatures

Answer 56

* Using public key cryptography with hashing * Digital signatures provide integrity, authentication, non-repudiation * RSA-based digital signatures Hashing - authentication & non repudiation RSA - integrity

Question 57

Digital Envelopes and key exchange

Answer 57

hybrid - enable large amounts of data. able to send symetric key securely

Question 58

Digital Certificate

Answer 58

Certificate authority validates authenticity foy signing PKI

Question 59

Perferct Foward sectrcy

Answer 59

Uses Diffie Hellman key agreemen protocols | Allows two parties to derive the sam secret value that an eaves dropper cannot guess

Question 60

cipher suite and mode of operation

Answer 60

In a protocol such as Transport Layer Security (TLS), the requirements to both authenticate the identity of the server and to encrypt communications between the server and client need to be fulfilled by separate cryptographic products and cipher implementations. The combination of ciphers supported is referred to as a ***cipher suite*. The server and client negotiate mutually compatible cipher suites as part of the TLS handshake. The final part of a cipher suite determines the bulk encryption cipher. When AES is selected as the symmetric cipher, it has to be used in a *mode of operation** that supports a stream of network data.

Question 61

• Unauthenticated encryption

Answer 61

• Secret key encryption cannot prove integrity • Makes cryptographic system vulnerable to insertion and modification attacks

Question 62

• Authenticated encryption

Answer 62

• Message authentication code (MAC) • Create a hash from combination of the message and a shared secret • Implementations vulnerable to padding oracle attacks

Question 63

AEAD

Answer 63

* Authenticated encryption with additional data (AEAD) * Counter modes or stream ciphers that do not use padding * Associates message with context to prevent replay

Question 64

Integrity (in cryptography)

Answer 64

• Using hash functions and message authentication codes to validate messages

Question 65

• Resiliency

Answer 65

• Using cryptography to ensure authentication and integrity of control messages

Question 66

Obfuscation (cryptography)

Answer 66

• Make something hard to understand • Encryption can perform this function, but it is very hard to secure an embedded key • White box cryptography

Question 67

White box cryptography

Answer 67

attempts to protect an embedded key while preserviing functinality of the code - all attempts have been brokent

Question 68

nonce

Answer 68

rever reuse the same key value

Question 69

salt

Answer 69

random pseudo number. goes with hashing

Question 70

• Man-in-the-Middle (MitM)

Answer 70

• Interferes with the public key presented to the client

Question 71

• Downgrade attack

Answer 71

• Forces server into using weak protocol versions and ciphers

Question 72

• Key stretching

Answer 72

* Use additional rounds to strengthen keys | * Makes attacker do more work so slows down brute force

Question 73

Entropy

Answer 73

Entropy is a measure of disorder. A plaintext will usually exhibit low entropy [salting and stretching increases entropy]

Question 74

Collision

Answer 74

Function produces same has value for two different plain texts

Question 75

Birthday attack

Answer 75

brute force attack aimed to exploiting collisions in has functions

Question 76

Post quantum

Answer 76

when quantum computing become reality

Question 77

lightweight cryptograhy

Answer 77

low power devices. encryption take up power

Question 78

Homomorphic Encryption

Answer 78

Supports data analytics functions while preserving confidentiality and privacy

Question 79

Blockchain

Answer 79

Expanding list of transactional records (blocks) • Each block is linked by hashing * Public ledger * Ledger of transactions performed on a digital asset * Peer-to-peer so transactions are public * Transactions cannot be deleted or reversed • Widely used for cryptocurrencies • Potential uses for financial transactions, online voting systems, identity management systems, notarization, data storage,

Question 80

Stenography

Answer 80

obfuscation ``` • Concealing messages within a covertext • Often uses file data that can be manipulated without introducing obvious artifacts • Image • Audio • Video • Covert channels ```