Topic 13B Flashcards
(32 cards)
Brute force
Smashing a hardware device to perform physical denial of service (DoS).
Breaking into premises or cabinets by forcing a lock or gateway.
environmental attack
A physical threat directed against power, cooling, or fire suppression systems
RFID cloning
refers to making one or more copies of an existing card. A lost or stolen card with no cryptographic protections can be physically duplicated
RFID skimming
refers to using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.
Reconnaissance
Uses scanning
Fingerprinting identifies the application types and versions of the software operating each port, and potentially of the operating system running on the host, and its device type
Rapid scanning generates a large amount of distinctive network traffic that can be detected and reported as an intrusion event
Hard to differentiate malicious from non-malicious scanning.
Weaponization, delivery, and breach
refer to techniques that allow a threat actor to get access without having to authenticate.
typically involves various types of malicious code being directed at a vulnerable application host or service over the network, or sending code concealed in file attachments, and tricking a user into running it.
Command and control (C2 or C&C), beaconing, and persistence
techniques and malicious code that allow a threat actor to operate a compromised host remotely, and maintain access to it over a period of time
The threat actor has to disguise the incoming command and outgoing beaconing activity as part of the network’s regular traffic, such as by using encrypted HTTPS connections.
Lateral movement, pivoting, and privilege escalation
techniques that allow the threat actor to move from host to host within a network or from one network segment to another, and to obtain wider and higher permissions for systems and services across the network.
These types of attacks are detected via anomalous account logins and privilege use, but detection usually depends on machine learning-backed software, as it is typically difficult to differentiate anomalous behavior from normal behavior.
Data exfiltration
refers to obtaining an information asset and copying it to the attacker’s remote machine.
Anomalous large data transfers might be an indicator for exfiltration, but a threat actor could perform the attack stealthily, by only moving small amounts of data at any one time.
distributed DoS (DDoS)
DoS attacks against network hosts and gateways
the attack is launched from multiple hosts simultaneously
Some types of DDoS attacks simply aim to consume network bandwidth, denying it to legitimate hosts, by using overwhelming numbers of bots making ordinary requests. Others cause resource exhaustion on the victim host by bombarding it with requests that consume CPU cycles and memory.
SYN flood attack
works by withholding the client’s ACK packet during TCP’s three-way handshake. A server, router, or firewall can maintain a queue of pending connections, recorded in its state table. When it does not receive an ACK packet from the client, it resends the SYN/ACK packet a set number of times before timing out the connection. This can fill up the pending connection queue, so that legitimate connection attempts cannot be accepted.
distributed reflected DoS (DRDoS)
the threat actor spoofs the victim’s IP address and attempts to open connections with multiple third-party servers. Those servers direct their SYN/ACK responses to the victim host.
This is done because assembling a botnet large enough to disrupt can be costly.
amplification attack
a type of reflected attack that targets weaknesses in specific application protocols to make the attack more effective at consuming target bandwidth.
Exploits protocols in a way that forces the target to respond with large amounts of data.
Protocols commonly targeted include domain name system (DNS), Network Time Protocol (NTP), and Connectionless Lightweight Directory Access Protocol (CLDAP).
DDoS indicator
A large traffic spike is an indicator of a denial of service attack. If the source addresses are spoofed, it can be difficult to stop the attack.
on-path attack
where the threat actor gains a position between two hosts, and transparently captures, monitors, and relays all communication between them
could also be used to covertly modify the traffic. For example, an on-path host could present a workstation with a spoofed website form to try to capture the user’s credentials.
Also known as an adversary-in-the-middle (AitM) attack.
ARP
Address Resolution Protocol
identifies the MAC address of a host on the local segment that owns an IPv4 address
ARP poisoning
uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets.
Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.
typosquatting
causes victims to confuse malicious sites with legitimate ones.
DNS poisoning
An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.
DNS Client Cache Poisoning
Even though most name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings, and the client only contacts a DNS server if the name is not cached.
Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, they will be able to redirect traffic
Requires administrator access to modify the HOSTS file.
DNS server cache poisoning
aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers.
DNS event logs can hold a variety of information that may supply useful security intelligence and attack indicators, such as the following:
The types of queries a host has made to DNS.
Hosts that are in communication with suspicious IP address ranges or domains.
Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.
A rogue access point
one that has been installed on the network without authorization, whether with malicious intent or not.
A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident.
There are also various Wi-Fi analyzers and wireless intrusion protection systems that can detect rogue access points.
Access points are usually connected to switches. Monitoring can detect any that are not and flag them as potential rogues.
evil twin
A rogue access point masquerading as a legitimate one
the attacker might use some DoS technique to overcome the legitimate access point. In that case, they could spoof both the SSID and the basic SSID (BSSID).