secfnd Flashcards Preview

Flashcards in secfnd Deck (17)
1
Q

Describe the function of the network layers as specified by the OSI and the TCP/IP network models

A

Layer 1, Physical: The physical layer defines the electrical, mechanical, procedural, and functional specifications for activating, maintaining, and deactivating the physical link between end systems. Characteristics such as voltage levels, timing of voltage changes, physical data rates, maximum transmission distances, physical connectors, and other similar attributes are defined by physical layer specifications. Examples of Layer 1 devices are transceivers, modems, CSU/DSU, and hubs.

Layer 2, Data Link: The data link layer defines how data is formatted for transmission and how data accesses the physical layer. This layer also typically includes error checking. Examples of Layer 2 devices are bridges and switches, which forward and flood traffic based on MAC addresses. Although MAC addresses are typically physical addresses, they operate at the data link layer of the OSI model.

Layer 3, Network: The network layer provides connectivity between two host systems that can be located on geographically separated networks. It provides logical addressing, selects the best path for data delivery, and routes data packets. An example of a Layer 3 device is a router.

Layer 4, Transport: The transport layer segments data from the system of the sending host and reassembles the data into a data stream on the system of the receiving host. For example, business users in large corporations often transfer large files from field locations to a corporate site. Reliable delivery of the files is important, so the transport layer breaks down large files into smaller pieces, which are known as segments, that are less likely to incur transmission problems.

The boundary between the transport layer and the session layer can be thought of as the boundary between application protocols and data-flow protocols. Whereas the application, presentation, and session layers are concerned with application issues, the lower four layers are concerned with data transport issues.

The transport layer shields the upper layers from transport implementation details. Specifically, issues such as reliability of transport between two hosts are assigned to the transport layer. In providing a communication service, the transport layer establishes, maintains, and properly terminates virtual circuits. Transport error detection, error recovery, and information flow control ensure reliable service.

Layer 5, Session: The session layer establishes, manages, and terminates sessions between two communicating hosts. The session layer also synchronizes dialog between the presentation layers of the two hosts and manages their data exchange. For example, web servers have many users, so there are many communication processes open at a given time. Therefore, it is important to keep track of which user communicates on which path.

Layer 6, Presentation: The presentation layer ensures that the information that is sent at the application layer of one system is readable by the application layer of another system. For example, a PC program communicates with another computer, with one computer using EBCDIC and the other using ASCII to represent the same characters. If necessary, the presentation layer translates between multiple data formats by using a common format.

Layer 7, Application: The application layer is the OSI layer that is closest to the user. This layer provides network services to the applications of the user, such as email, file transfer, and terminal emulation. The application layer differs from the other layers in that it does not provide services to any other OSI layer, but only to applications outside the OSI model. The application layer establishes the availability of intended communication partners and synchronizes and establishes agreement on procedures for error recovery and control of data integrity.

2
Q

Compare and contrast remote exploit and a local exploit

A

A remote exploit is one that works over the network without any prior access to the target system. The threat actor does not need an account on the vulnerable system to exploit the vulnerability.
A local exploit requires prior access to the vulnerable system. Generally, the threat actor has access to an account on the system. Using their access to that account, they implement the local exploit. Most commonly, local exploits lead to privilege escalation.

3
Q

Define privilege escalation

A

Most attacks require administrator or root level access to perform an attack or spread their reign of terror on other computers in the network. Sometimes workstations will run vulnerable services that are logged into the workstation with administrator or root privileges. If the attacker can exploit that service, they would have no issues escalating their privileges.

4
Q

a Encryption and tunneling

  1. 6.b Resource exhaustion
  2. 6.c Traffic fragmentation
  3. 6.d Protocol-level misinterpretation
  4. 6.e Traffic substitution and insertion
A

Attackers can also try to avoid detection by tunneling their traffic over a protocol that is normally permitted and may not be inspected, for example, tunneling the attack traffic inside DNS or HTTP.
Attackers can also combine both encryption and tunneling, for example, using HTTPS to tunnel their attack traffic where HTTPS traffic is encrypted using TLS or SSL.

Protocol-level misinterpretation: The attacker can also evade detection by causing the IPS sensor to misinterpret the end-to-end meaning of network protocols and see traffic differently from the target. Therefore, the IPS sensor will either ignore traffic that should not be ignored or vice versa.

Fragmentation-based evasion refers to any evasion attempts where the attacker fragments the malicious traffic, hoping to avoid detection or filtering in the following ways:

Bypassing the network IPS sensor if the IPS sensor does not perform any fragment reassembly

Reordering the fragments, hoping the network IPS sensor does not correctly reorder the fragments

Traffic substitution and insertion. With traffic substitution, the attacker attempts to evade detection by substituting the payload data with other data in a different format but with the same meaning.
Insertion attacks are similar. For example, the attacker sends a malicious sequence byte-by-byte and inserts extra bytes of data within the malicious sequence.
Resource Exhaustion
A less subtle method of evading detection is through extreme resource consumption. The attacker sends lots of fake traffic to produce noise. If the IPS sensor is too busy to analyze the noise traffic, the true attack traffic may go undetected. For example, attack tools can be used to create a tremendous number of false IPS alerts that consume the resources of the IPS sensor and prevent attacks from being detected.

Timing Attacks
Attackers can evade detection by performing their actions slower than normal, not exceeding the thresholds inside the time windows that the signatures use to correlate different packets together.

5
Q

6.6.f Pivot

A

Pivoting involves the use of a backdoor, vulnerability, or simple exploitation of trust at some point in the attack chain as a springboard to launch a more sophisticated campaign against much bigger targets, such as the network of a major energy firm or a financial institution’s data center.

6
Q

Describe these endpoint-based attacks

  1. 5.a Buffer overflows
  2. 5.b Command and control (CnC)
A

Buffer overflow attacks are a common vector for client-side attacks. Malicious code can be injected into data files, and the code can be executed when the data file is opened by a vulnerable client application. For example, assume that an attacker posts such an infected file to the Internet. An unsuspecting user downloads the document and opens it with a vulnerable application.

A botnet operator infects computers by sending them malicious bots. A malicious bot is self-propagating malware that is designed to infect a host and connect back to the command-and-control server. In addition to its worm-like ability to self-propagate, a bot can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. They have been known to exploit back doors that are opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates, which damage network infrastructure; instead they infect networks in a way that escapes immediate notice.

The bot on the newly infected host logs in to the CnC server and awaits commands. Often, the CnC server is an IRC channel or a web server.

Instructions are sent from the command-and-control server to each bot in the botnet to execute actions. When the zombies receive the instructions, they begin generating malicious traffic that is aimed at the victim.

7
Q

Malware

A

Malware is malicious software that comes in several forms, including the following:

Viruses: A virus is a type of malware that propagates by inserting a copy of itself into another program and becoming part of that program. It spreads from one computer to another, leaving infections as it travels. Viruses require human help for propagation, such as the insertion of an infected USB drive into a USB port on a PC. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing DoS conditions.

Worms: Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

Trojan horses: A Trojan horse is named after the wooden horse the Greeks used to infiltrate the city of Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an email attachment, or downloading and running a file from the Internet.
Malware is commonly utilized by APTs. APTs are a set of continuous hacking processes targeting a specific entity, often with a specific goal. Some characteristics of APTs are obvious from the name. They are advanced; the attackers have the most advanced intelligence systems and techniques at their disposal and will use what is optimal for each step. They may utilize commonly available security tools when they are sufficient, but they may also discover and exploit zero-day (unpublished) vulnerabilities when necessary. They are also persistent.

8
Q

Rootkits

A

A rootkit is the most complex attacker tool. Its goal is to completely hide the activities of the attacker on the local system. A rootkit takes control of the operating system by compromising the internal structure of the system. When a program attempts to list files, processes, or network connections, a rootkit presents a sanitized version of the output, eliminating any incriminating output.

Rootkits are able to hide not only the activities of attackers but also their own presence. As a result, rootkits are extremely difficult to detect. Some can be circumvented by defenders using a trusted toolset, but this result is not guaranteed. If there is any indication that a system has been compromised by a rootkit, it is best to consider the operating system permanently compromised. Image the machine (for analysis purposes), and then wipe the hard drive and reinstall everything.

9
Q

Exploit kit

A

An exploit kit is an automated framework attackers use to discover and exploit vulnerabilities in an endpoint, infect it with malware, and execute malicious code on it. Exploit kits may use a process that is known as drive-by download, commonly hidden in a malicious ad that is loaded on a legitimate webpage, which invisibly redirects a user’s browser to a malicious server hosting the exploit kit framework. Alternatively, attackers can embed redirects to their exploit servers from compromised websites, or through domain shadowing. Domain shadowing involves compromising domain registration information for legitimate domains, such as example.com, and then registering second-level subdomains, such as ek.example.com with the registrar, hoping that the registrant does not notice. Malicious redirects can then be sent to the exploit kit server from this “shadow domain” through redirects.

10
Q

Attacks, vulnerability, exploit

A

A vulnerability is a flaw or weakness in a system. An exploit is a method of leveraging a vulnerability to do harm. An attack is an attempt to exploit a vulnerability. Attacks may be successful or unsuccessful. If an exploit attempt is made against a system that is not vulnerable to the exploit, then the attack is unsuccessful, but it is still considered an attack.

11
Q

Describe these attacks

6.4.a Social engineering

A

Social engineering is manipulating people and capitalizing on expected behaviors. Social engineering often involves utilizing social skills, relationships, or understanding of cultural norms to manipulate people inside a network to provide the information that is needed to access the network. The following are examples of social engineering:

Calling users on the phone claiming to be IT, and convincing them that they need to set their passwords to particular values in preparation for the server upgrade that will take place tonight

An individual without a badge following a badged user into a badge-secured area (“tailgating”)

Leaving a USB key that is infected with silent, Windows Autoplay-initiated malware that “phones home” in a public area

Developing fictitious personalities on social networking sites to obtain and abuse “friend” status

Sending an email enticing a user to click a link to a malicious website (“phishing”)

Visual hacking, where the attacker physically observes the victim entering credentials (such as a workstation login, an ATM PIN, or the combination on a physical lock)

12
Q

6.4.b Phishing

A

Phishing is a common social engineering technique. Typically, a phishing email pretends to be from a large, legitimate organization, as illustrated in the figure below. Since the large organization is legitimate, the target may have a real account with the organization. The malicious website generally resembles that of the real organization. The goal is to get the victim to enter personal information such as account numbers, social security numbers, usernames, or passwords.
Spear phishing: Emails are sent to smaller, more targeted groups. Spear phishing may even target a single individual. Knowing more about the target community allows the attacker to craft an email that is more likely to successfully deceive the target.

Whaling: Like spear phishing, whaling uses the concept of targeted emails; however, it increases the profile of the target. The target of a whaling attack is often one or more of the top executives of an organization. The content of the whaling email is something that is designed to get an executive’s attention, such as a subpoena request or a complaint from an important customer.

Pharming: Whereas phishing entices the victim to a malicious website, pharming lures victims by compromising name services. This can be done by injecting entries into local host files or by poisoning the DNS in some fashion, such as compromising the DHCP servers that specify DNS servers to their clients. When victims attempt to visit a legitimate website, the name service instead provides the IP address of a malicious website. In the figure below, an attacker has injected an erroneous entry into the host file on the victim system. As a result, when the victims attempt to do online banking with BIG-bank.com, they are directed to the address of a malicious website instead. Pharming can be implemented in other ways. For example, the attacker may compromise legitimate DNS servers. Another possibility is for the attacker to compromise a DHCP server, causing the DHCP server to specify a rogue DNS server to the DHCP clients. Consumer market routers acting as DHCP servers for residential networks are prime targets for this form of pharming attack.
Watering hole: A watering hole attack leverages a compromised web server to target select groups. The first step of a watering hole attack is to determine the websites that the target group visits regularly. The second step is to compromise one or more of those websites. The attacker compromises the websites by infecting them with malware that can identify members of the target group. Only members of the target group are attacked. Other traffic is undisturbed. This makes it difficult to recognize watering holes by analyzing web traffic. Most traffic from the infected web site is benign.

Vishing: Vishing uses the same concept as phishing, except that it uses voice and the phone system as its medium instead of email. For example, a visher may call a victim claiming that the victim is delinquent in loan payments and attempt to collect personal information such as the victim’s social security number or credit card information.

Smishing: Smishing uses the same concept as phishing, except that it uses SMS texting as the medium instead of email.

13
Q

Describe these web application attacks

6.3.a SQL injection

A

Web applications commonly connect to a relational database to access data. Because relational databases often contain sensitive data, databases are a frequent target for attacks. SQL is the language that is used to query a relational database. SQL injections are commonly used by attackers to breach the relational database. SQL injections allow attackers to manipulate the user’s input to create malicious SQL queries and obtain sensitive data from the relational database.

14
Q

6.3.b Command injections

A

Command injection is an attack in which the attacker’s goal is to execute arbitrary commands on the web server’s OS via a vulnerable web application. A command injection vulnerability occurs when the web application exposes vulnerable, unsafe input fields through which malicious users can submit malicious data.

During a command injection attack, attacker-supplied OS commands are usually executed with the privileges of the vulnerable web application. Command injection attacks are possible largely due to insufficient input validation. SQL injection and XSS are two specific forms of command injection attacks.

15
Q

6.3.c Cross-site scripting

A

Cross-Site Scripting
XSS involves the injection of malicious scripts into web pages that are executed on the client-side in the user’s web browser. Malicious scripts can be used to gain access to users’ systems or sensitive information, such as the session cookies. XSS can use JavaScript, Visual Basic script, and other types of code to implement the attack script. XSS is a threat that is caused by security weakness in client-side scripting languages.

XSS attacks may occur when a malicious user is allowed to post content to a trusted web site without any input validation. Any other users visiting that trusted web site will then be exposed to the content posted by the malicious user.
Cross-Site Request Forgery
Another common web-based attack is the CSRF attack. CSRF attacks can include unauthorized changes of user information, or extraction of user sensitive data from a web application. CSRF exploits utilize social engineering to convince a user to open a link that, when processed by the affected web application, could result in arbitrary code execution. When processed, the CSRF link could allow the attacker to submit arbitrary requests via the affected web application with the privileges of the already authenticated user. The attacker’s identity is concealed because the targeted web server is treating the request as a legitimate request from the victim.

16
Q

6.2.a Denial of service

A

DoS attacks attempt to consume all the critical computer or network resources in order to make them unavailable for valid use. DoS attacks are considered a major risk, because they can easily disrupt the operations of a business and they are relatively simple to conduct.

A TCP SYN flood attack is a classic example of a DoS attack. The TCP SYN flood attack exploits the TCP three-way handshake design by sending multiple TCP SYN packets with random source addresses to a victim host. The victim host sends a SYN-ACK back to the random source address and adds an entry to the connection table. Because the SYN-ACK is destined for an incorrect or nonexistent host, the last part of the three-way handshake is never completed and the entry remains in the connection table until a timer expires. By generating TCP SYN packets from random IP addresses at a rapid rate, the attacker can fill up the connection table and deny TCP services (such as email, file transfer, or WWW) to legitimate users. There is no easy way to trace the originator of the attack because the IP address of the source is forged.

17
Q

6.2.b Distributed denial of service

A

DDoS attack. DDoS attacks typically emanate from networks of compromised systems that are known as botnets.

A botnet consists of a group of “zombie” computers that run robots (or bots) and a master control mechanism that provides direction and control for the zombies. The originator of a botnet uses the master control mechanism on a command-and-control server to control the zombie computers remotely using IRC or other means.

A botnet typically operates as follows:

A botnet operator infects computers by sending them malicious bots. A malicious bot is self-propagating malware that is designed to infect a host and connect back to the command-and-control server. In addition to its worm-like ability to self-propagate, a bot can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. Bots have been known to exploit back doors that are opened by worms and viruses, which allows the bots to access networks that have good perimeter control. Bots can infect networks in a way that escapes immediate detection.

The bot on the newly infected host logs in to the command-and-control server and awaits commands. Often, the CnC traffic is sent using IRC, P2P, DNS, HTTP, or HTTPS. When using HTTPS, the CnC traffic will be encrypted using TLS or SSL, making it harder to detect.

Instructions are sent from the CnC server to each bot (zombie) in the botnet to execute actions. When the zombies receive the instructions, they begin generating malicious traffic that is aimed at the victim.