Questions and Answers
Which component of the CIA triad focuses on ensuring that data is accessed and modified only by authorized users?
- Availability
- Accountability
- Confidentiality (correct)
- Integrity
In the AAA framework, which element is primarily responsible for verifying the identity of a user?
- Accounting
- Authentication (correct)
- Authorization
- Auditing
Which of the following represents a 'something you are' factor in multi-factor authentication?
- A smart card
- A security question's answer
- A one-time password sent via SMS
- A fingerprint scan (correct)
An attacker is trying to infiltrate a corporate network. Which of the following is an example of a threat vector they might use to target an organization?
Which type of malware is known for encrypting a victim's files and demanding a ransom payment for the decryption key?
An organization wants to proactively identify potential threats by understanding attacker behaviors. Which framework would be most suitable for analyzing the tactics, techniques, and procedures (TTPs) used by threat actors?
A cybersecurity analyst is investigating a network intrusion and wants to map the relationships between the adversary, infrastructure, victim, and capabilities. Which model is specifically designed for this type of analysis?
During incident response, a security team identifies that an attacker initially performed reconnaissance, then weaponized an exploit, delivered it via phishing, and installed malware. Which framework best describes this sequence of actions?
A company wants to improve its understanding of how threat actors operate after initial access to their network. Which of the following would provide the MOST relevant information for this purpose?
A user types google.com into their web browser, which leads them to Google's website. What process translates the domain name into the numerical address needed to access the web server?
Which framework, developed by Lockheed Martin, outlines the stages of a cyberattack, from reconnaissance to actions on objectives?
A security analyst is investigating a series of network intrusions. They need a model to understand the relationships between the adversary, infrastructure, and victim. Which model is MOST suited for this?
What does TTPs stand for in the context of cybersecurity and threat analysis?
An organization aims to improve its understanding of adversary behavior, focusing on the specific methods attackers use after gaining initial access to a system. Which framework would provide the MOST relevant information?
A security team discovers a new malware variant using a previously unknown technique for evading detection. Which cybersecurity resource would be MOST helpful in understanding and documenting this novel technique for broader community awareness?
Flashcards
CIA Triad
Confidentiality, Integrity, and Availability. These are the core principles of information security.
AAA Framework
Authentication, Authorization, and Accounting. A framework for controlling access and tracking user activity.
Multi-Factor Authentication
Something you know (password), something you have (token), something you are (biometrics).
Threat Vector
Ransomware
Cyber Kill Chain
TTPs
MITRE ATT&CK
Diamond Model of Intrusion Analysis
DNS (on Webserver)
EC-Council
Study Notes
Module 1: Information Security Threats and Vulnerabilities
- Module one covers the types of threats and threat sources, threat actors/agents, various threat vectors, overview of malware, different types of malware, vulnerabilities and examples of network security vulnerabilities, common areas of vulnerability, the impact of vulnerabilities, the risk of vulnerabilities, and the classification of vulnerabilities.
What is a Threat?
- A threat represents the potential for an undesirable event.
- This event has the capacity to damage or disrupt an organization's operational and functional activities.
- Cyber threats enable attackers to infiltrate systems and steal data such as personal information, financial data, and login credentials.
Threat Vectors:
- A threat vector is the medium through which an attacker gains access to a system.
- Access is gained by exploiting vulnerabilities in the system.
- Common threat vectors: Direct access, removable media, wireless connections, email, cloud services, ransomware and malware, supply chain vulnerabilities.
Examples of threats:
- Stealing sensitive data.
- Causing a server to shut down.
- Tricking an employee into revealing sensitive information.
- Infecting a system with malware.
- An attacker spoofing the identity of an authorized person.
- Modifying or tampering with data transferred over a network.
- Remotely altering data in a database server.
- Performing URL redirection or forwarding.
Threat Sources:
- Natural: fires, floods, power failures, etc.
- Unintentional errors: Stem from unskilled administrators, accidents, or lazy/untrained employees.
- Intentional: Originate from either internal or external sources.
- Internal intentional threats include fired or disgruntled employees, service providers, and contractors.
- External intentional threats encompass hackers, criminals, terrorists, foreign intelligence agents, and corporate raiders.
Unintentional Threats:
- Unintentional threats are those that exist due to the potential for unintentional errors occurring within an organization.
- Examples include insider-originating security breaches, negligence, operator errors, unskilled administrators, and accidents.
Intentional Threats:
- Attacks carried out deliberately by someone inside or outside the organization.
Threat Actors/Agents:
- Black Hats: Individuals with extraordinary computing skills and the intent to cause malicious damage.
- They are also known as 'crackers'.
- White Hats: Security analysts who use their hacking skills for defensive purposes.
- Gray Hats: Individuals who work both as black hats and white hats at various times.
- Suicide Hackers: Individuals who want to disrupt critical infrastructure, and are unconcerned about facing jail time.
- Script Kiddies: Unskilled hackers who compromise systems using pre-made scripts, tools, and software developed by others.
- Cyber Terrorists: Individuals motivated by religious or political beliefs, aiming to create fear through destruction.
- State-Sponsored Hackers: Individuals working for governments to infiltrate and damage other nations' information systems.
- Hacktivist: Individuals who promote a political agenda by hacking via defacing or disabling websites.
- Hacker Teams: Skilled hackers working together with resources and funding, researching state-of-the-art technologies in synergy.
- Industrial Spies: Individuals who perform corporate espionage, illegally spying on competitor organizations.
- Insider: Any employee with access to critical organizational assets or who may use their privileged access to cause harm.
- Criminal Syndicates: Groups involved in organized, planned, and prolonged cyber criminal schemes.
- Organized Hackers: Hardcore criminals who use rented devices or botnets to pilfer money from victims through cyber-attacks.
Attributes of Threat Actors:
- Internal: Trusted insiders who have permission and authorized access to an organization's assets.
- External: Those without authorized access.
- Level of Sophistication: Highly sophisticated threat actors are more successful because of their technical and financial sophistication. That said, unsophisticated attacks may still succeed against poor user practices.
- Resources/Funding: Determines how a threat actor financially supports an attack and obtains the necessary software and equipment.
- Intent/Motivation: Highly motivated actors are more likely to launch an attack that stems from political or personal goals.
Introduction to Malware:
- Malware is software designed by its creator to damage or disable computer systems in order to commit theft or fraud, or to take control of a system.
- Malware is used to attack browsers, track website visits, slow down system performance, cause hardware failure, and steal data.
Ways for Malware to Enter a System:
- Instant messenger applications, portable removable hardware devices, browser and email software bugs, untrusted sites and freeware web applications, downloading files from the internet, email attachments and other forms of installation, and Bluetooth and wireless networks.
Techniques Attackers Use to Distribute Malware (web-based):
- Black hat Search Engine Optimization (SEO): ranking malware pages highly in search results.
- Tricking users into clicking innocent-looking webpages.
- Spear-phishing: mimicking legitimate institutions in an attempt to steal login credentials.
- Embedding malware into malicious ad networks that display across hundreds of legitimate, high-traffic internet sites.
- Hosting embedded malware that spreads to unsuspecting users of legitimate websites.
- Exploiting flaws in browser software to install malware when a user visits a webpage. The 'watering hole' technique focuses on infecting sites that are known to be used by a target organization.
- Attaching malware to emails while tricking users into opening the malicious attachment.
Components of Malware:
- Crypter: Software that protects malware from reverse engineering or analysis.
- Downloader: A type of Trojan that downloads other malware from the Internet onto the PC.
- Dropper: A type of Trojan that covertly installs other malware files onto the target system.
- Exploit: Code that breaches system security, giving access to a system or its data for illegal purposes.
- Injector: A program that injects executable code into vulnerable running processes.
- Obfuscator: A program that hinders the detection of its purpose.
- Packer: A program that compresses various files and bypasses existing scanning detection mechanisms.
- Payload: A piece of control software.
- Malicious Code: Commands that define the malware's basic functionality, such as stealing data.
Types of Malware:
- Trojans, viruses, ransomware, computer worms, rootkits, PUAs, spyware, keyloggers, botnets, and fileless malware.
Trojans:
- A program with hidden malicious code.
- A seemingly harmless program or data with the ability to cause damage.
- Can gain control of devices but must be manually activated by an action.
- Trojan actions can include recording the desktop, use of microphones and cameras.
Indications of Trojan Attack:
- Screen colours change unexpectedly and key security settings are disabled.
- Antivirus settings revert to defaults, or pages suddenly open without user input.
How Hackers use Trojans:
- Delete or replace critical operating system files.
- Delete firewall tools or disable antivirus protection.
- Create backdoors and steal logins.
Viruses:
- Self-replicating code that can copy itself into other programs.
- Computer viruses are transmitted through file downloads or removable storage devices.
- Capable of impacting data, altering the device, and/or encrypting and altering files on the system.
Purposes of Creating Viruses:
- To cause financial or reputational damage to competitors, or to extract money by causing damage and stealing details through various methods.
Indications of Virus Attacks:
- Slow performance, file corruption, boot failures, and increased drive use and activity coupled with unusual disk warnings.
Types of Computer Viruses:
- System Boot, Polymorphic, Web Script, File, Multipartite, Metamorphic, Email, Armoured, Companion, and Camouflage.
Ransomware:
- Restricts computer systems through file and folder encryption until specific requirements are met.
- The malware first executes and installs itself; the victim then pays the attacker, after which the systems are unlocked.
- Dharma is one example. It is sent through email campaigns and demands ransom in Bitcoin.
- Ransomware Families: Cerber, CTB-Locker, Sodinokibi, BitPaymer, CryptXXX, Cryptorbit ransomware, Crypto Locker Ransomware, Crypto Defense Ransomware, Crypto Wall Ransomware
Computer Worms:
- Self-replicating programs with the ability to spread themselves across networks.
- They overload network connections, install backdoors, and cause further problems.
Viruses vs. Worms:
- Viruses require activation. Worms do not.
Rootkits:
- A set of programs that allows an attacker to hide their activity on a system and steal data. These may require a reboot to load.
- Rootkits can lead to exploits, malicious processes, and unauthorized server activity, and are also used to attack network devices.
Potentially Unwanted Applications (PUAs):
- Harmful applications that may pose severe risks to data security; they mostly arrive as free downloads and are used for fraud and to slow down systems.
- µTorrent is considered a PUA.
Adware:
- Adware is a form of PUA that generates ads and pop-ups, used for fraud and to slow down computers.
Spyware:
- Software that steals data and sends it to fraudulent sites, for example through malicious code that forwards information; it can be installed at any time.
- The re-routing of information is often designed to capture credentials and personal activity.
KeyLoggers:
- Record all keystrokes along with other forms of data for illegal and potentially harmful purposes, including typed data and username logs.
- A keylogger monitors user activity and tracks username and password entry.
Botnets:
- A collection of compromised computers connected remotely to a server and used to cause harm.
- Botnets are used to infect and re-infect others as the process is automated.
Zero File Malware Tactics:
- Works by infecting the system with exploits that leverage legitimate software and run from system RAM.
- Can abuse applications such as Microsoft Word, Flash, JavaScript and PowerShell.
Vulnerabilities and Cybersecurity
- Refers to existing weaknesses that can be exploited by a threat.
- Most can be resolved by checking for hardware issues and firmware misconfiguration, poorly secured systems, and careless practices.
- Poor security policy can itself be a vulnerability:
- Unwritten policy: difficult to enforce.
- Lack of continuity: continuity plans are not implemented.
- Politics.
- Lack of awareness.
- These issues lead to data theft, identity threats, and reputational damage, including in TCP/IP services such as HTTP, FTP, ICMP, SNMP, and SMTP.
- Common network security issues include default passwords and internet misconfiguration and misuse.
- Different areas of vulnerability consist of intentional or unintentional human errors and unpatched software.
- Highly connected networks with undocumented systems cause major cybersecurity issues.
Fileless Malware
- Functions without malware components on disk, infecting legitimate software by using code already present on the system so that the system itself performs the malicious functions.
- The malware can use anything from RAM and Microsoft Word to JavaScript.
- There are three types; all are stealthy in nature and use trusted system components to carry out their attacks.
Description
Test your knowledge on cybersecurity concepts like CIA triad, AAA framework, MFA and malware types. Identify the core principles and components of information security. Learn about common threat vectors used by attackers.