Cybersecurity Attacks, Threats, and Alerts

Questions and Answers

Which of the following best describes 'modeling a threat' in the context of cyber security?

  • Thwarting an attack before it occurs by adding rules to the security policy. (correct)
  • Analyzing the financial impact of a potential cyber attack.
  • Predicting the exact date and time a cyber attack will occur.
  • Quantifying the uncertainty associated with a specific type of cyber attack.

How do 'hackers' and 'crackers' differ in their approach to unauthorized computer intrusions?

  • Hackers always work in groups, while crackers operate individually.
  • Hackers primarily target government systems, while crackers focus on private sector networks.
  • Hackers may not intend to cause damage, whereas crackers specifically aim to cause damage. (correct)
  • Hackers focus on exploiting financial systems, while crackers target personal data.

Which of the following most accurately defines cyberterrorism?

  • The use of technology to steal financial information from corporations.
  • The act of hacking into government websites to deface them with propaganda.
  • Acts in cyberspace intended to create fear, panic, or coercion, often for political or social objectives. (correct)
  • Any illegal activity conducted using computers and the internet.

What is the primary goal of 'coordination' as an attack feature in cybersecurity?

Answer (D): Making the attack extremely difficult to detect and characterize.

What distinguishes an 'active attack' from a 'passive attack' in cybersecurity?

Answer (D): Active attacks involve modifications to data, while passive attacks involve obtaining information.

During which stage of a typical cyber attack does privilege escalation occur?

Answer (D): Privilege Escalation

Which of the following activities is characteristic of the 'Reconnaissance' phase of a cyber attack?

Answer (C): Gathering intelligence about a target system.

What is the primary objective of a Denial of Service (DoS) attack?

Answer (A): To make a target device unavailable for legitimate access and use.

A malicious intruder conducts a ping sweep to determine which IP addresses are active, then queries the ports to determine the type and version of the application and operating system running on the target host. What type of attack is this?

Answer (A): Reconnaissance Attack

In the context of access attacks, what is 'trust exploitation'?

Answer (D): Using privileges granted to a system in an unauthorized way.

Which type of access attack involves an attacker positioning themselves between two communicating legitimate entities in order to read or modify data?

Answer (D): Man-in-the-middle attack

What is the primary consequence of a 'buffer overflow' vulnerability?

Answer (B): The program writes data beyond the allocated buffer memory.

In the context of Denial of Service (DoS) attacks, what is the main effect of saturating a network with seemingly valid traffic?

Answer (A): Valid user traffic cannot get through.

What was the primary method of propagation used in the 2016 Mirai botnet attack?

Answer (C): Malware installed on IoT devices with weak passwords.

What is the core characteristic of SQL injection vulnerabilities?

Answer (B): They are a subset of unverified user input that injects malicious code (or SQL query) into strings.

What was the primary goal of the attackers in the WannaCry ransomware attack of 2017?

Answer (D): To encrypt data and demand a ransom.

What differentiates parasitic malware from other forms of malware?

Answer (C): It needs a host program; it cannot run independently.

How do viruses and worms differ in their method of operation?

Answer (C): Viruses cannot run independently; worms can.

Which of the following best describes the activation mechanism for a logic bomb?

Answer (C): It activates on a specific condition (trigger).

What is the defining characteristic of a 'backdoor' (or trapdoor) in the context of computer security?

Answer (C): It bypasses a normal security check.

What action does a computer virus perform when it 'infects' another host program?

Answer (A): It attaches a copy of itself to the host program.

What happens during the 'dormant phase' of a computer virus's lifecycle?

Answer (B): The virus is idle, waiting for a trigger event.

Which of the following describes the 'trigger' component of a virus?

Answer (C): The event that makes the virus payload activate.

What is the key characteristic of 'Zero-Day Exploits'?

Answer (A): They target unpatched software vulnerabilities.

Which of the following reflects the intent of someone performing hacking?

Answer (B): Ingenuity-driven activity of manipulating technologies.

Which of the following is NOT a threat and potential consequence?

Answer (B): Legal Liability

The process of making decisions based on a threat or alert is called?

Answer (D): Uncertainty

Unauthorized computer intrusions not intended to cause damage are encompassed by the terms?

Answer (C): Hacker and Hacking

Looking at the chart title, Hacking has the highest relative value in which category?

Answer (A): Correcting Bugs

The attack feature versioning consists of:

Answer (A): The attack scheme is kept modulo slight modifications

Which of the following is the correct prevention for passive attacks?

Answer (C): Prevention

Which of the following stages of a typical attack scenario belongs to Access Attack?

Answer (B): Privilege Escalation

Gaining unauthorized access to sensitive systems is called:

Answer (C): Privilege Escalation

Which of the following is not an access attack:

Answer (C): Denial of service attacks

A trust exploitation consists of:

Answer (B): An attacker uses privileges granted to a system in an unauthorized way

An intrusion tool installed on the compromised system for session redirection is called:

Answer (D): Port redirection

Looking at the lecture material, which statement is true regarding viruses?

Answer (D): Viruses need a host program to be run to activate them

The key to virus operation is that:

Answer (C): The infected program, when invoked, first executes the virus code and then the original program code

Flashcards

Attacks

An abstract concept represented by information that varies depending on the situation, including threat, intrusion and alert.

Hacking

Manipulating or modifying technologies without respect to their initial functions.

Cracker (black hacker)

Someone who trespasses on computer networks without authorization and with harmful intent.

Cyberterrorism

Acts in cyberspace intended to create fear or panic, often for political or social purposes.

Attack features: Coordination

Combining multiple elementary attacks or using external resources, making detection and characterization difficult.

Attack features: Incomplete knowledge

An amount of uncertainty always characterizes the attack events.

Attack features: Versioning

The attack scheme is kept modulo slight modifications.

Passive attacks

Provide information about the information system.

Active attacks

Involve some modification of the data stream or the creation of a false stream.

Reconnaissance Attacks

Unauthorized discovery and mapping of systems, services, or vulnerabilities, using packet sniffers and port scanners.

Access Attacks

Exploiting vulnerabilities in authentication, FTP, and web services to gain entry to accounts and confidential databases.

Denial of Service Attacks (DoS)

Sending excessive requests to overwhelm a network or device, rendering it unavailable for legitimate use.

Password attack

An attacker attempts to guess system passwords.

Trust exploitation

An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target.

Port redirection

A compromised system is used as a jump-off point for attacks against other targets.

Man-in-the-middle attack

An attacker is positioned in the middle of communications between two legitimate entities.

Buffer overflow

A program writes data beyond the allocated buffer memory.

Denial of Service (DoS)

Interruption of service to users, devices, or applications.

DDoS (Distributed Denial of Service)

Overloading systems to disrupt service.

SQL Injection

A subset of unverified user input vulnerability that injects malicious code (or SQL query) into strings.

Ransomware Attacks

Encrypting data and demanding a ransom.

Malware

Programs exploiting computing system vulnerabilities.

Virus

A piece of code that inserts itself into a host program (infects it).

Worm

A program that can run independently and can propagate a complete working version of itself onto other hosts on a network.

Logic bomb

A program inserted into software by an intruder that executes on a specific condition (trigger).

Trojan horse

Programs that appear useful but perform malicious functions without the user's knowledge.

Backdoor (trapdoor)

Any mechanism that bypasses a normal security check.

Computer Virus

A self-replicating code attached to another program.

Dormant phase

The virus is idle, waiting for a trigger event (e.g., date, time, program).

Propagation phase

The virus places a copy of itself into other programs or system areas on disk.

Triggering phase

The virus is activated by some trigger event to perform its intended function.

Execution phase

The intended function is performed.

Zero-Day Exploits

Attacking unpatched software vulnerabilities.

Study Notes

Attacks

  • An attack represents an abstract concept that varies based on the situation.
  • Threats involve outcomes and probabilities.
  • Intrusions involve elementary actions and composition rules.
  • Alerts involve FP probability, FN probability, and alert/attack weight.

Threats and Potential Consequences

  • Threats can result in worms/viruses, recon attacks, distributed denial of service, privilege escalation, machine compromise, and social engineering.
  • Potential consequences include disruption of business, loss of productivity, loss of privacy, theft of information, legal liability, and damage to reputation and consumer confidence.

Threats and Alerts

  • Threats and alerts are used to select the best countermeasures for an attack using a cost-benefit balance.
  • They are characterized by an amount of uncertainty.
  • Modeling a threat can help prevent attacks by adding rules to the security policy.
  • Alerts provide a way to react against intrusions.

Hacking

  • Hacking manipulates or modifies technologies without concern for their original functions.
  • It should be distinguished from cracking, which is a destructive form of hacking.

Hacker (White Hacker)

  • A hacker enjoys learning the details of programming systems.
  • A hacker stretches the possibilities of systems.
  • A hacker programs enthusiastically.
  • A hacker appreciates hack value.
  • A hacker is skilled at programming quickly.
  • A hacker is an expert at a particular program.
  • A hacker may be a malicious or inquisitive meddler.

Cracker (Black Hacker)

  • A cracker trespasses onto computer systems and causes harm.
  • Hacking includes unauthorized computer intrusions not intended to cause damage.
  • Cracking encompasses unauthorized computer intrusions intended to cause damage.

Cyberterrorism

  • Cyberterrorism involves both acts in cyberspace and the use of cyberspace tools to create fear or panic and to intimidate or coerce a government.
  • Cyberterrorism may be committed by subnational groups.
  • Cyberterrorism may be in the furtherance of political or social causes.

Hacking - Cybercrime - Cyberterrorism

  • Hacking can be driven by competition, fame, or correcting bugs.
  • Cybercrime often aims for financial gain.
  • Cyberterrorism aims for political agendas.

Attack Features

  • Coordination: Attackers combine multiple attacks or use external resources to make detection and characterization difficult.
  • Incomplete Knowledge: Attack events are always characterized by uncertainty.
  • Versioning: Attack schemes are kept modulo slight modifications.

Attacks Classification

  • Passive Attacks: Provide information about the information system; prevention is the goal here.
  • Active Attacks: Modify data stream or create a false stream; prevention, detection, and recovery are all important here.

Typical Attack Scenario

  • A typical attack scenario begins with reconnaissance, then port scanning, then enumeration.
  • The attacker will then try to gain unauthorized access and attempt privilege escalation.
  • The attacker will then collect or steal data, then hide traces and install a backdoor.
  • Finally, the attacker may use a denial of service.
  • The listed steps can be classified as reconnaissance attacks, access attacks, and DoS attacks.

Stages of a Cyber Attack

  • Reconnaissance: Gathering intelligence on the target.
  • Exploitation: Exploiting vulnerabilities.
  • Privilege Escalation: Gaining unauthorized access to sensitive systems.
  • Data Exfiltration: Stealing, encrypting, or manipulating data.
  • Covering Tracks: Erasing logs and avoiding detection.

Attacks Types

  • Reconnaissance Attacks: Discovery and mapping of systems, services, or vulnerabilities; use packet sniffers and port scanners.
  • Access Attacks: Exploit vulnerabilities in authentication, FTP, and web services to gain entry to sensitive information; employ dictionary attacks to guess passwords.
  • Denial of Service Attacks (DoS): Send large numbers of requests over a network to cause the target device to run suboptimally and become unavailable for legitimate use.

Reconnaissance Attacks: Examples

  • Reconnaissance attacks involve information gathering through eavesdropping and packet sniffing.
  • Malicious intruders conduct ping sweeps to determine active IP addresses.
  • Malicious intruders check available services/ports using Nmap port scans.
  • Intruders determine application/OS versions.
  • Packet sniffers and port scans are used in these attacks.

Reconnaissance Attacks: Internet Queries

  • This involves using utilities such as whois to gather information about the target.

Phishing & Social Engineering

  • These attack types trick users into revealing credentials.
  • In 2016, a hacker impersonated a Google and Facebook vendor to steal $100 million.
  • The hacker identified employees responsible for payments and created fake email addresses.
  • The hacker sent fraudulent invoices, and the finance teams were tricked into wire transfers to overseas bank accounts.

Access attacks

  • Hackers use access attacks to retrieve data, gain access, and escalate access privileges.
  • Includes password attacks, brute-force attacks, trojan horse programs, IP spoofing, and packet sniffers.
  • A brute-force attack uses a program to run across the network to try and log in to a shared resource.
  • Success may allow attackers to create back doors for future use.

Types of Access Attacks

  • Password attack
  • Trust exploitation
  • Port redirection
  • Man-in-the-middle attack
  • Buffer overflow

Password Attack

  • An attacker attempts to guess system passwords.
  • A dictionary attack is a common example of a password attack.
  • Brute-force attacks, trojan horse programs, and packet sniffers can be used in these attacks.

Trust exploitation

  • This involves abusing granted system privileges in an unauthorized way, potentially compromising the target.

Port Redirection

  • This uses a compromised system as a jump-off point for attacks against other targets.
  • An intrusion tool can be installed on the compromised system for session redirection.

Man-in-the-Middle Attack

  • An attacker positions themselves in the middle of communications between two legitimate entities.
  • The attacker may then read or modify the data that passes between the two entities.

Buffer Overflow

  • This happens when a program writes data beyond the allocated buffer memory.
  • It is the consequence of a bug in a C or C++ program.
  • Valid data can be overwritten or exploited for the execution of malicious code.

Denial of Service Attacks (DoS)

  • This involves the interruption of service to users, devices, or applications.
  • This may involve generating large amounts of valid network traffic, saturating the network.
  • A DoS attack may occur when a host fails to handle an unexpected condition.
  • It may also occur when a network, host, or application is unable to handle an enormous quantity of data.

DDoS (Distributed Denial of Service)

  • This involves overloading systems to disrupt services.
  • In 2016, the Mirai botnet attack took down major websites (Twitter, Netflix, Amazon).
  • Computers were infected with malware and then used to launch massive traffic floods at DNS providers.
  • Websites relying on these services experienced outages.

SQL Injection

  • This is a subset of unverified user input vulnerability that injects malicious code into SQL queries.
  • This code is executed when passed on to the SQL server.
  • In 2019, an attacker exploited an SQL Injection vulnerability in a government website, leaking millions of citizen records.
  • The attacker injected malicious SQL code, bypassing authentication.

Ransomware Attacks

  • This involves encrypting data and demanding a ransom.
  • The 2017 WannaCry Ransomware Attack affected over 200,000 computers worldwide.
  • Attackers exploited an SMB protocol vulnerability in Windows.
  • Malware spread automatically across networks.
  • Organizations without backups were forced to pay ransom or lose data.

Malware

  • Malware consists of programs exploiting computing system vulnerabilities.
  • Malware can be parasitic, requiring a host program, or independent/self-contained.
  • Parasitic malware includes viruses, logic bombs, and backdoors.
  • Independent forms include worms and bots.
  • Software threats either do not replicate and are activated by a trigger, or replicate and propagate themselves.

Malware Terminology

  • Virus: Code that inserts itself into a host program; it cannot run independently and needs the host program to run.
  • Worm: A program that can run independently and propagate a complete working version of itself onto other hosts on a network.
  • Logic Bomb: Program inserted by an intruder that executes on a specific condition (trigger).
  • Trojan Horse: Programs that appear to have a useful function, but perform another malicious function without the user's knowledge.
  • Backdoor (Trapdoor): Bypasses normal security checks and recognizes special input, legitimately used to debug and test programs.

Computer Virus

  • A computer virus is a self-replicating code attached to another program.
  • It infects another (host) program with a copy of itself and then executes secretly when the host program is run.
  • A virus propagates and carries a payload.

Virus Operation

  • During its lifetime, a typical virus goes through four phases, which are:
    • Dormant Phase: The virus is idle, waiting for a trigger event.
    • Propagation Phase: The virus places a copy of itself into other programs or system areas on a disk, and may morph to avoid detection.
    • Triggering Phase: The virus is activated by a trigger to perform the intended function.
    • Execution Phase: The intended function is performed.
  • Virus details are specific to the hardware/OS.

Virus Structure

  • Major components are the infection mechanism, trigger, and payload.
  • The infection mechanism is the code that enables replication.
  • The infected program, when invoked, executes the virus code first and then the original program code.
  • Prevention blocks initial infection or propagation (with access controls).

Zero-Day Exploits

  • This involves attacking unpatched software vulnerabilities.
  • The 2010 Stuxnet worm targeted Iranian nuclear facilities.
  • Malware was introduced via infected USB drives.
  • Zero-day vulnerabilities in Windows were then exploited.
  • The attacker took control of industrial control systems.
  • Uranium enrichment processes were sabotaged by altering centrifuge speeds.
