Malware Overview and Prevention - Week 6
29 Questions
Questions and Answers

    What is a defining characteristic of worms?

      • They self-replicate and have different triggers.
      • They attach to files and require user interaction to spread.
      • They exploit network vulnerabilities to spread without user interaction. (correct)
      • They can mutate to avoid detection like viruses.

    Viruses can only spread through email attachments.

        False

    What is the purpose of antivirus software?

        To identify and remove malware.

    A __________ is a program that appears harmless but can perform malicious activities like keylogging.

        Trojan

    Match the types of antivirus approaches with their descriptions:

        Virus Dictionaries = Scans for known virus signatures
        Behaviour Blockers = Monitors suspicious system commands
        Integrity Checkers = Detects changes in files caused by malware
        Activity Monitoring = Tracks unusual program activities

    Which approach can lead to false positives?

        Activity Monitoring

    User awareness is the only method to prevent malware infections.

        False

    What is threat modeling?

        A process for identifying potential threats and security risks.

    What is the primary purpose of a remote access Trojan (RAT)?

        To maintain access and control over the compromised system

    The action 'Disrupt' in defensive steps refers to stopping attackers from accessing critical information.

        False

    What does 'C2' stand for in the context of cybersecurity?

        Command and Control

    The final goal of an attacker during an intrusion can involve __________ data.

        exfiltrating

    Match the following defensive steps with their descriptions:

        Detect = Detecting attackers
        Deny = Stopping attackers gaining access to critical information
        Disrupt = Altering or stopping outbound data
        Degrade = Counterattack on the attacker
        Deceive = Interfering with data available to attackers

    What is the primary goal of threat modeling?

        To identify and mitigate potential risks

    Defenders only need to protect against a single vulnerability to be effective.

        False

    What framework can be used to brainstorm potential threats during threat modeling?

        STRIDE

    __________ is a security property related to ensuring the authenticity of a user.

        Authentication

    Match the STRIDE elements with their corresponding definitions:

        Spoofing = Masquerading as another user
        Tampering = Unauthorized modification of data
        Repudiation = Denying responsibility for an action
        Information Disclosure = Unauthorized access to information
        Denial of Service = Preventing access to services

    Which of the following is a mitigation technique for tampering?

        Using strong encryption

    Continuous reflection and revision of security procedures are unnecessary after implementation.

        False

    What example can illustrate information disclosure in a cybersecurity context?

        Password leaks

    What is the main goal of a DDoS attack?

        To flood a website with service requests

    Effective mitigation against elevation of privilege involves role-based access controls.

        True

    What are the two types of reconnaissance in the Cyber Kill Chain?

        Active reconnaissance and passive reconnaissance

    A successful ________ attack occurs when malware is executed to exploit a vulnerability.

        exploitation

    Match the stages of the Cyber Kill Chain with their definitions:

        Reconnaissance = Gathering information about the target
        Weaponization = Creating the malware based on vulnerabilities
        Delivery = Transmitting the malware to the target
        Exploitation = Executing the malware to gain access

    Which of the following is NOT a method of mitigating DDoS attacks?

        Privilege separation

    The Cyber Kill Chain includes a stage for data exfiltration after exploitation.

        False

    What is the purpose of STRIDE in software development?

        To systematically evaluate components against potential threats

    Study Notes

    Malware Overview

    • The three classic forms of malware covered here are viruses, worms, and Trojans.
    • Viruses attach to files, replicate, and spread. They can be polymorphic (mutate to avoid detection) and have triggers like logic bombs or time bombs. Spread via files, boot sectors, and email attachments.
    • Worms replicate across systems without user interaction, exploiting network vulnerabilities. Cause slowdowns and provide remote access for attackers (e.g., Blaster and Witty worms).
    • Trojans appear harmless but hide malicious activities like keylogging (recording keystrokes) or opening backdoors for attackers to control remotely.

    Malware Detection and Prevention

    • User Awareness: educating users to avoid risky behaviours (e.g., downloading suspicious files or opening unexpected attachments) prevents many infections, but on its own it is not sufficient.
    • Technical Solutions: write protection, firewalls, and intrusion detection systems help prevent or contain attacks.
    • Antivirus Software: identifies and removes malware, but requires regular updates to recognise new threats.

    Antivirus Approaches

    • Virus Dictionaries scan for known virus signatures. They struggle with unknown or polymorphic viruses, since there is no signature yet for code that has not been seen before.
    • Behavior Blockers monitor suspicious system commands (e.g., file deletions) and alert users before actions are carried out.
    • Integrity Checkers detect changes in files caused by malware but only after some damage has occurred.
    • Activity Monitoring tracks program behavior for unusual activities (e.g., attempting to alter other programs) but can produce false positives. Suspected files can be quarantined (isolated) in a sandbox environment.
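    Two of the approaches above, a virus dictionary (signature scanner) and an integrity checker, reduce to short programs, so here is a toy of each. This is an added example, not code from the original notes: the "signatures", the file tree and the simulated infection are all constructed for the demo and are not real malware. It shows the trade-off the notes describe: the signature scanner catches the known sample but is blind to the new strain, while the integrity checker catches both, but only after the files have already been changed.

```python
"""Toy antivirus: a signature ("virus dictionary") scanner plus a
hash-based integrity checker.  Added example; the signatures and the
sample files below are constructed, not real malware."""
import hashlib
import os
import tempfile

# Constructed signatures: name -> byte pattern.  Real dictionaries hold
# many thousands of patterns and miss anything they have not seen.
SIGNATURES = {
    "Demo.Dropper": b"\x4d\x5a\x90\x00DEMO_DROPPER",
    "Demo.Keylog": b"DEMO_KEYLOG\x00keys.log",
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that appears in `data`."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Signature-scan every regular file under `root`; path -> matches."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                found = scan_bytes(f.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict[str, str]:
    """Integrity checker, step 1: hash every file while the system is
    believed clean.  In practice this baseline is stored read-only."""
    return {
        os.path.relpath(os.path.join(d, fn), root): sha256_file(os.path.join(d, fn))
        for d, _, files in os.walk(root)
        for fn in files
    }


def integrity_diff(root: str, base: dict[str, str]) -> dict[str, list[str]]:
    """Step 2: compare the current tree with the baseline.  Any report
    comes after the change has happened, the limitation the notes name."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "added": sorted(p for p in now if p not in base),
        "removed": sorted(p for p in base if p not in now),
    }


def demo() -> dict:
    """Build a constructed file tree, infect it, and run both checks."""
    root = tempfile.mkdtemp(prefix="av-demo-")

    def write(rel: str, data: bytes) -> None:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    write("notes.txt", b"quarterly report, nothing to see here")
    write("helper.exe", b"\x4d\x5a\x90\x00 legitimate helper program")
    base = baseline(root)

    # Simulated infection: a catalogued dropper overwrites helper.exe and a
    # brand-new sample, with no signature yet, lands as update.bin.
    write("helper.exe", b"\x4d\x5a\x90\x00DEMO_DROPPER payload")
    write("update.bin", b"\x4d\x5a\x90\x00 new strain, no signature yet")

    return {
        "signature_hits": scan_tree(root),          # only helper.exe
        "integrity": integrity_diff(root, base),    # helper.exe and update.bin
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

    Running it prints the dropper as the only signature hit, while the integrity diff lists helper.exe as modified and update.bin as added; the "new strain" is invisible to the dictionary. A production integrity checker would also guard the baseline itself (a signed or offline copy), otherwise malware that can rewrite files can rewrite the hashes too.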

    Threat Modeling

    • A systematic process for identifying potential threats and security risks before they can be exploited.
    • More comprehensive than an ad-hoc review: working through the system methodically surfaces risks that would otherwise be missed, so vulnerabilities are designed out rather than patched after the fact.
    • Systematic Approach: a mapped-out sequence of steps for charting the threat landscape of the system under review.
    • Threat Actors vs. Defenders Attackers only need to exploit one vulnerability, while defenders must protect against all possible threats.
    • General Approach (Key Questions):
      • What are we building? (system description, diagrams)
      • What can go wrong? (brainstorming threats, STRIDE, cyber kill chains, attack trees)
      • What will we do about it? (Identify and implement mitigation, prioritize actions)
      • Reflection (review, reflect, revise procedures)

    STRIDE Framework

    • Spoofing (S): Masquerading as another user or entity (e.g., phishing emails). Mitigation: Ensure strong authentication.
    • Tampering (T): Unauthorized modification of data (e.g., changing salary information). Mitigation: Protect data integrity with keyed integrity checks (MACs, digital signatures, authenticated encryption) alongside access controls. Encryption on its own hides data but does not stop it being modified, and an unkeyed checksum only catches accidental corruption, because an attacker who changes the data can simply recompute it.
    • Repudiation (R): Denying responsibility for an action (e.g., denying sending an email). Mitigation: Implement non-repudiation mechanisms.
    • Information Disclosure (I): Unauthorized access to information (e.g., password leaks). Mitigation: Strong encryption, access controls, and proper data handling.
    • Denial of Service (D): Preventing legitimate users from accessing services (e.g., DDoS attacks). Mitigation: Firewalls, intrusion detection/prevention systems, load balancing.
    • Elevation of Privilege (E): Gaining unauthorized access to higher-level permissions (e.g., read-only user gaining write access). Mitigation: Authorization mechanisms, role-based access controls (RBAC), privilege separation.
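    The Tampering row is the one most often mitigated badly, so here is the salary example from that row carried through in code. This is an added example, not from the original notes; the record layout, the key and the attacker model (someone who can rewrite the data in transit or at rest but does not hold the server's key) are constructed for the demo. It contrasts an unkeyed CRC32, which the attacker recomputes after editing the salary, with an HMAC-SHA256 tag, which cannot be recomputed without the key.

```python
"""STRIDE Tampering: unkeyed checksum versus keyed MAC.  Added example;
the record, key and attacker model are constructed for the demo."""
import hashlib
import hmac
import json
import zlib

# Constructed demo key.  In a real service it lives in a KMS or secret
# store, never in source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect_with_crc(record: dict) -> dict:
    """Weak: anyone can recompute a CRC, so it detects only accidents."""
    body = _canonical(record)
    return {"body": body, "tag": zlib.crc32(body)}


def verify_crc(envelope: dict) -> bool:
    return zlib.crc32(envelope["body"]) == envelope["tag"]


def protect_with_hmac(record: dict, key: bytes = SERVER_KEY) -> dict:
    """Strong: the tag depends on a key the attacker does not have."""
    body = _canonical(record)
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_hmac(envelope: dict, key: bytes = SERVER_KEY) -> bool:
    expected = hmac.new(key, envelope["body"], hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the check does not leak the tag.
    return hmac.compare_digest(expected, envelope["tag"])


def attacker_tampers(envelope: dict, new_salary: int) -> dict:
    """Attacker with write access to the stored/transmitted envelope but
    not to SERVER_KEY: edit the salary and recompute whatever unkeyed
    tag they can."""
    record = json.loads(envelope["body"])
    record["salary"] = new_salary
    body = _canonical(record)
    tag = envelope["tag"]
    if isinstance(tag, int):          # CRC tag: trivially recomputed
        tag = zlib.crc32(body)
    # HMAC tag: the best they can do is forward the old one.
    return {"body": body, "tag": tag}


def demo() -> dict:
    record = {"employee": "alice", "salary": 50000}
    crc_env = attacker_tampers(protect_with_crc(record), 500000)
    mac_env = attacker_tampers(protect_with_hmac(record), 500000)
    return {
        "crc_accepts_tampered": verify_crc(crc_env),     # True: defence failed
        "hmac_accepts_tampered": verify_hmac(mac_env),   # False: tampering caught
        "hmac_accepts_genuine": verify_hmac(protect_with_hmac(record)),
    }


if __name__ == "__main__":
    print(demo())
```

    The same argument applies to the quiz answer "using strong encryption": a cipher protects confidentiality, and with many modes an attacker can still flip bits in the ciphertext without detection. An authenticated-encryption mode (AES-GCM, ChaCha20-Poly1305) gives both properties; a MAC or signature over the plaintext gives integrity on its own.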

    Cyber Kill Chain

    • Sequence of actions attackers typically follow to infiltrate a network.

    • Stages:

      • Reconnaissance: Gathering information about the target (identifying weaknesses, entry points).
      • Weaponization: Creating the malicious tool or payload.
      • Delivery: Delivering the malware or exploit.
      • Exploitation: Executing the malware to gain access.
      • Installation: Establishing the attacker's presence.
      • Command and Control (C2): Establishing communication with the compromised system.
      • Actions on Objectives: Achieving final goal (e.g., exfiltrating data, disrupting services).
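    Stage 6, Command and Control, is where defenders most often get a second chance: a delivered implant has to call home, and many do so on a fixed timer. The following detector is an added example, not from the original notes; the connection-log format and every line in it are constructed, using documentation IP ranges, to show one host beaconing once a minute among ordinary browsing traffic. It groups outbound connections by (source, destination, port), measures the gaps between them, and flags pairs whose gaps are numerous and almost constant.

```python
"""C2 beacon detector over outbound-connection logs.  Added example;
the log format and all lines in LOG are constructed for the demo."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style log: timestamp, source, destination, dest port, bytes out.
# 10.0.0.12 -> 198.51.100.23 connects every ~60 s; 10.0.0.7 is normal browsing.
LOG = """\
2024-03-01T09:00:00 10.0.0.7 203.0.113.5 443 1840
2024-03-01T09:00:01 10.0.0.7 203.0.113.5 443 612
2024-03-01T09:00:00 10.0.0.12 198.51.100.23 443 340
2024-03-01T09:01:00 10.0.0.12 198.51.100.23 443 352
2024-03-01T09:02:01 10.0.0.12 198.51.100.23 443 344
2024-03-01T09:02:59 10.0.0.12 198.51.100.23 443 340
2024-03-01T09:04:00 10.0.0.12 198.51.100.23 443 348
2024-03-01T09:05:00 10.0.0.12 198.51.100.23 443 340
2024-03-01T09:06:01 10.0.0.12 198.51.100.23 443 352
2024-03-01T09:07:00 10.0.0.12 198.51.100.23 443 340
2024-03-01T09:00:45 10.0.0.7 192.0.2.10 443 9120
2024-03-01T09:03:12 10.0.0.7 203.0.113.5 443 2210
2024-03-01T09:06:40 10.0.0.7 192.0.2.10 443 17400
2024-03-01T09:07:02 10.0.0.7 203.0.113.5 443 503
"""


def parse(log_text: str) -> list[tuple]:
    """Parse the constructed format into (time, src, dst, port, bytes)."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def detect_beacons(log_text: str, min_conns: int = 6, max_cv: float = 0.1) -> list[dict]:
    """Flag (src, dst, port) pairs with at least `min_conns` connections
    whose inter-connection gaps have a coefficient of variation
    (stdev / mean) of at most `max_cv`, i.e. a near-constant period."""
    by_pair: dict[tuple, list[datetime]] = defaultdict(list)
    for ts, src, dst, port, _ in parse(log_text):
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:
            continue                      # too few samples to call a rhythm
        times.sort()                      # log lines need not be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in detect_beacons(LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  n={f['connections']}  "
              f"period={f['period_s']}s  cv={f['cv']}")
```

    On the sample log only the 10.0.0.12 pair is reported (eight connections, a 60 s period, cv around 0.02). Two caveats a practitioner would add: implants that randomise their sleep interval ("jitter") push the cv up and need a looser threshold or a longer observation window, and legitimate pollers such as update checkers or monitoring agents are also periodic, so this is a lead for an analyst rather than a verdict, the same false-positive trade-off the notes describe for activity monitoring.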

    Additional Notes

    • Example Mitigation: defensive steps for minimizing attack success, applied against each kill chain stage:
      • Detect: detecting attackers
      • Deny: stopping attackers gaining access to critical information
      • Disrupt: altering or stopping outbound data
      • Degrade: counter-attacking the attacker
      • Deceive: deceiving the attacker by interfering with the data available to them

    Related Documents

    Week 6 Notes on Malware

    Description

    This quiz explores the various types of malware including viruses, worms, and Trojans. It also discusses key strategies for detection and prevention, focusing on user awareness and technical solutions like antivirus software. Test your knowledge on the vital aspects of malware management.
