Malware Overview and Prevention - Week 6

Questions and Answers

What is a defining characteristic of worms?

• They self-replicate and have different triggers.
• They attach to files and require user interaction to spread.
• They exploit network vulnerabilities to spread without user interaction. (correct)
• They can mutate to avoid detection like viruses.

Viruses can only spread through email attachments.

False (B)

What is the purpose of antivirus software?

To identify and remove malware.

A __________ is a program that appears harmless but can perform malicious activities like keylogging.

Trojan

Match the types of antivirus approaches with their descriptions:

Virus Dictionaries = Scans for known virus signatures Behaviour Blockers = Monitors suspicious system commands Integrity Checkers = Detects changes in files caused by malware Activity Monitoring = Tracks unusual program activities

Which approach can lead to false positives?

Activity Monitoring (A)

User awareness is the only method to prevent malware infections.

False (B)

What is threat modeling?

A process for identifying potential threats and security risks.

What is the primary purpose of a remote access Trojan (RAT)?

To maintain access and control over the compromised system (A)

The action 'Disrupt' in defensive steps refers to stopping attackers from accessing critical information.

False (B)

What does 'C2' stand for in the context of cybersecurity?

Command and Control

The final goal of an attacker during an intrusion can involve __________ data.

exfiltrating

Match the following defensive steps with their descriptions:

Detect = Stopping attackers gaining access to critical information Deny = Counterattack on the attacker Degrade = Altering or stopping outbound data Deceive = Interfering with data available to attackers

What is the primary goal of threat modeling?

To identify and mitigate potential risks (D)

Defenders only need to protect against a single vulnerability to be effective.

False (B)

What framework can be used to brainstorm potential threats during threat modeling?

STRIDE

__________ is a security property related to ensuring the authenticity of a user.

Authentication

Match the STRIDE elements with their corresponding definitions:

Spoofing = Masquerading as another user Tampering = Unauthorized modification of data Repudiation = Denying responsibility for an action Information Disclosure = Unauthorized access to information Denial of Service = Preventing access to services

Which of the following is a mitigation technique for tampering?

Using strong encryption (A)

Continuous reflection and revision of security procedures are unnecessary after implementation.

False (B)

What example can illustrate information disclosure in a cybersecurity context?

Password leaks

What is the main goal of a DDoS attack?

To flood a website with service requests (A)

Effective mitigation against elevation of privilege involves role-based access controls.

True (A)

What are the two types of reconnaissance in the Cyber Kill Chain?

Active reconnaissance and passive reconnaissance

A successful ________ attack occurs when malware is executed to exploit a vulnerability.

exploitation

Match the stages of the Cyber Kill Chain with their definitions:

Reconnaissance = Gathering information about the target Weaponization = Creating the malware based on vulnerabilities Delivery = Transmitting the malware to the target Exploitation = Executing the malware to gain access

Which of the following is NOT a method of mitigating DDoS attacks?

Privilege separation (A)

The Cyber Kill Chain includes a stage for data exfiltration after exploitation.

False (B)

What is the purpose of STRIDE in software development?

To systematically evaluate components against potential threats

Flashcards

Malware Types

Malicious software categorized into Viruses, Worms, and Trojans.

Virus (Malware)

Self-replicating malicious code that attaches to files.

Worm (Malware)

Self-replicating malware that spreads via networks without user interaction.

Trojan (Malware)

Malicious program disguised as harmless, often allowing remote access.

Malware Detection Approach: Virus Dictionary

Scanning for known virus signatures.

Malware Detection Approach: Behavior Blocker

Monitors suspicious system activity (e.g., file deletion).

Quarantine (Malware)

Isolation of suspected malicious files to prevent further damage.

Threat Modeling

Structured method for identifying and evaluating security risks.

Threat Actors vs. Defenders

Attackers (threat actors) only need one weakness to succeed, while defenders must protect against everything.

Spoofing (threat)

Tricking someone into thinking they're acting legitimately, like a fake email.

Tampering (threat)

Unauthorized changes to data, like altering records.

Repudiation (threat)

Denying an action, like claiming never sent a message

Information Disclosure (threat)

Someone seeing data they shouldn't.

Denial of Service (threat)

Blocking legitimate use of a system.

STRIDE Framework

A structured way to think about potential attacks during threat modelling, with the acronym Spoofing, Tampering, Repudiation, Information Disclosure, and Denial of Service.

Installation (Malware)

Adding extra malicious software to enhance attacker control over a system.

Command and Control (C2)

Attacker communication with a compromised system for remote control using a backdoor.

Actions on Objectives

Attacker's final goal (e.g., data theft, service disruption).

Defensive Step: Detect

Identifying attackers trying to access or explore a network.

Defensive Step: Deny

Blocking attackers from critical information or services.

Elevation of Privilege (E)

Gaining unauthorized access to higher-level permissions.

Reconnaissance (Cyber Kill Chain)

Gathering information about the target to identify weaknesses or entry points.

Weaponization (Cyber Kill Chain)

Creating malicious code (malware) based on reconnaissance findings.

Delivery (Cyber Kill Chain)

Delivering the malicious code or exploit to the target.

Exploitation (Cyber Kill Chain)

Executing malware, taking advantage of a vulnerability to access a system.

Cyber Kill Chain

Sequence of actions attackers take to infiltrate a network.

Active Reconnaissance

Attacker's reconnaissance that can be detected by the target.

Passive Reconnaissance

Attacker's reconnaissance that cannot be detected by the target.

Study Notes

Malware Overview

• Malware comes in three forms: viruses, worms, and Trojans.
• Viruses attach to files, replicate, and spread. They can be polymorphic (mutate to avoid detection) and have triggers like logic bombs or time bombs. Spread via files, boot sectors, and email attachments.
• Worms replicate across systems without user interaction, exploiting network vulnerabilities. Cause slowdowns and provide remote access for attackers (e.g., Blaster and Witty worms).
• Trojans appear harmless but hide malicious activities like keylogging (recording keystrokes) or opening backdoors for attackers to control remotely.

Malware Detection and Prevention

• User Awareness educating users to avoid risky behaviors (e.g., downloading suspicious files) prevents infections.
• Technical Solutions, like write protection, firewalls, and intrusion detection systems help prevent attacks.
• Antivirus Software identifies and removes malware but requires regular updates to recognize new threats.

Antivirus Approaches

• Virus Dictionaries scan for known virus signatures. Struggles with unknown or polymorphic viruses.
• Behavior Blockers monitor suspicious system commands (e.g., file deletions) and alert users before actions are carried out.
• Integrity Checkers detect changes in files caused by malware but only after some damage has occurred.
• Activity Monitoring tracks program behavior for unusual activities (e.g., attempting to alter other programs) but can produce false positives. Suspected files can be quarantined (isolated) in a sandbox environment.

Threat Modeling

• A systematic process for identifying potential threats and security risks.
• Provides a more comprehensive approach to evaluating security risks than a more ad-hoc approach. Helpful in preventing vulnerabilities.
• Systematic Approach involves mapped-out steps to map the threat landscape.
• Threat Actors vs. Defenders Attackers only need to exploit one vulnerability, while defenders must protect against all possible threats.
• General Approach (Key Questions):
  • What are we building? (system description, diagrams)
  • What can go wrong? (brainstorming threats, STRIDE, cyber kill chains, attack trees)
  • What will we do about it? (Identify and implement mitigation, prioritize actions)
  • Reflection (review, reflect, revise procedures)

STRIDE Framework

• Spoofing (S): Masquerading as another user or entity (e.g., phishing emails). Mitigation: Ensure strong authentication.
• Tampering (T): Unauthorized modification of data (e.g., changing salary information). Mitigation: Protect data integrity via encryption and checksums.
• Repudiation (R): Denying responsibility for an action (e.g., denying sending an email). Mitigation: Implement non-repudiation mechanisms.
• Information Disclosure (I): Unauthorized access to information (e.g., password leaks). Mitigation: Strong encryption, access controls, and proper data handling.
• Denial of Service (D): Preventing legitimate users from accessing services (e.g., DDoS attacks). Mitigation: Firewalls, intrusion detection/prevention systems, load balancing.
• Elevation of Privilege (E): Gaining unauthorized access to higher-level permissions (e.g., read-only user gaining write access). Mitigation: Authorization mechanisms, role-based access controls (RBAC), privilege separation.

Cyber Kill Chain

• Sequence of actions attackers typically follow to infiltrate a network.

• Stages:

  • Reconnaissance: Gathering information about the target (identifying weaknesses, entry points).
  • Weaponization: Creating the malicious tool or payload.
  • Delivery: Delivering the malware or exploit.
  • Exploitation: Executing the malware to gain access.
  • Installation: Establishing the attacker's presence.
  • Command and Control (C2): Establishing communication with the compromised system.
  • Actions on Objectives: Achieving final goal (e.g., exfiltrating data, disrupting services).

Additional Notes (page 5)

• Example Mitigation: Steps for minimizing attack success:
  • detecting attackers
  • stopping attackers gaining access
  • disrupting outbound data
  • counter-attacking the attacker
  • deceiving the attacker