Malware Overview and Prevention

Questions and Answers

What is the primary purpose of the Installation phase in a cyber attack?

• To create a persistent presence through additional malware (correct)
• To monitor user activities without detection
• To establish initial access without further control
• To exfiltrate sensitive data from the network

In Command and Control (C2), the attacker primarily seeks to:

• Encrypt sensitive data to prevent theft
• Establish a backdoor for future attacks (correct)
• Improve network performance through optimization
• Create user accounts for legitimate access

Which of the following best describes the Actions on Objectives phase during a cyber attack?

• Preventing unauthorized access to sensitive information
• Installing security patches to fortify defenses
• Monitoring network traffic to identify vulnerabilities
• Executing the attacker's intended goals such as data theft (correct)

What is the purpose of the Deny mitigation control in response to an attack?

To prevent unauthorized access to key information and services (C)

Which defensive step involves misleading attackers to gather more knowledge about their tactics?

Deceive (D)

Why do defenders face more challenges than attackers in threat modeling?

Defenders must secure against all vulnerabilities while attackers only need one. (A)

In the STRIDE framework, which of the following is not a category of threat?

Replication (C)

What primary security property does the denial of service attack threaten?

Availability (B)

Which mitigation technique is most appropriate for addressing tampering?

Encryption and checksums (A)

What is the first question in the general approach to threat modeling?

What are we building? (C)

Which example illustrates a repudiation threat?

A user denying they accessed sensitive files. (B)

What aspect of security does the information disclosure category address?

Confidentiality (A)

In threat modeling, what is the purpose of using diagrams like component or data flow diagrams?

To provide a clear representation of the system. (C)

What does elevation of privilege refer to in cybersecurity?

Gaining unauthorized access to higher-level permissions (B)

Which mitigation strategy is effective against DDoS attacks?

Using firewalls and intrusion detection systems (B)

What is the primary purpose of the Cyber Kill Chain framework?

To describe the sequence of actions taken by attackers (A)

During which stage of the Cyber Kill Chain does an attacker create the malicious payload?

Weaponization (C)

In the context of STRIDE, what threat does tampering primarily address?

Modification of data during transmission (A)

What type of reconnaissance is undetectable by the target?

Passive reconnaissance (D)

What is a common consequence of the exploitation stage in the Cyber Kill Chain?

The malware executes and gains initial access (D)

Implementing role-based access control (RBAC) primarily aims to prevent which of the following?

Improper user activity and privilege escalation (A)

What characteristic differentiates worms from viruses?

Worms cause network slowdowns and can provide remote access. (D)

Which type of malware is most likely to install a backdoor on a user's device?

Trojan (D)

What is a primary limitation of virus dictionaries in antivirus approaches?

They struggle to identify unknown or polymorphic viruses. (D)

Which method best describes the function of integrity checkers in malware detection?

Detecting changes in files after malware has caused damage. (C)

What is a key feature of behaviour blockers in antivirus software?

They monitor system commands for suspicious activities. (A)

Which approach to malware prevention involves promoting user education?

User Awareness (A)

What concept involves systematically identifying potential security risks in a given context?

Threat Modelling (D)

What common issue can arise from activity monitoring in antivirus software?

Risk of legitimate actions being flagged as threats. (C)

Flashcards

Malware Types

Malicious software categorized as viruses, worms, and Trojans.

Virus

Malware that attaches to files and spreads by self-replication (copying itself).

Worm

Malware that spreads through networks without user action, often causing network problems.

Trojan

Malware that appears harmless but hides malicious activities like keylogging or backdoors.

Malware Detection Methods

Different ways to identify and stop malware.

Virus Dictionary

Antivirus method that looks for known virus patterns.

Threat Modelling

Systematic process for identifying security risks.

Quarantine

Isolation of a suspected harmful file to prevent further damage.

Threat Actor

Someone or something attempting to exploit vulnerabilities.

STRIDE Framework

A framework to structure threat brainstorming (spoofing, tampering, repudiation, information disclosure, denial of service).

Spoofing (S)

Masquerading as another user or entity to gain unauthorized access.

Tampering (T)

Unauthorized modification of data.

Information Disclosure (I)

Unauthorized access to confidential information.

Denial of Service (DoS)

Preventing legitimate users from accessing services.

Threat Landscape

The range of potential attacks or threats to a system.

Installation (Malware)

Adding more malicious programs or tools to a compromised system. This helps the attacker maintain control and access.

Command and Control (C2)

The attacker communicates with the compromised system through a secret backdoor to control it remotely.

Actions on Objectives

The final goal of an attack, like stealing data, disrupting services, or launching more attacks.

Detect

Spotting attackers as they enter a system or explore the network.

Deny

Preventing attackers from accessing important information or services.

Elevation of Privilege

Gaining unauthorized access to higher-level permissions, allowing a user with limited access to perform actions they shouldn't.

STRIDE

A threat modeling framework used to systematically identify and analyze potential security threats to a system.

Cyber Kill Chain

A sequence of steps attackers typically follow to infiltrate a network, gain access, and achieve their malicious goals.

Reconnaissance

The attacker gathers information about the target to identify vulnerabilities and potential entry points.

Weaponization

Creating the malicious tool or payload (malware) based on the vulnerabilities found during reconnaissance.

Delivery

The attacker delivers the malware or exploit to the target.

Exploitation

The malware is executed, taking advantage of a vulnerability to gain initial access to the system.

Active Reconnaissance

Gathering information about a target that can be detected by the target.

Study Notes

Malware Overview

• Malware comes in three main forms: viruses, worms, and trojans
• Viruses: Self-replicating malicious code that attaches to files, often polymorphic (mutating to avoid detection). Spread through executable files, boot sectors, or email attachments.
• Worms: Spread through network vulnerabilities without user interaction, often causing network slowdowns and providing remote access to attackers. Examples include Blaster and Witty worms.
• Trojans: Appear harmless but hide malicious activities, such as keylogging (recording keystrokes) or opening backdoors for remote control.

Malware Detection and Prevention

• User Awareness: Educating users to avoid risky behaviors like downloading suspicious files.
• Technical Solutions: Using write protection, firewalls, and intrusion detection systems to prevent attacks.
• Antivirus Software: Identifying and removing malware, but requires regular updates to recognize new threats.

Antivirus Approaches

• Virus Dictionaries: Scans for known virus signatures, but struggles with unknown or polymorphic viruses.
• Behavior Blockers: Monitors suspicious system commands (e.g., file deletions) and alerts users before actions are carried out.
• Integrity Checkers: Detect changes in files caused by malware, but only after damage has occurred.
• Activity Monitoring: Tracks program behavior for unusual activities (e.g., attempts to alter other programs), potentially resulting in false positives.

Threat Modelling

• A structured process to identify potential threats and security risks.
• Systematic Approach: Maps out the threat landscape against a system to identify vulnerabilities and risks.
• Threat Actors vs. Defenders: Attackers have an advantage, focusing on exploits, compared to defenders trying to prevent all potential exploits.
• General Approach (4 Key Questions):
  • What are we building? (System description)
  • What can go wrong? (Potential threats & attacks; using frameworks like STRIDE or cyber kill chains)
  • What will we do about it? (Mitigation strategies, prioritizing actions)
  • Reflection: Continuous review, reflection, and revisions of procedures for better security over time.

STRIDE Framework

• Spoofing (S): Masquerading as another user/entity (e.g., phishing). Mitigation: Strong authentication.
• Tampering (T): Unauthorized modification of data. Mitigation: Data integrity measures (encryption, checksums).
• Repudiation (R): Denying responsibility for an action. Mitigation: Non-repudiation mechanisms (digital signatures).
• Information Disclosure (I): Unauthorized access to information. Mitigation: Strong encryption, access controls, and proper data handling policies.
• Denial of Service (D): Preventing legitimate users from accessing services (e.g., DDOS). Mitigation: Firewalls, intrusion detection, and load balancing.
• Elevation of Privilege (E): Gaining unauthorized access to higher-level permissions. Mitigation: Role-based access controls (RBAC) and privilege separation.

Cyber Kill Chain

• Sequence of actions attackers use to infiltrate a network.
• Stages: Reconnaissance (gathering info), Weaponization (creating payload), Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives (achieving goals).

Example Attacks

• Stealing intellectual property, defacing websites, selling stolen data.

Mitigation Steps (to reduce the success of an attack)

• Detecting attackers that attempt to access systems or explore networks.
• Denying attackers access to critical information or services.
• Disrupting attacker operations by altering or stopping outbound data.
• Degrading attacker efforts through a counterattack.
• Deceive attackers with interference in the data collected or accessed.

Description

This quiz covers the essential aspects of malware, including its main forms such as viruses, worms, and trojans. It also explores strategies for malware detection and user education to prevent infections. Test your knowledge on the critical protective measures against these threats.