Malware Overview and Prevention
29 Questions
Questions and Answers

What is the primary purpose of the Installation phase in a cyber attack?

  • To create a persistent presence through additional malware (correct)
  • To monitor user activities without detection
  • To establish initial access without further control
  • To exfiltrate sensitive data from the network

In Command and Control (C2), the attacker primarily seeks to:

  • Encrypt sensitive data to prevent theft
  • Establish a backdoor for future attacks (correct)
  • Improve network performance through optimization
  • Create user accounts for legitimate access

Which of the following best describes the Actions on Objectives phase during a cyber attack?

  • Preventing unauthorized access to sensitive information
  • Installing security patches to fortify defenses
  • Monitoring network traffic to identify vulnerabilities
  • Executing the attacker's intended goals such as data theft (correct)

What is the purpose of the Deny mitigation control in response to an attack?

To prevent unauthorized access to key information and services

Which defensive step involves misleading attackers to gather more knowledge about their tactics?

Deceive

Why do defenders face more challenges than attackers in threat modeling?

Defenders must secure against all vulnerabilities while attackers only need one.

In the STRIDE framework, which of the following is not a category of threat?

Replication

What primary security property does the denial of service attack threaten?

Availability

Which mitigation technique is most appropriate for addressing tampering?

Encryption and checksums

What is the first question in the general approach to threat modeling?

What are we building?

Which example illustrates a repudiation threat?

A user denying they accessed sensitive files.

What aspect of security does the information disclosure category address?

Confidentiality

In threat modeling, what is the purpose of using diagrams like component or data flow diagrams?

To provide a clear representation of the system.

What does elevation of privilege refer to in cybersecurity?

Gaining unauthorized access to higher-level permissions

Which mitigation strategy is effective against DDoS attacks?

Using firewalls and intrusion detection systems

What is the primary purpose of the Cyber Kill Chain framework?

To describe the sequence of actions taken by attackers

During which stage of the Cyber Kill Chain does an attacker create the malicious payload?

Weaponization

In the context of STRIDE, what threat does tampering primarily address?

Modification of data during transmission

What type of reconnaissance is undetectable by the target?

Passive reconnaissance

What is a common consequence of the exploitation stage in the Cyber Kill Chain?

The malware executes and gains initial access

Implementing role-based access control (RBAC) primarily aims to prevent which of the following?

Improper user activity and privilege escalation

What characteristic differentiates worms from viruses?

Worms cause network slowdowns and can provide remote access.

Which type of malware is most likely to install a backdoor on a user's device?

Trojan

What is a primary limitation of virus dictionaries in antivirus approaches?

They struggle to identify unknown or polymorphic viruses.

Which method best describes the function of integrity checkers in malware detection?

Detecting changes in files after malware has caused damage.

What is a key feature of behaviour blockers in antivirus software?

They monitor system commands for suspicious activities.

Which approach to malware prevention involves promoting user education?

User Awareness

What concept involves systematically identifying potential security risks in a given context?

Threat Modelling

What common issue can arise from activity monitoring in antivirus software?

Risk of legitimate actions being flagged as threats.

Study Notes

Malware Overview

• Malware comes in three main forms: viruses, worms, and trojans.
• Viruses: Self-replicating malicious code that attaches to files, often polymorphic (mutating to avoid signature detection). Spread through executable files, boot sectors, or email attachments.
• Worms: Spread through network vulnerabilities without user interaction, often causing network slowdowns and providing remote access to attackers. Examples include the Blaster and Witty worms.
• Trojans: Appear harmless but hide malicious activities, such as keylogging (recording keystrokes) or opening backdoors for remote control.

Malware Detection and Prevention

• User Awareness: Educating users to avoid risky behaviours such as downloading suspicious files.
• Technical Solutions: Using write protection, firewalls, and intrusion detection systems to prevent attacks.
• Antivirus Software: Identifies and removes malware, but requires regular updates to recognise new threats.

Antivirus Approaches

• Virus Dictionaries: Scan for known virus signatures, but struggle with unknown or polymorphic viruses.
• Behaviour Blockers: Monitor suspicious system commands (e.g., file deletions) and alert the user before the action is carried out.
• Integrity Checkers: Detect changes in files caused by malware, but only after the damage has occurred.
• Activity Monitoring: Tracks program behaviour for unusual activity (e.g., attempts to alter other programs), potentially producing false positives when legitimate actions are flagged.

Threat Modelling

• A structured process to identify potential threats and security risks.
• Systematic Approach: Maps out the threat landscape against a system to identify vulnerabilities and risks.
• Threat Actors vs. Defenders: Attackers have the advantage, since they need only one working exploit, while defenders must try to prevent every potential exploit.
• General Approach (4 Key Questions):
  • What are we building? (System description, typically captured in component or data flow diagrams)
  • What can go wrong? (Potential threats and attacks, identified using frameworks such as STRIDE or the Cyber Kill Chain)
  • What will we do about it? (Mitigation strategies, with actions prioritised)
  • Reflection: Continuous review, reflection, and revision of procedures to improve security over time.

STRIDE Framework

• Spoofing (S): Masquerading as another user or entity (e.g., phishing). Mitigation: Strong authentication.
• Tampering (T): Unauthorized modification of data, for example during transmission. Mitigation: Data integrity measures (encryption, checksums).
• Repudiation (R): Denying responsibility for an action. Mitigation: Non-repudiation mechanisms (digital signatures).
• Information Disclosure (I): Unauthorized access to information, threatening confidentiality. Mitigation: Strong encryption, access controls, and proper data handling policies.
• Denial of Service (D): Preventing legitimate users from accessing services, threatening availability (e.g., DDoS). Mitigation: Firewalls, intrusion detection, and load balancing.
• Elevation of Privilege (E): Gaining unauthorized access to higher-level permissions. Mitigation: Role-based access control (RBAC) and privilege separation.

Cyber Kill Chain

• The sequence of actions attackers use to infiltrate a network.
• Stages: Reconnaissance (gathering information; passive reconnaissance is undetectable by the target), Weaponization (creating the payload), Delivery, Exploitation (the malware executes and gains initial access), Installation (establishing persistence through additional malware), Command and Control (C2; establishing a backdoor for continued access), Actions on Objectives (achieving the attacker's goals).

Example Attacks

• Stealing intellectual property, defacing websites, selling stolen data.

Mitigation Steps (to reduce the success of an attack)

• Detect attackers that attempt to access systems or explore networks.
• Deny attackers access to critical information or services.
• Disrupt attacker operations by altering or stopping outbound data.
• Degrade attacker efforts through a counterattack.
• Deceive attackers by interfering with the data they collect or access.

Related Documents

Week 6 Notes on Malware

Description

This quiz covers the essential aspects of malware, including its main forms such as viruses, worms, and trojans. It also explores strategies for malware detection and user education to prevent infections. Test your knowledge on the critical protective measures against these threats.