Understanding Cyber Threats & Threat Sources

Questions and Answers

What is the primary goal of attackers when using cyber threats?

  • To enhance system functionality
  • To improve network performance
  • To infiltrate and steal data (correct)
  • To provide security updates

Which of the following actions is an example of an attacker attempting privilege escalation?

  • Stealing sensitive data of an organization
  • Performing unauthorized URL redirection
  • Gaining unauthorized access to elevated system rights (correct)
  • Remotely altering data in a database server

Which of the following is an example of an unintentional threat source?

  • Hackers
  • Foreign intelligence agents
  • Terrorists
  • Unskilled administrators (correct)

What is a key difference between structured and unstructured external threats?

Structured threats aim to disrupt services using advanced tools (B)

What is the primary motive of hacktivists as threat actors?

Promoting a political agenda by defacing or disabling websites (B)

Which attribute primarily distinguishes an insider threat actor from an external one?

Authorized access to the organization's resources (A)

Which of the following best describes a threat vector?

The method by which an attacker gains access to a system (A)

An attacker injects malicious code into cloud resources to access user data. What type of threat vector is being employed?

Cloud (D)

Which malware component is designed to evade antivirus detection by concealing the malware's existence?

Crypter (A)

Which of the listed options is the purpose of 'drive-by downloads' in malware distribution?

Exploiting flaws in browser software (A)

How do attackers primarily use 'spam emails' to distribute malware?

By tricking victims into clicking attachments containing malware. (A)

If a computer screen blinks and inverts, webpages open without user input, and the antivirus program is disabled, what type of malware could be present?

Trojan (B)

What is the distinguishing characteristic of a 'Remote Access Trojan' (RAT)?

It provides attackers with full control over the victim's system. (C)

A Trojan is installed on a system and is now directing computers to participate in a distributed denial-of-service (DDoS) attack. What classification of Trojan would be responsible for this activity?

Botnet Trojan (B)

Which type of Trojan specifically targets financial data by intercepting account information before it is encrypted by the system?

E-Banking Trojans (A)

What is the main function of a 'Security Software Disabler Trojan'?

To disable security programs like firewalls and IDS. (B)

Which of the following is an indication that a computer has been infected with the Emotet Trojan?

The presence of malicious Word documents used for installing malware (D)

What is the primary method by which a virus replicates itself?

By attaching itself to another program or document. (D)

Which of the following indicates a potential virus attack?

Computer freezes and a display of a BSOD. (D)

In the stages of a virus lifecycle, what action does the 'Launch' stage involve?

Activation when the user performs certain actions (D)

Which statement best describes the characteristics of 'Sparse Infector Viruses'?

They infect less often and try to minimize their discovery probability. (A)

What is the fundamental process of a 'Companion Virus' when it infects a system?

Creating a file with the same name as a legitimate program. (D)

Which of the following describes an armored virus?

Designed to confuse antivirus systems (A)

To create a virus using a batch file, the instruction del c:\Windows\*.* is provided. What result would this command have?

It removes all files in the folder c:\Windows (B)

Concerning the classification of ransomware, what action characterizes this type of malware?

Restricting access to a computer system's files, for ransom payment. (D)

What is a primary distinction between a computer worm and a virus?

A worm can spread through a network, while a virus typically needs user interaction. (C)

What is a 'rootkit' primarily designed to do on an infected system?

Hide the presence of malicious activity (D)

In the context of rootkits, what does 'exploited by the attackers' describe?

The period before being acknowledged and patched (D)

What is a common characteristic of Potentially Unwanted Applications (PUAs)?

They pose severe risks to security and privacy (A)

Which of the following is a typical behavior of Adware PUAs?

Displaying unsolicited advertisements and pop-ups (C)

What is the main purpose of spyware?

Monitoring user activities without consent (C)

Keystroke loggers are mainly used for what purpose?

To monitor each keystroke from a keyboard (D)

What is the purpose of Botnets?

Perform a distributed task (C)

A type of malware infects legitimate software to perform malicious activities; which malware type is being described?

Fileless Malware (B)

What is an inherent weakness, relating to network security, that may exist in hardware or software?

Vulnerability (A)

What is the primary result of insecure configurations of hardware or software in a network?

Security loopholes (C)

If a firewall is not updated with security features what could occur?

Increased risk from network-related attacks (B)

What is a potential impact of vulnerabilities within an organization?

Data loss and reputation damage (C)

Why is a careless approach by end users a security concern?

It enables exploitation of critical data through cyberattacks. (D)

What key risk is expressed by this formula: Risk = Asset + Threat + Vulnerability?

An understanding of why loss or damage can occur (A)

What factor most directly contributes to system sprawl vulnerability within a network?

An increased number of systems or servers due to the network (C)

How might a third-party put financial information, customer data, and employee data at risk?

If services have privileged systems access or a breach has occurred. (B)

What distinguishes a 'threat' from other cybersecurity terms?

The potential for an undesirable event to damage or disrupt an organization. (B)

Which of the following scenarios is the BEST example of "an attacker modifying or tampering with the data transferred over a network"?

An attacker intercepts an email and alters the message before it reaches the recipient. (C)

What is the MOST likely characteristic of an 'unintentional threat source' within an organization?

They are typically caused by negligence or human error. (B)

Which of the following scenarios highlights a key difference between structured and unstructured external threats?

A script kiddie defacing a website versus a nation-state conducting espionage. (B)

Which action is MOST representative of a cyber terrorist?

Disrupting a nation's critical infrastructure to incite fear. (C)

How does an 'insider threat' primarily gain unauthorized access to sensitive information compared to external threat actors?

By leveraging existing authorized access to systems and data. (B)

An employee connects a personal USB drive containing malware to their office computer. This scenario BEST exemplifies which threat vector?

Removable Media (D)

What is the MOST likely outcome when an attacker injects malicious code into a cloud-based service implementation module?

Gaining unauthorized access to user data managed by the cloud service. (B)

What type of malware focuses primarily on concealing its existence to evade detection?

Crypter (A)

An attacker uses 'black hat SEO' techniques to trick users into clicking on malicious links in search engine results. What is the PRIMARY goal?

To distribute malware to unsuspecting visitors. (A)

What action is MOST crucial that a user must perform for malware distributed through spam emails to compromise their system?

Clicking a malicious link or opening an infected attachment. (C)

A user reports the following: the computer screen blinks and inverts, webpages open without user input, and strange pop-ups suddenly appear. Additionally, the antivirus program has been disabled. Which type of malware is MOST likely present?

Trojan (D)

Which capability BEST distinguishes a Remote Access Trojan (RAT) from other types of malware?

The ability to grant an attacker full control over the victim's system remotely. (C)

What is the PRIMARY function of a Botnet Trojan after it infects a system?

To direct the compromised computer to participate in coordinated attacks. (C)

What characteristic is MOST unique to E-Banking Trojans compared to other types of Trojans?

They intercept the victim's banking information before the system encrypts it. (C)

What distinguishes a Security Software Disabler Trojan from other types of malware?

Its primary function is to stop the working of security programs. (A)

A user receives an email with a malicious Word document attached. Upon opening, the document prompts the user to "Enable Content" to view it properly. If the user enables content, which Trojan might be installed?

Emotet Trojan (A)

What is the defining characteristic of how a virus spreads from one computer to another?

By attaching itself to another program or file. (C)

What is the MOST direct indication that a computer might be infected with a virus?

Antivirus alerts, missing files, and sluggish performance. (B)

In the 'Launch' stage of a virus lifecycle, what action MOST accurately describes the virus's activity?

The user performs an action, such as running an infected program, that activates it. (C)

What is a key characteristic of Sparse Infector Viruses' infection strategy?

They infect files based on very specific conditions. (B)

How does a Companion Virus primarily achieve its infection?

By creating a file with a similar name to the target file and manipulating the execution order. (B)

What is the MOST significant feature of an 'armored' virus?

The ability to make it difficult to trace the actual source of the infection. (B)

A malicious batch file contains the instruction @echo off then del c:\Windows\*.*. What specific action would this batch file MOST likely perform?

It attempts to delete all files within the Windows directory. (A)

What action defines the operational purpose of ransomware?

Encrypting user data and demanding a payment for its recovery. (B)

What is the PRIMARY difference in how a computer worm spreads compared to a computer virus?

Worms spread independently, while viruses require a user action to spread. (C)

What is the defining purpose of a rootkit on an infected system?

To prevent detection of other malware and maintain persistence. (D)

The phrase "exploited by the attackers" in the context of describing rootkits indicates which state?

The reason of being actively used to perform malicious activities. (C)

What is a common trait exhibited by Potentially Unwanted Applications (PUAs)?

They perform actions that users may not fully understand or consent to. (B)

What is a typical behavior pattern of Adware PUAs?

Displaying unsolicited advertisements and collecting user data. (C)

What is the PRIMARY goal of spyware?

To monitor user activity and collect sensitive information without their knowledge. (A)

Why are keystroke loggers primarily used?

To monitor and collect keystrokes, potentially capturing passwords and other sensitive information. (D)

What is the PRIMARY use of Botnets?

To perform distributed tasks, such as DDoS attacks or spamming. (A)

Malware has infected legitimate software to perform malicious activities. Which is being described?

Trojan (C)

What constitutes an inherent weakness as it pertains to network security?

A fundamental flaw in a design or code that can be unintentionally exploited. (D)

Insecure configuration of hardware or software in a network primarily leads to what outcome?

Security loopholes. (D)

What is the primary effect of not keeping a firewall’s security features up to date?

The firewall can be exploited. (B)

What is the MOST significant potential impact of unaddressed vulnerabilities within an organization?

Compromised system security. (A)

Why might a careless approach by end users increase security risks?

It can be exploited to effect serious outcomes including data loss. (D)

What elements are combined to define risk in the formula: Risk = Asset + Threat + Vulnerability?

The potential loss or damage that can occur when a threat to an asset exists in the presence. (A)

What aspect MOST directly contributes to system sprawl vulnerability within a network?

An increased number of system or server connections. (D)

In what way is a third party MOST likely to put company information at risk?

Through direct access to privileged systems (D)

How do natural threats primarily impact an organization's assets?

By causing severe physical damage to computer systems. (B)

What is a defining characteristic of intentional insider threats?

They involve disgruntled employees or privileged users harming the organization intentionally. (C)

Which type of external threat actor is MOST likely to simultaneously execute attacks from multiple sources, such as distributed ICMP floods?

Technically skilled attackers (A)

How do 'gray hat' hackers typically operate?

Offensively and defensively, sometimes helping and sometimes hindering security efforts. (C)

Which motivation aligns with 'cyber terrorists' as threat actors?

Political agenda. (C)

What is the main objective of 'industrial spies' as threat actors?

Stealing critical information from competitor organizations. (C)

How do attackers primarily use 'removable media' as a threat vector?

By plugging in infected devices that automatically run malware. (B)

In what way does a 'supply chain' act as a threat vector?

By using a third-party vendor's vulnerabilities to compromise a target. (C)

What is the initial action performed by malware designed to 'attack browsers and track websites visited'?

Exploiting unpatched vulnerabilities. (C)

Which of the following techniques involves 'tricking users into clicking on innocent-looking webpages'?

Social Engineered click-jacking. (B)

What describes a crypter in the context of malware components?

A software to elude antivirus detection. (B)

What is the function of an 'Obfuscator' in malware?

To conceal the malicious code, making it difficult to detect. (C)

What is a 'Destructive Trojan' designed to do on an infected system?

Delete files on a target system. (C)

If a system displays a computer message directed at the user, asking them questions requiring a 'yes', 'no', or 'ok' click response, what type of malware might be present?

Trojan attack (D)

Why are 'Sparse Infector Viruses' more difficult to detect compared to other types of viruses?

They infect less frequently to minimize their probability of discovery. (C)

How does a 'Companion Virus' primarily achieve infection?

By creating a file with the same name but a different extension as the target. (A)

Why is identifying and removing 'LoJax' rootkit particularly challenging?

It maintains its persistence even after OS reinstallation. (C)

What is the primary risk associated with Potentially Unwanted Applications (PUAs) classified as “Dialers”?

Generating massive telephone bills without user consent. (A)

How does a 'fileless malware infection' commonly propagate?

By injecting malicious code directly into running processes. (C)

What is a key factor that leads to 'system sprawl vulnerability' within a network?

Increased number of system/server connections without proper documentation. (C)

Flashcards

What is a Threat?

A potential event that can damage or disrupt an organization's activities.

Examples of Threats

Stealing sensitive data, causing server shutdowns, tricking employees, or infecting systems with malware.

Threat Sources

Natural, unintentional, and intentional occurrences.

Black Hats

Individuals with extraordinary computing skills used for illegal purposes.

White Hats

Individuals who use their hacking skills for defensive purposes, often as security analysts.

Gray Hats

Individuals who work both offensively and defensively at various times.

Suicide Hackers

Individuals who aim to bring down critical infrastructure for a cause, disregarding personal consequences.

Script Kiddies

Unskilled hackers who compromise systems using scripts and tools developed by others.

Threat Vector Definition

A medium through which an attacker gains access to a system by exploiting vulnerabilities.

Threat Vectors

Direct access, removable media, wireless, and email.

Introduction to Malware

Malicious software that damages computer systems and gives control to its creator for theft or fraud.

Malware Intentions

Damages or disables computer systems for monetary gains.

Malware Entry Points

Instant messaging, portable hardware, software bugs, untrusted sites.

Crypter Definition

A software program that conceals the existence of malware.

Downloader Definition

A type of Trojan that downloads other malware from the Internet.

Dropper Definition

A covert carrier of malware that embeds notorious malware files inside.

Exploit Definition

Software code that takes advantage of a bug or vulnerability.

Injector

This program injects exploits/malicious code into vulnerable running processes.

Obfuscator

Hides a malware's malicious code using various techniques.

Packer

It compresses the malware code to convert it into an unreadable format.

Payload

This carries out malicious activity.

Types of Malware

Malicious software category: Trojans, Viruses, Ransomware, Worms.

What is a Trojan?

Malicious code is inside an apparently benign file.

Trojan Symptoms

Computer screen blinks, changes automatically, AV disabled.

How Hackers Use Trojans

Delete or replace critical files, disable firewalls, create backdoors.

Ransomware

Locks files to demand payment.

Computer Worms

A type of malware that replicates and spreads across networks.

Why Attackers Use Botnets?

Use sniffers, perform keylogging, and spread new bots.

Fileless Malware

Fileless malware infects legitimate software.

What is Vulnerability?

A weakness that allows an attack.

Existence of vulnerabilities comes from?

Hardware/software misconfigurations, poor design, inherent weaknesses.

Impact Caused by Vulnerabilities

Information disclosure, denial of service, and identity theft.

Risk!

Potential loss or damage when a threat exploits a vulnerability.

Examples of Risks

Disruption of business activities and the theft of information.

Vulnerability Classifications

Misconfigurations, flawed applications, default passwords, zero-day vulnerabilities.

Weak Configurations

A common vulnerability caused by human error.

Default Password

A password left at its weak factory default; easy to attack.

Study Notes

Threats

  • A threat is a possible undesirable event that could eventually damage and/or disrupt an organization's operations and functions
  • Cyber threats are used by attackers to infiltrate systems and steal data like individuals' personal, financial, and login information

Examples of Threats

  • Stealing sensitive data
  • Causing server shutdowns
  • Tricking employees into revealing sensitive information
  • Infecting systems with malware
  • Spoofing identities to gain unauthorized access
  • Modifying data transfers
  • Remotely altering database servers
  • Performing URL redirection/forwarding
  • Escalating privileges for unauthorized access
  • Executing denial-of-service attacks
  • Eavesdropping on unauthorized communications

Threat Sources

  • Unintentional threats are due to potential unintentional errors, including insider security breaches, negligence, operator errors, unskilled administrators, and accidents
  • Intentional threats consist of two sources: internal and external

Natural Threats

  • Fires, floods, power failures, lightning, meteors, and earthquakes are all natural threats
  • These may cause severe physical damage to computer systems.

Intentional Threats

  • Most computer and Internet-related crimes are internal attacks, carried out by disgruntled employees who can harm the organization intentionally or unintentionally
  • These attacks are usually performed by privileged users
  • Structured external threats are initiated by skilled attackers who use tools to gain access to a network with the aim of disrupting services. Motivations include criminal bribes, racism, politics, terrorism, etc.
  • Examples: Distributed ICMP floods and spoofing
  • Unstructured external threats are executed by unskilled attackers, often script kiddies, to access networks, usually out of curiosity rather than criminal intent
  • Examples: Using online tools to launch a network attack or crashing a website
  • Unstructured external threats can be prevented with security solutions

Threat Actors/Agents

  • Black Hats use computing skills for illegal activities. They are also known as crackers.
  • White Hats, or penetration testers, use hacking skills for defensive purposes with permission from the system owner.
  • Gray Hats work both offensively and defensively. They may assist hackers and help vendors improve product security.
  • Suicide Hackers aim to disrupt critical infrastructure for a "cause" and are not deterred by potential punishments.
  • Script Kiddies are unskilled hackers who use tools developed by others
  • They lack specific targets and aim to gain popularity or prove skills

Other Threat Actors/Agents

  • Cyber Terrorists disrupt computer networks with a wide range of skills, motivated by religious or political beliefs
  • State-Sponsored Hackers penetrate and damage other governments' information systems; they have hacking expertise and work for their government
  • Industrial Spies perform corporate espionage by illegally spying on competitors to steal critical information
  • Insider Threats misuse their trusted access to critical data and resources and can bypass the security rules
  • Hacker Teams work together, researching and detecting vulnerabilities in order to develop advanced tools, and execute attacks with proper planning
  • Criminal Syndicates exploit victims across distinct jurisdictions with the aim of illegally embezzling money through sophisticated cyber-attacks and money-laundering
  • Hacktivists break into computer systems as an act of protest, defacing or disabling websites to promote a political agenda.

Attributes of Threat Actors

  • Internal threat actors are entrusted insiders who have permission and authorized access to the organization's network.
  • External threat actors are outsiders who do not have any authorized access
  • Sophistication: how sophisticated the attack is
  • Motivation: how motivated the threat actor is in launching the attack

Threat Vectors

  • A medium through which an attacker gains access to a system where identified vulnerabilities can be exploited
  • Gaining physical access to the target system and performing malicious activities
  • Devices that might contain malware which runs automatically on the host system to steal or corrupt critical files
  • Implementing an unsecured wireless hotspot or using cracking/spoofing tools to gain access
  • Using email for phishing attacks, e.g. tricking users into clicking malicious links or opening malicious attachments.
  • Injecting malware into cloud resources to gain access to user information
  • Unpatched vulnerabilities that allow ransomware to be injected.
  • Compromising the target by exploiting vulnerabilities in the resources supplied by a third-party vendor.
  • Using supply chain attacks to gain access to the customers' information of third-party organizations

Mitigation: Autorun.inf

  • Removable media can infect a host through an Autorun.inf file that launches a program automatically when the device is inserted. Such a file has the following content:
      [autorun]
      open=setup.exe
  • To mitigate such infection, turn off the Autostart functionality. Follow the instructions below to turn off Autoplay in Windows 10:
  1. Click Start. Type gpedit.msc in the Start Search box, and then press ENTER.
  2. If you are prompted for an administrator password or confirmation, type the password, or click Allow.
  3. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
  4. In the Details pane, double-click Turn off Autoplay.
  5. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  6. Restart the computer.
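As an added example (not from the original notes or from Microsoft's documentation), the following PowerShell script applies the same "Turn off Autoplay" policy as the six steps above without the GUI: it audits the registry value that the Group Policy setting writes (NoDriveTypeAutoRun under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) and sets it to "All drives" only when it is absent or weaker. The function names and the object layout are this example's own.

```powershell
# Added example (not from the original notes): audit and, if needed, enforce the
# "Turn off Autoplay" policy from the command line instead of through gpedit.msc.
# The Group Policy setting under Computer Configuration > Administrative Templates >
# Windows Components > Autoplay Policies writes the DWORD NoDriveTypeAutoRun below
# HKLM\...\Policies\Explorer. 0xFF (255) corresponds to "All drives", the choice in step 5.
# Function and variable names are this example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # every drive-type bit set -> Autoplay off everywhere

function Get-AutoplayPolicyState {
    # Reads the policy value (if any) and reports whether it matches "All drives".
    $current = $null
    if (Test-Path $PolicyKey) {
        $props   = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        $current = $props.$ValueName
    }

    if ($null -eq $current) {
        $detail = 'Policy value not present: Autoplay left at Windows defaults'
    } elseif ($current -eq $AllDrives) {
        $detail = 'Autoplay disabled on all drives'
    } elseif ($current -eq 0xB5) {
        $detail = 'Autoplay disabled only on CD-ROM and removable drives'
    } else {
        $detail = 'Non-standard drive-type mask 0x{0:X2}' -f $current
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $current
        Compliant    = ($current -eq $AllDrives)
        Detail       = $detail
    }
}

function Set-AutoplayPolicyAllDrives {
    # Equivalent of "Enabled" + "All drives" in the GUI. Needs an elevated session,
    # like gpedit.msc does; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $action = 'Set {0} = 0x{1:X2}' -f $ValueName, $AllDrives
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    }
}

# Audit first; remediate only when the machine is not already compliant.
$state = Get-AutoplayPolicyState
$state | Format-List

if (-not $state.Compliant) {
    Set-AutoplayPolicyAllDrives
    # The GUI procedure ends with a restart (step 6); the same applies here.
    Get-AutoplayPolicyState | Format-List
}
```

Run it from an elevated session; `Set-AutoplayPolicyAllDrives -WhatIf` shows the registry write that would be made without performing it.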

Components of Malware:

  • Crypter eludes antivirus detection and protects malware from reverse engineering or analysis
  • Downloader downloads other malware (or) malicious code and files from the Internet to a PC or device
  • Dropper is a covert carrier of malware that performs the installation covertly; it can transport malware code and execute malware on a target system without being detected by antivirus scanners.
  • Exploit breaches the system’s security through software vulnerabilities
  • Injector injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal
  • Obfuscator conceals the malicious code of malware via various techniques
  • Packer compresses the malware file to convert the code and data of the malware into an unreadable format
  • Payload performs the desired activity when activated, such as deleting or modifying files, degrading system performance, opening ports, changing settings, etc.
  • Malicious code defines the basic functionality of the malware such as Java Applets or Browser Plug-ins

Common Techniques Attackers Use to Distribute Malware on the Web:

  • Black hat SEO (unethical SEO) uses aggressive SEO to get higher search engine rankings for malware pages
  • Social Engineered Click-jacking injects malware into legitimate-looking websites to trick users into clicking; the malware then executes without the user's knowledge.
  • Spear-phishing sites mimic legitimate institutions.
  • Malvertising embeds malware in advertisements.
  • Drive-by Downloads exploit flaws in browser software to install malware when a user visits a page.
  • Compromised Legitimate Websites are used to host malware and infect visitors.
  • Spam Emails attach malicious files to trick users into executing them

Types of Trojans

  • Remote Access Trojans (RATs) provide attackers with full control over the victim's system
  • Backdoor Trojans bypass the standard system protocols
  • They trick regular computer users into downloading Trojan-infected files to their systems through phishing, SEO hacking, and URL redirection
  • Rootkit Trojans attack the root or OS level and give the attacker full control of the victim's OS
  • E-banking Trojans are extremely dangerous: they steal money from victims' accounts and may also install malicious advertisements
  • Point of Sale Trojans obtain sensitive information from point-of-sale systems.
  • Defacement Trojans change the entire content of the database
  • Mobile Trojans attack mobile phones, stealing banking and social networking credentials
  • IoT Trojans attack IoT networks
  • Security Software Disabler Trojans are entry Trojans that allow an attacker to perform the next level of attack on the target system.
  • Destructive Trojans delete files on a target system
  • DDoS Attack Trojans perform DDoS attacks on target machines, networks, or web addresses
  • Command Shell Trojans provide remote control of a command shell

Indicators of a Trojan

  • The DVD-ROM drawer opens and closes automatically.
  • The computer screen blinks, flips upside-down, or is inverted.
  • Pop-ups with bizarre messages suddenly appear.
  • Strange warnings or question boxes appear.
  • The Task Manager is disabled.
  • The default background or wallpaper settings change automatically.

Ways of Creating a Virus

  • A virus can be created in these ways:
    • Writing a Virus Program
    • Using Virus Maker Tools

Types of Viruses

  • System or Boot Sector Viruses infect the boot record sector (MBR)
  • File Viruses infect COM, EXE, and SYS files
  • Multipartite Viruses combine both approaches to infection: the boot sector and the executable or program files
  • Macro Viruses infect Microsoft Word or similar applications by automatically executing a sequence of actions.
  • Cluster Viruses infect files without changing the file or planting additional files
  • Stealth/Tunneling Viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running.

Using Virus Maker Tools

  • Virus maker tools customize and craft a virus into a single executable file that can perform these tasks:
    • Disable the Windows command prompt and Windows Task Manager
    • Shut down the system
    • Infect all executable files
    • Inject itself into the Windows registry and start up with Windows
    • Perform non-malicious activity such as unusual mouse and keyboard actions

Malware: Ransomware

  • A type of malware that restricts access to the computer system's files and demands an online ransom payment to restore it

Characteristics of Worms

  • Malicious programs that replicate, execute, and spread across network connections independently.
  • Consume bandwidth without human interaction
  • Attackers use worm payloads to install backdoors on infected computers

Examples of Potential Ransomware

  • eCh0raix, SamSam, WannaCry, Petya, GandCrab, MegaCortex, LockerGoga, NamPoHyu, Ryuk, Cryptghost

How is a Worm Different From a Virus?

  • A worm does not attach itself to other programs on a system or computer
  • Worms attack through files or other transports
  • A worm replicates, but its speed is not uniform

How to Spot Adware

  • Frequent system crashes that display the blue screen
  • Homepage changes unexpectedly and redirects to malicious pages

Types of Unwanted Applications

  • Adware displays unsolicited advertisements
  • Torrent applications with peer-to-peer sharing.

Topics to know (what and why):

  • Viruses and worms
  • Trojans and how their code and the infected system function
  • LoJax: the name of the rootkit and what it does
  • Popularity of UEFI

Areas of Vulnerability

  • Users: intentional or unintentional human errors
  • Operating System: bugs in the operating system and in the applications themselves
  • Network Devices: failing to change default settings
  • Network Infrastructure
  • IoT
  • Configuration Files

Impact Caused by Vulnerabilities

  • On a website or application: information disclosure, denial of service, and compromise of privileges, identity, and access
  • Loss of reputation and damages

Types of Vulnerabilities

These are a combination of misconfiguration, weak, application, design, default, and operating system vulnerabilities.
