Understanding Types of Security Attacks
15 Questions

Questions and Answers

Which type of security attack involves an attacker actively attempting to alter, modify, or destroy data?

  • Distribution attack
  • Insider attack
  • Active attack (correct)
  • Passive attack

What is the primary goal of a reconnaissance attack?

  • To disrupt network services and make them unavailable
  • To gain unauthorized access to a network component
  • To compromise a trusted host and use it for further attacks
  • To gather unauthorized information about a network and its services (correct)

Which of the following methods is commonly used in reconnaissance attacks to discover weaknesses in a network?

  • Compromising a trusted host to gain access
  • Conducting a ping sweep to identify active IP addresses (correct)
  • Installing a keylogger on a target system
  • Encrypting network traffic to prevent monitoring

In the context of access attacks, what is the purpose of 'port redirection'?

  • To redirect network traffic from one port to another for malicious purposes (B) (correct)

Which characteristic is most indicative of a Denial of Service (DoS) attack?

  • Making a network/service unavailable to its intended users (C) (correct)

Which type of malicious code requires human action to spread?

  • Virus (D) (correct)

What is the primary function of spyware?

  • To secretly monitor a user's online activities and send information to a third party (D) (correct)

Which of the following social engineering techniques involves using phone calls to trick victims into revealing sensitive information?

  • Vishing (A) (correct)

What does 'reverse social engineering' primarily involve?

  • Creating a problem for the target and then posing as someone who can solve it (C) (correct)

In the Cyber Kill Chain methodology, what is the main objective of the 'Reconnaissance' stage?

  • To collect information about the target to identify vulnerabilities (A) (correct)

Which stage of the Cyber Kill Chain involves creating malware or phishing emails based on information gathered during reconnaissance?

  • Weaponization (D) (correct)

In the Cyber Kill Chain, what is the significance of the 'Delivery' phase?

  • It's the point where the attacker attempts to gain initial access to the victim's system by delivering the malicious payload. (B) (correct)

What activity occurs during the 'Exploitation' phase of the Cyber Kill Chain?

  • Gaining initial access by executing malicious code (A) (correct)

Within the Cyber Kill Chain framework, what is the purpose of the 'Installation' stage?

  • To establish persistence and maintain access to the compromised system (C) (correct)

What is the final stage of the Cyber Kill Chain, where the attacker achieves their objectives?

  • Actions on Objective (C) (correct)

Flashcards

Security Attack

A security attack exploits vulnerabilities to harm systems or people, often taking advantage of security flaws.

Passive Attack

Involves monitoring transmissions to gather information without altering data (ex: traffic analysis).

Active Attack

Attackers actively attempt to alter, modify, or destroy data, like in man-in-the-middle attacks.

Insider Attack

Attacks originating from individuals within the organization, such as employees or contractors.

Distribution Attack

Compromising the supply chain or software distribution to insert malicious code.

Reconnaissance Attack

Gathering unauthorized information about networks and services to identify weaknesses.

Access Attack

Gaining unauthorized access to a component or information within a system.

Denial of Service (DoS)

A cyberattack aiming to make a machine, network, or service unavailable to its intended users.

Resource Exhaustion

Sends overwhelming traffic or data to exhaust resources, making the target unable to respond to legitimate requests.

Malicious Code Attack

Code inserted to damage a system, replicate itself, or deny services.

Virus

Self-replicating program that inserts copies of itself into other executable code and requires human action to spread.

Worm

Spreads from computer to computer and can travel without any human action.

Trojan Horse

Software that appears useful but causes damage once installed or run.

Spyware

Software that secretly monitors online activities and sends the information back to the software's creator.

Ransomware

Malicious software that locks a user's computer and demands payment to decrypt it.

Study Notes

  • A security attack can harm people and systems by exploiting security flaws through a vulnerable application
  • An attacker can launch an attack from anywhere

Classification of Security Attacks

  • Passive attacks involve monitoring transmissions to gather information without altering data
  • Active attacks involve attempts to alter, modify, or destroy data
  • Insider attacks originate from within an organization, such as from an employee or contractor
  • Distribution attacks compromise the supply chain or software distribution by inserting malicious code during manufacturing

Types of Security Attacks

  • During a Reconnaissance attack, an adversary attempts to learn information about the target network by gathering unauthorized information on network systems and services
  • Reconnaissance attacks precede an actual access or DoS attack
  • Attackers discover weaknesses on a network through a ping sweep to determine which IP addresses are alive and which services or ports are active on the live IPs
  • Attackers determine the type and version of the application and OS running on the target host
  • Packet sniffers capture traffic on TCP/IP connections, port scans find open ports, and ping sweeps determine active IP addresses
  • During an Access attack, someone attempts to gain unauthorized access to a component or information on a component
  • Password attacks use a packet sniffer to yield user accounts and passwords transmitted as clear text
  • Trust Exploitation compromises a trusted host to stage attacks on other hosts in a network
  • A Port Redirection attack involves an attacker taking network traffic coming into a host on one port and directing it out from another host

Denial of Service (DoS) Attacks

  • DoS attacks are cyberattacks where the attacker aims to make a machine, network, or service unavailable to its intended users by flooding it with useless network traffic or otherwise preventing legitimate users from accessing a service
  • A key characteristic of DoS Attacks is Resource Exhaustion; the attacker sends an overwhelming amount of traffic or data to exhaust resources like CPU, memory, or bandwidth
  • Disruption is where the main goal is to disrupt the normal functioning of a service, causing it to slow down significantly or become completely unresponsive
  • DoS attacks can target websites, servers, networks, or even individual devices
  • Volume-Based attacks flood the network with massive amounts of traffic, overwhelming the bandwidth, such as UDP floods and ICMP floods
  • Protocol attacks exploit weaknesses in network protocols, overwhelming the target with malformed packets, like SYN floods and Ping of Death
  • Application Layer attacks target specific applications or services by sending a large number of requests to exhaust the application's resources, like HTTP flooding

Malicious Code Attacks

  • A malicious code attack is a program inserted onto a host to damage or corrupt the system, replicate itself, or deny services or network access

Viruses

  • Self-replicate by attaching copies of themselves to other executable code
  • Viruses require human action

Worms

  • Spread from computer to computer and can travel without human action

Trojan Horses

  • Seem like useful software, but once installed cause damage

Differences Between Spyware, Adware, Rootkit, Dialer, and Ransomware

  • Spyware secretly monitors online activity and sends information back to the software's creator including web browsing history, search queries, keystrokes, screenshots, and mouse movements
  • Adware displays advertisements when visiting certain websites and may be bundled with other programs as an advertising toolbar
  • A Rootkit is a malicious program that hides itself, making detection challenging, and allowing attackers to conceal their identity while committing fraud
  • Dialers are used to hide illegal activity by making phone calls using a computer
  • Ransomware is a type of malicious software that locks all or part of a user's computer, encrypts the hard drive, and then demands payment to decrypt it

Social Engineering: Impersonation (Vishing) and Eavesdropping

  • Vishing refers to voice-based phishing: using phone calls to trick victims into revealing sensitive information by pretending to be a legitimate organization
  • Eavesdropping involves secretly listening to private conversations or intercepting phone calls
  • Active eavesdropping involves the attacker inserting themselves into the communication, which is more likely to be detected and can lead to severe consequences like data modification or fraud
  • Passive eavesdropping involves silently listening to the communication without interfering, making it harder to detect, and primarily involves data theft without immediate disruption

Additional Social Engineering Techniques

  • Shoulder surfing involves observing another person's actions, such as entering passwords or PINs on ATMs or computers, to steal information
  • Dumpster diving involves searching through trash to find sensitive information that can be used for attacks or to gain access to a computer network
  • Reverse Social Engineering involves an attacker creating a problem for the target and then posing as someone who can solve it, such as calling users and asking for their passwords or sending a spoofed email in advance

Cyber Kill Chain Methodology

  • The Cyber Kill Chain is a systematic model used to analyze and understand the steps attackers take when carrying out a cyberattack
  • It helps organizations identify vulnerabilities, mitigate risks, and implement security measures effectively
  • By breaking the chain at any stage, security teams can stop attacks before they cause serious damage

Stages of Cyber Kill Chain

  • During Reconnaissance, the first phase, attackers collect information to identify vulnerabilities by researching public-facing data, scanning networks, and analyzing system weaknesses
  • Reconnaissance can be done actively by scanning networks and probing for weaknesses, or passively by gathering data from social media and web searches
  • Prevention methods: restrict publicly available sensitive information, use network monitoring tools to detect unusual scanning activity, and train employees on the risks of oversharing on social media
  • During the Weaponization phase, attackers prepare their cyberweapon, such as malware, phishing emails, or exploits, based on the information gathered in reconnaissance
  • Prevention methods: implement endpoint security to detect and block malware, keep all software and systems up to date to minimize vulnerabilities, and use sandboxing to analyze suspicious files before execution
  • The Delivery phase is when the attacker delivers the malicious payload to the target using various methods, such as emails, compromised websites, or infected USB drives
  • Prevention methods: implement email filtering to detect phishing emails, educate employees on recognizing social engineering tactics, and use application whitelisting to prevent unauthorized software execution
  • The Exploitation phase is when the attacker exploits a vulnerability to execute the malicious code and further infiltrate the network
  • Prevention methods: regularly patch and update software to fix known vulnerabilities, use intrusion detection and prevention systems (IDS/IPS), and deploy endpoint detection and response (EDR) solutions
  • During Installation, the attacker installs malware or a backdoor to maintain access to the compromised system; this ensures continued access even if the system is rebooted or patched
  • Prevention methods: use advanced malware detection solutions, restrict administrative privileges to prevent unauthorized installations, and conduct regular security audits to identify and remove malicious software
  • During Command & Control (C2), attackers establish communication between the compromised system and their control server, which allows them to issue commands, exfiltrate data, and manipulate the system remotely
  • Prevention methods: monitor network traffic for unusual outbound connections, use firewalls to block unauthorized remote access, and implement DNS filtering to prevent access to known malicious domains
  • During the Actions on Objective stage, the attacker completes their objective, such as data theft, network disruption, or system destruction, by exfiltrating sensitive data, encrypting files for ransom, or deleting critical system files
  • Prevention methods: encrypt sensitive data to prevent unauthorized access, regularly back up important files to a secure location, and use data loss prevention (DLP) solutions to monitor and protect critical information

Importance of Cyber Kill Chain

  • Aids organizations in identifying attack patterns and detecting threats at early stages
  • Supports proactive defense strategies to prevent attacks before they happen
  • Minimizes damage by disrupting the attack at different stages
  • Improves cybersecurity awareness among employees and IT teams

Break Cyber Kill Chain

  • Threat intelligence should be implemented to detect suspicious activities, and strong security controls should be in place to prevent malware development
  • Email filtering and endpoint security can be used to block malicious payloads
  • Software should be regularly updated to prevent exploitation of vulnerabilities
  • Restrict administrative privileges to prevent malware installations
  • Monitor network traffic to detect unauthorized connections and encrypt user data

Description

Explore the classifications and types of security attacks, including passive, active, and insider threats. Learn how attackers gather information through reconnaissance to exploit network vulnerabilities. Understand distribution attacks that compromise software supply chains.
