Threat Actors
Individuals or groups that pose a threat to information security.
Threat Actor - Nation State
Government and national Security; motivations: data exfiltration, philosophical, revenge, disruption, war; constant attacks with massive resources; highest sophistication
APT
Advanced persistent threat. A group that has both the capability and intent to launch sophisticated and targeted attacks
Threat Actors - Unskilled Attackers
Runs pre-made scripts without any knowledge of what's really happening. Motivated by the hunt, not very sophisticated, no formal funding
Threat Actor - Hacktivist
A hacker with a purpose motivated by philosophy, revenge, disruption, often an external entity, can be remarkably sophisticated, funding may be limited
Threat Actor - Insider Threat
Extensive resources by using the organization's resources against it; medium level of sophistication; the insider knows what to hit
Threat Actor - Organized Crime
Professional criminals motivated by money, very sophisticated, best hacking money can buy, crime that's organized
Threat Actor - Shadow IT
IT-related hardware, software, applications, or services used within an organization without the knowledge or approval of the IT department. It's often driven by employees or departments seeking solutions to perceived limitations or delays with approved IT resources. Builds their own infrastructure, limited resources on the company budget, may not have IT training or knowledge
Threat Vector
Method used by an attacker to access a victim's machine
Message-based Vectors
Phishing attacks
- People want to click links
- Links in an email, links sent via text or IM
Deliver the malware to the user
- Attach it to the email
- Scan all attachments, never launch untrusted links
Social engineering attacks
- Invoice scams, cryptocurrency scams
Phishing Attack
An attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official-looking e-mail, link sent via text, or IM. Uses social engineering techniques
Image-Based Vectors
• Easy to identify a text-based threat
- It's more difficult to identify the threat in an image
• Some image formats can be a threat
- The SVG (Scalable Vector Graphic) format
- Image is described in XML
• Significant security concerns
- HTML injection
- JavaScript attack code
• Browsers must provide input validation
- Avoids running malicious code
File-Based Vectors
More than just executables
- Malicious code can hide in many places
Adobe PDF
- A file format containing other objects; a perfect place to start an attack
ZIP/RAR files (or any compression type)
- Contains many different files; an easy attack vector
Microsoft Office
- Documents with macros
- Add-in files
Voice Call Vectors
• Vishing
- Phishing over the phone
• Spam over IP
- Large-scale phone calls
• War dialing
- It still happens
• Call tampering
- Disrupting voice calls
Removable Device Vectors
• Get around the firewall
- The USB interface
• Malicious software on USB flash drives
- Infect air gapped networks
- Industrial systems, high-security services
• USB devices can act as keyboards
- Hacker on a chip
• Data exfiltration
- Terabytes of data walk out the door
- Zero bandwidth used
Vulnerable Software Vectors
• Client-based
- Infected executable
- Known (or unknown) vulnerabilities
- May require constant updates
• Agentless
- No installed executable
- Compromised software on the server would affect all users
- Client runs a new interface each time
Unsupported System Vectors
Older software on unsupported systems that are no longer receiving patches or upgrades
Unsecure Network Vectors
• The network connects everything
- Ease of access for the attackers
- View all (non-encrypted) data
• Wireless
- Outdated security protocols (WEP, WPA, WPA2)
- Open or rogue wireless networks
• Wired
- Unsecure interfaces (no 802.1X)
• Bluetooth
- Reconnaissance
- Implementation vulnerabilities
802.1x
A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server to add authentication.
Open Service Ports
• Most network-based services connect over a TCP or UDP port
- An "open" port
• Every open port is an opportunity for the attacker
- Application vulnerability or misconfiguration
• Every application has its own open port
- More services expand the attack surface
• Firewall rules
- Must allow traffic to an open port
Supply Chain Vector
Exploiting a vulnerability within an earlier part of the production process; tampering with the underlying infrastructure or manufacturing process
Phishing
An attack that sends an email or displays a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Typosquatting
The unethical practice of registering domain names very similar to those of high-volume sites in hopes of receiving traffic from users seeking the high-volume site who mistakenly enter an incorrect URL in their browsers
Vishing
Phishing attacks committed using telephone calls or VoIP systems
Smishing
Phishing attacks committed using text messages (SMS)
Watering Hole Attack
A type of attack in which a threat actor compromises a website frequently visited by a specific group of users. An attack against specific users or groups
Memory Injection
A vulnerability that a threat actor can exploit to run malicious code with the same privilege level as the vulnerable process.
DLL injection attack
An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite DLL, inserting malicious code
TOCTOU attack
Time Of Check, Time Of Use--Altering a condition after it has been checked by the operating system but before it is used
Code Injection
A method used by hackers to insert malicious code into otherwise legitimate files or data transmissions.
SQL Injection
An attack that targets SQL servers by injecting commands for the database to process.
XSS
Cross-site scripting. It allows an attacker to redirect users to malicious websites and steal cookies. E-mail can include an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack. Websites prevent cross-site scripting attacks with input validation that detects and blocks input containing HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting.
Non-persistent XSS
XSS that occurs when the attacker's injected script is not stored in the backend; the web-browser client simply echoes back the results of the script execution to the attacker. Can be used to steal cookies, redirect to phishing sites, and force actions if targets click on crafted links
Persistent XSS
XSS that occurs when the injected script or payload is persistent in the system and executes every time a user visits the site that has been injected. The payload may be embedded later by the vulnerable system in an HTML page provided to a victim.
EOL
(end of life) Product life cycle phase where sales are discontinued and support options reduced over time
EOSL
(end of service life) Product life cycle phase where support is no longer available from the vendor
VM Escape Protection
A security exploit that enables a hacker/cracker to gain access to the primary hypervisor and its created virtual machines.
CVSS
Common Vulnerability Scoring System; Open protocol for scoring new vulnerabilities
Attacking the Service
Denial of Service (DoS)
- A fundamental attack type
Authentication bypass
- Take advantage of weak or faulty authentication
Directory Traversal
- Faulty configurations put data at risk
Remote Code Execution
- Take advantage of unpatched systems
Attack the Application
Web application attacks have increased
- Log4j and Spring Cloud Function
- Easy to exploit, rewards are extensive
Cross-site scripting (XSS)
- Take advantage of poor input validation
Out of bounds write
- Write to unauthorized memory areas
- Data corruption, crashing, or code execution
SQL Injection
- Get direct access to a database
Supply Chain Risk
The chain contains many moving parts
- Raw materials, suppliers, manufacturers, distributors, customers, consumers
Attackers can infect any step along the way
- Infect different parts of the chain without suspicion
- People trust their suppliers
One exploit can infect the entire chain
- There's a lot at stake
Supply Chain - Service Providers
You can control your own security posture
- You can't always control a service provider
Service providers often have access to internal services
- An opportunity for the attacker
Many different types of providers
- Network, utility, office cleaning, payroll/accounting, cloud services, system administration, etc.
Consider ongoing security audits of all providers
- Should be included with the contract
Supply Chain - Hardware Providers
• Can you trust your new server/router/switch/firewall/software?
- Supply chain cyber security
• Use a small supplier base
- Tighter control of vendors
• Strict controls over policies and procedures
- Ensure proper security is in place
• Security should be part of the overall design
- There's a limit to trust
Supply Chain - Software Providers
• Trust is a foundation of security
- Every software installation questions our trust
• Initial installation
- Digital signature should be confirmed during installation
• Updates and patches
- Some software updates are automatic
- How secure are the updates?
• Open source is not immune
- Compromising the source code itself
Misconfiguration Vulnerabilities
Open Permissions
Unsecure admin/root accounts
Default settings
Open ports and services
Zero Day Vulnerabilities
Security vulnerabilities in software, unknown to the creator, that hackers can exploit before the vendor becomes aware of the problem
Malware
Software that is intended to damage or disable computers and computer systems
Virus
Malware that can reproduce itself and embeds itself in a computer's file system
Types of Viruses
Program Viruses
Boot sector viruses
Script Viruses
Macro Viruses
Fileless virus
When a piece of malware operates only in memory, never touching the filesystem; a memory-based attack
Worms
Independent computer programs that copy themselves from one computer to other computers over a network
Spyware
A type of malware that locates and saves data from users without their knowledge. Can trick the user into installing it; includes browser monitoring and keyloggers that log keystrokes
Bloatware
Unnecessary or preinstalled software that consumes system resources and space without offering any value to the user
Keyloggers
Software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that secret information is logged and recorded
Logic Bomb
A computer program or part of a program that lies dormant until it is triggered by a specific logical event
Rootkits
A set of software tools that enable an unauthorized user to gain root control of a computer system without being detected
Denial of Service
An availability attack that consumes resources to the point of exhaustion, causing the service to fail
DDoS
A distributed denial of service attack attempts to make an online service, like a website, unavailable by overwhelming it with a flood of traffic from a team of computers
DNS Poisoning
Technique used by criminals to alter DNS records and drive users to fake sites in order to commit phishing
Domain Hijacking
An attack that changes the registration of a domain name without permission from the owner
URL hijacking
Redirecting a user to a fictitious website based on a misspelling of the URL. Also called typosquatting
Wireless deauthentication
A significant wireless denial of service (DoS) attack to get devices to disconnect from a wireless access point
802.11
A series of network standards that specifies how two wireless devices communicate over the air with each other. Had major issues with unencrypted traffic
RF Jamming
Intentionally flooding the radio frequency (RF) spectrum with extraneous RF signal "noise" that creates interference and prevents communications from occurring between wireless networks and devices
Man-in-the-middle attack
An attacker placing themselves between a client and a host to intercept communications between them. Used with an ARP poisoning attack
ARP
Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates
ARP Poisoning
An attack that convinces the network that the attacker's MAC address is the one associated with an allowed address, so that traffic is wrongly sent to the attacker's machine
On-path browser attack
Malware that acts as the relay between the victim and other devices; it exists on the same computer as the victim
Replay Attack
A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network
Pass the hash
A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol
Session Hijacking
An attack that attempts to impersonate a user by capturing and using a session ID. Session IDs are stored in cookies. Best way to prevent this is through end-to-end encryption
Header Manipulation
An attack that modifies HTTP headers so they contain malicious information, such as harmful commands and scripts.
Injection Attack
Malicious code inserted into a vulnerable application
Privilege escalation
A network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications
XSRF
Cross-site request forgery. An attack that exploits the trust a website has in a user's browser in an attempt to transmit unauthorized commands to the website. Also called a one-click attack or session riding. A cryptographic token prevents forgery
Directory traversal attack
An attack that involves navigating to other directories and gaining access to files and directories that would otherwise be restricted
Cryptographic attacks
1. Birthday: Trying to exploit a hash collision (brute force)
2. Collision: Two different inputs produce the same (non-unique) hash digest
3. Downgrade
Birthday Attack
An attack that searches for any two hash digests that are the same
Downgrade Attack
An attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode. Attacker sits in the middle of a conversation
SSL Stripping
Occurs when an attacker tricks the encryption application into presenting the user with an HTTP connection instead of an HTTPS connection
Spraying Attack
Attack an account with the top 3 passwords used by people, then move on to another account if that doesn't work
Brute Force Attack
Try every possible password combination until the hash is matched. This will take some time
Brute Force Attack - offline
Gain access to the file containing the hashed passwords. Large computational resources are needed to calculate password hashes and try matching them to the stored passwords.
IOC
Indicators of Compromise:
Account Logout
Concurrent Session Usage
Blocked Security Content
Impossible Travel
Resource Consumption
Resource Inaccessibility
Out-of-Cycle Logging
Missing Logs
Out-of-Cycle Logging
Logs being generated at odd hours or during times when no legitimate activity should be taking place.
Network Segmentation
A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.
ACL
Access Control List
Allow or disallow traffic based on
- Groupings of categories
- Source IP, destination IP, port number, time of day, application, etc.
Allow List
A company sets up controls to allow only a specific set of software and tools to be installed on workstations. A user navigates to a software library to make a selection
Deny List
Nothing on the "bad list" can be executed, e.g. anti-virus or anti-malware
FDE
Full Disk Encryption. Method to encrypt an entire disk.
Least Privilege
A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization
EDR
Endpoint detection and response: A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. Can perform behavior analysis, machine learning, and process monitoring. Can also perform root cause analysis
EFS
Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.
VPN
Virtual Private Network: Allows a secure private connection over a public network, using an encrypted 'tunnel'. For example, a remote computer can securely connect to a LAN, as though it were physically connected.
Host-Based firewall
A software firewall that runs as a program on the local computer to block or filter traffic coming into and out of the computer. Allows or disallows incoming or outgoing application traffic.
IPS
Intrusion prevention system. A preventative control that will stop an attack in progress. It is similar to an active IDS except that it's placed in line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.
IDS
Intrusion detection system. A passive detective control used to detect attacks during or after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.
HIPS
Host-based intrusion prevention system. An extension of a host-based IDS or built into host EDR. Designed to react in real time to catch an attack in action.
NGFW
Next generation firewall: Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection. Also known as layer 7 firewall.
Layer 7
- Application layer
- Protocol association: HTTP, Telnet, FTP, etc.
- Integration of network functionality into the host OS
- Enabling communication between network clients and services