CMSC 426 Lecture 3

Attacker

An individual, group, or entity attempting to compromise the confidentiality, integrity, and availability of information systems.

Types of attackers

Script Kiddies, Cybercriminals, Hacktivists, Advanced Persistent Threats (APTs).

APTs

Resource-rich threat actors that target long-term objectives, examples include APT1 and Sandworm.

Offensive security

A proactive approach to computer security involving red teaming and penetration testing.

Reconnaissance

The phase where attackers gather information using techniques such as OSINT and social engineering.

Weaponization & Development

Creating tailored payloads and determining target connection methods based on gathered intelligence.

Delivery methods

Techniques used to deliver payloads, including social engineering and phishing emails.

Initial Access, Exploitation, & Execution

Executing crafted code or malware on the target system.

Installation & Persistence

Installing additional malware to establish persistent access.

Command & Control

The stage where the compromised system communicates with the attacker's server.

Discovery, Escalation, & Lateral Movement

Gathering more information, escalating privileges, and compromising additional systems.

Actions on Objective

Completing the attacker’s mission such as data exfiltration or disruption.

Incident Response (IR)

The process of detecting and responding to cyber incidents to minimize damage.

Main phases of Incident Response

Detection, Response (Containment), Mitigation, Recovery, and Reporting.

Detection phase

Identifying suspicious activity through monitoring and logging.

Response (Containment) phase

Containing the incident to limit damage and isolate affected systems.

Mitigation phase

Analyzing the incident to determine its cause and securing systems against exploited vulnerabilities.

Recovery phase

Returning systems to a stable state post-incident.

Reporting phase

Documenting the incident and outlining lessons learned.

Antivirus Software (AV)

Software that detects, blocks, and removes malware through various methods.

Intrusion Detection System (IDS)

A system that monitors for signs of malicious activity and alerts administrators.

Difference between IDS and IPS

IDS detects and alerts, while IPS actively blocks threats.

Endpoint Detection and Response (EDR)

A security solution monitoring endpoint activities for threats.

Security Information and Event Management (SIEM)

Aggregates logs and alert data for centralized event management.

Indicators of Compromise (IOCs)

Artifacts left by attacks, such as malicious file hashes and IP addresses.

Tactics, Techniques, and Procedures (TTPs)

Methods and behaviors used by threat actors during attacks.

Entry Point in cybersecurity

The initial access vector through which attackers gain system access.

Difference between vulnerability and exploit

A vulnerability is a weakness; an exploit is a technique to take advantage of that weakness.

Command injection

An attack where unsanitized user input is passed to system commands.

Techniques used in command injection attacks

Appending commands using separators and piping outputs.

Defenses against command injection

Input validation, sanitization, escaping dangerous characters, whitelists.

SQL Injection attack

Inserting user input directly into an SQL query to manipulate databases.

Prevention strategies for SQL Injection

Input validation, sanitization, using stored procedures.

Cross-Site Scripting (XSS)

A vulnerability where attackers inject malicious JavaScript into websites.

Types of XSS attacks

Stored (persistent) XSS and reflected XSS.

Defenses against XSS

Secure input handling, sanitizing user input, Content Security Policies.

Basic structure of an HTTP request

Method, path, HTTP version, headers, and optional body.

Basic structure of an HTTP response

HTTP version, status code, headers, and response data.

Common HTTP methods

GET (retrieve data) and POST (send data).

Cookies in HTTP

Small data pieces stored in a user's browser for maintaining state.

Maintaining sessions using cookies

Server sends cookies that browsers return with subsequent requests.