Looks like no one added any tags here yet for you.
Social Engineering
an attempt by an attacker to convince someone to provide info like a password or perform an action they wouldn’t normally perform such as clicking on a malicious link
Phishing
commonly used to try to trick users into giving up personal information such as user accounts and passwords, click a malicious link, or open a malicious attachment
Spear Phishing
targets specific groups of users
Whaling
targets high level executives
Vishing
(Voice Phishing) phone based
Smishing
uses sms text messaging on mobile
Spam
Unsolicited email, generally considered an irritant
Spim
SPAM over instant messaging, also generally considered an irritant
Dumpster Diving
Gathering important details (intelligence) from things that people have thrown out in their trash
Tailgating
when an unauthorized individual might follow you in through that open door without badging in themeselves
Eliciting information
strategic use of casual conversation to extract information without the arousing suspicion of the target
Shoulder Surfing
a criminal practice where thieves steal you personal data by spying over your shoulder
Pharming
an online scam similar to phishing, where a website’s traffic is manipulated. and confidential information is stolen
Identity Fraud
use of another person’s personal information, without authorization, to commit a crime or to deceive or defraud that person or another third party
Prepending
is adding words or phrases like “SAFE” to a malicious file or suggesting topics via social engineering to uncover information of interest
Invoice Scams
fake invoices with a goal of receiving money or by prompting a victim to put their credentials into a fake login screen
Credential Harvesting
attackers trying to gain access to your usernames and passwords that might be stored on your local computer
Countermeasures: email defense, anti-malware, EDR/XDR solutions that will check URL’s and block the scripts often used to execute the attack
Reconnaissance
A common technique that comes in multiple forms
Passive discovery
techniques that do not send packets to the target like Google hacking, phone calls, DNS and WHOIS lookups
Semi-passive discovery
Touches the target with packets in a non-aggressive fashion to avoid raising alarms of the target
Active discovery
More aggressive techniques likely to be noticed by the target, including port scanning, and tools like nmap and Metasploit
Hoaxes
Intentional falsehoods coming in a variety of forms ranging from virus hoaxes to fake news. Social media plays a prominent role in hoaxes today
Impersonation
A form of fraud in which attackers pose as a known or trusted person to dupe the user into sharing sensitive info, transferring money, etc.
Watering hole attack
Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware
Typosquatting
a form of cybersquatting (sitting on sites under someone else’s brand or copyright) targeting users who type an incorrect website address
This often employs a drive-by download that can infect a device even if the user does not click anything
Pretexting
an attacker tries to convince a victim to give up information of value, or access to a service or system
The distinguishing feature is that the attacker develops a story, or pretext in order to fool the victim. This often leans an establishing authority for the attacker as someone who should have access to information. This often includes a character played by the scam artist and a plausible situation where that character needs access to information
Influence Campaign
A social engineering attack intended to manipulate the thoughts and minds of large groups of people
Hybrid Warfare
Attack using a mixture of conventional and unconventional methods and resources to carry out the campaign
Social media
May use multiple social platforms everaging multiple / many individuals to amplify the message, influencing credibility. Many involve creating multiple fake accounts to post content and speed the spread.
Principles of Social Engineering
Authority - Citing position, responsibility, or affiliation that grants the attacker the authority to make the request.
Intimidation - Suggesting you may face negative outcomes if you do not facilitate access or initiate a process.
Consensus - Claiming that someone in a similar position or peer has carried out the same task in the past.
Scarcity - Limited opportunity, diminishing availability that requires we get this done in a certain amount of time, similar to urgency.
Familiarity - Attempting to establish a personal connection, often citing mutual acquaintances, social proof.
Trust - Citing knowledge and experience, assisting the target with an issue, to establish a relationship
Urgency - Time sensitivity that demands immediate action, similar to scarcity
Application Attacks
attacks attackers use to exploit poorly written software
Rootkit (escalation of privilege)
freely available on the internet and exploit known vulnerabilities in various operating systems enabling attackers to elevate privilege. Always keep security patches up to date and install anti malware software EDR / XDR
Back Door
undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions often used in development and debugging.
Computer Virus
a type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another.
Crypto malware
Ransomware that encrypts files stored on a computer or mobile device in order to extort money.
Hoaxes
Virus hoaxes are a nuisance that result in wasted resources. Used to spread through “email from a friend” but have changed with social media.
Logic Bombs
Logic Bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions, such as time, program launch, website logon, etc.
Trojan Horse
a software program that appears good and harmless but carries a malicious, hidden payload that has the potential to wreak havoc on a system or network. Only install software from trusted sources and do not let users install anything they want.
Worm
a type of malware that spreads copies of itself from computer to computer, replicating itself without human interaction.
Potentially unwanted programs (PUPs)
a program that may be an unwanted app often delivered alongside a program the user wants. PUPs include spyware, adware, and dialers.
Keylogger
Designed to log keystrokes, creating records of everything you type on a computer or mobile keyboard.
Spyware
Malware designed to obtain information about an individual, system, or organizaiton.
Fileless virus
a type of malicious software that does not rely on virus-laden files to infect a host. Instead, it exploits applications that are commonly used for legitimate and justified activity to execute malicious code in resident memory.
Command and control
a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
Remote access trojan (RAT)
a malware program that gives an intruder administrative control over a target computer.
Ransomware
infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator. Some countermeasures are to backup your computer, store backups separately, and to do file auto-versioning. To prevent malware, update / patch your computer, use caution with web links, use caution with email attachments, verify email senders, and preventative software programs and user awareness training.
Dictionary attacks
Use programs with built in dictionaries. They attempt all dictionary words to try and find the correct password, in the hope that a user would have used a standard dictionary word. Countermeasures include MFA, biometric authentication, limit number of attempts, and to force reset after certain number of failed attempts.
Password spraying
Attacker tries a password against many different accounts to avoid lockouts that typically come when brute forcing a single account. This will succeed when the admin or an application sets a default password for new users. Countermeasures to this include MFA, CAPTCHA, and forcing password change on first login.
Offline
Attempt to discover passwords from a captured database or captured packet scan.
Online
Attempts to discover a password from an online system. For example, an attacker trying to log on to an account by trying to guess a user’s password. Most web and wi-fi attacks are online attacks.
Plaintext / unencrypted
Protocols and authentication methods that leave credentials unencrypted, like basic authentication and telnet.
Brute Force Attack
Attempts to randomly find the correct cryptographic key attempting all possible combinations (trial and error). Password complexity and attacker resources will determine effectiveness of this attack. Countermeasures include cryptographic salts, CAPCHA, and throttling the rate of repeated logins and IP blocklists.
Cryptographic Salts
help us neutralize the rainbow tables attackers may be using
Rainbow tables
These contain precomputed values of cryptographic hash functions to identify commonly used passwords
Salt
random data that is used as an additional input to a one-way function that hashes data, a passwords, or passphrase. Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks.
Multi-factor Authentication
Something you know (pin or password)
Something you have (trusted device)
Something you are (biometric)
This prevents phishing attacks, spear phishing attacks, keyloggers, credential stuffing, brute force and reverse brute force attacks, and man-in-the-middle attacks.
Bots
represent significant threats due to the massive number of computers that can launch attacks.
Botnet
a collection of compromised computing devices (often called bots or zombies)
Bot Herder
criminal who uses a command-and-control-server to remotely control the zombies. They often use botnets to launch attacks on other systems or to send spam or phishing emails.
Malicious flash drive
Attack comes in two common forms:
Drives dropped where they are likely to be picked up.
Sometime effectively a trojnan, shipped with malware installed after leaving the factory.
Malicious USB cable
Less likely to be noticed than a flash drive. May be configured to show up as a human interface device (e.g. a keyboard)
Card cloning
Focusses on capturing info from cards used for access, like RFID and magnetic stripe cards.
Skimming
Involve fake card readers or social engineering and handheld readers to capture (skim) cards, then clone so attacker may use for their own purposes.
Adversarial Artificial Intelligence
A rapidly developing field targeting AI and ML.
Tainted training data for machine learning (ML)
Data poisoning that supplies AI and ML algorithms with adversarial data that serves the attackers purposes, or attacks against privacy.
Security of machine learning algorithms
Validate quality and security of the data sources.
Secure infrastructure and environment where AI and ML is hosted.
Review. test. and document changes to AI and ML algorithms.
Artificial Intelligence (AI)
Focusses on accomplishing “smart” tasks combining machine learning and deep learning to emulate human intelligence
Machine Learning (ML)
A subset of AI, computer algorithms that improve automatically through experience and the use of data.
Deep Learning
a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.
Supply Chain Attacks
a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.
Often attempt to compromise devices, systems. or software before it reaches an organization.
Sometimes focus on compromising a vulnerable vendor in the organization’s supply chain, and then attempting to breach the target organization.
This attack is known as an “island hopping” attack.
Cloud_based attacks
Data center is often more secure and less vulnerable to disruptive attacks such as DDoS.
On the downside, you will not have facility-level or physical system-level audit access.
On-premise attacks
You do not benefit from the cloud’s shared responsibility model.
You have more control, but are responsible for security of the full stack.
Collision Attack
attack on a cryptographic hash to find two inputs that produce the same hash value
Downgrade Attack
when a protocol is downgraded from a higher mode or version to a low-quality mode or lower version.
Birthday Attack
an attempt to find collisions in hash functions.
Replay Attack
an attempt to rescue authentication requests.
Privilege Esculation
A security hole created when code is executed with higher privileges than those of the user running it.
Request Forgeries
a type of injection using malicious scripts
Cross-site scripting (XSS)
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
This occurs when an attacker uses a web application to send malicious code to a different end user.
Cross-site request forgery (XSRF or CSRF)
exploits user trust to execute code
similar to cross-site scripting attacks, but exploit a different trust relationship.
exploits trust that a user has in a website to execute code on the user’s computer.
Dynamic-link library (DLL)
Is a situation in which the malware tries to inject code into the memory process space of a library using a vulnerable/compromised DLL.
Lightweight Directory Access Protocol (LDAP)
exploits weaknesses in LDAP implementations
This can occur when the user’s input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries.
Extensibe Markup Language (XML)
when users enter values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack.
XPATH works in a similar manner to SQL except that it does not have the same levels of access control, so exploits can return entire documents.
SQL injection attakcs
used to compromise web front-end and backend databases
Use unexpected input to a web application to gain unauthorized access to an underlying database. Some countermeasures include input validation, use prepared statements, and limit account privileges.
Pointer / Object Dereference
An attack that consists of finding null references in a target program and dereferencing them, causing an exception to be generated.
The vulnerability in memory that usually causes the applications to crash or a denial of service is a NULL Pointer dereference.
In this case, there is nothing at that memory address to dereference (it is empty, or NULL) and the application crashes.
Directory Traversal
Gaining access to restricted directories
If an attacker is able to gain access to restricted directories through HTTP, it is known as a directory traversal attack.
One of teh simplest ways to perform directory traversal is by using a command injection attack that carries out the action.
Most vulnerability scanners will check for weaknesses with directory traversal / command injection and inform you of their presence.
Buffer Overflows
attacks attackers use to exploit poorly written software.
exists when a developer does not validate user input to ensure that it is of an appropriate size (allows input that is too large can “overflow” memory buffer).
Race Conditions
A condition where the system’s behavior is dependent on the sequence or timing of other uncontrollable events.
Time-of-Check-to-Time-of-Use (TICTOU)
a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.
Error handling
Related to input validation is error handling
Every function that has any meaningful functionality should have appropriate error handling.
Properly done, the user will simply see an error message box.
Error handling is an element of good coding practices.
Session Replay
an attacker steals a valid session ID of a user and reuses it to impersonate an authorized user and perform fraudulent transactions or activities.
Integer Overflow
Putting too much information into too small of a space that has been set outside for numbers.
A type of arithmetic overflow error when the result of an integer operation does not fit within the allocated memory space.
Instead of an error handled in the program, it usually causes the result to be unexpected.
Other lead to buffer overflows and generally ranked as one of the most dangerous software errors.
Countermeasures; Good coding practices, appropriate typing of variables using large variable types, like long (Java) or long int (C).
API Attacks
Attempts to manipulate the application programming interface (API)
Include DDoS, Man in the Middle, and injection attacks focused on an API
Goals are to gain additional resource or data access, or interrupt service
Countermeasures: Transport Layer Security (TLS), OAuth, request timestamps, key/password hash
Resource Exhaustion
When an application continuously allocates additional resources exhausting machine resources, leading the system to hang or crash.
When exploited, vulnerabilities in apps, software, or system security that hang, crash, or interfere with external programs perform designated tasks properly.
Memory leaks can lead to resource exhaustion (see “memory leaks” in this session).
However, these attacks can be executed by exhausting other resource subsystems, such as CPU, disk, or network.
Countermeasures: Good software development practices (e.g. preventing memory leaks), limiting what files and apps can be executed on endpoints.
Memory Leak
The most common issue in memory management
Which languages are susceptible?
Many modern programming languages (such as C# and Java) don’t allow the programmer to directly allocate or deallocate memory. Therefore, those programming languages are not prone to memory leaks. However, certain older languages most notably C and C++, give the programmer a great deal of control over memory management.
Cause
Memory leaks are usually caused by failure to deallocate memory that has been allocated.
Secure Sockets Layer (SSL) Stripping
A technique by which a website is downgraded from https to http
This attack downgrades you connection from HTTPS to HTTP and exposes you to eavesdropping and data manipulation.
How it works
To execute an SSL strip attack, there must be three entities which are the victim’s system, secure web server, and attacker’s system.
In order to “strip” the TLS/SSL, an attacker intervenes in the redirection from HTTP to HTTPS and intercepts a request from the user to the server.
Countermeasures: Enable HTTPS on All pages of your website, implement a HTTP Strict Transport Security (HSTS) policy, so the browser requires HTTPS
Shimming
A shim is a small library that is created to intercept API calls transparently and do one of three things: handle the operation itself, change the arguments passed, or redirect the request elsewhere.
Involves creating a library (or modifying an existing) to bypass a driver and perform a function other than the one for which the API was created.
Refactoring
The name given to a set of techniques used to identify the flow and then modify the internal structure of code without changing the code’s visible behavior.
In legitimate scenarios, this is done in order to improve the design, to remove unnecessary steps, and to create better code.
In malware, this is often done to look for opportunities to take advantage of weak code and look for holes that can be exploited.
Pass the Hash
a technique whereby. an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access.
Pass the hash vs Pass the Ticket
One primary difference between them is ticket expiration.
Countermeasures: Enforce least privilege access, analyze applications to determine which require admin privileges, use flexible policies that allow only trusted applications to run and in specific context.
On-Path (Man-in-the-Middle) Attack
Attacker who sits in the middle between to endpoints and is able to intercept traffic, capturing (and potentially changing) information.
Fools both parties into communicating with the attacker (in between the two) instead of directly with each other.
Different versions of the attack exist, some affecting websites, email communications, DNS lookups, or Wi-Fi networks
Countermeasures: only use secured Wi-Fi, VPN, HTTPS, and use multi-factor authentication.