Knowt
Note
Studied by 34 peopleNoteStudied by 20 peopleNoteStudied by 13 peopleNoteStudied by 13 peopleNoteStudied by 10 peopleNoteStudied by 18952 people
2.0 Threats, Vulnerabilities, and Mitigations
2.1 Compare and contrast common threat actors and motivations.
Threat actors:
Nation-state
These threat actors often have the support of governments. Their activities, including cyber espionage, are typically motivated by strategic or political reasons. They have the advanced capabilities, significant resources, and strategic motivations to carry out the sophisticated, long-term attack the financial institution discovered.
Hacker
Not necessarily a threat actor but they have the skills to gain access to computer systems through unauthorized or unapproved means. The term is sometimes associated with illegal or malicious system intrusion.
Unskilled attacker
Definition: A hacker with little technical knowledge who relies on pre-made tools or scripts to launch attacks.
Example: A beginner hacker uses a phishing kit downloaded online to steal login credentials.
Hacktivist
A threat actor that uses cyber weapons to promote a political agenda. They can attempt to obtain and release confidential information to the public domain, perform denial-of-service (DoS) attacks, or deface websites.
Insider threat
Threat actors that are employees who harbor grievances or perpetrate fraud a potential risk posed by individuals with inside information about the company's security practices, data, and computer systems.. For example, an insider threat might plan and execute a campaign to modify invoices and divert funds.
Organized crime
Definition: Cybercriminal groups that operate like businesses, often engaging in ransomware attacks, fraud, and identity theft for financial gain.
Example: A cyber gang deploys ransomware on hospital networks and demands payment to unlock patient records.
Shadow IT
refers to hardware, software, and services used within an organization without explicit approval from the IT department
Attributes of actors:
Internal/external
A security risk that comes from within an organization, such as employees or contractors.
Example: A disgruntled employee leaks confidential files to a competitor.
Resources/funding
Definition: The money, tools, and infrastructure available to a threat actor to conduct attacks.
Example: A nation-state attacker has government funding to develop advanced malware for espionage.
Level of sophistication/capability
consider an adversaries' sophistication and level of resources and funding. A targeted attack might use highly sophisticated tools backed by a budget that can allocate physical and human resources.
Opportunistic
attack might launch without much sophistication or funding, simply by using tools widely available on the Internet.
Motivations:
Data exfiltration
Definition: The unauthorized transfer of sensitive data from a system.
Example: A hacker steals customer credit card information from an online store and sells it on the dark web.
Espionage
characterized by stealthy, long-term breaches, aims at acquiring secret information, often for strategic advantage. The intruders' focus on the proprietary designs and their ability to remain undetected aligns with this motivation.
Service disruption
Definition: Any event that prevents a system, application, or network from functioning properly.
Example: A DDoS attack floods a company’s website with traffic, making it unreachable for customers.
Blackmail
Definition: Threatening to release sensitive data or take harmful action unless demands are met.
Example: A hacker steals private emails from a CEO and demands money to keep them secret.
Financial gain
involves monetary gain through methods such as blackmail, extortion, or fraud, the primary goal in this scenario is acquiring proprietary information, not explicit financial gain.
Philosophical/political beliefs
typically involve strategic objectives to bring about change or achieve specific goals, often at a societal or governance level.
Ethical
Definition: Security professionals who use hacking techniques legally to find and fix vulnerabilities.
Example: A company hires an ethical hacker to test its security before a cybercriminal can exploit weaknesses.
Revenge
typically involve a disgruntled individual seeking retaliation. This scenario does not provide evidence of a personal grievance or individual retaliation.
Disruption/chaos
disrupt for its own sake, often as an act of vandalism or to sow chaos.
War
Definition: Cyberattacks launched by one country against another to cause disruption or gain intelligence.
Example: A nation-state hacks into a rival country’s power grid, causing blackouts.
2.2 Explain common threat vectors and attack surfaces.
Message-based:
Email
Definition: Cyberattacks that use fraudulent emails to trick users into revealing sensitive information or downloading malware.
Example: A hacker sends an email pretending to be a bank, asking the recipient to click a fake login link to steal their credentials.
Short Message Service (SMS)
Definition: Social engineering attacks that use fake text messages to deceive users into taking harmful actions.
Example: A scammer sends a text message claiming to be from a delivery company, with a fake tracking link that installs malware.
Instant messaging (IM)
Definition: Cyber threats targeting messaging apps like WhatsApp, Telegram, or Slack to spread malware or steal data.
Example: A hacker sends a malicious link through WhatsApp, tricking users into downloading spyware onto their phones.
Image-based
Definition: Attacks that hide malicious code within images.
Example: A phishing email contains an infected image, and when clicked, it installs malware.
File-based
Definition: Cyberattacks that exploit vulnerabilities in files like PDFs, Word documents, or spreadsheets.
Example: A victim opens an infected PDF, allowing a hacker to install spyware on their computer.
Voice call
Definition: Social engineering attacks conducted over the phone to trick people into giving up sensitive information.
Example: A scammer calls a bank employee, pretending to be the IT department and asking for login credentials.
Removable device
Definition: Cyber risks associated with USB drives, external hard drives, and other portable storage devices.
Example: A hacker leaves infected USB drives in a company parking lot, hoping employees plug them into work computers.
Vulnerable software:
Client-Based Security (Agent-Based)
Definition: Requires installing a software agent on a device to provide security features such as monitoring, threat detection, and enforcement.
Example: A company installs endpoint protection software on employee laptops to detect malware in real-time.
Agentless Security
Definition: Provides security without requiring software installation on the end device, often working through network-based scanning or cloud integration.
Example: A cloud security service monitors all devices accessing a network without installing software on each one.
Unsupported systems and applications
Unsecure networks:
Wireless/Cloud Network Vector Attack
attack targets cloud-based services by exploiting vulnerabilities or misconfigurations to gain unauthorized access but does not include transmitting malicious files to a user's device.
Wired Network Vector Attack
a threat actor gains access to the site. He attaches an unauthorized device to a physical network port, permitting the device to communicate with other hosts.
Bluetooth Network Attack
the threat actor exploits vulnerabilities or misconfigurations in the Bluetooth protocol to transmit a malicious file to a user's device.
Direct Access Vector Attack
attack requires the threat actor to gain physical access to the site, such as accessing an unlocked workstation or stealing a PC.
Open service ports
Definition: Network ports that are left open and accessible, potentially exposing a system to unauthorized access or attacks.
Example: A company leaves port 3389 (Remote Desktop Protocol) open, allowing hackers to attempt brute-force attacks on remote connections.
Default credentials
Definition: Pre-set usernames and passwords that come with devices or software, which attackers can easily guess or find online.
Example: A router still uses the factory-set "admin/admin" login, making it vulnerable to unauthorized access.
Supply chain:
Managed service providers (MSPs)
Definition: Third-party companies that remotely manage IT services, such as security, networking, and cloud computing, for businesses.
Example: A small business hires an MSP to handle its cybersecurity, ensuring firewalls and antivirus software stay updated.
Vendors
Definition: Companies or individuals that sell products or services to an organization, often including software, hardware, or cloud solutions.
Example: A company purchases antivirus software from a security vendor to protect employee computers.
Suppliers
Definition: Businesses that provide raw materials, hardware, or components needed for a company's operations.
Example: A computer manufacturer relies on a supplier for processors used in its laptops.
Supply Chain Attack
involves a threat actor seeking methods to infiltrate a company in its supply chain.
Human vectors/social engineering:
Phishing
Definition: A cyberattack where attackers send fake emails or messages pretending to be from a trusted source to steal sensitive information.
Example: A hacker sends an email pretending to be from a bank, asking the recipient to enter their password on a fake website.
Spear Phishing
a phishing scam where the attacker has some information that is more likely to fool an individual target by the attack.
Whaling (Targeted Phishing)
a type of spear phishing attack explicitly directed against the upper levels of management in an organization.
Vishing
a phishing attack conducted through a voice channel, such as a phone call or VOIP
Smishing
a phishing technique that uses simple message service (SMS) text communications as the attack vector. The text message may include a link to a fake website asking a user to log in.
SPIM
spam (or mass unsolicited messages) over instant messaging or Internet messaging services.
Misinformation/disinformation
False or misleading information shared unintentionally.
Disinformation: False information deliberately spread to deceive people.
Example: A hacker spreads fake news about a company's data breach to damage its reputation.
Impersonation
Definition: When an attacker pretends to be someone else to gain trust and trick victims into revealing information or taking action.
Example: A scammer calls an employee, pretending to be IT support and asking for login credentials.
Business email compromise
Definition: A targeted phishing attack where cybercriminals impersonate company executives or vendors to trick employees into transferring money or sensitive data.
Example: A hacker spoofs the CEO’s email and requests the finance department to wire money to a fraudulent account.
Pretexting
a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext.
Watering hole
a social engineering technique where the attacker identifies a popular and frequently visited website used by the target group and compromises that website with exploit code. Their computers become infected when target group members visit the website, and the attacker can then use this foothold to penetrate the organization's systems.
Brand impersonation
committing resources to accurately duplicate a company's logos and formatting to make a phishing message or pharming website a visually compelling fake, associated with pharming
Pharming
Redirecting users from legitimate websites to malicious ones by corrupting the victim's computer's name resolution process. It is not specific to targeting a group of individuals.
Typosquatting
registers domains like legitimate ones, making users believe they're accessing a trusted site. The attacker creates a hijacked subdomain using the primary domain of a trusted cloud provider. Employees may fall victim to this attack if they overlook minor differences.
2.3 Explain various types of vulnerabilities.
Application:
Memory injection
refers to a security flaw where an attacker can introduce or inject malicious code into a running application's process memory.
Buffer overflow
occurs when an application receives more data than it can process, which can cause the application to crash or allow an attacker to execute arbitrary code, the attacker passes data that deliberately flood a temporary memory space.
Race conditions
Application race condition vulnerabilities refer to software flaws associated with the timing or order of events within a software program,
Time-of-check (TOC)
Refers to the moment when a system checks a condition or a state (e.g., verifying user permissions or file access).
Example: A program checks if a user has permission to access a file.
Time-of-use (TOU)
Refers to the moment when the system acts based on the result of the check (e.g., granting or denying access).
Example: The program opens the file after confirming the user's permission
TOC/TOU Vulnerability
A TOC/TOU vulnerability occurs when there's a time gap between the "check" and the "use," during which an attacker can manipulate the system or change the state.
Example Attack Scenario:
A program checks if a file is safe to open (TOC).
Before the file is used (TOU), an attacker swaps the file with a malicious one
Malicious update
an update that appears legitimate but contains harmful code, often used by cyber criminals to distribute malware or execute a cyber attack.
Operating system (OS)-based
Web-based:
Structured Query Language injection (SQLi)
Definition: A type of attack where an attacker injects malicious SQL code into a web application’s database query to manipulate or steal data.
Example: A hacker enters '; DROP TABLE users; -- into a website’s login form, which deletes the user database if the input is not properly secured.
Cross-site scripting (XSS)
Definition: An attack where an attacker injects malicious scripts into a trusted website, which then executes in a victim’s browser, allowing data theft or unauthorized actions.
Example: A hacker posts a malicious JavaScript snippet in a website's comment section, which steals login cookies when other users view the page.
Hardware:
Firmware
instances where processors inside the computer allow malicious programs to steal data during processing.
End-of-life
(EOL) system vulnerability includes instances where a specific product or version of a product that the manufacturer or vendor publicly declares as no longer supported.
Legacy
typically describe outdated software methods, technology, computer systems, or application programs with continued use despite known shortcomings.
Virtualization:
Virtual machine (VM) escape
when an attacker with access to a VM breaks out of this isolated environment and gains access to the host system or other VMs running on the same host.
Resource reuse
Definition:
Resource reuse occurs when system components, such as memory, storage, or hardware, are not properly cleared or reset before being reassigned. This can lead to security risks, such as data leaks or unauthorized access.
Example:
A cloud provider fails to wipe virtual machine storage before reassigning it to a new customer, potentially exposing the previous user's sensitive data.
Secure deallocation
takes any residual data in a resource (memory, disk space, etc.) and cleans or overwrites it before reuse, preventing potential data leakage.
Cloud-specific
Supply chain:
Service provider
Definition: A company that offers IT, cloud, or network services to businesses and consumers.
Example: AWS (Amazon Web Services) provides cloud computing services to companies for hosting websites and applications.
Hardware provider
Definition: A company that supplies physical devices such as servers, computers, or networking equipment.
Example: Dell manufactures and sells laptops, desktops, and enterprise servers.
Software provider
Definition: A company that develops and distributes software applications for businesses or consumers.
Example: Microsoft provides the Windows operating system and Office productivity tools.
Cryptographic
Misconfiguration
Mobile device:
Side loading
Definition: Installing applications from unofficial sources instead of the official app store.
Example: A user downloads an app from an unverified website, which secretly installs malware.
8. Jailbreaking
Jailbreaking
Definition: Removing software restrictions on a device to install unauthorized apps and modifications.
Example: A user jailbreaks their iPhone to install apps not available in the App Store, increasing security risks.
Zero-day
Definition: A newly discovered software vulnerability that has no fix yet, making it a prime target for cyberattacks.
Example: A hacker exploits a zero-day vulnerability in a web browser before the software vendor releases a patch.
2.4 Given a scenario, analyze indicators of malicious activity.
Malware attacks:
Ransomware
a type of malware that tries to extort money from the victim by making the victim’s computer or data files unavailable, demanding payment before making them available again.
Trojan
malware concealed within an installer package for software that appears legitimate. They misrepresent themselves to appear useful, routine, or interesting to persuade a victim to install them This type of malware does not seek consent for installation and actively operates secretly.
Worm
one of the first types of malware that spreads without any authorization from the user. An executable code of another process conceals a worm.
Spyware
malware that can perform adware-like tracking, but it also monitors local application activity, takes screenshots, and activates recording devices, such as a microphone or webcam.
Bloatware
refers to unwanted software that comes preinstalled on a system or bundled with other software, occupying memory and processing resources and potentially leading to system slowdowns.
Virus
malware that reproduces itself, needing to be executed, typically exhibit more destructive behaviors, such as file corruption or data theft.
Keylogger
Logic bomb
a string of code embedded in a software system or computer program that remains dormant until triggered by a specific logical event.
Rootkit
Definition: A type of stealthy malware that hides deep in a system to give attackers remote access while avoiding detection.
Example: A hacker installs a rootkit on a victim’s computer, allowing them to steal files and monitor activities without being noticed.
Physical attacks:
Brute force
Definition: An attack where an attacker tries all possible passwords or encryption keys until they find the correct one.
Example: A hacker uses a script to try thousands of password combinations to break into an employee’s account.
Radio frequency identification (RFID) cloning
Definition: Copying data from an RFID-based access card or key fob to create a duplicate for unauthorized entry.
Example: An attacker uses an RFID scanner near an employee’s badge to clone it and gain access to a restricted area.
Environmental
Definition: Physical threats caused by environmental factors like heat, fire, flooding, or power failures.
Example: A server room without proper cooling overheats, causing a system crash and data loss.
Network attacks:
Distributed denial-of-service (DDoS)
Amplified
Definition: A DDoS attack where attackers use small requests to trigger massive responses from a network, overwhelming the target.
Example: A hacker sends small DNS queries that result in large responses, overwhelming a victim’s server.
Reflected
Definition: A DDoS attack that tricks legitimate servers into sending large amounts of traffic to a victim’s IP address.
Example: A hacker spoofs a victim’s IP and sends multiple requests to unsecured servers, causing them to flood the victim’s network with replies.
Domain Name System (DNS) attacks
Definition: Exploiting weaknesses in DNS to redirect users to malicious sites or disrupt services.
Example: An attacker poisons a DNS server, causing users who try to visit a bank's website to be redirected to a phishing site instead.
Wireless
Definition: Attacks targeting Wi-Fi networks to intercept or manipulate data.
Example: A hacker sets up a fake Wi-Fi hotspot at a coffee shop to steal user credentials.
On-path
Definition: An attacker intercepts communication between two parties to steal or alter data.
Example: A hacker eavesdrops on a public Wi-Fi network, capturing login credentials sent over an unencrypted connection.
Credential replay
Definition: An attacker intercepts and reuses login credentials to gain unauthorized access.
Example: A hacker steals a session token from a user’s browser and reuses it to log into their bank account.
Malicious code
Definition: Any form of malware designed to harm, exploit, or disrupt systems.
Example: A phishing email tricks users into downloading a trojan virus that steals their passwords.
Application attacks:
Injection
a application attack that involve sending untrusted data to an interpreter as part of a command or query. This data tricks the interpreter into executing unintended commands, potentially allowing unauthorized access or data retrieval.
Buffer overflow
occurs when a program writes more data into a memory buffer than it can hold, causing the excess data to overwrite adjacent memory. Attackers exploit this vulnerability to execute malicious code or crash a system
Example:
A hacker inputs a long string of characters into a website's login form, exceeding the expected limit and overwriting memory to gain unauthorized system access.
Replay
a application attack that involve the malicious repetition or delayed transmission of valid data.
Privilege escalation
Definition: When an attacker gains higher access rights than they are supposed to have.
Example: A hacker exploits a system vulnerability to elevate their account from a regular user to an administrator.
Forgery
Definition: Creating fake data, credentials, or requests to impersonate a legitimate user or system.
Example: An attacker spoofs an employee’s email to request a fraudulent wire transfer.
Directory traversal
Definition: A web attack where an attacker accesses restricted files by navigating outside the intended directory.
Example: A hacker inputs “../../etc/passwd” into a website URL to access system files.
Cryptographic attacks:
Downgrade
cryptographic attack, involves forcing a system to abandon its high-security mode and revert to a less secure state.
Collision
Definition: When two different inputs produce the same cryptographic hash value, making it easier for attackers to forge data.
Example: An attacker creates a fraudulent digital certificate with the same hash as a legitimate one to impersonate a trusted website.
Birthday
Definition: A type of cryptographic attack that exploits the probability of hash collisions.
Example: An attacker finds two different files that produce the same hash, allowing them to forge digital signatures.
Password attacks:
Spraying
a method attackers use to gain unauthorized access by attempting a common password across many accounts.
Brute force
Definition: Trying all possible password combinations until the correct one is found.
Example: A hacker runs an automated script to guess a user's password by trying thousands of possible combinations.
Indicators:
Account lockout
Definition: A security feature that temporarily disables an account after multiple failed login attempts to prevent brute force attacks.
Example: A user gets locked out of their email after entering the wrong password five times.
Concurrent session usage
Definition: When multiple logins occur for the same account from different locations or devices simultaneously, potentially indicating an account compromise.
Example: A user logs into their email from the U.S. and Russia at the same time, triggering an alert.
Blocked content
Definition: Security policies or firewalls preventing access to specific websites, files, or data.
Example: A company blocks employees from visiting gambling or malicious sites using a web filter.
Impossible travel
Definition: A security alert triggered when a user logs in from two geographically distant locations within an impossible time frame.
Example: A user logs in from New York and then from Tokyo within 5 minutes, raising a red flag for potential account compromise.
Resource consumption
Definition: A system slowdown due to excessive use of CPU, memory, or network resources, often caused by malware or attacks.
Example: A DDoS attack floods a web server, consuming all bandwidth and making the site slow or unresponsive.
Resource inaccessibility
Definition: When critical system resources (like files, databases, or services) become unavailable due to attacks or failures.
Example: A ransomware attack encrypts all company files, making them inaccessible until a ransom is paid.
Out-of-cycle logging
a indicator, that refers to an anomaly where the log data occurs outside the expected or routine logging cycle. The generated logs occurring at unusual times point toward an out-of-cycle logging issue.
Published/documented
Definition: Security flaws that have been publicly disclosed and can be exploited if not patched.
Example: A hacker targets outdated operating systems by exploiting a well-known vulnerability from a security advisory.
Missing logs
missing logs, making it difficult to ascertain what happened during a specific period, like a malware attack or system lockout
2.5 Explain the purpose of mitigation techniques used to secure the enterprise.
Mitigation techniques:
Segmentation
divides systems into separate segments or subnets, each with distinct security controls and access permissions.
Access control
Access control refers to regulating and managing the permissions granted to individuals, software, systems, and networks to access resources or information.
Access control list (ACL)
enforce access control policies in computer systems and networks.
Permissions
Definition: Access rights assigned to users or systems to control what they can view or modify.
Example: An employee has read-only access to financial records but cannot edit them.
Application allow list
Definition: A security measure that permits only approved applications to run on a system.
Example: A company blocks all software installations except for officially approved apps like Microsoft Office.
Isolation
Definition: Segregating a system or network to prevent threats from spreading.
Example: An infected computer is placed in an isolated network to prevent malware from spreading.
Patching
Definition: Updating software to fix security vulnerabilities and improve functionality.
Example: A company applies security patches to prevent hackers from exploiting software bugs.
Encryption
Limits how much data a person can get a hold on, and prevents access to data files, includes File level Encryption, FDE, Full disk encryption
Monitoring
Aggregates information from devices, using internal or external devices like sensors to detect or collectors (IPS, firewall, SIEM, syslog) to monitor and report data
Least privilege
Rights and permissions being set to the bare minimum, getting exactly whats needed to complete the objective
Configuration enforcement
Enforces the configuration of the systems that are connected, through a posture assessments (checks if everything is up to date)
Decommissioning
Definition: Securely retiring old hardware or software to prevent unauthorized access.
Example: A company wipes and destroys hard drives before disposing of old computers.
Hardening techniques
Encryption
Definition: Converting data into a coded format to protect it from unauthorized access.
Example: A bank encrypts customer data so it cannot be read if stolen.
Installation of endpoint protection
Definition: Deploying security software like antivirus and anti-malware on devices to detect and prevent threats.
Example: A company installs endpoint security software to block malware on employee laptops.
Host-based firewall
can protect logical ports, but if compromised or not set up correctly, the unneeded logical ports risk exploitation.
Host-based intrusion prevention system (HIPS)
describes software tools that monitor and protect individual hosts, like computers or servers, from unauthorized access and malicious activities, it requires deploying and configuring specialized software agents, describes software tools that monitor and protect individual hosts and uses signature based detection and anomaly detection.
Disabling ports/protocols
ensures that a hacker cannot compromise a system using these ports. Failing to disable these ports increases the likelihood of an attacker bypassing existing protections.
Default password changes
Definition: Replacing manufacturer-set passwords with stronger, unique ones to improve security.
Example: A new router’s default "admin" password is changed before connecting it to the network.
Removal of unnecessary software
Definition: Uninstalling applications that are not needed to reduce security risks.
Example: A company removes outdated software to prevent exploitation by attackers.
NoteStudied by 34 peopleNoteStudied by 20 peopleNoteStudied by 13 peopleNoteStudied by 13 peopleNoteStudied by 10 peopleNoteStudied by 18952 people