Domain 2 Flash Cards
Chapter 5 Compare and contrast common threats actors and motivations:
Nation state: These are government sponsored entities that engage in cyber operations to further national security interests.
Advanced Persistent Threat (APT): are typically nation backed agents or organized cybercriminal groups. Are recognized for their ability to to break into specific systems or networks, stay hidden for a long time. quietly steal data little by little over time.
Unskilled attacker: usually use tools from the dark web, lack technical prowess. Motivations might range from personal gain to desire for notoriety.
Hacktivist: driven by ideological, political, or social motives. They promote a cause, raise awareness or enact change. Defacing websites, leaking sensitive information. Seen as a digital protest.
Insider threat: Can be challenging to detect. Misuse access to compromise data. It can also be unintentional such as employees falling for fishing attacks. Or can be intentional attacks for revenged or financial gain.
Organized crime: have been recognized the potential for profit in digital realm. Engage in ransomware attacks, credit card fraud. identity theft. Organized by a hierarchical structure, division of labor, and focus on monetary gains.
Shadow It: technology used within an organization without proper approval or oversight from the it department. (not with malicious intent)
Resources/funding availability: the extent of resources and funding at the disposal of threat actors is a pivotal determinant of their operational power.
level of sophistication/capability: threat actors directly impacts the complexity and potential success of their attacks.
MOTIVATION:
Data Exfiltration: Revolves around stealing financial information selling it on the dark web, leads to breaches of customer data and results in tarnished reputations.
Espionage: nation states and other entities engage in cover activities to gather intelligence. Revolves around infiltrating networks, systems, databases, sensitive information.
Service Disruption: disrupting essential services, like public services, communication networks, or critical infrastructures.
blackmail: exploit stolen data, personal information, or compromising content to extort victims. Ransomware attacks
Chapter 6 Common Threat vectors and attacks surfaces
client based scanning: operates as a tool for automating vulnerability discovery and classification and reporting it to central management server.
agentless scanning: preferred method for threat actors, is employed to scan hosts without necessitating any installations.
Legacy and third party software are prime targets for threats
Service set identifier(SSID) acts as the network name, by disabling this broadcast network administrators obscure the network presence. making it less visible to casual attackers.
Mac filtering: secures the network by ensuring that only an approved users mac address is added to the wireless access point
Supply Chain: the transformation of raw material into finished products and making them available to consumers.
Managed service providers(MSP): is a third party organization that fulfills all of company it needs.
vendors: Makes goods and services available to companies or consumers. The relationship between organizations and their vendors often involves the sharing of sensitive information. should perform risk assessments before giving access to the network.
suppliers: third party contributors who provide goods or services.
Human Vectors/Social Engineering:
pretexting: involves fabricating a scenario to extract information. Attacker might pose as a tech support agent and convince you to steal sensitive information.
Watering hole attacks; Compromise legitimate websites by implementing malicious code.
Typo squatting: exploits typing errors.
Chapter 7 Various types of vulnerabilities:
Memory Injection: secret insertion of malicious code into a programs memory space. They can remain undetected by taking advantage of the dynamic nature of memory collection.
Buffer overflow: attackers flood a programs buffer with excess data which can overwrite adjacent memory spaces, and open doors for unauthorized access.
Race conditions: occurs hen two instructions from separate threads attempt to access the same data simultaneously. TOC/TOU deals with synchronization and handling of shared resources.
Structured query language injection: attacker exploits vulnerabilities in a website or an applications input fields to manipulate the sql queries executed on the backend database.
mitigating SQLI: stored procedures: database object that encapsulates a sequence of sql statements. and Input validation and XXS
VM escape: hypervisor introduce an unexpected challenge. it can unintentionally create a path for lateral movement. Could lead to unauthorized access and compromises the security systems.
resource reuse: improper allocation and management can lead to performance issues. Fend(Resource exhaustion is main concern)
VM sprawl: uncontrolled and excessive creation of VMS. Create automated provisioning,
Risk of shared tenancy: multiple customers sharing the same infrastructure.
Inadequate configuration management: Lack of understanding or mishandling of these configs can result in expose resources, or open ports.
Identity and access management flaws: misconfigured user permissions, compromised credentials, or weak authentication
Cloud access security broker(CASB) enforces company security policies bridging the gap between on premises and dynamic cloud environment
service provided vulnerabilities: poorly managed third party relationships can result in lapses in security controls.
Hardware provided vulnerabilities: Counterfeit hardware or compromised components can infiltrate the supply chain.
Key compromise: key can be compromised due to theft, weak generation or poor key management.
side channel attacks: cryptographic operations can leak information through side channels such as power consumption, timing, or radiation. Attackers skilled in this can also compromise encryption keys or data.
backdoor exploitational rendering encryptions useless, when attackers can access backdoors with cryptographic systems.
CRL and OCSP are vital tools to maintain integrity, CRL lets the individual know what certificates are valid, and OCSP is better of the two because it enables real time certificate validation.
SSL Stripping: carry out an ssl downgrade attack and manage to bypass certificate based protection which turns it into a http attack. And capture data such as credit card numbers. Known as the HTTPS attacks.
SSL/TLS downgrade: the SSL traffic is intercepted to by a server pretending to have an older, less secure browser. Then switches to a weaker encryption method and makes it easier for hackers to see the data. An example of this is when Padding oracle on Downgraded Legacy Encryption(POODLE) attack, targets the older versions of SSL which is used by outdated servers.
Network devices: open ports, weak access controls, unpatched firmware can allow for attacks like Distributed denial of service DDoS and man in the middle attacks.
Access Control Lists(ACL’s) could grant users unauth access to sensitive segments of the network.
Firewalls: act as a frontline defense against unauth access by filtering incoming and outgoing network traffic.
Jailbreaking: specific to apple devices, allows users to bypass manufacturer or OS restrictions providing more control over the device.
Rooting: allows users to bypass manufacture or OS restrictions on Android devices
Sideloading: android devices using APK files
Zero day vulnerabilities: is like a secrete passage in a computer software that hackers fine before the software creators do. Gives hackers unrestricted assess to break into systems because there is no defense. They can not be detected.
Chapter 8: Indicators of malicious activity
Potentially unwanted programs (PUPs): programs downloaded inside of other programs. overconsume computer resources and slow down other processes.
Ransomware: encrypts private files and demands a ransom payment.
Prevention against Ransomware Attacks: Endpoint protection software like an endpoint detection and response (EDR) or extended detection and response (XDR) tool will provide the greatest protection
Trojans: deceive users by their appearance as legitimate software or files. setting up backdoor access bypass authentication process could also be used for surveillance.
Portable executable files: common executable and binary files in windows OS.
Remote access Trojans: allows remote control over compromised systems. All from a safe distance
Worms: resides in a computers memory the are difference because they can replicate and spread through interconnected networks, and consuming network bandwidth
Spyware: slow down computers using processing power and ram resources to track user activities with cookies.
Bloatware: helpful addition to new devices, but can lead to a drain on performance and storage, sapping resources, slowing operations.
polymorphic viruses: modify code, making them appear unique with each infection. renders signature based detection methods less effective. The virus continues to evolve and outsmart security measures.
Keyloggers: silent digital observes that discreetly record keystrokes as users type on their keyboard.
Logic bombs: digital time bombs lying dormant within systems that are designed to trigger specific actions or disruptions at a predetermined time or condition.
Rootkits: hide within OS, thus evading detection, possess system level access akin to root or kernel level which allows to intercept system level function calls. They grant remote control over compromised systems.
Malware Inspection: need to use sandbox is an isolated virtual machine, patching, testing and if the application is dangerous. Cuckoo is well known open source sandbox tool.
Radio frequency identification RFID cloning: intruders copy the signals from key cards or badges that allows people to enter secure areas.
Pivoting: when an attacker gains access to network via a vulnerable host and targets a critical server like a database server. It is the same thing as a VM escape but vm escape happens on VM.
Network mapper(nmap) tool: used to map out the whole network and create an inventory of all the hosts, versions of software
Distributed denial of service: one host prevents a victim’s servers from working. Can be launched from multiple servers to take down the targeted server.
botnet: group of devices such as computers or IOT gadgets that team up to attack a victim system and know it offline.
Amplified attack: sends a small request that triggers a much larger response such as the Internet control message protocol
Reflected: the victims IP address is obtained and crafts a packet seemingly from the victim. Domain name system(DNS): backbone of the internet responsible for translating host or domain names.
ARP poisoning: it maps ip addresses to mac address. Where the local area network(lan) is flooded with fake arp messages. messages meant for the victim is sent to the attacker Can only happen on a lan
dns sinkhold: identifies known malicious domains an ingeniously sends back false information to potential attackers. redirect malicious actors to a honeypot instead for further analysis.
DNS cache poisoning: attacker manipulates dns records to redirect users to malicious websites
Wireless attacks:
Rogue access points: pretends to be a legitimate wireless access point to trick users into connecting and sharing sensitive information.
Evil twin: it also intercepts communications between users and the legitimate network.
Deauthentication and jamming attacks: Jamming blocks the victim from accessing WAP, and forces the users to disconnect from the network.
MAC spoofing: impersonate authorized devices on network
WIFI analyzers: can identify hidden threads of abnormal network traffic that can indicate security breaches or performance degradation.
On-Path attack: interception attacks, eavesdrop on data being exchanged
Replay attack: is an on path attack that intercepts data but resends or replays the data at a later date. assigning unique sequence numbers or time stamps prevents this from happening
credential replay attacks: captures valid credentials during a legitimate login attempt and then use those same credentials for impersonation. Telnet allows this issue to exist if we use Secure shell ssh a protocol used for secure remote administration then all sessions are encrypted.
disadvantage for NT LAN Manager(NTLM): it is a legacy system therefore a prime target for attacks.
credential stuffing: user uses same credentials for every system(sudden spike in logins, or failed attempts) is a big indicator of this issue, companies should run security awareness trainings and the use of password manager should be encouraged.
bash shell attacks: execute unauth commands, compromise systems, or manipulate files. Give themselves privilege's escalation
Injection attacks: insertion of untrusted data into application inputs, such as SQL injection
Select * or 1=1 is a SQL injection attack
Buffer overflow: writes data beyond the allocated buffer space. Data execution prevention(DEP) is used to mitigate bugger overflows by preventing the execution of code in memory pages marked as non executable.
Privilege Escalation: purpose is to gain elevated privilage’’, allows attackers to perform actions beyond auth levels.
Forgery Attacks: manipulate data goal is to impersonate legitimate users or applications. Cross site request forgery(CSRF) is where users are tricked into performing actions without their consent.
Server side Request forgery (SSRF): is a web security vulnerability that allows attackers to send unauth requests from the server.
Directory Traversal: attackers aims to traverse the directory structure and access sensitive or confidential files.
Cryptographic attacks
Downgrade attacks: alters communication between two parties attempting to make the encryption protocol weaker
SSL/TLS downgrade attack: exploits vulnerabilities in communication between a client(web browser) suggests using a older and less secure encryption method which makes it easier for hackers to hack
SSL Stripping: it is an attack where intercepts a secure HTTPS connection and downgrades to http allowing to eavesdrop on sensitive information.
identifying birthdays could cause collisions,
Pass the hash attack is a concern for older OS exploits weak hashing methods.
The weakness of NTLM is that all the passwords are stored in the local security authority subsystem service
Dictionary attack: exhaustive list of words found in the dictionary(misspellings or special characters are not found in this dictionary)
Password spraying: focus on few common usernames and try a list of common passwords
brute force: password lists, or rainbows tables requires a lot of resources.
Hybrid attacks: combination of both dictionary attack and brute force attack.
online password attack: guess or crack a password using website login interface
offline password attacks: already gained access to systems password storage then attempt to crack during offline without alerting the security team.
Indicator of attacks: these are early warnings of potential threats by identifying suspicious activities or behaviors within a network.
account lockout: especially for privileged accounts could indicate an attempt to gain unauth access.
concurrent session usage: sudden spike or higher number of concurrent sessions than usual might indicate unauth access or a breach in progress.
blocked content: attempts to access valuable data
impossible travel: multiple logins from two geographically distant locations.
resource consumption: excessive CPU or memory usage could indicate malware infection or a Ddos attack targeting the systems.
Resource inaccessibility: when critical resources become suddenly unavailable could be a sign of cyber or Ddos attack.
out of cycle logging: logs generated at unusual times, cyber attacks often manipulate logs to cover their tracks.
published documented: documented vulnerabilities and config settings can attract malicious attackers.
Missing logs: absence of expected logs can be a clear sign of tampering or an attempt to hide malicious activities.
Practice Exam notes:
A Port mirroring, VLAN hopping, ARP poising, Rogue Access Point
B I got spear phishing and waterhole mized up
B Malicious Macro
B Mac flooding vs apr poisoning
A BEC vs Phishing
C OS patch management issue vs Weak Encryption algorithm
C botnet vs sppyware
D dns cache poisoning (dns spoofing) DNS tunneling, DNS fast flux, Domain hijacking
A HTTP Header forgery
D CSRF vs Directory traversal
B password spraying
A Worm
A Ranswomware attack
D DDOS attack vs ARP poisoning
Domain 2 Flash Cards
Chapter 5 Compare and contrast common threats actors and motivations:
Nation state: These are government sponsored entities that engage in cyber operations to further national security interests.
Advanced Persistent Threat (APT): are typically nation backed agents or organized cybercriminal groups. Are recognized for their ability to to break into specific systems or networks, stay hidden for a long time. quietly steal data little by little over time.
Unskilled attacker: usually use tools from the dark web, lack technical prowess. Motivations might range from personal gain to desire for notoriety.
Hacktivist: driven by ideological, political, or social motives. They promote a cause, raise awareness or enact change. Defacing websites, leaking sensitive information. Seen as a digital protest.
Insider threat: Can be challenging to detect. Misuse access to compromise data. It can also be unintentional such as employees falling for fishing attacks. Or can be intentional attacks for revenged or financial gain.
Organized crime: have been recognized the potential for profit in digital realm. Engage in ransomware attacks, credit card fraud. identity theft. Organized by a hierarchical structure, division of labor, and focus on monetary gains.
Shadow It: technology used within an organization without proper approval or oversight from the it department. (not with malicious intent)
Resources/funding availability: the extent of resources and funding at the disposal of threat actors is a pivotal determinant of their operational power.
level of sophistication/capability: threat actors directly impacts the complexity and potential success of their attacks.
MOTIVATION:
Data Exfiltration: Revolves around stealing financial information selling it on the dark web, leads to breaches of customer data and results in tarnished reputations.
Espionage: nation states and other entities engage in cover activities to gather intelligence. Revolves around infiltrating networks, systems, databases, sensitive information.
Service Disruption: disrupting essential services, like public services, communication networks, or critical infrastructures.
blackmail: exploit stolen data, personal information, or compromising content to extort victims. Ransomware attacks
Chapter 6 Common Threat vectors and attacks surfaces
client based scanning: operates as a tool for automating vulnerability discovery and classification and reporting it to central management server.
agentless scanning: preferred method for threat actors, is employed to scan hosts without necessitating any installations.
Legacy and third party software are prime targets for threats
Service set identifier(SSID) acts as the network name, by disabling this broadcast network administrators obscure the network presence. making it less visible to casual attackers.
Mac filtering: secures the network by ensuring that only an approved users mac address is added to the wireless access point
Supply Chain: the transformation of raw material into finished products and making them available to consumers.
Managed service providers(MSP): is a third party organization that fulfills all of company it needs.
vendors: Makes goods and services available to companies or consumers. The relationship between organizations and their vendors often involves the sharing of sensitive information. should perform risk assessments before giving access to the network.
suppliers: third party contributors who provide goods or services.
Human Vectors/Social Engineering:
pretexting: involves fabricating a scenario to extract information. Attacker might pose as a tech support agent and convince you to steal sensitive information.
Watering hole attacks; Compromise legitimate websites by implementing malicious code.
Typo squatting: exploits typing errors.
Chapter 7 Various types of vulnerabilities:
Memory Injection: secret insertion of malicious code into a programs memory space. They can remain undetected by taking advantage of the dynamic nature of memory collection.
Buffer overflow: attackers flood a programs buffer with excess data which can overwrite adjacent memory spaces, and open doors for unauthorized access.
Race conditions: occurs hen two instructions from separate threads attempt to access the same data simultaneously. TOC/TOU deals with synchronization and handling of shared resources.
Structured query language injection: attacker exploits vulnerabilities in a website or an applications input fields to manipulate the sql queries executed on the backend database.
mitigating SQLI: stored procedures: database object that encapsulates a sequence of sql statements. and Input validation and XXS
VM escape: hypervisor introduce an unexpected challenge. it can unintentionally create a path for lateral movement. Could lead to unauthorized access and compromises the security systems.
resource reuse: improper allocation and management can lead to performance issues. Fend(Resource exhaustion is main concern)
VM sprawl: uncontrolled and excessive creation of VMS. Create automated provisioning,
Risk of shared tenancy: multiple customers sharing the same infrastructure.
Inadequate configuration management: Lack of understanding or mishandling of these configs can result in expose resources, or open ports.
Identity and access management flaws: misconfigured user permissions, compromised credentials, or weak authentication
Cloud access security broker(CASB) enforces company security policies bridging the gap between on premises and dynamic cloud environment
service provided vulnerabilities: poorly managed third party relationships can result in lapses in security controls.
Hardware provided vulnerabilities: Counterfeit hardware or compromised components can infiltrate the supply chain.
Key compromise: key can be compromised due to theft, weak generation or poor key management.
side channel attacks: cryptographic operations can leak information through side channels such as power consumption, timing, or radiation. Attackers skilled in this can also compromise encryption keys or data.
backdoor exploitational rendering encryptions useless, when attackers can access backdoors with cryptographic systems.
CRL and OCSP are vital tools to maintain integrity, CRL lets the individual know what certificates are valid, and OCSP is better of the two because it enables real time certificate validation.
SSL Stripping: carry out an ssl downgrade attack and manage to bypass certificate based protection which turns it into a http attack. And capture data such as credit card numbers. Known as the HTTPS attacks.
SSL/TLS downgrade: the SSL traffic is intercepted to by a server pretending to have an older, less secure browser. Then switches to a weaker encryption method and makes it easier for hackers to see the data. An example of this is when Padding oracle on Downgraded Legacy Encryption(POODLE) attack, targets the older versions of SSL which is used by outdated servers.
Network devices: open ports, weak access controls, unpatched firmware can allow for attacks like Distributed denial of service DDoS and man in the middle attacks.
Access Control Lists(ACL’s) could grant users unauth access to sensitive segments of the network.
Firewalls: act as a frontline defense against unauth access by filtering incoming and outgoing network traffic.
Jailbreaking: specific to apple devices, allows users to bypass manufacturer or OS restrictions providing more control over the device.
Rooting: allows users to bypass manufacture or OS restrictions on Android devices
Sideloading: android devices using APK files
Zero day vulnerabilities: is like a secrete passage in a computer software that hackers fine before the software creators do. Gives hackers unrestricted assess to break into systems because there is no defense. They can not be detected.
Chapter 8: Indicators of malicious activity
Potentially unwanted programs (PUPs): programs downloaded inside of other programs. overconsume computer resources and slow down other processes.
Ransomware: encrypts private files and demands a ransom payment.
Prevention against Ransomware Attacks: Endpoint protection software like an endpoint detection and response (EDR) or extended detection and response (XDR) tool will provide the greatest protection
Trojans: deceive users by their appearance as legitimate software or files. setting up backdoor access bypass authentication process could also be used for surveillance.
Portable executable files: common executable and binary files in windows OS.
Remote access Trojans: allows remote control over compromised systems. All from a safe distance
Worms: resides in a computers memory the are difference because they can replicate and spread through interconnected networks, and consuming network bandwidth
Spyware: slow down computers using processing power and ram resources to track user activities with cookies.
Bloatware: helpful addition to new devices, but can lead to a drain on performance and storage, sapping resources, slowing operations.
polymorphic viruses: modify code, making them appear unique with each infection. renders signature based detection methods less effective. The virus continues to evolve and outsmart security measures.
Keyloggers: silent digital observes that discreetly record keystrokes as users type on their keyboard.
Logic bombs: digital time bombs lying dormant within systems that are designed to trigger specific actions or disruptions at a predetermined time or condition.
Rootkits: hide within OS, thus evading detection, possess system level access akin to root or kernel level which allows to intercept system level function calls. They grant remote control over compromised systems.
Malware Inspection: need to use sandbox is an isolated virtual machine, patching, testing and if the application is dangerous. Cuckoo is well known open source sandbox tool.
Radio frequency identification RFID cloning: intruders copy the signals from key cards or badges that allows people to enter secure areas.
Pivoting: when an attacker gains access to network via a vulnerable host and targets a critical server like a database server. It is the same thing as a VM escape but vm escape happens on VM.
Network mapper(nmap) tool: used to map out the whole network and create an inventory of all the hosts, versions of software
Distributed denial of service: one host prevents a victim’s servers from working. Can be launched from multiple servers to take down the targeted server.
botnet: group of devices such as computers or IOT gadgets that team up to attack a victim system and know it offline.
Amplified attack: sends a small request that triggers a much larger response such as the Internet control message protocol
Reflected: the victims IP address is obtained and crafts a packet seemingly from the victim. Domain name system(DNS): backbone of the internet responsible for translating host or domain names.
ARP poisoning: it maps ip addresses to mac address. Where the local area network(lan) is flooded with fake arp messages. messages meant for the victim is sent to the attacker Can only happen on a lan
dns sinkhold: identifies known malicious domains an ingeniously sends back false information to potential attackers. redirect malicious actors to a honeypot instead for further analysis.
DNS cache poisoning: attacker manipulates dns records to redirect users to malicious websites
Wireless attacks:
Rogue access points: pretends to be a legitimate wireless access point to trick users into connecting and sharing sensitive information.
Evil twin: it also intercepts communications between users and the legitimate network.
Deauthentication and jamming attacks: Jamming blocks the victim from accessing WAP, and forces the users to disconnect from the network.
MAC spoofing: impersonate authorized devices on network
WIFI analyzers: can identify hidden threads of abnormal network traffic that can indicate security breaches or performance degradation.
On-Path attack: interception attacks, eavesdrop on data being exchanged
Replay attack: is an on path attack that intercepts data but resends or replays the data at a later date. assigning unique sequence numbers or time stamps prevents this from happening
credential replay attacks: captures valid credentials during a legitimate login attempt and then use those same credentials for impersonation. Telnet allows this issue to exist if we use Secure shell ssh a protocol used for secure remote administration then all sessions are encrypted.
disadvantage for NT LAN Manager(NTLM): it is a legacy system therefore a prime target for attacks.
credential stuffing: user uses same credentials for every system(sudden spike in logins, or failed attempts) is a big indicator of this issue, companies should run security awareness trainings and the use of password manager should be encouraged.
bash shell attacks: execute unauth commands, compromise systems, or manipulate files. Give themselves privilege's escalation
Injection attacks: insertion of untrusted data into application inputs, such as SQL injection
Select * or 1=1 is a SQL injection attack
Buffer overflow: writes data beyond the allocated buffer space. Data execution prevention(DEP) is used to mitigate bugger overflows by preventing the execution of code in memory pages marked as non executable.
Privilege Escalation: purpose is to gain elevated privilage’’, allows attackers to perform actions beyond auth levels.
Forgery Attacks: manipulate data goal is to impersonate legitimate users or applications. Cross site request forgery(CSRF) is where users are tricked into performing actions without their consent.
Server side Request forgery (SSRF): is a web security vulnerability that allows attackers to send unauth requests from the server.
Directory Traversal: attackers aims to traverse the directory structure and access sensitive or confidential files.
Cryptographic attacks
Downgrade attacks: alters communication between two parties attempting to make the encryption protocol weaker
SSL/TLS downgrade attack: exploits vulnerabilities in communication between a client(web browser) suggests using a older and less secure encryption method which makes it easier for hackers to hack
SSL Stripping: it is an attack where intercepts a secure HTTPS connection and downgrades to http allowing to eavesdrop on sensitive information.
identifying birthdays could cause collisions,
Pass the hash attack is a concern for older OS exploits weak hashing methods.
The weakness of NTLM is that all the passwords are stored in the local security authority subsystem service
Dictionary attack: exhaustive list of words found in the dictionary(misspellings or special characters are not found in this dictionary)
Password spraying: focus on few common usernames and try a list of common passwords
brute force: password lists, or rainbows tables requires a lot of resources.
Hybrid attacks: combination of both dictionary attack and brute force attack.
online password attack: guess or crack a password using website login interface
offline password attacks: already gained access to systems password storage then attempt to crack during offline without alerting the security team.
Indicator of attacks: these are early warnings of potential threats by identifying suspicious activities or behaviors within a network.
account lockout: especially for privileged accounts could indicate an attempt to gain unauth access.
concurrent session usage: sudden spike or higher number of concurrent sessions than usual might indicate unauth access or a breach in progress.
blocked content: attempts to access valuable data
impossible travel: multiple logins from two geographically distant locations.
resource consumption: excessive CPU or memory usage could indicate malware infection or a Ddos attack targeting the systems.
Resource inaccessibility: when critical resources become suddenly unavailable could be a sign of cyber or Ddos attack.
out of cycle logging: logs generated at unusual times, cyber attacks often manipulate logs to cover their tracks.
published documented: documented vulnerabilities and config settings can attract malicious attackers.
Missing logs: absence of expected logs can be a clear sign of tampering or an attempt to hide malicious activities.
Practice Exam notes:
A Port mirroring, VLAN hopping, ARP poising, Rogue Access Point
B I got spear phishing and waterhole mized up
B Malicious Macro
B Mac flooding vs apr poisoning
A BEC vs Phishing
C OS patch management issue vs Weak Encryption algorithm
C botnet vs sppyware
D dns cache poisoning (dns spoofing) DNS tunneling, DNS fast flux, Domain hijacking
A HTTP Header forgery
D CSRF vs Directory traversal
B password spraying
A Worm
A Ranswomware attack
D DDOS attack vs ARP poisoning
