CMSC 426 Lecture 3

1. Q: What is an attacker?
A: An attacker (also called a threat actor, adversary, or malicious actor) is an individual, group, or entity attempting to compromise the confidentiality, integrity, and availability of information systems, networks, or data.

2. Q: What are the types of attackers?
A: They include Script Kiddies (novices), Cybercriminals (seeking financial gain), Hacktivists (motivated by social/political issues), and Advanced Persistent Threats (APTs), which are resource-rich and target long-term objectives.

3. Q: Can you give examples of APT groups?
A: Examples include APT1 (linked to a unit in the Chinese PLA) and Sandworm (a Russian state-sponsored group involved in high-profile attacks like the Ukrainian power grid outage and NotPetya).

4. Q: What is offensive security?
A: Offensive security is a proactive, adversarial approach to computer security that involves red teaming and penetration testing to understand attackers’ goals, tools, and techniques.

5. Q: What are the main stages of offensive security?
A: The stages include Reconnaissance, Weaponization & Development, Delivery, Initial Access/Exploitation/Execution, Installation & Persistence, Command & Control, Discovery/Escalation/Lateral Movement, and Actions on Objective.

6. Q: What happens during the Reconnaissance phase?
A: Attackers gather information—using techniques like OSINT, port scans, social engineering, and vulnerability searches—to plan their attack.

7. Q: What is involved in the Weaponization & Development stage?
A: Based on gathered intelligence, attackers create tailored payloads (e.g., custom malware), determine target connection methods, and develop ways to deliver the payload.

8. Q: What methods are used in the Delivery stage?
A: Delivery methods include social engineering, phishing emails with malicious links or documents, redirecting targets to exploit kits, or exploiting vulnerabilities in internet-facing services.

9. Q: What happens during the Initial Access, Exploitation, & Execution stage?
A: The crafted code or malware is executed on the target—either by tricking the user into running it or by exploiting a system vulnerability to run it automatically.

10. Q: What is the purpose of the Installation & Persistence stage?
A: To install additional malware and establish persistent access (such as via backdoors) so the attacker remains on the system even if the initial access vector is removed.

11. Q: What is the Command & Control phase?
A: It’s the stage where the compromised system communicates with the attacker’s C2 server, allowing the attacker to remotely control the target machine.

12. Q: What occurs during the Discovery, Escalation, and Lateral Movement stage?
A: The attacker gathers more information about the target’s network, escalates privileges (e.g., from user to root or from local to domain admin), and moves laterally to compromise additional systems.

13. Q: What is meant by Actions on Objective?
A: This final stage involves completing the attacker’s mission—such as data exfiltration, disruption, or other malicious activities—once all necessary access and controls are in place.

14. Q: What is Incident Response (IR)?
A: Incident Response is the process of detecting, responding to, mitigating, recovering from, and reporting on cyber incidents to minimize damage.

15. Q: What are the main phases of Incident Response?
A: The phases are Detection, Response (Containment), Mitigation, Recovery, and Reporting.

16. Q: What happens during the Detection phase in IR?
A: Suspicious or unusual activity is identified through system and network logging, monitoring, and alert/ticketing systems.

17. Q: What is the goal of the Response (Containment) phase?
A: To contain the incident quickly—limiting the damage and isolating affected systems to prevent further compromise.

18. Q: What is involved in the Mitigation phase?
A: Analyzing the incident to determine its cause, securing systems against the exploited vulnerability, and patching or fixing the underlying issue.

19. Q: What is the Recovery phase in Incident Response?
A: The process of returning systems to a stable state by removing malware, restoring data, and ensuring systems are secure before full operations resume.

20. Q: What does the Reporting phase entail?
A: Documenting the incident, detailing the events and responses, and outlining lessons learned and recommendations for improving future security.

21. Q: What is Antivirus Software (AV)?
A: Software that detects, blocks, and removes malware using signature-based and heuristic-based detection methods.

22. Q: What is an Intrusion Detection System (IDS)?
A: A system that monitors networks or hosts for signs of malicious activity or security policy violations and alerts administrators when anomalies are detected.

23. Q: How do IDS and IPS differ?
A: IDS only detects and alerts on potential threats, while Intrusion Prevention Systems (IPS) can actively block or prevent the detected threats.

24. Q: What is Endpoint Detection and Response (EDR)?
A: A next-generation security solution that continuously monitors endpoint activities to detect, analyze, and respond to potential threats.

25. Q: What is Security Information and Event Management (SIEM)?
A: SIEM aggregates logs and alert data from various security tools into a centralized platform for real-time event management, visualization, and analysis.

26. Q: What are Indicators of Compromise (IOCs)?
A: IOCs are artifacts left behind by a cyberattack, such as malicious file hashes, IP addresses, domain names, URLs, email addresses, or cryptocurrency wallet addresses.

27. Q: What are Tactics, Techniques, and Procedures (TTPs)?
A: TTPs describe the methods and behaviors (goals, target preferences, favored techniques) that a threat actor uses during an attack.

28. Q: What is an Entry Point in cybersecurity?
A: An entry point is the initial infection or access vector through which an attacker gains access to a system, often via vulnerabilities.

29. Q: What is the difference between a vulnerability and an exploit?
A: A vulnerability is a flaw or weakness in a system, while an exploit is a piece of code or technique that takes advantage of that vulnerability.

30. Q: What is command injection?
A: A type of attack where unsanitized user input is passed to a system command, allowing an attacker to execute arbitrary commands on the server.

31. Q: What are common techniques used in command injection attacks?
A: Techniques include appending additional commands using separators like “;” or “&&”, piping outputs, and using comments to alter the intended command structure.

32. Q: What are effective defenses against command injection?
A: Defenses include avoiding direct execution of user input, sanitizing and validating inputs, escaping dangerous characters, and employing whitelists of allowed characters.

33. Q: What is a SQL Injection attack?
A: An attack where user input is inserted directly into an SQL query, enabling attackers to bypass authentication, retrieve sensitive data, or modify database contents.

34. Q: How can SQL Injection be prevented?
A: Prevention strategies include input validation, sanitization, escaping inputs, using stored procedures, and proper error handling to avoid leaking database details.

35. Q: What is Cross-Site Scripting (XSS)?
A: XSS is a vulnerability where an attacker injects malicious JavaScript into a website, causing the script to run in other users’ browsers and potentially steal data or credentials.

36. Q: What are the types of XSS attacks?
A: The primary types are stored (persistent) XSS, where the malicious script is saved on the server, and reflected XSS, where the script is immediately reflected off the web server.

37. Q: What are some defenses against XSS?
A: Defenses include secure input handling (encoding outputs), validating and sanitizing user input, and implementing Content Security Policies (CSP) to restrict resource loading.

38. Q: What is the basic structure of an HTTP request?
A: An HTTP request typically consists of a method (e.g., GET, POST), a path to the resource, the HTTP version, headers, and a blank line; GET requests have no body.

39. Q: What is the basic structure of an HTTP response?
A: An HTTP response includes the HTTP version, a status code and reason phrase, headers (such as cookies), and the response data (e.g., HTML content).

40. Q: What are the common HTTP methods?
A: GET (to retrieve data) and POST (to send data), with GET including parameters in the URL and POST carrying data in the request body.

41. Q: What are cookies in the context of HTTP?
A: Cookies are small pieces of data stored in a user’s browser that maintain stateful information, such as login status or shopping cart contents.

42. Q: How are sessions maintained using cookies?
A: The server sends a cookie that the browser stores and returns with subsequent requests, enabling the server to track and maintain the user’s session.