Security+ SY0-601 Chap 2dot2 Analyzing Potential Indicators to Determine the Type of Attack

Online and offline

Yes.

No. It attempts to break into remote systems as well.

Attackers can discover hashed passwords on a compromised Windows, Linux, or macOS system and then crack the password on the same system (online) or on a separate dedicated system (offline).

A rainbow table is a precomputed table used to reverse engineer a cryptographic hash function and crack passwords.

L0phtCrack

By using salts.

The randomization of the hashing process.

Passing the hash enables the hacker to authenticate to a remote server by using the underlying NT LAN Manager (NTLM) and/or LAN Manager (LM) hash of a user’s password, instead of using the associated plaintext password.

An application that enable the pass the hash attack.

• A hashed copy of the password is kept in the Local Security Authority Subsystem Service
• LSASS

Removable media that contains malware

Different USB cables are designed to infect connected devices with malware. These malicious USB cables work by injecting keystrokes onto the victim’s system when plugged into a USB-capable device.

Attackers can perform different card cloning attacks. For example, an attacker can clone a credit card, a smartphone SIM card, or even the badges/cards used to access a building. Specialized software and hardware can be used to perform these cloning attacks.

VUsers should be advised against this, and as a security administrator, you should create and implement policies that make unlocking the SIM card difficult if not impossible. Unlocking the phone—making it SIM-free—effectively takes it off the grid and makes it difficult to track and manage.

Blacklist the phone by using its IMEI, ESN, or MEID.

Skimming is a type of attack in which an attacker captures credit card information or information from other similar cards (gift cards, loyalty cards, identification cards, and so on) from a cardholder surreptitiously. Attackers use a device called a skimmer that can be installed at strategic locations such as ATMs and gas pumps to collect card data.

Yes. They can be affected by skimming, MITM attacks, sniffing, eavesdropping/replaying, spoofing, and jamming (DoS).

On some RFID tags, correct passcodes emit a different level of power than incorrect passcodes. To prevent these attacks, you, as the security administrator, or your team should consider newer-generation RFID devices, encryption, chip coatings, filtering of data, and multifactor authentication methods. Encryption is one of the best methods. Included in this prevention method are rolling codes, which are generated with a pseudorandom number generator (PRNG) and challenge-response authentication (CRA), where the user (or user’s device) must present the valid response to the challenge.

Use newer RFID proximity readers and keys.

NFC generally requires that communicating devices be within 4 cm of each other, which makes skimming of information difficult.

machine learning

Attackers can manipulate (taint) training data used for machine learning implementations to cause errors in the outcome of the ML solution. They can either change the integrity and modify the training data, or they can inject incorrect data in the training set.

The CIA concepts:

Classify events to protect them.

• Prevent attacker from reaching the system.
• Prevent attacker from reading the critical data and injecting malicious or erroneous data.

When a machine learning system starts the learning process and “memorizes” its training data set, it will not generalize to new data.

When the pretrained model is widely available, an attacker may be able to formulate attacks using this pretrained model that will be robust enough to succeed against your tuned task-specific model (which is typically unavailable to the attacker). In addition, the ML system you are fine-tuning could possibly be a Trojan injected by the attacker that includes devious ML behavior that is unanticipated.

A supply-chain attack is a type of attack in which attackers target security weaknesses in the supply network. Attackers have successfully launched supply-chain attacks against many different types of industries (including manufacturing plants, financial services companies, energy and oil companies, technology companies, and more). Attackers can modify products or software during or right after the manufacturing process of a product by installing a rootkit or hardware-based spying components.

Go from CapEx to OpEx.

Access control is a key concern because insider attacks are a huge risk. Anyone who has been approved to access the cloud is a potential hacker, so you want to know who has access and how they were screened. Even if it was not done with malice, an employee can leave, and then you find out that you don’t have the password, or the cloud service gets canceled because maybe the bill didn’t get paid.

Organizations operating in the United States, Canada, and the European Union must abide by many regulatory requirements (for example, ISO/IEC 27002, EU-U.S. Privacy Shield Framework, ITIL, and COBIT). You must ensure that your cloud provider can meet these requirements and is willing to undergo certification, accreditation, and review.

This particular item is no small matter in that the cloud provider should agree in writing to the terms of the audit. With cloud computing, maintaining compliance could become more difficult to achieve and even harder to demonstrate to auditors and assessors. Of the many regulations touching on information technology, few were written with cloud computing in mind. Auditors and assessors might not be familiar with cloud computing generally or with a given cloud service in particular.

Very few.

This is a rather important item to consider because people will always be the weakest link in security. Knowing how your provider trains its employees is an important item to review.

Questions you should be concerned with here include what data classification standard is being used and whether the provider even uses data classification.

Is the data on a shared server or a dedicated system? A dedicated server means that your information is the only thing on the server. With a shared server, the amount of disk space, processing power, bandwidth, and so on is limited because others are sharing this device. If it is shared, the data could potentially become comingled in some way.

Encryption should be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. For example, there are big technical differences between DES and AES. For both of these algorithms, however, the basic questions are the same: Who maintains control of the encryption keys? Is the data encrypted at rest in the cloud? Is the data encrypted in transit, or is it encrypted at rest and in transit?

The SLA serves as a contracted level of guaranteed service between the cloud provider and the customer that specifies what level of services will be provided.

How long has the cloud provider been in business, and what is its track record? If it goes out of business, what happens to your data? Will your data be returned and, if so, in what format?

If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being “unhackable,” cloud-based services are an attractive target to hackers.

Although you might not know the physical location of your services, it is physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services is it promising?

What happens with your data?

This attack occurs when the attacker can sniff traffic and intercept traffic to take over a legitimate connection to a cloud service.

DNS attack: This form of attack tricks users into visiting a phishing site and giving up valid credentials.

This type of attack is used to steal cookies that can be exploited to gain access as an authenticated user to a cloud-based service.

This attack exploits vulnerable cloud-based applications that allow attackers to pass SQL commands to a database for execution.

This term is often used to describe a cross-site request forgery (CSRF) attack. Attackers use this technique to transmit unauthorized commands by riding an active session using an email or malicious link to trick users while they are currently logged in to a cloud service.

Some security professionals have argued that the cloud is more vulnerable to DDoS attacks because it is shared by many users and organizations, which also makes any DDoS attack much more damaging.

This attack is carried out when the attacker places himself or herself in the communication path between two users. Any time the attacker can do this, there is the possibility that he or she can intercept and modify communications.

An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side-channel attack.

Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many ways to authenticate users, such as based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the method of authentication used are frequent targets of attackers.

Often APIs are configured insecurely. An attacker can take advantage of API misconfigurations to modify, delete, or append data in applications or systems in cloud environments.

Attacks against cryptographic implementations or against crypto algorithms.

A collision occurs when two different files end up using the same hash.

No. They are suceptible to collisions.

Secure Hash Algorithm

vulnerabilities

A birthday attack is an attack on a hashing system that attempts to send two different messages with the same hash function, causing a collision (similarly to the concept explained in the preceding section).

Is a type of cryptographic attack that forces the rollback of a strong algorithm in favor of an older, lower-quality algorithm or mode of operation. Attackers leverage systems that have legacy crypto algorithms typically enabled for backward compatibility with older systems. Downgrade attacks can be performed by attackers in combination with an MITM attack.

Downgrade attack

botnet

Bot

Pop-up windows with advertisements

You have been infected with a worm.

Ransomware

Logic bomb

Through email

Trojan

From network protocols to the application

Social engineering, the application, the network, or the cryptographic elements being employed in a system.

At least one of the three security requirements, CIA

attacks on specific software (such as an application or the operating system) and attacks on a specific protocol or service.

Rainbow tables are precomputed tables or hash values associated with passwords.

Setup rules such use a 3 for the letter 'e'

Rainbow tables are precomputed tables or hash values associated with passwords.

A salt is a random set of characters designed to increase the length of the item being hashed

rainbow table attacks.

The length of the password and the size of the possible characters in the password.

Brute force

After an attacker gains unauthorized access to a system.

No. An authorized user can inadvertently install a trojan horse.

Anything the OS does.

Can change threat priorities to boost an application.

• -hide processes and files
• - change thread priorities
• - perform keylogging
• - act as a sniffer
• - hide files from applications
• - create backdoors

RATs often mimic the behavior of keyloggers and packet sniffers using the automated collection of keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more, but they also do so with a design of intelligence.

User ID and Password

A stolen password file. Challenge is stealing the file first.

GPU-based parallel machines

A real system, attacking usually a single account.

They tend to be very noisy and can be seen by network security tools and system response (lock the account).

Electronic cables that deliver malware to machines

Artificial intelligence (AI) is the use of complex models to simulate functions of the brain—in essence, a means to impart analytical abilities to the things we use, from robot vacuum cleaners to smartphone apps, to digital assistants.

adversarial AI

ML works by using a training data set to calibrate the detection model to enable detection on sample data.

The birthday attack is a special type of brute force attack that gets its name from something known as the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals will have the same birthday is greater than 50 percent. Mathematically, we can use the equation 1.25k1/2 (with k equaling the size of the set of possible values), and in the birthday paradox, k would be equal to 365 (the number of possible birthdays). This same phenomenon applies to passwords, with k (the number of passwords) being quite a bit larger than 50, but still a manageable number for computers and today’s storage capacities.

A collision attack is where two different inputs yield the same output of a hash function.

D. Because both servers crashed at exactly the same time, this is most likely a logic bomb. A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload—in this case, 30 days after the disgruntled employee was fired.

B. The animated screensaver is most likely a trojan. The software appears to do one thing, but contains hidden, additional functionality. Your colleague brought the trojan “inside the walls” when he downloaded and installed the software on his desktop.

C. This is quite clearly ransomware. The malware has encrypted files on the affected systems and is demanding payment for recovery of the files.

C. This prompt most likely belongs to a backdoor—an alternate way of accessing the system. The TCP service is listening for incoming connections and prompts for a password when connections are established. Providing the correct password would grant command-line access to the system.

A. Periodic traffic that looks like a heartbeat on high ports to an unknown server outside the network is suspicious, and this is what many command-and-control signals look like.

A. This behavior is often seen in a potentially unwanted program—a type of application that has been bundled with others and is performing tasks that are undesired.

B. These systems are most likely infected with crypto-malware and are now part of a botnet that’s mining cryptocurrency. The systems are running an unknown/unauthorized process, communicating with an external IP address, and using significant resources. These are all classic signs of crypto-malware.

D. This is most likely a worm attack. Attacks that move across the network, seemingly without user intervention, are commonly worms.

D. All of these are characteristics of remote-access trojans (RATs). RATs are often deployed through other malware, allow remote access to the affected system, and give the attacker the ability to manipulate and modify the affected system.

B. Using preset passwords against all accounts is an example of password spraying.

Manipulation of data used to train the algorithms.

Manipulation or sabotage of data inputs.

The ability of AI to automate cyberattacks or other negative activity such as impersonating an authorized user.

• Attempts to fool models through malicious input
• • This technique can be applied for a variety of reasons, the most common being to attack or cause a malfunction (mistake) in standard machine learning models

An attacker may poison (contaminate) the training data by injecting carefully designed samples to eventually compromise the whole learning process

• Adversarial Training
• Block Switching | Randomness
• Pruning

Brute force solution where a significant number of adversarial examples are generated and explicitly train the model not to be fooled by each of them

Programming parts of an Al's model layers with randomly assigned run times so that it "fools" the adversary and prevents them from knowing and exploiting model layer weaknesses

Ability to self-identify infected neurons and remove them.

Indicators of compromise (IOC) are artifacts that identify potentially malicious activity on a system or network.

Indicators of attack

IOC - are clues to something that happened

IOA - are real-time behaviors

Artifacts refer to information of interest (clues) such as virus signature, IP addresses, malicious URLs, command and control connections, file changes, and "reports from the field".

• Unusual outbound traffic
• Anomalies in admin activity
• Geographic irregularities
• Endpoint changes

An unusually high volume of outbound network traffic could be indicative of communication with a command-and-control server, exfiltrating large amounts of data, or use of bandwidth for nefarious purposes.

Take-over or creation of admin accounts are a prime target because of their access to systems and applications. Suspicious behavior indicators may include time of suspicious activity, systems accessed, and type or volume of information accessed.

Irregular traffic from geographic regions could be indicative of communication with a command-and-control server, reconnaissance activity, or exfiltration.

Any unexpected change to endpoints - registry, file, services, open ports, etc. could be indicative of a system compromise.

• Anti-malware software
• Al/ML
• Log analysis
• Threat Intelligence
• Malware Verification
• File Integrity Monitoring

Signatures (.dat files), known characteristics and behaviors (heuristic analysis)

• Use of Artificial Intelligence (AI) and Machine Learning
• (ML) to determine anomalous behavior

Use of a Security Information and Event Management (SIEM) or equivalent

Knowledge of known attacks, infection characteristics, C&C IP address, or distribution URLs

Analysis of suspicious files and URLS (e.g. Virus Total)

Monitor file changes on servers, databases, network devices, directory servers, applications, and virtual images

analyzing for known malicious behaviors.