Malicious Activity

Question 1

What is the purpose of malicious activity in cybersecurity?

Answer 1

• Delve into cyber threats
• Understand types, mechanisms, and impacts

Malicious activity includes constantly evolving threats in the digital age.

Question 2

Name the types of Distributed Denial of Service (DDoS) attacks.

Answer 2

• Denial of Service
• Amplified DDoS
• Reflected DDoS

These variants represent different methods of executing DDoS attacks.

Question 3

What are the types of Domain Name Server (DNS) attacks?

Answer 3

• DNS Cache Poisoning
• DNS Amplification
• DNS Tunneling
• Domain Hijacking
• DNS Zone Transfer

Each type exploits different vulnerabilities within the DNS infrastructure.

Question 4

Define Privilege Escalation Attack.

Answer 4

Exploiting system vulnerability to gain elevated access

This attack allows unauthorized users to gain higher-level permissions.

Question 5

What are the indicators of compromise (IoC)?

Answer 5

• Account lockout
• Concurrent session usage
• Blocked content
• Impossible travel
• Resource consumption
• Inaccessibility
• Out-of-cycle logging
• Published documents indicating hacking
• Missing logs

IoCs are signs that may indicate a security breach.

Question 6

True or false: A Flood Attack is a type of DDoS attack.

Answer 6

TRUE

Flood attacks, such as Ping Flood and SYN Flood, are common methods used in DDoS attacks.

Question 7

What is a Permanent Denial of Service (PDOS) attack?

Answer 7

Exploits security flaws to break a networking device permanently

This attack requires a full firmware reload to restore the device.

Question 8

What is the function of a Black Hole or Sinkhole in DDoS mitigation?

Answer 8

Routes attacking IP traffic to a non-existent server

This is an effective but temporary solution to manage DDoS attacks.

Question 9

What does DNS Cache Poisoning do?

Answer 9

Corrupts a DNS resolver’s cache with false information

This attack redirects users to malicious websites.

Question 10

What is Directory Traversal Attack?

Answer 10

Exploiting insufficient security validation of user-supplied input file names

This attack allows access to commands, files, and directories outside the web document root.

Question 11

Define Replay Attacks.

Answer 11

Malicious or fraudulent repeat/delay of a valid data transmission

This attack involves intercepting data and retransmitting it later.

Question 12

What is Session Hijacking?

Answer 12

Attacker takes over a user session to gain unauthorized access

This can occur through the theft or modification of cookies.

Question 13

What is the difference between Vertical and Horizontal Privilege Escalation?

Answer 13

• Vertical: From normal user to higher privilege
• Horizontal: Accessing resources at the same level

Vertical escalation leads to admin-level permissions, while horizontal involves accessing unauthorized resources.

Question 14

What is a Rootkit?

Answer 14

Class of malware that conceals its presence by modifying system files

Rootkits can be challenging to detect and provide attackers with persistence.

Question 15

What is Cookie Poisoning?

Answer 15

Modifies the contents of a cookie after it has been generated

This can exploit vulnerabilities in the web application.

Question 16

What is an On-Path Attack?

Answer 16

Attacker positions their workstation between two hosts during communication

This allows the attacker to capture, monitor, and relay communications.

Question 17

What is a Credential Replay Attack?

Answer 17

Capturing a user’s login credentials during a session and reusing them

This type of replay attack allows unauthorized access.

Question 18

What does WPA3 stand for?

Answer 18

Wi-Fi Protected Access 3

WPA3 is a security protocol designed to enhance wireless network security.

Question 19

What is a Replay Attack?

Answer 19

An attack where valid data transmission is maliciously repeated or delayed

Common in wireless network attacks; can also be used in wired networks.

Question 20

In a Relay Attack, what role does the attacker play?

Answer 20

The attacker becomes part of the conversation between two hosts

Serves as a proxy and can read or modify communications between the hosts.

Question 21

What are the challenges associated with Replay and Relay attacks?

Answer 21

• Encryption complicates interception
• Strong encryption schemes like TLS 1.3 pose challenges for attackers

These challenges make it difficult for attackers to craft communications.

Question 22

What is SSL Stripping?

Answer 22

An attack that tricks the encryption application into presenting an HTTP connection instead of HTTPS

Enables attackers to capture unencrypted data when the user believes they are using a secure connection.

Question 23

What is a Downgrade Attack?

Answer 23

An attacker forces a client or server to abandon a higher security mode in favor of a lower security mode

This can occur in various encryption and protection methods, including Wi-Fi and VPNs.

Question 24

What is LDAP?

Answer 24

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network

Commonly used in directory services.

Question 25

What is **LDAP Injection**?

Answer 25

An application attack that targets web-based applications by fabricating LDAP statements typically created by user input ## Footnote Use input validation and input sanitization as protection against this attack.

Question 26

What occurs during a **Command Injection**?

Answer 26

A threat actor executes arbitrary shell commands on a host via a vulnerable web application ## Footnote This can lead to unauthorized access and control over the system.

Question 27

What is **Process Injection**?

Answer 27

Method of executing arbitrary code in the address space of a separate live process ## Footnote Various techniques include DLL injection, thread execution hijacking, and process hollowing.

Question 28

What are some **mitigation strategies** for injection attacks?

Answer 28

* Endpoint security solutions * Security Kernel Modules * Practice of Least Privilege ## Footnote These strategies help to block common sequences of attack behavior.

Question 29

What are **Indicators of Compromise (IoC)**?

Answer 29

Pieces of forensic data that identify potentially malicious activity on a network or system ## Footnote Serves as digital evidence that a security breach has occurred.

Question 30

What does an **Account Lockout** indicate?

Answer 30

Occurs when an account is locked due to multiple failed login attempts ## Footnote This may suggest a potential brute force attack to gain access.

Question 31

What does **Concurrent Session Usage** refer to?

Answer 31

Multiple active sessions from a single user account ## Footnote Indicates a possible account compromise when the legitimate user is also logged in.

Question 32

What does **Blocked Content** suggest?

Answer 32

Attempts to access or download content blocked by security protocols ## Footnote Indicates a user trying to access malicious content or an attacker attempting to steal data.

Question 33

What does **Impossible Travel** detect?

Answer 33

Logins from geographically distant locations within an unreasonably short timeframe ## Footnote Indicates a likely account compromise as physical travel between these locations is impossible.

Question 34

What does **Resource Consumption** indicate?

Answer 34

Unusual spikes in resource utilization such as CPU, memory, or network bandwidth ## Footnote May indicate malware infections or Distributed Denial of Service (DDoS) attacks.

Question 35

What does **Resource Inaccessibility** suggest?

Answer 35

Inability to access resources like files, databases, or network services ## Footnote Suggests a ransomware attack, where files are encrypted, and a ransom is demanded.

Question 36

What does **Out-of-Cycle Logging** indicate?

Answer 36

Log entries occurring at unusual times ## Footnote Indicates an attacker trying to hide their activities during off-peak hours.

Question 37

What does **Missing Logs** signify?

Answer 37

Logs have been deleted to hide attacker activities ## Footnote May result in gaps in the log data, making it harder to trace the attacker's actions.

Question 38

What are **Published Articles or Documents** in the context of cybersecurity?

Answer 38

Attackers publicly disclose their actions, boasting about their skills or causing reputational damage ## Footnote Can occur on social media, hacker forums, or the victim's own website.