module 4: attacks Flashcards

Question

Malware: Keyloggers

Answer 1

Software or hardware that covertly records keystrokes (pws, ssns, cc info) 1) antivirus/anti-spyware: detects/ removes before it can steal data (endpoint protection) 2) application control(allowlisting): prevents unauthorized spyware from ever executing 3) patch management: keeping apps and OS updated, which removes vulnerabilities that spyware uses to install itself 4) user awareness/safe downloading practices (primary infection vector) 5) physical security: check for suspicious hardware devices on pc

Answer 2

Goal: give attacker remote, admin-level access control of a victim’s machine How: delivered via phishing, trojanized software, or drive-by download. installs silently, opens backdoor connedction to attacker's command-and control (c2) server). now they can remotely control system as admin. Foundation of the bots/botnet concept Defend: 1) antivirus/anti-spyware: detects/ removes before it can steal data (endpoint protection) 2) application control(allowlisting): prevents unauthorized spyware from ever executing 3) patch management: keeping apps and OS updated, which removes vulnerabilities that spyware uses to install itself 4) user awareness/safe downloading practices (primary infection vector) 5) firewalls & network monitoring : detects/blocks unusual outbound traffick to attacker's c2: if blocked, RAT can't phone home/lose control

Answer 3

A way to bypass security controls sometimes built into software for dev testing; not always malicious but can always be exploited Defend: Defend: 1) antivirus/anti-spyware: detects/ removes before it can steal data (endpoint protection) 2) least privilege/access control: limits ability to install/use backdoor 3) patch management: kclose vulnerabilities that attackers exploit to install backdoors 4) fileintegrity monitoring: watches for unauthorized changes in system files (eg backdoors) 5) network monitoring : detect suspicious outbound traffick to ttacker servers code review, patch management, remove unnecessary services

Answer 4

Goal: trick users into running malware disguised as legit software How: user installs it; behind the scene it installs malware (spyware, RAT, backdoor, ransomware, etc) Defend: 1. application allowlisting/permissions: only approved software can running so nothing unverified executes 2. endpoint protection: antivirus/edr, which detect/block malicous apps / suspicious behavior 3. user awareness training: educate ppl to avid downloading pirated or suspicious software 4. patch management: keep OS and apps updated: prevents trojan from exploiting known vulnerabilities during install

Answer 5

Goal: infect as many systems as possible, often to deliver payloads (backdoors, ransomware, Dos) How: exploits network vulnerabilities (open ports, unpatched OS, weak passwords). do NOT require user interaction. once in the machine, scan for others on the network and spread automatically Defend: 1. patch management: reduce exploitable vulnerabilities worms use to spread 2. firewalls & network segmentation: limit unnecessary open ports and isolate networks. stops worms from moving laterally across networks 3. endpoint protection (antivirus/edr): detect worm files/abnormal behavior & remove 4. intrusion detection/prevention (IDS/IPS): monitor/block suspicious scanning/traffic patterns. worms generate a lot of traffic while spreading

Answer 6

Goal: infect host files/programs and spread when those files are executed. intent is to corrupt data, disrupt systems, or deliver payloads like spyware or ransomware How: needs user interaction or scheduled system process to spread. attaches self to legit programs/boot sectors. when infected file runs, virus executes malicious code Defend: 1. endpoint rptoection (antivirus/edr): scan & block known virus signatures/behaviors 2. application allowlisting: only allow approved programs (no execution of unauthorized infected apps) 3. user awareness training: teach users not to open suspicious attachments/untrusted files 4. file integrity monitoring (FIM): detects unauthorized changes to files 5. patching: removes vulnerabilities viruses exploit

Answer 7

Goal: gain higher-level access than intended eg user -> admin/root so you can disable defenses, increase attacker control, or steal sensitive data How: vertical: low-privileged user gaining higher-lvel access horizontal: user gains access to OTHER users' data methods: unpatched vulnerability exploitation, misconfigured permissions, credential theft, social engineering insiders. Defend: 1. patch mgmt; closes privilege-escalation vulnerabilities 2. limits damage if an account is compromised; 3. strong authentication + crediential protection: MFA, hashed pws, secure token storage so attackers can't reuse/steal creds 4.system hardening + secure configurations: disable unnecessary accounts, services, & permissions 5. monitoring + logging: for unusual privilege use or access attempts

Answer 8

Goal: crash a program or inject & execute malicious code How: 1. program allocates a fixed-sized memory buffer. say 8 bytes 2. attacker inputs oversized data, eg 20 bytes 3. extra data spills into adjacent memory, potentially overwriting instructions 4. attacker crafts payload to execute arbitrary code with the program's privileges attacker sends too much input into a memory buffer, which spills into adjacent memory and overwrites it (eg user credentials) ex: program expects 20 chars; attacker enters 300 which forces app to run code Defend: 1. input validation/bounds checking: ensure inputs don't exceed buffer limits 2. patch mgmt: remove known buffer overflow exploits 3. DEP (data execution prevention): mark memory areas as non-executable to stop code from running in data-only memory regions 4. ASLR (address space layout randomization): randomize memory locations of processes so attackers can't predict where to inject code 5. safe programming languages: choose ones that manage memory automatically unlike c/c++ - Mitigate: input validation, secure coding, memory-safe programming

Answer 9

Goal: make small requests that generate large responses and direct them to a victim to overwhelm them How: Attacker spoofs victim’s IP, sends a DNS request, and large response overwhelms victim Defend: 1. ingress/egress filtering: block spoofed packets at ISPs and firewalls 2. rate limiting & query throttling: limit requests a server will answer at a given time; 3. disable unnecessary or open services: turn off open/unnecessary DNS/NTP resolvers 4. ddos protection services: absorb & filter out high volume attack traffic to keep victim services online

Answer 10

Goal: overwhelm a target system, network, or service with massive traffic from multiple sources so it's unavailable to legit users. How: 1. attacker controls a botnet (thousands of infected devices) 2. sends coordinated floods of traffic (HTTP requets, SYN packets, DNS queries, etc @ victim system/svc 3. victim's resources (cpu, memory, bandwidth) get saturated -> system crashes or becomes unusable Defend: 1. use DDoS mitigation service (CDNs, scrubbing enters, cloud-based WAFs): keeps legit traffic flowing while discarding attack traffic 2. rate limiting/throttling: limit how many requests per second a client can send: reduces impact of traffic floods 3. firewalls/IPS rules: detect and block abnormal traffic patterns, 4. ingress/egress filtering: block spoofed IP packets at routers/firewalls so hiding traffic origin is harder 5. load balancers: distribute traffic across multiple servers/locations to prevent a single point of failure

Answer 11

Goal: keep many connections open for as long as possible to exhaust a server’s resources How: sends tiny, incomplete http requests very slowly to tie up server connections. server keeps connection open, waiting for rest of request. attacker reppeats this over many connections and server's resources are all tied up Defend: 1. Use a WAF (web application firewall: detect and block abnormal slow traffic pattrerns 2. connection limits/reverse proxies: limit per-ip connections or put a proxy/load balancer in front to offload/drop malicious slow connections 3. web server timeouts: configure servers to close idle or incomplete connections quickly 4. scaling/redundancy: oad balancers, CDNs, multiple servers so it's harder to overwhelm the whole system

Answer 12

Goal: make a network resource unavailable by overwhelming it or disrupting connections How: attacker uses one system to flood a target w traffic or exploit a flaw to crash it Defend: 1. firewalls & IDS/IPS: detect and block obious flood patterns before reaching services 2. rate limiting/traffic filtering/shaping: restrict number of requests from one source 3. patch management: prevent crashes from malformed input/other vunlerabilities 4. redundancy/load balancing: spread traffic across multiple systems so it's harder to fully take down the service

Answer 13

Goal: intercept or read network traffic for mitm attack, data theft, or DOS. How: 1. ARP maps ip addresses to mac addreses on a LAN 2. ARP is trust-based so devices believe the latest reply they hear 3. attacker sends forged arp replies eg: getway ip is at my mac address! or dns server ip is at my mac address! 4. victims arp cache is updated -> traffic then goes to the attacker 5. they can now sniff, alter, or drop packets Defend: 1. use static ARP entries: manually defin trusted ip to mac mappings 2. dynamic arp inspection (DAI) on switches: switch validates arp messages against trusted bindings. automatically blocks forged arp messages 3. packet encryption (TLS, IPSec, HTTPS): makes traffic unreadable even if intercepted 4. ARP cache monitoring: detect abnormal ARP table changes/alert

Answer 14

Goal: reDirect victims to fke login pages, malware downloads, or attacker-controlled servers, by corrupting DNS records so users are sent to malicious websites instead of trusted ones How: 1. user tries to visit bank.com 2. dns resolver asks for ip address of bank.com 3. attacker injects a forged dns response and gives you a different one. 4. victim's system caches the fake record 5. next time user types bank.com, they're sent to attacker's site poisoning can happen at multiple levels: - local host file (malware changes it) - dns cache of a resolver - at a rogue dns server run by an attacker Defend: 1. DNSSEC: domain name system security extensions. add digital signatures to dns records to validate authenticity of dns responses. forged ones get rejected 2. DNS cache validation and monitoring: checks for unexpected or sudden DNS changes 3. use secure/trusted DNS servers: rely on well-managed providers 4. block known malicious domains 5. endpoint protection/host file monitoring: block malware that tries

Answer 15

Goal: intercept, read, or alter communications undetected How: 1. victim thinks they're talking directly to a trusted server 2. attacker positions themselves between sender and receiver (via arp poisoning, dns poisoning, rogue wifi, etc). 3. all traffic flows thru attacker: can eavesdrop and inject malware/malicious requests 4. victim and server are unaware bc attacker relays messages normally this type of attack is associated with defeating encryption Defend: 1. Use end-to-end encryption (TLS)/HTTPS, IPSec, VPNs: even if attacker intercepts they see gibberish 2. certificate validation (PKI): veriy server identity with digital certificates 3. strong wifi security: prevents rogue access points 4. ARP/DNS security (DAI, DNSSec): protect arpt/dns from poisoning 5. user awareness: warn against clicking thru SSL/TLS certificate warnings 6. secure authentication: attacker pretends to be the client to the server, and the server to the client. with secure authentication its much harder for them to intercept/replay credentials

Answer 16

Goal: steal card data and PINs from ATMs/ gas pumps How: hidden readers and tiny cameras capture card info and keystrokes Mitigate: inspect devices; use chip readers over mag stripes

Answer 17

Goal: copy data from RFID or magstripe card How: attackers clone access cards to enter restricted areas Mitigate: chip-and-pin cards=dynamic authentication instead of static magstripe data: each transaction generates a unique code 2. or encryption for contactless cards

Answer 18

Goal: Infect a system with malware How: Attacker leaves USB in public hoping victims will plug them in out of curiosity (USB drop attack) Mitigate: Train users; disable USB autorun

Answer 19

Goal: deliver malware or exfiltrate data How: Looks like a regular cable but can inject malicious code or use built-in cellular modules to transmit data Mitigate: Never use untrusted cables

Answer 20

Goal: Crack hashed passwords using precomputed values (in the table) to get plaintext password values How: 1. attacker builds/dwnloads a huge rainbow table 2. steals a system's hashed passwords from a database, SAM file, etc 3. looks up the hash in the rainbow table 4. if a match is found: attacker instantly knows plaintext pw defend: 1. salting passwords before hashing: adding random value (salt) to pw before hashing 2. strong, unique passwords: makes precomputation impractical 3. key stretching: make hash computation intentionally slow to make rainbow tabes unrealistic 4. MFA: even if attacker gets the password, they don't have the second factor

Answer 21

Goal: discover key/plaintext from the ciphertext alone. How: Attacker has encrypted data but no known plaintext; 2. they apply cryptanalysis techniques, brute force, or key search when they have enough ciphertexts 3. if encryption algo is weak attacker can deduce plaintext/key Mitigate: 1. strong encryption algos : make cyphertext patterns computationally infeasible to crack 2. key management: make sure they're random and long enough 3. frequent key rotation 4. add randomness: initialization vectors, padding to prevent attackers from spotting cipher patterns

Answer 22

Goal: Use known pairs of plaintext and its corresponding ciphertextto figure out the encryption key/deduce future encrypted messages/predict how new plaintexts will encrypt How: 1. attacker intercepts encrypted messages 2. if attacker knows both plaintext and its encrypted for, they analyze patterns to crack the key or future messages Defend: 1. use strong encryption: AES, ECC, RSA that are resistant to known plaintext analysis 2. initialization vectors & salts: add randomness to each encryption to prevent pattern recognition across messages 3. regularly rotate keys to limit usefulness of any collected plaintext/ciphertext pairs 4. limit plaintext leakage: don't let attackers access both sides of the communication process: use as much encryptionas possible

Answer 23

Goal: Find 2 inputs w the same w the same hash value using probability theory How: Uses the birthday paradox (50% chance of 2 people sharing a birthday in a group of 23-->collisions are more likely than brute force would suggest) to find hash collisions faster 1. attacker keeps generating differnt inputs until tey find 2 that hash to the same value NOTE: birthday attack is really just finding collisions faster than a human's intuition would expect.that's why it's called a 'paradox' Defend: 1. use longer hash outputs (256 bits or more--makes collisions computationally infeasible) 2. avoid weak hashes, retire ones with known collision weaknesses 3. digital signatures/message authenticadion codes (MACs)

Answer 24

Goal: Find 2 inputs that produce the same hash value in order to trick systems/people that rely on hashes for integrity or authenticity into accepting their malicious file, etc How: 1. hash functions like md5, sha-512, etc produce a fixed length output 2. bc the output space is finite, eventually two different inputs will hash to the same value (collision) 3. if an attacker can find such collisions: they can replace a legit file with a malicious one that has the same hash; and/or forge a digital cert/signature Defend: 1. use collision-resistant hash algorithms 2. digital signatures/MACs: cryptographic signatures that bind identity to the hash. stops attackers from substituting colliding data unnoticed. 3. deprecate weak hashes: deprecate md5, sha-1, etc. weak and exploitable

Answer 25

Goal: gain unauthorized access by trying one or a few common passwords across many diff accounts, while avoiding detection by account lockout policies How;: Tries one/a few known passwords on many accounts to avoid lockouts. if even one person is using it, attacker gets in. bc only a few attempts are made, lockout policies dont trigger Defend: 1) Account lockout/rate limiting: lock/slow down after failed login attempt. makes large-scale spraying impractical 2) require complexity + regular checks against known breached pws 3) MFA so they still can't log in w just the pw 4) monitor & alert for failed login attempts across many accounts

Answer 26

Goal: Crack a password using a list (dictionary) of commonly used passwords How: attacker builds/downloads a precompiled list of leaked/stolen passwords (dictionary) and runs each against the target system. faster than brute force Defend: 1. Strong pw policies: prevent them ending up on a wordlist 2. bw blacklist: breach checkers: block known weak/leadked pws 3) account lockout/rate limiting 4) salting/key stretching: salt makes precomputed hash values useless; stretching slows guesses 5) MFA

Answer 27

Goal: discover a password by trying every possible character combination How: systematically attempts all possible passwords. eventually works if system doesn't lock out or slow down 2 types: 1. online brute force: against live login systems (slow/noisy) 2. offline brute force: against stolen hash database (much faster) Defend: 1. long, complex passwords to exponentially increase number of attempts needed 2. account lockout/rate limiting to limit attempts 3. salting/key stretching: salt stops precomputed attacks; stretching makes each guess very slow 4. MFA: still need 2nd factor to get in 5. monitoring.& alerts: detect rapid login attempts/failed login storms. brute force is noisy and often detectable.

Answer 28

1. check browser cache 2. ask recursive DNS resolver 3. Resolver asks root > TLD > authoritative server 4. Get IP, send TCP request 5. TLS handshake (if HTTPS) 6. Server sends web content 7. Browser displays page

Answer 29

Transport Layer Security security protocol that encrypts data as it moves over a network. website server sends your device a certificate proving its identity (issued by a CA). → your browser verifies it → they agree on what encryption keys to use for the session → create a secure, encrypted tunnel

Answer 30

a logical door on a device for specific network traffic types.

Answer 31

Modem = converts ISP signal to digital Router = directs traffic between networks Switch = connects local devices (LAN)

Answer 32

Resolver queries root > TLD > authoritative DNS > gets IP

Answer 33

transmission control Protocol: slower, reliable: web browsing, email ”Here’s your package, please sign” • Connection-oriented: TCP sets up a connection between two devices before sending data (the “3-way handshake”). • Reliable delivery: Ensures packets arrive in order, with retransmission if anything is lost. • Error checking: Uses checksums and acknowledgments (ACKs). • Segmentation & reassembly: Breaks large data into segments, reassembles at the other end.

Answer 34

Top-Level Domain the last part of a domain name eg .com, .org., .net, etc TLD DNS servers help your DNS resolver fnd the authoritative DNS server for the domain you're looking up

Answer 35

User Datagram Protocol: faster, less relaible: video calls, games, streams ”here’s your package, good luck”:

Answer 36

IP: network address (changes) MAC: hardware ID (fixed)

Answer 37

Virus eneds user/file to spread Worm is self-spreading via network

Answer 38

- specialized computer that helps translate human-readable domain names into IP addresses so computers can find each other on the Internet - when you type http://example.com into your browser, your devise asks a DNS server: “hey, what IP address does example.com point to?” - DNS server replies: “example.com=23.456.789.12” - browswer uses that IP to connect to the web server and load the site

Answer 39

Recursive Resolver: first to get the request Root DNS: top-level helper; sends you to the right “directory” TLD DNS: handles ‘.com’, ‘.org’, ‘.net’, etc Authoritative DNS: final boss! it knows the IP for example.com

Answer 40

validation = only allow what's expected; reject the rest sanitization = clean up what's given (make it safe - more of a backup if you must accept user input as-is but want to make it safe)

Answer 41

resolving and cleaning the path into its standard, simplest form BEFORE using it. so if attacker trying to do directory traversal sends %2f...%2fetc/passwd normalization converts it back into the slashes /../..etc/passwd which is easier to spot and blok

Answer 42

goal: pretend to be a trusted system, service, or user to gain unauthorized access/trick victims how: IP spoofing: attacker forges source IP address to make packet origin look trustworthy MAC spoofing: atkr changes their device's MAC address to impersonate another device on the LAN Email spoofing: attacker forges the 'from' field to look like it came from your boss, bank, etc caller id/DNS spoofing: attacker alters displayed info (phone num, DNS record) to redirect/trick users Defend: 1) authentication: even if attacker fakes identity details, they can't fake strong cryptographic proof 2) secure protocols (tls, IPSec, DNSSEC): encrypt/authenticate communications so forged traffic is invalid 3) email security (SPF, DKIM, DMARC): helps mail servers verify sender really owns domain 4) network monitoring + filtering: detects mismatched or unusual IP/MAC addresses

Answer 43

Endpoint detection & response

Answer 44

server software Apache HTTP Server listens for requestson TCP port 80 (http) or 443 (https) delivers web pages, apis, and files to clients handles thousands of simultaneous connections but historically vulnerable to slowloris

Answer 45

proxy server server that sits between a client and the destination server security uses: 1. content filtering/access control: block certain websites, enforce policies 2. anonymity/privacy: hide client ip addresses from external servers 3. load balancing/performance: distribute traffic to multiple backend servers 4. security: when have WAFs, filter malicious trafic before it reaches web servers reverse proxy = protects servers

Answer 46

initialization vector like salt, extra randomness, but applied to an entire message or session prior to ENCRYPTION (not hashing)

Answer 47

verifies integrity 1. sender runs message thru a hashing or encryption function with a secret key -> produce a small code (the MAC) 2. recipient does same computation with shared key 3. if macs match -> msg is authentic and unmodified

module 4: attacks Flashcards

(71 cards)