2. Threats, Vulnerabilities, and Mitigations

2.1 Compare and contrast common threat actors and motivations.

Threat Actors:

  • Nation-state: Government-sponsored entities targeting other nations for political, economic, or military purposes.
  • Unskilled Attacker: Individuals with limited technical expertise or resources attempting to exploit vulnerabilities.
  • Hacktivist: Individuals or groups motivated by political or social causes, engaging in cyber attacks to promote their agenda.
  • Insider Threat: Current or former employees, contractors, or partners with insider access to systems and data, posing a risk to security.
  • Organized Crime: Groups engaged in illegal activities, including cybercrime, for financial gain.
  • Shadow IT: Unauthorized IT systems or services implemented within an organization without official approval or oversight.

Attributes of Actors:

  • Internal/External: Whether the threat actor operates from within the target organization or externally.
  • Resources/Funding: The level of financial and technological resources available to the threat actor.
  • Level of Sophistication/Capability: The technical expertise and sophistication of the threat actor’s tactics, techniques, and procedures (TTPs).

Motivations:

  • Data Exfiltration: Stealing sensitive data for espionage, financial gain, or sabotage.
  • Espionage: Gathering intelligence or intellectual property for political, economic, or military advantage.
  • Service Disruption: Interrupting or disabling critical services to cause operational disruptions.
  • Blackmail: Coercing victims by threatening to expose sensitive information or disrupt operations.
  • Financial Gain: Monetizing stolen data, conducting ransomware attacks, or engaging in cybercrime for profit.
  • Philosophical/Political Beliefs: Acting in alignment with ideological or political agendas.
  • Ethical: Conducting security research or penetration testing with permission to identify vulnerabilities and improve defenses.
  • Revenge: Retaliating against individuals, organizations, or entities perceived as adversaries.
  • Disruption/Chaos: Creating chaos or confusion for strategic or ideological reasons.
  • War: Engaging in cyber warfare to achieve political, economic, or military objectives.

2.2 Explain common threat vectors and attack surfaces.

Attack Vectors:

  • Message-based:
    • Email: Using email communication to deliver malicious content or phishing attempts.
    • Short Message Service (SMS): Sending malicious messages via text messaging.
    • Instant Messaging (IM): Exploiting vulnerabilities in instant messaging platforms to deliver malware or scams.
  • Image-based: Leveraging image files containing hidden malware or exploiting vulnerabilities in image processing software.
  • File-based: Delivering malicious payloads through file attachments, such as infected documents or executables.
  • Voice Call: Exploiting vulnerabilities in voice communication systems to deliver scams or phishing attempts.
  • Removable Device: Infecting systems through the use of infected USB drives or external storage devices.
  • Vulnerable Software:
    • Client-based vs. Agentless: Exploiting vulnerabilities in client software or agentless systems to gain unauthorized access or deliver malware.
  • Unsupported Systems and Applications: Targeting systems or applications that no longer receive security updates or patches.
  • Unsecure Networks:
    • Wireless: Exploiting vulnerabilities in wireless network protocols to intercept communications or gain unauthorized access.
    • Wired: Eavesdropping or conducting man-in-the-middle attacks on wired network connections.
    • Bluetooth: Exploiting vulnerabilities in Bluetooth connections to gain unauthorized access or deliver malware.
  • Open Service Ports: Targeting open ports on networked devices to exploit known vulnerabilities or gain unauthorized access.
  • Default Credentials: Exploiting devices or systems with default login credentials that have not been changed.
  • Supply Chain:
    • Managed Service Providers (MSPs): Exploiting vulnerabilities in services provided by third-party managed service providers.
    • Vendors: Targeting vulnerabilities in software or hardware provided by vendors.
    • Suppliers: Exploiting vulnerabilities in components or services provided by suppliers.
  • Human Vectors/Social Engineering:
    • Phishing: Sending fraudulent emails or messages to trick individuals into revealing sensitive information or performing actions.
    • Vishing: Using voice communication to deceive individuals into divulging sensitive information.
    • Smishing: Sending deceptive text messages to trick individuals into revealing information or downloading malware.
    • Misinformation/Disinformation: Spreading false or misleading information to manipulate individuals or organizations.
    • Impersonation: Pretending to be someone else to deceive individuals or gain unauthorized access.
    • Business Email Compromise: Targeting employees with fraudulent emails to trick them into transferring funds or sensitive information.
    • Pretexting: Creating a false pretext or scenario to manipulate individuals into revealing information or performing actions.
    • Watering Hole: Compromising websites frequented by target individuals or organizations to deliver malware or conduct attacks.
    • Brand Impersonation: Impersonating reputable brands or organizations to deceive individuals into taking actions.
    • Typosquatting: Registering domain names similar to legitimate ones to deceive users into visiting malicious websites.

2.3 Explain various types of vulnerabilities.

Application:

  • Memory Injection: Exploiting vulnerabilities to inject malicious code into a running process’s memory space.
  • Buffer Overflow: Overwriting adjacent memory locations to execute malicious code or crash the application.
  • Race Conditions:
    • Time-of-Check (TOC): Exploiting the time gap between checking a condition and acting on it.
    • Time-of-Use (TOU): Exploiting changes in system state between the time of validation and the time of use.
  • Malicious Update: Distributing updates or patches that contain malicious code or backdoors.

Operating System (OS)-Based:

  • Exploiting vulnerabilities in the operating system to gain unauthorized access or disrupt operations.

Web-Based:

  • Structured Query Language Injection (SQLi): Exploiting vulnerabilities in web applications to execute malicious SQL queries.
  • Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other users.

Hardware:

  • Firmware: Exploiting vulnerabilities in device firmware to gain unauthorized access or control.
  • End-of-Life: Exploiting vulnerabilities in devices or systems that are no longer supported by the manufacturer.
  • Legacy: Exploiting vulnerabilities in older hardware or software that is still in use.

Virtualization:

  • Virtual Machine (VM) Escape: Exploiting vulnerabilities in virtualization software to break out of a virtual machine and access the host system.
  • Resource Reuse: Exploiting shared resources in virtualized environments to gain unauthorized access or disrupt operations.

Cloud-Specific:

  • Exploiting vulnerabilities in cloud services or infrastructure to gain unauthorized access or disrupt operations.

Supply Chain:

  • Service Provider: Exploiting vulnerabilities in services provided by third- party vendors or service providers.
  • Hardware Provider: Exploiting vulnerabilities in hardware components provided by suppliers.
  • Software Provider: Exploiting vulnerabilities in software provided by third- party vendors or service providers.

Cryptographic:

  • Exploiting weaknesses or vulnerabilities in cryptographic protocols or implementations.

Misconfiguration:

  • Exploiting misconfigured settings or permissions to gain unauthorized access or disrupt operations.

Mobile Device:

  • Side Loading: Installing applications from unofficial or untrusted sources, which may contain malware.
  • Jailbreaking: Removing software restrictions imposed by the manufacturer to gain access to unauthorized features or apps.
  • Zero-Day: Exploiting vulnerabilities that are unknown to the software vendor or have not yet been patched.

2.4  Given a scenario, analyze indicators of malicious activity.

Malware Attacks:

  • Ransomware: Malicious software that encrypts files or systems and demands payment for decryption.
  • Trojan: Malware disguised as legitimate software, which performs unauthorized actions when executed.
  • Worm: Self-replicating malware that spreads across networks and devices without user intervention.
  • Spyware: Software designed to secretly gather user information or monitor activities without consent.
  • Bloatware: Unwanted software that consumes system resources and may display intrusive advertisements.
  • Virus: Malicious code that attaches itself to legitimate programs and spreads when those programs are executed.
  • Keylogger: Software or hardware that records keystrokes, often used to capture sensitive information like passwords.
  • Logic Bomb: Malicious code that executes a harmful action when specific conditions are met.
  • Rootkit: Malware that grants unauthorized access to a computer system and conceals its presence from users and security software.

Physical Attacks:

  • Brute Force: Attempting to gain access to a system or account by systematically trying all possible passwords or encryption keys.
  • Radio Frequency Identification (RFID) Cloning: Copying RFID tags to gain unauthorized access to secure areas or systems.
  • Environmental: Physical damage or disruption caused by factors such as fire, water, or extreme temperatures.

Network Attacks:

  • Distributed Denial-of-Service (DDoS):
    • Amplified: Exploiting vulnerabilities to amplify the volume of traffic used in a DDoS attack.
    • Reflected: Spoofing the source IP address to redirect and amplify traffic towards a target.
  • Domain Name System (DNS) Attacks: Disrupting or manipulating DNS services to redirect traffic or disrupt network operations.
  • Wireless: Exploiting vulnerabilities in wireless networks or devices to gain unauthorized access or disrupt operations.
  • On-Path: Intercepting and modifying network traffic between two parties to eavesdrop or manipulate data.
  • Credential Replay: Capturing and reusing authentication credentials to gain unauthorized access to systems or services.
  • Malicious Code: Executing unauthorized commands or actions on a target system.

Application Attacks:

  • Injection: Inserting malicious code or commands into an application to exploit vulnerabilities.
  • Buffer Overflow: Writing data beyond the allocated memory buffer, potentially allowing attackers to execute arbitrary code.
  • Replay: Capturing and replaying valid data packets to gain unauthorized access or perform malicious actions.
  • Privilege Escalation: Exploiting vulnerabilities to gain elevated privileges and access restricted resources.
  • Forgery: Creating and using falsified data or credentials to impersonate a legitimate user or system.
  • Directory Traversal: Exploiting insufficient input validation to access files and directories outside of the intended directory structure.

Cryptographic Attacks:

  • Downgrade: Forcing a system to use weaker cryptographic protocols or algorithms to exploit vulnerabilities.
  • Collision: Finding two different inputs that produce the same hash value, potentially leading to unauthorized actions.
  • Birthday: Exploiting the mathematical probability of two different inputs producing the same hash value.

Password Attacks:

  • Spraying: Attempting to gain unauthorized access by using a small number of commonly used passwords against multiple accounts.
  • Brute Force: Attempting to guess passwords by systematically trying all possible combinations until the correct one is found.

Indicators:

  • Indications or signs of potential security incidents, breaches, or abnormal activities within a system or network.
    • Account lockout
    • Concurrent session usage Blocked content
    • Impossible travel
    • Resource consumption Resource inaccessibility Out-of-cycle logging
    • Published/documented Missing logs

2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

Segmentation:

  • Involves dividing a network or system into smaller, isolated segments to enhance security by controlling access and limiting the impact of security incidents.

Access Control:

  • Access Control List (ACL): List of permissions attached to an object that specifies which users or system processes are granted access to it and what operations they are allowed to perform.
  • Permissions: Rights granted to users, groups, or processes that define their access levels to system resources.
  • Application Allow List: A list of approved applications that are allowed to execute within an environment, reducing the risk of unauthorized or malicious software.
  • Isolation: Separating critical systems or sensitive data from other parts of the network or environment to contain potential threats and limit their impact.
  • Patching: Regularly applying software updates, patches, or fixes to address known vulnerabilities and improve system security.
  • Encryption: Converting data into a secure form to prevent unauthorized access, especially during transmission or while stored on a device or server.
  • Monitoring: Continuous surveillance of systems, networks, or applications to detect and respond to security threats or suspicious activities.
  • Least Privilege: Principle of restricting access rights for users, accounts, or processes to only those necessary to perform their job functions.
  • Configuration Enforcement: Ensuring that system configurations comply with security policies, standards, or best practices to minimize vulnerabilities.
  • Decommissioning: Process of securely removing or shutting down systems, applications, or services that are no longer needed to prevent them from being exploited.
  • Hardening Techniques: Methods to enhance the security of systems or networks by reducing their attack surface and minimizing potential vulnerabilities.
    • Encryption: Protecting data by encoding it in a secure format.
    • Installation of Endpoint Protection: Deploying security software on endpoints to detect and prevent malware infections.
    • Host-based Firewall: Software-based firewall installed on individual hosts to control incoming and outgoing network traffic.
    • Host-based Intrusion Prevention System (HIPS): Security software that monitors and analyzes host system activities to detect and prevent intrusions.
    • Disabling Ports/Protocols: Closing unused network ports or disabling unnecessary network protocols to reduce potential entry points for attackers.
    • Default Password Changes: Replacing default passwords with strong, unique passwords to prevent unauthorized access.
    • Removal of Unnecessary Software: Removing or disabling unnecessary software or services to minimize the attack surface and reduce potential vulnerabilities.
Previous Next
Subscribe To Our Newsletter

We’ll share with you test preparation tips, exam updates, and exclusive deals.

About Us
Contact Us
Blog
Privacy Policy
FAQs
Terms of Use