CyberWarGamingMidterm1
What is the Centralized C& C?
•Classical client-server model •A central server is used to command and control the infected machines. •Easy to manage.
Three categories of Defending Persistence?
•Component-based stealth malware countermeasures •Pattern-based stealth malware countermeasures •Adaptive models for Stealth malware recognition
What are some advantages of an invariant specification?
Detects Direct Kernel Object Manipulation (DKOM) attacks reliably. There are aspects of the kernel that should not change, like the length.
What are advantages of cross-view detection?
Detects malware that hijacks API calls.
What does Heartbleed detect?
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
Advantages of type 2 rootkits:
Difficult to differentiate genuine and malicious hooking.
disadvantage of type 2 rootkits?
Difficult to inject.
What is a disadvantage of a targeting mechanism malware?
Disadvantage is malware spreads at a lower rate.
What is the output from the following print statements, assuming; String myString = "Testing"; Make sure all of your responses are in quotes, e.g. "Test". printf("%8s", myString);
" Testing" Strings shorter than the specified width will be printed with padding spaces; "Testing" requires 7 characters, so 1 space is added as padding.
What is the output from the following print statements, assuming; String myString = "Testing"; Make sure all of your responses are in quotes, e.g. "Test". printf("%.4s", myString);
"Test" Strings longer than the specified precision will be truncated.
What is the output from the following print statements, assuming; String myString = "Testing"; Make sure all of your responses are in quotes, e.g. "Test". printf("%.10s", myString);
"Testing" A maximum of 10 characters can be printed, only 7 characters were needed.
What is the output from the following print statements, assuming; String myString = "Testing"; Make sure all of your responses are in quotes, e.g. "Test". printf("%4s", myString);
"Testing" Strings longer than the specified width will be printed without truncation.
The format specifier ________ is a placeholder for an int value.
%d
What are examples of Cyber Operations?
(e.g. disrupt, deny, degrade, or destroy) Reconnaissance (e.g. mapping a network) Seizure (e.g. securing access to key network systems.) Pre-emplacement (e.g. implanting cyber access tools)
What is a Bootkit installation?
(subset of rootkits) •malware that is able to hook and patch the system in order to get loaded into the system kernel •gains unrestricted access to the entire system.
**Patterns: Secure Session:
- can be used to store globally relevant information, such as a user's name and roles, for use throughout an application. It provides a location to store common data that is made available to all components. Session is often used in web applications to store a user's information between requests.
OutputStream object's helper methods
- can be used to write to the stream or to do other operations on the stream. - public void close() throws IOException {} - protected void finalize() throws IOException {} - public void write(int w) throws IOException {} - public void write(byte[] w) throws IOException {}
**Patterns: Secure Channel :
- ensures that connections between clients and servers are secure, especially when communicating over public networks. This pattern requires the client and server to establish secure connections. Benefits of using this pattern include improved security and minimal development time, due to the use of existing technology to implement secure communications without impacting the exchange of non-sensitive data. Issues with this pattern include decreased performance from encryption time, scalability of client communication, and increased cost.
**Patterns: Role-Based Access Control (RBAC):
- this pattern is appropriate when a large number of users or a large number of resources share related access privileges.
Specific requirements: Authentication, what is it? Give examples of methods of authentication?
-- is distinct from authorization; it merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Verifies user identity. --methods include PAP (Password Authentication Protocol) or SPAP (Shiva PAP)
Secure requirements: re-authentication, what is it?
--when a user is required to authenticate an additional time.
What is the output from the following print statements, assuming;int myInt = -713; printf("%+04d", myInt); printf("%05d", myInt);
-0713; There are a total of 5 characters printed: one character for the - sign, one character for the 0 used to pad the printed value, and 3 characters for the value 713.
What value is returned by System.in.read() when data is no longer available?
-1; This value allows a programmer to determine that data is no longer available.
What is the output from the following print statements, assuming;int myInt = -713; printf("%+02d", myInt);
-713; myInt is a negative value, so a - sign is printed for all negative values. If the formatted value has more characters than the width, it will not be truncated.
What is the output from the following print statements, assuming; int myInt = -713;
-713; myInt is a negative value, so the + sign is not printed. A - sign is printed for all negative values.
**Attribute/Metadata-based Access Control: Control Loosely
-control loosely coupled distributed systems such as the internet, which consist of a variety of computational nodes and where some nodes need to share resources. -For example, a company with several divisions in different countries.
**Patterns: Single Access:
-restricts access into an application to one entry point. -This pattern may be used when a system is a composition of other applications that could otherwise result in duplicated code for logging in a user.
**Data Security: Symmetric encryption
-using a single key for encryption and decryption -key must be shared between sender and receiver -m -> plaintext message -m/K -> m processed with K -> m/K/K = m
What can be hooking diversions?
Diversion can be •Altering function pointers to point to malicious code •Inline function patching - an approach involving overwriting of code, not just pointers
What are advantages of hardware solution?
Does not require an intact kernel on the monitored machine.
Example output formatting for Strings.
public class DogAge {
    public static void main(String[] args) {
        System.out.printf("Dog age in human years (dogyears.com)\n\n");
        System.out.printf("-------------------------\n");
        // set num char for each column, left justified
        System.out.printf("%-10s | %-12s\n", "Dog age", "Human age");
        System.out.printf("-------------------------\n");
        // set num char for each column, first col left justified
        System.out.printf("%-10s | %12s\n", "2 months", "14 months");
        System.out.printf("%-10s | %12s\n", "6 months", "5 years");
        System.out.printf("%-10s | %12s\n", "8 months", "9 years");
        System.out.printf("%-10s | %12s\n", "1 year", "15 years");
        System.out.printf("-------------------------\n");
    }
}
Dog age in human years (dogyears.com)

-------------------------
Dog age    | Human age   
-------------------------
2 months   |    14 months
6 months   |      5 years
8 months   |      9 years
1 year     |     15 years
-------------------------
**Design: Domain vs Solution Objects [SDLC slide 30]
Domain objects represent concepts of the domain that are relevant to the system. Identified by the application domain specialist and by the end users. Solution objects represent concepts that do not have a counterpart in the application domain. Identified by developers.
What makes downloaders smaller than droppers?
Don't contain the core malicious library components.
What are the types of Avoidance Techniques?
Dropper; Downloaders; Anti-Debugger; Anti-emulation; Anti-Antivirus; Rootkit; Bootkits; Targeted Delivery; Host-Based Encrypted Data Exfiltration
**Identifying Tuples: Primary keys: [Data Design slides13-15]
During the design of a database (schema) a set of attribute values (in general one!) is selected to be the primary key (pk).
****Characteristics of Primary keys:
Each relation must have a primary key. Primary keys need to be unique (no two different rows have the same pk). Primary keys cannot be null.
**Each functional requirement is something that the system _____ do.
Each requirement is something that the system SHALL do.
What type of attack is a USB/Removal of Media?
Infected files are kept on removable media, which afterwards silently infect other systems that open the files.
Explain the input driven strategy to using event logs?
Input driven •most typical Security Information and Event Monitoring (SIEM) •Collect everything with the hope that someday you will figure out what to do with it.
What does InputStream provide?
InputStream provides several overloaded read() methods that allow a programmer to extract bytes from a particular source.
T or F: A program must import the InputStream class in order to use System.in.
False: The System class is predefined and does not require an import statement.
T or F: To use System.out, a program must include the statement import java.io.PrintStream;.
False: The System class is predefined and does not require an import statement.
How is formatting of floating point values done?
Floating point values: Formatting floating-point output is commonly done using the following sub-specifiers options. For the following assume myFloat has a value of 12.34. Recall that %f is used for floating-point values and %e is used to display floating-point values in scientific notation.
What does misuse cases focus on?
Focuses on: Unwanted behavior. Should not happen in the system. Focus on security requirements.
For each format specifier within the format string, explain what must be provided?
For each format specifier within the format string, the value to be printed must be provided in the printf() statement as an argument following the format string.
Give an example of why we would use two sets of classes?
For example, the character 'e' may be a single byte 69 or a two-byte sequence 0 69, depending on whether you use the UTF-8 or UTF-16 encoding. (These are two different methods of representing Unicode characters as bytes.) The character 'é' is encoded as 195 169 or 0 223 under those encodings.
For metasploitable samba exploit, how must services be configured for the exploit to work?
For this exploit to work, Samba must be configured to allow anonymous logins and a writeable share must exist on the Samba server.
public class OutsideTemperatureFormatting {
    public static void main(String[] args) {
        double outsideTemperature;
        outsideTemperature = 103.46432;
        /* Your solution goes here */
    }
}
/* Your solution goes here */
System.out.printf("%.2f\n", outsideTemperature);
What are characteristics of cross-view detection?
•Cross-view detection is a technique aimed to reveal the presence of rootkits. •The idea is to observe the same aspect of a system in multiple ways
What are DKOM attacks and what do they do?
•DKOM Attacks - undermine the kernel by disrupting kernel data structures responsible for bookkeeping operations.
Formatting Integer values:
Formatting of integer values can also be done using sub-specifiers. Sub-specifiers for integer data behave differently than for floating-point values. For the following assume myInt is an int value of 301.
**How should programmers write Functional Specification?
Functional Specification (FS) should be written by programmers to record all the functions that are provided at a technical level.
What is the Gaining Access of Cyber Operations?
Gaining Access: Operating system exploits (kernel and device driver exploits, etc.); Network level exploits (protocol, router exploits, etc.); Application/software exploits (browser, MS, PDF exploits, etc.)
T
General type
How do we deal with information about individuals outside this course?
Gleaning information about individuals from anyone outside of the course is disallowed.
What is a disadvantage of code mutation?
Greater runtime overhead and detectable via emulation.
**Equifax misuse case:
Hackers stole a treasure trove of financial data from a top credit-reporting company, potentially exposing the personal information of roughly half of the US population.
Explain happy face backdoor?
Happy face :) backdoor slipped into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence :) [a happy face], the backdoored version will open a listening shell on port 6200.
Type 3 rootkit disadvantages?
Has limited applications.
**Data Security: Hashing principles:
Hashing in general: to compute a (numerical) value of a String (or complex structure). Used in algorithms (e.g. DB access, to quickly narrow down the number of candidates for a search). The number of hash codes is small compared to the number of possible inputs!
**Data Security: Not Reversible Hashing:
Hashing is not reversible because it is not injective.
What is Cyber Operations primary purpose?
Have a primary purpose of achieving objectives or effects in or through cyberspace
What is Heartbleed?
Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014
How may Heartbleed be exploited?
Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.
What is a Heartbleed exploit?
Heartbleed: nmap -sV -p 443 --script=ssl-heartbleed [IP RANGE]
In the meterpreter process migration, what did we do?
Hid a reverse shell (malware) in an existing Windows process.
What is the focus of the attack in Hiding presence?
Hide presence in network by clearing log systems. Meterpreter Process Migration
What is Hiding Presence of Cyber Operations?
Hiding Presence: conceal the attacker's presence in the system. Needed if attackers want to maintain prolonged access to the organization's network and data.
What is a Traditional Attacker?
Hiding presence not crucial •If they lose access they can always find other vulnerable machines. •It is a numbers game
What are disadvantages of detecting hooks?
High false positive rates from legitimate benign hooks. If malware uses in-memory hooks, IDSs can detect the malware by detecting its hooks. Since hooks can be legitimate high false alarm rates can occur.
How does malware use hooking?
Hijacks process memory and diverts the flow of code execution so that malicious code gets executed.
What are hooks?
Hooks change the direction of a program.
Explain IDS and what it does?
IDS - basic definition: an Intrusion Detection System (IDS) detects intrusions in a database, network or any other device. Wireshark: -used to analyze network data (traffic); -classifies data into normal and abnormal data. An initial step is detecting and analyzing port scans.
If in doubt, what do you do?
If in doubt at all about whether a given activity falls within the letter or spirit of the course exercise, discuss the activity with the instructors BEFORE exploring the approach further.
How do we deal with account information we have gained access to?
If you discover a way to gain access to any account other than your own (including root), do NOT access that account, but immediately inform the course instructors of the vulnerability. If you have inadvertently already gained access to the account, IMMEDIATELY exit the account and inform the course instructors.
Is impersonation allowed?
Impersonation, e.g. forgery of electronic mail, is disallowed.
A class that uses an interface must use the keyword:
implements
**What must be ensured when selecting primary keys?
Important!! -pk attributes must be selected in a way that ensures: they are guaranteed (!) to be unique; they are guaranteed (!) to never change.
Explain how binary form stores data:
In binary form, data items are represented in bytes. A byte is composed of 8 bits and can denote one of 256 values. For example, in binary format, the integer 12,345 is stored as a sequence of four bytes: 0 0 48 57 (because 12,345 = 48 · 256 + 57).
sequential file access processes a file how?
In sequential file access, a file is processed one byte at a time.
Buffer Overflow; Stack vulnerabilities
In software, a stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer.
What are the two different formats to store data?
In text format or binary format.
Explain how text format stores data:
In text format, data items are represented in human-readable form, as a sequence of characters. For example, in text form, the integer 12,345 is stored as the sequence of five characters: '1' '2' '3' '4' '5'
What is Installation of a Cyber Kill Chain?
Installation - Malware installs an access point (e.g., "backdoor") usable by the intruder.
subspecifier: flags:
-: Left justifies the output given the specified width, padding the output with spaces. +: Prints a preceding + sign for positive values. Negative numbers are always printed with the - sign. 0: Pads the output with 0's when the formatted value has fewer characters than the width. space: Prints a preceding space for positive values.
What do downloaders connect to and download?
Instead of unpacking an embedded copy of the core malware agent, they connect to a remote file repository and download the core components.
When does Integer/Arithmetic Overflow occur?
Integer/Arithmetic Overflow - occurs when an arithmetic operation attempts to create a numeric value that is outside the range that can be represented with a given number of digits.
**Wiki: What CIA was compromised?
Integrity was compromised.
**Integrity is:
Integrity: the reliability that information resources and data have not been changed inappropriately.
What are Actions and Objectives of Cyber Kill Chain?
Intruder takes action to achieve their goals. Data exfiltration: the unauthorized transfer of data from a computer. Data destruction: the process of destroying data stored on tapes, hard disks and other forms of electronic media; data is completely unreadable and cannot be accessed or used for unauthorized purposes. Encryption for ransom: data is encrypted; the intruder threatens to publish the victim's data or perpetually block all access to it unless a ransom is paid.
**CIA+x: Intrusion Detection and Response
Intrusion Detection and Response addresses the detection, rather than the prevention, of certain intrusions. It also covers the potential response activities, such as security alarms, in case an intrusion is detected.
**Diffie-Hellman key exchange: History
Invented in the 1970s, it was the first practical method for establishing a shared secret key over an unprotected communications channel.
SDLC Maintenance Phase
Involves performing changes, corrections, additions, and upgrades to ensure the system continues to meet its business goals
What is ingreslock exploit?
Is a backdoor exploit that allows a third-party to gain access to the affected computer.
Data Security: Exploits:Brute-Force Attacks:
Is a trial and error method used to obtain information such as a user password or personal identification number (PIN). This is primarily used to crack shorter passwords.
Data Security: Exploits: Dictionary Attacks:
Is a type of brute force attack where all the words in the dictionary are used to crack a password. This is primarily used to crack longer passwords, passphrases, and keys.
What is an example of a invariant specification?
•a kernel invariant is that the lengths of the executive and kernel process linked lists should be equal •The lengths will not be equal if malware is using process hiding
Examples of hooking:
•in memory redirection of code execution •May be legitimate such as hot patching, monitoring, profiling, and debugging.
What is an advantage of using cross-view detection?
•maliciously hooked API calls can be detected with very few false positives •legitimate applications of API hooking rarely change the outputs of the API calls.
What does a Targeted Delivery do?
•submits information to the malware distribution site •attackers can verify that the compromised computer is real •If it is not real, such as a honeypot or an automated analysis system, the attackers will not serve the core malware.
Characteristics of type 3 rootkit?
•subvert the integrity of the kernel by disrupting kernel data structures responsible for bookkeeping operations. •Immune to anti-malware (anti-virus) software, as anti-malware assumes a trusted kernel.
Design: Substitution principle is:
-Based off of Liskov Substitution Principle: -Objects should be replaceable with instances of their subtypes without altering the correctness of the program. -Subclassing is based on behavior rather than formal properties. -"If it looks like a duck, quacks like a duck, but needs batteries--you probably have the wrong abstraction"
**Attribute/Metadata-based Access Control: Problem:
-How can we provide authentication and authorization in a distributed environment without the need for redundant user login information? -The concern for corporate data security has grown tremendously, and the need for single user sign-on to multiple domains and multiple services is becoming more a matter of management, accountability, and secure authentication.
**Design: Inheritance vs Delegation: [SDLC slide 37]
-Inheritance is the implicit possession by a subclass of features defined in a superclass. Features include variables and methods. **use, extend or copy interface **subclass observes "contract" of the superclass (in a movement) -Delegation: a pattern in which a method simply calls another method in another class, but which can significantly improve the overall design of a system. **use or copy functionality, i.e. in most cases
**Metadata
-Metadata is "data[information] that provides information about other data." -many distinct types of metadata exist, among these descriptive metadata, structural metadata, administrative data, reference data, and statistical metadata
**Attribute/Metadata-based Access Control: Explain:
-On the internet, we need to deal with non-registered users. -determine effective subjects and objects based on attribute values
**Design: Contracts: pre/post-conditions are: [SDLC slide 51/42]
-Pre-conditions are conditions that must be met when calling a class service. -Post-conditions are conditions that are guaranteed after a service has executed.
Explain what a Sparta Scan is and what it does
-Sparta Scan is a Python GUI application that scans and performs enumeration. It allows testers to save time by having point-and-click access to their toolkits and by displaying all the tool output in a very convenient manner. This speeds up the analysis aspect of scanning.
nmap Aggregate Timing Option; T0?
-T0 Paranoid, used for IDS evasion
nmap Aggregate Timing Option; T1?
-T1 Sneaky, used for IDS evasion
nmap Aggregate Timing Option; T2?
-T2 Polite, ~10 times slower; slows down the scan to use less bandwidth and fewer target machine resources
nmap Aggregate Timing Option; T3;?
-T3 Normal
nmap Aggregate Timing Option; T4?
-T4 Aggressive: speeds scans up by making the assumption that you are on a reasonably fast and reliable network; may overwhelm targets
nmap Aggregate Timing Option; T5?
-T5 Insane: assumes that you are on an extraordinarily fast network and/or are willing to sacrifice some accuracy for speed
**Secure requirements: Misuse cases [SecureSDLC1 slides 22-27]
Misuse Cases: Complete interactions between a system and one or more actors whose results are harmful to the system, one of the many actors, or one of the stakeholders in the system. Focuses on: Unwanted behavior. Should not happen in the system. Focus on security requirements.
**Misuse Case: Verify Information Response Falsification:
Misuse case: Verify Information Response Falsification. Actors: Attacker, Specialist, Data Source. Description: Specialist submits UWF ID, name and information about secondary ID to the system. Attacker uses a MITM attack to intercept and falsify the system response.
**Misuse case: Verify Information Data Access:
Misuse case: Verify Information Data Access. Actors: Attacker, Specialist, Data Source. Description: Attacker obtains admin privileges on the DB server to access or falsify the Data Source.
**Misuse case: Verifying Information Data Modification:
Misuse case: Verify Information Data Modification. Actors: Attacker, Specialist, Data Source. Description: Specialist submits UWF ID, name and information about secondary ID to the system. Attacker uses a packet sniffer to obtain the data.
type 3 Rootkits: direct Kernel Object Manipulation(DKOM). How does it work?
Modify dynamic kernel data structures.
What is given away if the targeting mechanism is detected too soon?
The motivation for the attack is given away if it is detected too soon.
What does %f used for?
Multiple format specifiers can appear within the format string. The %f is used for printing floating-point values, such as float and double. The value stored within the variable years will be printed as a decimal integer in place of the %d format specifier, and the value stored within the variable total will be displayed as a double.
Requirements: Functional vs Non-Functional: In one word: [13/14]
Need vs want
What are the disadvantages of anti-emulation malware?
Needs to detect the presence of the emulator reliably. May not run in certain virtualized environments.
Explain: [-O] OS Detection:
Nmap Option [-O]: Attempts to determine the OS of the server. Compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.
Explain: [-sF]FIN Scan:
Nmap Option: [-sF] Sends: FIN Open Ports: [NULL] Closed Port: RST+ACK
Explain: [-sN] NULL Scan:
Nmap Option: [-sN] Sends: NULL Open Ports:[NULL] Closed Port: RST + ACK
Explain: [-sS] SYN Scan:
Nmap Option: [-sS] Sends: SYN Open Ports: SYN + ACK, RST Closed Port: RST + ACK Note: Half open. Most common. (Also known as a stealth scan)
Explain: [-sT] TCP Connect Scan:
Nmap Option: [-sT] Sends: SYN Open Ports: SYN + ACK, ACK Closed Port: RST + ACK Note: Make a full connection to test for open ports.
Explain: [-sX] Xmas Scan:
Nmap Option: [-sX] Sends: FIN + PSH + URG Open Ports: [NULL] Closed Port: RST + ACK
Explain: [-sU] UDP Scan:
Nmap Option: [-sU] Sends: UDP Open Ports: [NULL] Closed Port: ICMP Destination Unreachable
How many timing templates does nmap have to help with performance?
Nmap offers six timing templates to help with performance. Template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).
Explain: [-sV] Version Scan:
Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router) and the OS family (e.g. Windows, Linux). Uses its nmap-services database of about 2,200 well-known services.
What are Centralized C&C not dependent on?
No dependence on the infected machines to relay command control signals.
**Least Privilege Principle. Permissions:
No single role is given more permission than the same role for another user.
Can an interface implement another interface?
No, but the way to accomplish the same thing is to have one interface extend the other. These exercises are for the material on the Comparable interface.
**Wikipedia Vandalism misuse case:
On Wikipedia, vandalism is an act of editing the project in a malicious manner that is intentionally disruptive.
What is the main goal of hiding presence during an attack?
One of the main goals of the attack is to maintain prolonged access to organization's network and, consequently, their data. •To avoid detection presence must be concealed.
**Data Security: One-Way Hash Function:
One-way Hash Function: Transforms input messages of various lengths into output sequences of fixed length (usually shorter). Fulfills all conditions of one-way functions: it is easy to compute the value from the input data, but having only a hash value one can't determine the original input sequence. Should be collision free, i.e. it is difficult to find two different sequences that produce the same hash value. Algorithms are known to be public. Used to protect data against intentional or unintentional modifications. Hash tables are used to store data efficiently.
What is a regshot?
Open-source registry compare utility
The Heartbleed bug is an encryption security flaw in the ___________ software package that was an _____________ mistake by the software developer.
OpenSSL; unintended
**RBAC principles.Operations:
Operations on an object are invoked based on the permissions.
OutputStream provides what?
OutputStream provides several overloaded methods for writing a sequence of bytes to a destination. That sequence is normally placed into a buffer, and the system then outputs the buffer at various times.
Stack Buffer Overflow
Overwriting a local variable or data within the stack can change program behavior to an attacker's benefit.
How is Heartbeat part of SSL/TLS?
Part of SSL/TLS is the Heartbeat: An echo functionality where either side (client or server) requests that a number of bytes of data sent to the other side be echoed back. Reason: To check if the other side is still "alive" (has a heartbeat).
What is passive reconnaissance?
Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems.
**RBAC principles.Permissions:
Permissions are defined based on job authority and responsibilities within a job function.
In a reconnaissance, explain the Identifying factors of the one on one port scan.
Port scanning allows us to determine what ports are open on publicly accessible targets. This is done by scanning a host to determine which TCP and UDP ports are accessible. These protocols are transport mechanisms used by applications such as FTP, Simple Mail Transfer Protocol (SMTP), Dynamic Host Configuration Protocol (DHCP) and HTTP. TCP is a connection-oriented protocol; in contrast, UDP is a connectionless protocol.
System.out is an object of the class _________________. 1. Applet 2. Output 3. System 4. PrintStream
PrintStream
System.out is of type ___
PrintStream
%%
Prints the '%' character.
%n
Prints the platform-specific new-line character.
**SDLC Program Design Phase is:
Product design is started with a clear definition of requirements. The Software Requirement Specification (SRS) document, which consists of all the details of the product requirements, should be approved by the clients or customers before product design begins.
**Programmers should develop software according to what?
Programmers should develop the software according to the DDS and at the same time closely follow the coding standards defined by the company.
**Programming tools, how are they limited?
Programming tools should be limited to those provided by the company as well, to ensure all programmers can align their work.
**Data Security: Hashing principles: Properties:
Properties: Deterministic: The same object always produces the same hash code. Not injective: Two different objects can produce the same hash code (collision). Strings over 62 characters (52 letters, 10 digits), length 10: 62^10 strings ~ 3.92x10^17. The set of hash values is mostly smaller -> collisions will happen. Not reversible (because it is not injective).
**CIA+x: Accountability
Provides functionalities for generating records for system behavior or user actions.
**CIA+x: Security Management
Provides users with certain roles the ability to customize the use of security mechanisms in a security product.
Explain Sparta, its basic definition and what it does?
Python GUI application: simplifies network penetration testing; allows the tester to save time by having point-and-click access to his toolkit. It lets the tester focus on analyzing results, since less time is spent setting up the environment.
What do reader and writer classes access?
Readers and writers access sequences of characters.
What do reader and writer classes handle?
Readers and writers handle data in text form.
OutputStreamWriter
Receives characters from a Java program and converts these into bytes according to a specified encoding and writes them onto an underlying output stream.
What is the Reconnaissance of Cyber Operations?
Reconnaissance: Target Identification and Selection (whois etc.); Target Social Profiling (web, etc.); Target System Profiling (ping, nmap etc.); Target Validation (SPAM, social engineering).
What is the definition of reconnaissance?
Reconnaissance is checking out a situation before taking action. The word reconnaissance is borrowed from its military use, where it refers to a mission into enemy territory to obtain information.
What are the Stages of Cyber Operations?
Reconnaissance; Gaining Access; Hiding Presence; Establishing Presence; Execution; Assessment
What is the Chain of Cyber Kill Chain?
Reconnaissance; Weaponize; Delivery; Exploitation; Installation; Command and Control; Actions and Objectives.
What do Stream classes handle?
Streams handle binary data.
%s
String; Prints the characters in a String variable or literal.
System.in is an input byte stream. Explain:
System.in is an input byte stream, and thus the read() method reads the first 8-bit ASCII value available from the operating system's buffer. Each 8-bit value read from the input stream is returned as an int (instead of byte) in order to allow the programmer to determine if data is no longer available, which is indicated by a return value of -1.
System.out is a ________.
System.out is a predefined output stream object reference that is associated with a system's standard output, usually a computer screen.
Single decimal printf statement example.
System.out.printf(" You know %d people.\n", totalPpl);
Multiple format specifiers within a format string, example:
System.out.printf("Savings after %d years is: %f\n\n", years, total);
What are the most common types of portscans?
TCP Connect() scan is a scan that tries to establish a three-way handshake with every TCP port. SYN tries to see if a port is open by sending a SYN packet. NULL sends a packet with no flag set. FIN is an inverse scan sending a FIN bit. ACK is an acknowledge scan that attempts to determine firewall rules. Xmas-Tree sends the URG, PSH and FIN flags all together.
**CIA+x: Privacy
Targets making a user's identity or actions non-observable to others, even the TSF. This security objective is special because it sometimes conflicts with other security objectives such as accountability: unobservability makes a user's actions unaccountable.
**CC Lingo:[SecureSDLC1 slides 30-32]: Targets of Evaluation(TOEs)
Targets of Evaluation (TOEs) are sets of software, firmware and/or hardware, possibly accompanied by user and administrator guidance documentation.
What do these Aggregate timing option templates from nmap allow the user to do?
Templates allow the user to specify how aggressive they wish to be, and leave Nmap to pick the exact timing values.
Why are text input and output more convenient?
Text input and output are more convenient for humans, because it is easier to produce input (just use a text editor) and it is easier to check that output is correct (just look at the output file in an editor).
Heartbleed is also known as?
The "hidden" buffer overflow
What does %d format specifier indicate in the previous example? System.out.printf(" You know %d people.\n", totalPpl);
The %d format specifier in the example above indicates that the printf() statement should output a decimal integer value. Specifically, the % indicates we would like to output a value stored within a variable, and the d indicates how we would like that value to be displayed, as a decimal integer. Following the format string (separated by a comma), the variable totalPpl indicates that the value stored within this variable will be printed in place of the %d format specifier.
Explain the Heartbleed Bug?
The Heartbleed Bug is a vulnerability in the popular OpenSSL cryptographic software library. It allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content.
What is the IRCD backdoor exploit?
The IRCD backdoor check determines whether an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond. It may run an arbitrary command on the remote system; however, the output is never returned.
The Java Library provides how many sets of classes for handling input and output?
The Java library provides two sets of classes for handling input and output.
What is the definition of metasploitable?
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
What is OutputStream used for?
The OutputStream is used for writing data to a destination.
PrintStream class _______.
The PrintStream class extends the base functionality of the OutputStream class and provides the print() and println() methods for converting different types of data into a sequence of characters.
What are Windows Event logs?
The Windows event log is a detailed record of system, security and application notifications stored by the Windows operating system that is used by administrators to diagnose system problems and predict future issues.
**CIA+x: Nonrepudiation
The assurance that someone cannot deny something. It refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
What is the Heartbleed code based on?
The code is based on the Python script ssltest.py authored by Jared Stafford
**Equifax: How many were affected?
The data taken affected as many as 143 million people.
How does the metasploitable Samba exploit work?
The exploit logs in to the Samba system anonymously and writes a link from the writeable file share to the root file system. Once this happens, a user can log in anonymously to the written file share (tmp in the class example) and execute a simple change directory command to access the root filesystem, "roots".
What are format specifiers?
The first argument of the printf() method is referred to as the format string, which specifies the format of the text that will be printed along with any number of placeholders for printing numeric values. These placeholders are known as format specifiers. Format specifiers specify the type of values being printed in place of the format specifier.
What can format specifiers within the format string of printf() include? Explain:
The format specifiers within the format string of printf() can include format sub-specifiers. These sub-specifiers specify how a value stored within a variable will be printed in place of a format specifier.
**CC Lingo:[SecureSDLC1 slides 30-32]: What is the TOE Security Function (TSF)?
Those portions of the TOE that must be relied on for the correct enforcement of the SFRs are collectively referred to as the TOE Security Function (TSF).
When using an InputStream, what must a programmer append to the definition of main()?
When using an InputStream, a programmer must append the clause throws IOException to the definition of main().
Output Driven Strategy Steps are:
Whitelist filter. Blacklist filter.
**Are the same format as the functional requirement used for non-functional requirements?
Yes. The same format as the functional requirements is to be used for the non-functional requirements.
Can you have a variable of an interface type?
Yes, an interface is a type and can be used like any other type.
Can you have a parameter of an interface type?
Yes. An interface is a type and can be used like any other type.
Can an abstract class ever implement an interface?
Yes. Any of the interface methods that it does not fully define must be made abstract methods.
What happens if you violate the course guidelines?
You can participate in the course exercise only if you are registered for a grade in the class. ANY violation of the course guidelines may result in disciplinary or legal action.
**In a functional requirement, how do you provide a brief design rationale? Is a narrative necessary?
You may provide a brief design rationale for any requirement which you feel requires explanation for how and/or why the requirement was derived.
**In a non-functional requirement, how do you provide a brief design rationale?
You may provide a brief design rationale for any requirement which you feel requires explanation for how and/or why the requirement was derived.
What is a dropper?
A program that installs and runs the malware on a target system.
A Java interface type declares ____.
a set of methods and their signatures.
A class that implements an interface but only gives definitions for some of the method headings given in the interface is called a/an:
abstract class
A Java interfaces is an example of:
abstraction
What are characteristics of invariant specification?
Does not vary; direct kernel object manipulation (from last week's lab); bookkeeping operation.
Design: Database terminology key:
Each row has one or more attributes which can identify the row in the table uniquely.
%e
float, double; Prints a floating-point value in scientific notation.
%f
float, double; Prints a floating-point value.
Polymorphism shows that behavior can vary ____.
for objects of the same type.
Methods of an inner class can access local variables_____.
from surrounding blocks and field from surrounding classes.
Such a method can occur in a class that in itself is not ___.
generic.
What do downloaders hide?
hide core components
What does a dropper try to hide?
hides the installed malware.
Use the implements keyword to ___.
indicate that a class implements an interface type.
In Java, generic programming can be achieved with ____.
inheritance or with type parameters.
an inner class is declared ___.
inside another class.
%h
int, char, long, short; Prints a hexadecimal integer value.
%d
int, long, short; Prints a decimal integer value.
%o
int, long, short; Prints an octal integer value.
**User Stories/Use Cases; what are their differences? [SDLC slides 16-23]
-User story: a short description of what your users will do when they come to your website or use your software ("I want..." approach). -Use case: a set of interactions between a system and one or more actors, with actors being people, other systems, or both (think about actors and specific cases or interactions).
What is the output from the following print statements, assuming: float myFloat = 45.1342f; System.out.printf("%09.2f", myFloat);
000045.13 ; There are a total of 9 characters printed: 6 digits before the decimal point, the decimal point, and 2 digits after the decimal point. The 0 flag pads the output with 0's when the formatted value has fewer characters than the width.
What is the output from the following print statements, assuming: float myFloat = 45.1342f; System.out.printf("%09.3f", myFloat);
00045.134 ; There are a total of 9 characters printed: 5 digits before the decimal point, the decimal point, and 3 digits after the decimal point.
What is the purpose of a rootkit?
1. Maintaining a hidden presence by: i. Hiding files, directories, registry keys, and processes. ii. Masking resource utilization and network connections. 2. Continued access including many times even after a reboot.
What is a downloader?
A program that downloads and installs/executes one or more other instances of malware from the internet.
Design: Database terminology attribute:
A property or characteristic; it may describe a component of the database, such as a table or field, or may be used by itself as another term or field.
How do we use data we have used in this course?
ANY data that is stored outside of the course accounts can be used only if it has been explicitly and intentionally published (e.g. on a web page), or if it is in a publicly available directory (e.g. /etc, /usr).
What is active reconnaissance?
Active reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities.
S, U
Additional general types
**SDLC Program Coding [Implementation]Phase: what happens after the Design Phase?
After the best or the most appropriate design has been selected, implementation starts immediately.
What is an Exploit?
An attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders.
Explain what is an nmap Aggregate Timing Option?
Aggregate Timing Options: one of Nmap's development priorities has always been performance. A default scan can take a fifth of a second, which adds up when you are scanning hundreds or thousands of hosts.
Design: Database terminology entity:
An object in the system that we want to model and store information about. Entities are usually recognizable concepts, either concrete or abstract, i.e. persons, places, things, or events.
What is the main aim of using decentralized C&C?
The aim is scalability. •Infected machines are used as nodes •Each node is responsible only for a subset of the total botnet •Fault tolerance: redundant communication links •Removes the single point of failure.
How should all explorations be handled?
All explorations should be targeted specifically to the assigned course accounts. ANY tool that indiscriminately explores noncourse accounts for vulnerabilities is specifically disallowed.
All format specifiers begin with %, explain:
All format specifiers begin with %, thus % is a special character. To print a % character using printf(), the sequence %% is used, as in: printf("Annual percentage rate is %f %%.\n", rate);
Are all rootkits malicious?
All rootkits are NOT malicious
What does a targeting mechanism malware allow?
Allows it to remain in the wild longer
Characteristic of an APT?
An Advanced Persistent Threat (APT) has a specific target.
What is an InputStream class?
An InputStream is a class for achieving input from a byte stream.
OutputStreamWriter is a ________.
An OutputStreamWriter is a bridge from character streams to byte streams: Characters written to it are encoded into bytes using a specified charset.
What is an Advanced Persistent Threat(APT)?
An advanced persistent threat is a stealthy computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period.
Secure Coding: Trust Boundaries; What does an execution trust boundary violation do?
An execution trust boundary violation happens if an application wrongly attains an increased privilege level (such as root).
An interface is a property of a class _____.
An interface is a property of a class that says what methods a class that implements the interface must have.
An output stream accepts ____ ____ and sends them to some ____.
An output stream accepts output bytes and sends them to some sink.
**CIA+x: Recoverability
Data recoverability and system function recoverability. Data recoverability includes data correction after unauthorized modifications. System function recoverability requires that the system recover to a secure state and/or still be able to provide key functionalities after a failure happens.
Defending against establishing persistence requires what?
Defending requires efficient anti-malware solutions with improved generalization to detect novel types of malware
What is a Drive by Download Target?
The target is forced to download appealing malicious content from the internet. The malicious content could be an image file, a PDF/Word document or a software setup file.
**SDLC System Design Phase is:
The process of defining the components, modules, interfaces, and data for a system to satisfy specified requirements.
What is emulation in software context?
The use of an application program or device to imitate the behavior of another program or device. Common uses of emulation include running an operating system on a hardware platform for which it was not originally engineered.
The Comparable interface is in the __ package.
java.lang
SDLC Delivery Phase is:
Delivery of the product to the customer.
In asymmetric encryption, each site has a ________ for encoding messages.
key
What does a system registry contain?
keys and values.
Use interface types to ___.
make code more reusable.
Interfaces create a set of methods but ___.
no implementation.
What do downloaders obscure or obfuscate?
obfuscate the infection vector
System.out is an _________
object
Use type parameters for the types _______.
of generic instance variables, method parameters, and return values.
In Java, a derived class can have ___ base class(es).
one
A generic class has ___.
one or more type parameters.
**Data Security: Exploits: Collision attacks;
A collision attack on a cryptographic hash tries to find two inputs producing the same hash value (a hash collision). Two types: Collision attack: find two different messages m1 and m2 such that hash(m1) = hash(m2) (e.g. SHA-1). Chosen-prefix collision attack: given two different prefixes p1 and p2, find two appendages m1 and m2 such that hash(p1 || m1) = hash(p2 || m2), where || denotes the concatenation operation.
**SDLC Requirement Analysis Phase is:
Organizing the information that has been gathered, and making decisions about what in fact the software should do. The term 'requirements analysis' is often used more broadly to include some of the other steps in this list.
PrintStream supports ____.
output.
What is a Targeted Delivery?
Performs a quick inventory of the victim's machine at the dropper/downloader stage.
**Eavesdroppers for Diffie-Hellman only know:
The prime number, the related integer, and the intermediate values (not enough to compute the shared secret s).
subspecifier: flags: example:
printf("%+f", myFloat); -> +12.340000 ; printf("%08.2f", myFloat); -> 00012.34
subspecifier: .precision: example:
printf("%.4f", myFloat); -> 12.3400 ; printf("%3.4e", myFloat); -> 1.2340e+01
subspecifier: width; example;
printf("Value: %7.2f", myFloat); -> Value:   12.34
Type variables of a generic class follow ______.
the class name and are enclosed in angle brackets.
Early binding of methods occurs ___.
if the compiler selects a method from several possible candidates.
Simply call the method with appropriate parameters, and ____.
the compiler will match up the type parameters with the parameter types.
Interfaces can reduce ___.
the coupling between classes.
What is the output for the following program?
  import java.io.IOException;
  public class InputStreamReader {
     public static void main(String[] args) throws IOException {
        int usrInput;
        // Read 1st byte
        usrInput = System.in.read();
        // Read 2nd byte
        usrInput = System.in.read();
        // Read 3rd byte
        usrInput = System.in.read();
        // Read 4th byte
        usrInput = System.in.read();
        // Read 5th byte (empty buffer)
        usrInput = System.in.read();
     }
  }
1. The operating system automatically reads the standard input and fills a buffer with the input data. 2. System.in is a predefined InputStream object that is associated with a system's standard input. The read() method reads the first 8-bit ASCII value available from the operating system's buffer. 3. If data is no longer available, the InputStream's read() method returns -1.
** Properties of Hash Functions
1. Deterministic: the same object always produces the same hash code. 2. Not injective: two different objects can produce the same hash code (collision). 3. Not reversible (because it is not injective).
What is the output from the following print statements, assuming: float myFloat = 45.1342f; System.out.printf("%.3e", myFloat);
4.513e+01 ; e is used to display float values in scientific notation, .3 specifies the digits to print following the decimal point.
Output Formatting:
  public class OutputFormatting {
     public static void main(String[] args) {
        int myInt;
        myInt = 853;
        System.out.printf("%2d\n", myInt);
        System.out.printf("%4d\n", myInt);
     }
  }
Output (the second line is padded to a width of 4):
853
 853
How many bits of data are returned by System.in.read()?
8; System.in.read() returns a byte of data. Because one byte is 8 bits, the method returns 8 bits of data.
**RBAC (Role Based Access Control)
A "real-world" access control model in which access is based on a user's job function within the organization.
How does PrintStream add functionality?
A PrintStream adds functionality to another output stream, namely the ability to print representations of various data values conveniently.
OutputStream is:
A class that supports output
**Stolen credentials
A computer is infected with malware, which steals the owner's email credentials. These are used by an attacker to send threatening emails to strangers.
Secure Coding: Trust Boundaries:What does a data trust boundary violation refer to?
A data trust boundary violation refers to a vulnerability where computer software trusts data that has not been validated before crossing a boundary.
Can a derived class have two base classes? Can it implement two interfaces?
A derived class can have ONLY one base class, but it can implement any number of interfaces.
Explain a format specifier:
A format specifier begins with the % character followed by a sequence of characters that indicate the type of value to be printed.
**Data Security: Collision in Hashing:
A hash function with more possible inputs than outputs will necessarily have collisions, e.g. SHA-256, which produces 256 bits of output from a large input (<= 2^64 - 1 bits). Collision resistance does not mean that no collisions exist, simply that they are hard to find. The collision probability depends on the number n of possible hash codes (example: the generalized birthday paradox). Collisions increase the chance of a lucky guess.
What is the hypervisor?
A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines.
Why can a program throw an IOException.
A program can throw an IOException when it encounters certain errors as it is trying to read from an input stream. Certain input and output streams require the programmer to append a throws clause to the definition of main().
A programmer can adjust the way that output appears, known as _____.
A programmer can adjust the way that output appears, a task known as output formatting.
what is a reverse shell?
A reverse shell (also known as a connect-back) requires the attacker to set up a listener first on his box; the target machine acts as a client connecting to that listener, and finally the attacker receives the shell.
**Least Privilege Principle. Role:
A role contains the minimum amount of permissions to operate on an object.
What is the definition of a rootkit?
A set of software tools that enable an unauthorized user to gain control of a computer system without being detected.
**Least Privilege Principle
A subject should be given only those privileges necessary to complete its task.
What does a throws clause tell Java virtual machine?
A throws clause tells the Java virtual machine that the corresponding method may exit unexpectedly due to an exception, which is an event that disrupts a program's execution. In this case, the throws clause indicates that the program may terminate due to an input/output exception (i.e., IOException).
**DYN DDoS Attack
A ton of websites and services, including Spotify and Twitter, were unreachable because of a distributed denial of service(DDoS) attack on Dyn, a major DNS provider. Details on how the attack happened remain vague, but one thing seems certain. Our internet is frightfully fragile in the face of increasingly sophisticated hacks.
**RBAC principles. Explain:
A user has access to an object based on the assigned role.
**Least Privilege Principle. User:
A user is assigned to a role that allows her/him to perform only what's required for that role.
Late binding occurs if ____.
the method selection takes place when the program runs.
Why would anti-malware use their own rootkit?
Anti-malware suites may use their own rootkit to evade detection by malware.
What are the repercussions of any academic misconduct?
Any academic misconduct or action during the course of the class can result in that course not being eligible to count toward any security certificate.
**key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
**How are the functional requirements written?
They are written in narrative form, identified with numbers.
**What are Requirement Analysis Non-functional requirements?
Properties that the system must have, such as performance, reusability, usability, user friendliness, etc.
**What are Requirement Analysis: Functional requirements?
Those functions which are included in the software under development.
As a result, you can form array lists that collect elements of different types, such as _____.
ArrayList<String>, ArrayList<BankAccount>, and so on.
What is Assessment of Cyber Operations?
Assessment: evaluate damage based on data compromised and mission impact.
Data Security: Standards: AES:
Asymmetric Encryption Standard: Sender requests a secure channel from Receiver. Receiver creates an asymmetric key pair. Receiver sends the public key to Sender (unencrypted). Sender creates a strong symmetric key. Sender encrypts the symmetric key with Receiver's public key. Sender sends the encrypted symmetric key to Receiver. Both now communicate over symmetric encryption.
Data Security: Asymmetric encryption:
Asymmetric encryption, also known as public key cryptography, uses two keys to encrypt a plain text. Secret keys are exchanged over the internet or a large network. No key sharing is necessary. A sender uses the public key to encrypt; the receiver uses the private key to decrypt. -> Keys come in pairs: pubK and privK.
Type 4 rootkits Cross Platform Rootkits and rootkits in Hardware: How does it work?
Attack systems using very low-level rootkits.
**DYN DDoS Attack: What part of CIA was compromised?
Availability
**Availability is:
Availability: When something needs to be accessed by the user, it is available
What is an advantage of code mutation?
Avoids simple signature matching.
Why has Backdoor.Ingreslock received attention recently?
Backdoor.Ingreslock has received recent attention because of Google Chrome notifications indicating the presence of Backdoor.Ingreslock in its memory processes.
Before executing the malware code, what does a dropper do?
Before executing the malware code, droppers nowadays try to disable host-based security controls on the target.
Buffer Overflow
Buffer overflow - an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
What do reader and writer classes use by default?
By default, these classes use the default character encoding of the computer executing the program.
What does C&C do?
A C&C system is used to give remote covert instructions to compromised machines.
What are rootkits and what do they do?
Can be thought of as performing man-in-the-middle attacks between different components of the operating system.
What are the attacker takeaways from the hiding presence lab?
Can hide presence in a target system by eliminating logs. Can hide presence by migrating the meterpreter process to something more innocuous. These actions allow the attacker to carry out actions with reduced risk of detection.
Buffer Overflow; Canaries
Canaries are implemented by the compiler. For example, GCC's stack-protector option causes canaries to be used in any function that is potentially vulnerable. The function prologue loads a magic value into the canary location, and the epilogue makes sure the value is intact. If it's not, a buffer overflow (or bug) likely happened and the program is aborted via __stack_chk_fail. Due to their strategic location on the stack, canaries make the exploitation of stack buffer overflows much harder.
What are the three main types of C&C communication structures?
Centralized C&C; Decentralized C&C; Social Networks Based C&C
Why use two sets of classes?
Characters are made up of bytes, but there is some variation in how each character is represented.
How did we perform the meterpreter process migration?
Checked the currently running processes. Opened a new Windows process through meterpreter. Obtained the new process ID (PID). Migrated meterpreter to that new process so it runs hidden within that process.
Secure Coding: What aspect of the program is under my control?
Code; Data
Type 2 Rootkits: Hooking and In-Memory Redirection of Code execution: How does it work?
Code injection by modifying pointers to libraries/functions or by explicit insertion of code.
What is an important part of the remotely executed cyber-attacks?
Command and Control(or C&C)
What is a cross-view detection and Specification Based Method?
Compare the output of API calls with that of low-level calls that are designed to do the same thing.
**Stolen credentials: What part of CIA was compromised?
Confidentiality
**Equifax: What part of CIA was compromised?
Confidentiality was compromised.
**Confidentiality is:
Confidentiality: Limits access of authorized users and prevents access to unauthorized users.
General Security: What are the CIA Principles?
Confidentiality: Limits access of authorized users and prevents access to unauthorized users. Integrity: The reliability of information resources and data have not been changed inappropriately. Availability: When something needs to be accessed by the user, it is available.
**SQL[Structured Query Language] DDL vs QL [Data Design slide 16]
DDL (Data Definition Language): to define a DB schema. QL (Query Language): to extract data from tables; to modify/delete data.
What are advantages of virtualization technique?
•Can be used to detect kernel-level rootkits and interfere with them. •Small attack surface: about 30,000 LOC versus millions for Windows.
What do hooks detect?
Detect malware that uses hooking.
Output formatting for integers:
  public class CelestialBodyDist {
     public static void main(String[] args) {
        final long KM_EARTH_TO_SUN = 149598000;    // Dist from Earth to sun
        final long KM_SATURN_TO_SUN = 1433449370;  // Dist from Saturn to sun

        // Output distances with min number of characters
        System.out.printf("Earth is %12d", KM_EARTH_TO_SUN);
        System.out.printf(" kilometers from the sun.\n");
        System.out.printf("Saturn is %11d", KM_SATURN_TO_SUN);
        System.out.printf(" kilometers from the sun.\n");
     }
  }
Output (each number is right-aligned in its field width):
Earth is    149598000 kilometers from the sun.
Saturn is  1433449370 kilometers from the sun.
Disadvantages of type 1 rootkit:
Easy to detect and remove.
What is an advantage of hooks?
Easy to implement.
Advantages of type 1 rootkit:
Easy to install, survives reboots.
How do you detect Hooks?
Effective approach to detect hooks is to hook common attack points.
E
Element type in a collection
What are the category of exploits?
Email Attachments; Phishing Attacks; Drive by Download Target; USB/Removal of Media; DNS Cache Poisoning Vulnerabilities.
What is Email Attachment Exploit Category?
Email content is composed to entice the user by using appealing content.
**Data Security: Encryption vs Hashing:
Encryption is a two way function; what is encrypted can be decrypted with the proper key. Hashing is a one-way function that scrambles plain text to produce a unique message digest. With a properly designed algorithm, there is no way to reverse the hashing process to reveal the original password.
What is the output of:
import java.util.Scanner;

public class FlyDrive {
   public static void main(String[] args) {
      Scanner scnr = new Scanner(System.in);
      double miles;     // User defined distance
      double hrsFly;    // Time to fly distance
      double hrsDrive;  // Time to drive distance

      // Prompt user for distance
      System.out.print("Enter a distance in miles: ");
      miles = scnr.nextDouble();

      // Calculate the corresponding time to fly/drive distance
      hrsFly = miles / 500.0;
      hrsDrive = miles / 60.0;

      // Output resulting values
      System.out.printf("%.2f miles would take:\n", miles);
      System.out.printf("%.2f hours to fly\n", hrsFly);
      System.out.printf("%.2f hours to drive\n", hrsDrive);
   }
}
Enter a distance in miles: 10.3
10.30 miles would take:
0.02 hours to fly
0.17 hours to drive
**Equifax: What did the thieves steal?
Equifax said that thieves stole customer names, Social Security numbers, birthdates, and addresses in a hack that stretched from mid-May to July.
What is Establishing Persistence of Cyber Operations?
Establishing Persistence: the attacker maintains access (create backdoor, rootkits, anti-antivirus).
Explain the first Output Driven Strategy step, white list filter.
Event Filtering, first step: Whitelist. •List of all events to be forwarded to a collector. •Everything else that does not match the whitelist is not forwarded to a collector. •Applied at the client level to minimize the number of events. •Does not change what events are stored on the local workstation, just what is forwarded to the collector.
What is Execution of Cyber Operations?
Execution: develop a plan of attack based on the scenario provided, including details of what the team will do in each of the kill chain phases; execute the plan of attack, keeping a log of the attack including any unforeseen developments, mitigations or workarounds.
type 3 rootkit advantages?
Extremely difficult to detect.
How are event logs important in security?
Extremely valuable resource to detect security incidents. •Many companies collect logs from security devices and critical servers. •Few collect them from their Windows workstations. •Even fewer proactively analyze these logs. •Collecting and analyzing workstation logs is critical. •Initial compromise often happens at the workstation level. •Important to detect these initial compromises. •Develop an efficient, common-sense approach to collecting and analyzing these events.
Will failure of random infected machines affect centralized C&C?
Failure of random infected machines won't affect the C&C architecture. The number of bots is limited to hardware/software resources. •If the server is down, the entire C&C infrastructure is down.
T or F: A class may only implement one interface.
False.
T or F: An interface specifies the headings and definitions for methods that must be defined in any class that implements the interface:
False.
T or F: The Serializable interface is like all the other Java interfaces in that it contains defined constants and method headings.
False.
T or F: The compiler and the run-time system enforces semantics on the Comparable interface.
False.
T or F: You cannot derive an interface from a basic interface.
False.
T or F: Characters written to System.out are immediately written to a system's standard output.
False: Characters written to System.out are placed into a buffer, and the system outputs the buffer at various times.
What is unreal_ircd_ exploit?
It is an open-source IRC daemon. IRC (Internet Relay Chat) works on a client/server networking model: clients communicate with chat servers to transfer messages to other clients. The protocol communicates in the form of text. IRC is mainly designed for group communication in discussion forums. It can be used for chat and data transfer, including file sharing.
What is the definition of establishing persistence?
It is designed to evade detection mechanisms while gathering sensitive information or positioning itself for a high-impact zero-day attack.
**How are the functional requirements described?
It describes the features of the product and needed behavior.
Secure requirements: Misuse cases, What is it and what does it do?
It describes the process of executing a malicious act against a system. Describes potential system behaviors that a system's stakeholders consider unacceptable. Actions which result in loss for the organization or some specific stakeholder.
What does ingreslock exploit?
It exploits RPC (remote procedure call) services. ingreslock is used legitimately to lock parts of an Ingres database.
K
Key type in a map
How is printf() different from println() and print()?
Like the print() and println() methods, printf() allows a programmer to print text along with variable values. printf(), however, affords the programmer more freedom in specifying the format of the output.
Which company adapted the kill chain concept to information security modeling intrusion on a computer network?
Lockheed Martin
What is the MS08-067 exploit?
The MS08-067 vulnerability is a flaw in the default implementation of remote procedure call (RPC) as it relates to the use of the Server Message Block (SMB) protocol. This vulnerability is in all Windows systems from Windows 2000 to Windows 7 pre-Beta. The attacker will gain free and unrestricted access to the exploited computer. When the exploit was run, I had unrestricted access to the computer and was able to review all files.
What are characteristics of code mutation?
Malware authors encrypt the code of the viruses to avoid detection by simple block code hash checking (signatures). •Re-encrypted with a different key upon each replication.
How does Anti-emulation malware work?
Malware behaves differently when running in an emulated environment.
What is Command and Control of Cyber Kill Chain?
Malware enables intruder to have "hands on the keyboard" persistent access to target network.
What are the advantages of anti-emulation malware?
Malware evades detection during emulation.
Does malware also use hooking?
Malware may also use hooking.
Explain how malware uses a mixture of stealth technology?
Malware often uses a mixture of these technologies. •For example: •A rootkit might maintain malicious files on disk that survive reboots, which alter or create DLLs to hide these files and processes so that they cannot be easily detected (hooking). •Code mutation techniques to prevent anti-malware systems from detecting running code.
What is Exploitation of a Cyber Kill Chain?
Malware program triggers. Takes action on target network to exploit vulnerability.
Rootkit Type 1 Malicious System Files on Disk: How do they work?
Mimic system process files.
How do targeting mechanism malware minimize risk of detection?
Minimize risk of detection by managing the spread of malware
What are the monitoring takeaways from the hiding presence lab?
Regshot is a good tool to monitor registry changes. Event Viewer, which shows logs, is also good for monitoring changes. The HIV file will still show presence of occurrence, so not all presence can be removed by the attacker.
What is a regshot?
Regshot is a utility that takes a before and after snapshot of the system registry.
**Diffie-Hellman (DH); what is required?
Requires Alice and Bob to each agree upon a large prime number and a related integer; the two numbers can be made public, yet Alice and Bob, through mathematical computations and exchanges of intermediate values, can separately create the same key.
Disadvantages of type 4 rootkits.
Requires custom low-level hypervisor, BIOS, hardware or physical/supply chain compromise to be effective.
What are disadvantages of cross-view detection?
Requires meticulous low-level code replication of the functionality of most of the system API.
Resolution from establishing persistence?
Resolution requires as little burden on human experts as possible (automation).
**RBAC principles. Roles:
Roles are defined based on job functions.
**Least Privilege Principle. Explain:
Roles are engineered based on the principle of least privilege.
Data Security: Standards: RSA:
Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is based on the fact that there is no efficient way to factor very large numbers. Deducing an RSA key, therefore, requires an extraordinary amount of computer processing power and time.
What are the four types of stealth technology?
Rootkits; code mutation; anti-emulation; targeting mechanisms
What are the Sparta features?
•Run nmap, including transparent staged nmap. •Configurable context menu for each service: any tool that can be run from a terminal can be run from SPARTA. •Run scripts or tools on a service across all the hosts with a click of the mouse. •Define automated tasks for services. •Default credentials check for most common services; can be configured to run automatically. •Identify password reuse on the tested infrastructure: any usernames/passwords can be stored in internal wordlists and reused, since sysadmins reuse passwords. •Ability to mark hosts that you have already worked on so that you don't waste time looking at them again. •Website screenshot taker so that you don't waste time on less interesting web servers.
What is SSL/TLS?
SSL/TLS is a protocol that allows a client (browser) and a server to exchange encrypted data over an insecure line (networked).
What is a 3 Way handshake process?
SYN, SYN-ACK, ACK
An example of a anti-malware using their own rootkit:
Samhain: •a HIDS •anti-malware/anti-rootkit software •hides its presence from the system.
How stable is happy face exploit?
Secure, stable and extremely fast.
**CC Lingo:[SecureSDLC1 slides 30-32]: Security Function Policies(SFPs)
Security Function Policies (SFPs) represent the rules that the TOE must enforce. Each such SFP must specify its scope of control by defining the subjects, objects, resources or information, and operations to which it applies.
**CC Lingo:[SecureSDLC1 slides 30-32]: Security Functional Requirements(SFRs)
Security functional requirements (SFRs) are enforced over the TOE resources. The SFRs define the rules by which the TOE governs access to and use of its resources, and thus the information and services controlled by the TOE.
What is Reconnaissance of a Cyber Kill Chain?
Selects a target, researches it, and attempts to identify vulnerabilities in the target network.
What is the definition of code-mutation?
Self-modifying malicious code.
What is a Phishing Attack?
Sensitive information like usernames, passwords, credit card details, etc. are extracted by masquerading as a trustworthy entity in communication.
subspecifier: width;
Specifies the minimum number of characters to be printed. If the formatted value has more characters than the width, it will not be truncated. If the formatted value has fewer characters than the width, the output will be padded with spaces (or 0's if the '0' flag is specified).
subspecifier: .precision:
Specifies the number of digits to print following the decimal point. If the precision is not specified a default precision of 6 is used.
What do streams access?
Streams access sequences of bytes.
What are the two sets of classes for handing input and output?
Streams and Readers.
The formatting sub-specifiers are included between the % and format specifier characters. Explain:
The formatting sub-specifiers are included between the % and format specifier characters. For example, printf("%.1f", myFloat); causes the floating-point variable, myFloat, to be output with only 1 digit after the decimal point; if myFloat was 12.34, the output would be 12.3. Format specifiers and sub-specifiers use the following form:
What is the goal of the activities of the course?
The goal of the activities in the course is to search for technical means of discovering information about others with whom you share a computer system. As such, nontechnical means of discovering information are disallowed (e.g., following someone home at night to find out where they live).
**RBAC principles. Object is concerned with?
The object is concerned with the user's role and not the user.
What are the semantics of the Comparable interface?
The semantics of the Comparable interface with respect to the compareTo method say that if the calling object "comes before" the parameter, then a negative number is returned. If the calling object "equals" the parameter, then zero is returned. Finally, if the calling object "comes after" the parameter, a positive number is returned.
The standard output stream System.out provides what?
The standard output stream System.out provides the methods printf() and format() for this task. Both methods are equivalent, so this discussion will only refer to printf().
Explain the term kill chain?
The term kill chain was originally used as a military concept related to the structure of an attack consisting of: target identification, force dispatch to target, decision and order to attack the target, destruction of the target.
What is the difference between traditional attackers vs APT?
The traditional attacker does not find it necessary to hide its presence; an APT prefers to remain undetected in order to attack over a prolonged time or to gain information prior to the attack.
**What are the Classical Software Development Life Cycle?
There are seven steps to the SDLC: Requirement Analysis; Design; Coding [Implementation]; Testing; Delivery and Installation.
How must each format specifier argument be separated within the parenthesis?
These arguments are additional input to the printf() method, with each argument separated by a comma within the parentheses.
What are the techniques included in the component-based stealth countermeasures?
These techniques include •Hook detection •Cross-view detection •Invariant specification •Hardware •Virtualization solutions.
InputStream
This abstract class is the superclass of all classes representing an input stream of bytes.
This abstract class InputStream is ___
This abstract class is the superclass of all classes representing an input stream of bytes.
OutputStream
This abstract class is the superclass of all classes representing an output stream of bytes.
abstract class OutputStream is ____of all classes representing an output stream of ____.
This abstract class is the superclass of all classes representing an output stream of bytes.
What service does metasploitable Samba exploit use?
This exploit uses the Samba service, typically identified by open ports 139 and 445. Samba is a service used to integrate Linux/Unix systems into a Windows environment, allowing for the sharing of files and printers between Linux/Unix
**SDLC Testing Phase is:
This is the process of systematically executing the software to see if it behaves as expected.
What are the obligation of a class that implements a specific interface?
To implement an interface, a programmer must do two things. First, the phrase implements interface_name must be included at the start of the class definition; to implement more than one interface, the interface names must be separated by commas. Second, the programmer must implement all the methods listed in the definition of the interface.
How do you initialize a Scanner object.
To initialize a Scanner object, a programmer can pass an InputStream, such as System.in, as an argument to the constructor as in Scanner scnr = new Scanner(System.in);.
T or F: An interface can contain defined constants as well as method headings or instead of method headings.
True.
T or F: An interface is a type.
True.
T or F: Java interfaces are a way of simulating multiple inheritance.
True.
T or F: System.in is a predefined InputStream associated with the system's standard input.
True: System.in is a predefined InputStream that is pre-associated with a system's standard input, which is usually a computer keyboard.
T or F: A read from System.in will read bytes from a buffer filled by the operating system.
True: System.in reads bytes from a memory region initialized by the operating system.
T or F: The output of print() and println() for a reference type includes the object's class.
True: The output is a string representation consisting of the object's class followed by "@" and the hexadecimal value of the object's hash code.
T or F: Various standard data types are converted to a character sequence by print() and println().
True: print() and println() are overloaded to support various standard data types.
In secure coding, what are trust boundaries?
Trust boundary is a term used to describe a demarcation where program data or execution changes its level of "trust".
Design: Database terminology tuple:
Tuple: a single row of a table, which contains a single record for that relation
Advantages of type 4 rootkits?
Undetectable by conventional software countermeasures.
What is the purpose of code mutation?
Unlike rootkits, the purpose of code mutation is not to change the dynamic functionality of the code.
Describe Cyber Operations?
Use cyber capabilities, such as computers, software tools, or networks.
What is a virtualization technique?
Use virtual environments to detect malware.
How do you use the web to explore and as a resource?
Using the web to find exploration tools and methods is allowed. In your reports, provide full attribution to the source of the tool or method.
V
Value type in a map
**Wiki: What does vandalism include?
Vandalism includes the addition, removal, or modification of text or other material that is either humorous, nonsensical, a hoax, or that is of an offensive, humiliating, or otherwise degrading nature.
•The hypervisor has access to the CPU •Can change the CPU state and thus its actions
Very valuable ability in •rootkit detection •prevention and mitigation of malware •computer forensics.
Happy face exploit is:
Vsftpd (Very Secure File Transfer Protocol), a popular FTP server.
What are disadvantages of virtualization technique?
Vulnerable to anti-emulation. •Involve a virtual machine monitor, a.k.a. the hypervisor, in the inspection of system resources.
What happens when we migrate the meterpreter process to a new PID?
We then migrate the meterpreter process to that new one, obscuring its existence.
What is AB Backdoor exploit?
Went unnoticed for months; triggered by sending the letters "AB" followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell.
How do APTs hide their presence?
What APTs will do: •install rootkits •modify event and audit log entries •periodically enter a sleeping state •delete traces of their files on the system
Design: Database terminology table:
an arrangement of related information in columns and rows.
**Diffie-Hellman key exchange
an asymmetric standard for exchanging keys. primarily used to send private keys over public networks.
Event listeners describe the action taken when ____.
an event occurs.
Interfaces, polymorphism, and event listeners _____.
are often used in GUI.
What is a Rootkit Installation?
are programs which hide the executed payload. •Payload file hiding and process hiding are the core functionalities.
For example, we may want to declare a method that can print an ___,
array of any type.
A class can implement ___.
as many interfaces as needed.
Local variables that are accessed by an inner class-method must ____.
be declared final.
What makes Binary Storage also very convenient?
binary storage is more compact and more efficient.
What can a hypervisor inspect?
can be used to inspect these resources even if the guest OS is entirely compromised.
Generic programming is the creation of programming constructs that _____.
can be used with many different types.
Like a class, an interface type ___.
can contain constants.
%c
char; prints a single Unicode character.
Type parameters can be instantiated with ___.
class or interface types.
You need a cast to convert from an interface type to a ___.
class type.
Interfaces reduce coupling between ___.
classes.
An interface may contain:
constant variables
What does the hypervisor control?
controls the access of the guest OS to hardware resources
What is hooking?
covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls, messages or events passed between software components.
What is the Weaponization of a Cyber kill Chain?
create remote access malware weapon such as a virus or worm, tailored to one or more vulnerabilities.
Polymorphism denotes the principle that behavior can vary____.
depending on the actual type of an object.
**Hash collision probability
depends on the number n of possible hash codes.
How are downloaders similar to droppers?
designed to perform the same actions as Droppers: disabling the victim's security and monitoring software.
What does a programmer use read bytes from System.in into the desired data type?
A programmer often needs a way to extract strings or integers from an input stream. Instead of directly reading bytes from System.in, a program typically uses the Scanner class as a wrapper that augments System.in by automatically scanning a sequence of bytes and converting those bytes to the desired data type.
What is smbclient exploit?
provides file and print services for various Microsoft Windows clients; can integrate with a Microsoft Windows Server domain. Runs on Unix, OpenVMS and Unix-like systems. Samba is standard on nearly all distributions of Linux; if misconfigured with a writable file share, it can also be used as a backdoor of sorts to access files that were not meant to be shared.
Unlike a class, an interface type ___.
provides no implementation.
An interface and all of its method headings are normally declared to be:
public
Any constant variables defined in an interface must be defined as:
public
public abstract class InputStream extends ___ implements ___.
public abstract class InputStream extends Object implements Closeable
public abstract class OutputStream extends ____ implements___, ___.
public abstract class OutputStream extends Object implements Closeable, Flushable
OutputStream syntax is:
public abstract void write(int b) throws IOException
public void write(byte[] data) throws IOException
public void write(byte[] data, int offset, int length) throws IOException
public void flush() throws IOException
public void close() throws IOException
The method that must be implemented in a class using the Comparable interface is:
public int compareTo(Object other)
In Java, an interface may contain:
public static final data and public abstract methods.
OutputStreamWriter receives________.
receives chars, converts them to bytes, and writes the bytes to the underlying OutputStream.
What are three monitoring tools we used to determine hiding presence?
regshot, event viewer, and HIV file
Where does the hypervisor reside?
resides at a higher level of privilege than the guest OS
Interfaces makes code more ___.
reusable.
Type parameters make generic code ____.
safer and easier to read.
A stack buffer overflow is also referred to as ___________ .
stack smashing
What are disadvantage of hardware solution?
It can't adapt and it can be expensive. Cannot interrupt execution of malicious code. •A rootkit will take over the OS kernel, and maybe the virtual layer and BIOS. •The rootkit can manipulate the information it sends to a HIDS such that the HIDS has no way of detecting the attack. •The hardware solution uses hardware on the host machine to send kernel memory to another machine.
What is the definition of hardware solution? What does it do?
Take it out of software and monitor the hardware by having the hardware report to another machine, so another machine is watching what is going on even if one machine is infected. Via a hardware interface, use a clean machine to monitor another machine for the presence of rootkits or stealth malware.
For example, the Java library programmers who implemented the ArrayList class used the ____.
technique of generic programming.
How many types of Avoidance Techniques?
ten
How do downloaders compare in size to droppers?
tend to be smaller than Droppers
You can think of it as a template for a set of methods ____.
that differ only by one or more types.
Inner classes are commonly used for tactical classes _____.
that should not be visible elsewhere in a program.
You can convert from a class type to an interface type, provided ___.
the class implements the interface.
**symmetric encryption
the same key is used to encode and decode
What clause needs to be appended to the definition of main() when using an InputStream?
throws IOException
What is distccd exploit?
A tool for speeding up compilation of source code by using distributed computing; with the right configuration, distcc can dramatically reduce a project's compilation time. An attacker can easily abuse it to run a command of their choice.
What is Delivery of a Cyber Kill Chain?
transmits the weapon to the target (via e-mail attachments, websites or USB drives). Exploitation - Malware weapon's program code triggers, which takes action on the target network to exploit a vulnerability. Installation - Malware weapon installs an access point (e.g., "backdoor") usable by the intruder. Command and Control - Malware enables intruders to have "hands on the keyboard" persistent access to the target network. Actions on Objective - Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
**Asymmetric encryption: Keys:
two keys are used; one key encodes the message, and the other key decodes the message
A generic method is a method with a ___.
type parameter.
We need to choose variables for the ___.
type parameters.
InputStream is used how?
used to read data from a source
What are some disadvantages of invariant specification?
Very technical and platform dependent. Constraints need to be well-specified, often by hand, and are highly platform-dependent. •Involves pinpointing kernel invariants: aspects of the kernel that should not change under normal OS behavior. •Periodically monitoring these invariants.
What is the VSFTPD exploit?
vsftpd stands for Very Secure FTP daemon. It is an FTP server for Unix-like systems, including Linux. Possible attack goals for this threat model are corrupting resources (i.e. files, malware) or remote code injection. This script is attempting to exploit the backdoor.
Design: Database terminology Relationship:
where two entities are participating.
As with generic classes, _____.
you cannot replace type parameters with primitive types.
When you call the generic method, ____.
you need not specify which type to use for the type parameter.
What are some of the issues of hardware solutions?
• added expense • annoyance of requiring a supervisory machine • can only detect rootkits, cannot intervene in the host's execution.
What is an analogy of a cross-view detection?
• Interviewing witnesses at a crime scene: if they have conflicting stories, it is likely that someone is lying. • If different observations of a system return different results, the presence of a rootkit is likely.
What are component-based stealth countermeasures?
•Anti-stealth malware techniques that aim to protect the integrity of areas of systems
Explain the output driven strategy second step, blacklist filter:
•Blacklist - a list of things that are not wanted. •Applied in addition to the whitelist. •Serves to remove any unwanted events (noise) that made it through the whitelist. •Applied at the collection point or preferably at the client level. •The whitelist will overwhelmingly capture "new process created" events. •Goal is to baseline all of the normal "new process created" events and add them to the blacklist to reduce noise.
What can a regshot be used for?
•Can be used to detect a compromise
What to look for in the analysis of Windows event logs:
•Detect an unusual running process. •Techniques similar to malware detection via memory analysis. •Look for: unusual process names, unusual process paths, unusual process relationships. •System process name misspelled, thus hiding in plain sight. •Process that has a path that begins with a lower-case drive letter. A lower-case drive letter suggests that the process was started on the command line, or from a script or batch file. •Process name that contains a long string of empty spaces, used to trick the end user into thinking the file is something it is not. Consider the following process name: "Employee Hanbook.pdf .exe". This is an example of a malicious executable file that pretends to be a PDF document. Remember many Windows systems are set up not to show file extensions. •Running from a non-standard path should be considered extremely suspicious. Examples: which is correct, C:\Windows\System32\svchost.exe or C:\Windows\svchost.? C:\Windows\explorer.exe or C:\Windows\System32\explorer.exe?
Anti-Debugger and Anti Emulation?
•Dropper and downloader components are typically armored. •Using a variety of packers, crypters and inspection-detection engines, malware authors can ensure that common debugger and emulation analysis techniques will not work. •The addition of advanced anti-virtual machine analysis technologies also deters malware analysis to a high extent.
Characteristics of type 1 rootkit:
•Easily detectable via a comparison of their hashes or checksums to system files. •File integrity checkers such as Tripwire caused the use of first-generation rootkits to decrease. •Modern rootkits have trended toward memory residency over disk residency.
How do you detect the initial compromise of Process Id's(PID) in Windows?
•Every process has a process ID number (PID) and a parent process ID number (Parent PID or PPID). •The PID uniquely identifies that process. •The Parent PID represents the process that created the process. •Analysis of parent/child relationships is critical. •Most system processes have well-defined parents: cmd.exe should not be the parent of lsass.exe. •Most user processes are started by Explorer.exe; it's suspicious when they're not.
Disadvantage of APT?
•Harder to establish connection every time they are detected.
What are examples of detecting hooks?
•Hook the API functions used to inject DLLs into a target processes •Anti-malware may be able to detect a rootkit loading into memory, preempt the attack.
What are the two strategies for detecting intrusion using Event logs?
•Input Driven •Output Driven
What is an invariant specification?
•Invariant Specification (Invariant mean doesn't vary, doesn't change)--we are messing with the kernel •Summary: Define constraints of an uninfected system.
What is the Least Frequency of Occurrence Principle?
•Least Frequency of Occurrence (LFO) principle states the least frequently used processes are unusual. •Suspicious events such as •Application crash •Event log service was stopped •Large number of failed logon attempts or locked out accounts.
What is an Anti-Antivirus?
•Many malware packages include toolsets for automatically disabling anti-virus and IDS •changing local DNS settings to ensure that no future updates to the operating system or packages are possible •Add tools that recheck and re-disable protection settings frequently.
What is a Host-Based Encrypted Data Exfiltration?
•Most malware does not encrypt outbound network communication. •Critical data stolen from the victim's computer is typically packed and file-encrypted at the host-level •Send out over a clear text network protocol such as HTTP and SMTP •Evades anomaly detection systems and data-leakage prevention systems
What is Social network C&C?
•Now a huge part of people's lives. •Most of the social network services are free to use. •Many have few organizational security policies. •A viable option for malware authors. •Pass on information in a centralized/decentralized way to the infected machines.
Explain the output driven strategy to using event logs?
•Output Driven Strategy: only collect any particular event if you know beforehand what you are going to do with it, i.e. if that event is going to build towards some known output such as an alert or a report metric. •High quality events in will produce high quality alerts out. •Allows for prioritization. •Allows the organization to decide what information is obtained and analyzed. •Less expensive, more efficient. •Downside - must know precisely what to look for before beginning; upfront planning is required.
Characteristics of type 4 rootkit:
•Reside at a lower level than the operating system •Cannot be detected through the operating system •OS independent •Currently Theoretical only
What is Decentralized C&C?
•Some Advantages over Centralized. •Peer-to-peer architecture
Needs to detect the presence of the emulator reliably. May not run in certain virtualized environments.
•Suspicious executables are often analyzed by running them in virtual sandboxed environments (Dynamic Malware Analysis). •Anti-emulation detects these sandboxes. •Alters the execution flow of malicious code in order to stay hidden.
What does a regshot do?
•Takes a snapshot of a Windows registry. •Compares it with a second one, taken after making system changes or installing a new software product.
What can the hypervisor enforce? Give an example:
•The hypervisor can be used to enforce site-specific hardware policies. Example: the hypervisor can prevent promiscuous-mode network interface operation.
What does the hypervisor have access to? What does it do?
•The hypervisor has access to the CPU •Can change the CPU state and thus its actions
What are examples of cross-view detection?
•Traversing the file system: if the results returned are inconsistent between the API and low-level calls, then a rootkit that hides files from the system is likely present.
How does dynamic malware analysis detect code mutation?
•Virus code must decrypt itself in memory. •Susceptible to hash comparison and behavioral/heuristic analysis.