Threats and Attacks on Endpoints


Machine Learning (ML)

"Teaching" a device to "learn" by itself without the continual instructions of a computer programmer. It also learns through repeated experience.

Worm

A malicious program that uses a computer network to replicate (sometimes called a network virus)

Fileless virus

A virus that does not attach itself to a file but instead takes advantage of native services and processes that are part of the OS to avoid detection and carry out its attacks (it loads the code directly into the computer's random access memory (RAM)).

Trojan

An executable program that masquerades as performing a benign activity but also does something malicious.

API

Application program interference

Three types of external software component hacking:

Application program interference (API), device driver, dynamic-link library (DLL)

Tainted training data for machine learning

Attackers can attempt to alter the training data that is used by ML in order to produce false negatives to cloak themselves.

Application Attacks

Attacks that are targeted at web-based and other client-server applications.

Prime advantage to using AI to combat threats:

Continual learning and greater speed in response. AI can predict and prevent future attacks.

DLL

Dynamic-link library

Remote Access Trojan (RAT)

Has the basic functionality of a Trojan but also gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols. This creates an opening to the victim's computer, allowing the threat agent unrestricted access.

What is the primary action that cryptomalware performs?

Imprison

Pointer/object dereference

A common improper exception handling situation is a NULL pointer. When an application dereferences a pointer that has a value of NULL, it will typically cause the program to crash or exit.

ML

Machine learning

PUP

Potentially Unwanted Program

RAT

Remote Access Trojan

Adversarial Artificial Intelligence

Risks associated with AI and ML

Which type of application attack might use the following syntax? 'whatever' AND email IS NULL

SQL injection

Improper input handling

Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.

Malware

Software that enters a computer system without the user's knowledge or consent and then performs an unwanted and usually harmful action.

potentially unwanted program (PUP)

Software that often is not wanted, although it may not be explicitly malicious (advertising that obstructs content or interferes with web browsing, pop-up windows, search engine hacking, home page hacking, etc.)

SQL

Structured Query Language

Security of the ML algorithms (first risk)

These could be attacked and compromised, allowing threat actors to alter algorithms to ignore attacks.

What three things does Cybersecurity AI allow organizations?

To detect, predict, and respond to cyberthreats in real time using ML

spyware

Tracking software that is deployed without the consent or control of the user.

logic bomb

a computer code that is typically added to a legitimate program but lies dormant and evades detection until a specific logical event triggers it

Request forgery

a request that has been fabricated

cryptomalware

A type of malware that imprisons users and encrypts all files on the device so that none of them can be opened. The cost for the key to unlock the cryptomalware increases every few hours or days.

Cross-Site Scripting (XSS)

A website that accepts user input without validating it and uses that input in a response can be exploited. Attackers can trick a valid website into feeding a malicious script to another user's web browser.

Replay Attack

After intercepting and copying data, the threat actor retransmits selected and edited portions of the copied communications later to impersonate the legitimate user. These attacks are usually between a user and an authentication server.

resource exhaustion

attacks that "deplete" parts of memory and thus interfere with the normal operation of the program in RAM

Three types of evade malware

backdoor, logic bomb, rootkit

CSRF

cross-site request forgery

Two types of request forgeries

cross-site request forgery (CSRF) and server-side request forgery (SSRF)

Five advantages of a fileless virus

easy to infect, extensive control, persistent, difficult to detect, difficult to defend against

Three attacks that are directly focused on vulnerabilities in the software applications:

exploiting memory vulnerabilities, improper exception and error handling, external software components

Two types of viruses

file-based and fileless

backdoor

gives access to a computer, program, or service that circumvents normal security protections

armored file-based virus

goes to great lengths to avoid detection

What are the 5 types of primary actions of malware

imprison, launch, snoop, deceive, evade

injections

introduce new input to exploit a vulnerability

file-based virus

malicious code that is attached to a file that reproduces itself on the same computer without any human intervention

rootkit

Malware that can hide its presence and the presence of other malware on the computer. It does this by accessing "lower layers" of the OS to make alterations.

buffer overflow attack

occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer

SQL Injection

One of the most common injection attacks; it inserts statements to manipulate a database server. It targets SQL servers by introducing malicious commands into them.

Ransomware

prevents a user's device from properly operating until a fee is paid

What are the 2 types of imprison malware

ransomware and cryptomalware

SSRF

server-side request forgery

keylogger

Silently captures and stores each keystroke that a user types on the computer's keyboard. It can be a software program or a small hardware device.

Two techniques of the armored file-based virus

split infection and mutation

Two common types of snooping malware

spyware and keyloggers

server-side request forgery (SSRF)

Takes advantage of a trusting relationship between web servers. It exploits how a web server processes external information received from another server.

Cross-Site Request Forgery (CSRF)

Takes advantage of an authentication "token" that a website sends to a user's web browser. If a user is currently authenticated on a website and is then tricked into loading another webpage, the new page inherits the identity and privileges of the victim, who may then perform an undesired function on the attacker's behalf.

Bot

The infected robot computer is known as a bot or zombie. The malware is placed under the remote control of an attacker for the purpose of launching attacks. Infected bot computers receive instructions through a command and control (C&C) structure from the bot herders.

what does a virus do to perform malicious action

The virus first unloads a payload to perform a malicious action, then the virus replicates itself by inserting its code into another file on the same computer.

What 3 attacks can malware launch onto computers

virus, worm, and bot

integer overflow attack

when an attacker changes the value of a variable to something outside the range that the programmer had intended by using an integer overflow
