CEH
Information security
"the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable."
Inverse TCP Flag Scanning
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.
reconnaissance
Cyber Kill Chain Phase 1 that collects as much information about the target as possible to probe for weak points before actually attacking.
weaponization
Cyber Kill Chain Phase 2 that analyzes the data collected in the reconnaissance stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization.
delivery
Cyber Kill Chain Phase 3 that measures the effectiveness of the defense strategies implemented by the target organization based on whether the intrusion attempt of the adversary is blocked or not.
exploitation
Cyber Kill Chain Phase 4 that triggers the adversary's malicious code to exploit a vulnerability in the operating system, application, or server on a target system.
installation
Cyber Kill Chain Phase 5 where the adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period.
Command and control
Cyber Kill Chain Phase 6 where the adversary creates a command and control channel, which establishes two-way communication between the victim's system and the adversary-controlled server to communicate and pass data back and forth.
Actions on Objectives
Cyber Kill Chain Phase 7 where the adversary controls the victim's system from a remote location and finally accomplishes their intended goals.
reconnaissance
Hacking phase 1: refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack.
Scanning
Hacking phase 2: Here, the attacker uses the details gathered during reconnaissance to scan the network for specific information.
Maintaining access
Hacking phase 4: refers to the phase when the attacker tries to retain his or her ownership of the system.
Gaining access
Hacking phase 3: This is the phase in which real hacking occurs. Attackers use vulnerabilities identified during the reconnaissance and scanning phases to gain access to the target system and network.
ARP Scan
In the ______, ARP packets are sent to discover all active devices in the IPv4 range, even when the presence of such devices is hidden by restrictive firewalls.
Network scanning
Lists the active hosts and IP addresses. ______ is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.
port scanning
Lists the open ports and services. _______ is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in.
Preparation
Phase 1 of the IH&R process. It includes performing an audit of resources and assets to determine the purpose of security and define the rules, policies, and procedures that drive the IH&R process.
Incident Recording and Assignment
Phase 2 of the IH&R process. In this phase, the initial reporting and recording of the incident take place.
Incident Triage
Phase 3 of the IH&R process. In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized.
Notification
Phase 4 of the IH&R process. In this phase, the IH&R team informs various stakeholders, including management, third-party vendors, and clients, about the identified incident.
Containment
Phase 5 of the IH&R process. This phase helps to prevent the spread of infection to other organizational assets, preventing additional damage.
Evidence Gathering and Forensic Analysis
Phase 6 of the IH&R process. In this phase, the IH&R team accumulates all possible evidence related to the incident and submits it to the forensic department for investigation.
Eradication
Phase 7 of the IH&R process. In this phase, the IH&R team removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incidents in the future.
Recovery
Phase 8 of the IH&R process. In this phase, the IH&R team restores the affected systems, services, resources, and data through recovery.
Post-Incident Activities
Phase 9 of the IH&R process.
Tactics, Techniques, and Procedures (TTP)
Refers to the patterns of activities and methods associated with specific threat actors or groups of threat actors.
Risk Tracking and Review
The risk management phase that determines the measures and procedures adopted and ensures that the information gathered to perform the assessment was appropriate.
Email indicators, network indicators, host-based indicators, behavioral indicators
The four categories of IoCs.
Risk Identification
The initial step of the risk management plan. Its main aim is to identify the risks—including the sources, causes, and consequences of the internal and external risks affecting the security of the organization before they cause harm.
risk assessment
This risk management phase assesses the organization's risks and estimates the likelihood and impact of those risks.
Risk Treatment
This risk management phase is the process of selecting and implementing appropriate controls on the identified risks in order to modify them.
TCP Maimon scan
This scan technique is very similar to the NULL, FIN, and Xmas scans, but the probe used here is FIN/ACK.
techniques
To launch an attack successfully, threat actors use several ____________ during its execution.
Operational Threat Intelligence
_________ provides contextual information about security events and incidents that help defenders disclose potential risks, provide greater insight into attacker methodologies, identify past malicious activities, and perform investigations on malicious activity in a more efficient way.
Tactical Threat Intelligence
___________ provides information related to the TTPs used by threat actors (attackers) to perform attacks.
Technical threat intelligence
____________ provides information about resources an attacker uses to perform an attack; this includes command and control channels, tools, and other items.
Hacktivism
_____________ is when hackers break into government or corporate computer systems as an act of protest.
IDLE/IPID Header Scan
a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available.
SHODAN
a computer search engine that searches the Internet for connected devices (routers, servers, and IoT devices).
hacker
a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks.
PCI DSS (Payment Card Industry Data Security Standard)
a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Threat Modeling
a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects it.
Defense in Depth
a security strategy in which security professionals use several protection layers throughout an information system.
Intelligence-based warfare
a sensor-based technology that directly corrupts technological systems.
incident management
a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and prevent recurrence of the incident.
theHarvester
a tool designed to be used in the early stages of a penetration test. It is used for open-source intelligence gathering and helps to determine a company's external threat landscape on the Internet.
Non-Repudiation
a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
Sarbanes-Oxley Act
aims to protect the public and investors by increasing the accuracy and reliability of corporate disclosures.
Digital Millennium Copyright Act (DMCA)
an American copyright law that implements two 1996 treaties from the World Intellectual Property Organization (WIPO).
risk level
an assessment of the resulting impact on the network.
Cyber Kill Chain
an efficient and effective way of illustrating how an adversary can attack the target organization.
NetScanTools Pro
an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network.
https://pentest-tools.com
an online tool used for discovering subdomains and their IP addresses, including network information and their HTTP servers.
Metasploit
an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing.
Internal reconnaissance, use of PowerShell, unspecified proxy activities, use of command-line interface, HTTP user agent, command and control server, use of DNS tunneling, use of web shell, data staging
Behaviors of an adversary that can be used to enhance the detection capabilities of security devices.
Economic warfare
can affect the economy of a business or nation by blocking the flow of information.
Tactics
describe the way the threat actor operates during different phases of an attack.
Risk Identification, Risk Assessment, Risk Treatment, Risk Tracking and Review
The four key steps commonly termed risk management phases are:
clearing tracks
Hacking phase 5: refers to the activities carried out by an attacker to hide malicious acts.
state-sponsored hackers
individuals employed by the government to penetrate, gain top-secret information from, and damage the information systems of other governments.
suicide hackers
individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment.
black hats (cracker)
individuals who use their extraordinary computing skills for illegal or malicious purposes.
white hats
individuals who use their hacking skills for defensive purposes.
gray hats
individuals who work both offensively and defensively at various times.
cyber terrorists
individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks.
procedures
involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle.
Passive Attacks
involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data.
Adversary Behavioral Identification
involves the identification of the common methods or techniques followed by an adversary to launch attacks to penetrate an organization's network.
Sublist3r
is a Python script designed to enumerate the subdomains of websites using OSINT. It enables you to enumerate subdomains across multiple sources at once.
D&B Hoovers
leverages a commercial database of 120 million business records and analytics to deliver a sales intelligence solution that enables sales and marketing professionals to focus on the right prospects so that they can generate immediate growth for their business.
Censys
monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet.
Distribution attack
occurs when attackers tamper with hardware or software prior to installation.
Insider Attacks
performed by trusted persons who have physical access to the critical assets of the target.
Close-in Attacks
performed when the attacker is in close physical proximity with the target system or network. (shoulder surfing)
Electronic Data Gathering, Analysis, and Retrieval system (EDGAR)
performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file with the U.S. Securities and Exchange Commission (SEC).
www.netcraft.com
provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning.
Lexis-Nexis
provides content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets.
HIPAA (Health Insurance Portability and Accountability Act)
provides federal protections for the individually identifiable health information held by covered entities and their business associates and gives patients an array of rights to that information.
Strategic Threat Intelligence
provides high-level information regarding cybersecurity posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions.
Hacking
refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources.
Information Assurance (IA)
refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information.
Authenticity
refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted.
risk
refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions.
C2 Warfare
refers to the impact an attacker possesses over a compromised system or network that they control.
UDP ping scan
scan that has the benefit of detecting systems behind firewalls.
vulnerability scan
shows the presence of known weaknesses.
ISO/IEC 27001:2013
specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization.
Active Attacks
tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. (DoS)
Confidentiality
the assurance that the information is accessible only to authorized
Availability
the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users.
indicators of compromise (IOCs)
the clues, artifacts, and pieces of forensic data that are found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure.
Cyber Threat Intelligence
the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks.
Footprinting
the first step in ethical hacking; it refers to the process of collecting information about a target network and its environment.
ethical hacking
the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities.
Risk Management
the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk.
Incident handling and response (IH&R)
the process of taking organized and careful steps when reacting to a security incident or cyberattack.
Hacker Warfare
the purpose of this type of warfare can vary and includes the shutdown of systems, data errors, theft of information, theft of services, system monitoring, false messaging, and access to data.
Integrity
the trustworthiness of data or resources in the prevention of improper and unauthorized changes.
Cyberwarfare
the use of information systems against the virtual personas of individuals or groups.
Psychological warfare
the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
XMAS Scan
a type of inverse TCP scanning technique that sends a TCP frame with the FIN, URG, and PUSH flags set to a remote device. If the target port is open, you will receive no response from the remote system. If the target port is closed, the remote system will reply with an RST.
script kiddies
unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers.
Tor Browser
used to access the deep and dark web, where it acts as a default VPN for the user and bounces the network IP address through several servers before interacting with the web.
Electronic Warfare
uses radio-electronic and cryptographic techniques to degrade communication.