SYO-701 Threats, Vulnerabilities, and Mitigations Study Guide for the CompTIA Security+

Indicators of Malicious Activity

Indicators of a network attack are the tell-tale signs that reveal an attack has occurred, the type of attack that has occurred, and how the attack occurred. These indicators can be digital footprints left behind by the attack or common network reactions to the attack. Indicators of attack can also be used to determine how far into the network the attack has gone and how to combat and recover from the attack.

Note: Questions on these topics will begin with a scenario.

Malware Attacks

Malware is the overarching term for all software or code that is intentionally designed to cause harm to networks, systems, devices, or users. Malware can be designed to gain information from, gain access to, or restrict the functionality of a network or target device. Each distinct type of malware has specific indicators of attack.

Ransomware

Ransomware is a form of malware that debilitates a system and offers to restore the system for a payment. The system can be debilitated by locking the target out of files, encrypting files, threatening exposure of a target’s sensitive information, or even threatening to report a target to the authorities for infractions, such as pirated software or pornography. The key indicator of ransomware is the demand for a monetary payment in return for computer functionality or restoration of access. The most effective defense against ransomware is an isolated backup or restoration point.

Trojan

A Trojan (or Trojan horse) is a form of malware that hides behind legitimate software to gain entry. A Trojan requires a target to willingly download a file with the infected file attached. The most common scenario for the installation of a Trojan is the downloading of unverified software. Anti-malware scanning tools can detect Trojan-like behavior or signatures to determine if a system has been infected by Trojans. Increased user awareness training is also a primary defense against Trojans.

Worm

A worm is a self-propagating form of malware that requires no user interaction to infect a host or spread. Worms can self-load onto a system by actively seeking out vulnerabilities within the system. The best defense against a worm is anti-malware software that is designed to identify worm behavior and signatures.

Spyware

Spyware is specifically designed to gain information about a network, user, or organization. Spyware can be innocent in nature and designed to send information, such as browsing habits, back to big data collection servers, or they can be malicious in nature, intended to harvest sensitive information from the target. The most effective defense against spyware is the use of anti-malware software as well as user education against potentially dangerous downloads and websites.

Bloatware

Bloatware refers to unwanted applications that come preinstalled on a device or OS. Bloatware is not designed to be malicious but may cause excessive resource use or create vulnerabilities through insecure applications.

Virus

A virus is malicious code that has the ability to self-propagate once installed. A virus requires interaction from the target, such as clicking a link, to initiate a trigger that executes the delivery of the payload. There are multiple types of viruses, including memory or non-memory resident, boot sector, and fileless.

Keylogger

A keylogger is a type of malware that is designed to copy and relay keystrokes or user input back to the threat actor. Keyloggers can be used to discern login credentials or other sensitive information, such as credit card numbers or Social Security numbers. Standard security practices like using anti-malware software can be used to prevent keyloggers from being installed on a target machine. The use of multi-factor authentication (MFA) can also reduce the impact of data collected from a keylogger.

Logic Bomb

A logic bomb is a type of malware that deploys when set conditions are met, such as a specific time frame. Logic bombs are designed to lie dormant, typically as lines of code within a program, until the conditions are met. They can be difficult to detect before deployment.

Rootkit

A rootkit is a type of malware that aims to create a backdoor for the threat actor. The backdoor can be used to access the target device without the target’s knowledge. Rootkits are designed to be hidden within the computer system, often in the master boot record (MBR) on the device, to maintain privilege and avoid detection. Rootkit detection and removal is highly challenging and complex. The best recovery method from an expected rootkit is restoration from a known good backup point.

Physical Attacks

A physical attack is a tactic that attempts to gain information or access through physical and tangible means. Physical attacks can include replicating legitimate devices or planting devices for discovery.

Brute Force

A brute-force physical attack is one that attempts to gain access through direct physical means, such as breaking into a server room or stealing a laptop.

Radio Frequency Identification (RFID) Cloning

RFID cloning, or card cloning, is the process of capturing data from card devices that contain RFIDs or magnetic strips. Once this information is captured, it can be reproduced and used for malicious purposes, such as gaining entry to a restricted area or recreating a credit card for unauthorized use.

Environmental

An environmental physical attack is one that attempts to leverage the physical environment to gain access. For example, if a threat actor is aware that a target is being evacuated due to an incoming tropical storm, the threat actor may use this opportunity to infiltrate the target.

Network Attacks

Network attacks attempt to take advantage of vulnerabilities in a network. They can target the network directly or through access points within the network.

Distributed Denial-of-Service (DDoS)

A DDoS attack is a form of DoS attack that originates from multiple locations, networks, and systems. DDoS attacks are difficult to stop due to their distributed nature and are used to overwhelm or incapacitate a target system. A network DDoS attack is the most common type of DDoS attack and is aimed at disrupting an entire target network.

Network DDoS attacks are either volume or protocol based. A volume-based DDoS network attack attempts to disrupt the system through the sheer volume of traffic sent to the network at one time. Common volume-based attacks are User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) floods. A protocol-based DDoS network attack targets the underlying protocols networks use. The most common protocol-based DDoS attack is a SYN flood.

Amplified

An amplified DDoS attack is a volume-based attack that leverages protocols that return large volumes of results to small queries, such as DNS queries, to disrupt service.

Reflected

A reflected DDoS attack uses a single protocol on both the sending and receiving sides to disrupt a system. These attacks commonly use the target’s spoofed IP address to create excessive traffic.

Domain Name System (DNS) Attacks

DNS is an internet protocol that allows for translating domain names into their corresponding IP address. A DNS attack targets the DNS system to send traffic to an alternate IP. Common DNS attacks include domain hijacking, which changes the registration/ownership of a domain, URL redirection, which most commonly occurs when alternate IP addresses for URLs are entered into a system’s host files, and DNS poisoning.

DNS poisoning can occur in two ways, either through an on-path attack or through direct poisoning of the cache. With a DNS on-path poisoning attack, the DNS request is intercepted and redirected to a malicious site. A DNS cache poisoning attack is similar to a MAC poisoning attack in which the cache that contains the DNS files is tainted.

Wireless

Wireless network attacks attempt to take advantage of vulnerabilities in wireless protocols as well as interfere with the wireless network or create false wireless access points to gain entry to a network or steal information.

On-Path

An on-path attack intercepts traffic as it is sent from one host to another. Intercepted traffic packets can be altered, delayed, or blocked by the interceptor. This was formerly known as (and is often still referred to as) a man-in-the-middle attack.

Replay

A replay attack occurs when a data packet is intercepted by a threat actor who delays or misdirects the packet. A replay attack is a form of a on-path attack, which is when a threat actor situates themselves between two parties to secretly intercept communications.

Credential Replay

A credential replay attack occurs when a data packet containing authentication data is intercepted and used in an attempt to impersonate the credentialed user. A credential replay attack is a replay attack.

Malicious Code

Malicious code is code that can be inserted or used for malicious means. Similar to malware, malicious code is designed to disrupt or intercept communications. Malicious code often uses built-in tools and protocols to leverage a system or network.

Application Attacks

An application attack is an attack aimed at Layer 7, or the application layer, of the Open Systems Interconnection (OSI) model. It aims to take advantage of vulnerabilities in the application layer to gain access to a system or network.

Injection

Injection attacks are used to gain access to the systems supporting the application, such as databases. Injection attacks include SQL injections, command injections, and Lightweight Directory Access Protocol (LDAP) injections.

Buffer Overflow

A buffer overflow attack occurs when more data is written into a memory area than is allowed. This results in the overwriting of data in the memory with new data that can be used to execute malicious processes on the target network.

Privilege Escalation

Privilege escalation is the process of attempting to increase the privileges an attacker has access to. For example, if a threat actor gains access to a system by cracking the password of a standard user, they will then attempt to find vulnerabilities in the system to increase their privilege status to a high status, such as a root user or admin.

Forgery

A request forgery is an attack that attempts to exploit the trust relationship between a user and a server to get the user to execute commands against the server or vice versa. Request forgeries can originate from either the client side via a server-side request forgery (SSRF) or the server side via a cross-site request forgery (CSRF/XSRF). With a SSRF, the client tricks the server into visiting a malicious URL by entering the malicious URL into a user-input value. With a CSRF/XSRF, the server has a malicious URL embedded in a website that executes when the user visits the infected URL.

Directory Traversal

Directory traversal is the process of attempting to jump to different parts in a directory through the use of operators. A directory traversal attack is typically performed using the ../../../ operator.

Cryptographic Attacks

A cryptographic attack is an attack that attempts to bypass the security of a code by discovering weaknesses in the code, cipher, key management scheme, or cryptographic method. A cryptographic attack is designed to attempt to break the code. By breaking the code, access can be gained by the threat actor.

Downgrade

A downgrade attack is an attempt to get a protocol changed from a more secure protocol to a less secure protocol that is easier to crack.

Collision

A collision is when two different inputs create the same output, such as a hash value. When two inputs equal the same output, either input will work to gain access.

Birthday

A birthday attack is based on the birthday theorem, which states that in a given room with 23 or more people, there is a strong probability that two people in that room will have the same birthday. Basically, this means only 51% of the probable inputs are needed to create a collision. A birthday attack can be used to attack hash values.

Password Attacks

A password attack is a technical attack used to discover a target password. Password attacks can be either brute-force or hash-based attacks. A brute-force attack attempts to discover a password by looking for the exact password used, while a hash-based attack attempts to discover a value that results in the same hash value of the password.

Note: A hash is a one-way algorithmic representation of a password that cannot be reverse-engineered and is used for securing the password. Rather than storing a password value in plain text, a hash value is stored for authentication purposes.

Brute Force

A brute-force attack is the iteration of potential password after potential password until the correct password is discovered. A brute-force attack can be either offline or online. An offline attack is one carried out in a closed environment (i.e., not connected to the internet or outside resources). An online attack is an attack on an open or connected environment. For example, a brute-force attack against a PayPal password is an online attack because the password is connected to the PayPal server.

Spraying

A password spraying attack is a brute-force attack that attempts to use a single password or a set of just a few common passwords against numerous accounts.

Indicators

When a vulnerability has been exploited, there may be common signs, or indicators of compromise (IoCs), which can be identified on a device, system, or network.

Account Lockout

Account lockout occurs when a user is unable to access their account, most likely due to excessive use of false passwords. It is a common sign of brute-force password attacks.

Concurrent Session Usage

Concurrent session usage occurs when a single user’s credentials are active on different devices or systems at the same time in different locations or unexpected locations. It is a common sign of compromised credentials.

Blocked Content

Blocked content occurs when data or information cannot be accessed, either due to legitimate filtering or malicious intent.

Impossible Travel

Impossible travel occurs when a user connection is made in two different locations, with the distance between the two locations being too great for the user to have feasibly been at both in the time period between connections.

Resource Consumption

Resource consumption occurs when an unexpected amount of resources are being utilized without associated authorized usage. Excessive resource consumption is often caused when a malicious program is active in the background.

Resource Inaccessibility

Resource inaccessibility occurs when a resource typically available for usage is unavailable. Resource inaccessibility is not necessarily due to malicious activity but may be a sign of resource issues.

Out-of-Cycle Logging

Out-of-cycle logging occurs when a user credential is used during an unexpected time frame. For example, if an employee works between 9:00 and 5:00 p.m., and the credential is used at 3:00 a.m., it is a potential indicator of compromise.

Published/Documented

Published and documented indicators of compromise refer to vulnerabilities and threats that have been previously identified by the cyber community and published in cybersecurity publications and forums.

Missing Logs

All activity on devices and systems leaves cyber trails in the form of logs. Threat actors may remove or delete these logs in an attempt to cover the malicious activity, resulting in missing logs.

Mitigation Techniques

A mitigation technique is an action, tool, or technique used in response to a potential threat to limit its likelihood or impact. You should be familiar with common general mitigation concepts and be able to explain their purposes.

Segmentation

Segmentation is the process of placing different pieces of a network into different zones on a network. Segmentation can be used as a preemptive mitigation technique by separating potentially vulnerable portions of a network from the rest of the network or as a mitigation response by separating known good portions of a network away from the possibly affected portion of a network.

Access Control

Access control is the process of creating rules and boundaries for entities within a system. Access control can be physical, such as through control of physical entry, or logical, such as through the use of access control lists. Access controls are commonly based on users or groups and the permissions associated with their requirements.

Access Control List (ACL)

An ACL is a predefined set of rules for filtering and controlling network traffic. An ACL is similar to a firewall but can be configured directly on a networking device or appliance.

Permissions

Permissions in the ACL refer to what actions or resources a user is authorized to carry out. Depending on the need, permissions may be applied to individuals or groups.

Application Allow List

An application allow list, also known as a whitelist, specifies which applications are allowed to be installed on a device or system. Reconfiguring the application allow list to only include known good applications is a good option if the source of the incident is unknown.

Isolation

Isolation is a mitigation technique that places an affected device or system into a completely separate place from the rest of the network environment. While quarantine and isolation are similar, quarantine typically involves placing an infected device in temporary separation while more information is gathered. Isolation is more drastic and completely removes the infected device or system from any contact with the network.

Patching

Patch, or patch management, is an important part of the mitigation process. Patch management is the process of controlling and managing the patching process by identifying new patches and ensuring the timely installation of new patches on systems and endpoints.

Encryption

Encryption is a mitigation technique that applies cryptographic algorithms to data to protect the security of the encrypted data. Encryption as a mitigation technique should be applied to data at all states: at rest, in transit, and in use.

Monitoring

Monitoring is a mitigation technique that uses data collected to discern potential indicators of compromise. Monitoring techniques range from basic, such as reviewing Windows Defender alerts, to highly complex, involving the use of specialized software and monitoring systems.

Least Privilege

A least privilege policy requires user permissions to be set at the minimum amount needed to complete job functions. For example, an accounting employee would not have privileges set to allow them access to human resources files. The principle of least privilege is a mitigation technique designed to limit the extent of access if a system is compromised.

Configuration Enforcement

Configuration enforcement is the process of managing and monitoring configurations set by company policy. Configurations can only be effective if they are properly applied and enforced.

Decommissioning

Decommissioning is the process of removing a device, program, or system from active use. Proper decommissioning includes accounting for all aspects of the process, from procurement to replacements and the destruction or removal of data after use.

Hardening Techniques

Hardening techniques are mitigation techniques that can protect a device, system, or network at different points in the OSI model. They are designed to act in conjunction with one another to create a layered security approach.

Encryption

Encryption can be applied at multiple levels of the OSI model to create layered security. When using encryption for hardening, it is important to remember to balance security and accessibility.

Installation of Endpoint Protection

An endpoint is a terminal point in any network, such as desktops, mobile devices, or servers. Endpoints are the most prolific as well as the most vulnerable points in a network and require numerous security methods, controls, and protocols to properly manage.

Host-Based Intrusion Prevention System (HIPS)

An IPS is a threat detection system that not only detects but also takes action to prevent or remediate the intrusion. A host-based IPS system analyzes traffic on the host machine before interacting with services or applications on the host. The HIPS will block traffic if it is deemed malicious.

Host-Based Firewall

A host-based firewall is a firewall on the host machine that is capable of allowing or blocking traffic based on a set of preconfigured parameters regarding applications, services, ports, and protocols. The host-based firewall, unlike an HIPS (or host-based intrusion detection system [HIDS]), does not offer insight into the block threat.

Disabling Ports/Protocols

During endpoint configuration, unnecessary and vulnerable ports and protocols should be disabled to harden endpoints.

Default Password Changes

Endpoints are commonly assigned default passwords through the manufacturer and should be changed immediately to secure the endpoint device.

Removal of Unnecessary Software

New devices, such as computers and cellular devices, often come with preinstalled and unnecessary software. This software is commonly referred to as bloatware and may create potential vulnerabilities. All unnecessary software should be removed to harden the device.