
SY0-601

Domain 1: Threats, Attacks, and Vulnerabilities


1.1: Compare and Contrast Social Engineering Techniques

1.1.1: Principles

Reciprocity: Receiving a favor and feeling obliged to return it.
Commitment & Consistency: A verbal or written commitment; people tend to act consistently with what they have committed to.
Social Proof: Seeing one person doing something, a larger group starts joining in. Being a “SHEEP”.
Authority: Threatening or pressuring someone using a position of authority.
Liking: Persuading people to do something because they like or trust the persuader.
Scarcity & Urgency: Used in marketing. Saying something is only available in limited quantity or for a limited time causes panic & emotion.

1.1.2: Spam

Found in email, forums, social media, SMS/IM (SPIM), and internet telephony (SPIT).
**SPIM = Spam over Instant Messaging
**SPIT = Spam over Internet Telephony
Spam is used for: 1) Commercial advertising
2) Non-commercial proselytizing (making people join a cause or organization)
3) Phishing attempts – bulk emails sent out.
Concerns with Spam: Security, storage cost

1.1.3: Blocking & Managing Spam

Filters: 1) Filtering for specific keywords
2) Blocking specific domains
3) Blocking IPs/IP ranges
Cons of Filters: 1) Blocking legitimate emails (false positives)
2) May still let spam through
Allowlists: 1) Only allow approved senders
2) Really good at blocking spam
Cons of Allowlists: 1) Very high maintenance
2) Will block legitimate emails from senders not yet on the list
SMTP Standards: 1) Perform SMTP checks to block any emails that do not comply with Request for Comments (RFC) standards
Cons of SMTP Standards: 1) Spam emails compliant with RFC standards will not be blocked.
rDNS (Reverse DNS): 1) Perform reverse DNS checks
2) Block emails not coming from the correct IP addresses associated with the sender’s domain.
Cons of rDNS: 1) Spam emails that pass the DNS check will not be blocked.
Blocking Online Spam (forums, comments): 1) CAPTCHAs (block bots)
2) Security questions before posting
3) Registering before posting
Cons: 1) Improper implementation can hurt the user experience.
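Added example (not part of the original notes): the filter, allowlist and reverse-DNS checks above applied to four constructed messages, showing the false positive a keyword filter produces and why an allowlist blocks every sender nobody has approved yet. The rDNS table is a constructed stand-in for real PTR lookups.

```python
"""Mail-gateway walk-through of the filter, allowlist and reverse-DNS checks
listed above. Added example, not from the original notes. The messages,
block/allow lists and the rDNS table are constructed; a real gateway would
query DNS for the PTR record instead of reading a dictionary."""

# Constructed policy data.
KEYWORDS = {"free money", "act now", "unsubscribe"}
BLOCKED_DOMAINS = {"spam-mart.example"}
ALLOWLIST = {"payroll@corp.example"}
# Constructed stand-in for reverse DNS: connecting IP -> PTR hostname.
RDNS = {"203.0.113.10": "mail.corp.example",
        "203.0.113.20": "mx1.spam-mart.example",
        "198.51.100.5": "dsl-198-51-100-5.isp.example"}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def keyword_filter(msg) -> bool:
    text = (msg["subject"] + " " + msg["body"]).lower()
    return any(k in text for k in KEYWORDS)


def domain_blocked(msg) -> bool:
    return sender_domain(msg["from"]) in BLOCKED_DOMAINS


def rdns_mismatch(msg) -> bool:
    """True if the connecting IP has no PTR record, or its PTR hostname is
    not inside the sender's domain (the rDNS check in the notes)."""
    ptr = RDNS.get(msg["ip"])
    dom = sender_domain(msg["from"])
    return ptr is None or not (ptr == dom or ptr.endswith("." + dom))


def evaluate(msg, use_allowlist: bool = False):
    """Return (verdict, reason). With use_allowlist=True only approved
    senders get through: strong against spam, but high maintenance."""
    if use_allowlist:
        if msg["from"].lower() in ALLOWLIST:
            return "deliver", "allowlisted sender"
        return "block", "sender not on allowlist"
    if domain_blocked(msg):
        return "block", "blocked domain"
    if rdns_mismatch(msg):
        return "block", "rDNS mismatch"
    if keyword_filter(msg):
        return "block", "keyword filter"
    return "deliver", "passed all checks"


# Constructed sample messages (sender, connecting IP, subject, body).
MESSAGES = [
    {"from": "payroll@corp.example", "ip": "203.0.113.10",
     "subject": "March payslip", "body": "Attached is your payslip."},
    {"from": "deals@spam-mart.example", "ip": "203.0.113.20",
     "subject": "FREE MONEY", "body": "Act now!"},
    {"from": "billing@corp.example", "ip": "198.51.100.5",  # spoofed sender
     "subject": "Invoice", "body": "Please pay the attached invoice."},
    {"from": "news@corp.example", "ip": "203.0.113.10",  # legit, gets blocked
     "subject": "Newsletter", "body": "Click here to unsubscribe."},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], "->", evaluate(m), "| allowlist:", evaluate(m, True))
```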

1.1.4: Phishing

Very common attack. Sent in bulk, which means it is SPAM.
Attacker acts as a trusted entity to try and gain access to sensitive info (SSN, credit card number).
Phishing can also be used to spread malware through attachments or fake downloads on websites.
Examples: 1) “Locked out of PayPal”
2) “Update your info” on Citizens Bank
Detecting Phishing Emails: 1) Typos/grammar
2) Missing/bad logos
3) Fake domain
4) Fake URLs
5) Check email headers
**Spoofing: Posing as a trusted source
Defend Against Phishing: 1) MFA
2) Unique password per website

1.1.5: Smishing

Type of phishing attack, but it comes through as an SMS/text message.
SMS + Phishing = Smishing
The link will redirect to a fake website that looks like the real website.
**Remember the PayPal issue where you typed in your real username and password.

1.1.6: Vishing

Subcategory of phishing.
Voice + Phishing = Vishing
Examples: 1) Call saying you owe the IRS money.
2) Call about an Amazon account purchase.

1.1.7: Spear Phishing

Individuals or specific groups are targeted, compared to phishing, which is sent out in bulk.

1.1.8: Whaling

Form of spear phishing, but targeting a high-value target.
Focuses on government officials, CEOs, etc.

1.1.9: Impersonation

Pretending to be a friend and asking for money on social media. Like what happened to Shawn chettan, who was asked for money.

1.1.10: Dumpster Diving

Going through trash to get important information.


Types of shredders: 1) Strip Cut [P1 & P2]. Kinda like the one at home
2) Cross Cut [P3 & P4] - Recommended
3) Micro-Cut [P5 or higher] - Recommended

1.1.11: Shoulder Surfing

Trying to observe you over your shoulder. Can be a colleague.
The attacker can also use a webcam, binoculars, etc.
Use a privacy filter.

1.1.12: Pharming

Getting redirected to a fake website. Happens from typos, etc.
Attackers can manipulate DNS to redirect you to a fake website.
Can also modify a computer’s local DNS records if a hacker gains access to the device.

Pharming vs. Phishing:
Pharming: Typing the correct website address, but getting directed to a wrong website due to DNS record alteration by the attacker. The DNS record is altered by DNS poisoning.
Phishing: The attack itself takes you to a different URL/website.

Prevention against Pharming: 1) Change default DNS settings
2) Check if the site is HTTP or HTTPS
3) Change default router settings (username/passwords)
4) Enable 2FA

1.1.13: Tailgating

Following closely behind someone else to get into a restricted area without your own authorization.


1.1.14: Eliciting Information

Technique to acquire information that is not readily available, without raising suspicion.
Types of Elicitation: 1) Assumed Knowledge – pretend to have knowledge or an association in common with the person.
2) Bracketing – Provide high & low estimates to get a specific number from someone.
3) Confidential Bait – Pretend to share confidential info, so that the other person feels the need to share in return.

1.1.15: Prepending

There are three definitions:
1) Definition 1: Using social media mentions (@username). This increases visibility & engagement. Can be used for spear phishing.
2) Definition 2: Influencing the subject before an event occurs. Ex – last-minute password request.
3) Definition 3: Prepending characters to a domain address, using typos as the method. Ex – google.com to ggoogle.com

1.1.16: Identity Fraud

Stealing my identity and using it as theirs.
Credit Card Fraud – open credit accounts under your name.
Bank Fraud – withdraw funds from your account, or open a new bank account.
Loan Fraud – open a loan to purchase expensive items.
Government Benefit Fraud – someone using a dead person’s Social Security number to get pensions.

1.1.17: Invoice Scams

Sending a fake invoice while impersonating someone else.

1.1.18: Credentials/Password Harvesting

Malware can capture credentials.
This method doesn’t focus on specific information; it is about harvesting whatever is possible.

1.1.19: Reconnaissance

To observe/locate/gather information about a particular target.
2 Types of Reconnaissance:
1) Passive – Observing & gathering information without directly interacting with a person or system.
a. OSINT (Open-Source Intelligence) – using public records to gather information.
2) Active – Engaging with a target to gather additional information.
a. Climbing a fence
b. Asking questions indirectly to find answers – like in the movie Now You See Me

1.1.20: Hoax

Displaying or explaining threats that don’t exist. Like the “Your computer is infected” banners on websites.
Defenses: Spam filters for phone and email.

1.1.21: Watering Hole Attack

Group of attackers preying on a certain organization.
1) Start by monitoring commonly used resources (Ex – websites)
2) Attacker tests those websites for vulnerabilities
3) After finding a vulnerability, it is exploited, using injection attacks, for example.
4) Attackers then wait for one or more employees to fall into the trap.

1.1.22: Typo Squatting & URL Hijacking

Takes advantage of poor spelling, typing errors, or misspellings of domains to:


1) Set up phishing websites
2) Redirect to competitors
3) Redirect to pages with ads
4) Infect the visitor with drive-by downloads
a. Download unwanted files to devices without consent
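Added example, not from the original notes, covering the “fake domain” indicator in 1.1.4, the prepended-domain definition in 1.1.15 (google.com to ggoogle.com) and the typo-squatting above: a lookalike-domain check using edit distance against a constructed list of protected domains.

```python
"""Lookalike-domain check for the typo-squatting and "prepending" cases in
the notes (google.com -> ggoogle.com) and for the "fake domain" phishing
indicator. Added example, not from the original notes; the protected-domain
list and the sample links are constructed."""
from urllib.parse import urlparse

# Constructed list of brands/domains the organisation wants to protect.
PROTECTED = ["google.com", "paypal.com", "citizensbank.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions
    and substitutions turning a into b (one for ggoogle.com vs google.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels only; multi-label public suffixes such as .co.uk are
    out of scope for this illustration."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str, max_distance: int = 2):
    """Return (verdict, protected_domain_it_resembles).

    legitimate       exact match or genuine subdomain of a protected domain
    lookalike        within max_distance edits (prepended/typo'd characters)
    subdomain-abuse  protected brand used as a label inside another domain,
                     e.g. paypal.com.secure-login-check.net
    unrelated        no resemblance found"""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for good in PROTECTED:
        if host == good or host.endswith("." + good):
            return "legitimate", good
    for good in PROTECTED:
        if 0 < edit_distance(reg, good) <= max_distance:
            return "lookalike", good
    for good in PROTECTED:
        if good.split(".")[0] in host.split("."):
            return "subdomain-abuse", good
    return "unrelated", None


def classify_url(url: str):
    """Same check for a full URL as found in an email body."""
    return classify_host(urlparse(url).hostname or "")


if __name__ == "__main__":
    # Constructed sample links as they might appear in a suspicious email.
    for link in ["https://accounts.google.com/signin",
                 "http://ggoogle.com/login",
                 "https://paypa1.com/verify",
                 "https://paypal.com.secure-login-check.net/"]:
        print(link, "->", classify_url(link))
```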

1.1.23: Influence Campaigns

Backed/funded by governments to divide, distract, and persuade populations.
Methods: 1) Traditional & digital advertising
2) Creating/amplifying posts on social media
a) Creating fake user IDs and posting the same content multiple times on social media platforms.

1.1.24: Hybrid Warfare

Techniques used by militaries and governments to wage war in a non-traditional way.
Methods: 1) Cyber warfare

1.2: Analyze Potential Indicators to Determine the Type of Attack

1.2.1: Malware

Malicious software = Malware
Malware spreads by: 1) Drive-by downloads
2) Spam & phishing (fake attachments)
3) Vulnerabilities (leveraged to download and/or execute malware)
4) Software bundles (bundleware): part of torrents
5) Malvertising
Common signs of infection: 1) Slower device/network performance
2) Unknown installed software
3) Unknown social media posts/emails being sent
4) OS functionality getting randomly disabled
Defenses: 1) Anti-malware & anti-virus (keep up to date)
2) Keep OS software up to date

1.2.2: Virus

A virus is a type of malware. Not all malware is a virus.
Virus: computer program designed for malicious purposes.
Virus: can self-replicate. Can replicate through attached flash drives.
Types of Viruses: 1) Polymorphic Viruses – can modify their own code to evade detection.
2) Boot Sector Viruses – take control of the computer as soon as it starts by infecting the boot sector of the hard disk.
3) Web Scripting Virus – exploits browser vulnerabilities
4) Resident Virus – embeds itself in the device’s memory
5) Direct Action Virus – attaches itself to files. Once you open the file, it spreads
6) Macro Virus – virus written in a macro language (Excel, PowerPoint)
Needs a program/human to execute it. Major difference between worms & viruses: viruses latch on to other software.
Types of Damage: 1) Modify files/programs
2) Delete data
3) Change system settings
4) Turn devices into bots
Defense: 1) Anti-virus
2) Software up to date

1.2.3: Worms

Worms can replicate without any human execution, unlike viruses.
Worms spread to other computers over the network, using vulnerabilities.
Morris Worm: first worm ever distributed.
Spread via e-mail

1.2.4: Backdoor

On a previously infected computer, an attacker leaves a “backdoor”, even after the computer is patched, to access it again some other time.
Major issue with ransomware attacks.
Backdoors are not always malicious and can be created by developers (a bad security practice).
Backdoors can be reverse engineered.

1.2.5: Trojan Horses

Malware that pretends to be harmless, but takes control of the device. Meaning they are “door openers”.
A Trojan horse can be made to look like an image file or a video file.
Uses of Trojan Horses: 1) Steal information (ie: harvest credentials)
2) Monitor what gets typed.
3) Take control of peripherals.
4) Install additional malware.
Trojans are not viruses. They do not self-replicate, unlike viruses.
Real-life examples: 1) Qbot – banking trojan.
2) Has a Command & Control (C2 or C&C) feature.
3) Executes ransomware.
Spread via phishing.

1.2.6: Remote Access Trojan (RAT)

RATs provide attackers with remote access to the target device.
Email is the main way they spread.
RATs can be used to launch Distributed Denial of Service (DDoS) attacks.
Have a C2 (C&C) server which lets the attacker send commands to all of the infected devices at once.
Spreads using: 1) Phishing attacks
2) Software bundles
3) Macros (ie: Word, Excel, PowerPoint)

1.2.7: Ransomware & Crypto Malware

Why is Ransomware popular: 1) Profitability
2) Cryptocurrency – makes it easy to move money
3) High impact
Difference between Ransomware and Crypto Malware:
Crypto Malware: Encrypts data to make it unusable. A decryption key or tool is needed to retrieve the data.
Ransomware: Any malware that can be used to create a ransom situation. Not always done with encryption.
Locker-Ransomware: infects PCs and locks the user’s files, preventing access to data and files located on the PC until a ransom or fine is paid.
Scareware: cyberattack tactic that scares people into visiting spoofed or infected websites or downloading malicious software (malware). Example: pop-up ads that appear on a user’s computer.

1.2.8: Ransomware Functionality

How Ransomware Functions: 1) System gets infected with malware
2) Ransomware encrypts data
3) Device stops functioning
4) Attacker requests payment to decrypt the data
Defenses against Ransomware: 1) Back up data in an air-gapped environment
2) Keep software/devices updated
3) Be careful with phishing
**Air Gap = disconnect network/devices from one another**

1.2.9: Potentially Unwanted Programs (PUPs)

PUPs are also referred to as junkware, bundleware, or Potentially Unwanted Applications (PUAs).
Comes with software you download. (Ex – McAfee being downloaded with other programs)
PUPs are not called malware, because the user had to agree to install them, even if unknowingly.
Effects of PUPs: 1) Slow computer
2) Ads → Adware
3) Add browser toolbars → Browser Hijackers
4) Collect and sell information → Spyware
5) Mine cryptocurrency using the computer’s resources
Adware – displays a high number of ads
Browser Hijackers – PUPs that install additional extensions
Spyware – PUPs that collect and sell private information.

1.2.10: Spyware

Spies on user activity and reports back stolen information.
Records: 1) Keystrokes (keylogger)
2) Browser history
3) Network activity
Defense: 1) Keep anti-virus and anti-malware software up to date
2) Watch for bundled installations
3) Frequent backups of systems

1.2.11: Adware & Malvertising

Advertising Models: 1) Pay-per-click
2) Pay-per-view (gets paid each time an advertisement loads)
3) Pay-per-install
Clickjacking – Tricks users into clicking something other than what they thought they clicked on. Like those ads on streaming sites.
Malvertising (Malware Advertising) – the act of using ads to spread malware.

1.2.12: Keyloggers

Records keyboard entries.

1.2.13: Fileless Malware/Virus

Lives in memory and does not rely on executable files. This makes it stealthy.
Process: 1) User opens an attachment
2) Loads malware directly into memory
3) Downloads additional payloads / collects info / escalates privileges / moves through the network.
The technique used by fileless malware is called Living off the Land (LotL). This means it uses trusted, legitimate processes and tools already present on the OS.
Programs used by fileless malware include PowerShell, macros, and .NET.

1.2.14: Logic Bombs

Designed to execute something malicious at a specific date, time, or event.
Difficult for anti-virus/anti-malware software to detect.
Defense: 1) Processes & Procedures: implementing change control procedures
2) Monitoring & Auditing: can detect changes in code/environments and trigger alerts
3) Host-Based Intrusion Detection System (HIDS)

1.2.15: Rootkit

Malware designed to make OS modifications and completely take over.
Attacks and modifies files in the kernel. Thus, it can stay undetected and do major damage.
What it can do: 1) Download additional malware
2) Disable security features
3) Create backdoors, thus making the OS a bot
4) Install spyware

1.2.16: Bots & Botnets

Bots: Compromised devices turned into remotely-controlled devices.
Botnet (Bot Network): Collection of bot devices.
What are bots & botnets used for? 1) Spread misinformation across social-media or e-commerce platforms
2) Attack legitimate web services with overwhelming traffic (DDoS attacks)
3) Attack networks
Botnets are used to relay spam at a large scale.
Proxy network traffic: used to anonymize online actions

1.2.17: Command & Control

Command & Control (C&C/C2) = used to establish control over the targeted device. A backdoor needs to be set up already, via phishing or other forms of attack.
Uses: 1) Receive stolen information
2) Push additional malicious files to the target
3) Issue commands remotely
Block unwanted C2 traffic: 1) Use a firewall
2) IDS
3) Use Security Groups & Network Access Control Lists (NACLs) if using cloud resources.

1.2.18: Password Attacks

Types of Password Attacks (each is covered in 1.2.20 to 1.2.24 below):
1) Spraying Attacks
2) Dictionary Attacks
3) Brute Force Attacks
4) Rainbow Table Attacks
5) Credential Stuffing
Defense: 1) Implement a password policy.
a) Password length > complexity
b) Force password changes after known compromises
c) Password deny list
d) Inactive account lockout
2) Use a password manager
3) Enforce MFA.
a) Combination of something you know (password/PIN) + something you have (authenticator app/RSA key) + something you are (fingerprint/biometric scan)
Two-Factor Authentication (2FA) uses password/PIN + app/RSA key
Multi-Factor Authentication uses 3 forms of authentication (for high-level security)

1.2.19: Plaintext, Encrypted, & Hashed Passwords

Plaintext Password: does not use encryption or hashing to mask the information.
Encrypted Password: transforms plaintext data into ciphertext. Ciphertext is decrypted with a secret key.
a) Symmetric Encryption: uses the same secret key for encrypting & decrypting data. Faster
b) Asymmetric Encryption: uses a public key to encrypt and a private key to decrypt
c) Hashing: functions that convert an input into a fixed-length output. Once hashed, it can be called a “Message Digest” or “Fingerprint”. Hashes cannot be reversed.

Hashes vs. Encryption:
Hashes: 1) Protect the integrity of information 2) Produce a fixed-length output
Encryption: 1) Secures the confidentiality of data 2) Output length varies with the input

Encryption is used to securely send info from users’ devices to a web server for processing.
Hashing is used to store that data (e.g. passwords) in a database.

1.2.20: Brute Force

Trying as many combinations as possible to guess the correct username and password combination.
Limitations (defenses): 1) Rate limiting: limits the number of requests in a given period of time.
2) Account lockouts

1.2.21: Dictionary Attacks

These attacks use lists that contain common words/phrases used in passwords.
A form of brute-force attack. The difference is that a dictionary attack will only use passwords from a list.
Faster than brute-force attacks.
Does not work against complex passwords.

1.2.22: Spraying Attacks

Type of brute-force attack.
Uses a constant password (or a short list of passwords) against numerous usernames, or uses default credentials.
Tries only enough attempts per account to stay below the lockout threshold.
Uses default usernames/passwords.
Targets SSO accounts.

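Added example, not from the original notes, for the brute-force limitations in 1.2.20 and the spraying pattern above: detection logic over constructed failed-login records that separates one account under brute force (lock the account) from one source spraying many accounts (rate-limit the source). The log format and thresholds are assumptions.

```python
"""Spotting brute-force and password-spraying patterns in failed-login
records, to drive the rate-limit and account-lockout defences the notes
list. Added example, not from the original notes; the log lines, the log
format and the thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records: timestamp, result, username, source IP.
LOG = """\
2024-03-01T09:00:01 FAIL alice 198.51.100.7
2024-03-01T09:00:02 FAIL alice 198.51.100.7
2024-03-01T09:00:03 FAIL alice 198.51.100.7
2024-03-01T09:00:04 FAIL alice 198.51.100.7
2024-03-01T09:00:05 FAIL alice 198.51.100.7
2024-03-01T09:05:00 FAIL bob 203.0.113.9
2024-03-01T09:05:30 FAIL carol 203.0.113.9
2024-03-01T09:06:00 FAIL dave 203.0.113.9
2024-03-01T09:06:30 FAIL erin 203.0.113.9
2024-03-01T09:30:00 OK grace 192.0.2.50
"""

WINDOW = timedelta(minutes=10)
LOCKOUT_THRESHOLD = 5   # failures on ONE account inside the window -> lock it
SPRAY_THRESHOLD = 4     # distinct accounts from ONE source inside the window


def parse(log: str):
    """Keep only failures, as (timestamp, user, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        if result == "FAIL":
            events.append((datetime.fromisoformat(ts), user, ip))
    return events


def peak_in_window(items, window, key):
    """Largest number of distinct key(item) values inside any window of
    the given length that starts at one of the (time-sorted) items."""
    items = sorted(items)
    best = 0
    for i, first in enumerate(items):
        seen = {key(x) for x in items[i:] if x[0] - first[0] <= window}
        best = max(best, len(seen))
    return best


def analyse(events, window=WINDOW):
    """Return (accounts_to_lock, sources_to_rate_limit).
    Brute force: many failures against ONE username -> per-account lockout.
    Spraying: one failure each against MANY usernames from one source, kept
    under the lockout threshold on purpose, so only the per-source view
    (distinct usernames per IP) catches it."""
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
        by_ip[ip].append((ts, user))
    lock = {u for u, ev in by_user.items()
            if peak_in_window(ev, window, key=lambda x: x) >= LOCKOUT_THRESHOLD}
    spray = {ip for ip, ev in by_ip.items()
             if peak_in_window(ev, window, key=lambda x: x[1]) >= SPRAY_THRESHOLD}
    return lock, spray


if __name__ == "__main__":
    lock, spray = analyse(parse(LOG))
    print("lock accounts:", sorted(lock))        # ['alice']
    print("rate-limit sources:", sorted(spray))  # ['203.0.113.9']
```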
1.2.23: Rainbow & Hash Tables

Hash functions are one-way functions, meaning a hash cannot be decrypted, only cracked (by guessing inputs).
Hash Tables: store a list of computed hash values of commonly used passwords or of words from a dictionary list.
Rainbow Tables: store a list of computed hash values, organized so that related hash values are chained together in a way that reduces storage space requirements.

Pros and Cons:
Common to both: Pro – hash attacks can be done much faster than brute force. Cons – large storage requirements; a separate table is needed for each hashing algorithm.
Rainbow Table: Pro – faster lookup than hash tables. Con – more computing time required.
Hash Table: Pro – less computationally intensive. Cons – more storage space required; slower lookup than rainbow tables.

Main weakness of hash/rainbow tables: Salting
Adding an additional random string to the password before the hash is calculated. (Ex – Football2 → Salt1245Football2)
According to NIST policy: use SHA-2 or SHA-3 hash functions.
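Added example, not from the original notes: the salting idea above (Football2 → Salt1245Football2) worked through with SHA-256, showing a precomputed hash table recovering an unsalted digest and failing against a salted one. The password list and user entries are constructed.

```python
"""Why salting defeats precomputed hash/rainbow tables, using the notes'
Football2 -> Salt1245Football2 idea with SHA-256 (a SHA-2 function, as the
NIST note recommends). Added example, not from the original notes; the
password list and the user entries are constructed."""
import hashlib
import hmac
import os

# Constructed "dictionary" an attacker would precompute digests for.
COMMON_PASSWORDS = ["password", "123456", "Football2", "qwerty", "letmein"]


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def build_hash_table(words):
    """Precomputed table digest -> plaintext: the 'Hash Table' of the notes."""
    return {sha256_hex(w): w for w in words}


def lookup(table, digest):
    """Crack an UNSALTED digest by table lookup; None if it is not listed."""
    return table.get(digest)


def store_password(password: str, salt_bytes: int = 16):
    """Defender side: random per-user salt, digest = SHA-256(salt || password).
    Returns (salt_hex, digest_hex); both go in the user database, the salt
    is not secret."""
    salt = os.urandom(salt_bytes).hex()
    return salt, sha256_hex(salt + password)


def verify_password(password: str, salt: str, digest: str) -> bool:
    """Recompute with the stored salt; the constant-time compare avoids
    leaking how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(salt + password), digest)


if __name__ == "__main__":
    table = build_hash_table(COMMON_PASSWORDS)
    # Unsalted storage: the precomputed table recovers the password at once.
    print("unsalted lookup:", lookup(table, sha256_hex("Football2")))  # Football2
    # Salted storage: same password, the table finds nothing, and two users
    # with the same password end up with different digests.
    s1, d1 = store_password("Football2")
    s2, d2 = store_password("Football2")
    print("salted lookup:", lookup(table, d1))                 # None
    print("same password, same digest?", d1 == d2)             # False
    print("login ok:", verify_password("Football2", s1, d1))  # True
```

A single SHA-256 round is used here only to match the notes; for real password storage use a deliberately slow, salted password hash such as PBKDF2 (hashlib.pbkdf2_hmac), bcrypt or Argon2.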

1.2.24: Credential Stuffing

Using stolen usernames and passwords from one organization (obtained in a breach or purchased off the dark web) to access user accounts at another organization.
Defenses: 1) Enforce MFA
2) Add a PIN, secondary password, or security question
3) Check user passwords against known leaked passwords
Defense in Depth: layering of defenses.

1.2.25: Physical Attacks

Need physical proximity or a physical device.
Physical Devices: 1) Malicious USB cables
2) Malicious flash drives
3) Card cloning
4) Skimming

1.2.26: Malicious Universal Serial Bus (USB) Cable

Once plugged into a target computer, a malicious USB cable can inject keystrokes to download payloads (Trojan).
Once the USB cable is plugged in, the OS will recognize it as an HID (Human Interface Device).

1.2.27: Malicious Flash Drive

Once plugged into a target computer, a malicious flash drive can inject keystrokes to download payloads (Trojan).
Once the flash drive is plugged in, the OS will recognize it as an HID (Human Interface Device).
Flash drives can also be used as boot devices. After a reboot, the system will boot from the flash drive.
Flash drives can act as wireless gateways/Ethernet adapters.

1.2.28: Card Cloning

Chips in credit cards, used instead of magnetic strips, are there to prevent cloning attacks.
Card cloning: making a duplicate of a real credit card.

1.2.29: Skimming

Types: 1) Point of Sale Skimming
a) Someone uses a skimming device → copies the card information → attacker uses the card data for purchases
2) Point of sale swaps or device tampering
a) Attacker replaces the real point of sale system with a fake one.
3) Self-service skimming
a) Add a card reader at a point of self-service (Ex – gas station)
4) Dummy ATMs
a) Fake ATM add-ons: a fake ATM front placed on top of the real ATM.
5) Web skimming
a) Purchasing from compromised/shady websites.

1.2.30: Adversarial AI & Tainted Training for Machine Learning (ML)

AI & ML need a lot of data for learning; this data is called “Training Data”.
Data Poisoning: sending modified data to corrupt what the machine learning model learns.
Data Poisoning Defense: 1) Data validation
2) Verifying results / constant re-training
3) Resilience to poisoning

1.2.31: Supply-Chain Attacks

Supply Chain: the organizations/people/information/resources that are involved in supplying products/services to consumers.
Defenses: 1) Allowing only authorized applications to run
2) Developing incident response processes
3) Using endpoint detection

1.2.32: Cloud-based vs. On-Premises Attacks

Shared Responsibility Model: a security and compliance framework that outlines the responsibilities of cloud service providers (CSPs) and customers for securing every aspect of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, and the operating system (OS).
Basically – the customer is responsible for security “IN” the cloud. The CSP is responsible for security “OF” the cloud.

1.2.33: Cryptography Concepts

Cryptography is used to encrypt data to maintain its Confidentiality, Integrity, & Authenticity.
Encrypting data that is sitting in storage is called “Encrypting data at REST”.
Encrypting data that is being transferred is called “Encrypting data IN TRANSIT”.
Encrypting data that is being used is called “Encrypting data IN USE”.
Data at Rest needs: 1) Disk encryption
2) File encryption
3) Data encryption
Data in Transit needs: 1) Data encrypted before being sent over the wire to the recipient (https://)
Data in Use needs: 1) Hashes of passwords
2) File encryption

Ciphertext: Encryption converts plaintext into ciphertext. Once it reaches the destination, the ciphertext is converted back to plaintext using a key.
The key that is used:
Symmetric Encryption: the same key is used for encryption & decryption.
Asymmetric Encryption: different keys are used for encryption (Public Key) & decryption (Private Key). Deriving the Public Key from the Private Key is easy; deriving the Private Key from the Public Key is hard.
Beware of MITM attacks.

1.2.34: Cryptographic Attacks

Types of attacks:
a) Known Plaintext Attacks (KPAs) – The attacker knows both the plaintext & the ciphertext (encrypted version) and uses them to figure out the secret key.
b) Downgrade Attacks – Downgrading security by forcing communications to use a weak encryption algorithm. Example: using an older browser which doesn’t support the latest TLS version.
c) Weak Implementations – Never, ever design your own encryption algorithms.
d) Replay Attacks – A malicious attacker intercepts/eavesdrops on a communication & either repeats or delays the transmission.
e) Birthday Attacks – The birthday paradox can be used to reduce the complexity of cracking hash functions. Attackers aim to create hash collisions.
f) Collision Attacks – Collisions happen when two different inputs result in the same hash value output. Because hash functions accept inputs of unbounded length but have a fixed output length, there is always a possibility that two different inputs produce the same output.
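Worked derivation for the birthday and collision entries above; this is added here and is not part of the original notes. Let $N = 2^{b}$ be the number of possible outputs of a $b$-bit hash and $n$ the number of distinct inputs hashed. The probability that all $n$ outputs are different is

$$
P(\text{no collision}) = \prod_{i=0}^{n-1}\left(1-\frac{i}{N}\right) \approx \exp\!\left(-\frac{n(n-1)}{2N}\right) \approx e^{-n^{2}/(2N)}
$$

so a collision becomes likely once $n^{2} \approx 2N$. Setting $P(\text{collision}) = 1 - e^{-n^{2}/(2N)} = \tfrac{1}{2}$ gives

$$
n \approx \sqrt{2N\ln 2} \approx 1.177\sqrt{N} = 1.177 \cdot 2^{b/2}
$$

For a 128-bit digest this is about $2^{64}$ hash computations instead of the $2^{128}$ needed to find a specific preimage by brute force: the square-root saving is the “reduced complexity” the notes mention, and it is why collision resistance needs a digest twice as long as the security level wanted (SHA-256 for 128-bit collision security).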

1.3: Analyze Potential Indicators Associated with Application Attacks
