
1.0 Threats, Attacks, and Vulnerabilities


Comparing Social Engineering Techniques:
Social engineering exploits human psychology and organizational processes to deceive individuals into revealing sensitive information or performing actions that compromise security.
• Pharming: Redirects users from legitimate websites to fraudulent ones. Attackers manipulate DNS records or inject malicious code into routers to reroute traffic to malicious sites.
• Tailgating: Attackers gain unauthorized physical access to restricted areas by closely following authorized personnel through secure entrances.
• Whaling: Targets high-profile individuals such as executives or celebrities to obtain sensitive information, like financial data or credentials, through personalized attacks.
• Invoice scams: Attackers send fraudulent invoices or payment requests to organizations, tricking them into transferring funds to attacker-controlled accounts.
• Credential harvesting: Gathers usernames, passwords, or other credentials through phishing emails, fake login pages, or social media manipulation.
• Influence campaigns: Manipulate public opinion or behavior by spreading misinformation, propaganda, or fake news through social media platforms or other communication channels.
• Hybrid warfare: Combines traditional military tactics with cyber operations to achieve strategic objectives, such as disrupting critical infrastructure or destabilizing governments.
Principles of Social Engineering:
• Authority: Exploits individuals' tendency to obey authority figures or comply with requests from perceived superiors.
• Intimidation: Uses threats or fear to coerce individuals into divulging sensitive information or complying with attackers' demands.
• Consensus: Relies on social conformity, where individuals are more likely to adopt behaviors or beliefs endorsed by a majority.
• Familiarity: Leverages existing relationships or personal connections to gain trust and lower victims' guard.
• Trust: Establishes credibility or rapport with targets to deceive them more effectively and increase the likelihood of compliance.
Analyzing Indicators of Attacks:
Understanding indicators of various attacks helps in identifying and responding to security incidents effectively.
• Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to computer systems or networks.
    • Potentially Unwanted Programs (PUPs): Software that may harm a computer or its user, typically bundled with legitimate software downloads.
    • Fileless virus: Malware that operates entirely in memory without leaving traces on disk.
    • Command and control (C&C): Malware that communicates with a remote server to receive commands or exfiltrate data.
    • Keyloggers: Programs that record keystrokes to capture sensitive information such as passwords or credit card numbers.
    • Remote Access Trojan (RAT): Malware that provides attackers with unauthorized access to infected systems.
    • Rootkit: Malware that enables unauthorized users to gain privileged access and hide malicious activities.
    • Backdoor: Unauthorized access mechanism left by attackers to gain future access to compromised systems.
• Password attacks: Attempts to gain unauthorized access to systems by guessing or stealing passwords.
    • Spraying: Method of attempting to authenticate using a few commonly used passwords across multiple accounts or systems.
    • Plaintext/unencrypted: Passwords stored or transmitted without encryption, making them susceptible to interception or theft.
• Physical attacks: Involves physical manipulation or compromise of hardware or systems.
    • Malicious universal serial bus (USB) cable: USB cables modified to execute malicious commands when connected to a device.
    • Malicious flash drive: USB drives containing malware designed to infect systems when inserted.
    • Card cloning: Unauthorized duplication of credit or debit card information for fraudulent use.
    • Skimming: Illegally collecting data from magnetic stripes on credit or debit cards.
• Adversarial artificial intelligence (AI): Exploits vulnerabilities in AI systems or uses AI techniques for malicious purposes.
    • Tainted training data for machine learning (ML): Manipulating training data to bias AI models or generate incorrect predictions.
    • Security of machine learning algorithms: Identifying and exploiting vulnerabilities in machine learning algorithms to manipulate outcomes.
• Supply-chain attacks: Target vulnerabilities in the supply chain to compromise the integrity of products or services.
• Cryptographic attacks: Exploits weaknesses in cryptographic algorithms or protocols to compromise data confidentiality or integrity.
    • Birthday: Exploits the birthday paradox: the probability that two different inputs share the same hash output is far higher than intuition suggests, so an attacker needs on the order of the square root of the number of possible outputs, not all of them, to find a match.
    • Collision: Finds two different inputs that produce the same hash output.
    • Downgrade: Forces systems to use weaker cryptographic protocols or algorithms, making them susceptible to attacks.
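The following is an added example, not part of the original study notes: it computes the birthday bound that the "Birthday" entry refers to, and then finds a real collision against SHA-256 deliberately truncated to 24 bits so the square-root effect is visible in a second or two. The truncation, the message format and the trial budget are assumptions made for the demonstration.

```python
import hashlib
import math


def collision_probability(n_bits: int, trials: int) -> float:
    """Probability that `trials` uniformly random n-bit hash values contain
    at least one collision: p ~= 1 - exp(-k(k-1) / (2N)) with N = 2**n_bits."""
    space = 2 ** n_bits
    return 1.0 - math.exp(-trials * (trials - 1) / (2.0 * space))


def trials_for_half_chance(n_bits: int) -> int:
    """Hash evaluations needed for about a 50% collision chance: ~1.1774 * sqrt(N).
    Finding a preimage of one specific output costs about N, which is why a
    hash needs twice the bits against collisions that it needs against preimages."""
    return math.ceil(1.1774 * math.sqrt(2 ** n_bits))


def truncated_sha256(data: bytes, n_bits: int) -> int:
    """Toy weak hash for the demo (assumption: keep only the top n_bits of
    SHA-256 so a collision becomes findable on a laptop; full SHA-256 is not)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, max_trials: int = 1_000_000):
    """Hash distinct constructed messages until two map to the same n-bit value.
    Returns (msg_a, msg_b, trials_used) or None if the budget runs out."""
    seen = {}
    for i in range(max_trials):
        msg = f"constructed message {i}".encode()
        h = truncated_sha256(msg, n_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    for bits in (24, 32, 64, 128):
        print(f"{bits:3d}-bit hash: ~{trials_for_half_chance(bits):.3g} hashes "
              f"for a 50% collision chance")
    a, b, used = find_collision(24)
    print(f"24-bit collision after {used} hashes: {a!r} and {b!r}")
```

For a 24-bit output the search succeeds after a few thousand hashes rather than the sixteen million a preimage search would need; the same ratio is what makes 128-bit hashes such as MD5 unsuitable where collision resistance matters.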
Analyzing Indicators of Application Attacks:
Application attacks target software applications to gain unauthorized access, steal data, or disrupt services.
• Injections: Exploits vulnerabilities in input handling to inject and execute malicious code.
    • Structured Query Language (SQL): Injecting SQL commands into input fields to manipulate databases.
    • Dynamic Link Library (DLL): Injecting malicious DLL files into legitimate processes to execute arbitrary code.
    • Lightweight Directory Access Protocol (LDAP): Manipulating LDAP queries to gain unauthorized access to directory services.
    • Extensible Markup Language (XML): Exploiting vulnerabilities in XML parsers to execute malicious code or extract sensitive information.
• Pointer/object dereference: Manipulates memory pointers or objects to gain unauthorized access or execute arbitrary code.
• Directory traversal: Attempts to access files or directories outside the intended directory structure.
• Race conditions: Exploits timing dependencies in software to execute malicious actions.
    • Time of check/time of use: Exploits the time gap between checking a resource's status and using it, allowing for unauthorized changes.
• Error handling: Exploits vulnerabilities in error-handling mechanisms to bypass security controls or crash applications.
• Integer overflow: Causes an arithmetic result to exceed the range of its integer type and wrap around; the wrong value can then undersize a buffer or defeat a bounds check, leading to memory corruption, unexpected behavior, or system compromise.
• Application Programming Interface (API) attacks: Abuses APIs to gain unauthorized access, manipulate data, or disrupt services.
• Resource exhaustion: Overwhelms system resources, such as memory or CPU, to degrade performance or cause denial of service.
• Memory leak: Exploits programming errors that cause applications to improperly allocate or release memory, potentially leading to system instability.
• Secure Sockets Layer (SSL) stripping: Downgrades HTTPS connections to unencrypted HTTP, allowing attackers to intercept or modify traffic.
• Driver manipulation: Exploits vulnerabilities in device drivers to gain unauthorized access or manipulate system functionality.
    • Shimming: Injects code into device drivers to intercept and modify system calls.
    • Refactoring: Rewrites driver code to introduce vulnerabilities or add malicious functionality.
• Pass the hash: Exploits weaknesses in authentication protocols to gain unauthorized access by using hashed passwords instead of plaintext credentials.
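Added example for the "Directory traversal" entry above (not code from the original notes): a file-serving helper in its vulnerable form beside a hardened version that resolves the requested path and refuses anything that lands outside the base directory. The temporary directory layout, file names and the `resolve_under_base` helper are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def unsafe_read(base_dir: str, user_path: str) -> bytes:
    """Vulnerable: the untrusted name is joined as-is, so "../secret.txt"
    (or an absolute path) walks straight out of base_dir."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_under_base(base_dir: str, user_path: str) -> Path:
    """Resolve the request (following symlinks and collapsing "..") and
    refuse it unless the final path is inside base_dir."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """True if the hardened check would serve the request, False if it rejects it."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except PermissionError:
        return False


def safe_read(base_dir: str, user_path: str) -> bytes:
    """Hardened read: only paths that resolve under base_dir are opened."""
    with open(resolve_under_base(base_dir, user_path), "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <tmp>/public/hello.txt is servable, <tmp>/secret.txt is not."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "hello.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("top secret")
    results = {
        "unsafe_normal": unsafe_read(public, "hello.txt"),
        "unsafe_traversal": unsafe_read(public, "../secret.txt"),  # leaks the file
        "safe_normal": safe_read(public, "hello.txt"),
    }
    try:
        safe_read(public, "../secret.txt")
        results["safe_traversal"] = "ALLOWED"
    except PermissionError:
        results["safe_traversal"] = "BLOCKED"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {value!r}")
```

The check compares resolved paths rather than looking for the substring `..`, so encoded or symlink-based variants are handled the same way; the one case it deliberately allows is a request that normalizes back inside the base directory.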
Analyzing Indicators of Network Attacks:
Network attacks target network infrastructure or communication protocols to gain unauthorized access or disrupt services.
• Domain Name System (DNS) attacks: Manipulates DNS infrastructure to redirect traffic, perform cache poisoning, or hijack domains.
    • Domain hijacking: Unauthorized transfer of control over a domain name registration to another entity.
    • DNS poisoning: Injects false DNS records into DNS caches to redirect traffic to malicious destinations.
    • Uniform Resource Locator (URL) redirection: Redirects users from legitimate websites to phishing or malicious sites.
    • Domain reputation: Assessing the reputation of domains to identify potential threats or malicious activity.
• Layer 2 attacks: Exploits vulnerabilities in Layer 2 protocols to intercept or manipulate network traffic.
    • Address Resolution Protocol (ARP) poisoning: Manipulates ARP cache tables to associate IP addresses with incorrect MAC addresses.
    • Media Access Control (MAC) flooding: Overwhelms switch MAC address tables with bogus entries to disrupt network communication.
    • MAC cloning: Spoofs MAC addresses to impersonate legitimate devices on the network.
• Malicious code execution: Executes malicious code or scripts to compromise networked devices or systems.
    • PowerShell: Exploits PowerShell scripts or commands to execute malicious actions or download additional payloads.
    • Python: Utilizes Python scripts or libraries to carry out malicious activities, such as network reconnaissance or data exfiltration.
    • Bash: Executes malicious Bash scripts or commands to manipulate system configuration or escalate privileges.
    • Macros: Exploits vulnerabilities in document macros to execute malicious code when documents are opened.
    • Visual Basic for Applications (VBA): Uses VBA macros in documents or spreadsheets to execute malicious actions when opened in compatible applications.
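Added example (not from the original notes) for the detection side of the ARP poisoning entry: a small monitor that replays a constructed stream of ARP replies and flags the three signs a defender looks for, an IP whose MAC changes, a static gateway binding that is contradicted, and a single MAC that starts claiming many IPs. The trusted-binding table, the addresses (documentation ranges) and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed static binding for the gateway (MACs from the 00:00:5e:00:53:xx documentation range).
TRUSTED_BINDINGS = {"192.0.2.1": "00:00:5e:00:53:01"}

# Constructed ARP reply stream: (seconds since start, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0,  "192.0.2.1",  "00:00:5e:00:53:01"),  # real gateway answers
    (1,  "192.0.2.10", "00:00:5e:00:53:10"),  # normal host
    (2,  "192.0.2.11", "00:00:5e:00:53:11"),  # normal host
    (30, "192.0.2.1",  "00:00:5e:00:53:aa"),  # a different MAC now claims the gateway IP
    (31, "192.0.2.10", "00:00:5e:00:53:aa"),  # ... and the hosts' IPs
    (32, "192.0.2.11", "00:00:5e:00:53:aa"),
    (33, "192.0.2.12", "00:00:5e:00:53:aa"),  # same MAC claims a fourth IP
]


def analyze_arp_replies(replies, trusted=TRUSTED_BINDINGS, max_ips_per_mac=3):
    """Return a list of (time, alert_type, subject, detail) tuples, in order seen."""
    learned = {}                    # ip -> last MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    flagged_macs = set()            # report the many-IPs condition once per MAC
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        # 1. A reply contradicting a statically configured binding (gateway impersonation).
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "trusted_binding_violation", ip, mac))
        # 2. An IP that was previously bound to a different MAC.
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip_mac_change", ip, f"{prev} -> {mac}"))
        learned[ip] = mac
        # 3. One MAC claiming more IPs than any legitimate host should.
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((ts, "mac_claims_many_ips", mac, sorted(ips_by_mac[mac])))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_REPLIES):
        print(alert)
```

The first three replies produce no alerts; everything from the thirty-second mark on does, which is the pattern a SIEM rule fed by a switch's dynamic ARP inspection logs would key on.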

Summarizing Security Assessment Techniques:
Security assessments help identify and mitigate security risks and vulnerabilities within an organization's infrastructure.
• Threat hunting: Proactively searches for indicators of compromise or potential security threats.
    • Intelligence fusion: Integrates various sources of threat intelligence to identify patterns or trends indicating potential threats.
    • Threat feeds: Subscribes to threat intelligence feeds to receive real-time updates on emerging threats or attack trends.
    • Advisories and bulletins: Monitors security advisories and bulletins issued by vendors, security organizations, or government agencies for relevant threats or vulnerabilities.
    • Maneuver: Uses threat intelligence to adapt defensive strategies and tactics to counter evolving threats.
• Vulnerability scans: Identifies weaknesses and vulnerabilities in systems, networks, or applications.
    • Credentialed vs. non-credentialed: A credentialed scan logs in with privileged credentials to read system configurations and settings for a more comprehensive assessment; a non-credentialed scan sees only what an unauthenticated outsider would.
    • Intrusive vs. non-intrusive: Conducts scans that either actively probe systems for vulnerabilities or passively gather information without directly interacting with systems.
    • Application: Focuses on identifying vulnerabilities specific to software applications or web services.
    • Web application: Scans web applications for common security vulnerabilities, such as SQL injection, cross-site scripting (XSS), or insecure authentication mechanisms.
    • Network: Scans network infrastructure for misconfigurations, outdated software, or known vulnerabilities in network protocols.
• Syslog/Security Information and Event Management (SIEM): Collects and analyzes security event data to detect and respond to security incidents.
    • Review reports: Analyzes reports generated by SIEM systems to identify anomalies, patterns, or indicators of compromise.
    • Packet capture: Captures network traffic for analysis, forensics, or incident response purposes.
    • Data inputs: Integrates data from various sources, such as logs, network traffic, or endpoint security solutions, into SIEM platforms for centralized analysis.
    • User behavior analysis: Monitors user activities and behaviors to detect unauthorized or suspicious actions that may indicate a security incident.
    • Sentiment analysis: Analyzes textual data, such as social media feeds or customer feedback, to identify potential security threats or reputational risks.
    • Security monitoring: Monitors network, system, and application logs in real time to detect and respond to security incidents promptly.
    • Log aggregation: Collects and consolidates log data from multiple sources for centralized analysis and correlation.
    • Log collectors: Deployed agents or appliances that collect log data from various sources and forward it to centralized SIEM or log management systems.
• Security Orchestration, Automation, Response (SOAR): Automates incident response processes to improve efficiency and effectiveness.
    • Orchestration: Coordinates and automates incident response workflows, such as triage, analysis, containment, and remediation.
    • Automation: Implements automated response actions, such as blocking malicious IP addresses, quarantining infected systems, or updating firewall rules.
    • Response: Facilitates timely and coordinated responses to security incidents, leveraging predefined playbooks, workflows, and response actions.

Explaining Penetration Testing Techniques:
Penetration testing evaluates the security posture of systems and networks by simulating real-world attacks.
• Penetration testing: Systematically tests security defenses to identify weaknesses and vulnerabilities.
    • Lateral movement: Expands access within a network or system after initial compromise.
    • Cleanup: Restores systems to their original state and ensures no lasting damage after testing is complete.
• Passive and active reconnaissance: Gathers information about the target environment, including infrastructure, applications, and personnel.
    • Drones/Unmanned Aerial Vehicle (UAV): Uses drones equipped with scanning or surveillance capabilities to gather information about physical or wireless infrastructure.
    • War flying: Conducts reconnaissance of wireless networks by flying drones equipped with Wi-Fi sniffing tools to identify access points and potential vulnerabilities.
    • War driving: Drives or walks through target areas with a scanning device to identify and map wireless networks and access points.
    • Footprinting: Gathers information about the target organization's infrastructure, systems, and networks using open-source intelligence (OSINT) techniques.
