📚 Key Terms

TTPs
TTPs stands for Tactics, Techniques and Procedures: the patterns of activity or methods associated with a specific threat actor or group of threat actors.
Brute-force attack
Brute-force is a password-guessing attack: it tries combination after combination of usernames and passwords until one succeeds. Mitigation: encourage users to choose complex passwords; lock out accounts after a few failed attempts; use a CAPTCHA to slow down automated guessing; use multi-factor authentication.
Dictionary attack
A dictionary attack is a type of brute-force attack that uses a list of words (a dictionary) as candidate passwords. Mitigation: advise users not to use a single dictionary word or easily identifiable personal information as a password; encourage complex passwords; lock out accounts after a few failed attempts; use a CAPTCHA to slow down guessing; use multi-factor authentication.
Rainbow attack
A rainbow table attack is a type of brute-force attack that uses precomputed tables of password hashes to recover passwords from stolen hashes. Mitigation: rainbow tables are easily defeated by salting each password hash with a unique random value; lock out accounts after a few failed attempts; use a CAPTCHA to slow down guessing; use multi-factor authentication.
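An added example (not part of the original page) showing why salting defeats precomputed tables: a tiny digest-to-plaintext table built from a constructed four-word list matches an unsalted SHA-256 hash with one lookup, but has nothing to match once the same password is hashed with a per-user random salt via PBKDF2. The wordlist, salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist standing in for the plaintexts a precomputed table covers.
SAMPLE_WORDLIST = ["password", "letmein", "qwerty", "welcome1"]
PBKDF2_ITERATIONS = 100_000  # constructed for the demo; tune for your hardware


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(wordlist) -> Dict[str, str]:
    """digest -> plaintext for every word: the core idea behind a rainbow table.
    It is computed once and then answers any unsalted hash with a single lookup."""
    return {unsalted_hash(word): word for word in wordlist}


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt. The salt is not secret and is
    stored next to the hash; its job is to make every user's hash unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hex)


def demo(password: str = "letmein") -> Tuple[Optional[str], Optional[str], bool]:
    table = build_precomputed_table(SAMPLE_WORDLIST)
    # Unsalted storage: one dictionary lookup recovers the password.
    unsalted_hit = table.get(unsalted_hash(password))
    # Salted storage: the digests were precomputed without this salt, so the table
    # cannot match; a fresh table would be needed for every distinct salt.
    salt = os.urandom(16)
    stored = salted_hash(password, salt)
    salted_hit = table.get(stored)
    # The legitimate login path still works because the salt is stored with the hash.
    return unsalted_hit, salted_hit, verify_salted(password, salt, stored)


if __name__ == "__main__":
    print(demo())  # ('letmein', None, True)
```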
Pass-the-hash attack
Pass-the-hash is a technique that lets an attacker authenticate to a remote server or service using the stored hash of a user's password instead of the password itself. Mitigation: restrict and protect highly privileged domain accounts; restrict and protect local accounts with administrative privileges; restrict inbound traffic using the Windows Firewall.
Scanning
Scanning is a method for discovering communication channels (open ports and listening services) that may be exploitable. Mitigation: use a firewall and IPS; harden the OS; use honeypots to detect scanning activity.
Sniffing Attack
Sniffing is the theft or interception of data by capturing network traffic as it flows across a computer network. Mitigation: avoid insecure protocols (HTTP, FTP, Telnet, etc.) in favour of their secured versions (HTTPS, SFTP, SSH, etc.); use encryption for data in transit wherever possible.
Phishing
Phishing is a cyber attack that uses a disguised email as its weapon. Mitigation: use email security solutions; educate users; deploy DMARC.
Spear Phishing
Spear phishing is an email scam targeted at a specific individual, organization or business.
Whaling
Whaling is a type of phishing that targets senior management, leadership teams or other high-value individuals at an organization.
Exploit and Payload
An exploit is a tool that takes advantage of a vulnerability; the payload is the actual malware it delivers. Example: EternalBlue (the exploit) and WannaCry (the payload).
Vishing
Vishing works like phishing, except that instead of sending an email the attacker tricks the target into giving up critical or sensitive information over a phone call.
Spoofing
Spoofing is a malicious practice used by scammers and attackers to deceive systems, individuals and organizations into perceiving something as what it is not. Mitigation: deploy an IPS; educate users; enable port-level security.
DOS and DDOS attack
Denial-of-Service (DoS) is a type of cyberattack in which the attacker seeks to make a machine or network resource unavailable to its intended users. Distributed Denial-of-Service (DDoS) is an attack in which multiple systems are used to launch a DoS attack against one target. Mitigation: use anti-DDoS technology; apply rate limiting; reduce connection wait times; deploy load balancers.
SYN flood attack
A SYN flood is a type of DoS attack that exploits the normal TCP three-way handshake, leaving the target holding many half-open connections. Mitigation: use anti-DDoS technology; apply rate limiting; reduce connection wait times; deploy load balancers.
ARP poisoning
ARP poisoning is when an attacker sends falsified ARP messages over a local area network (LAN) to link the attacker's MAC address with the IP address of a legitimate computer or server on the network. Mitigation: use static ARP entries; detect ARP poisoning with tools such as XArp; set up packet filtering; install AV and keep signatures updated.
MITM attack
Man-in-the-middle (MITM) is an attack in which the attacker secretly relays, and possibly alters, the communications between two parties who believe they are communicating directly with each other. Mitigation: use static ARP entries; use encryption; deploy an IPS.
DNS Poisoning
DNS poisoning is a type of cyberattack that exploits vulnerabilities in the Domain Name System (DNS) to divert Internet traffic away from legitimate servers and towards fake ones. Mitigation: regularly audit DNS zones; keep DNS servers up to date; restrict zone transfers; limit recursive queries; store only data related to the requested domain.
DNS Tunneling
DNS tunneling is an attack method that encodes the data of other programs or protocols inside DNS queries and responses. Mitigation: IPS systems; block communication to known malicious IP addresses; use a DNS firewall; deploy a standalone DNS protection solution.
Drive-by-download
A drive-by download is the unintentional download of malicious code onto a computer or mobile device, exposing the user to various threats. Mitigation: encourage users to keep their software up to date; install AV capable of scanning Internet traffic; install web-filtering software; restrict browser add-ons; educate users not to visit untrusted websites.
Malware
Malware is (malicious) software intentionally designed to cause damage to a computer or computer network. Mitigation: use AV with up-to-date signatures; use ad-blockers; educate users not to download files from unknown sources.
Types of Malware
Virus: attaches itself to clean files and infects other clean files.
Trojan: malware that disguises itself as legitimate software but has malicious intent.
Worm: infects entire networks of devices, either locally or across the Internet.
Spyware: malware designed to spy on you.
Ransomware: typically locks down your computer and your files and threatens to erase everything unless you pay a ransom.
Adware: aggressive advertising software.
Botnet: a network of infected computers.
RAT: Remote Access Trojan.
Virus vs Trojan vs Worm
Virus: attaches itself to clean files and infects other clean files. Trojan: appears to be a useful program but has malicious intent. Worm: spreads across the network without any user action.
Fileless malware
Fileless malware gets in without using a traditional executable file as the first stage of the attack. Mitigation: use EDR tools; restrict or disable command-line scripting languages where they are not needed.
OWASP
The Open Web Application Security Project (OWASP) is an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.
SQL Injection
SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution. Mitigation: validate input; sanitize all inputs; use IPS and WAF solutions; do not display database errors on production servers.
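An added example (not code from the original page) showing the injection point and the hardened form side by side: a login check that concatenates the entry field into the SQL statement, the same check with bound parameters, and a wrapper that hides database errors from the client. The in-memory SQLite table, its rows and the test input are constructed for the demo; it goes beyond the page's "sanitize inputs" wording by using parameterized queries, the standard way to keep input as data.

```python
import sqlite3
from typing import Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The entry field is concatenated straight into the statement, so a quote
    in the input changes the SQL itself: the textbook injection point."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders bind the input as data; it can never alter the statement's structure."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_safely(conn: sqlite3.Connection, username: str, password: str) -> Tuple[bool, str]:
    """Parameterized query plus one generic failure message: database errors are
    handled server-side and never echoed to the client (the 'hide DB errors' mitigation)."""
    try:
        ok = login_parameterized(conn, username, password)
    except sqlite3.Error:
        # Real code would log the exception here; the client sees nothing specific.
        return False, "login failed"
    return ok, "ok" if ok else "login failed"


def demo() -> Tuple[bool, bool, bool]:
    conn = make_db()
    bypass_input = "' OR '1'='1"      # constructed test input carrying an unbalanced quote
    vulnerable = login_vulnerable(conn, "alice", bypass_input)   # True: check bypassed
    hardened = login_parameterized(conn, "alice", bypass_input)  # False: treated as data
    real = login_parameterized(conn, "alice", "correct horse")   # True: genuine login
    return vulnerable, hardened, real
```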
Cross Site Scripting (XSS)
Cross-site scripting (XSS) is a client-side code injection attack. Mitigation: validate input; sanitize all inputs; encode data on output.
Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Mitigation: synchronizer token pattern; cookie-to-header token; double-submit cookie.
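An added example (not from the original page) implementing the listed mitigations as server-side checks: a synchronizer token compared against a per-session value kept on the server, and the double-submit cookie / cookie-to-header comparison. The in-memory session store and session id are constructed stand-ins for a real framework's session backend.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store (session id -> CSRF token); a real app would
# keep this in its session backend.
SESSIONS: Dict[str, str] = {}


def issue_synchronizer_token(session_id: str) -> str:
    """Synchronizer token pattern: one unguessable token per session, stored server-side
    and embedded in every state-changing form as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def check_synchronizer_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject unless the submitted token matches the one stored for this session.
    A cross-site page can make the browser send the session cookie, but it cannot
    read the page to learn the token, so a forged request arrives without it."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def check_double_submit(cookie_token: Optional[str], header_token: Optional[str]) -> bool:
    """Double-submit cookie / cookie-to-header: the same random value is set in a cookie
    and must be echoed in a custom header (or form field) that a cross-site request
    cannot populate, since the attacker's origin cannot read the cookie."""
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)


def demo() -> Tuple[bool, bool, bool]:
    sid = "session-abc"  # constructed session id
    tok = issue_synchronizer_token(sid)
    legit = check_synchronizer_token(sid, tok)            # True: form carried the token
    forged = check_synchronizer_token(sid, None)          # False: cross-site form lacks it
    guessed = check_synchronizer_token(sid, "bad-guess")  # False: wrong value
    return legit, forged, guessed
```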
Broken Authentication
Broken authentication weaknesses allow an attacker to capture or bypass the authentication methods used by a web application. Mitigation: implement multi-factor authentication; do not ship or deploy with default credentials; implement weak-password checks; lock user accounts after a certain number of failed attempts.
Broken Access Control
Broken access control is a weakness in a web application that lets users do more than they are authorized to. Mitigation: deny access to functionality by default; use access control lists and role-based access control mechanisms; log access control failures and alert admins when appropriate.