Chapter 6

What is one way to minimize the effectiveness of social engineering attacks?

Teaching users about social engineering tactics and underlying principles

What is the potential risk associated with opening a malicious attachment associated with invoice scams?

The user’s system might get infected with ransomware or other malware

What is the primary goal of a watering hole attack?

To infect a trusted website with malware and target its visitors

What is one way to thwart keyloggers as discussed in the text?

Using two-factor authentication (2FA)

What is the purpose of the Trusted Automated eXchange of Indicator Information (TAXII)?

Defines a set of services and message exchanges used to share information

The Trusted Automated eXchange of Indicator Information (TAXII) is an open standard that defines a set of services and message exchanges used to share information. It provides a standard way for organizations to exchange cyber threat information.

What is one reason an attacker might buy a domain name similar to a legitimate website, as discussed in the ’Earning ad revenue’ section?

To host pay-per-click ads

The text mentions that one reason attackers buy similar domains is to host pay-per-click ads. When visitors accidentally visit the site and click on these ads, advertisers pay revenue to the attacker.

What is the function of threat maps?

They provide a visual representation of active threats

What is the primary function of a beacon in an email phishing attack?

To verify the validity of recipient’s email address

In the context of email phishing, a beacon is used to verify the validity of the recipient’s email address. It includes a unique code that identifies the receiver’s email address, and once the user’s email program attempts to retrieve the linked image stored on the Internet server, it is confirmation to the server that the email address is valid.

What does closed/proprietary intelligence refer to in the context of cybersecurity?

Trade secrets and intellectual property of an organization

Which are some of the reported names for the APTs sponsored by the Iranian government?

Elfin Team, Helix Kitten, Charming Kitten

What is the main purpose of a whaling attack?

To target high-level executives for confidential company information

What are some common types of open source intelligence (OSINT) utilized by penetration testers or attackers?

Vulnerability databases and social media platforms

How do attackers use social media as an attack vector?

Gathering information on targets via social media

What is hybrid warfare?

A military strategy combining conventional warfare with unconventional methods to influence people

Why do social engineers often attempt to build rapport with a victim before launching an attack?

To make the victim like them and more likely to comply

What is the difference between identity theft and identity fraud based on the provided text?

Identity theft refers to stealing personal information while identity fraud refers to misuse of this stolen information.

What defines an Advanced Persistent Threat (APT) in the cyber security context?

An organized and sophisticated group of threat actors often sponsored by nation-states or governments.

Which of the following is usually a strong indicator of a system being part of a botnet?

There are large amounts of outgoing spam

Large amounts of outgoing spam from a desktop computer are usually a strong indicator that the system has been added to a botnet and is sending phishing emails as a zombie.

What is one of the reasons an attacker might purchase a domain similar to a legitimate one?

To resell the domain to the original owner at a profit

The text explicitly states that attackers can purchase similar domains with the intention of reselling them back to the original site owner at a large profit. This takes advantage of the owner’s need to maintain their brand’s integrity and prevent potential customer confusion or cyber attacks.

What is phishing?

It is an attempt to trick users into revealing sensitive information or clicking on a malicious link.

What is the role of a local industry group in the context of cybersecurity?

 To share and collaborate on information related to their industry

What are some effective methods to prevent shoulder surfing as mentioned in the text?

Positioning monitors and screens so unauthorized personnel cannot see them

Criminal syndicates and Advanced Persistent Threats (APTs) are both types of organized cyber threat actors, but have different primary motivations. What are the chief motivations of these groups?

APTs are motivated by political agendas, while Criminal syndicates aim for personal gain

Which of the following best describes a ’Black Hat’ as discussed in the given text?

A group of highly organized attackers, typically sponsored by nation-states or governments, that engage in targeted cyberattacks over a long period of time.

The given text describes ’Black Hat’ or an advanced persistent threat (APT) as a group of highly organized threat actors. These actors typically receive sponsorship and resources from nation-states or governments and conduct targeted, sophisticated cyberattacks over long periods of time. Such attacks often result in unauthorized access to systems and data for extended durations, allowing the actors to exfiltrate significant amounts of data.

Which of the following best describes pretexting in the context of social engineering?

It is a fictitious scenario added to a conversation to make a request more believable

Pretexting, in social engineering, involves creating a convincing false narrative (pretext) to persuade a target to reveal information or perform certain actions.

What is the classic Nigerian scam (also called a 419 scam) usually about?

Requesting a relative or acquaintance to access funds

The classic Nigerian scam, also known as a 419 scam, is typically an email from someone claiming that a relative or acquaintance has millions of dollars. The sender asserts that they can’t access the funds without the recipient’s help, often requiring them to pay a small sum of money with the promise of a large return that never materializes.

Which of the following best describes the term ’Advanced Persistent Threat (APT)’?

A sophisticated group of threat actors that is typically sponsored by nation-states

Which of the following is NOT a common security control used to protect against malware according to the text?

Bypassing email servers and directly sending emails to users

Why is it important to verify information shared in social media groups before acting on it as a cybersecurity personnel?

Because social media groups aren’t authoritative and can contain inexact information

What is the primary function of anti-malware software on mail gateways?

It blocks and strips potentially malicious attachments off emails.

What can be a strong indicator of infection in a network regarding traffic to specific IPs?

Firewall logs indicate traffic attempting to access blacklisted IPs

Firewall logs indicating attempts to access blacklisted IPs is a strong indicator of network infection. Bot zombies often try to connect to command and control servers and firewalls that are aware of these harmful IP addresses can blacklist traffic to these servers. Monitoring these attempts is a strong sign of malware infection.

What is a possible malicious intention for an attacker purchasing a domain similar to a legitimate one?

To host a malicious website intending to install malware.

Given the context of the text, an attacker could buy a similar domain name for the purpose of hosting a malicious website, with the intention of installing malware on the systems of users who inadvertently visit the site instead of the legitimate one.

What is the Automated Indicator Sharing (AIS) used for?

For real-time exchange of threat indicators and defensive measures

The Automated Indicator Sharing (AIS) is maintained by the Cybersecurity and Infrastructure Security Agency (CISA). It is used for the real-time exchange of threat indicators and defensive measures.

What is NOT a common type of Open Source Intelligence (OSINT) as described in the text?

Insider Trading Reports

The other correct answers
A. Dark Web
B. National Vulnerability Database (NVD)
C. STIX and TAXII standards

What is the main purpose of a backdoor?

To provide a shortcut for normal authentication methods

A backdoor is primarily used as a means to access a system by bypassing normal authentication methods, often used by malware for continued discreet access even after its presence is discovered and supposedly eradicated.

What tactics are considered effective for a person to get others to comply through impersonation?

A. Posing as a government official
B. Pretending to be a technician
C. Implying lawsuits or subpoenas
D. All of the above - correct answer

What is the primary motivation for criminal syndicates in the context of cyberattacks?

Money

Which of the following is used by social engineers during elicitation to encourage a target to speak more ?

Active listening

What is the importance of academic journals in cybersecurity?

They contain technical research documents on cybersecurity, reviewed by peers for credibility.

Which types of attacks are most effective when exploiting authority?

Impersonation, whaling, and vishing

Which of the following is NOT a technique used by fileless malware?

Disk partitioning

Which of the following is NOT a reported name for an APT sponsored by the Russian government?

Alpha Bear

The Advanced Persistent Threats (APTs) associated with the Russian government that are outlined in the text include Fancy Bear, Cozy Bear, Venomous Bear, and Voodoo Bear. The name Alpha Bear does not appear and therefore is not one of the reported APTs affiliated with Russia.

What is the technique of vishing as used in cyber security?

Impersonating authority figures over the phone to deceive individuals into revealing sensitive information

Which of the following best describes a zero-day vulnerability based on the provided text?

It is a vulnerability unknown to trusted sources such as operating system and antivirus vendors, and it remains until these vendors know about the issue and release patches.

What description is accurate regarding the threat actor referred to as a ’script kiddie’?

They use existing computer scripts or codes to launch attacks, usually with little expertise or sophistication.

What is a characteristic of fileless malware?

It runs in memory and can inject into legitimate applications

What is the purpose of using a spam filter on mail gateways?

Detect and filter spam before it reaches users

What is the primary risk associated with Shadow IT?

Unmanaged systems and applications may be susceptible to emerging vulnerabilities

Shadow IT refers to systems and apps installed without the IT department’s knowledge. Since these are unmanaged by the IT, they will not be kept up-to-date or back up regularly, making them susceptible to emerging vulnerabilities.

What does the term ’consensus’ refer to in the context of cyber threats?

The technique where criminals manipulate users by creating an illusion of social approval for their fraudulent products or software.

What is an Advanced Persistent Threat (APT) typically characterized by?

They are typically groups of organized threat actors that engage in targeted attacks against organizations over long periods of time

What is the primary purpose of Cuckoo Sandbox?

To analyze suspicious files and URLs

The main purpose of Cuckoo Sandbox is to provide an analysis of suspicious files, such as malware, and URLs, by running them in a virtual machine (VM) and creating a report on its activity.

Which of the following is a viable solution to prevent spear phishing attacks?

Using digital signatures

Using digital signatures provides a high level of certainty to personnel on who sent the email and can deter the success of spear phishing attacks.

What is a key challenge when implementing spam filters?

Filters may mistakenly flag and filter out legitimate emails.

As noted in the text, a primary challenge when employing spam filters is ensuring they don’t mistake legitimate emails for spam and filter them out. This can result in missed business opportunities and important communications.

According to the text, which of the following is NOT a method used by social engineers to gain unauthorized access or information?

Physically stealing user credentials

According to the passage, which of the following is not a technique used by social engineers in the elicitation process?

Internet phishing

Internet phishing is not mentioned in the passage as a technique used by social engineers in the elicitation process. The techniques discussed include active listening, reflective questioning, false statements, and bracketing.

What does data exfiltration refer to in the context of malware attacks?

Unauthorized transfer of data out of a network

Which of the following attacks are most likely to use urgency as a technique?

Ransomware

What does heuristic-based detection in antivirus software aim to detect?

Previously unknown viruses and zero-day exploits

Heuristic-based detection in antivirus software attempts to detect previously unknown viruses that do not have known signatures, including zero-day exploits. It does this by running questionable code in a protected, virtualized environment (sandbox) and observing its behaviors for anything malicious or unusual.

Which of the following is NOT an indicator of a malware attack?

Regular data transfer within a network

Regular data transfer within a network is a normal business activity and does not directly indicate a malware attack. All other options listed are potential indicators of malware attacks such as extra traffic added by malware, encrypted traffic to bypass detection techniques, and suspicious traffic to known malicious IPs.

Which of the following correctly describes the Dark Web?

It is a sector of the web that requires specific software or authentication to access.

What is one possible reason an attacker might purchase a domain name similar to a legitimate one, according to the passage?

To host pay-per-click ads for revenue

According to the text, one reason an attacker might buy a similar domain could be to host pay-per-click ads, earning ad revenue from visitors who mistakenly visit the attacker’s site and click on the ads.

Why might encrypted traffic be considered an indicator of a malware attack?

Encrypted messages can’t be read by data loss prevention (DLP) systems

Some malware will encrypt the data before data exfiltration attempts. This can bypass typical DLP techniques because a DLP system can’t read the encrypted data. However, a large amount of encrypted data can indicate data exfiltration, even if the data can’t be identified.

Which of the following best describes a ’hacktivist’ as presented in the provided text?

An attacker who launches cyber attacks as part of an activist movement or to raise awareness about certain causes.

Which of the following best describes Indicators of Compromise (IoC)?

Evidence that a cyberattack is in progress or has occurred, often taking the form of antivirus alerts or detected potential attacks.

Which of the following is NOT provided as a source for taking the assistance of cybersecurity personnel during threat research?

Online forums

According to the given text, Online forums are not mentioned as a source for cybersecurity personnel to research threats. Other sources mentioned include vendor websites, conferences, academic journals and several others.

What is the primary purpose of a virus?

To replicate and deliver its payload

The main characteristic of a virus is its ability to replicate itself and spread its payload to other host applications. This payload can consist of harmful actions, such as deleting files, causing random reboots, joining a computer to a botnet, or enabling backdoors for remote system access.

What is URL hijacking or typo squatting?

Buying a domain name that is close to a legitimate domain name.

URL hijacking, also known as typo squatting, involves buying a domain name that closely matches a legitimate domain name in a bid to trick users into visiting the attacker’s website. The idea is to take advantage of typographical errors made by Internet users when typing a website address into a web browser.

What type of cyber attack leverages the authority of legal entities to coerce executives into opening malicious attachments?

Whaling

What term best describes the group of threat actors who are usually highly organized, funded by nation-states, and target specific organizations for long periods of time?

Advanced Persistent Threats (APTs)

What is the technique called that attackers use by sending text messages to trick users into giving up personal information and uses the method of phishing?

Smishing

Smishing is a form of phishing that utilizes text messages (SMS) to trick users into giving up personal information. This method is often used by attackers to gain illegal access to personal accounts such as email by deceiving the user into revealing a verification code over text.

What is the purpose of Trusted Automated eXchange of Indicator Information (TAXII)?

It’s an open standard that defines services for sharing threat information without specifying what should be shared.

TAXII is an open standard that offers a framework for sharing threat information. However, it doesn’t dictate the specifics of the information to be shared.

What is the purpose of reflective questioning in social engineering?

To demonstrate active listening and encourage a target to talk more

Which of the following is NOT a common security control used to protect against malware?

Software updates on all systems

What is the primary purpose of dumpster diving in the context of cybersecurity?

Gaining information from discarded documents

What is the purpose of using file integrity monitors in antivirus scanners?

To detect modified system files.

What is the impact of Potentially unwanted programs (PUPs) on a user’s computer?

They can change the user’s browser settings without clear consent

While some PUPs can be legitimate, they often tend to make changes to a user’s computer, usually without clear consent. This can include changes to browser settings, such as the default search engine or the homepage, as well as injecting advertising.

What is a common method attackers use to spread Trojans?

By embedding the Trojan in a website’s code

Website drive-by downloads are a popular vector for spreading Trojans. Attackers compromise a website and embed the Trojan in its code. When users visit the site, the Trojan attempts to download onto the users’ systems.

What can be expected when you opt out of email services from a legitimate company?

You will no longer receive any more emails from that company

When you opt out of a mailing list of a legitimate company, you should no longer receive any emails from that company. This is a legal requirement that such companies have to comply with.

What is the primary purpose of a Request for Comments (RFC) published by the Internet Engineering Task Force (IETF)?

To standardize technical specifications on the internet

The Internet Engineering Task Force (IETF) publishes documents called RFCs for a variety of purposes. Many are Internet standards, and they are the authoritative source of knowledge for technical specifications. For instance, RFC 6749 describes how authorization tokens are created and exchanged on the Internet. Websites that comply with the specifications in RFC 6749 can exchange authorization tokens with relative ease.

Which of the following is NOT an indicator of a malware-infected system based on the provided text?

The system operates faster

What potential damage could serious virus hoaxes cause?

They encourage users to delete important files, potentially making their systems unusable.

Ex - The text specifies that a serious virus hoax may persuade a user to delete significant files, which could render their systems unusable.

What is the purpose of ’active listening’ in the context of social engineering?

To encourage the target to continue talking by giving them your full attention

What is the goal of impersonation by social engineers according to the text?

To convince an authorized user to provide some information or help the attacker defeat a security control.

What is the primary motivation for criminal syndicates in launching cyber attacks?

Their main goal is to get more money typically through criminal activities

What is the classic method of credential harvesting used by attackers?

By asking users directly

Classic credential harvesting is based on a simple idea. If you want a user’s credentials, just ask. Attackers send phishing emails out to users claiming a problem with an account and encouraging users to click a link and log on to their account to fix it. The link brings them to a malicious website that often looks like the real thing. If the user enters credentials, the site captures them and then redirects the user to the actual logon page.

What technique do attackers often use along with malware?

Social engineering

Which of the following is NOT a typical indicator of a malware attack?

Reduction in network traffic

How do criminals impersonate your friends through email according to the text?

They create emails with your friends’ names in the ’From’ block but use unrelated email addresses

According to the text, criminals impersonate your friends by creating emails that appear to come from your friends. They do this by including your friends’ names in the ’From’ block but use unrelated email addresses that belong to someone else or are forged. The actual sender must be identified by looking at the full header of the email address.

What is a common delivery method for a Remote Access Trojan (RAT)?

Via drive-by downloads or malicious email attachments

What is a logic bomb?

A string of code embedded into an application that executes in response to an event

Which of the following methods is NOT used by fileless viruses?

Network traffic analysis

What are some common types of Open Source Intelligence (OSINT)?

Vulnerability databases and the dark web

OSINT includes any information that is available to the general public. This ranges from vulnerability databases such as the National Vulnerability Database and the Common Vulnerabilities and Exposures list, to the dark web where vulnerabilities are sometimes posted before they make it to these databases.

Which of the following best describes the main purpose of spyware?

To gather user information without their consent

Which of the following statements about cybersecurity conferences is true according to the text?

They allow attendees to choose what workshops they want to attend

According to the text, cybersecurity conferences often let attendees select from various training tracks and choose the workshops they would like to participate in.

How does the concept of ’Scarcity’ apply to phishing and Trojan attacks?

Scarcity is a technique where attackers offer exclusive access to a limited product to lure victims to a malicious website.

Which one of the following statements elucidates the ’upgrade’ phishing technique?

 A prompt asking to upgrade a software for better functionality
 
 The ’upgrade’ phishing technique tries to trick users into downloading and installing malware by posing as a software update or upgrade. The users are misled into believing that their software is outdated and needs an upgrade, and by clicking ’yes’ to the upgrade, they unintentionally install malware.

What is a characteristic of an advanced persistent threat (APT)?

They often represent a long term, highly organized threat

Who sponsors Advanced Persistent Threats (APTs) and what is their characteristic?

They are sponsored by state actors and launch targeted, sophisticated attacks over long periods.

What is a significant challenge when encountering Spam over Internet Messaging (SPIM)?

It bypasses typical antivirus and spam filters.

SPIM represents a significant challenge as it bypasses common antivirus software and spam filters, making it more difficult to detect and prevent.

What is the role of a ’Bot herder’ in a botnet?

They manage botnets, attempting to infect as many computers as possible and control them through systems on the Internet

Which of the following attack vectors is estimated to be the starting point of up to 91 percent of all attacks?

Email

Which of the following best describes the primary difference between a worm and a virus?

A worm consumes more network bandwidth.

According to the given text, one of the significant problems caused by worms is that they consume network bandwidth. This is uniquely stated as a characteristic of worms and not viruses.

What are attack vectors and how do attackers use them?

They are the paths that attackers use to gain access to computers and networks in order to exploit vulnerabilities

What security attack tactic involves combining intimidation with urgency and impersonation?

Social Engineering

What is the technique called ’Bracketing’ that is used by social engineers?

Stating a specific number or a range of numbers to elicit correct information.

Bracketing refers to the technique used by social engineers where they state a specific number or a range of numbers to elicit specific information. The attacker counts on the probability that the target will correct them if they are wrong, or will reveal more information to show off their knowledge.

What is the role of the Structured Threat Information eXpression (STIX) in open source intelligence (OSINT)?

It provides a common language for addressing a wide range of cyber threat information.

STIX is an open standard that identifies what cyber threat information organizations should share. It provides a common language for addressing a wide range of cyber threat information.

According to the passage, how do social engineers try to gain the trust of their victims?`

All of the above

The passage explains that social engineers often pretend to be security experts and show victims errors on their own computers, then offer to help fix them. These tactics are used to build trust between the engineer and the victim.

Why are building rapport and likability important in the context of tailgating attacks?

People are more likely to allow someone they know or like to tailgate behind them

What is an Advanced Persistent Threat (APT) typically understood to be in the context of cyber attacks?

A group of organized threat actors, typically sponsored by nation-states

What is one of the main benefits of Peer-to-Peer (P2P) botnets from the perspective of a cybercriminal?

P2P networks are difficult for legal professionals to take down

In a Peer-to-Peer (P2P) botnet, each infected system looks for other infected systems, progressively building a larger list of infected machines that can work together. Each of these infected systems can act as a command and control system issuing commands to other systems. Because P2P networks do not centralize command and control, it is difficult for legal professionals to completely dismantle the botnet by just taking down a few central servers.

What does the term ’gaslighting’ mean in the context of information security?

It is a form of psychological manipulation where the manipulator tries to replace one idea or belief with another one.

In the context of social engineering attacks, why is the principle of liking and rapport building effective in shoulder surfing?

It makes the victim less likely to recognize and stop a shoulder surfing attack

When the attacker is someone familiar or likable to the victim, the victim is less likely to recognize that the attacker is looking over their shoulder to see confidential data (shoulder surfing).

What is hybrid warfare and how is it applied in influence campaigns?

It is a blend of conventional warfare with unconventional methods to influence people.

What is the main difference between ransomware and cryptomalware?

Ransomware locks out users whereas cryptomalware encrypts data

Ransomware refers to the type of malicious software that locks out users from their system or network whereas cryptomalware refers to the malware that encrypts the data on computers within the network to prevent the users from accessing it.

How soon can an attacker typically begin lateral movement within a network after the initial infection?

Less than two hours

The text states that the time it takes for an attacker to begin lateral movement within a network after initial infection is typically less than two hours.

What do rootkits use to modify system behavior and avoid detection?

Hooking techniques

Rootkits use hooking techniques to modify the system behavior and avoid detection. Hooking refers to intercepting system-level function calls, events, or messages. The rootkit installs the hooks into memory and uses them to control the system’s behavior.

What is a common use of file/code repositories in the realm of cybersecurity?

To provide a location for prewritten code that developers can use for a variety of purposes, including gathering intelligence

Which of the following resources is especially true for finding reliable information on vulnerabilities and patches used to fix them?

Vendor websites

Vendor websites provide reliable information about their products, including any potential vulnerabilities their products may have and patches available to fix those issues.

Which of the following strategies is commonly utilized to mitigate the risk of malware entering the network through network traffic?

Implementation of Unified Threat Management (UTM) systems

Unified Threat Management (UTM) is a significant security measure mentioned in the context of ’boundaries or firewalls’. UTM systems monitor network traffic through the firewall and thereby reduce the risk of malware entering the network.

What is the main motivation behind the cyber activities of criminal syndicates?

 Money

What is the role of InfraGard in the context of public/private information sharing centers?

It is a non-profit organization that shares information between the FBI and members in specific sectors.

In the context of public/private information sharing centers, InfraGard serves as a non-profit organization that shares information on cyber threats between the Federal Bureau of Investigation (FBI) and members in specific sectors.

What is ’vishing’ in the context of cyber security?

A form of phishing that uses voice messages or phone calls

What does ’reconnaissance’ refer to within the context of social engineering?

 Gathering as much information as possible on a target

What are the two common methods by which antivirus software detects viruses?

Signature-based detection and heuristic-based detection

Antivirus software detects viruses using two main methods: signature-based detection, which involves looking for specific patterns of data that are known to be related to already-identified malware, and heuristic-based detection, which involves analyzing the characteristics and behaviors of an unknown piece of software to determine if it is likely to be malware.

Which types of attacks can be launched via email according to the provided text?

All of the above

According to the text, email attacks can include spam, phishing, smishing, vishing, spear phishing, and whaling. So all the types of attacks mentioned in the options can be launched via email.

What is Predictive analysis in the context of cybersecurity?

It involves techniques that attempt to predict what attackers will do next and methods to thwart their attacks.

What is the primary function of signature files in antivirus software?

Providing a pattern for scanning files for viruses and other known malware.

The text explains that ’signature files (also called data definition files) define the patterns, and the antivirus software scans files for matching patterns. When the software identifies a matching pattern, it reports it as an infection and takes action.’ Therefore, the primary function of signature files is to provide a pattern for scanning files for viruses and other known malware.

Which of the following is NOT a technique used by fileless malware?

Installing fake antivirus software