False Positive

A "false positive" in vulnerability scanning refers to when a security tool incorrectly identifies a system as having a vulnerability, even though there is no actual security issue present, essentially raising a false alarm and wasting time investigating a non-existent threat; effectively, it means the scan reported a vulnerability that doesn't actually exist, requiring careful management to avoid unnecessary remediation efforts and maintain the accuracy of scan results.

Key points about false positives in vulnerability scanning:

Impact:

False positives can lead to wasted time and resources spent investigating non-existent vulnerabilities, potentially diverting attention away from real security issues.

Causes:

Overly broad scanning rules: When a scanner uses overly general detection criteria, it might flag benign configurations as vulnerabilities.

Incomplete information: If the scanner doesn't have access to all necessary information about a system, it might misinterpret certain aspects as vulnerabilities.

Outdated scanner logic: Older scanning tools may not be updated to recognize specific configurations that are no longer considered vulnerabilities.

Mitigating strategies:

Customizing scan profiles: Tailoring scan settings to the specific application or system being tested, including excluding known safe configurations.

Whitelisting: Defining known safe components or patterns to prevent false positives

Regular review and tuning: Regularly reviewing scan results and adjusting scanner settings to reduce false positives

Using advanced scanning tools: Utilizing tools with intelligent detection mechanisms that can better differentiate genuine vulnerabilities from false positives.

 CVSS Metrics

This is covered in the CompTIA CySA+ course.

Here are some examples of metrics used in the Common Vulnerability Scoring System (CVSS):

Attack Vector (AV)

How an attack can be executed, with higher scores for remote attacks:

Network (N): Remotely exploitable

Adjacent (A): Requires network adjacency for exploitation

Local (L): Not exploitable over a network

Physical (P): Requires physical interaction with the target system

Attack Complexity (AC)

How difficult it is to execute the attack:

Low: Easier to exploit

High: More challenging to exploit

Privileges Required (PR)

The level of access needed to exploit the vulnerability:

None: Unauthenticated

User Interaction (UI)

Whether the attacker needs to involve a user in the exploit:

Passive: The user needs to do something, like accidentally visiting a malicious website

Active: The user needs to do something, like executing a malicious office macro

Scope (S) indicates whether the exploit affects only the local security context

(U) Unchanged or not (C) Changed

Confidentiality (C)

High (H), Low (L), or None (N)

Integrity (I)

High (H), Low (L), or None (N)

Availability (A)

High (H), Low (L), or None (N)

Score Categories

Score                Description

0	None
0.1+	Low
4.0+	Medium
7.0+	High
9.0+	Critical

Here is a link to a CVSS calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

This is covered in CompTIA CySA+.

 Amplification Attack

An amplification attack is a cyberattack in which an attacker exploits vulnerabilities in certain network protocols, like DNS or NTP, by sending small requests that trigger significantly larger responses from open servers. This effectively "amplifies" the traffic and overwhelms the intended target with a massive amount of data, often causing a denial-of-service (DoS) condition.

Key points about amplification attacks:

Exploiting protocol weaknesses:

These attacks rely on inherent protocol design flaws, allowing attackers to manipulate requests to generate significant responses from vulnerable servers.

Spoofing source IP:

To amplify the attack, attackers usually spoof the source IP address in their requests, ensuring a large response is sent to the intended victim instead of the attacker.

Commonly targeted protocols:

DNS (Domain Name System): A popular choice due to the enormous response size compared to the initial query.

NTP (Network Time Protocol): Can generate large-time synchronization responses.

CLDAP (Connectionless Lightweight Directory Access Protocol): Another protocol susceptible to amplification attacks.

Memcached: A database caching system that can be exploited for amplification attacks when improperly configured.

How an amplification attack works:

1. Sending small requests:

The attacker sends a small, crafted request to a vulnerable open server, often using a spoofed source IP address that points to the intended victim.

2. Large response generated:

Unaware of the spoofing, the server responds with a much larger data packet containing the requested information.

3. Traffic flood to the target:

This significant response is sent to the victim's IP address, creating a flood of traffic and potentially overwhelming the target's network resources.

Defense against amplification attacks:

Filtering at network perimeter:

Implementing network filters to block suspicious traffic based on source IP addresses and protocol types.

Rate limiting:

Configuring servers to limit requests from a single source within a specific time frame.

Proper server configuration:

Securing network services like DNS and NTP by limiting response sizes and filtering invalid requests.

Monitoring network traffic:

Actively monitoring network activity to detect unusual patterns indicative of an amplification attack.

Distributed Reflected Denial of Service

 DRDoS Attack

DRDoS, or Distributed Reflection Denial of Service, is a type of cyberattack that aims to make a network resource unavailable to its intended users. It is a more advanced form of a DDoS attack known as a Reflected DDoS attack.

In a DRDoS attack, a hacker spoofs the target's IP address and sends requests to a third-party server. The third-party server then sends its response to the target's IP address, which can significantly increase traffic. This can overwhelm the target's resources and make it difficult to trace back to the original attacker.

DNS servers, NTP servers (using the monlist command), and Memcached servers are some examples of services that can be used in a DrDoS attack.

Some potential consequences of a DrDoS attack include:

• Damage to relationships with partners, customers, and other stakeholders
• Reputational damage
• Revenue loss
• Operational downtime

Lateral Movement and Pivoting

The concepts of "lateral movement," "pivoting," and "privilege escalation" in cybersecurity explain how attackers use these techniques to navigate through a network, access different systems, and gain higher levels of access, often requires sophisticated detection methods like machine learning to identify suspicious activity amidst normal user behavior.

Key points:

Lateral movement:

This refers to an attacker moving from one compromised system to another within a network to reach their target data or system, often by exploiting shared credentials or vulnerabilities.

Pivoting:

Similar to lateral movement, pivoting involves using an initially compromised system as a launchpad to access other systems within the network, essentially "hopping" from one compromised machine to another to penetrate the network further.

Privilege escalation:

Once an attacker gains initial access to a system, they may attempt to elevate their user privileges to gain administrative control, allowing them to perform more sensitive actions.

PtH (Pass the Hash) attacks help facilitate these types of attacks.

Detection challenges:

Normal vs. anomalous behavior:

Differentiating between legitimate user actions and malicious activity can be complex, making detection reliant on advanced techniques like machine learning algorithms to identify unusual behavior patterns.

Anomalous logins and privilege use:

Monitoring for suspicious logins from unusual locations, excessive failed login attempts, or sudden elevation of user privileges can indicate potential lateral movement or privilege escalation attempts.

Impossible Travel Time

 Impossible Travel

"Impossible travel" in cybersecurity means a user is attempting to access an account from two geographically distant locations within a timeframe that is too short to realistically travel between them, suggesting a potential security breach where someone else is using the account from a different location than the legitimate user.

Key points about "impossible travel":

Anomaly detection:

An anomaly detection method analyzes user logins based on their geographical location to identify suspicious activity.

How it works:

If a user logs in from New York and then a few minutes later from London, it triggers an "impossible travel" alert because it's impossible to physically travel between the two cities that quickly.

Indicator of compromise:

This can be an early indicator that a malicious actor has compromised a user's account.

Factors considered:

Security systems look at the time difference between logins, the distance between locations, and the user's typical login patterns to determine if "impossible travel" is occurring.

SCAP (Security Content Automation Protocol)

 Security Content Automation Protocol

The most critical components of SCAP (Security Content Automation Protocol) that enable vulnerability scanners to determine if a computer meets a configuration baseline are Extensible Configuration Checklist Description Format (XCCDF) which defines security policies and checks, and Open Vulnerability and Assessment Language (OVAL) which provides the technical details on how to perform those checks on a system, along with Common Platform Enumeration (CPE) for identifying specific software and hardware platforms.

Key points about these components:

XCCDF:

This format specifies the high-level security requirements and configuration checks, mapping policies to technical tests.

OVAL:

This language details how to perform the checks defined in XCCDF on a specific system, including the steps to verify compliance.

CPE:

This component provides a standardized way to identify software and hardware components on a system, allowing for accurate vulnerability assessment