Security+ SY0-601: 1.2 Indicators of Attack

This entry is part 6 of 47 in the series [ Security+ SY0-601 ]

Chapter 2: Indicators of Attack


Viruses – These attach themselves to something, whether a document or a program. They are executable code. The most common vector is e-mail attachments. The victim has to do something to activate a virus; typically this is clicking on the attachment. Anti-virus software is the (putative) cure.


Trojans – Some programs disguise themselves as one thing, then reveal an ugly side when they’re opened. People addicted to internet freebie programs are very susceptible to this threat. These things are tough to fight, typically requiring anti-virus and other software to prevent, and often forcing disinfection after an infection occurs. These in particular force me to enforce a rule: “If you don’t HAVE to have a piece of software to do your job, you are FORBIDDEN to have it.” Needless to say this is very unpopular; but I’ve seen more than one business literally bankrupted by violating this practice.

Worms – These travel by themselves. They do not have to attach themselves to something else. They do not require action by the victim to be launched into action. They do often use e-mail as a convenient vector of propagation. You’ll need both procedures (“Never even open e-mails from unknown sources!”) and products (hardware and software firewalls) to protect against worms.

PUPs: Potentially unwanted programs

Fileless viruses

C2: Command and Control



Logic Bombs – A specific event triggers a logic bomb, which then does its damage. This can be a date or an event like a person’s account being deactivated. Policies like code reviews, practices like network surveillance and monitoring programs, and products like Tripwire (which monitors signatures of executable files for changes) are all necessary, but not sufficient to protect against logic bombs.



RATs: Remote access trojans


        • Firmware
        • Virtual
        • Kernel
        • Library
        • Application

Backdoors – Worms, trojans or viruses may install secret entrances to systems. Sometimes an innocent intent opens this vulnerability, like a programmer’s testing procedure that’s never removed. Sometimes an evil virus like MyDoom creates the opening. Your only protection is network scanning. Visit, for instance, Gibson Research and follow the ShieldsUp! link for a scan of your home PC.

For more malware types and examples, see my Certified Ethical Hacker section:


Password Attacks


Dictionary – hashing every word in the dictionary to compare that hash value to user’s hashed password, looking for matches

Brute force – throwing thousands of passwords at a system



Rainbow tables


<Demo Cain and Abel>

Physical Attacks

Malicious USB cables

Malicious flash drives

Card cloning


Adversarial Artificial Intelligence (AI)

Tainted training data

ML (machine learning) algorithm security

Supply-Chain Attacks

Cloud-Based vs. On-Premises Attacks

Cryptographic Attacks

Birthday Attacks (601) – taking advantage of the birthday paradox, which is the greater possibility of finding something in common (like a birthday) if you start looking from a known value (like a certain date) rather than trying to analyze all values (like all dates).

Collision (601)

Downgrade (601)

Weak Keys (501) – algorythms that allow the creation of keys with detectable patterns or structures allow weak keys.

Mathematical Attacks (501) – usually these are statistical analyses that attempt to discover keys

Indicators of Compromise

IOC Tools

from FireEye (Mandiant)


from MITRE