Cyber Attacks with Mitigation

The document provides a comprehensive overview of various cyber attack types, including brute-force, dictionary, rainbow, pass-the-hash, scanning, sniffing, spoofing, and phishing attacks, along with their definitions and mitigation strategies. It emphasizes the importance of strong password policies, multi-factor authentication, and monitoring for unusual activities as preventive measures. Additionally, it outlines response strategies for when attacks are detected, highlighting the need for immediate action to secure compromised accounts and systems.

Uploaded by nagarjuna

Cyber Attacks Documentation

Brute-Force Attack:

• A brute-force attack is an attempt to guess a user's password by systematically trying
all possible combinations until the correct one is found.
• It can be performed manually or using automated tools like Hydra, John the Ripper,
or Hashcat.

Mitigation Strategies-Preventive Measures:

1. Enforce Strong Password Policies

o Use long, complex passwords with uppercase, lowercase, numbers, and
special characters.

o Implement a minimum password length of 12-15 characters.

2. Enable Multi-Factor Authentication (MFA)

o Require an additional authentication factor (OTP, biometrics, or hardware
token) to prevent unauthorized access.

3. Implement Account Lockout Policy

o Lock accounts after multiple failed login attempts (e.g., 5 attempts within 10
minutes).

o Use progressive delays before allowing retries.

4. Use CAPTCHA for Login Forms

o Prevent automated tools from brute-forcing login credentials.

5. Monitor & Detect Unusual Login Attempts

o Use SIEM solutions (e.g., Microsoft Sentinel) to track multiple failed login
attempts from the same IP.

o Configure alerts for suspicious login activity.

6. Restrict Access by IP Whitelisting

o Allow logins only from trusted IP addresses (especially for admin accounts).

7. Use Passwordless Authentication

o Implement security keys or biometric authentication instead of passwords.
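The lockout and progressive-delay policy from item 3 above in working form, as an added example that is not part of the original document. The figure of 5 failures within 10 minutes comes from the text; the 15-minute lockout duration, the doubling delay schedule (1 s, 2 s, 4 s, ...), and the `LoginThrottle` class with its method names are assumptions made for this illustration.

```python
import time
from collections import defaultdict, deque

# Figures from the document: lock after 5 failed attempts within 10 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 600
# Assumed for this example: lockout length and first progressive delay.
LOCKOUT_SECONDS = 900
BASE_DELAY_SECONDS = 1


class LoginThrottle:
    """Per-account failure tracking with progressive delays and lockout.

    The clock is injectable so the behaviour can be tested without sleeping.
    Call check() before verifying a password; record_failure()/record_success()
    after. The same idea applies per source IP for distributed guessing.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> time the lockout ends
        self.retry_after = {}               # account -> earliest next attempt

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, account):
        """Return (allowed, reason); reason is 'ok', 'wait' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return False, "locked"
        if self.retry_after.get(account, 0) > now:
            return False, "wait"
        return True, "ok"

    def record_failure(self, account):
        """Register a failed attempt. Returns the delay imposed in seconds,
        or -1 when the account has just been locked."""
        now = self.clock()
        self._prune(account, now)
        q = self.failures[account]
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            q.clear()
            return -1
        delay = BASE_DELAY_SECONDS * 2 ** (len(q) - 1)   # 1, 2, 4, 8 ...
        self.retry_after[account] = now + delay
        return delay

    def record_success(self, account):
        """A successful login clears the counters (an active lockout stays)."""
        self.failures.pop(account, None)
        self.retry_after.pop(account, None)


class FakeClock:
    """Constructed clock for the demonstration below."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def simulate_guessing(interval_seconds, attempts):
    """Replay wrong-password attempts against one account, spaced
    interval_seconds apart, and return the throttle's decision for each."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    decisions = []
    for _ in range(attempts):
        allowed, reason = throttle.check("alice")
        if allowed:
            delay = throttle.record_failure("alice")
            reason = "locked" if delay < 0 else f"fail+{delay}s"
        decisions.append(reason)
        clock.t += interval_seconds
    return decisions


if __name__ == "__main__":
    print(simulate_guessing(10, 6))  # slow guessing: delays grow, then lockout
    print(simulate_guessing(1, 5))   # rapid guessing: attempts refused while waiting
```

The throttle is keyed on the account name, which is what stops a single account being guessed at; the same structure keyed on source IP catches one address cycling through many accounts, and the two are normally deployed together.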


Response & Mitigation After Detection:

1. Disable Compromised Accounts

o Temporarily lock or reset affected accounts to prevent further access.

2. Identify the Source of Attack

o Analyze logs to determine if the attack is coming from a specific IP or botnet.

o Block the attacker’s IP address at the firewall or security gateway.

3. Enforce Immediate Password Reset

o Force affected users to change their passwords.

4. Deploy Threat Intelligence & Honeypots

o Use deception technology to lure attackers and gather information on their
methods.

5. Report & Monitor for Further Attacks

o Report the attack to security teams and monitor for follow-up attempts.

Dictionary Attack: Explanation & Mitigation

• A dictionary attack is a type of brute-force attack where an attacker systematically
tries common words, phrases, or precompiled password lists (e.g., "password123,"
"qwerty," "welcome123") instead of random combinations.
• This method is faster than traditional brute force because it relies on the likelihood
that users choose weak passwords.

Mitigation Strategies-Preventive Measures:

1. Enforce Strong Password Policies

o Require complex passwords that do not contain common words or phrases.

o Implement a passphrase policy (e.g., "Correct-Horse-Battery-Staple").

2. Implement Multi-Factor Authentication (MFA)

o Even if an attacker guesses the password, they cannot access the account
without an additional factor like OTP, biometrics, or a security key.

3. Use Password Blacklists

o Prevent users from setting common passwords using compromised password
lists (e.g., haveibeenpwned’s password API).

4. Enforce Account Lockout & Rate Limiting

o Lock accounts after a set number of failed login attempts.

o Implement time delays between failed login attempts to slow down
automated attacks.

5. Enable CAPTCHA for Login Attempts

o Prevent automated tools from submitting login requests.

6. Implement Password Hashing & Salting

o Use strong hashing algorithms like bcrypt, Argon2, or PBKDF2 to store
passwords securely.

7. Use Passkeys & Passwordless Authentication

o Replace traditional passwords with biometric authentication or FIDO2
security keys.

Response & Mitigation After Detection:

1. Identify and Block Attack Sources

o Monitor logs for multiple failed login attempts from the same IP.

o Block suspicious IPs at the firewall or security gateway.

2. Force Password Resets for Affected Accounts

o Notify users of potential compromise and enforce password changes.

3. Monitor for Credential Stuffing Attacks

o If dictionary attacks succeed, attackers may attempt credential stuffing with
leaked credentials.

4. Educate Users on Password Security

o Regularly remind users not to reuse passwords across multiple accounts.


Security Controls to Prevent Both Attacks:

• Strong Password Policies – Require long, complex passwords that do not appear in
common wordlists.
• Multi-Factor Authentication (MFA) – Prevents unauthorized access even if a
password is guessed.
• Account Lockout & Rate Limiting – Temporarily locks accounts or slows down login
attempts after multiple failures.
• Password Blacklisting – Restricts users from setting commonly used passwords.
• CAPTCHA on Login Attempts – Prevents automated tools from brute-forcing
passwords.
• IP Blocking & Geo-Fencing – Blocks repeated failed login attempts from suspicious
IPs or regions.
• Use Passkeys or Biometric Authentication – Eliminates reliance on passwords.

Rainbow Attack:

• A rainbow table attack is a type of password cracking technique that uses
precomputed hash values stored in large lookup tables. Instead of brute-forcing or
guessing passwords one by one, attackers use these precomputed tables to quickly
find a matching hash and retrieve the original password.
• This attack is effective against weakly hashed and unsalted password databases.

Mitigation Strategies-Preventive Measures:

1. Use Salting with Hashing
o Append a unique, random salt to each password before hashing.
o Prevents attackers from using precomputed rainbow tables.
2. Implement Strong Hashing Algorithms
o Use computationally expensive hashing methods like bcrypt, Argon2,
PBKDF2, or scrypt instead of weak ones like MD5 or SHA-1.
3. Enforce Strong Password Policies
o Require long and complex passwords that are harder to crack.
4. Use Key Stretching Techniques
o Increase the number of iterations in hashing algorithms to slow down
attacks.
5. Regularly Rotate Passwords & Hashes
o Encourage users to change passwords periodically.
o Upgrade to stronger hashing algorithms when possible.
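The password blacklist and salted, stretched hashing from the dictionary-attack list (items 3 and 6) and from items 1, 2 and 4 of this rainbow-table list, in working form, as an added example that is not part of the original document. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the 600,000-iteration count, the 12-character minimum, the small in-line blocked-password list standing in for a breached-password feed, and the `iterations$salt$hash` storage format are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Policy from the document: minimum length 12, reject known-weak passwords.
MIN_LENGTH = 12
# Constructed stand-in for a breached-password feed (e.g. the haveibeenpwned API).
BLOCKED_PASSWORDS = {"password123", "qwerty", "welcome123", "letmein", "123456"}

# Key stretching: the iteration count is an assumed value; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKED_PASSWORDS:
        problems.append("found in the blocked-password list")
    return problems


def unsalted_hash(password: str) -> str:
    """What a rainbow table is built against: one fast hash, no salt.
    Shown only to contrast with hash_password(); never store passwords this way."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salt and stretch the password; the record is 'iterations$salt$hash'
    so the parameters travel with the hash and can be raised later."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record uses fewer iterations than current policy: rehash
    it at the user's next successful login (the 'upgrade the algorithm' step)."""
    return int(stored.split("$")[0]) < current_iterations


if __name__ == "__main__":
    pw = "Correct-Horse-Battery-Staple"
    print(check_policy("qwerty"))                  # two violations
    print(unsalted_hash(pw) == unsalted_hash(pw))  # True: same hash for every user, table-friendly
    a, b = hash_password(pw), hash_password(pw)
    print(a == b, verify_password(pw, a), verify_password("wrong", a))  # False True False
```

Two users with the same password get different stored records because each has its own salt, so a precomputed table would have to be rebuilt per salt; the iteration count then makes every guess expensive even when the salt is known.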

Response & Mitigation After Detection:

1. Force a Password Reset for All Users
o If a password database is compromised, enforce immediate password
changes.
2. Rehash Stored Passwords Using a Stronger Algorithm
o If passwords were stored using a weak hashing method, rehash them with a
stronger function.
3. Monitor for Unauthorized Access Attempts
o Track login failures and suspicious authentication attempts in SIEM tools like
Microsoft Sentinel.

Pass-the-Hash (PtH) Attack:

Attack Description:

A Pass-the-Hash (PtH) attack is a credential theft technique where an attacker captures a
hashed password and reuses it for authentication without cracking it.

Instead of requiring plaintext passwords, the attacker directly passes the hash to
authenticate into systems that accept NTLM or Kerberos authentication.

This attack is common in Windows Active Directory environments where NTLM
authentication is used.

Mitigation Strategies-Preventive Measures:

1. Disable NTLM Authentication
o Use Kerberos instead of NTLM wherever possible.
o Restrict NTLM usage using Group Policy (GPO).
2. Enforce Least Privilege & Privileged Account Security
o Ensure users do not have unnecessary admin privileges.
o Use Privileged Access Management (PAM) to restrict admin account usage.
3. Use Local Administrator Password Solution (LAPS)
o Randomizes local admin passwords across devices, preventing lateral
movement.
4. Enable Credential Guard (Windows 10/11, Windows Server 2016+)
o Protects hashes from being dumped using LSASS isolation.
5. Implement Multi-Factor Authentication (MFA)
o Even if an attacker steals a hash, they cannot authenticate without the
second factor.
6. Use Endpoint Detection & Response (EDR) Tools
o Deploy Defender for Endpoint, CrowdStrike, or SentinelOne to detect and
block credential theft attempts.

Response & Mitigation After Detection:

1. Identify Compromised Accounts & Reset Passwords
o Force a password reset for affected accounts.
o Use Kerberos Ticket Lifetime Policies to expire old credentials quickly.
2. Investigate LSASS Process & Memory Dumps
o Check for unauthorized access to LSASS.exe, which stores credential hashes.
o Use tools like Sysmon, Event Logs, or EDR alerts to monitor for process
injection.
3. Block Lateral Movement
o Restrict administrative access to only necessary machines.
o Use firewall rules to block unnecessary SMB, RDP, and RPC traffic.
4. Monitor & Detect Anomalous Authentication Attempts
o Use Microsoft Sentinel, Splunk, or QRadar to detect repeated hash-based
authentication attempts.

Scanning Attacks:

Attack Description:

• A scanning attack involves probing a target network, system, or application to gather
information about open ports, services, vulnerabilities, and configurations.
• Attackers use scanning to identify potential weaknesses before launching targeted
exploits.

Scanning is commonly performed using tools like:

• Nmap – Network scanning & service detection
• Nessus – Vulnerability scanning
• OpenVAS – Security assessment
• Masscan – High-speed port scanning
• Shodan – Internet-wide device scanning

Mitigation Strategies-Preventive Measures:

1. Firewall & Intrusion Detection/Prevention Systems (IDS/IPS)
o Configure firewall rules to block unnecessary inbound and outbound traffic.
o Use IDS/IPS (e.g., Snort, Suricata, Cisco Firepower) to detect and block
scanning activities.
2. Implement Network Segmentation
o Isolate critical systems using VLANs and subnetting.
o Restrict access to sensitive networks from external sources.
3. Use Rate Limiting & Port Knocking
o Limit the number of connection requests per second.
o Implement port knocking to hide open ports from unauthorized users.
4. Enable Logging & Monitoring
o Monitor logs in SIEM tools like Microsoft Sentinel, Splunk, or QRadar for
unusual scanning patterns.
o Use honeypots to detect unauthorized scanning.
5. Disable Unused Ports & Services
o Close unnecessary ports (e.g., disable Telnet, FTP, SMBv1 if not needed).
o Regularly audit and remove unused services from servers.
6. Deploy Endpoint Security & Network Access Control (NAC)
o Use EDR solutions like Defender for Endpoint, CrowdStrike, or Palo Alto
Cortex XDR to detect suspicious network scans.
o Implement NAC solutions to restrict unauthorized devices.

Response & Mitigation After Detection:

1. Block the Attacker’s IP Address
o Use firewall rules or IPS signatures to block scanning attempts.
2. Identify and Investigate the Source of Scanning
o Determine if the scanning is coming from an internal or external actor.
o Check logs and threat intelligence feeds for further context.
3. Conduct a Security Assessment
o Run internal vulnerability scans to ensure no exposed services exist.
4. Implement Incident Response Procedures
o If the scan is part of a larger attack, escalate to the SOC or security team.

Sniffing Attack:

Attack Description:

A sniffing attack occurs when an attacker captures network traffic to eavesdrop on sensitive
information such as usernames, passwords, emails, or financial data. This is done using
packet-sniffing tools like:

• Wireshark – Packet analysis
• Tcpdump – Command-line packet capture
• Ettercap – Man-in-the-middle (MITM) sniffing
• dsniff – Captures plaintext passwords

Sniffing attacks are especially dangerous in unencrypted networks, such as public Wi-Fi or
poorly secured enterprise networks.

Types of Sniffing Attacks:

Mitigation Strategies-Preventive Measures:

1. Use Encryption (HTTPS, TLS, VPNs)
o Enforce TLS encryption for all communications.
o Use VPNs to protect traffic on untrusted networks.
2. Implement Network Segmentation
o Restrict access to sensitive VLANs and isolate untrusted devices.
o Disable port mirroring on network switches.
3. Enable MAC Address Binding & Secure ARP
o Prevent ARP spoofing by enabling Dynamic ARP Inspection (DAI).
o Use MAC address filtering to block unauthorized devices.
4. Use IDS/IPS to Detect Sniffing Attempts
o Deploy Snort, Suricata, or Zeek to identify unusual packet capture behavior.
o Monitor for duplicate ARP requests or unusual DNS responses.
5. Disable Unnecessary Protocols
o Turn off LLMNR, NetBIOS, and mDNS to prevent MITM attacks.
o Block unnecessary ports and services on endpoints.
6. Enforce Secure Authentication Methods
o Use MFA to prevent credential theft even if passwords are sniffed.
o Disable plaintext authentication protocols (e.g., Telnet, FTP).

Response & Mitigation After Detection:

1. Identify and Remove Malicious Devices
o Check the network for unauthorized sniffing tools.
o Use NetFlow or Wireshark to find rogue devices capturing traffic.
2. Block ARP Spoofing Attacks
o Flush ARP cache (arp -d on Windows/Linux) and restart network services.
3. Force HTTPS and Secure Communication
o Implement HSTS (HTTP Strict Transport Security) to prevent SSL stripping.
4. Conduct Incident Response Investigation
o Check logs for unauthorized access or data leakage.
o If credentials were stolen, reset affected passwords immediately.

Spoofing Attack:

Attack Description:

• A spoofing attack occurs when an attacker impersonates a trusted entity to gain
unauthorized access, steal data, or spread malware.
• Attackers manipulate identities such as IP addresses, MAC addresses, ARP requests,
DNS responses, or emails to deceive systems and users.

Mitigation Strategies-Preventive Measures:

1. Implement Strong Network Security Controls
o Use firewalls, IDS/IPS (e.g., Snort, Suricata, Zeek) to detect spoofing attempts.
o Enable anti-spoofing rules on routers and firewalls (RFC 2827 filtering).
2. Use Authentication & Encryption
o Implement IPsec to authenticate network traffic.
o Enforce TLS encryption for email and web communications.
3. Enable ARP & DNS Security
o Enable Dynamic ARP Inspection (DAI) to prevent ARP spoofing.
o Use DNSSEC to verify DNS responses and prevent poisoning.
4. Deploy Email Security Controls
o Implement SPF, DKIM, and DMARC to validate sender identities.
o Use email filtering solutions to detect phishing attempts.
5. Monitor Network & Host Activities
o Detect unusual IP or MAC address changes with SIEM tools (Microsoft
Sentinel, Splunk, QRadar).
o Log and analyze DNS traffic for anomalies.

Response & Mitigation After Detection:

1. Identify and Block Malicious Traffic
o Use firewall rules to block suspicious IPs and ARP spoofing attempts.
2. Flush and Reset Network Caches
o Flush ARP cache (arp -d * on Windows, ip -s -s neigh flush all on Linux).
o Reset DNS cache (ipconfig /flushdns).
3. Investigate Logs & Incident Response
o Analyze logs for unusual authentication failures or redirected traffic.
o If email spoofing occurs, alert affected users and reset credentials if needed.
4. Educate Users on Spoofing & Phishing Risks
o Train employees to verify sender addresses and avoid clicking on suspicious
links.

Phishing Attack:

Attack Description:

• A phishing attack is a social engineering tactic where an attacker impersonates a
trusted entity to trick users into revealing sensitive information such as login
credentials, financial details, or personal data.
• Phishing is commonly delivered via email, SMS, websites, or phone calls and often
includes malicious links or attachments.

Mitigation Strategies-Preventive Measures:

1. Email Security Controls
o Implement SPF, DKIM, and DMARC to prevent email spoofing.
o Use email filtering solutions (e.g., Microsoft Defender for Office 365,
Proofpoint).
2. User Awareness & Training
o Conduct regular phishing simulations to educate employees.
o Train users to check for red flags (typos, suspicious URLs, urgent requests).
3. Multi-Factor Authentication (MFA)
o Enforce MFA on all critical accounts to reduce risk even if credentials are
stolen.
4. Web & Endpoint Protection
o Use DNS filtering to block malicious phishing domains.
o Deploy endpoint security tools (e.g., Defender for Endpoint, CrowdStrike) to
detect phishing payloads.
5. Limit Account Privileges
o Implement least privilege access to prevent unauthorized actions.
o Restrict financial transactions to verified personnel only.

Response & Mitigation After Detection:

1. Identify and Remove Malicious Emails
o Use SIEM (Microsoft Sentinel, Splunk, QRadar) to detect phishing campaigns.
o Block sender domains and remove emails from inboxes.
2. Investigate & Contain
o Check if any user clicked on the link or entered credentials.
o Force password resets for compromised accounts.
3. Analyze Indicators of Compromise (IOCs)
o Inspect malicious URLs, sender IPs, and attachment hashes for threats.
o Update security rules to block similar future attacks.
4. Educate Affected Users
o Inform impacted employees and reinforce phishing awareness training.

DoS and DDoS Attack:

Attack Description:

• A Denial-of-Service (DoS) attack is an attempt to make a system, network, or service
unavailable by overwhelming it with excessive traffic or resource-consuming
requests.
• A Distributed Denial-of-Service (DDoS) attack is a large-scale DoS attack where
multiple compromised systems (botnets) flood the target, making mitigation more
difficult.

Mitigation Strategies-Preventive Measures:

1. Use a Web Application Firewall (WAF)
o Deploy Cloudflare, AWS WAF, or Azure WAF to filter malicious traffic.
2. Enable Rate Limiting & Traffic Filtering
o Use rate limiting to restrict excessive requests from a single source.
o Implement geofencing to block traffic from known botnet regions.
3. Deploy DDoS Protection Services
o Use CDNs (Cloudflare, Akamai) and DDoS protection (AWS Shield, Azure
DDoS Protection) to absorb traffic spikes.
4. Network-Level Defenses
o Configure firewalls and IDS/IPS to detect and drop abnormal traffic.
o Use TCP SYN Cookies to prevent SYN Flood attacks.
5. Traffic Anomaly Detection
o Implement SIEM (Microsoft Sentinel, Splunk) to detect unusual traffic spikes.
o Use NetFlow or packet analysis tools to identify attack sources.

SYN Flood Attack:

Attack Description:

• A SYN Flood attack is a type of Denial-of-Service (DoS) attack that exploits the TCP
three-way handshake process.
• The attacker sends a large number of SYN (synchronize) requests to a target server
but never completes the handshake by sending the ACK (acknowledge) response.
This keeps the server waiting, consuming resources, and eventually making the
service unavailable.

Attack Process:

1. Attacker sends SYN requests to the target server.
2. Server responds with SYN-ACK, expecting a final ACK from the client.
3. Attacker does not send the ACK, leaving the connection half-open.
4. Server’s connection table fills up, leading to resource exhaustion and denial of
service.

Mitigation Strategies-Preventive Measures:

1. Enable SYN Cookies
o Stores connection state in the SYN-ACK response rather than in memory.
o Prevents exhaustion of connection queues.
2. Limit SYN Requests (Rate Limiting)
o Use firewalls or IDS/IPS to throttle excessive SYN requests from a single IP.
3. Deploy DDoS Protection Services
o Cloud-based solutions (AWS Shield, Azure DDoS Protection, Cloudflare) can
absorb excessive SYN packets.
4. Use Load Balancers & CDNs
o Distribute traffic across multiple servers to reduce the impact of an attack.
5. Timeout Unfinished Connections Quickly
o Reduce TCP SYN timeout to free up resources faster.
6. Implement Firewall Rules
o Block spoofed or repetitive SYN requests using security appliances like Palo
Alto, Fortinet, or Cisco ASA.
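Item 1 above (SYN cookies) as an added example that is not part of the original document: a toy listener that runs either with a bounded half-open table or statelessly with cookies, so the difference under a flood is visible. The cookie layout (an 8-bit time slot plus a 24-bit HMAC of the connection tuple), the secret, the backlog of 128 and the addresses are simplifications and constructed values for this illustration; the real Linux implementation, enabled with the `net.ipv4.tcp_syncookies` sysctl, also encodes the MSS and uses a different bit layout.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the demo; a real kernel keeps this in memory and rotates it.
COOKIE_SECRET = b"constructed-demo-secret"
SLOT_SECONDS = 64          # time granularity encoded in the cookie


def _mac24(src, dst, client_isn, slot):
    """24-bit keyed MAC over the 4-tuple, the client ISN and the time slot."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, client_isn, now):
    """Server ISN that encodes the connection instead of storing it."""
    slot = (int(now) // SLOT_SECONDS) & 0xFF
    return (slot << 24) | _mac24(src, dst, client_isn, slot)


def check_syn_cookie(ack, src, dst, client_isn, now):
    """Validate the handshake's final ACK: ack == cookie + 1, and the cookie
    must come from the current or the previous time slot."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    current = (int(now) // SLOT_SECONDS) & 0xFF
    if (current - slot) & 0xFF > 1:
        return False                       # stale cookie
    return (cookie & 0xFFFFFF) == _mac24(src, dst, client_isn, slot)


class Listener:
    """Half-open connection handling with or without SYN cookies."""

    def __init__(self, backlog=128, use_cookies=False, addr=("192.0.2.10", 443)):
        self.backlog, self.use_cookies, self.addr = backlog, use_cookies, addr
        self.half_open = {}   # (src_ip, src_port) -> server ISN (stateful mode only)

    def on_syn(self, src, client_isn, now):
        """Return the server ISN for the SYN-ACK, or None if the SYN is dropped."""
        if self.use_cookies:
            return make_syn_cookie(src, self.addr, client_isn, now)
        if len(self.half_open) >= self.backlog:
            return None                    # queue exhausted: legitimate SYNs dropped
        isn = secrets.randbits(32)
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, client_isn, ack, now):
        """Complete the handshake; True if the connection is established."""
        if self.use_cookies:
            return check_syn_cookie(ack, src, self.addr, client_isn, now)
        isn = self.half_open.pop(src, None)
        return isn is not None and ack == ((isn + 1) & 0xFFFFFFFF)


def simulate_flood(use_cookies, flood_size=1000):
    """Constructed scenario: many spoofed SYNs that are never acknowledged,
    followed by one legitimate client completing the handshake."""
    srv = Listener(use_cookies=use_cookies)
    now = 1_700_000_000
    for i in range(flood_size):
        srv.on_syn((f"203.0.113.{i % 250 + 1}", 40000 + i), 1000 + i, now)
    client = ("198.51.100.9", 51515)
    isn = srv.on_syn(client, 777, now + 1)
    if isn is None:
        return "dropped"
    ack = (isn + 1) & 0xFFFFFFFF
    return "established" if srv.on_ack(client, 777, ack, now + 2) else "rejected"


if __name__ == "__main__":
    print("without cookies:", simulate_flood(False))
    print("with cookies:   ", simulate_flood(True))
```

In stateful mode the spoofed SYNs fill the table and the genuine client's SYN is dropped; in cookie mode nothing is stored until a valid ACK arrives, so the flood costs the server only the SYN-ACK replies.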

Response & Mitigation After Detection:

1. Identify and Block Malicious IPs
o Use SIEM tools (Microsoft Sentinel, Splunk, QRadar) to detect traffic
anomalies.
o Block attack sources via firewall ACLs or IPS rules.
2. Activate SYN Flood Protection on Routers/Switches
o Enable TCP SYN rate limiting to drop excessive SYN requests.
3. Redirect Attack Traffic (Scrubbing Centers)
o ISPs and cloud providers can reroute attack traffic to scrubbing centers.
4. Use Packet Inspection (IDS/IPS)
o Detect malformed or spoofed SYN packets and drop them before they reach
the server.

ARP Poisoning Attack

Attack Description:

ARP (Address Resolution Protocol) Poisoning, also known as ARP Spoofing, is a Man-in-the-
Middle (MitM) attack where an attacker sends fake ARP replies on a local network to
associate their MAC address with the IP address of another device (e.g., a router or
gateway).

This allows the attacker to:

• Intercept network traffic (e.g., login credentials, session cookies).

• Modify or inject malicious data into communications.

• Launch further attacks like session hijacking or DNS spoofing.

Attack Process:

1. Attacker sends forged ARP responses to devices in the network.

2. Victims update their ARP cache with the attacker's MAC address for a critical IP (e.g.,
the default gateway).

3. Traffic is redirected through the attacker, allowing interception or modification.

4. Attacker can sniff sensitive data or use the connection for further exploitation.

Mitigation Strategies-Preventive Measures:

1. Enable Dynamic ARP Inspection (DAI)

o Available in managed switches (Cisco, Juniper, Aruba).

o Blocks untrusted ARP replies and verifies MAC-IP bindings.

2. Use Static ARP Entries

o Manually set permanent MAC-IP bindings on critical devices (e.g., servers,
routers).

3. Enable Port Security on Switches

o Restrict MAC addresses allowed on specific ports.

o Prevent attackers from injecting spoofed ARP responses.

4. Use VLAN Segmentation

o Isolate sensitive systems to reduce attack surface.

o Prevent unauthorized devices from communicating with critical assets.

5. Implement ARP Spoofing Detection Tools

o Use ARPWatch, XArp, or IDS/IPS (Snort, Suricata) to detect unusual ARP
activity.

6. Use HTTPS & VPNs

o Encrypt communication to prevent attackers from reading intercepted data.
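The ARP inspection idea of item 5 here (and of item 3, "Enable MAC Address Binding & Secure ARP", in the sniffing section), as an added example that is not part of the original document: a monitor that checks observed ARP replies against a trusted IP-to-MAC table, much as DAI checks them against DHCP snooping bindings. The trusted table, the reply observations, the MAC addresses and the alert names are constructed assumptions for this illustration; the reply tuples could be fed from a capture instead of a list.

```python
from collections import defaultdict

# Constructed trusted bindings, e.g. static entries or a DHCP snooping table.
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.2": "00:11:22:33:44:02",   # DNS server
}

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
# Entries 3 and 4 show a host claiming the gateway's IP with its own MAC.
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),
    (1, "10.0.0.25", "00:aa:bb:cc:dd:25"),
    (2, "10.0.0.1", "de:ad:be:ef:00:50"),
    (3, "10.0.0.50", "de:ad:be:ef:00:50"),
    (4, "10.0.0.25", "00:aa:bb:cc:dd:25"),
]


def inspect_arp(replies, trusted=TRUSTED_BINDINGS):
    """Return a list of (time, alert, ip, mac) for replies that look poisoned."""
    alerts = []
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
        expected = trusted.get(ip)
        if expected is not None and mac != expected.lower():
            # strongest signal: a protected address announced with the wrong MAC
            alerts.append((ts, "untrusted-binding", ip, mac))
        elif expected is None and len(macs_for_ip[ip]) > 1:
            # an unmanaged address flipping between MACs is suspicious too
            alerts.append((ts, "ip-mac-flapping", ip, mac))
        if len(ips_for_mac[mac]) > 1 and any(i in trusted for i in ips_for_mac[mac]):
            # one NIC answering both for its own IP and for a protected one
            alerts.append((ts, "mac-claims-protected-ip", ip, mac))
    return alerts


def ips_to_restore(alerts, trusted=TRUSTED_BINDINGS):
    """Addresses whose correct static entries should be re-added after the
    cache is flushed (the document's 'flush & restore' step)."""
    suspect = {ip for _, kind, ip, _ in alerts if kind == "untrusted-binding"}
    return sorted(suspect & set(trusted))


if __name__ == "__main__":
    for alert in inspect_arp(SAMPLE_ARP_REPLIES):
        print(alert)
```

The first rule is the one DAI enforces in hardware; the other two only need passive observation, so they can run on a span port or on a host that watches its own ARP cache when the switches do not support inspection.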

Response & Mitigation After Detection:

1. Identify the Attacker’s MAC Address

o Run arp -a (Windows) or arp -n (Linux) to check suspicious MAC-IP mappings.

o Use Wireshark or network monitoring tools to analyze ARP packets.

2. Flush & Restore Correct ARP Entries

o Run arp -d [IP] to delete malicious ARP entries.

o Re-add correct static ARP entries if necessary.

3. Disconnect the Attacker from the Network

o Use port shutdown on the switch to isolate the rogue device.

4. Check for Further Exploitation

o Review logs for MITM activity, credential theft, or data tampering.

o Reset compromised passwords if necessary.


MITM Attack:

Attack Description:

• A Man-in-the-Middle (MITM) attack occurs when an attacker intercepts, relays, and
possibly alters communications between two parties without their knowledge.
• This allows the attacker to eavesdrop, steal sensitive data, or manipulate messages in
transit.

Mitigation Strategies-Preventive Measures:

1. Use Strong Encryption (TLS/SSL)

o Enforce HTTPS-only connections to protect data in transit.

o Regularly update SSL/TLS certificates and enforce TLS 1.2/1.3.

2. Enable HTTP Strict Transport Security (HSTS)

o Ensures browsers only connect to the website over HTTPS, preventing SSL
stripping attacks.

3. Deploy DNS Security Extensions (DNSSEC)

o Prevents DNS spoofing by ensuring DNS responses are authenticated and
verified.

4. Use Multi-Factor Authentication (MFA)

o Even if credentials are stolen, MFA can prevent unauthorized access.

5. Secure Wi-Fi Networks

o Use WPA3 encryption and avoid open or weak Wi-Fi networks.

o Disable automatic Wi-Fi connections on devices to prevent rogue AP attacks.

6. Use VPN on Untrusted Networks

o Encrypts all internet traffic, making it unreadable to attackers on public Wi-Fi.

7. Monitor Network Traffic & Implement IDS/IPS

o Use Intrusion Detection Systems (IDS) like Snort or Suricata to detect unusual
patterns.

o Deploy SIEM tools (Microsoft Sentinel, Splunk, QRadar) for real-time alerts.

Response & Mitigation After Detection:

1. Identify & Isolate the Attack Source

o Use Wireshark or network logs to detect suspicious packet routing.

o Identify unusual ARP/DNS responses that indicate redirection.

2. Terminate Compromised Sessions

o Force logout from all accounts and revoke compromised authentication
tokens.

3. Reconfigure & Harden Network Security

o Reset ARP tables if ARP poisoning is detected.

o Flush DNS cache and ensure proper DNS configurations.

4. Educate Users on MITM Risks

o Warn against entering credentials on HTTP sites.

o Encourage verifying SSL certificates before entering sensitive data.

DNS Poisoning Attack:

Attack Description:

• DNS poisoning (also known as DNS spoofing) occurs when an attacker manipulates
DNS records to redirect users to malicious websites instead of legitimate ones.
• This can lead to phishing, malware infections, and data theft.

How DNS Poisoning Works:

1. Compromising a DNS Cache – The attacker injects false DNS entries into a caching
DNS resolver, causing users to be redirected to malicious sites.

2. Intercepting DNS Queries – The attacker manipulates DNS responses to trick users
into visiting fraudulent sites.

3. Modifying Hosts Files – Some malware modifies the local hosts file to override
legitimate DNS lookups.

Types of DNS Poisoning Attacks:

Mitigation Strategies-Preventive Measures:

1. Use DNS Security Extensions (DNSSEC)

o Ensures DNS responses are cryptographically signed and verified.

o Prevents attackers from injecting forged DNS records.

2. Enable DNS Over HTTPS (DoH) or DNS Over TLS (DoT)

o Encrypts DNS traffic to prevent interception and manipulation.

3. Use Secure and Trusted DNS Providers

o Configure enterprise systems to use Google Public DNS (8.8.8.8), Cloudflare
(1.1.1.1), or Quad9 (9.9.9.9) for added security.

4. Implement Network Segmentation and Firewall Rules

o Restrict unauthorized DNS traffic and block external DNS resolvers within
corporate networks.

5. Monitor DNS Logs & Use SIEM for Threat Detection

o Detect unusual DNS requests (e.g., rapid lookups for random domains).

o Use Microsoft Sentinel, Splunk, or QRadar to correlate DNS anomalies.

Response & Mitigation After Detection:

1. Flush DNS Cache & Reset Configurations

o Run ipconfig /flushdns on Windows or sudo systemd-resolve --flush-caches on
Linux.

2. Check & Reset Hosts File

o Review the hosts file to remove unauthorized modifications.

3. Inspect DNS Logs for Unusual Activity

o Identify DNS queries resolving to unexpected IP addresses.

4. Change DNS Servers to Secure Providers

o Ensure systems are using trusted DNS resolvers instead of rogue DNS servers.

5. Educate Users on Safe Browsing Practices

o Encourage verifying URLs before entering credentials.

o Warn against ignoring SSL certificate warnings.


DNS Tunnelling Attack:

Attack Description:

DNS Tunnelling is a technique used by attackers to exfiltrate data or establish a covert
command-and-control (C2) channel by encoding malicious traffic within DNS queries and
responses. Since DNS traffic is often allowed through firewalls, this method bypasses
security controls.

How DNS Tunneling Works:

1. Compromised System Sends DNS Requests

o The infected system encodes data (e.g., commands, credentials) into DNS
queries.

2. Malicious DNS Server Decodes Queries

o The attacker's server extracts and processes the encoded data.

3. Attacker Sends Responses Back

o Data is embedded within DNS responses, allowing bidirectional
communication.

Common Use Cases of DNS Tunneling:

Popular DNS Tunnelling Tools & Malware:

Mitigation Strategies-Preventive Measures:

1. Monitor & Analyze DNS Traffic

o Look for unusually large DNS queries or high query rates to uncommon
domains.

o Use SIEM tools (Microsoft Sentinel, Splunk, QRadar) to detect anomalies.

2. Enforce DNS Logging & Filtering

o Log all DNS queries using Windows DNS logs, Cisco Umbrella, or Google Cloud
DNS.

o Block or flag queries with excessive subdomains or long TXT records.

3. Restrict External DNS Resolvers

o Configure endpoints and servers to use trusted internal DNS servers only.

o Block outbound DNS queries to unauthorized external resolvers.

4. Deploy DNS Firewalls & Threat Intelligence Feeds

o Use security tools like Infoblox, Palo Alto DNS Security, or Cisco Umbrella to
filter malicious domains.

o Implement DNS RPZ (Response Policy Zones) to block known C2 domains.

5. Enable DNSSEC (DNS Security Extensions)

o Prevents DNS response tampering, reducing the risk of forged responses.
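A starting point for the "monitor & analyze DNS traffic" and "flag queries with excessive subdomains or long TXT records" items above, as an added example that is not part of the original document: it scores each query on name length, label count, character entropy and record type, then adds a volume signal per client and base domain. The query sample, the thresholds (60 characters, 5 labels, 3.5 bits of entropy, 4 distinct names) and the two-label approximation of the registered domain are constructed assumptions for this illustration; production rules would use the public suffix list and thresholds tuned on the organisation's own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: (client IP, query name, record type).
# The last four names carry encoded data in their leftmost labels.
SAMPLE_QUERIES = [
    ("10.0.0.15", "www.example.com", "A"),
    ("10.0.0.15", "mail.example.com", "MX"),
    ("10.0.0.15", "cdn.example.com", "A"),
    ("10.0.0.23", "a9f3b2c7e1d4k8m2q5z0x7w4v1y6u3t9.q8r2s5p1n4.s1.tunnel-example.net", "TXT"),
    ("10.0.0.23", "k2m8p4q1r7s3t9v5w0x6y2z8a4b1c7d3.e5f9g1h6j3.s1.tunnel-example.net", "TXT"),
    ("10.0.0.23", "n7b3x1z9q4w2e8r5t0y6u3i1o7p2a5s4.d8f2g6h4j9.s2.tunnel-example.net", "TXT"),
    ("10.0.0.23", "z4x8c2v6b1n5m9q3w7e0r4t8y2u6i1o5.p3a7s1d5f9.s2.tunnel-example.net", "TXT"),
]

MAX_NAME_LENGTH = 60
MAX_LABELS = 5
ENTROPY_THRESHOLD = 3.5       # bits per character of the encoded part
MIN_ENTROPY_SAMPLE = 16       # very short strings give meaningless entropy
BULK_RRTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character: 0 for one repeated symbol, up to log2(len(text))."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Approximate the registered domain as the last two labels (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_query(qname, qtype):
    """Return the set of per-query indicators for one DNS lookup."""
    labels = qname.rstrip(".").split(".")
    encoded_part = "".join(labels[:-2])      # everything left of the base domain
    reasons = set()
    if len(qname) > MAX_NAME_LENGTH:
        reasons.add("long-name")
    if len(labels) >= MAX_LABELS:
        reasons.add("many-labels")
    if len(encoded_part) >= MIN_ENTROPY_SAMPLE and shannon_entropy(encoded_part) > ENTROPY_THRESHOLD:
        reasons.add("high-entropy")
    if qtype in BULK_RRTYPES:
        reasons.add("bulk-capable-rrtype")
    return reasons


def detect_tunnelling(queries, distinct_threshold=4, min_indicators=2):
    """Group by (client, base domain); report groups with several indicators."""
    names = defaultdict(set)
    indicators = defaultdict(set)
    for client, qname, qtype in queries:
        key = (client, base_domain(qname))
        names[key].add(qname)
        indicators[key] |= score_query(qname, qtype)
    for key, seen in names.items():
        if len(seen) >= distinct_threshold:
            indicators[key].add("many-distinct-subdomains")
    return {key: ind for key, ind in indicators.items() if len(ind) >= min_indicators}


if __name__ == "__main__":
    for (client, domain), ind in detect_tunnelling(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {sorted(ind)}")
```

Requiring two independent indicators before alerting is what keeps CDN and anti-virus lookups, which are also long and label-heavy but not random-looking, out of the results; the per-domain volume signal is the one that survives when a tunnel keeps its labels short.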

Response & Containment After Detection:

1. Identify & Quarantine Infected Systems

o Use EDR/XDR tools (Microsoft Defender XDR, CrowdStrike) to isolate affected
hosts.

2. Block Malicious Domains & IPs

o Use threat intelligence sources (e.g., AlienVault OTX, VirusTotal) to block
malicious C2 domains.

3. Reconfigure Firewall Rules

o Restrict external DNS traffic and enforce strict outbound access controls.

4. Educate Employees on DNS-Based Threats

o Awareness training on suspicious domain lookups and phishing tactics.


Malware:

• Malware (malicious software) is any software designed to harm, exploit, or
compromise systems, networks, or data.
• It includes viruses, worms, trojans, ransomware, spyware, adware, and rootkits.

Types of Malware & Mitigation Strategies:

• Virus needs user execution and attaches to files.
• Trojan disguises itself as legitimate software and opens backdoors.
• Worm spreads autonomously across networks without user action.

General Malware Mitigation Techniques:

• To effectively prevent and respond to malware threats, organizations should
implement a multi-layered security approach.

Below are key mitigation strategies categorized by security layers:

Drive-by Download Attack:

A Drive-By Download is an attack where malicious software is automatically downloaded
and executed on a system when a user visits a compromised or malicious website, without
their consent or interaction.

Mitigation Techniques:

Fileless Attack & Mitigation:

• A Fileless Attack is a type of cyberattack that does not require installing traditional
malware files.
• Instead, it leverages built-in tools (like PowerShell, WMI, and macros) to execute
malicious code directly in memory, making it harder to detect.

SQL Injection Attack:

SQL Injection (SQLi) is a web attack where an attacker injects malicious SQL queries into
input fields to manipulate a database, steal sensitive data, or bypass authentication.

Mitigation Techniques:
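The standard mitigation, parameterised queries, shown beside the vulnerable pattern, as an added example that is not part of the original document. It uses Python's built-in sqlite3 with an in-memory database; the table, the single account row and the login functions are constructed for this illustration, and the password column holds placeholder strings rather than real hashes.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash-for-alice')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds SQL by string formatting: the input becomes part of the query
    grammar, so a quote in either field changes the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends values separately from the SQL
    text, so input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def lookup_user_safe(conn, username):
    """The same rule applies to every statement, not only the login."""
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    tautology = "' OR '1'='1"      # the textbook authentication-bypass input
    print(login_vulnerable(conn, "alice", "wrong"))          # False
    print(login_vulnerable(conn, tautology, tautology))     # True: bypassed
    print(login_safe(conn, tautology, tautology))           # False: treated as data
```

Parameterisation removes the injection; the complementary controls are a database account with only the privileges the application needs, so that a remaining flaw cannot read or alter other tables, and logging of SQL errors, since a burst of syntax errors from one client is an early sign of probing.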

XSS Attack:

Cross-Site Scripting (XSS) is a web vulnerability where an attacker injects malicious scripts
(JavaScript, HTML, etc.) into a website to steal user data, hijack sessions, or deface
webpages.

Types of XSS Attacks:

Mitigation Techniques:

By sanitizing inputs, encoding outputs, and restricting script execution, XSS attacks can be
effectively prevented.
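The three controls named in the sentence above (sanitising input, encoding output, restricting script execution), as an added example that is not part of the original document: a vulnerable HTML renderer beside an encoding one, a URL-scheme allowlist for links, and a Content-Security-Policy header. The comment text, the page fragment, the `render_*` function names and the CSP value are constructed assumptions for this illustration.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author, text):
    """Interpolates user input straight into HTML; markup in `text` is live."""
    return f"<p class=\"comment\"><b>{author}</b>: {text}</p>"


def render_comment_safe(author, text):
    """Output encoding for the HTML text context: <, >, &, quotes become entities."""
    return (f"<p class=\"comment\"><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(text, quote=True)}</p>")


def safe_href(url):
    """Allowlist link schemes: the attribute context needs more than entity
    encoding, because a javascript: URL is harmless text until it is clicked."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile_link(label, url):
    return f'<a href="{safe_href(url)}">{html.escape(label, quote=True)}</a>'


# Restrict script execution: same-origin scripts only, no inline code, no plugins.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"
    print(render_comment_vulnerable("mallory", hostile))      # script tag survives
    print(render_comment_safe("mallory", hostile))            # &lt;script&gt;...
    print(render_profile_link("site", "javascript:alert(1)"))  # href="#"
```

Encoding is chosen per context: entity encoding is right for element text and quoted attributes, but a URL attribute also needs the scheme check, and data placed inside a script block needs JSON encoding instead. The CSP header is the backstop for the case where one output path is missed, because it stops inline script from executing at all.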

CSRF Attack:
Cross-Site Request Forgery (CSRF) is an attack where an attacker tricks a user into
unknowingly executing unauthorized actions on a trusted website where they are
authenticated. This can result in changing account settings, making transactions, or
modifying data without the user’s consent.

Mitigation Techniques:
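The usual CSRF defences, as an added example that is not part of the original document: a per-session synchroniser token checked in constant time, an Origin/Referer check as a second layer, and the SameSite cookie attribute. The session and request dictionaries, the `handle_transfer` handler, the allowed origin `https://bank.example` and the form field names are constructed assumptions for this illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://bank.example"}    # constructed site origin
# The session cookie itself should carry SameSite so cross-site POSTs omit it.
SESSION_COOKIE_ATTRIBUTES = "Secure; HttpOnly; SameSite=Lax"


def issue_csrf_token(session):
    """One unguessable token per session, embedded in forms as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # constant-time comparison; encode so non-ASCII input cannot raise
    return hmac.compare_digest(expected.encode(), submitted.encode())


def origin_allowed(headers):
    """Browsers send Origin on cross-site POSTs; fall back to Referer.
    A request carrying neither is refused rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def handle_transfer(session, headers, form):
    """State-changing request: both checks must pass before acting."""
    if not origin_allowed(headers):
        return 403, "request did not come from this site"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    good = {"Origin": "https://bank.example"}
    print(handle_transfer(session, good, {"csrf_token": token, "amount": "10", "to": "bob"}))
    print(handle_transfer(session, {"Origin": "https://evil.example"}, {"amount": "10", "to": "mallory"}))
```

A forged cross-site form post carries the victim's session cookie (unless SameSite blocks it) but cannot read the token out of the victim's page, so it fails the token check; the Origin check catches the same request earlier and also covers endpoints that were forgotten when tokens were rolled out.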

Broken Authentication Attack & Mitigation:

Broken Authentication occurs when attackers exploit weak authentication mechanisms to
compromise user accounts. This can lead to account takeovers, privilege escalation, or data
breaches due to:

• Weak or default passwords

• Credential stuffing and brute-force attacks

• Poor session management

• Lack of Multi-Factor Authentication (MFA)


Mitigation Techniques:

Broken Access Control:

Broken Access Control occurs when attackers exploit improper authorization mechanisms to
access, modify, or delete data they shouldn't have permission for. This can lead to data leaks,
privilege escalation, or unauthorized system modifications.

Mitigation Techniques:
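Object-level and function-level authorisation checks, as an added example that is not part of the original document: a lookup that trusts the client-supplied id (the insecure direct object reference pattern) beside one that checks ownership and role, with deny-by-default and a permission table. The users, invoices, roles and the `PERMISSIONS` map are constructed assumptions for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str            # "customer", "support" or "admin" (constructed roles)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: int


# Constructed data store.
INVOICES = {
    1001: Invoice(1001, owner_id=1, total=120),
    1002: Invoice(1002, owner_id=2, total=870),
}

# Function-level control: which roles may perform which actions.
# Anything not listed is denied (deny by default).
PERMISSIONS = {
    "invoice:read": {"customer", "support", "admin"},
    "invoice:refund": {"admin"},
}

DENIED_LOG = []   # would feed the SIEM in practice; repeated denials are a signal


def get_invoice_vulnerable(user, invoice_id):
    """Authenticated but not authorised: any id the client sends is served."""
    return INVOICES.get(invoice_id)


def is_permitted(user, action):
    return user.role in PERMISSIONS.get(action, set())


def can_access_invoice(user, invoice):
    """Object-level rule: owners see their own; support and admin see all."""
    return user.role in ("support", "admin") or invoice.owner_id == user.id


def get_invoice_safe(user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if (invoice is None or not is_permitted(user, "invoice:read")
            or not can_access_invoice(user, invoice)):
        DENIED_LOG.append((user.id, "invoice:read", invoice_id))
        return None         # same answer for missing and forbidden: no id probing
    return invoice


def refund_invoice(user, invoice_id):
    """Every state-changing path repeats the check instead of trusting the UI."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_permitted(user, "invoice:refund"):
        DENIED_LOG.append((user.id, "invoice:refund", invoice_id))
        return False
    return True


if __name__ == "__main__":
    alice, admin = User(1, "customer"), User(9, "admin")
    print(get_invoice_vulnerable(alice, 1002))   # another customer's invoice, served anyway
    print(get_invoice_safe(alice, 1002))         # None
    print(get_invoice_safe(admin, 1002).total)   # 870
    print(refund_invoice(alice, 1001), refund_invoice(admin, 1001))  # False True
```

The check lives next to the data access rather than in the request router, so a new endpoint cannot reach an invoice without going through it; hiding a button in the interface is not an access control.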

OWASP (Open Web Application Security Project):

• OWASP is a non-profit organization focused on improving web application security
through open-source projects, tools, and security standards.
• The most well-known project is the OWASP Top 10, which lists the most critical web
security risks.
