Ethical Hacking Assignment

Q1. Describe the attack cycle

The lifecycle of an attack refers to the series of stages that an attacker
goes through when attempting to compromise a target system or
network. The stages vary with the specific attack, but generally include
the following (stages 1 to 7 are the stages of the Cyber Kill Chain
model; the eighth is commonly added to cover post-compromise cleanup):

1. Reconnaissance: In this first stage, the attacker collects information
about the target system or network. This may include scanning for open
ports, identifying potential vulnerabilities, or gathering intelligence
about the target's systems and the people who use them.
2. Weaponization: Having identified a flaw or weakness in the target, the
attacker develops or acquires the tools and techniques needed to exploit
it. This may include writing exploit code and building or modifying
malware, typically pairing the exploit with a payload (such as a
backdoor) that will run once exploitation succeeds.
3. Delivery: The attacker transmits the weapon to the target. This can
be done in a variety of ways, such as sending phishing emails with
malicious attachments or links, exploiting vulnerabilities in web
applications, or using social engineering to trick users into
installing malware themselves.
4. Exploitation: Once the weapon reaches the target, the exploit
triggers the vulnerability or weakness in the target system (or
deceives its user). This may result in code execution, unauthorized
access, or control over a host or the network.
5. Installation: After gaining initial access, the attacker installs
additional tools or malware on the compromised system to establish
persistence and enable further activity. This may include backdoors,
remote access Trojans (RATs) or other types of malware.
6. Command and Control (C2): At this stage, the attacker establishes a
channel through which the implanted malware contacts infrastructure
under the attacker's control, often at regular intervals. The channel
is used to issue commands, exfiltrate data, or stage further attacks.
7. Actions on Objectives: With control established, the attacker pursues
the actual goal. This could include stealing sensitive data, disrupting
services, altering or destroying data, or using the compromised hosts
as a foothold for attacks on other systems.
8. Covering Tracks: Once the objective is reached, the attacker may try
to hide the intrusion by deleting or altering logs, modifying the
system, or removing other evidence of their presence. The purpose of
this is to make it harder for the victim to detect and respond to the
attack.

It's important to note that the lifecycle of an attack can vary depending
on the specific attack vector and the goals of the attacker. Different
attacks may follow different stages or may combine multiple stages
into a single step. Additionally, defenders can use this lifecycle as a
framework to understand and mitigate attacks by identifying and
disrupting the attacker's activities at each stage.
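
As an added example (not part of the original assignment), the following
Python script shows how a defender can use the lifecycle as a detection
framework: it runs two checks over a constructed connection log, a
port-scan check aimed at the reconnaissance stage and a beaconing check
aimed at the command-and-control stage. The log lines, addresses and
thresholds are made up for illustration; real logs would need their own
parser but the same logic applies.

```python
"""Stage-aware detections over a constructed connection log.

Added example, not from the original assignment. The log text is made up;
each line is "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic):
#  10.0.0.5 sweeps 11 ports on 10.0.0.20 within 10 seconds -> reconnaissance
#  10.0.0.7 reaches 203.0.113.10:443 every ~300 s           -> command and control
#  10.0.0.8 browses 10.0.0.30:443 at irregular intervals    -> benign
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.0.20 21 DENY
2024-05-01T10:00:01 10.0.0.5 10.0.0.20 22 ALLOW
2024-05-01T10:00:02 10.0.0.5 10.0.0.20 23 DENY
2024-05-01T10:00:03 10.0.0.5 10.0.0.20 25 DENY
2024-05-01T10:00:04 10.0.0.5 10.0.0.20 80 ALLOW
2024-05-01T10:00:05 10.0.0.5 10.0.0.20 110 DENY
2024-05-01T10:00:06 10.0.0.5 10.0.0.20 135 DENY
2024-05-01T10:00:07 10.0.0.5 10.0.0.20 139 DENY
2024-05-01T10:00:08 10.0.0.5 10.0.0.20 443 ALLOW
2024-05-01T10:00:09 10.0.0.5 10.0.0.20 445 DENY
2024-05-01T10:00:10 10.0.0.5 10.0.0.20 3389 DENY
2024-05-01T10:00:00 10.0.0.7 203.0.113.10 443 ALLOW
2024-05-01T10:05:00 10.0.0.7 203.0.113.10 443 ALLOW
2024-05-01T10:10:01 10.0.0.7 203.0.113.10 443 ALLOW
2024-05-01T10:15:00 10.0.0.7 203.0.113.10 443 ALLOW
2024-05-01T10:19:59 10.0.0.7 203.0.113.10 443 ALLOW
2024-05-01T10:25:00 10.0.0.7 203.0.113.10 443 ALLOW
2024-05-01T10:01:00 10.0.0.8 10.0.0.30 443 ALLOW
2024-05-01T10:01:07 10.0.0.8 10.0.0.30 443 ALLOW
2024-05-01T10:03:30 10.0.0.8 10.0.0.30 443 ALLOW
2024-05-01T10:12:00 10.0.0.8 10.0.0.30 443 ALLOW
"""


def parse(log_text):
    """Turn the text log into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_port_scans(events, min_ports=10, window_seconds=60):
    """Reconnaissance: sources that touch >= min_ports distinct destination
    ports within any window_seconds span. Returns {src: max distinct ports}."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport, _action in events:
        by_src[src].append((ts, dport))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # Shrink the window from the left until it fits in window_seconds.
            while (hits[right][0] - hits[left][0]).total_seconds() > window_seconds:
                left += 1
            ports = {p for _, p in hits[left:right + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def detect_beacons(events, min_connections=5, max_jitter_seconds=2.0):
    """Command and control: flows whose successful connections recur at
    near-constant intervals. Returns {(src, dst, dport): mean interval in s}."""
    flows = defaultdict(list)
    for ts, src, dst, dport, action in events:
        if action == "ALLOW":
            flows[(src, dst, dport)].append(ts)
    beacons = {}
    for flow, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_seconds:
            beacons[flow] = sum(gaps) / len(gaps)
    return beacons


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("reconnaissance (port scans):", detect_port_scans(evts))
    print("command and control (beacons):", detect_beacons(evts))
```

The thresholds are the part a practitioner tunes: a vulnerability scanner
or a monitoring system touching many ports is legitimate reconnaissance
from an allow-listed source, and a software updater polling on a fixed
schedule looks exactly like a beacon, so both detections are a starting
point for triage rather than a verdict.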

Q2. Explain use case with the help of two examples.

A use case describes how an actor (a user or another system) interacts
with a system to achieve a specific goal, written as the sequence of
steps that make up a successful interaction. Two examples follow.

Use Case 1: Online Shopping

Actor: Customer
Goal: To purchase a product online.
Steps:

1. The customer visits the online shopping website.
2. The customer searches for the desired product.
3. The customer selects the product and adds it to the shopping
cart.
4. The customer proceeds to the checkout process.
5. During checkout, the customer provides personal details,
shipping address, and payment information.
6. The customer confirms the order.
7. The system processes the payment and sends a confirmation
email.
8. The purchased product is shipped to the customer's provided
address.

Use Case 2: Mobile Banking App

Actor: Customer
Goal: To transfer funds from one bank account to another.
Steps:
1. The customer launches the mobile banking app on their smartphone.
2. The customer logs in to their bank account using their credentials.
3. Within the app, the customer navigates to the funds transfer section.
4. The customer enters the recipient's account number, specifies the
transfer amount, and confirms the transaction.
5. Upon completion of the transaction, the customer receives a
notification confirming the successful transfer.
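
The steps of Use Case 2 read as a happy path; the security questions an
ethical hacker asks are what happens at each step when the actor is not
who they claim to be. As an added example (not part of the original
assignment), the following Python code implements the funds transfer use
case with the checks each step implies. It goes beyond the listed steps by
adding authentication, authorization (the source account must belong to
the logged-in customer), and amount validation. The users, accounts,
credentials and hashing parameters are constructed for illustration and do
not describe any real bank's design.

```python
"""Use Case 2 (funds transfer) as code, with the checks each step implies.

Added example, not part of the original assignment. Users, accounts and
credentials are constructed in memory; the password hashing, session store
and amount rules are illustrative assumptions, not any real bank's design.
"""
import hashlib
import hmac
import os
import secrets
from decimal import Decimal


class TransferError(Exception):
    """A step's precondition failed; the message is safe to show the user."""


class Bank:
    def __init__(self):
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.sessions = {}  # session token -> username
        self.accounts = {}  # account number -> {"owner": username, "balance": Decimal}
        self.notifications = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def open_account(self, number, owner, balance):
        self.accounts[number] = {"owner": owner, "balance": Decimal(balance)}

    def login(self, username, password):
        """Step 2: verify credentials and hand out an unguessable session token."""
        entry = self.users.get(username)
        # compare_digest keeps the comparison time independent of where it differs
        if entry is None or not hmac.compare_digest(entry[1], self._hash(password, entry[0])):
            raise TransferError("invalid credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def transfer(self, token, src_account, dst_account, amount):
        """Steps 3 to 5: recipient, amount and confirmation, with the checks
        that turn the narrative steps into a secure operation."""
        user = self.sessions.get(token)
        if user is None:
            raise TransferError("not logged in")
        src, dst = self.accounts.get(src_account), self.accounts.get(dst_account)
        if src is None or dst is None:
            raise TransferError("unknown account")
        # Authorization: being logged in is not enough; the source account must
        # belong to the session's user, or any customer could drain any account
        # number they can guess.
        if src["owner"] != user:
            raise TransferError("not authorised for source account")
        amount = Decimal(amount)  # pass amounts as strings to avoid float rounding
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            raise TransferError("invalid amount")
        if src["balance"] < amount:
            raise TransferError("insufficient funds")
        # All checks passed: apply both sides of the transfer together.
        src["balance"] -= amount
        dst["balance"] += amount
        note = f"Transferred {amount} from {src_account} to {dst_account}"
        self.notifications.append((user, note))
        return note


def demo():
    """Constructed scenario: alice moves 150.00 to bob, then mallory, who is
    logged in to her own account, tries to move money out of alice's."""
    bank = Bank()
    bank.add_user("alice", "correct horse battery staple")
    bank.add_user("mallory", "hunter2")
    bank.open_account("ACC-1001", "alice", "500.00")
    bank.open_account("ACC-2002", "bob", "20.00")
    bank.open_account("ACC-3003", "mallory", "0.00")
    alice = bank.login("alice", "correct horse battery staple")
    bank.transfer(alice, "ACC-1001", "ACC-2002", "150.00")
    result = {"alice": bank.accounts["ACC-1001"]["balance"],
              "bob": bank.accounts["ACC-2002"]["balance"]}
    try:
        bank.transfer(bank.login("mallory", "hunter2"), "ACC-1001", "ACC-3003", "100.00")
        result["mallory_attack"] = "allowed"
    except TransferError as exc:
        result["mallory_attack"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The ownership check in transfer is the one most often missing in real
applications: the use case says the customer "confirms the transaction",
and an implementation that trusts the account number in the request
without tying it to the session is exactly the kind of flaw a tester looks
for after logging in with an ordinary account.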

Q3. Explain the terms:
a) Botnets
b) Rootkits

a) Botnets:
Botnets are networks of compromised computers or devices that are
controlled by a malicious actor, known as the botmaster. These
compromised devices, also known as bots or zombies, are typically
infected with malware that allows the botmaster to remotely control
and coordinate their activities. Botnets are often used for malicious
purposes, such as launching distributed denial-of-service (DDoS)
attacks, sending spam emails, spreading malware, or conducting large-
scale cybercriminal activities.

Botnets are created by infecting vulnerable devices with malware
through various means, such as exploiting software vulnerabilities,
tricking users into downloading malicious files, or using social
engineering techniques. Once infected, the compromised devices
become part of the botnet and carry out the botmaster's commands,
which are issued over a command-and-control (C2) channel. Botnets can
range in size from a few dozen to millions of compromised devices,
depending on the scale and objective of the attack.

b) Rootkits:
Rootkits are a type of malicious software that is designed to hide its
presence and activities on a compromised system. They are often used
by attackers to gain unauthorized access and maintain control over a
compromised system while avoiding detection by system
administrators and security tools.
Rootkits typically operate at a low level of the operating system,
directly interacting with the kernel or other critical system
components. By modifying system files, processes, or drivers, rootkits
can alter the behaviour of the operating system, hide files and
processes, intercept system calls, and disable security mechanisms.

Rootkits can be installed on a system through various means, such as
exploiting vulnerabilities, using social engineering techniques, or
leveraging other malware infections. Once installed, a rootkit can
provide the attacker with persistent and privileged access to the
compromised system, allowing them to carry out malicious activities,
such as stealing sensitive information, modifying system
configurations, or launching further attacks.

Detecting and removing rootkits can be challenging because they hide
from the very tools an administrator would use to look for them.
Specialized tools and techniques are often required: rootkit scanners
that compare several views of the same information (for example the
process list reported through normal interfaces against direct probing
of each process ID), integrity checks of kernel structures and system
files against known-good copies, and forensic analysis of the disk from
a clean boot medium, where the rootkit is not running and cannot hide.
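
As an added example (not part of the original assignment), the following
Python script illustrates the cross-view technique that many rootkit
scanners use to find hidden processes. A rootkit that hides a process
usually filters one enumeration path, such as the directory listing of
/proc that ps and top rely on on Linux, but probing every process ID
directly with kill(pid, 0) gives a second view that is harder to filter.
The comparison is kept separate from the live collectors so it can be
exercised with constructed views; the live part is Linux-specific.

```python
"""Cross-view check for hidden processes, the idea behind many rootkit scanners.

Added example, not part of the original assignment. View 1 is the /proc
directory listing (what ps and top use on Linux); view 2 asks the kernel
about every PID with kill(pid, 0). A process that answers the probe but is
missing from the listing is being hidden from the listing path.
"""
import os


def hidden_pids(listed_view, probed_view):
    """Return PIDs present in the probe view but absent from the listed view.

    Both arguments are iterables of ints (constructed or live). The comparison
    is deliberately one-directional: a PID that is listed but does not answer
    a probe has most likely just exited, which is not suspicious."""
    return sorted(set(probed_view) - set(listed_view))


def pids_from_proc(proc_root="/proc"):
    """View 1: the directory listing most process tools use (Linux only)."""
    if not os.path.isdir(proc_root):
        return set()
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_by_probe(limit):
    """View 2: ask the kernel about every PID up to limit with signal 0.

    POSIX only: kill(pid, 0) delivers nothing but reports whether the PID
    exists. ProcessLookupError means no such process; PermissionError means
    it exists but belongs to another user."""
    if os.name != "posix":
        return set()
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def scan(limit=None):
    """Compare both live views and return PIDs the listing does not show.

    On a clean system this should be empty; a process that started between
    the two collections could appear, so re-run before drawing conclusions.
    Returns None where /proc is unavailable (non-Linux platforms)."""
    listed = pids_from_proc()
    if not listed:
        return None
    if limit is None:
        limit = max(65536, os.getpid() + 1)
    return hidden_pids(listed, pids_by_probe(limit))


def current_pid_is_visible():
    """Sanity check: our own PID must appear in both views on Linux.
    Returns True on platforms where the collectors are unavailable."""
    me = os.getpid()
    listed = pids_from_proc()
    if not listed or os.name != "posix":
        return True
    return me in listed and me in pids_by_probe(me)


if __name__ == "__main__":
    # Constructed views: PID 4242 answers the probe but is not listed.
    print("constructed:", hidden_pids([1, 2, 100], [1, 2, 100, 4242]))
    print("live:", scan())
```

A kernel rootkit that hooks the system call used for the probe as well as
the directory listing defeats this particular pair of views, which is why
real scanners combine several such checks and why offline analysis from a
clean boot medium remains the most reliable method.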

Q4. Describe Man in the Middle Attack with relevant examples and
diagrams.
A Man-in-the-Middle (MitM) attack is a type of cyber attack where an
attacker intercepts and relays communication between two parties
without their knowledge. The attacker secretly relays and possibly
alters the communication between the two parties, making them
believe that they are directly communicating with each other. Here's
an example to illustrate a Man-in-the-Middle attack:

Example: Alice wants to securely communicate with Bob over an
insecure network. However, Eve, the attacker, positions herself
between Alice and Bob to intercept their communication.

1. Initial Setup:
● Alice and Bob are connected to the same network.
● Eve sets up a rogue access point (for example one advertising the
same network name as the legitimate one) so that Alice's traffic
passes through Eve's machine on its way to Bob.
2. Attack Execution:
● Alice tries to establish a secure connection with Bob by
initiating a session.
● Eve intercepts Alice's request and acts as a proxy,
forwarding the request to Bob.
● Bob receives the request, but he believes it is directly
coming from Alice.
● Bob responds to the request, thinking he is communicating
directly with Alice.
● Eve intercepts Bob's response and forwards it to Alice,
pretending to be Bob.
3. Impersonation and Eavesdropping:
● Now, Alice and Bob think they are securely communicating,
but Eve is in the middle, intercepting and possibly altering
their messages.
● Eve can read, modify, or inject malicious content into the
communication without the knowledge of Alice or Bob.
● Eve can also impersonate either party, leading to
unauthorized actions or theft of sensitive information.
4. Mitigation:
● To mitigate Man-in-the-Middle attacks, it is crucial to use
secure communication protocols such as Transport Layer Security
(TLS), the successor of the now-deprecated Secure Sockets Layer
(SSL), which provides encryption and authenticates the server (and
optionally the client) through certificates.
● TLS only defeats Eve if the client actually validates the
certificate and hostname. An application that disables verification,
or a user who clicks through a certificate warning, lets Eve
terminate the "secure" connection herself and re-encrypt towards Bob.
● Users should also be cautious when connecting to public or
untrusted networks and verify the authenticity of websites and
certificates.
5. Diagram

   Alice                 Eve (rogue access point)                  Bob
     | --- request ----->| reads, possibly alters, forwards --->   |
     |<--- forwarded ----|<------------- genuine reply ---------   |

   Alice believes she is talking to Bob; Bob believes he is talking
   to Alice; every message passes through Eve.

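
The relay described in steps 2 and 3, as an added example that is not
part of the original assignment: the "network" is a pair of Python
functions, Eve's relay sits between Alice and Bob and rewrites the
recipient of a transfer instruction, and two channels are compared, a
plain one where Bob cannot tell the message was altered, and one protected
by an HMAC under a key only Alice and Bob share. The pre-shared key stands
in for what TLS establishes through a certificate-authenticated handshake;
the message format, names and key are constructed for illustration.

```python
"""Man-in-the-Middle relay simulation: Eve between Alice and Bob.

Added example, not part of the original assignment. Eve can read and
rewrite every byte on the wire but does not know ALICE_BOB_KEY, which is a
constructed pre-shared key standing in for a TLS-derived session key.
"""
import hashlib
import hmac

ALICE_BOB_KEY = b"constructed-demo-key-not-for-real-use"  # assumed pre-shared


def tag(key, message):
    """Message authentication code over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).hexdigest().encode()


def eve_relay(wire):
    """Eve intercepts every message and redirects payments to herself."""
    return wire.replace(b"to=Bob", b"to=Eve")


def honest_network(wire):
    """No attacker present: the bytes arrive unchanged."""
    return wire


def send_plain(message, relay):
    """Unauthenticated channel: whatever arrives is accepted as Alice's words."""
    return relay(message)


def send_authenticated(message, relay, key=ALICE_BOB_KEY):
    """Alice appends an HMAC; Bob recomputes it over what he actually received."""
    wire = message + b"|" + tag(key, message)
    received = relay(wire)
    body, _, received_tag = received.rpartition(b"|")
    if not hmac.compare_digest(received_tag, tag(key, body)):
        raise ValueError("integrity check failed: message altered in transit")
    return body


def tamper_detected(message, relay):
    """True if the authenticated channel rejects what the relay delivered."""
    try:
        send_authenticated(message, relay)
    except ValueError:
        return True
    return False


def bob_accepts(message):
    """Bob parses 'transfer amount=... to=...' into a dict of fields."""
    fields = dict(part.split(b"=", 1) for part in message.split(b" ")[1:])
    return {k.decode(): v.decode() for k, v in fields.items()}


if __name__ == "__main__":
    alice_msg = b"transfer amount=100 to=Bob"
    print("plain channel, Bob sees:", bob_accepts(send_plain(alice_msg, eve_relay)))
    print("HMAC channel, tamper detected:", tamper_detected(alice_msg, eve_relay))
    print("HMAC channel, no attacker:", bob_accepts(send_authenticated(alice_msg, honest_network)))
```

Two caveats the simulation makes visible. First, the integrity check only
helps because Eve does not have the key: if Alice and Bob had agreed the
key over the same unauthenticated channel, Eve could have substituted her
own key with each of them, which is exactly the attack TLS prevents by
binding the key exchange to a certificate. Second, an HMAC alone does not
stop Eve from dropping or replaying an unmodified message; real protocols
add sequence numbers for that.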
Q5. Explain the term Sniffing with relevant example and diagram
Sniffing refers to the act of capturing and analyzing network traffic to
intercept and view data packets transmitted over a network. It is often
used by network administrators for troubleshooting, but it can also be
exploited by attackers to eavesdrop on sensitive information. Here's an
example to illustrate sniffing:
Example: Alice and Bob are communicating over an unencrypted Wi-Fi
network, and Eve, an attacker, wants to intercept their communication
using a sniffing technique.

1. Diagram

   Alice ---- unencrypted Wi-Fi frames ----> Bob
                      :
                      : (same radio range, passive capture)
                      v
             Eve running a packet sniffer
2. Setup:
a. Alice and Bob are connected to the same open (unencrypted) Wi-Fi
network.
b. Eve positions herself within radio range and runs a packet sniffing
tool (such as Wireshark or tcpdump) with her wireless card in monitor
mode, so she receives every frame in range without joining the network.
On a switched wired network she would instead need a mirror port or an
active redirection such as ARP spoofing to see traffic not addressed
to her.
3. Packet Capture
a. Alice sends a message to Bob over the network.
b. The message is broken down into data packets that are
transmitted over the Wi-Fi network.
c. Eve's sniffing tool captures these packets as they pass
through the network.
4. Packet Analysis
a. Eve analyzes the captured packets to extract information
such as usernames, passwords, or any other sensitive data.
b. Eve can also analyze the packets to gain insights into the
network traffic, identify vulnerabilities, or exploit
weaknesses.
5. Mitigation
a. To protect against sniffing attacks, use protocols that encrypt
the data end to end, such as HTTPS (HTTP over TLS). Eve then captures
only ciphertext, although she still sees the source and destination
addresses and, with TLS as commonly deployed, the server name in the
handshake.
b. Implementing strong Wi-Fi encryption, such as WPA2 or WPA3, prevents
outsiders from reading frames. Note that with WPA2 in personal
(pre-shared key) mode, anyone who knows the passphrase and captures a
client's four-way handshake can derive that client's session key and
decrypt its traffic; WPA3 (SAE) closes this gap with per-session keys
that do not follow from the passphrase alone.
c. Network administrators should monitor network traffic for signs of
suspicious activity and use intrusion detection and prevention
systems. Purely passive sniffing generates no traffic of its own, so
rogue access points and ARP spoofing are the more detectable signals.
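
As an added example (not part of the original assignment), the following
Python script shows what Eve's packet analysis in step 4 actually
recovers. Capturing live traffic needs raw-socket privileges and a library
such as scapy, so instead a frame is constructed in memory with the layout a
sniffer would hand to an analyst: Ethernet II header, IPv4 header, TCP
header, then an HTTP request carrying HTTP Basic credentials. The parser
walks the headers with struct and extracts the credentials; fed a
TLS-style record, the same parser sees only opaque bytes, which is the
point of the HTTPS mitigation. All addresses, hostnames and credentials are
made up.

```python
"""What a sniffer recovers from unencrypted traffic: parse a captured frame.

Added example, not part of the original assignment. Frames are constructed
in memory (checksums left zero); addresses and credentials are made up.
"""
import base64
import struct


def build_frame(src_ip, dst_ip, dport, payload):
    """Constructed Ethernet II + IPv4 + TCP frame carrying payload."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51000, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":  # EtherType: not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                              # protocol: not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    _sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return src, dst, dport, tcp[data_offset:]


def extract_basic_credentials(payload):
    """Pull (user, password) from an HTTP Basic Authorization header.
    Returns None when the payload is not readable HTTP (e.g. TLS ciphertext)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    for line in text.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            decoded = base64.b64decode(line.split(" ", 2)[2]).decode()
            user, _, password = decoded.partition(":")
            return user, password
    return None


# Constructed capture: one plaintext HTTP login and one TLS-looking record.
HTTP_REQUEST = (b"GET /account HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:Wint3r2024!") + b"\r\n\r\n")
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0xE0, 0x100))  # opaque application data

CAPTURE = [build_frame("192.168.1.10", "192.168.1.20", 80, HTTP_REQUEST),
           build_frame("192.168.1.10", "203.0.113.50", 443, TLS_RECORD)]


def sniff(capture):
    """Eve's pass over the captured frames: every credential found, with the flow."""
    findings = []
    for frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        creds = extract_basic_credentials(payload)
        if creds:
            findings.append((src, dst, dport, creds[0], creds[1]))
    return findings


if __name__ == "__main__":
    for finding in sniff(CAPTURE):
        print("credential on the wire:", finding)
```

Note what the parser still learns from the second frame: the source and
destination addresses and the port are readable even though the payload is
not. Encryption protects the content of the conversation, not the fact
that it took place.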
