Intrusion Detection Comprehensive Q&A
Exam 2024/2025
Classes of Intruders Answer: Cyber criminals, activists, state-sponsored organizations, others
Cyber Criminals Answer: Either individuals or members of an organized crime group with a goal of
financial reward. To achieve this, their activities may include identity theft, theft of financial credentials,
corporate espionage, data theft, or data ransoming. They meet in underground forums to coordinate attacks.
Activists Answer: Either individuals, usually working as insiders, or members of a larger group of
outsider attackers, who are motivated by social or political causes. Known as hacktivists. Often of a low
skill level. Aim of attack is to promote/publicize their cause, typically through website defacement, DoS,
or theft of data.
State-sponsored organizations Answer: Groups of hackers sponsored by governments to conduct
espionage or sabotage activities. Also known as Advanced Persistent Threats (APTs) because of the covert
nature and persistence over extended periods of many attacks in this class.
Others Answer: Hackers with motivations other than those listed above, including classic
hackers/crackers motivated by technical challenge or peer-group esteem and reputation. "Hobby hackers".
Skill Levels of Hackers/Crackers Answer: Apprentice, Journeyman, Master
Apprentice Answer: Hackers with minimal technical skill who primarily use existing attack toolkits. They likely
comprise the largest number of attackers, including many criminal and activist hackers. "Script-kiddies".
Journeyman Answer: Sufficient technical skills to modify and extend attack toolkits to use newly
discovered, or purchased, vulnerabilities, or to focus on different target groups. May be able to locate
new vulnerabilities to exploit. A number at this skill level are found in all classes.
Master Answer: High-level technical skills, capable of discovering brand new categories of vulnerabilities
or writing new powerful attack toolkits.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Answer: Designed to aid in
countering threats, specifically known, less-sophisticated attacks such as those by activist groups, large email
scams, etc.
Intruder Behaviors Answer: Target Acquisition and Information Gathering, Initial Access, Privilege
Escalation, Covering Tracks
Target Acquisition and Information Gathering Answer: Where the attacker identifies and
characterizes the target systems using publicly available information, both technical and non-technical, and
uses network exploration tools to map target resources.
Initial Access Answer: The initial access to a target system, typically by exploiting a remote network
vulnerability, by guessing weak authentication credentials used in a remote service, or via the
installation of malware on the system using some form of social engineering or drive-by download.
Privilege Escalation Answer: Actions taken on the system, typically via a local access vulnerability, to
increase the privileges available to the attacker to enable their desired goals on the target system.
Maintaining Access Answer: Actions such as the installation of backdoors or other malicious
software, or through the addition of covert authentication credentials or other configuration changes to
the system, to enable continued access by the attacker after the initial attack.
Covering Tracks Answer: Where the attacker disables or edits audit logs, to remove evidence of
attack activity, and uses rootkits and other measures to hide covertly installed files or code.