The interviewer is looking for the major categories of attacks. Most vendors organize attacks into various categories regardless of severity. When an attack is detected from a signature match or from the anomaly engine, it is generally categorized. Take McAfee IntruShield, for example. Major attack categories
include: reconnaissance, volume denial of service (DoS), exploits, and policy violation. If you reference these, you can then answer any follow-up questions as to a specific type of attack. Here are examples of each category.
The reconnaissance category includes network traffic that may be benign but not desired based on specific protocol behavior. Threats include brute force, isolated probes, host scans and sweeps, port scans and sweeps, and fingerprinting. Many of these threats are used in correlation analysis. Examples include TCP/UDP host sweeps, TCP SYN host sweeps, and TCP ACK host sweeps.
For more information on reconnaissance attacks, Google “intrusion reconnaissance attack site:sans.org.”
For more information on TCP SYN attacks, Google “SYN site:securitydocs.com.”
The volume Denial of Service (DoS) category, to include Distributed (DDoS), includes traffic patterns that potentially affect network service. Threats include attempts to disable a host, network device, or application; also included are threats that could affect performance. Examples include TCP control segment anomalies and high ICMP/UDP/TCP RST packet volume.
Exploits are all other malicious activities with specific attention to the actual content of packets. Threats include buffer overflows, viruses, and worms as well as threats involving file privileges and modification through root authorization attempts. Examples include the Back Orifice Trojan, ASP IIS buffer overflow,
and the MyDoom worm.
Policy violations are attacks that are detected with higher-layer content matching but may violate the company policy. This includes access to sensitive content, installation of illegal applications, and so on. Examples include P2P traffic such as BitTorrent, Kazaa, and eDonkey; Instant Messaging traffic such as
AIM; and adware such as SaveNow and Hotbar.