Cyber Security Analyst (CySA+)
Vulnerability Management
Identification, prioritization, and remediation of vulnerabilities before a threat can exploit them.An organized approach to scanning and continuous assessment of your organizational security posture.
Regulatory Requirements
Laws and regulations that govern information storage and processing. HIPPA, GLBA, and FERPALaws and regulations that require vulnerability management programs. PCI-DSS, FISMA
HIPPA
GLBA
FERPA
PCI-DSS
Payment Card Industry Data Security StandardSpecific security controls for credit card processors and merchants.Most specific of any requirement for vulnerability management.Examples:Internal and external scans must be conducted.Scanned at least quarterly and all major changes Internal scans by qualified individualsExternal scans by approved scanning vendorRemediate any high-risk vulnerabilities and re-scan until a clean report is achieved.
FISMA
Federal Information Security Management ActSpecifies security controls for government. Both agencies and organizations that run the systems.Systems are classified as low, moderate, or high impact which dictate the requirements.Requirements:Scan systems when new threats emerge.Use tools/techniques that are interoperableAnalyze scan reports from assessments.Remediate vulnerabilities based on risk.share findings with other agencies to eliminate similar vulnerabilities in other systems.
Corporate Policy-Based Requirements
Laws and regulations that require vulnerability management programs (like PCI_DSS, and FISMA) don't apply companies.But....vulnerability management is still very important to them as a key component to security. Therefore, organizations can and do require scanning under their own corporate policies.
Scanning Targets
What systems do you want to be covered by your scans?Do you scan all systems or just critical assets?Scanning tools like QualysGuard can be used to build your asset inventory automatically.Admins then take that information and classify the systems as critical or no-critical.
Scan Frequency
how often do we scan the systems?Schedule determined by your goals to meet security, compliance, or other business requirements.Automate email reports or alerts can be configured.Example: Nessus scanner allows you to setup daily, weekly, monthly, or other scheduled scans by date/time.
Organizational Risk Appetite
How much time between a new threat and scan?
Regulatory Requirements
Do you fall under FISMA or PCI-DSS requirements.
Technical Constraints
Network may not support scanning everything.
Business Constraints
Do you have to avoid high business activity times?
Licensing Limitations
Scanners can control y concurrent scans can be performed through licensing.
Best Practices for New Vulnerability Management Program
Start Small. Start with a small section of your network.Expand slowly. Gradually add more scope to your scans.Prevent overwhelming the enterprise systems and your sys admin team.
Vulnerability Scanning Tools
QualysGuard
Nessus (Tenable)
Walkthrough
Install and load Nessus Web client.LoginPolicies TabSet up scanAdd and give it a name (Windows Scans)Leave default if necessary.--Vulnerability scan you may want to use a credentialed scan.--An attacker will not use credentialed scan.Plug-ins- turn on or off plug-ins depending on scan (Windows)Preferences - If you have DCs on the network.Scans tab and scan now or schedule a scan.Select your policy or the policy you created.Type scan targets.LaunchAfter scan completes it will show up in reports.by default the report will show you the most vulnerable.
Nexpose (Rapid7)
OpenVAS
Open source
Nikto Web App Scanner
Web app spacific
Microsoft Baseline Security Analyzer
Is run on the client.
Scoping Scans
Describes the extent of the scan.What networks and systems are included?How will you test if a system is on the network? Ping sweep.What tests will be performed against the systems during a scan?Importance of your scope.Develop scope properly and gain agreement from staff and management.Ensure you are unlikely to cause issues during your scanning efforts.You do not want to take systems down during work hours.Minimizing the scope.Network segmentation often allows you to minimize your scope for compliance scans.PCI-DSS networks should be segmented from the rest of the organizational network.
Configuring Scans
Scheduling Automated scans.Producing reports.Providing authenticated access for scans.Choosing plugins and scan agents.Conducting scans from different perspectives. (Internal, External)
Scanning Sensitivity Level
Safe Checks
Will not allow an unsafe check to occur.Sometimes vulnerability scans will knock out a service or server for a period of time.
Plug-ins
Plug-ins contain hundreds of vulnerabilities.Enable/Disable plug-ins.If Linux system Disable Windows plug-ins and visa-versaSome scans can disrupt your systems or cause loss of dataEnsure you are scanning safely and with permissions.
Windows
Linux
Templates for Scans
Vendors provide templates for scans with common settings.Admins can also create their own templates for commonly used scans.This prevents errors ans saves time.
Scanning Perspective
Comprehensive scanners provide you with different scan perspectives.External scans provide a viewpoint of the attacker.internal scans provide insider threat viewpoint.Data center scans provide a close internal scan, one that might be blocked by other security devices.PCI-DSS requires both internal and external.
Internal
External
Datacenter
Authenticated Scan
Also called Credential scan.Some security devices can prevent some details of a scan from being successful.Provides the scanner read-only access to the servers.Scanner can access the operating system, databases, and applications on the server.
Agent-Based Scan
Small software agents installed on your server or clients.Provides an inside-out perspective of vulnerabilities on the server or client.Agent-based approaches require more resources on the server and often system administrators fight against their installation.Can get very detailed information.
Maintaining Scanners
Vulnerability management tools are vulnerable also.You should always update the tools and its plug-ins/signatures before use.This can be automated, as well, but check to verify the update has occurred before use.PatchingImplements bug fixFeature enhancementsImproves scan quality.Update plug-ins daily
Standardizing Vulnerabilities
Vulnerability management used to be performed by numerous types of software with no common protocolSecurity Content Automation Protocol (SCAP) led by NIST standardized vulnerability management between different software.Ensures standardization.NIST SP 800-117 Guide to adopting and using SCAPhttps://csrc.nist.gov/publications/detail/sp/800-117/final
SCAP
CCE
Common configuration Enumeration - Standard names for system configuration issues.
CPE
Common platform Enumeration - Standard names for product names and versions.
CVE
Common Vulnerabilities and Exposures - Standard names for security-related software flaws.IMPORTANT
CVSS
Common Vulnerability Scoring System - Standard approach for severity of software flaws.IMPORTANT
XCCDF
Extensible Configuration Checklist Description Format - Language for checklists and reporting results.
OVAL
Open Vulnerability and Assessment Language - Language for low-level testing procedures used by the checklists.
Workflow for Remediation
DetectionRemediationTestingor Continuous Monitoring =Provides for on-going scanning of the network.Checks for vulnerabilities as often as possible based on resources available.Provides earlier detection of vulnerabilities.AutomationMany products include built-in workflows and automation to track vulnerabilities through the cycle.Can automatically close out vulnerabilities when testing shows they are resolved.Some tools can be integrated into your IT Service Management system.
Detection
Vulnerability Reporting.Vulnerability analysts need to communicate the issues found to the system administrators.Scanners provide detailed reporting that can be automated to alert system administrators at periodic intervals.Critical vulnerabilities found can be sent out of cycle because they are soo critical.Dashboards. Managers love dashboards because it provides a high-level summary of issues.Overview of Hosts. Shows which hosts are most vulnerable.Criticality - Shows which vulnerabilities are most critical.
Dashboards
Dashboards. Managers love dashboards because it provides a high-level summary of issues.
Overview Of Hosts
Overview of Hosts. Shows which hosts are most vulnerable.
Criticality
Criticality - Shows which vulnerabilities are most critical.
Remediation
Remediation Priority. Man-hours, money, equipment, and other items are a limited resource.Vulnerability management is all about prioritization of organizational efforts.You can't fix everything right away.
How Critical
How critical is the system and information it contains?Take into account confidentiality, integrity, and availability if the vulnerability was exploited.Example:If an attacker was able to breach your customer database and get all their information. How bad is this?
How Difficult
How difficult is it to fix the vulnerability?How much time and money will it cost to fix?Example:I can spend all my time and money fixing the vulnerability #1, or I can fix vulnerabilities, 2, 3, 4, and 5.
How Severe
How severe is the vulnerability?Each vulnerability is given a criticality value in the Common Vulnerability Scoring System (CVSS).Different vulnerabilities are more severe than others.Example:Known-exploit against a software bug that allows remote-code execution is very severe.Cross-site scripting vulnerabilities might be less severe if its on an intranet server only.
How Exposed
How exposed is the server to the vulnerability?External facing servers are more exposed than intranet servers.Often, you should fix a lower external vulnerability before a higher internal one.
Testing
Implementing and testing a solution.Vulnerability Analysts do not implement the fixesTheir role is to find the issues and pass them to the system administrators to fixFixes may not be quick, often they require approval from the Change Control Board,Fixes should be tested in a lab environment prior to rolling it out to the enterprise.
Coordinate Efforts
Coordinate your efforts.Vulnerability Analysts view fixes as the highest priority.Not everyone in the organization does.You need to coordinate with others to get these vulnerabilities remediated.Service degradation, promises to customers, and IT governance can slow down your efforts.
Service Degredation
Vulnerability scanning places a resource tax upon the network and its servers when scans are conducted.Scans can risk disrupting business functions.Overcoming objections:Consider different scanning times (non-peak hours).Change scanning settings to lower intensity modes.
Promise to Customers
MOUs and SLAs have specific up-time, performance, and other requirements that the organization must meet.Scans can risk disrupting business functions.Overcoming Objections:Ensure the cybersecurity team is involved in the drafting of the MOAs and SLAs.Discuss appropriate times and scope for scans.
IT Governance
Can create hurdles in getting approval to implement changes.Fixes can risk disrupting business functions.Overcoming Objections:Work within the organization policies when possible to get resources and support.Utilize the Emergency Change Control board when critical fixes must be implemented quickly.
Interpreting Scan Results
Scanners do a great job of automating the identification of vulnerabilities. However, a trained analyst is required to understand the implications of those vulnerabilities to:Eliminate false positives.Find root causes.Prioritize remediation actions.
aDetailed Scan Results
Look at the Synopsis (Remote windows execution) and Description (much more detail).See Also (For greater detail)SolutionRisk Factor and CVSS(2.0 not 3.0) ScoreReferences Exploitable, Plugin, and HostsSee Nessus sample reports here -https://www.tenable.com/products/nessus/sample-reports
aCVSS
Common Vulnerability Scoring Systems (CVSS)Industry standard for identifying the severity of a vulnerability.Analysts use this score to help prioritize remediation effortsMeasured in six categories:Three for the exploitabilityThree for the impactThere are two versions of CVSSSySA focuses on CVSS not CVSS 3.0CVSS 3.0 adds two additional measures:User Interaction (exploitable metric)Scope (both exploitable and impact metric)SEE CVSS score breakdown here:https://nvd.nist.gov/vuln-metrics/cvss/v2-calculatororhttps://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_SystemCVSS Base Score ChartCVSS v2.0 RatingsCVSS v3.0 RatingsSeverity Base Score Range Severity Base Score Range None 0.0 Low 0.0-3.9 Medium 4.0-6.9 High 7.0-10.0
aAV Metric
Access Vector (AV) Metric - Describes the method an attacker would use to exploit the vulnerability.Three Categories:Local - physical access or logical access to the systemAdjacent Network - Access to LAN for affected systemNetwork - Remote Access from WAN
Access Complexity
Access Complexity (AC) Metric - Describes the difficulty an attacker would have to exploit the vulnerability.High - Requires difficulty/specialized conditions. Medium - Requires "somewhat specialized" conditions.Low - No Specialized conditions required.
Authentication Metric
Authentication (Au) Metric - Describes the number of times an attacker would have to authenticate.Multiple - Requires two or more authentications.Single - Requires one authentication.None - No authentication required.
Confidentiality
Confidentiality (C) Metric - Describes the impact to confidentiality of data processed by the system.None - No impact to confidentiality.Partial - Considerable disclosure of information.Complete - Total disclosure of information.
Integrity
Integrity (I) Metric - Describes the impact to integrity of data processed by the system.None - No impact to integrity of the system.Partial - Modification of some information possible.Complete - Total loss of integrity.
Availability
Availability (A) Metric - Describes the impact to availability of the system.None - No impact to availability of the system.Partial - Reduced performance or loss of functionality.Complete - Total loss of availability.
CVSS Base Score
SEE CVSS score breakdown here:https://nvd.nist.gov/vuln-metrics/cvss/v2-calculatororhttps://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_SystemCVSS Base Score ChartCVSS v2.0 RatingsCVSS v3.0 RatingsSeverity Base Score Range Severity Base Score Range None 0.0Low 0.0-3.9Medium 4.0-6.9High 7.0-10.0
aCVSS Temporal Score
The Temporal score changes over the lifetime of the vulnerability.As exploits are developed, disclosed, and mitigations made available, the score changes.Not covered by the CySA examTemporal Score = Base score x Exploitability x Remediation Level x Report Confidence.
Exploitability
Exploitability (E) Metric - Current state of exploitation techniques or automated exploitation available.UnprovenProof-of-ConceptFunctionalHighNot Defined
Remediation Level
Remediation Level (RL) Metric - Used to decrease temporal score as mitigations and fixes are made available.
Report Confidence
Report Confidence (RC) Metric - Used to show the level of confidence in the existence of the vulnerability and the technical details of the report.
Validation Of Results
CVSS scores are helpful, but they alone don't tell you how a vulnerability affects your systems.
False Positives
Scans can often report a vulnerability exists even if it does not.How often this occurs is known as the false positive error rate.Vulnerabilities can be validated and verified:Check if a patch is missing.Attempt to exploit erroneous code.Verify the system configuration.
Documented Exceptions
Vulnerabilities that are known, but will not be fixed by the organization.Vulnerabilities that are on the system but are to expensive to fix.Once the risk is accepted by management, they should be documented in the scanner to prevent future reporting of them.
Informational Results
Not everything reported by the scanner is considered a vulnerability.Some are reported as "informational".Typical "informational" items are configurations that would allow an attacker to perform reconnaissance.
Compare Results
Compare results with other information sourcesLogs from servers, network devices, applications, and other devices.Configuration management systems.Security information and event monitoring (SIEM).
Conduct Trend Analysis
Conduct Trend Analysis - Trend analysis also allows the analyst to ensure the vulnerability management program is working effectively.
Common Vulnerabilities
Vulnerability scanners can detect 10000's of different types of vulnerabilities.
Server and Host Vulnerabilities
Missing patchesUnsupported Software or AppsBuffer OverflowsPrivilege EscalationArbitrary Code ExecutionInsecure Protocol UseDebugging Modes
Missing Patches
One of the most common issues found. One of the easiest to fix.Missing patches.Comes from improper patch management.
Unsupported Software/Apps
Software vendors do not support software forever, they have an "end of life" date.After the "end of life" date, no more patches are released for the software.
Buffer OverflowsBuffer Overflows
Occurs when the attacker manipulates a program to place more data into memory than it is allocated for causing overflow.Another specific type is integer overflow.These vulnerabilities tend to exist for a long time, but are corrected by a patch.In 2015, over 85% of the data breaches were caused by buffer overflow attacks.
Privilege Escalation
Occurs when an attacker upgrades their level of access to an admin or root user.For example, CVE-2016-7255 is an example in Windows Vista, 2008, 7, 8.1, 10, and 2016 machines.Kernel-mode drivers are exploitable to allow local users to become an admin.
Arbitrary Code Execution
Allows an attacker to run software on a targeted victim machine.Remote code execution is worse, because it allows it to occur over the network.
Insecure Protocol Use
When using older protocols not designed with security in mind.Example: FTP, Telnet, SMBv1, SSL, .........
Debugging Modes
Debugging modes give lots of information to developers, but should be disabled prior to server and code deployment.Debugging information could give attackers a lot of information during a reconnaissance.
Network Vulnerabilities
Missing Firmware UpdatesSSL and TSL IssuesDomain Name Service (DNS) IssuesInternal IP DisclosureVirtual Private Network (VPN) Issues
Missing Firmware Updates
Network devices rely on firmware for their operating systems.Firmware needs patching and upgrades.
SSL and TSL Issues
Secure Socket Layer (SSL) and Transport Layer Security (TSL) are designed to secure information sent over the internet (such as HTTPS).SSL is insecure and should not be used.Admins should disable support for older versions. (SSL and TSL before v1.2)Insecure Cipher Use:SSL/TSL are only the protocol used, not the cipher.Cipher is the encryption algorithm. Do not use RC4Certificate Problems:Certificates identity servers and exchange the encryption keys.
Domain Name Service (DNS) Issues
DNS servers are victims of reconnaissance and other attacks.
Internal IP Disclosure
Networks that use NAT attempt to hide their internal IP structure.Information could be leaked in headers if a server isn't configured properly.
Virtual Private Network (VPN) Issues
VPN's consist of application protocols ans SSL/TSL encrypted tunnels.Configuration issues and missing firmware patches an also affect VPN's.
Virtual Vulnerabilities
VM EscapeManagement Interface AccessVirtual Host PatchingVirtual Guest IssuesVirtual Network Issues
VM Escape
The most serious issue of all virtualization issues. Occurs when an attacker can break out of the virtual machine (guest) and reach the host (hypervisor).In May 2017, a hacking contestant stitched together 3 different exploits and managed to perform a VM escape.
Management Interface Access
This interface controls access to all the virtual machines and can configure them.Should be highly secured, including use of two-factor authentication.
Virtual Host Patching
Just like other servers, Virtual hosts need patching of the OS and software.This can help prevent VM Escape.
Virtual Guest Issues
Each Guest represents another server on the network, and they all need patching.Ensure your remediation and patch management considers all your VMs.Ensure your vulnerability management program also scans Guest VMs.
Virtual Network Issues
Virtual firewalls, routers, and switches all need to be considered as part of your scanning program.If embedded as part of your VM solution, ensure appropriate patching is being done to prevent attacks.
Webb Application Vulnerabilities
Injection AttacksCross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)Nessus and Qualysguard can scan for Web vulnerabilities, but they are not specialized (like Nikto).https://www.owasp.org/index.php/Category:Attack
Injection Attacks
Most common is SQL injection.Allows an attacker to send commands through a web server to a back-end system, bypassing the normal security controls.Prevent this through input validation and using least privilege for the database.Injection flaws, particularly SQL injection, are unfortunately very common in web applications. There are many types of injections:SQL,Hibernate Query Language (HQL),LDAP,XPath,XQuery,XSLT,XML,OS command injectionand many more.
aCross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.Attacker embeds scripting commands on a website that is executed by a regular user without knowing it.Victim in this case is the regular user, not the server.If one of these are discovered during a scan, you need to work with the developer to fix the code and setup proper controls to prevent it in the future.https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.Attacker cannot see web server's response, but this attack can be used to have victim transfer funds, change their password, ect.https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Internet of Things (IoT) Vulnerabilities
Smart TV's/Consumer Devices
Big threat inside your network at the office and at home.Smart home.Not often patched or updated.Shodan Tool
SCADA
(SCADA) Supervisory Control and Data Acquisition Systems.Power plants and factories. Monitoring sensors.Not often patched or upgrades.Should be separated and off the network.
ICS
(ICS) Industrial Control Systems - Pumps, valves.
Security Architecture Tool Sets
Security Policy/Compliance
Policy Documents
Information Security Policy Framework:PoliciesStandardsProceduresGuidelinesPolicies, Standards, and Procedures should be followed.Your information security framework should include the method for granting any necessary "exceptions".Exceptions:Specific approval to deviate from a policy, standard, procedure.Approval authority is specified in policy.Exception request includes:Policy, standard, procedure requiring exception.Reason for exception Scope and duration of exceptionDescription of compensating controls to lower risk
Policies
High-level statements of intent. Must be followed. Management Intent.Contain broad statements about cybersecurity objectives in the company.Framework to meet the business goals and to define roles, responsibilities, and terms used in other security documents.Who approves the policies?Usually the C-suite will approve the policy for the organization.Without management buy-in, the policy is a waste of your time and effort.Top-down approach is most effective
Information Security
Acceptable Use
Password
Data Ownership
Data Classification
Data Retention
Account Management
Standards
Used to implement a policy.Includes mandatory actions, steps, or rules needed to achieve cybersecurity.Approved by a lower level than C-suite, such as Director of Information Systems or mid-level manager.Standards can also exist in industry frameworks (COBIT, ITIL, etc.)
Procedures
Detailed step-by-step instructions created for people to perform an action.Actionable steps to create a consistent method for achieving a security objective.Example:The service desk has a procedure for how to create a new user's account.Encompass all the security related policies, standards, and guidelines for action by your front-line employees.
Guidelines
Not required actions, just recommendations.Flexible in nature to allow for exceptions and allowances during a unique situation.Example:The organization may create a guideline showing users how to store data files in a cloud service and how to encrypt the files.These aren't required, but may be useful to the end user and can be changed quickly.
Policy-Based Controls
Policies provide the control objectives the organization wants to achieve.This is the desired end state, not the method to accomplish them.Security controls are used to achieve the control objectives.Physical ControlsLogical ControlsAdministrative Controls
Physical Controls
Controls that impact the physical world.CamerasFencesGatesLocksLightingAlarm SystemFire Suppression Systems
Logical/Technical Controls
Technical controls to enforce (CIA) confidentiality, integrity, and availability. Even Non-repudiationACL's in a firewall or routerEncryption schemes.
Administrative Controls
Procedural controls to implement good cybersecurity practices.Policies and procedures.Separation of dutiesBackground checksReviewing log files
Combining Control Objectives
Physical, logical, and administrative controls are most effective when they are combined.To prevent theft of data from a server:Physical controls for building accessLogical controls like encrypting the HDAdministrative controls like requiring two people to open lock/door
Audits and Assessments
Evaluation of your cybersecurity program is essential to it being effectively run.Evaluation occurs as audits and assessments.You get what you inspect, not what you expect.
Audits
Formal review of organizational cybersecurity program. Usually done internally.Or it can be for a specific compliance requirement (externally) like PCI-DSS.Rigorous, formal testing of controls resulting in formal declaration by the auditor of compliance.
Assessments
Much less formal than a audit.Usually requested by the organization itself for process improvement purposes.Information gathered through interviews with employees (which is considered the truth) instead of independent verification.
Laws and Regulations
The US has various laws and regulations that must be adhered to, based on your industry (CySA+ focus).
HIPAA
Health Insurance Portability and Accountability Act (HIPAA)Security and privacy rules for healthcare.Affects healthcare providers, insurers, and others storing health information.
GLBA
Gramm-Leach-Bliley Act (GLBA)Requires financial institutions to have formal security programs in place.Must designate a "responsible" individual.
SOX
Sarbanes-Oxley (SOX) ActRequires publicly traded companies to maintain good security around their IT systems storing and processing their financial records.
FERPA
Family Education Rights and Privacy Act (FERPA)Requires educational institutions to implement security and privacy controls for educational records.
PCI-DSS
Payment Card Industry Data Security Standard (PCI-DSS)Rules about storage, processing, and transmission of credit/debit card info.Not a law, but a contractual obligation.
Data Breach Notifications
Various State Laws.Requires companies to notify victims of data breaches in a timely manner.
Security Framework
Standard Frameworks:Creating your own cybersecurity framework is a daunting task.Standard frameworks exit to help provide a standard approach.
NIST Cybersecurity Framework
Designed to meet 1 or more of the 5 objectives.Describe current postureDescribe desired stateIdentify and prioritize areas for improvementAsses progress toward desired stateCommunicate risk among internal and external stakeholdersSpecificly modeled for Cybersecurity.Framework Core is a set of five security functions that apply to all industries.Framework Implementation tiers measure how the organization is positioned to meet cybersecurity objectives.Framework Profiles describe how the organization might approach the functions covered by Framework Core.
ISO 27001
Used to be the most commonly used information security standard.Declining in usage outside of regulated regulated companies that require ISO compliance.To become ISO 27001 certified, an external accesor validates organizational compliance.
ITIL
Information Technology Infrastructure Library (ITIL)Comprehensive approach to ITSM
COBIT
Control Objective for Information and Related Technologies (COBIT).Set of best practices for IT governance developed by ISACA.Divides IT activities into four domains:Plan and OrganizeAcquire and ImplementDeliver and SupportMonitor and Evaluate
TOGAF
The Open Group Architecture Framework (TOGAF)Widely adopted approach to Enterprise Architecture.Four Domains: Business Architecture:Application Architecture:Data Architecture:Technical Architecture:
SABSA
Sherwood Applied Business Security Architecture (SABSA).Alternative model for security architecture that maps to architectural layers from different perspectives.Used in Enterprise Architecture
Defense in Depth
Foundation of good security architecture.Does not rely on a single defensive measure or control for protection.Not fulproof.
Layered Security Defense
Data - EncryptionApplication - PatchesEndpoint Security - Antivirus/Malware protectionNetwork - IDS/IPSPerimeter - FirewallsDifficult to design and implement, but it is important.Must consider business needs and usability in the design of layered controls.Four Design Models:Uniform Protection - Protected Enclaves - Risk or Threat Analysis-Based - Information Classification-Based
Uniform Protection
Gives same level of protection to all data, systems, or networks.Can be expensive for large networks. Focus is everything and everywhere.
Protective Enclaves
Enclaves that house more sensitive data are given additional protection.Network is segmented and firewalls are placed between your most critical/sensitive assets.
Risk or Threat Analysis-Based
Addresses specific risks or threats in the design of the networks and systems.Example:If you are concerned with phishing as a threat vector, you could employ additional controls to securely scan and filter your incoming emails.
Information Classification-Based
Maps data protection to different classes of information.Higher classification levels get additional attention and security controls.Niper and Siper
Types of Controls
Controls prevent, detect, counteract, or limit certain security risks.TechnicalAdministrativePhysicalPreventativeDetectiveCorrectiveCompensating
Technical Controls
Designed to provide security through technical measures.FirewallsIDS/IPSAuthentication SystemsNetwork Segmentation
Administrative Controls
Also called Procedural ControlsDesigned to provide security through processes and procedures.Legal controls are a type of these controls that are put in place by the law.Incident Response PlansUser Awareness TrainingAccount Creation PolicyAcceptable Use Policy
Physical Controls
Designed to provide security by preventing physical access or harm to the organization's systems or facilities.FencesMantrapsSecurity GuardsFire Suppression Systems
Preventative Controls
Designed to stop an incident before it happens.Proactive MeasuresFirewalls - Preventative and TechnicalAntivirusTrainingSecurity Guards - Preventative and Physical
Detective Controls
Designed to detect when an incident occurs, capture details about it, and send an alert/alarm so someone can act.Intrusion Detection Systems Security CamerasLogs
Corrective Controls
Designed to fix an issue after an incident has occurred.Part of Incident Response Process.Reactive measures.Patches System rebuildingRestore from backups
Compensating Controls
Designed to satisfy a security requirement not being met by other controls.Minimizes threat down to an acceptable level of risk.Blocking certain ports instead of upgrading all the OSsSegmenting vulnerable software to a separate part of the network.
Layered Network Design
Combining the network architecture, configuration management, practices, and policies.Can be accomplished through:Network SegmentationFirewallsOutsourcing Network Segments
Network Segmentation
Compartmentalization of the NetworkBenefits:Reduces the network's attack surfaceLimits scope of regulatory complianceIncreases availability of critical servicesIncreases network efficiencyImplemented through:FirewallsRoutersSwitchesVLAN's
Firewalls
Single Firewall/Router
Simplest network design utilized to create a DMZ for a lower trusted segment of the network.
Multiple Interface Firewalls
Different ACL and rule sets applied to each interface, creating multiple network segments.Often called service-leg DMZ
Multi-Firewall
Dual-firewall puts a firewall at each control point.Allows for more stringent controls as you move deeper into the network.
Outsourcing Network Segments
Remote services - SaaS and PaaS rely on providers for security and network designs.Directly Connected Remote Network:Acts as an extension of your intranet.Utilizes LaaS with direct point-to-point VPNs.To users, it appears the IaaS is just part of your network.Low-level host protections at IaaS are still handled by the third-party service provider.
Layered Host Security
End-point security:Servers, desktops, laptops, smartphones, are all considered hosts on your network.Often the most at-risk part of the network since your users directly use them.Common Security Controls:Passwords and strong authenticationEncryption - File/Full DiskHost Firewalls/Host-based IPSData Loss Prevention (DLP) softwareWhitelisting/Blacklisting softwareAnti-malware/Antivirus softwarePatch managementConfiguration ManagementFile Integrity MonitoringLogging of events and issues
Cryptography
Encrypting and hashing.Encrypting files or the full disk can protect data at rest.Proper storage of the encryption keys/passphrases is critical to security.Hashing (file integrity check)files can be used to ensure file integrity, as well.
Logging/Monitoring/Validation
Logs must be securely stored and centrally monitored.Specialized log server or (SIEM) Security Information and Event Management......Tripwire, AlienVault, SplunkConfiguration Management (Microsoft SCCM) allow you to validate system settings and software across the connected hosts.
Data Analytics
Integrating logs across the devices provides the most value and information.You need to conduct data aggregation and correlation, trend analysis, and historic analysis.
Data Aggregation and Correlation
Combine data from multiple sources to identify events impacting different systems.System logsAuthentication logsApplication logsEvent logsand othersDetective control Splunk
Trend Analysis
Analyzes system, events, and devices to detect trends and patterns.Identifies issues that are outside of expected growth or usage patterns.Looks forward based on past history.
Historical Analysis
Analyzes system, events, and devices over time to detect trends and patterns.Helpful during incident responses as it looks back over a long period of time.
Personnel Security
Separation of Duties
Separation of Duties - Requires more than one person to perform a task by breaking the task into additional parts. Provides a system of checks and balances to prevent fraud and abuse.
Dual Control
Process requires two individuals to perform the action together.
Succession Planning
Focuses on ensuring important duties will always have someone who can perform them.Prevents issues from task not being performed during personnel turnover.
Cross Training Employees
Background Checks
Mandatory Vacation
Allows us to identify any issues being hidden since the person will not maintain access to the systems.
Termination
Policies and procedures focuses on what to do when an employee is terminated.Retrieving company property, disabling accounts, changing security codes, ect.
Outsourcing concerns
Proper vetting of the provider.Employment practiceAccess ControlData ownership and controlIncident Response and notification process.
Proper Vetting and Employment Practices
What kind of background checks are you doing on the service provider, employees.What internal personnel controls are used.how do they handle employee issues.
Access Control
How is access control handled to the systemHow is your data physically or logically segmented from other organizations that the service provider handles.
Data Ownership
Who owns the dataIs it encryptedDoes the service provider have access to just the data, or do also have the encryption keys
Incident Response and notification process
User Awareness Training
Users are the biggest threat to networks.Proper security training is the most cost effective control that can be applied in an organization.All the technical controls in the world won't stop a threat if a user lets the bad guys in.Acceptable use policy
Spearphishing and Phishing
Analyzing Secure Architectures
Single point of Failure
Data Validation and Trust
Users
Largest cause of a security failure.
Authentication and Authorization
Architecture Review
Identity/Access Management
Centralized Identity and Access Management (IAM).Systems built to create, store, and manage identity information including group memberships, roles, permissions and more.What can IAM do?Provision accountsAuthenticationSingle-Sign-On (SSO)LDAP DirectoryAccount MaintenanceReportingMonitoringLogging Auditing
Authentication
Individual proves who they are.
Authorization
Individual is provided access to a given resource.
Accounting
Logs and monitors a user when a authentication or authorization attempt is made or completed.
Directories
LDAP
Security in Software Development
Threat Management
CIA Triad
Confidentiality
Confidentiality is about not disclosing sensitive information to other people.How secure is the information?How secure does it need to be?Best methods to protect are:Physical Security - Locks, Fence, Guards, Cameras, a Safe.Electronic Security - Encryption (at rest and in transit), Passwords, Firewalls, 2FAFailure of Confidentiality occurs when someone can obtain or view the data.
Integrity
Integrity is about preserving the state of the system—we don’t want attackers to change our data.How correct is the information?Has the data been modified at retrieval, in transit or in storage?Best methods to protect integrity are:Hashing of files and information.Checksum during data transmission.Failure of integrity occurs when someone modifies the data being stored or on transit.
Availability
How much up time is the system providing?Is the data accessible at all times by all users?Best methods:Redundancy in system design including components and data paths.Backup strategies and disaster recovery plans.Failure of Availability occurs when data cannot be accessed by the end user.
Risk Consideration
Risk - the probability (Likelihood) of the realization of a threatRisk = Vulnerability + ThreatVulnerability -Threat = No Risk
Asset
Asset - Any item that has value in the organization.People InformationEquipment Network/Servers/ComputersSoftwareProcesses
Vulnerability
Vulnerability - Weakness in the system design, implementation, software code, or lack of preventative mechanisms.Vulnerabilities are internal factors. Software bugMisconfigured software or network deviceImproper physical securityCybersecurity Professionals control vulnerabilities.
Threat
Threat - Any condition that can cause harm, loss, damage, or compromise an asset. External factors.External Threats Natural disasterCyber attackBreach of integrity of dataDisclosure of confidential dataMalwareCybersecurity professionals cannot control threats, however they can be mitigated.
Risk Assessments
Risk Assessments - Measure your current level of risk based on threats, vulnerabilities, and mitigations in place.Should be conducted routinely.(NIST) National Institute of Standards and Technology 800-30 page 32https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
aIdentifying Threats
Adversarial Threats
Consider their capability, intent, and likelihood.Trusted InsidersCompetitorsSuppliersCustomersBusiness partnersNation States
Accidental Threats
Occurs when someone makes a mistake that hurts the security of the system.System Administrators take servers offline.
Structural Threats
Occurs when equipment, software, or environmental controls fail.IT server fails due to hard drive failure.HVAC fails in server farm.OS bug or crash (software failure).
Environmental Threats
Occurs when natural or man-made disasters occur.FiresFloodingStormsLoss of power from city gridFiber cut
Identifying Vulnerabilities
Internal FactorsOur focus is to match vulnerabilities to the threats identified.Remember if you have a threat without a vulnerability it is not a risk.
Likelihood, Impact, Risk
Likelihood and Impact - Measurement of the risk that the combined threat and vulnerability imposed is based on the likelihood and impact.Likelihood - The chance that the risk will be realized.Impact - The severity of damage that occurs if the risk is realized.Likelihood and Impact are Qualitative. low, medium or high.Qualitative is subjective.Quantitative is based on numbers or dollars. factual
Quantitative
ALE
Annual Loss Expectancy - Quantitative is based on numbers or dollars.ALE = Cost x OccuranceLet’s discuss the single loss expectancy (SLE). It contains information about the potential loss when a threat occurs (expressed in monetary values). It is calculated as follows: SLE = AV x EF, where EF is exposure factor. Exposure factor describes the loss that will happen to the asset as a result of the threat (expressed as percentage value). SLE is $30,000 in our example, when EF is estimated to be 0.3.Let’s continue this case. Annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO. ALE is $15,000 ($30,000 x 0.5), when ARO is estimated to be 0.5 (once in two years).
Qualitative
Lilelihood
Impact
Risk Handling
Cyber Security professionals work to minimize risk through risk management and controls.
Risk Acceptance
Common when the risk is low. Or controls are already in place.Does not mean there is no risk.
Risk Avoidance
Risk is too high to accept. So the system configuration or design is changed to avoid the risk or vulnerability.
Risk Mitigation
Minimize risk to an acceptable level.Not necessarily to eliminate all risks.By adding risk controls we can mitigate the risk down to an acceptable level.
Risk Transference
If and organization cannot afford to accept, avoid, or mitigate the risk they can transfer the risk to another business.Example: Insurance companyData breach protection insurance.
Controls
Administrative Controls
Practices, policies, and procedures to increase security.Security Awareness TrainingPen testingVulnerability ManagementUtilize standard operating procedures
Technical Controls
System, Devices, Software, and settings used to enforce CIA requirements.Firewalls, IDS, IPSInstalling anti-virus and endpoint Security
Physical
Locks, Fence, CCTV, Guards,
Network Security
Network Perimeter Security
Firewall
Most common network perimeter security.Usually at network boundaries.**Generally setup as triple-homed devices. Internet, DMZ, and Intranet.***DMZ: Semi-trusted zone.ACL - Access Control List - All traffic passing through the firewall is checked against the ACLACL contains rules to define what traffic can pass through the firewall.Deny by default.Common Ports. --- http://packetlife.net/media/library/23/common_ports.pdf ---20,21 FTP22 SSH23 Telnet25 SMTP53 DNS69 TFTP80/443 HTTP/HTTPS110 POP3123 NTP143 IMAP161 SNMP389 LDAP443 HTTPS1433 SQL Server1521 Oracle1720 H.3231723 PPTP3389 RDP
aPacket Filtering
Checks each packet against rules (ACL) for IP and Port
Statefull Inspection
Maintains information about the state of each connection.In addition to IP and Port.
Next-Generation (NGFW)
Uses contextual information about users, apps and processes to make decisions.Layer 7 firewall.
Web Application (WAF)
Protects against Web application attacks like SQL Injection and Cross-site Scripting. (SQL/XSS).Placed in front of Web servers.
Network Segmentation
Separates networks into different levels of security.Much like Intranet, internet, and DMZ.We apply this same principle to break apart our large networks into more secure enclaves.
Network Access Control
Limits network access to only authorized individuals or systems.Ensures the systems connecting to the network meet basic security requirements.
802.1x
The protocol most commonly used for network access control.Works for wired and wireless connections.RADIUS Server.The typical authentication procedure consists of:Sequence diagram of the 802.1X progressionInitialization On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP ), is dropped.Initiation To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address (01:80:C2:00:00:03) on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.Negotiation (Technically EAP negotiation) The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or do an NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.Authentication If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
aAgent-Based
Agent-Based - Requires the device requesting access to have special software to communicate with the NAC service (Such as 802.1x).
Agentless
Agentless - NAC authentication is conducted in a web browser and does not need special software (such as wifi in a hotel).
In-band/Out-of-Band
In-Band
Uses dedicated appliances placed between the devices they services they are requesting.Example: Hotel networks that require you enter your name and room number before gaining access.
Out-of-Band
Relies on existing network and has device communicate to authentication server (like 802.1x).
NAC Approval Criteria
Time of Day
User Role
User Location
System Health Status
Defense Deception Methods
An attempt to lure an attacker to specific targets.Honeypot DNS Sinkholes
Honeypot
Designed to falsely appear vulnerable and fool malicious attackers.They simulate successful attacks and allow us to monitor attack techniques.Designed to look like a lucrative target due to the types of services being run and vulnerabilities.
DNS Sinkhole
Provides false DNS information to malicious software.A compromised system requests DNS information from the server, but the server detects the suspicious request and gives the IP address of the sinkhole instead of the Command and Control server.
Secure Endpoint Management
Securing Desktops, Laptops, Tablets, and Cell Phones.
Hardening System Configurations
Make it as resistant to attacks as possible.Disable unnecessary services.Disable unnecessary ports.Verifying secure configurations.Centrally controlling device security settings. Only admins can change.
Patch Management
Making sure patches are installed properly and as quickly as possible.(SCCM) System Center Configuration Manager.
Compensating Controls
If you can't implement a security control, you can compensate for it.Provides a similar level of security by using an alternate means.Examples:
Group Policies (GPO)
Provides admins an efficient way of managing system and security configuration settings across many devices in a network. Example:Run scripts at login to verify compliance.Require the use of a firewall on all hosts.Mapping to a share drive on login.
Endpoint Security Software
Specialized software the enforces the company's security policies.This software should report to a centralized management system for cyber security analysts to view and analyze.Examples: Host-based IDS/IPSAntivirus
MAC
Mandatory Access Control - Sets all security permissions centrally and the users cannot change permissions locally.Great security, but is an administrative nightmare....only used in very sensitive environments.
DAC
Discretionary Access Control - Allows the owners of a file or resource to control the permissions of that resource.
Pen Testing
NIST SP 800-115 - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf page 5-2.Simulate a cyber attack against a company using the same information, tools, and techniques available to an attacker.Goal: to gain access to your systems and report the findings.Performed by internal staff or external consultants.Time consuming and costly.
aDiscovery
Testers conduct reconnaissance and gather as much information on the network, systems, users, and applications.Examples: Open source researchPort scanningEnumerationVulnerabilitiesWeb application scanning
Attack
Seek to bypass the security controls and gain access to the system.Attack Phase (Exploitation):Gain access Escalating Privileges - Admin rightsSystem Browsing - May refer back to discovery phase.Installing additional tools
Reporting
Detailed report after the test.Contains results of the Pen Test.Successful attacks and suggestions on how to fix them.Things that could not be attacked.Prioritize based on risk posed by vulnerability exploited.
Security Exercises and Training
Beyond a Pen Test.Security exercise where Pen Testers and Defenders are put against each other to provide additional training.Performed in a simulated environment not the production network.Conducted by three types of teams:RedBlueWhite
Red
AttackerReconnaissance and exploitationSimilar to a Pen Tester
Blue
DefenderSecures the network and attempts to keep the red team out through the use of security tools.Usually made up of system and network admins.
White
Referee. Mediator.Coordinates the exerciseMaintains the simulated environment and monitors the exercise.
Reverse Engineering
Technique used to take a finished product and understand its inner workings through docomposition.Conducted through Dynamic Analysis or Static Analysis
Dynamic Analysis
Malware is placed in a Sandbox(Virtual) and its behavior is observed on the system and the virtual network.Automated solutions can do this in near real-time, where email attachments are launched and automatically analyzed for malicious activity.What becons, ports, services, ect. is it trying to talk to.
Sandbox
Static Analysis
Software or hardware.
Software
Analysis of the code of the malware. Difficult and time consuming.Readable - Ruby, PythonNot readable - C/C++ Java (Compiled)Static Analysis of compiled code requires a decompiler or analysis in binary format.
Hardware
Difficult to perform due to embedded software in firmware.Most often, dynamic analysis is conducted on hardwareHardware should be purchased from a trusted supplier to minimize the risk of malware.
Reconnaissance and Intelligence
Gathering information to better understand the security landscape.Some security standards and laws, such as PCI-DSS, require information gathering from inside and outside your network to ensure compliance through quarterly vulnerability scans.Numerous tools and techniques for conducting discovery.
Footprinting
Creating a map of the network, systems, and other infrastructure of the companyCreate using a mix of information gathering tools a manual research.NIST SP 800-115 and Open Source Security Testing Methodology Manual (OSSTMM)(OSSTMM) http://www.pen-tests.com/open-source-security-testing-methodology-manual-osstmm.html
aActive Reconnaissance
Utilizes host scanning tools to gather information about systems, services, and vulnerabilities in the network.Does not include exploitation of the vulnerabilities, only identification of them.Permission should be sought before conducting active reconnaissance because it could be mistaken as an attack.
Network Mapping
Can approximate the network by using Time to live (TTL), Traceroute information, or other responses from the network.
Challanges
Firewalls and Layer 3 Switches. ACL's can make it difficult to map a network fully.Wireless networks - Being able to determine what is wired or wireless.Virtualized newtworks -Cloud services -
NMAP
nmap -O iptoscan ***OS scannmap -sV iptoscan *** Service Version. banner grabs and packet analasysnmap -O -sV iptoscannmap -sS iptoscan **Syn scannmap -sT iptoscan ** Full 3way handshakenmap -sA iptoscan ** AcknowledgmentNMAP cheat sheat: https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/
aZenmp
Graphical version of NMAP
aAngry IP
MultiplatformGraphical port scannerDoes not provide service or OS information by default.Must use "fetchers" to get more information.Well-known, but not as full featured as NMAP or Zenmap
Nessus
Others
Metasploit has built-in scannersQualys Vulnerability ManagementTenable Nessus or write your own using Python.
Port Scanning
Most common method for information gathering on a network and devices.Port scanners perform:Host Discovery. What is online or off linePort scanning and service.Service version identificationOperating System Identification.Port scanners also used for network inventory tasks and security audits.Well known ports - (0 - 1023)Registered ports - (1024 - 49151)Where you scan from matters.Internal scans will see more information than external scans.If you are trying to simulate a cyber attack during a Pen Test, you should be scanning from outside the network to match the attackers perspective.
Service Scanning
Service identification attempts to identify the service and its version through banner grabbing or comparing TCP/UDP packet responses to known signatures.Scanning the subnet.
OS Scanning
OS fingerprinting uses TCP/IP stack responses from the TCP and UDP packets sent to identify Windows, Linux, or OSX, and if possible, the version.
Passive Reconnaissance
More difficult than active reconnaissance.Relies on logs and other data.Data you receive may be out of date.Often used during a cyber incident response. You don't want to let an attacker know you are looking for them.
Log and Configuration Files
Local system configuration data and log files can be used to build a network map.Some tools exist to parse configuration files into a usable topology.Much of this is done manually.
Network Device Logs
Network devices log many activities, their status, and events.Includes traffic patterns and utilization.Log files, configuration files, and network flows are great for passive recon.
Cisco Logs
Level Name Example 0 Emergencies Failure causing a shutdown1 Alerts Temperature exceeded2 Critical Software failure3 Errors Interface down4 Warning Configuration change5 Notifications Line Protocol up/down6 Information ACL violation 7 Debugging Debugging Messages
aConfiguration Files
Invaluable when mapping a network.Identifies all routes and devices in detail.Provides details of SNMP and SYSLOG servers on the network, user and admin accounts, and more.
Netflow Data
Cisco specific protocol. Volume of data and how much is going out at a certain amount of time.Captures IP traffic information for traffic monitoring to provide flow and volume(Not Packet Capture).Contains IP, source port, destination port, and class of service.Other vendors have "flows", like Juniper - Jflow and cflowd, Citrix - AppFlow, and HP -NetStreamNetFlow facilitates solutions to many common problems encountered by IT professionals.• Analyze new applications and their network impactIdentify new application network loads such as VoIP or remote site additions.• Reduction in peak WAN trafficUse NetFlow statistics to measure WAN traffic improvement from application-policy changes; understand who is utilizing the network and the network top talkers.• Troubleshooting and understanding network pain pointsDiagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools.• Detection of unauthorized WAN trafficAvoid costly upgrades by identifying the applications causing congestion.• Security and anomaly detectionNetFlow can be used for anomaly detection and worm diagnosis along with applications such as Cisco CS-Mars.• Validation of QoS parametersConfirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed.How does NetFlow give you network information?What is an IP Flow?Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.IP Packet attributes used by NetFlow:• IP source address• IP destination address• Source port• Destination port• Layer 3 protocol type• Class of Service• Router or switch interfaceAll packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.
Netstat
Built-in Windows utility, Linux, MacOS, and UnixProvides active TCP and UDP connections.Identify process using a connection.Provides statistics on sent/received date. Route table information.netstat -a active connectionsnetstat -o process using the connectionnetstat -e ethernet stats - like netflownetstat -r routing table informationnetstat -ano
aDHCP Logs
Dynamic Host Configuration ProtocolProvides an IP address, default gateway, subnet mask, and DNS server to a host.DHCP server logs and configurations are useful during passive recon.Combined with firewall logs, you can determine which hosts use dynamic or static IPs.
aFirewall Logs
Indicates what is accepted and what is blocked.Is a good way to passively understand your network design.Reading configurations is quicker than reverse engineering the log files.Often use log levels to categorize information and debug messages.Cisco, Palo Alto and Check Point all log things a little different, but have common items. IE: date/time stamp, Details of the event.Logs are designed to be human readable.Access logs on Cisco using "show logging" command.
Host/Server Logs
System logs are collected by the system.Useful for troubleshooting and reconstructing a cyber attack.Log files provide information system configuration, applications, and user accounts.You need system access to get these logs,
Linux
Everything is going to be logged in the var/log directory. /var/logOther applications may store their own log files elsewhere.
Windows
Application Logs- Logged by programs/applicationsSecurity Logs- Records login events, resource usage, files created/open/deletedSetup Logs- Records application setup actions./installs.System Logs- Events from Windows components.Forwarded Event Logs - Event subscriptions from remote computers.
DNS Harvesting
Often our first step in information gathering.DNS information is publicly available.A quick Whois search can give you many details to use.Host names can tell you about the server. (DC1.walmart.store120.com might be a domain controller.NSLOOKUPWHOIS Lookup Websites:https://who.is/http://whois.domaintools.com/http://www.whois.nethttps://www.exploit-db.com/google-hacking-database/
aDomain Names/IP Ranges
Human readable names we use to locate servers.Managed by registrars.Generic top level domains: .com, .net, .org, .edu, .mil, .govCountry code top-level domain: .com.uk, .edu.itIP RangesThere are 5 regional authorities;AFRINIC (Africa)ARIN (US,Canada, Antarctica, and Caribbean)APRIN (Asia. Australia, New Zealand, ect.)LACNIC - (Latin America, Carribean)RIPE - (Europe, Russia, Middle East)Each authority provides Whois services for their IP space.
Traceroute
TracerouteTraceroute is using UDP or ICMP ECHO to send out the packet with a Time To Live (TTL) of one, and incrementing it until reaching the target, the tcptraceroute is using TCP SYN to send out the packet to the target.tcptraceroute will receive a SYN/ACK packet if the port is open, and it will receive a RST packet if the port is closed.Figure:TracerouteAfter route number 17, we are no longer able to get the route information. Usually this is because our traceroute is being blocked by a filtering device.
nslookup
open a command prompt and type nslookupsee infoDNS RecordsMX (Mail server records)A (Address records)C (cononical records)PTR (Pointer records).WHOIS Lookup Websites:https://who.is/http://whois.domaintools.com/http://www.whois.net
aDNS Zone Transfers
Designed to replicate DNS Databases between two DNS serversThis is a vulnerability if some transfers are allowed, so most prevent zone transfers to servers that aren't trusted.You can use dig to perform the transfer.#dig axfr @dns-server domain.nameDigiNinja provides a couple DNS servers that allow zone transfers Zone transfersDNS Zone Transfer is generally used for DNS database replications and backups. The security problem with DNS zone transfer is that it can be used to decipher the topology of a company’s network. Specifically when a user is trying to perform a zone transfer it sends a DNS query to list all DNS information like name servers, host names, MX and CNAME records, zone serial number, Time to live records etc. Due to the amount of information that can be obtained DNS zone transfer cannot be easily found in nowadays.Figure: Query for name serverThe above image shows the how to get the dns server names.Figure: Zone Transfer FailedAs the response to our query is been failed thus we can say that zone transfer is configured properly
DNS Brute Forcing
Used when you perform a DNS zone transfer.Simply sends manual or scripted DNS queries for each IP of the organization.Organizations can protect against this by sending responses slowly or with IDS/IPS rules to prevent this.DNS ReconnaissanceWe can interact with a DNS server using various DNS clients such as host, nslookup, dig,etc.nslookup is a computer program used in Windows and Unix to query Domain Name System(DNS) servers to find DNS details, including IP addresses of a particular computer, MX records for a domain and the NS servers of a domain. The name nslookup means “name server lookup”.Figure: NslookupThe above image explains that we connected to local server and asked to resolve a record for us. The server responded with the IP address of the victim.Before going ahead try to understand some DNS records. For more details please visithttps://en.wikipedia.org/wiki/List_of_DNS_record_types– A – Points to host IP address – MX – Points to domain mail server. – NS- Points to host name server – CNAME-Canonical naming allowing aliases to host. – SOA- Indicate authority for domain. – SRV-Service Record. – PTR-Maps IP address to hostname. – RP-Responsible Person. – INFO- Host Information.In order to retrieve mail server information we can use the following commandsFigure: Nslookup query for mail serverWhile gathering information can divided into 3 main techniques:-Forward lookup bruteforceReverse lookup bruteforceVerifying SPF RecordZone transfers1. Forward lookup bruteforceThe main idea behind this technique is to guess correct valid server names of organization. We can try this using the host command. The output gave us an IP address of the server.Figure: Forward lookup2. Reverse lookup bruteforceThis is a technique which is reverse to forward lookup bruteforce, in this case victim’s IP address is known and we need to find the server names and other information pertaining to the organization.Figure: Reverse lookup3. Verifying SPF RecordAn SPF record is a TXT record that is part of a domain’s DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name.Figure: Verifying spf recordThe purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
Whois/Host Commands
Allows search of databases for domain and IP blocks.Provides detailed registration information used when claiming the domain name.Names, Addresses, IPs, Phone numbers, and more can be gained.WHOIS Lookup Websites:https://who.is/http://whois.domaintools.com/http://www.whois.net
aInformation Gathering/Aggregation
Can be done using packet captures.Requires an intruder to breach a company's network to gather information.Treasure trove of information:-What hosts are on the network.-What OSs are running.-What shares are available.This is done using tools like Wireshark. https://www.wireshark.org/INFORMATION AGGREGATION:Gathering information from various platforms and tools for analysis with a single tool.theHarvester:-Gathers emails, domains, hostnames, employee names, open prots, banners, ect.-Text-based tool installed in Kali LinuxMaltego: Great harvesting tool. https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.phpShodan: Search engine for IoT devices and vulnerabilities.https://www.shodan.io/
aOrganizational Intelligence
Your organization has an online profile, whether you know it or not.This can be used by an attacker against you.In a Pen Test, we act as the attacker, so we must use this information.
Organizational Data
Locations of facilities and buildings.Your physical security postureBusiness hoursWork routine of the organizationOrganizational charts. (Google)Relationships between departments and people.Documents contain metadataFinancial dataPersonal information of employees
Document Harvesting
Where can you get these documents?On the internet nothing is gone forever.Th internet archive: https://archive.org/Time travel service:http://timetravel.mementoweb.org/https://cachedview.com/Social mediaPaid public record searches;Zaba searchNETR online
aMetadata
Contains authors name and software versions used.IE: Word 2003
EXIF Data
Uses Geo location coordinates from photos.Track patterns of lifehttp://exifdata.com/
aEmails
Can be used to perform contact chaining and conduct social engineering campaigns. phishingTools: Immersion.Email HarvestingThe theharvester tool available in Kali-Linux is an e-mail accounts, username, and hostname/ subdomains gathering tool.As an example, if you want to find e-mail addresses and hostnames for a target domain using Google, following is the appropriate command: #./theHarvester.py -d targetdomain -l 100 -b googleFigure: Email HarvestingEmail harvesting can be used by hackers to carry out a phishing campaign against an entire organization. This is one aspect of how emails can be misused. Computer users, who are often unaware of phishing attacks can fall victim and end up loosing confidential information to the hackers.
Social Engineering
Exploits the human element of securityOccurs via phone, email, social media, or in person.https://www.social-engineer.org/
SET
Social Engineering Toolkithttps://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/
Creepy
Geolocation Toolhttps://www.geocreepy.com/
aMetasploit
Phishing and other tools.https://www.metasploit.com/
Detecting, Preventing and Responding to Reconnaissance
Successful reconnaissance does not always mean a successful attack, however we want to limit the damage that could occur as much as possible.We utilize the same technique to limit both casual and directed reconnaissance.
Detect
Monitoring must occur at connection points between two network zones.Often between Intranet and Intranet or Intranet and DMZ.Perform data collection so you can analyze the data at a later time.Data Sources:Network traffic analysis using IDS, IPS, HIDS, NIDS, Firewalls, and other security devices. Can be done through the following:Packet AnalysisProtocol AnalysisTraffic and Flow AnalysisDevice ans System LogsPort and Vulnerability ScansSecurity Information and Event Management LogsIf you outsource your services, you might have to rely on your SaaS or PaaS provider to detect it for you.
Data Analysis
Anomaly Analysis
What is different about this? What's not normal?
Trend Analysis
Helps to identify future problems based on past.IE: Traffic congestion
Signature Analysis
Fingerprint or hash used to detect threats.
Heuristic/Behavioral Analysis
Detects threat behavior.Useful to detect unknown threats.
Manual Analysis
Human expertise is used to analyze the data.Security Analyst
Prevent
Control the information you release.Blacklist systems that are abusing your services.Use CAPTCHAs to prevent scripts and bot.Utilize third-party registration for domains/IPsSet rate limits for lookups and searches.Avoid publishing zone files, if possible.Educate your users about social media risks.
Network Defences
Employ network defenses. HIPS, IDS, Firewall, ect.
Fingerprint your Network
Limit external exposure of services and know your forward facing footprint
Limit/Stop Probes/Scans
Utilize an IPS to limit or stop probes and scans.
Monitoring
Utilize monitoring and alert systems based on signature, behavior, or anomaly.
Respond
Cyber Incident Response
What is a Cyber Incident Response?Actions taken in response to a security incident or event.An organized apporach to understanding the incident, mitigating its negative effects, planning the recovery, and investigating the root cause.NIST SP 800-61https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
aPhases of an Incident Response
The process is not linear but cyclical. NIST SP 800-61 page 30.https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdfCyber incidents will happen.No matter what your organization does to prevent a cyber incident...eventually one will happen.How will you respond?How will you react?How will you recover?Plan in advance.Allows you to have a coordinated and methodical response.Prior planning minimizes the damage and decreases your response time.
aPreparation
Takes preparation to build a well-prepared CSIRT.Requires proper policy foundation within the organization.Preparation includes building proper cyber defenses in the organization.Includes indentifying/training personnel and building response kits.Preparation Toolkits:Digital forensic workstationsForensic softwarePacket capture devicesSpare servers/network gearBackup devicesBlank removable mediaCollection, analysis, and laptopsPortable printersOffice suppliesEvidence collection materialsand more
Detection
and Analysis
The Hardest to StandardizeTools help in detection, but it takes a trained analyst to understand all the details during analysis.When detection,occurs, analysts shift to validation mode, then into analysis.Primarily passive activities designed to uncover and analyze incidents.
Event Indicators
Alerts
IDS/IPS, SEIM, Anti-virus, or other software alerts.
Logs
From operating systems, services, applications, network devices, and network flows
People
Suspicious activity reported by users or admins
Publically Available Info
News, media, and other open-source information.Ransomware out on the market ect.....
Best Practices for Analysis
Profile networks/systems.Understand your baseline.Create good logging policies/practices.Conduct event correlation by synchronize network and system clocks.Maintain organization knowledge base.Capture network traffic ASAP in incident.Filter information to reduce confusion.Know when to bring in outside help.
Containment
,Eradication
,and Recovery
Focus on stopping the spread of the incident, remove it from the network, and recovering from it.Phase focuses on active detection and removal of the incident.5 Steps:Pick containment strategy.Use Strategy to Limit Damage Incident CausesGather evidence needed for potential future legal actionsIdentify attacking system or attackerRemove effects of the incident and recover normal business operations
Pick a Containment Strategy
Objective of Containment:Limit the damage to the organization.Provide incident handlers an opportunity to collect evidence and repair the issue.Maintain and operate services for your customers.Perform containment as quickly as possible.Isolate the issue.Stop the spread of the incident.Containment Considerations:Containment is not perfect. It's quick and dirty.Can cause some loss of business functionality.Coordinate with stockholders before you take actions.
Segmentation
Proactive strategy to prevent spread from one part of network to another.Isolate or RemovalRemove a system from your network and directly connect to internet.Remove the attacker (disconnect PC)
Use Strategy to Limit Damage Incident Causes
Gather Evidence
Gather evidence needed for potential future legal actions.
Identify Attacking System/Attacker
Remove Effects of the Incident
Remove effects of the incident and recover normal business operations
Post-
Incident Activity
CSIRT isn't done once the incident is contained and eradicated, they still need to conduct:Event ReconstructionLessons LearnedEvidence Retention
Event Reconstruction
Recreate a timeline of the incident.Identify the root cause of the intrusion and/or incident.Conduct consultations with system admins and management.
Lessons Learned
Utilizes the timeline to aid improvement of procedures and tools used by CSIRT.Group discussion to determine how the incident was handled, and how it could have been handled better.Lessons learned must be fed into the ITSM processes in order to follow-on actions to be taken.What happened and when?How did staff perform?Were procedures followed?Were procedures adequate?What should have been done differently?Was information shared effectively?How could we detect incidents sooner?What new tools or resources does the organization need?
Evidence Retention
Large quantities of evidence have been collected.What do we do with all the evidence?The CSIRT must identify internal/external retention requirements.If legal actions will be conducted, consult an attorney before deleting anything.
Timelines
US Government Agencies must retain all incident handling items for 3 years due to legal requirements.Most organizations maintain records for 2 years, unless otherwise required by regulatory requirements.HIPPAFIRPASOX
Creating an Incident Response Team
Members are permanent or temporary.Core team is cybersecurity professionals with incident response experience.Temporary members brought in for specific cases (DBA or SQL Admin).Smaller organizations have CSIRT as a collateral role in addition to their day job.
Management
What does management do?Active role in an incident response.Ensure the team has funding, resources, and expertise needed to conduct incident response.Make critical business decisions.Communicate with legal or news media.Communicate with key stakeholders.
(CSIRT) Computer Security Incident Response Team
Who is on the CSIRT team?Team of professionals responsible for handling a security incident within an organization by using a standardized procedure.Leader is a skilled Incident Responder.Subject matter expert. (Linux, Windows, DBA,)IT support staff.Legal counsel. (advisors)Human resource staff.Public relations and marketing staff.
Outsource CSIRT?
Can you outsource the CSIRT?Retaining a third-party gives you instant capability without daily resourcing.Can be very expensive.Ensure your organization is comfortable with the third-party's guaranteed response time.Agree upon the scope of work to be performed. What does the organization have to do for themselves.
Scope of Control for a CSIRT
What would trigger activation of CSIRT?Who authorizes the activation?Do they respond for all parts of the organization, or just specific ones? only ecommerce or internal network.Can CSIRT talk to law enforcement?Can CSIRT talk to the media? Generally CEO, CIO, CSO.How would CSIRT escalate an issue?
Test the Team
Testing the teams.Plans without testing are ineffective.You must ensure the teams are trained and ready for an incident response.Testing allows a walk-through of the policy, procedures, and playbooks.Can be combined with a penetration test to simulate a real attack.
Incident Response Policy/Procedures
Foundation of the organization's Incident Response program.Guides efforts at a high-level.Provides authority for response efforts.Approved by CEO or CIO.Should be fairly timeless.
Policy
Contents of the PolicyStatement of management commitment.PurposeObjectiveScope of policyDefinition terms.....What is a event....Roles, responsibilities, and authority.Incident prioritization schemeMeasures of performance for CSIRTReporting requirementsContact information
Procedures
Detailed information.Step-by-step guidelines.Not a replacement for CSIRT's professional judgement and expertise.Often developed as a specific playbook.Playbook:Describes a response to a high severity incident such as:Data breach of financial information.Data breach of PII.Phishing attack against customers.Web server defacement.Loss of corporate laptop.Intrusion into the corporate network.Windows Golden Ticket reset.
Communication and Information Sharing
During an incident, how will you communicate and share information?
Internal
How will the CSIRT communicate amongst themselves and to leadership?How will management communicate to other employees?EmailTextPhoneMeetingYour incident response plan dictates how you will communicate during an incident.Use an out-of-band communication method.If voip is attacket do not use phones.Printer
External
When will you communicate with outside people like law enforcement, media, shareholders, and others?Your incident response plan should state when.......What information are you going to give them.Press releases....statements.Who?Law Enforcement....If incident involves criminal acts.Information sharing partners......Do you want to share indications of the incident?Vendors....Can provide patches and support during incident.Other Organizations affected..........Do you have evidence others were targeted?Media or General Public.............May be mandatory depending on type of incident.Do you volunteer the information to the media?
Incident Classification
All incidents should be classified by their threat and severity.Allows comparison of current incident with past and future ones.Aids in personnel's understanding of the incident being worked on.10 classifying threats:External or Removable MediaAttritionWebEmailImpersonationImproper UsageLoss or Theft of EquipmentUnknown
Security Events and Incidents
Event - Any observable occurrence in a system or network. Adverse Event - Any event that has negative consequences. Incidents - An imminent threat of violation, or a violation itself, of a security policy, acceptable use policy, or standard security practice. Not every event is an incident, however every incident contains at least one event.
Classifying Threats
10 classifying threats:External or Removable MediaAttritionWebEmailImpersonationImproper UsageLoss or Theft of EquipmentUnknown
External or Removable Media
Attack executed by removable media or peripheral.
Advanced Persistent Threat (APT)
Not a category under NIST, but prevalent today.Often funded by nation states, organized crime, or other sources.Highly skilled and sophisticated attackers.Often takes advantage of zero-day vulnerabilities.
Attrition
Attack employing brute-force to compromise, deny, or degrade services, systems, or networks.
Web
Attack executed from web-based applications or site.
Attack executed from email or attachment.
Impersonation
Attack that replaces something benign with something malicious (spoofing, SQL injection, etc.)
Improper Usage
Violation of organization's Acceptable Use Policy (P2P program).
Loss or Theft of Equipment
Computing device or media is lost or stolen.
Unknown
Attack that comes from an unknown origin.
Other
Attack that comes from a known origin, but doesn't fit into the other categories.
Classifying Severity
Scope of Impact
Degree of impairment that an incident causes an organization and the effort to recover from the incident.Functional Impact...Degree of impairment to an organization.Economic Impact...Amount of financial loss to an organization.Recoverability Impact...Amount of time lost by an organization.
Functional Impact.
Degree of impairment to an organization.Do not need to memorize tableNIST 800-61 (Table 3-2)https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
aEconomic Impact
Amount of financial loss to an organization.Do not need to memorize tableNIST 800-61 (Table 3-2)https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
aRecoverability Impact
Amount of time lost by an organization.Do not need to memorize tableNIST 800-61 (Table 3-4)https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
aTypes Of Data
The type of date involved in the incident also affects the classification of severity.Information Impact...Degree of information compromised during the incident.
Information Impact
Degree of information compromised during the incident.Government side only. NIST 800-61 Table 3-3 Do not need to memorize.https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdfPrivate Company not covered by NIST 800-61NoneRegulated Information BreachIntellectual Property BreachConfidential Proprietary BreachIntegrity Loss
aNetwork Event Monitoring
Network event analysis is a common task for cybersecurity analysts.Gather, correlate, and analyze data from different systems/sensors on the network.Used to detect or prevent incidents.
Router-Based Monitoring
Provides data flow on the network and information on the status of the device.Relies on capturing the data about the traffic passing through a router.Called Network Flows.NetFlow, slow, J-Flow: Depending on the manufacturer.All are standardized for monitoring traffic flow.Count information about the traffic at the interface.Sample traffic (1:100, 1:1000, ect). Gives information a connection types, not the data itself.RMON:Operates at layers 1, 2, 3, 4 of the OSI model.Operates as client/server model with probes.Provides statistics, history, alarms, and events to a Management Information Base.SNMPv3 (Simple Network Management Protocol): port 161Collects information about routers/switches.Information is about the devices themselves, not the traffic crossing through those devices.
Active Monitoring
Request is sent to a remote system and data is collected from the end point to a centralized server.Data contains information about:AvailabilityRoutesPacket delaysPacket lossBandwidth
Ping
PingData acquired by using ICMP on remote system.Basic up and down information and latency only.
iPerf
iPerfMeasures maximum bandwidth of a given network.Remote testing of a link.Useful to determine a baseline of the network.
Passive Monitoring
Uses a network tap to copy all traffic between two devices.Useful for after-the-fact analysis.Detailed information about:Rate of trafficProtocols usedContent
Network Monitoring Tools
Many network monitoring tools are available for different cases.Combination of network data is more powerful than a single piece of data.Different tools can analyze data in different ways.
Wireshark
Passive Monitoring and packet capture.Used for packet analysis.https://www.wireshark.org/
SolarWinds
Netflow Traffic Analyzerhttps://demo.solarwinds.comNetwork Performance Monitor
aPRTG
Paessler Router Traffic Grapher. https://www.paessler.com/prtgServer monitoring, network monitoring, and bandwidth monitoring.Open-source FreePacket Sniffing: Monitors packet headers to determine traffic type.Flows: Collects information about connections.SNMP: Network devices report about events through traps.WMI: Windows Management Instrumentation. Management data of the OS using scripts or application access.
Nagios
https://www.nagios.org/Network and system log monitoring tool.Provides GUI for system, services, and monitoring capabilities.
Cacti
Cacti https://www.cacti.net/Uses SNMP polling of network devices for status information and shows a GUI.
aDetecting Network Events
Cybersecurity analysts should be able to determine an incident based on events.Analysis of logs and other data are key to understanding if an event will become an incident.Types of Network Events:BeaconingUnusual Bandwidth ConsumptionLink Connection FailuresUnexpected Traffic
Beaconing
Beaconing or a heartbeat sends a signal to a command and control system/sevver due to a botnet or malware infection.Usually sent over HTTP (80) or HTTPS (443)Can be difficult to detect.Generally occurs at a certain frequency or pattern. Every 5 minutes for seconds.Indication of malware.
Bandwidth Consumption
Unusual Bandwidth Consumption.Unusual bandwidth consumption could cause service issues or can be a sign of a larger issue.
Link/Connection Failures
Link Connection FailuresGenerally occurs due to a hardware, firmware, or software issue.Could be as simple as a bad module, broken cable, or unplugged connector.Bad or malicious software.DOS attack
Unexpected Traffic
Unexpected Traffic.Detected by IDS/IPS, traffic monitoring systems, or by manual observation.Understand your baselineNot all unexpected traffic is malicious, but it should be investigated/understood.Could be unusual based on type of traffic, end point location, or amount.Connections from other countries if you are a US company? not good
Detecting Unexpected Traffic
Baseline/Anomaly-Based
Baseline or Anomaly-BasedMonitoring system alarm based on traffic that is outside the normal baseline.
Heuristics/Behavior-Based
Heuristics/Behavior-BasedUses signatures and defined rules to detect.
Protocol Analysis
Protocol AnalysisSeeks to detect protocols where they aren't expected, like VPNs or IPv6 tunnels.
Network Probes and Attacks
Much of your incident handling will involve network probes and attacks.Network probes are usually part of reconnaissance efforts and are easy to detect......like a port scan.
DOS
Denial of Service (DOS) Detection:Attacks on a given network, system, or service from a single source.Attempts to overwhelm system or network.Prevention:Block the attacker using your firewall or IPS.Distributed Denial of Service (DDOS)Attack on a given network, system, or service from simultaneous/multiple sources.Detection:Traffic coming from unknown botnet IPsMonitoring your traffic and usage patterns.Prevention:Network designed with distributed network of endpoints...(like Akamai). https://www.akamai.com/Ensure your networks can scale upwards.
Detecting Rogue Devices
MAC Address Validation:Ensure all devices are "Known Devices"Check device MAC against vendor codes. First 6 digits of the MAC address is the vendor.Scan the Network to ID devices.Conduct physical site inspections.Analyze traffic for irregular behavior.
Rogue Wired Devices
Usually occurs when an employee or attacker connects a wired device such as a hub/switch.Prevention: Network Access Control and Port Security (802.1X).
Rogue Wireless Devices
Can be detected by conducting wireless surveys and mapping the area.Often used as an Evil Twin to trick users and steal information.
Server and Host Events
System Monitoring
Processor (CPU), Memory, and Drives.CPU attacks usually occur as DOS or malicious software.Memory is monitored by the OS based on given thresholds:Memory leaks occur when programs don't release memory after being terminated. Eventually, all memory can be used up. System restarts to release the memory.
Tools
System Monitoring Tools -Windows:Resource Monitor (RESMON):Built-in Windows tool for monitoring.CPU, Memory, Disk, and Network Utilization.Performance Monitor (PERFMON):Built-in Windows tool for monitoring. Supports collection from remote systems.Linux:ps - CPU and memory utilization, process info.top - Like ps, but provides sorting by top usage.df - Report of disk usage.w - Accounts logged on, who ran process.
Malware and Unsupported Software
Use centralized management tools to conduct installs and inventory.Antivirus and anti-malware tools.Conduct blasklisting of unsupported software/files.Application whitelisting - more effective than blacklisting.
Unauthorized Access, Changes, Privileges
Users and permissions are complex with the number systems in use.Central Management tools (SIM/SIEM) can correlate logs for analysis.Authentication LogsUser Creation LogsSystems LogsApplication LogsSecurity Event Logs
Service/Application Events
Services and Applications should be monitored per good ITSM processes.Are they up/down?Are they responding properly?Are they functioning properly?Are they conducting transactions properly?Are they logging properly?
Service Anomalies
Non-security issues:Authentication errors.Permission Issues.Services do not start on boot up.Service Failures.Investigate the issues to ensure it is not security related.Use antivirus, antimalware, file integrity checks, and whitelisting to verify.Windows:services.msc (GUI) or sc (command line)Event Viewer to view application logsLinux:service-status-all (command line)/var/log directory to view application logsuse tail to view the end of the log files.
Behavior
Create and understand your baseline.Log/alert on anything outside of baseline.HIPS
Attacks to Service/Applications
Anomalous Activity
Anything that does not match the typical behavior.Investigate the activity and solve.
New Accounts
Were they authorized?Do they have excessive permissions?
Unexpected Output
Improper output or garbage output.User and admin training imperative to determining the root cause.
Unexpected Outbound Communication
Why is the application sending out data?Detect with network monitoring.
Service Interuption
Simple issue or DDOS attack?Monitoring tools can help determine reason.
Memory Overflows
Causes OS errors and crashes.Monitoring for them is hard.Detecting after a crash is easier.
Digital Forensics
Forensics are used to determine any changes, activities, or actions that have occurred on a host/server/computer.Allows incident responders to determine what occurred by putting together various pieces of information.Similar techniques are used by incident response teams and law enforcement.
Documentation
Documentation is one of the most important steps in digital forensics.Everything you do needs to be repeatable by third-party investigators.Chain of Custody is imperative for use in law enforcement.
Forensics Toolkits
Contain a wide variety of software and hardware needed to conduct collection and analysis of data in the field.Toolkits vary widely in cost and capability. $10-20k
Digital Forensic Workstation
Conducts data capture and analysis.Multicore CPUMaximum RAMLarge, Fast Storage, SSD, RAID
Forensic Investigation Software
Capture and analyze forensic images.Document and track investigations:Forensic Toolkit (FTK) - Commercial ProductsEnCase - Commercial ProductsSANS Investigative Forensic Kit (SIFT) - Open-sourceThe Sleuth Kit (TSK) - Open-source
Write Blocker
Ensures hard drives being imaged cannot be written to or its data changed. There are hardware (expensive) and software (not as forensicly sound) variants.Ensures integrity of the captured disk.
Forensic Drive Duplicator
Designed to copy HD without changing the original. Bit-by-Bit copy.Dedicated device that copies drive and hashes the disk image.Creates images, hashes, and chain of custody metadataExpensiveDedicated device
Wipe Drives and Removable Media
Clean HDs that are ready to receive disk images on.Drives are prepared using a drive wipe before use in the field.
Cables/Drive Adapters
Be ready to copy/collect any type of media you come across while in the field.IDESATAeSATA
Digital Camera
Used to photograph system layout, system configurations, drive labels, how a machine is cabled, etc.
Label Maker
Label cables, components, and other items collected while in the field.
Mobil Forensics Toolkits
Mobile devices have different operating systems and security issues.Capturing data from mobile devices can be more difficult and needs special tools.TabletsMobil phones
SIM Card Access
Different phones require small screwdrivers or a push pin tool to access the SIM card.Address bookcontactscall history
Cables
Apple - Lightning cables or 30-pinAndroid - USB, UCB-C, Micro USB, Mini,
Mobil Forensic Software
Specialized software for accessing mobile devices.
Forensic Software
Commercial and Open-Source for:ImagingAnalysisHashing and ValidationProcess and Memory DumpsPassword CrackingLog Viewer
Imaging Media/Drives
Bit by bit copy of a drive, including the slack space and unalocated space.FTK Imager -- Free to use--ProprietaryEnCase Imager -- Free to use--Proprietarydd -- open-source -- free
dd
dd is a standard Linux/UNIX toolCan clone drives using bit-by-it copy.#dd bs=64k if=/dev/disk1/sda1 of=/mnt/usb1/sda1.imgconnect usb through write blockerfdisk -lmd5sum (filename)
FTK Imager
Commercial product that is free to use.Documents chain of custody, adds hash, and creates metadata tags for later analysis.GUI basedOpen FTKFile-create disk imageselect drivewhere to savetype a file name and other infowhere to store
Analysis Software
Creates timeline of system changes.Validates file against known good copy.File system analysis for hidden files, changes, access, and metadata.Windows Registry analysis.Log file parsing and analysis.Commercial:FTK and EnCaseOpen-Source:SIFT, CAINE, and Autopsy
Hashing and Validation
Creates a unique file integrity check of a disk image after creation.Used as part of Chain of Custody.EnCase uses built-in hashing with its .EO1 format.Should use both MD5 and SHA1/SHA256.
Process and Memory Dumps
State of the OS and data in-resident memory at the time of collection.Difficult to collect without changing the contents of the memory.Useful to capture decryption keys for full disk encryption.Hibernation files and crash dumps can also contain some of this data.
Tools
Linux:fmem and LiMEWindows:DumpItALL: windows, linux, os xVolatility FrameworkEnCaseFTKMemory dumps on system can be found at %SystemRoot%\MEMORY.DMPAnalyze dumps with Microsoft,s WinDbg
Password Cracking
Encrypted and password protected files require cracking or guessing.Hacking tools like John the Ripper and Cain and Able can be used.DOC, XLS, PPT, and ZIP files have other specialized password cracking tools:Advanced Office Password BreakerElcomSofts Distributed Password RecoveryZip2John........numerous others.
Log Viewer
Used to analyze log files from collected system images.Can create timelines and allow you to visualize the data cleanly.
Forensics Investigation Process
7 Step Process:Determine what you want to find out.Determine location to find the info.Document your plan.Acquire/preserve the evidence.Perform initial analysis (log actions).Conduct deeper analysis (log actions).Report on your findings.
Order of Volitility
Date Collection Priorities:CPU, Cache, Registers, Running Processes, and MemoryNetwork TrafficHDD and USB drivesBackups, Printouts, Optical Media
Unexpected Findings
What do you do when you find something you don not expect?There is always a rick you will find what you did not want to find .......Employee breaking the AUP.......Evidence of illegal activities'''''''Removing malware and finding XXX
ID Attacker
Do you need to ID the attacker?Is there a good business reason why?Attackers cover their tracks well, and indentifying them can take a lot of time and resources, where your goal is simply to minimize the business impact.Law enforcement has a different viewpoint on this.
Eradication/Recovery
Remove any artifacts of the incident by removing the malware and any changes it made.Restore the network back to full functionality.Correct any security deficiencies.Remove malicious code, sanitize compromised media, and fix any of the affected user accounts.Recovery is NOT:Rebuilding the entire network.Fully redesigning of the system.Not a reason to buy all new equipment.
Reconstruct and Reimaging
Once an attacker touches your system, consider it compromised.Reconstruct or reimage the system from a known good backup.Consider the root cause of the incident so that the system isn't susceptible to the same attack vector.
Patching
Patching any system that may be vulnerable to the same attack vector.This is a good time to re-scan and patch ALL of your systems......
Sanitization and Disposal
Clear:Logical techniques used to sanitize data (reset to factory state or overwriting a disk with all 0s).Purge:Physical or logical techniques to make data recovery from a disk infeasible using newest techniques (degaussing or or overwrite 0s 35x)Destroy:Date recovery infeasible and disk drive unusable for storage (melting, incinerating, destroying) PII, secret stuff
Validation Effort
Only authorized user accounts exist on each system in the network.Verify permissions assigned to each user.Verify all systems are logging correctly.Verify vulnerability scans on all systems are routinely conducted.
Finishing the Response
Change Management Process:Emergency Change Management Board may have authorized numerous actions during the incident response.Follow-up to ensure all changes have been documented properly.Need to ensure that network diagrams and vulnerability scan profiles are updated.Lessons-Learned:Document the details, the root cause, and the solution to a security incident.Fact-finding meetings should be conducted as close to the end of an incident response as possibleNeeded changes identified during the lessons-learned process should be fed into the resourcing and Change Mgmt process.Final Report:Every incident should finish with a compiled written report.Establish organizational "memory".Can serve as documentation in case further legal action occurs in the future.Can identify other deficiencies in the incident response that need to be addressed by mgmt.
Change Management Process
Emergency Change Management Board may have authorized numerous actions during the incident response.Follow-up to ensure all changes have been documented properly.Need to ensure that network diagrams and vulnerability scan profiles are updated.
Lessons-Learned
Document the details, the root cause, and the solution to a security incident.Fact-finding meetings should be conducted as close to the end of an incident response as possibleNeeded changes identified during the lessons-learned process should be fed into the resourcing and Change Mgmt process.
Final Report
Every incident should finish with a compiled written report.Establish organizational "memory".Can serve as documentation in case further legal action occurs in the future.Can identify other deficiencies in the incident response that need to be addressed by mgmt.Should Include:Timeline of incident and response eventsRoot causeLocation and description of evidenceActions taken to contain, eradicate, and recoverEstimated impact to organizationPost-recovery validation effort resultsDocumentation of lessons-learned
Planning
Important Phase.No technical work is performed.Timing, Scope, and Authorization is gained during this phase.NEVER conduct a Pen Test without authorization.