Introduction to Cybersecurity

What is a Financial Botnet?

- Financial botnets, such as ZeuS and SpyEye, are responsible for the direct theft of funds from all types of enterprises.
- These types of botnets are typically not as large as spamming or DDoS botnets, which grow as large as possible for a single attacker.
- Where financial botnets are sold and their impact:
  Existence: Financial botnets are often sold as kits that allow attackers to license the code and build their own botnets.
  Impact: The impact of a financial breach can be enormous, including the breach of sensitive consumer and financial information, leading to significant financial, legal, and brand damage.

What is Evil Twin?

- Perhaps the easiest way for an attacker to find a victim to exploit is to set up a wireless access point that serves as a bridge to a real network. An attacker can easily bait a few victims with "free Wi-Fi access."
- Baiting a victim with free Wi-Fi access requires a potential victim to stumble on the access point and connect. The attacker can't easily target a specific victim, because the attack depends on the victim initiating the connection. Attackers now try to use a specific network name (SSID) that mimics a real access point, so that devices which have saved that network may join the twin automatically.
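As an added example (not part of the original page), the following Python script flags access points that advertise an organisation's SSID but are not in its AP inventory, offer weaker security than the real APs, or carry a vendor prefix the organisation does not use. The scan results, BSSIDs, SSID names and inventory are all constructed; nothing here talks to a radio.

```python
"""Spot likely evil-twin access points in a Wi-Fi scan.

Added example (not from the original page). Input is a constructed scan in
the shape a tool such as `iw dev <iface> scan` or a wardriving CSV yields:
SSID, BSSID, channel, security mode, signal. The BSSIDs, the inventory and
the SSID names below are hypothetical.
"""
from collections import defaultdict

# Constructed sample scan. 02:xx:... are locally administered (made-up) MACs.
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi", "bssid": "02:11:22:33:44:01", "channel": 36,
     "security": "WPA2-Enterprise", "signal": -55},
    {"ssid": "CorpWiFi", "bssid": "02:11:22:33:44:02", "channel": 44,
     "security": "WPA2-Enterprise", "signal": -61},
    # Same SSID, open authentication, unfamiliar OUI, strongest signal:
    # the signature of an evil twin parked near the victims.
    {"ssid": "CorpWiFi", "bssid": "02:AA:BB:CC:DD:EE", "channel": 6,
     "security": "OPEN", "signal": -40},
    {"ssid": "Free Airport WiFi", "bssid": "02:DE:AD:BE:EF:01", "channel": 1,
     "security": "OPEN", "signal": -70},
]

# Hypothetical inventory of the access points the organisation operates.
KNOWN_BSSIDS = {"02:11:22:33:44:01", "02:11:22:33:44:02"}


def oui(bssid):
    """First three octets of a MAC address: the vendor (OUI) prefix."""
    return bssid.upper()[:8]


def find_evil_twins(scan, known_bssids, managed_ssids):
    """Return one finding per AP that advertises a managed SSID but is not ours.

    Each finding lists why it is suspicious: unknown BSSID, weaker security
    than the inventory APs for that SSID, or a vendor prefix we do not use.
    """
    known_ouis = {oui(b) for b in known_bssids}
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid in managed_ssids:
        aps = by_ssid.get(ssid, [])
        trusted_security = {a["security"] for a in aps if a["bssid"] in known_bssids}
        for ap in aps:
            if ap["bssid"] in known_bssids:
                continue
            reasons = ["BSSID not in AP inventory"]
            if trusted_security and ap["security"] not in trusted_security:
                reasons.append(
                    f"security {ap['security']} differs from trusted {sorted(trusted_security)}")
            if oui(ap["bssid"]) not in known_ouis:
                reasons.append("vendor OUI not used by inventory APs")
            findings.append({"ssid": ssid, "bssid": ap["bssid"],
                             "channel": ap["channel"], "signal": ap["signal"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SAMPLE_SCAN, KNOWN_BSSIDS, {"CorpWiFi"}):
        print(f"{f['ssid']} on {f['bssid']} ch{f['channel']} {f['signal']} dBm:")
        for r in f["reasons"]:
            print("   -", r)
```

A twin that clones a legitimate BSSID defeats the inventory check, which is why the security-mode comparison matters and why WPA2/WPA3-Enterprise clients must validate the RADIUS server certificate instead of trusting any AP that carries the right name.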

What is Spear Phishing?

- Spear phishing is a targeted phishing campaign that appears more credible to its victims by gathering specific information about the target, giving it a higher probability of success. A spear phishing email may spoof an organization (such as a financial institution) or individual that the recipient actually knows and does business with. It may also contain very specific information (such as the recipient's first name, rather than just an email address).
- Spear phishing, and phishing attacks in general, are not always conducted via email. A link is all that is required, such as a link on Facebook or a message board or a shortened URL on Twitter. These methods are particularly effective in spear phishing attacks because they allow the attacker to gather a great deal of information about the targets and then lure them through dangerous links into a place where the users feel comfortable.

Tell me about Spamming Botnet

- The largest botnets are often dedicated to sending spam. The premise is straightforward: The attacker attempts to infect as many endpoints as possible, and the endpoints can then be used to send out spam email messages without the end users' knowledge.
- Productivity: The relative impact of this type of bot on an organization may seem low initially, but an infected endpoint sending spam could consume additional bandwidth and ultimately reduce the productivity of the users and even the network itself.
- Reputation: Perhaps more consequential is the fact that the organization's email domain and IP addresses could easily become listed by various real-time blackhole lists (RBLs), causing legitimate emails to be labeled as spam and blocked by other organizations and damaging the reputation of the organization.
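RBL listings are checked over DNS, which is worth seeing concretely. The Python below is an added example (not from the original page): it builds the reversed-octet query name, interprets the answer (NXDOMAIN means not listed, an address in 127.0.0.0/8 means listed, with the last octet encoding the reason), and lets you inject a resolver so it runs offline. The zone `dnsbl.example`, the return-code table and the fake zone data are constructed; every real list publishes its own zone name and code meanings.

```python
"""Build and interpret a DNS-based blocklist (DNSBL / RBL) lookup.

Added example, not from the original page. `dnsbl.example` is a placeholder
zone and RETURN_CODES is a constructed table; consult the list operator's
documentation for real values.
"""
import ipaddress
import socket

# Constructed return-code table for the placeholder zone.
RETURN_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.3": "open relay / proxy",
    "127.0.0.4": "exploited or compromised host (bot)",
}


def dnsbl_query_name(ip, zone):
    """192.0.2.1 + zone -> 1.2.0.192.<zone> (raises on non-IPv4 input)."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer, codes=RETURN_CODES):
    """Map an A-record answer (or None for NXDOMAIN) to a listing verdict."""
    if answer is None:
        return {"listed": False, "reason": None}
    a = ipaddress.IPv4Address(answer)
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        # Anything outside 127/8 is not a valid DNSBL answer; treat it as a
        # misconfigured or parked zone rather than as a listing.
        return {"listed": False, "reason": f"unexpected answer {answer}"}
    return {"listed": True, "reason": codes.get(str(a), f"unknown code {a}")}


def _live_resolver(name):
    """Real lookup; any resolution failure is treated as NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zone, resolver=None):
    """Query one IP against one zone; `resolver` is injectable for offline use."""
    name = dnsbl_query_name(ip, zone)
    resolve = resolver or _live_resolver
    return {"query": name, **interpret_answer(resolve(name))}


# Constructed stand-in zone so the example runs without network access.
FAKE_ZONE_DATA = {
    "1.2.0.192.dnsbl.example": "127.0.0.4",   # listed as a bot
    "9.2.0.192.dnsbl.example": "10.0.0.1",    # bogus answer (parked zone)
}


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.9", "198.51.100.7"):
        print(check_ip(ip, "dnsbl.example", fake_resolver))
```

Mail servers run this check against inbound connections; for the reputation risk described above, run it periodically against your own outbound mail IPs so a listing caused by an infected endpoint is noticed before customers start reporting bounced mail.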

What is turbulence in the cloud?

- Cloud computing technologies help organizations evolve their data centers from a hardware-centric architecture to a dynamic and automated environment.
- Cloud environments pool computing resources for on-demand support of application workloads that can be accessed anywhere, anytime, and from any device.

Tell me about Targeted Strategy- in a DDoS attack

- A DDoS attack can also be used as part of a targeted strategy for a later attack. While the victim organization is busy defending against the DDoS attack and restoring the network and systems, the attacker can deliver an exploit to the victim network (for example, by causing a buffer overflow in a SQL database) that will enable a malware infection and establish a foothold in the network. The attacker can then return later to expand the (stealthy) attack and extract stolen data.
- Examples of recent DDoS attacks include attacks against World of Warcraft Classic and Wikipedia in September 2019.

How does Perimeter Based Security Model Allows Unwanted Traffic?

- A broken trust model is not the only issue with perimeter-centric approaches to network security.
- Another contributing factor is that traditional security devices and technologies (such as port-based firewalls) commonly used to build network perimeters let too much unwanted traffic through.

What is Promiscuous Share?

- A legitimate share is created for a user, but that user then shares with other people who shouldn't have access.
- Promiscuous shares often result in the data being publicly shared.
- These types of shares can go well beyond the control of the original owner.

Give me some Wi-Fi Challenges?

- A security professional's first concern may be whether a Wi-Fi network is secure. However, for the average user, the unfortunate reality is that Wi-Fi connectivity is more about convenience than security.
- Security professionals must secure Wi-Fi networks, but they must also protect the mobile devices their organization's employees use to perform work and access potentially sensitive data, no matter where they are or whose network they're on.
  A. Public Airwaves
  B. Wi-Fi Network
  C. Mobile Device & Customer Apps

What is Advanced Persistent Threat? (APT)

- APTs are generally coordinated events that are associated with cybercriminal groups.
- Advanced: Attackers use advanced malware and exploits. They typically also have the skills and resources necessary to develop additional cyberattack tools and techniques.
- Persistent: An APT may take place over a period of several years. Attackers pursue specific objectives and move slowly and methodically to avoid detection.
- Threat: An APT is deliberate and focused, rather than opportunistic. APTs are designed to cause real damage.

What is Exploitation (Attack)?

- After a weaponized payload is delivered to a target endpoint, it must be triggered.
- An end user may unwittingly trigger an exploit by clicking a malicious link or opening an infected attachment in an email.
- An attacker also may remotely trigger an exploit against a known server vulnerability on the target network.

Tell me about how applications are classified and how difficult it has become to classify applications:

- Allowing and Blocking Applications: Classifying applications as either "good" (allowed) or "bad" (blocked) in a clear and consistent manner has also become increasingly difficult. Many applications are clearly good (low risk, high reward) or clearly bad (high risk, low reward), but most are somewhere in between depending on how the application is being used.

For Wireless Security, how do you "Participate in Known or Constrained Networks"

- Although wired network boundaries use cabling and segmentation, wireless networks are conducted over open airwaves.
- A primary paradigm of wireless networking security is to limit network availability and discovery, which can be accomplished by not broadcasting the wireless network presence and availability, or SSID. Note that a hidden SSID is not a security control: the name is still sent in clear text in probe and association frames, so any passive sniffer recovers it as soon as a client connects. Treat SSID hiding as a convenience and rely on strong authentication (WPA2/WPA3-Enterprise) for actual access control.
- Placement of wireless access points must be considered carefully, with the goal of limiting the range of a wireless network.

What is Compliance and Security?

- An organization can be fully compliant with all applicable cybersecurity laws and regulations, yet still not be secure.
- Conversely, an organization can be secure, yet not fully compliant.
- To further complicate this point, the compliance and security functions in many organizations are often defined and supervised by separate entities.

What is Weaponization (Attack)?

- Attackers determine which methods to use to compromise a target endpoint.
- They may choose to embed intruder code within seemingly innocuous files such as a PDF or Microsoft Word document or email message.
- Or, for highly targeted attacks, attackers may customize deliverables to match the specific interests of an individual within the target organization.

What is Command and Control (Attack)?

- Attackers establish encrypted communication channels back to command-and-control (C2) servers across the internet so that they can modify their attack objectives and methods as additional targets of opportunity are identified within the victim network, or to evade any new security countermeasures that the organization may attempt to deploy if attack artifacts are discovered.
- Communication is essential to an attack because it enables the attacker to remotely direct the attack and execute the attack objectives.
- C2 traffic must therefore be resilient and stealthy for an attack to succeed. Attack communication traffic is usually hidden with various techniques and tools, including encryption, circumvention, port evasion, fast flux (or Dynamic DNS), and DNS tunneling.
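Two of the evasion techniques named above, DNS tunneling and fast flux, leave measurable traces in resolver logs. The Python below is an added example (not from the original page) of the simplest heuristics for each: tunneling shows up as many distinct, long, high-entropy labels under one domain (every query unique so no cache can answer it), and fast flux as one name resolving to many addresses with a very short TTL. The log, the domains and the thresholds are constructed starting points, not validated detection rules.

```python
"""Heuristics for two DNS-based C2 tricks: tunneling and fast flux.

Added example (not from the original page). The resolver log below is
constructed, the domains are placeholders, and the thresholds are starting
points to tune against your own traffic.
"""
import math
from collections import defaultdict

# Constructed resolver log: (client, queried name, answer, TTL seconds)
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "93.184.216.34", 3600),
    ("10.0.0.5", "mail.example.com", "93.184.216.35", 3600),
    # Tunneling: data smuggled out as long random-looking labels, every
    # query unique so no cache answers it, all under one attacker domain.
    ("10.0.0.7", "a3f9c1b2e8d47766f0a1c3e5b7d9f1a3.t.c2-example.net", "192.0.2.10", 60),
    ("10.0.0.7", "9b1d3f5a7c9e0b2d4f6a8c0e2b4d6f8a.t.c2-example.net", "192.0.2.10", 60),
    ("10.0.0.7", "7e2a9c4f1b8d6e0a3f5c7b9d1e4a6c8f.t.c2-example.net", "192.0.2.10", 60),
    ("10.0.0.7", "0123456789abcdeffedcba9876543210.t.c2-example.net", "192.0.2.10", 60),
    # Fast flux: one name, rapidly rotating answers, very short TTL.
    ("10.0.0.9", "update.flux-example.org", "198.51.100.11", 30),
    ("10.0.0.9", "update.flux-example.org", "198.51.100.57", 30),
    ("10.0.0.9", "update.flux-example.org", "203.0.113.5", 30),
    ("10.0.0.9", "update.flux-example.org", "203.0.113.90", 30),
    ("10.0.0.9", "update.flux-example.org", "198.51.100.200", 30),
]


def shannon_entropy(s):
    """Bits per character; hex-encoded data scores near 4, natural words lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive: last two labels. Production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_tunneling(log, min_label_len=30, min_entropy=3.0, min_unique=3):
    """Domains receiving many distinct, long, high-entropy leftmost labels."""
    per_domain = defaultdict(set)
    for _, qname, _, _ in log:
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            per_domain[registered_domain(qname)].add(label)
    return {d: len(labels) for d, labels in per_domain.items()
            if len(labels) >= min_unique}


def detect_fast_flux(log, min_ips=4, max_ttl=300):
    """Names that resolve to many different addresses while keeping TTL low."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _, qname, answer, ttl in log:
        ips[qname].add(answer)
        ttls[qname].append(ttl)
    return {q: sorted(ips[q]) for q in ips
            if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}


if __name__ == "__main__":
    print("tunneling :", detect_tunneling(SAMPLE_LOG))
    print("fast flux :", detect_fast_flux(SAMPLE_LOG))
```

Both checks produce false positives on legitimate traffic (CDNs and large mail providers rotate addresses with short TTLs; some anti-virus and certificate-transparency services encode data in DNS labels), so they belong in a hunting workflow with an allowlist rather than in an automatic block rule.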

What is Delivery (Attack)?

- Attackers next attempt to deliver their weaponized payload to a target endpoint via email, IM, drive-by download (an end user's web browser is redirected to a webpage that automatically downloads malware to the endpoint in the background), or infected file share.

What is an Act on Objective (Attack)

-Attackers often have multiple, different attack objectives, including data theft; destruction or modification of critical systems, networks, and data; and denial-of-service (DoS). This last stage of the cyberattack lifecycle can also be used by an attacker to advance the early stages of the lifecycle against another target.

What is AutoFocus?

- AutoFocus contextual threat intelligence service speeds an organization's ability to analyze threats and respond to cyberattacks.
- Instant access to community-based threat data from WildFire, enhanced with deep context and attribution from the Palo Alto Networks Unit 42 threat research team, saves time.
- Security teams get detailed insight into attacks with prebuilt Unit 42 tags that identify malware families, adversaries, campaigns, malicious behaviors, and exploits without the need for a dedicated research team.

Tell me about SaaS Security Challenges

- Because of the nature of SaaS applications, their use is very difficult to control, or have visibility into, after the data leaves the network perimeter.
- This lack of control presents a significant security challenge: End users are now acting as their own "shadow" IT department, with control over the SaaS applications they use and how they use them.
- The inherent data exposure and threat insertion risks of SaaS:
  1. Malicious Outsiders
  2. Malicious Insiders
  3. Accidental Data Exposure
     3.1 Accidental Share
     3.2 Promiscuous Share
     3.3 Ghost (or Stale) Share

How does the Prevention Architecture " Reduce the Attack Surface"

- Best-of-breed technologies that are natively integrated provide a prevention architecture that inherently reduces the attack surface.
- This type of architecture allows organizations to exert positive control based on applications, users, and content, with support for open communication, orchestration, and visibility.

What is Blockchain?

- Blockchain is a data structure containing transactional records (stored as blocks) that ensures security and transparency through a vast, decentralized peer-to-peer network with no single controlling authority.
- Cryptocurrency, such as Bitcoin, is an example of a blockchain application.
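The data-structure half of that definition fits in a few lines. The Python below is an added example (not from the original page, and not any real blockchain's code): each block stores the hash of its predecessor, so editing a record breaks the hash of its own block, and recomputing that hash only moves the break to the next block. The transactions are constructed; there is no consensus, mining or peer-to-peer layer, which is the part that makes a real chain decentralized.

```python
"""Minimal hash-chained ledger showing why blockchain tampering is detectable.

Added example, not from the original page. Data-structure layer only:
blocks linked by SHA-256 over their canonical contents.
"""
import copy
import hashlib
import json


def block_hash(block):
    """SHA-256 of the block's fields (excluding its own hash), in canonical JSON."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_block(index, prev_hash, transactions):
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = block_hash(block)
    return block


def build_chain(tx_batches):
    """Genesis block with an all-zero predecessor, then one block per batch."""
    chain = [make_block(0, "0" * 64, [])]
    for txs in tx_batches:
        chain.append(make_block(len(chain), chain[-1]["hash"], txs))
    return chain


def verify_chain(chain):
    """Return (ok, index_of_first_bad_block). Checks each block's own hash
    and that it points at the hash its predecessor actually has."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, i
    return True, None


# Constructed sample transactions.
SAMPLE_TXS = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def tamper_demo():
    """Show both failure modes: edited content, and edited content with a
    recomputed block hash (which just moves the break to the next block)."""
    chain = build_chain(SAMPLE_TXS)
    edited = copy.deepcopy(chain)
    edited[1]["transactions"][0]["amount"] = 500
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = block_hash(rehashed[1])
    return {"original": verify_chain(chain),
            "edited": verify_chain(edited),
            "rehashed": verify_chain(rehashed)}


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:9s} -> {result}")
```

Recomputing every later hash is cheap here, which is exactly why real chains add proof-of-work or another consensus rule and replicate the chain across many peers: an attacker then has to outpace the whole network, not just rewrite one file.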

How to Disable a Botnet?

- Botnets themselves are dubious sources of income for cybercriminals.
- Botnets are created by cybercriminals to harvest computing resources (bots).
- Control of botnets (through C2 servers) can then be sold or rented out to other cybercriminals.

What is Exploitation (Defense)?

- Breaking the cyberattack lifecycle at this phase of an attack begins with proactive and effective end-user security awareness training that focuses on topics such as malware prevention and email security.
- Other important security countermeasures include vulnerability and patch management; malware detection and prevention; threat intelligence (including known and unknown threats); blocking risky, unauthorized, or unneeded applications and services; managing file or directory permissions and root or administrator privileges; and logging and monitoring network activity.

What is Reconnaissance (Defense)?

- Breaking the cyberattack lifecycle at this phase of an attack begins with proactive and effective end-user security awareness training that focuses on topics such as social engineering techniques (for example, phishing, piggybacking, and shoulder surfing), social media (for example, safety and privacy issues), and organizational security policies (for example, password requirements, remote access, and physical security).
- Another important countermeasure is continuous monitoring and inspection of network traffic flows to detect and prevent unauthorized port and vulnerability scans, host sweeps, and other suspicious activity.
- Effective change and configuration management processes help to ensure that newly deployed applications and endpoints are properly configured (for example, disabling unneeded ports and services) and maintained.
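Detecting the port scans and host sweeps mentioned above comes down to counting distinct values per source inside a time window. The Python below is an added example (not from the original page): it parses a constructed firewall log, flags a source that hits many ports on one host (vertical scan) and a source that probes one port across many hosts (horizontal sweep), and leaves ordinary repeated HTTPS traffic alone. The log format, addresses and thresholds are constructed; adapt the regex to your firewall's syslog and tune the thresholds to your baseline.

```python
"""Detect port scans and host sweeps in firewall logs.

Added example (not from the original page). The log format, the addresses
and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$")

# Constructed sample log: one vertical port scan, one horizontal sweep,
# and some ordinary HTTPS traffic that must not be flagged.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d}Z src=203.0.113.5 dst=10.0.0.8 dport={20 + i} proto=tcp action=deny"
     for i in range(15)]
    + [f"2024-03-01T10:05:{i:02d}Z src=198.51.100.9 dst=10.0.0.{i + 1} dport=445 proto=tcp action=deny"
       for i in range(12)]
    + [f"2024-03-01T10:07:{i:02d}Z src=10.0.0.5 dst=10.0.0.8 dport=443 proto=tcp action=allow"
       for i in range(20)]
)


def parse(lines):
    """Turn raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def distinct_in_window(events, key_fn, value_fn, window, threshold):
    """For each key, the peak number of distinct values seen inside any
    sliding time window; only keys that reach `threshold` are returned."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[key_fn(e)].append((e["ts"], value_fn(e)))
    alerts = {}
    for key, items in by_key.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({v for _, v in items[start:end + 1]})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def detect_port_scans(events, window=timedelta(seconds=60), threshold=10):
    """Vertical scan: one source hitting many ports on one destination."""
    return distinct_in_window(events, lambda e: (e["src"], e["dst"]),
                              lambda e: e["dport"], window, threshold)


def detect_host_sweeps(events, window=timedelta(seconds=60), threshold=10):
    """Horizontal sweep: one source probing one port across many hosts."""
    return distinct_in_window(events, lambda e: (e["src"], e["dport"]),
                              lambda e: e["dst"], window, threshold)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("port scans :", detect_port_scans(ev))
    print("host sweeps:", detect_host_sweeps(ev))
```

Slow scans deliberately spread probes over hours to stay under a one-minute window, so keep a longer second window with a higher threshold, and remember that vulnerability scanners you run yourself will trip the same logic and need an allowlist.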

What is Weaponization (Defense)?

- Breaking the cyberattack lifecycle at this phase of an attack is challenging because weaponization typically occurs within the attacker's network.
- However, analysis of artifacts (both malware and weaponizer) can provide important threat intelligence to enable effective zero-day protection when delivery (the next step) is attempted.

How does the Prevention Architecture "Detect and Prevent New, Unknown Threats with Automation"

- Building security that detects threats and requires a manual response is too little, too late.
- Automated creation and delivery of near-real-time protections against new threats enables dynamic policy updates, which allow enterprises to scale defenses with technology, rather than people.

Tell me about BEC

- Business Email Compromise
- One of the most prevalent types of cyberattacks that organizations face today.
- The FBI Internet Crime Complaint Center (IC3) estimates that "in aggregate" BEC attacks cost organizations three times more than any other cybercrime, and BEC incidents represented nearly a third of the incidents investigated by the Palo Alto Networks Unit 42 Incident Response Team in 2021.
- According to the Verizon 2021 Data Breach Investigations Report (DBIR), BEC is the second most common form of social engineering today.
- Spam and phishing emails are the most common delivery methods for malware. The volume of spam email as a percentage of total global email traffic fluctuates widely from month to month, typically 45 to 75 percent. Although most end users today are readily able to identify spam emails and are savvier about not clicking links, opening attachments, or replying to spam emails, spam remains a popular and effective infection vector for the spread of malware. Phishing attacks, in contrast to spam, are becoming more sophisticated and difficult to identify.

Tell me about Cybercrime Vendors

- Capitalizing on the service model of cloud computing, many threat actors now rent or sell their malware and exploits, including business email compromise (BEC) and ransomware, as cybercrime-as-a-service (CCaaS) offerings on the dark web.
- Vendors profit from the purchase or rental of their services and potentially earn a commission from the attacks themselves.
- Additional services often include mix-and-match bundles, collection services, volume discounts, and 24-hour support.

Tell me about "Management Infrastructure" in Zero Trust

- Centralized management capabilities are crucial to enabling efficient administration and ongoing monitoring, particularly for implementations involving multiple distributed Zero Trust segmentation platforms.
- A data acquisition network also provides a convenient way to supplement the native monitoring and analysis capabilities for a Zero Trust segmentation platform.
- Session logs that have been forwarded to a data acquisition network can then be processed by out-of-band analysis tools and technologies intended, for example, to enhance network visibility, detect unknown threats, or support compliance reporting.

For Wireless Security, how do you "Limit Access Through Authentication"

- Complications with Wi-Fi and wireless network protection are defined by the devices themselves.
- Whenever possible, apply mobile device management to ensure devices are properly hardened and to limit the types of applications (particularly sharing and social networking services) that end users can install and use.

What is Web 2.0?

- Core business applications are now commonly installed alongside Web 2.0 apps on a variety of endpoints.
- Networks that were originally designed to share files and printers are now used to collect massive volumes of data, exchange real-time information, transact online business, and enable global collaboration.
- Many Web 2.0 apps are available as software-as-a-service (SaaS), web-based, or mobile apps that can be easily installed by end users or that can be run without installing any local programs or services on the endpoint.
- The use of Web 2.0 apps in the enterprise is sometimes referred to as Enterprise 2.0.
- Many organizations are recognizing significant benefits from the use of Enterprise 2.0 applications and technologies, including better collaboration, increased knowledge sharing, and reduced expenses.

What is Cortex Data Lake?

- Cortex Data Lake enables AI-based innovations for cybersecurity with the industry's only approach to normalizing an enterprise's data. It automatically collects, integrates, and normalizes data across an organization's security infrastructure.
- The cloud-based service is ready to scale from the start, eliminating the need for local compute or storage and providing assurance in the security and privacy of data.

What is Cortex XDR?

- Cortex XDR breaks the silos of traditional detection and response by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.
- Taking advantage of machine learning and AI models across all data sources, it identifies unknown and highly evasive threats from managed and unmanaged devices.

Tell me about how we can Secure the Enterprise with Cortex

- Cortex is designed to simplify security operations and considerably improve outcomes. Cortex is enabled by the Cortex Data Lake, where customers can securely and privately store and analyze large amounts of data that is normalized for advanced AI and machine learning to find threats and orchestrate responses quickly.
  1. Cortex XDR
  2. Cortex XSOAR
  3. Cortex Data Lake
  4. AutoFocus

What is Advanced Introduction to Ransomware?

- Cryptographic ransomware is the most common and successful type of ransomware, but it is not the only one.
- It's important to remember that ransomware is not a single family of malware but is a criminal business model in which malware is used to hold something of value for ransom.
- While holding something of value for ransom is not a new concept, ransomware has become a multibillion-dollar criminal business targeting both individuals and corporations.
- Due to its low barriers to entry and effectiveness in generating revenue, it has quickly displaced other cybercrime business models and become the largest threat facing organizations today.
- It is also important to note that although threat actors generally do decrypt your data after the ransom is paid (the ransomware business model depends on a reasonable expectation that paying a ransom will restore access to your data), there are no guarantees that this will be the case.
- Additionally, many threat actors are now exfiltrating a copy of their victims' data, particularly PII and credit card numbers, before encrypting it, then selling the data on the dark web after the ransom is paid.

Tell me about Cybercriminals

- Cybercriminals are the most common attacker profile.
- The dramatic increase in the number of ransomware attacks over the last five years generally is attributed to cybercriminal groups, which are also invested in other crime-for-profit activities.
- They are also known for the proliferation of bots and botnet attacks, where endpoints are infected and then organized collectively by a command-and-control, or C&C, attack server.

What is Data Center? in the context of Perimeter-Based Security Model

- Data centers today are remotely accessed by millions of remote endpoint devices from anywhere and at any time.
- Unlike the remote job entry (RJE) terminals of the mainframe era, modern endpoints (including mobile devices) are far more powerful than many of the early mainframe computers and are themselves targets.

Tell me about Disabling Internet Access - when disabling a bot

- Disabling internet access is a highly recommended first action, along with aggressively monitoring local network activity to identify the infected devices.
- The first response to discovery of infected devices is to remove them from the network, thus severing any connections to a C2 server and keeping the infection from spreading.

Tell me about Remove Infected Devices and Botnet Software - when disabling a bot

- Effective deterrence of a botnet infection may be an ongoing process.
- Devices may return to a dormant state and appear to be clean of infection for prolonged periods of time, only to one day be "awakened" by a signal from a C2 service.

What is Emotet?

- Emotet is a Trojan, first identified in 2014, that has long been used in spam botnets and ransomware attacks.
- Recently, it was discovered that a new Emotet variant is using a Wi-Fi spreader module to scan Wi-Fi networks looking for vulnerable devices to infect. The Wi-Fi spreader module scans nearby Wi-Fi networks from an infected device and then attempts to connect to vulnerable Wi-Fi networks via a brute-force attack. After successfully connecting to a Wi-Fi network, Emotet then scans for non-hidden shares and attempts another brute-force attack to guess usernames and passwords on other devices connected to the network. It then installs its malware payload and establishes C2 communications on newly infected devices.

Core Zero Trust Principles - "Ensure Resource Access"

- Ensure that all resources are accessed securely, regardless of location.
- This principle suggests the need for multiple trust boundaries and increased use of secure access for communication to or from resources, even when sessions are confined to the "internal" network.
- It also means ensuring that the only devices allowed access to the network have the correct status and settings, have an approved VPN client and proper passcodes, and are not running malware.

How are Exploits Executed?

- Exploits can be embedded in seemingly innocuous data files (such as Microsoft Word documents, PDF files, and webpages), or they can target vulnerable network services. Exploits are particularly dangerous because they are often packaged in legitimate files that do not trigger anti-malware (or antivirus) software and are therefore not easily detected.
- How exploits are executed:
  1) Creation
  2) Action
  3) Techniques
  4) Heap Spray

What is Pre-ATT&CK?

- Focuses on "pre-exploit" adversarial behavior. Pre-ATT&CK was retired as a separate matrix in 2020, and its content (the Reconnaissance and Resource Development tactics) is now included as part of the ATT&CK for Enterprise matrix.
- Techniques represent "how" an adversary achieves a tactical goal by performing an action.
- For example, an adversary may dump credentials to achieve credential access. The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective.
- Those objectives are categorized as tactics in the ATT&CK Matrix.
- The Enterprise ATT&CK matrix is a superset of the Windows, macOS, and Linux matrices.
- MITRE regularly updates the techniques discovered in the wild by both cybersecurity researchers and hackers alike. As of 2022, there are 218 techniques defined in the Enterprise model.

Attacker's five steps

- For a ransomware attack to be successful, attackers must execute the following five steps. If the attacker fails in any of these steps, the scheme will be unsuccessful. Although the concept of ransomware has existed for decades, the technology and techniques, such as reliable encrypting and decrypting, required to complete all five of these steps on a wide scale were not available until just a few years ago.
  a) Step 1: Compromise and Control a System or Device
  b) Step 2: Prevent Access to the System
  c) Step 3: Notify Victim
  d) Step 4: Accept Ransom Payment
  e) Step 5: Return Full Access

Trust Zones:

- Forrester Research refers to a trust zone as a micro core and perimeter (MCAP).
- A trust zone is a distinct pocket of infrastructure where the member resources not only operate at the same trust level but also share similar functionality.
- Functionality such as protocols and types of transactions must be shared in order to minimize the number of allowed pathways into and out of a given zone and, in turn, to minimize the potential for malicious insiders and other types of threats to gain unauthorized access to sensitive resources.
- Remember, too, that a trust zone is not intended to be a "pocket of trust" where systems (and therefore threats) within the zone can communicate freely and directly with each other. For a full Zero Trust implementation, the network would be configured to ensure that all communications traffic, including traffic between devices in the same zone, is intermediated by the corresponding Zero Trust Segmentation Platform.

What are Flexibility and Ability?

- Given their flexibility and ability to evade defenses, botnets present a significant threat to organizations.
- The ultimate impact of a botnet is largely left up to the attacker, from sending spam one day to stealing credit card data the next.
- Because many cyberattacks go undetected for months or even years, botnets can cause a great deal of damage.

Tell me about State-Affiliated Groups

- High-profile attacks against infrastructure, governments, voting systems, or major corporations are often linked to state-affiliated groups.
- These nation-state-sponsored attackers have political motivations.
- They are often organized to influence or disrupt the confidence of a social, political, or economic market.

Tell me about Zero Trust Implementation

- Implementation of a Zero Trust network security model doesn't require a major overhaul of an organization's network and security infrastructure.
- A Zero Trust design architecture can be implemented with only incremental modifications to the existing network, and implementation can be completely transparent to users. Advantages of such a flexible, non-disruptive deployment approach include minimizing the potential impact on operations and being able to spread the required investment and work effort over time.

What is SolarWinds?

- In December 2020, the cybersecurity firm FireEye and the U.S. Treasury Department both reported attacks involving malware in a software update to their SolarWinds Orion Network Management System, perpetrated by the APT29 (Cozy Bear/Russian SVR) threat group.
- This attack is one of the most damaging supply chain attacks in history, potentially impacting more than 300,000 SolarWinds customers, including the U.S. federal government and 425 of the Fortune 500 companies. SolarWinds itself estimated that fewer than 18,000 customers actually installed the trojanized Orion build, and the attackers chose a far smaller subset of those for hands-on follow-up activity.

What is Government of Ukraine?

- In January 2022, several Ukrainian government websites, including the ministry of foreign affairs and the education ministry, were hacked by suspected Russian attackers.
- Threatening messages were left on the websites during a period of heightened tensions between the governments of Ukraine and Russia.

What is JBS S.A?

- In May 2021, Brazil-based JBS S.A., the largest producer of beef, chicken, and pork worldwide, was hit by a ransomware attack attributed to the REvil threat actor group.
- Although the company paid the $11 million ransom, its U.S. and Australia beef processing operations were shut down for a week.

What is the Colonial Pipeline?

- In May 2021, the Colonial Pipeline Company, which operates one of the largest fuel pipelines in the U.S., was hit by the DarkSide threat actor group with a Ransomware-as-a-Service (RaaS) attack.
- Although the company acted quickly to shut down its network systems and paid the $4.4 million ransom, operations were not fully restored for six days, which caused major fuel shortages and other supply chain issues along the U.S. eastern seaboard.
- Additionally, the personal information, including the health insurance information, social security numbers, driver's licenses, and military identification numbers, of nearly 6,000 individuals was compromised.

What are instances of bots and botnets?

- In a botnet, advanced malware works together toward a common objective, with each bot growing the power and destructiveness of the overall botnet.
- The botnet can evolve to pursue new goals or adapt as different security countermeasures are deployed.
- Communication between the individual bots and the larger botnet through C2 servers provides resiliency in the botnet.

Tell me about "Single Component" in Zero Trust

- In practice, the Zero Trust segmentation platform is not a single component in a single physical location.
- Because of performance, scalability, and physical limitations, an effective implementation is more likely to entail multiple instances distributed throughout an organization's network.
- The solution also is called a "platform" to reflect that it is made up of multiple distinct (and potentially distributed) security technologies that operate as part of a holistic threat protection framework to reduce the attack surface and correlate information about discovered threats.

What is Reconnaissance (attack)?

- Like common criminals, attackers meticulously plan their cyberattacks.
- They research, identify, and select targets, often extracting public information from targeted employees' social media profiles or from corporate websites, which can be useful for social engineering and phishing schemes.
- Attackers will also use various tools to scan for network vulnerabilities, services, and applications that they can exploit, such as network analyzers, network vulnerability scanners, password crackers, port scanners, web application vulnerability scanners, and Wi-Fi vulnerability scanners.

Tell me about the MITRE Started ATT&CK Against Enterprise Networks

- MITRE started ATT&CK in 2013 to document the tactics, techniques and procedures (TTPs) that advanced persistent threats (APTs) use against enterprise networks.
- It was created out of a need to describe adversary TTPs that would be used by a MITRE research project called FMX.
- The objective of FMX was to investigate how endpoint telemetry data and analytics could help improve post-intrusion detection of attackers operating within enterprise networks.
- The ATT&CK framework was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.

What is Malware?

- Malware (short for "malicious software") is a file or code that typically takes control of, collects information from, or damages an infected endpoint.
- Malware is an inclusive term for all types of malicious software.
- Malware usually has one or more of the following objectives: to provide remote control for an attacker to use an infected machine, to send spam from the infected machine to unsuspecting targets, to investigate the infected user's local network, and to steal sensitive data.

What are File Sync and Sharing Services?

- Manage, distribute, and provide access to online content, such as documents, images, music, software, and video.
- Examples: Apple iCloud, Box, Dropbox, Google Drive, Microsoft OneDrive, Spotify, YouTube

Tell me about Application Classification

-Many applications are designed to circumvent traditional port-based firewalls, so that they can be easily installed and accessed on any device, anywhere and anytime.

What is Change and Complexity?

- Many laws and regulations are obsolete or ambiguous and are not uniformly supported by international communities. Laws are constantly changing.
- Some regulations may also be inconsistent with other applicable laws and regulations, thus requiring legal interpretation to determine relevance, intent, or precedence.
- As a result, businesses and organizations in every industry struggle to achieve and maintain data compliance.

Tell me about Public and Private Cloud Environments

-Many organizations have been forced into significant compromises regarding their public and private cloud environments. -Organizations often trade function, visibility, and security for simplicity, efficiency, and agility. -When network security controls make a cloud-hosted application less available or responsive, those controls are typically "streamlined" out of the cloud design. -Cloud security trade-offs often include: 1. Simplicity vs. function 2. Efficiency vs. visibility 3. Agility vs. security

Tell me about Mobile Device & Customer Apps

-Mobile devices themselves have significant vulnerabilities. -Mobile device management is difficult to maintain when end users use "bring-your-own-device" features. For many users, patching and securing their mobile devices is an afterthought, and they often consider convenience and performance before security. End users often install apps that bring significant risk to both the device and the network, and they often disable security features that impact device performance.

What is the Cyberattack Lifecycle?

-Modern cyberattack strategy has evolved from a direct attack against a high-value server or asset ("shock and awe") to a patient, multistep process that blends exploits, malware, stealth, and evasion in a coordinated network attack ("low and slow"). -The cyberattack lifecycle illustrates the sequence of events that an attacker goes through to infiltrate a network and exfiltrate (or steal) valuable data. Blocking just one step breaks the chain and can effectively defend an organization's network and data against an attack.

What is Advanced or Modern Malware?

-Modern malware is stealthy and evasive. It plays a central role in a coordinated attack against a target. -Advanced or modern malware leverages networks to gain power and resilience. Modern malware can be updated—just like any other software application—so that an attacker can change course and dig deeper into the network or make changes and enact countermeasures. -This is a fundamental shift compared to earlier types of malware, which were generally independent agents that simply infected and replicated themselves.

What is an Act on Objective (Defense)

-Monitoring and awareness are the primary defense actions performed at this phase. One objective attackers pursue once inside is to pivot from the initial victim's network to attack a different victim, which makes the initial victim an unwitting accomplice. The 2018 Verizon Data Breach Investigations Report (DBIR) describes this as a "secondary motive" breach, in which web applications are compromised to aid and abet the attack of another victim. For example, an attacker may compromise a company's extranet to breach a business partner who is the primary target. -According to the DBIR, in 2014 there were 23,244 incidents in which web applications were compromised with a secondary motive.

What are Malicious Outsiders?

-Most common source of breaches (malicious outsiders) for networks is also a critical concern for SaaS security -SaaS application becomes a new threat vector and distribution point for malware used by external adversaries -Some malware will even target the SaaS applications themselves, ex: changing their shares to "public" so that the data can be retrieved by anyone

Tell me about Compliance Challenges

-Most companies and industries face constant data regulatory and compliance challenges. Compliance and security are not the same thing. A. Change and Complicity B. Compliance and Security

Tell me about Attacker Profiles

-News outlets are usually quick to showcase high-profile attacks, but the sources of these attacks are not always easy to identify. Each of the different attacker types or profiles generally has a specific motivation for the attacks they generate. -Here are some traditional attacker profile types. Because these different attacker profiles have different motivations, information security professionals must design cybersecurity defenses that can identify the different attacker motivations and apply appropriate deterrents.

Tell me about "Establish Zero Trust Zones"

-Next, security teams can progressively establish trust zones and boundaries for other segments of the computing environment based on their relative degree of risk. -Examples of where secure trust zones can be established include IT management systems and networks, where a successful breach could lead to compromise of the entire network; partner resources and connections (business to business, or B2B); high-profile, customer-facing resources and connections (business to consumer, or B2C); branch offices in risky countries or regions, followed by all other branch offices; guest access networks (both wireless and wired); and campus networks.

What is PAN-OS?

-PAN‑OS® software runs Palo Alto Networks® next-generation firewalls. -PAN-OS natively uses key technologies (App‑ID, Content‑ID, Device-ID, and User‑ID) to provide complete visibility and control of applications in use across all users, devices, and locations all the time. -Inline ML and application and threat signatures automatically reprogram the firewall with the latest intelligence so allowed traffic is free of known and unknown threats.

Tell me about the Prevention First Architecture at PAN

-Palo Alto Networks is helping to address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, Palo Alto Networks is at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. -The Palo Alto Networks portfolio of security technologies and solutions addresses three essential areas of cybersecurity strategy: 1) Secure the Enterprise with Strata 2) Secure the Cloud with Prisma 3) Secure the Future with Cortex

What is the Perimeter-Based Security Model?

-Perimeter-based network security models date back to the early mainframe era (circa late 1950s), when large mainframe computers were located in physically secure "machine rooms." -These rooms could be accessed by a limited number of remote job entry (RJE) terminals directly connected to the mainframe in physically secure areas.

Tell me about how we can Secure the Enterprise with Strata

-Prevent attacks with the industry-leading network security suite, which enables organizations to embrace network transformation while consistently securing users, applications, and data, no matter where they reside. 1. PAN-OS 2. Panorama 3. Cloud-Based Subscriptions Services

What is Prisma Access?

-Prisma Access is a Secure Access Service Edge (SASE) platform that helps organizations deliver consistent security to their remote networks and mobile users. -It's a generational step forward in cloud security, using a cloud-delivered architecture to connect all users to all applications. - All of an organization's users, whether at headquarters, in branch offices, or on the road, connect to Prisma Access to safely use cloud and data center applications, as well as the internet. Prisma Access consistently inspects all traffic across all ports and provides bidirectional software-defined wide-area networking (SD-WAN) to enable branch-to-branch and branch-to-headquarters traffic.

What is Prisma Cloud?

-Prisma Cloud is the industry's most comprehensive threat protection, governance, and compliance offering. -It dynamically discovers cloud resources and sensitive data across AWS, GCP, and Azure to detect risky configurations and identify network threats, suspicious user behavior, malware, data leakage, and host vulnerabilities. -It eliminates blind spots across cloud environments and provides continuous protection with a combination of rule-based security policies and class-leading machine learning

What is Prisma SaaS?

-Prisma SaaS functions as a multimode cloud access security broker (CASB), offering inline and API-based protection working together to minimize the range of cloud risks that can lead to breaches. -With a fully cloud-delivered approach to CASB, organizations can secure their SaaS applications through the use of inline protections to safeguard inline traffic with deep application visibility, segmentation, secure access, and threat prevention, as well as API-based protections to connect directly to SaaS applications for data classification, data loss prevention, and threat detection

What is Ransomware?

-Ransomware is malware that locks a computer or device (locker ransomware) or encrypts data (crypto ransomware) on an infected endpoint with an encryption key that only the attacker knows, thereby making the data unusable until the victim pays a ransom (usually in cryptocurrency such as Bitcoin). -Reveton and LockeR are two examples of locker ransomware, while Locky, TeslaCrypt/EccKrypt, Cryptolocker, and Cryptowall are examples of crypto ransomware

Tell me about Script Kiddies

-Script kiddie is the name associated with novice attackers who use publicly available attack tools without fully realizing the implications of their actions. -You may be surprised to see script kiddies listed here, yet many global incidents were initiated by script kiddies who acted alone and without specific intent.

Tell me about Patching Vulnerabilities?

-Software vendors develop security patches as quickly as possible after a vulnerability is discovered in their software, but each step adds delay: 1. Discovery: An attacker may learn of a vulnerability and begin exploiting it before the software vendor is aware of it or has had an opportunity to develop a patch. An exploit used during this window, while no patch exists, is known as a zero-day exploit (or zero-day threat). 2. Development of Patch: It may be months or years before a vulnerability is announced publicly, and the vendor then needs time to develop, test, and release a patch. 3. Test and Deploy Patch: After a security patch becomes available, organizations inevitably need time to properly test and deploy it on all affected systems. Throughout this entire period, a system running the vulnerable software is at risk of being exploited by an attacker.

Core Zero Trust Principles

-Security profiles are defined based on an initial security audit performed according to Zero Trust inspection policies. -Discovery is performed to determine which privileges are essential for a device or user to perform a specific function. 1. Ensure Resource Access 2. Enforce Access Control 3. Inspect and Log All Traffic

What is Ghost (Or Stale) Share?

-Share remains active for an employee or vendor that is no longer working with the company or should no longer have access. -Without visibility and control of the shares, tracking and fixing of shares to ensure that they are still valid is very difficult.

What is SaaS?

-Software as a Service -Data is located everywhere in today's enterprise networks, including in many locations that are not under the organization's control. -New data security challenges emerge for organizations that permit SaaS use in their networks. -With SaaS applications, data is often stored where the application resides - in the cloud. -Thus, the data is no longer under the organization's control, and visibility is often lost. SaaS vendors do their best to protect the data in their applications, but it is ultimately not their responsibility. -Just as in any other part of the network, the IT team is responsible for protecting and controlling the data, regardless of its location.

Different types of BEC

-Spam: spreading unsolicited content to target endpoints, typically by email -Spim: spreading unsolicited content via instant messaging -Vishing (voice phishing): performing a phishing attack over the telephone, via voicemail or robocalling

Tell me about the different types of TTPs and what a TTP is

-Tactics, Techniques, and Procedures (TTPs) describe how an adversary operates: tactics are the goals of a step in an attack, techniques are the methods used to achieve those goals, and procedures are the specific ways a particular group carries out a technique. -Techniques that applications (and attackers) use to evade traditional port-based controls include: 1. Port Hopping (ports change during a session) 2. Using Non-Standard Ports (running a service on a port associated with a different protocol) 3. Tunneling (carrying one protocol inside another, such as through HTTP) 4. Hiding Within SSL Encryption (so that port-based devices cannot see the application)
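The first three evasion techniques above share one defensive answer: identify the application from what the traffic contains, not from the port it uses. The following is an added example (not code from the original page or from Palo Alto Networks) that does this for a few easily recognised protocols and flags content/port mismatches, HTTP CONNECT tunnels, and port hopping. The expected-port table and the sample flows are constructed for the example; a real App-ID engine uses far richer decoders.

```python
"""Added example (not from the original page): classify an application from the
first bytes of its TCP payload instead of trusting the destination port, and
flag the evasion techniques named above: non-standard ports, port hopping and
HTTP CONNECT tunneling. The expected-port table and the sample flows are
constructed for the example."""
from collections import defaultdict

# Assumption: the organization only expects these applications on these ports.
EXPECTED_APP = {22: "ssh", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def identify_app(payload: bytes) -> str:
    """Content-based identification of the application in a payload."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # A TLS record starts with content type 0x16 (handshake) and major version 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def analyze_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes).

    Returns a list of human-readable findings."""
    findings = []
    ports_by_pair = defaultdict(set)
    for src, dst, port, payload in flows:
        app = identify_app(payload)
        ports_by_pair[(src, dst)].add(port)
        expected = EXPECTED_APP.get(port)
        if expected is not None and app not in (expected, "unknown"):
            # e.g. SSH hidden on 443 to slip past a port-based rule
            findings.append(f"{src}->{dst}:{port} carries {app}, expected {expected}")
        elif expected is None and app != "unknown":
            findings.append(f"{src}->{dst}:{port} carries {app} on a non-standard port")
        if app == "http" and payload.startswith(b"CONNECT "):
            # HTTP CONNECT asks a proxy to tunnel arbitrary TCP to the named target.
            target = payload.split()[1].decode(errors="replace")
            findings.append(f"{src}->{dst}:{port} HTTP CONNECT tunnel to {target}")
    # Port hopping: one client/server pair spreading a session over many ports.
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= 3:
            findings.append(f"{src}->{dst} used {len(ports)} distinct ports (possible port hopping)")
    return findings


# Constructed sample flows (RFC 5737 documentation addresses).
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 443, TLS_HELLO),                           # normal HTTPS
    ("10.0.0.5", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_9.3\r\n"),          # SSH hidden on 443
    ("10.0.0.7", "203.0.113.20", 8081, b"GET / HTTP/1.1\r\nHost: x\r\n"),  # HTTP, non-standard port
    ("10.0.0.7", "203.0.113.20", 3128, b"CONNECT tunnel.example:22 HTTP/1.1\r\n"),  # tunnel
    ("10.0.0.9", "203.0.113.30", 5000, TLS_HELLO),                         # same pair, three ports
    ("10.0.0.9", "203.0.113.30", 5001, TLS_HELLO),
    ("10.0.0.9", "203.0.113.30", 5002, TLS_HELLO),
]

if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding)
```

The fourth technique, hiding within SSL, is deliberately not "solved" here: the detector can only tell that TLS is present on an unexpected port. Seeing the application inside the tunnel requires decryption at the inspection point, which is the reason next-generation firewalls offer SSL decryption.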

Tell me about how we can Secure the Enterprise with Prisma

-The Prisma suite secures public cloud environments, SaaS applications, internet access, mobile users, and remote locations through a cloud-delivered architecture. - It is a comprehensive suite of security services to effectively predict, prevent, detect, and automatically respond to security and compliance risks without creating friction for users, developers, and security and network administrators. -Core components of Prisma. 1. Prisma Cloud 2. Prisma Access 3. Prisma SaaS

What is WEP?

-Wired Equivalent Privacy (WEP), the original 802.11 encryption standard, is no longer secure enough for Wi-Fi networks: its RC4 encryption with a 24-bit initialization vector leaks enough keystream that the key can be recovered from captured traffic in minutes. WPA2 and the emerging WPA3 standards provide strong encryption and manage secure authentication via the 802.1X standard. -As mobile device processors have advanced to handle 64-bit computing, AES, a scalable symmetric encryption algorithm, solves the problems of managing secure, encrypted content on mobile devices.

What is WPA2?

-WPA2, the Wi-Fi Alliance certification of IEEE 802.11i, replaced WEP's RC4 cipher with AES in CCMP mode and manages secure authentication via the 802.1X standard (WPA2-Enterprise) or a pre-shared key (WPA2-Personal); the emerging WPA3 standard builds on it. The WEP encryption standard is no longer secure enough for Wi-Fi networks. -As mobile device processors have advanced to handle 64-bit computing, AES, a scalable symmetric encryption algorithm, solves the problems of managing secure, encrypted content on mobile devices.

What is Wi-Fi Protected Access?

-The Wi-Fi Alliance published Wi-Fi Protected Access (WPA) as an interim standard in 2003, quickly followed by WPA2 in 2004. WPA and WPA2 contain improvements to protect against the inherent flaws in Wired Equivalent Privacy (WEP), including changes to the encryption: WPA replaced WEP's static RC4 keys with per-packet keys (TKIP), and WPA2 moved to AES (CCMP).

Tell me about the Zero Trust Architecture?

-The Zero Trust model identifies a protect surface made up of the network's most critical and valuable data, assets, applications, and services (DAAS). -Protect surfaces are unique to each organization. -Because the protect surface contains only what's most critical to an organization's operations, the protect surface is orders of magnitude smaller than the attack surface-and always knowable. -1. Identify the Traffic -2. Zero Trust Segmentation Platform

Tell me about the Zero Trust Security Model

-The Zero Trust security model addresses some of the limitations of perimeter-based network security strategies by removing the assumption of trust from the equation. -With a Zero Trust model, essential security capabilities are deployed in a way that provides policy enforcement and protection for all users, devices, applications, and data resources, as well as the communications traffic between them, regardless of location.

How it works for Zero Trust to "Zero Trust Segmentation Platform"

-The Zero Trust segmentation platform (also called a network segmentation gateway by Forrester Research) is the component used to define internal trust boundaries. That is, the platform provides the majority of the security functionality needed to deliver on the Zero Trust operational objectives. -Abilities of the segmentation platform: a) Secure: Enables secure network access b) Control: Granularly controls traffic flow to and from resources c) Monitor: Continuously monitors allowed sessions for threat activity

Tell me about the Challenges to Disabling a Botnet

-The key to "taking down" or "decapitating" a botnet is to separate the bots (infected endpoints) from their brains (C2 servers). -If the bots cannot get to their servers, they cannot get new instructions, upload stolen data, or do anything that makes botnets so unique and dangerous. -Although this approach may seem straightforward, disabling a botnet presents many challenges. Challenges that may occur while disabling a botnet: 1. Resources 2. Servers 3. Redundancy 4. Quick Recovery 5. DDoS Attacks

What are Malicious Insiders?

-The least common but real SaaS application risk is the internal user who maliciously shares data for theft or revenge purposes -Ex. An Employee who is leaving the company might set a folder's share permissions to "public" or share it with an external email address to later steal the data from a remote location

Tell me about Monitor Local Network Activity - when disabling a bot

-The next response is to ensure that current patches and updates are applied. -If infected endpoints are still persistently attempting to connect to a C2 service or an attack target, then the endpoints should be imaged and cleansed.

What is Processing Power? in the context of Perimeter-Based Security Model

-The primary value of the mainframe computer was its processing power. -The relatively limited data that was produced was typically stored on near-line media, such as tape. -Today, data is the target. -Data is stored online in data centers and in the cloud, and it is a high-value target for any attacker.

Tell me about Prevention Architecture

-The product portfolio's prevention architecture allows organizations to reduce threat exposure by first enabling applications for all users or devices in any location and then preventing threats within application flows, tying application use to user identities across physical, cloud-based, and software-as-a-service (SaaS) environments. -1. Provide Full Visibility -2. Reduce the Attack Surface -3. Prevent All Known Threats, Fast -4. Detect and Prevent New, Unknown Threats with Automation

What are the different Wi-Fi Attacks?

-There are different types of Wi-Fi attacks that hackers use to eavesdrop on wireless network connections to obtain credentials and spread malware. 1. Doppelganger: Doppelganger is an insider attack that targets WPA3-Personal protected Wi-Fi networks. The attacker spoofs the source MAC address of a device that is already connected to the Wi-Fi network and attempts to associate with the same wireless access point using that address. 2. Cookie Guzzler: Muted Peer and Hasty Peer are variants of the cookie guzzler attack, which exploit the Anti-Clogging Mechanism (ACM) of the Simultaneous Authentication of Equals (SAE) key exchange in WPA3-Personal.

What is MSSP & MSSPs

-There is a global shortage of cybersecurity professionals, so many organizations partner with third-party security services organizations for managed security services. -These managed security service providers (MSSPs) typically operate a fully staffed 24/7 security operations center (SOC) and offer a variety of services, such as log collection and aggregation in a security information and event management (SIEM) platform, event detection and alerting, vulnerability scanning and patch management, threat intelligence, and incident response and forensic investigation.

How to protect networks and cloud environments?

-To effectively protect their networks and cloud environments, enterprise security teams must manage the risks associated with a relatively limited, known set of core applications, as well as the risks associated with an ever-increasing number of known and unknown cloud-based applications. -The cloud-based application consumption model has revolutionized the way organizations do business, and applications such as Microsoft Office 365 and Salesforce are being consumed and updated entirely in the cloud.

Tell me about the how the Perimeter-based Security Model Relies on Physical Security?

-Today's data centers are the modern equivalent of machine rooms, but perimeter-based physical security is no longer sufficient. 1. Mainframe Computers 2. Processing Power 3. Data Center

Tell me more about the Zero Trust Conceptual Architecture..please.. i beg of you

-Traditional security models identify areas where breaches and exploits may occur, the attack surface, and you attempt to secure the entire surface. Unfortunately, it is often difficult to identify the entire attack surface. Unauthorized applications, devices, and misconfigured infrastructure can expand that attack surface without your knowledge. -With the protect surface identified, you can identify how traffic moves across the organization in relation to the protect surface. Understanding who the users are, which applications they are using, and how they are connecting is the only way to determine and enforce policy that ensures secure access to your data. With an understanding of the interdependencies between the DAAS, infrastructure, services, and users, you should put controls in place as close to the protect surface as possible, creating a micro-perimeter around it. This micro-perimeter moves with the protect surface, wherever it goes. -In the Zero Trust model, only known and permitted traffic is granted access to the protect surface. A segmentation gateway, typically a next-generation firewall, controls this access. The segmentation gateway provides visibility into the traffic and users attempting to access the protect surface, enforces access control, and provides additional layers of inspection. Zero Trust policies provide granular control of the protect surface, making sure that users have access to the data and applications they need to perform their tasks but nothing more. This is known as least privilege access.

Tell me about Vulnerabilities and Exploits

-Vulnerabilities and exploits can be leveraged to force software to act in ways it's not intended to, such as gleaning information about the current security defenses in place.

What is Timeline of Eliminating a Vulnerability?

-Vulnerabilities can be exploited from the time software is deployed until it is patched. -Information about the timeline to eliminate a vulnerability: 1. Software Deployed 2. Vulnerability Discovered 3. Exploits Begin 4. Public Announcement of Vulnerability 5. Patch Released 6. Patch Deployed 7. Protected by Vendor Patch

What is Accidental Data Exposure?

-Well-intentioned end users are often untrained and unaware of the risks their actions pose in SaaS environments -Because SaaS applications are designed to facilitate easy sharing, it's understandable that data often becomes unintentionally exposed. -Accidental data exposure by end users is surprisingly common and includes accidental share, promiscuous share, and ghost share.

What is Accidental Share?

-When a share meant for a particular person is sent by accident to the wrong person or group. -Accidental shares are common when a name autofills or is mistyped, which may cause an old email address, the wrong name or group, or even an external user to have access to the share.

How to Apply Wireless Security?

-Wi-Fi and wireless connected devices present additional challenges that might not be considered with wired networks. -A. Limit Access through Authentication -B. Secure Content Via Encryption -C. Participate in Known or Constrained Networks

Tell me about "Define Zero Trust Zones"

-With a detailed understanding of the network traffic flows in the environment, the next step is to define trust zones and incrementally establish trust boundaries based on relative risk or sensitivity of the data involved. -Security teams should deploy devices in appropriate locations to establish internal trust boundaries for defined trust zones. Then, they should configure enforcement and inspection policies to effectively put each trust boundary "online."

Tell me about the Conceptual Architecture for the components Zero Trust

-With the protect surface identified, security teams can identify how traffic moves across the organization in relation to the protect surface. -Understanding who the users are, which applications they are using, and how they are connecting is the only way to determine and enforce policy that ensures secure access to data. -Main components of a Zero Trust conceptual architecture: 1. Fundamental Assertions 2. Single Component 3. Management Infrastructure

WFH/WFA

-Work from Home/ Work from Anywhere -In the wake of the global pandemic, many organizations have implemented remote working models that include WFH and WFA. -Benefits= increased operational efficiencies, higher employee productivity and morale, greater access to a diverse talent pool

How does Zero Trust enable "Compartmentalize"?

-Zero Trust models establish trust boundaries that effectively compartmentalize the various segments of the internal computing environment. -The general idea is to move security functionality closer to the pockets of resources that require protection. -In this way, security can always be enforced regardless of the point of origin of associated communications traffic.

Tell me about "Implement at Major Access Point"

-Zero Trust principles and concepts must be implemented at major access points to the internet. -Security teams will have to replace or augment legacy network security devices with a Zero Trust segmentation platform at this deployment stage to gain the capabilities and benefits of a Zero Trust security model.

Tell me about modern business conditions and computing environments that perimeter-based strategies fail to address.

1. "Internal" and "External" Distinction 2. Wireless Technologies 3. Insiders 4. Cyberthreats 5. Stolen Credentials 6. Internal Networks

Tell me about the three iterations of MITRE ATT&CK

1. ATT&CK for Enterprise 2. ATT&CK for Mobile 3. Pre-ATT&CK

Tell me about the shortcomings and inabilities of perimeter-centric approaches

1. Application Control 2. Encrypted Traffic 3. Identity Users 4. Protect Against Attacks 5. Net Result

How to implement Zero Trust?

1. Configure Listen-Only Mode 2. Define Zero Trust Zones 3. Establish Zero Trust Zones 4. Implement at Major Access Points

Tell me about the Profile Type of Each Attacker

1. Cybercriminals 2. State-affiliated Groups 3. Hacktivists 4. Cyberterrorists 5. Script Kiddies 6. Cybercrime Vendors

How to disable a botnet?

1. Disabling Internet Access 2. Monitor Local Network Activity 3. Remove Infected Devices and Botnet Software 4. Install Current Patches

Web 2.0 apps and services (many of which are also SaaS apps):

1. File Sync and Sharing Services 2. Instant Messaging (IM) 3. Microblogging 4. Office Productivity Suites 5. Remote Access Software 6. Remote Team Meeting Software 7. Social Curation 8. Social Networks 9. Web-Based Email 10. Wikis

To implement a Zero Trust least privilege access model in the network, the firewall must:

1. Have Visibility of and Control Over the Applications and their Functionality in the Traffic 2. Be able to Allow Specific Applications and Block Everything Else 3. Dynamically Define Access to Sensitive Applications and Data Based on a User's Group Membership 4. Dynamically Define Access from Devices or Device Groups to Sensitive Applications and Data and From Users and User Groups to Specific Devices 5. Be able to Validate a User's Identity Through Authentication 6. Dynamically Define the Resources that are Associated with the Sensitive Data or Application 7. Control Data by File Type and Content 8. Zero Trust Segmentation Platform 9. Trust Zones
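The segmentation gateway described in the Zero Trust conceptual architecture above, and requirements 2 through 5 in this list, come down to one decision per session: is this user, on this device, running this (content-identified) application, explicitly permitted to reach this protect surface? The following is an added example (not code from the original page or from any vendor) of that evaluator, with a default deny and a log entry for every decision. The users, groups, device groups, zones and rules are constructed for the example.

```python
"""Added example (not from the original page): a minimal Zero Trust policy
evaluator for a segmentation gateway. A request is matched on user group,
device group, content-identified application and protect-surface zone; only
explicit matches are allowed, everything else is denied, and every decision is
logged. Users, groups, zones and rules are constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # directory group membership (User-ID style lookup)
    device_group: str        # e.g. "managed-laptop", "byod-phone", "iot-camera"
    app: str                 # application identified from content, not from port
    zone: str                # protect-surface zone the traffic is destined for
    authenticated: bool      # identity validated (e.g. MFA completed) for this session


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    device_groups: frozenset
    apps: frozenset
    zones: frozenset

    def matches(self, req: Request) -> bool:
        return (bool(req.groups & self.groups)
                and req.device_group in self.device_groups
                and req.app in self.apps
                and req.zone in self.zones)


@dataclass
class SegmentationGateway:
    rules: list
    log: list = field(default_factory=list)   # "inspect and log all traffic"

    def evaluate(self, req: Request) -> str:
        if not req.authenticated:
            return self._decide(req, "deny", "unauthenticated")
        for rule in self.rules:
            if rule.matches(req):
                return self._decide(req, "allow", rule.name)
        return self._decide(req, "deny", "default-deny")   # no default trust

    def _decide(self, req, verdict, reason):
        self.log.append((req.user, req.device_group, req.app, req.zone, verdict, reason))
        return verdict


# Constructed policy: the ERP protect surface is reachable only by finance staff
# on managed laptops, and only as the ERP application itself.
POLICY = [
    Rule("finance-to-erp", frozenset({"finance"}), frozenset({"managed-laptop"}),
         frozenset({"sap-erp"}), frozenset({"erp"})),
    Rule("staff-to-mail", frozenset({"employees"}),
         frozenset({"managed-laptop", "byod-phone"}),
         frozenset({"office365-mail"}), frozenset({"saas"})),
]


def run_demo():
    """Evaluate constructed requests; returns (verdicts, decision log)."""
    gw = SegmentationGateway(POLICY)
    alice = frozenset({"finance", "employees"})
    bob = frozenset({"employees"})
    requests = [
        Request("alice", alice, "managed-laptop", "sap-erp", "erp", True),   # allow
        Request("alice", alice, "byod-phone", "sap-erp", "erp", True),       # deny: device group
        Request("bob", bob, "managed-laptop", "sap-erp", "erp", True),       # deny: user group
        Request("alice", alice, "managed-laptop", "ssh", "erp", True),       # deny: app (even on 443)
        Request("alice", alice, "managed-laptop", "sap-erp", "erp", False),  # deny: not authenticated
        Request("bob", bob, "byod-phone", "office365-mail", "saas", True),   # allow
    ]
    verdicts = [gw.evaluate(r) for r in requests]
    return verdicts, gw.log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Two design points carry the Zero Trust intent. There is no rule that says "deny"; the absence of a matching allow rule is the deny, so a new application, device class or zone is unreachable until someone writes a rule for it. And the application field is assumed to come from content identification, so the fourth request, SSH aimed at the ERP zone, is refused regardless of which port it used.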

What are the benefits of having a Zero Trust Model?

1. Improved Effectiveness: Clearly improved effectiveness in mitigating data loss with visibility and safe enablement of applications, plus detection and prevention of cyberthreats 2. Greater Efficiency: Greater efficiency for achieving and maintaining compliance with security and privacy mandates by using trust boundaries to segment sensitive applications, systems, and data 3. Improved Ability: Improved ability to securely enable transformative IT initiatives, such as user mobility, bring your own device (BYOD) and bring your own access (BYOA) policies, infrastructure virtualization, and cloud computing 4. Lower Total Cost of Ownership: Lower total cost of ownership with a consolidated and fully integrated security operating platform, rather than a disparate array of siloed, purpose-built security point products

How the Evil Twin attack is executed?

1. Mimic a real access point 2. Catch a greater number of users 3. Reach a large number of people, not targeted

Tell me about the Zero Trust Security Model traits

1. No Default Trust 2. Monitor and Inspect 3. Compartmentalize

Tell me about the Cyberattack Lifecycle Order

1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and Control 7. Act on Objective

Tell me about the characteristics of the Perimeter Based Security Model

1. Relies on Physical Security 2. Assumes Trust on Internal Network 3. Allows Unwanted Traffic

What is a Distributed Denial of Service Attack?

A DDoS attack is a type of cyberattack in which extremely high volumes of network traffic such as packets, data, or transactions are sent to the target victim's network to make their network and systems (such as an e-commerce website or other web application) unavailable or unusable.

Tell me about Use of Bots - in a DDoS attack

A DDoS botnet uses bots as part of a DDoS attack, overwhelming a target server or network with traffic from a large number of bots. In such attacks, the bots themselves are not the target of the attack. Instead, the bots are used to flood some other remote target with traffic. The attacker leverages the massive scale of the botnet to generate traffic that overwhelms the network and server resources of the target.

What is Trojan Horses

A Trojan horse is malware that is disguised as a harmless program but actually gives an attacker full control and elevated privileges of an endpoint when installed. Unlike other types of malware, Trojan horses are typically not self-replicating.

What is Backdoors?

A backdoor is malware that allows an attacker to bypass authentication to gain access to a compromised system.

What is Bootkits?

A bootkit is a kernel-mode variant of a rootkit that infects the boot process (the master boot record, volume boot record, or UEFI firmware) so that it loads before the operating system and its security tools. Bootkits are commonly used to attack computers protected by full-disk encryption, because they run before the disk is unlocked and can capture the passphrase.

Tell me about Redundancy

A botnet almost never relies on a single C2 server but rather uses multiple C2 servers for redundancy purposes. Each server also is typically insulated by a variety of intermediaries to cloak the true location of the server. These intermediaries include P2P networks, blogs, social networking sites, and even communications that proxy through other infected bots. These evasion techniques make even finding C2 servers a considerable challenge.

What are Botnets?

A botnet is a network of bots (often tens of thousands or more) working together under the control of attackers using numerous servers.

Tell me about Cyberthreat Protection, in the context of Zero Trust

A combination of anti-malware, intrusion prevention, and cyberthreat prevention technologies provides comprehensive protection against both known and unknown threats, including threats on mobile devices. Support for a closed-loop, highly integrated defense also ensures that inline enforcement devices and other components in the threat protection framework are automatically updated.

How does the Prevention Architecture "Prevent All Known Threats, Fast"

A coordinated security platform accounts for the full scope of an attack across all security controls, enabling organizations to quickly identify and block known threats.

What is Pharming?

A pharming attack redirects a legitimate website's traffic to a fake site, typically by modifying an endpoint's local hosts file or by compromising a DNS server (DNS poisoning).
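The local-hosts-file form of pharming leaves a small, checkable footprint on the endpoint. The following is an added example (not code from the original page) that parses a hosts file and flags any mapping for a domain the organization cares about, while ignoring the loopback and 0.0.0.0 entries that stock hosts files and ad-blocking lists legitimately contain. The hosts file text and the monitored-domain list are constructed for the example.

```python
"""Added example (not from the original page): scan an endpoint's hosts file for
the local form of pharming, an entry that pins a well-known domain to an
attacker-chosen address. The hosts file text and the list of monitored
domains are constructed for the example."""
import ipaddress

# Assumption: these domains should never be overridden in a hosts file.
MONITORED_DOMAINS = {"bank.example", "www.bank.example", "login.example"}

# Names that legitimately appear in stock hosts files.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments and
    blank lines; one line may map several names to the same address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def find_pharming_entries(text: str):
    """Return a list of (line_no, hostname, ip, reason) for suspicious mappings."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        # Loopback and 0.0.0.0 entries are the normal localhost / blocklist pattern.
        if name in LOCAL_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        if name in MONITORED_DOMAINS:
            findings.append((line_no, name, ip, "monitored domain overridden"))
    return findings


# Constructed hosts file: the last two lines are what a pharming implant adds.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         ads.example            # local ad block, harmless
192.168.1.40    intranet.corp          # legitimate internal override
203.0.113.66    www.bank.example bank.example
10.0.0.5        login.example
"""

if __name__ == "__main__":
    for finding in find_pharming_entries(SAMPLE_HOSTS):
        print(finding)
```

On a real fleet the same check belongs in endpoint telemetry (the hosts file is a classic persistence and pharming location on both Windows and Unix), paired with a comparison of what the endpoint's resolver returns for the monitored domains against an authoritative source, which covers the DNS-poisoning form that this file-based check cannot see.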

What is Rootkits?

A rootkit is malware that provides privileged (root-level) access to a computer while hiding its own presence. Rootkits hook or modify the operating system kernel, or, in the case of firmware rootkits, the BIOS/UEFI, so that they operate below the layer at which operating system-level security tools run; this is why those tools often cannot detect them.

What is Virus?

A virus is malware that is self-replicating but must first infect a host program and be executed by a user or process

What is Worms

A worm is malware that typically targets a computer network by replicating itself to spread rapidly. Unlike viruses, worms do not need to infect other programs and do not need to be executed by a user or process.

What is Natural Language Search?

Ability to understand human spoken language and context to find information

Tell me about Wi-Fi Network

Additional problems exist because Wi-Fi device settings and configurations are well known, published openly, shared, and even broadcast. A first step in securing a WLAN is to disable the Service Set Identifier (SSID) broadcast: if the SSID is broadcast, an attacker can discover and enumerate targets without doing anything. Treat this as hygiene rather than a control, though. Clients still send the SSID in probe requests and association frames, so a passive sniffer recovers a "hidden" SSID as soon as any client connects; the protection that actually matters is WPA2/WPA3 with strong authentication and encryption.

Core Zero Trust Principles - "Enforce Access Control"

Adopt a least privilege strategy and strictly enforce access control. The goal is to minimize allowed access to resources to reduce the pathways available for malware and attackers to gain unauthorized access.

What is Obfuscation?

Advanced malware often uses common obfuscation techniques to hide certain binary strings that are characteristically used in malware and therefore easily detected by anti-malware signatures. Advanced malware might also use these techniques to hide an entire malware program.

What is Distributed?

Advanced malware takes full advantage of the resiliency built into the internet itself. Advanced malware can have multiple control servers distributed all over the world with multiple fallback options. Advanced malware can also leverage other infected endpoints as communication channels, thus providing a near-infinite number of communication paths to adapt to changing conditions or update code as needed.

Tell me about Advanced/Modern Malware

Advanced or modern malware generally refers to new or unknown malware. These types of malware are highly sophisticated and often have specialized targets. Advanced malware typically can bypass traditional defenses.

SSL Strip

After a user connects to a Wi-Fi network that has been compromised, or to an attacker's Wi-Fi network masquerading as a legitimate network, the attacker can control the content that the victim sees. The attacker simply intercepts the victim's web traffic, redirects the victim's browser to a web server that it controls, and serves up whatever content the attacker desires.

What is Action in terms of Exploits?

After the exploit data file is created, a legitimate application, such as a document viewer or web browser, will perform actions on behalf of the attacker, such as establishing communication and providing the ability to upload additional malware to the target endpoint. Because the application being exploited is a legitimate, trusted application, traditional signature-based antivirus and application allow-listing have virtually no defense against these attacks; the malicious behavior is performed by a binary that is on the allow-list.

What is Microblogging?

Allow a subscriber to broadcast short messages to other subscribers. -Ex. Tumblr & Twitter

Be able to Allow Specific Applications and Block Everything Else:

Allowing a specific set of applications through an allow-list and denying everything else significantly reduces the number of ways an organization can be attacked.

What is Techniques in terms of Exploits?

Although there are thousands of exploits, they all rely on a small set of core techniques. Some attacks may involve more steps, and some may involve fewer, but typically three to five core techniques must be used to exploit an application. Regardless of the attack or its complexity, for the attack to be successful the attacker must execute a series of these core exploit techniques in sequence.

Tell me about Public Announcement of Vulnerability, in terms of Eliminating a Vulnerability

An attacker may learn of a vulnerability and begin exploiting it before the software vendor is aware of the vulnerability or has an opportunity to develop a patch.

What is Using Non-Standard Ports?

An example of using non-standard ports is running Yahoo! Messenger over TCP port 80 (HTTP) instead of the standard TCP port for Yahoo! Messenger (5050).

Tell me about Exploit?

An exploit is a type of malware that takes advantage of a vulnerability in installed endpoint or server software such as a web browser, Adobe Flash, Java, or Microsoft Office. An attacker crafts an exploit that targets a software vulnerability, causing the software to perform functions or execute code on behalf of the attacker.

What is Web-Based Email?

An internet email service that is typically accessed via a web browser. -Ex. Gmail., Outlook.com, & Yahoo! Mail

What is Tunneling?

Another method is tunneling within commonly used services, such as running peer-to-peer (P2P) file sharing or an IM client such as Meebo over HTTP.

What is Anti-AV?

Anti-AV is malware that disables legitimately installed antivirus software on the compromised endpoint, thereby preventing automatic detection and removal of other malware.

Tell me about Complex Network

Application development and IT operations teams are accelerating the delivery of new applications to drive business growth by adopting DevOps tools and methodologies, cloud and container technologies, big data analytics, and automation and orchestration. Meanwhile, applications are increasingly accessible. The result is an incredibly complex network that introduces significant business risk. Organizations must minimize this risk without slowing down the business.

Tell me about Inspection of All Traffic, in the context of Zero Trust

Application identification accurately identifies and classifies all traffic, regardless of ports and protocols, and evasive tactics, such as port hopping or encryption. Application identification eliminates methods that malware may use to hide from detection and provides complete context into applications, associated content, and threats.
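The evasion cards above (non-standard ports, tunneling inside HTTP, port hopping) and this one describe the same problem from both sides: a port-based firewall assumes the application from the port number, and a content-based classifier ignores the port and reads the first bytes of the session. The following is an added example for this page, not Palo Alto Networks App-ID code; the protocol signatures are well-known opening bytes, and the port table and sample sessions are constructed for the demo.

```python
"""Content-based application identification, independent of TCP port.

Added example for this page; it is not Palo Alto Networks App-ID code.
All payloads and the port table below are constructed for the demo.
"""
import re

# Each matcher inspects the opening bytes of a session, which is where
# most application protocols reveal themselves regardless of the port.
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    # TLS record type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    ("tls", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
    ("http", lambda p: re.match(
        rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n", p) is not None),
    # BitTorrent handshake: pstrlen 19 followed by the protocol string
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    # Yahoo! Messenger (YMSG) packets begin with the ASCII magic "YMSG"
    ("yahoo-messenger", lambda p: p.startswith(b"YMSG")),
]

# What a port-based firewall would assume for a few standard ports.
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "tls", 5050: "yahoo-messenger"}


def identify(payload: bytes) -> str:
    """Return the application name for the payload, or 'unknown'."""
    for app, match in SIGNATURES:
        if match(payload):
            return app
    return "unknown"


def classify(dst_port: int, payload: bytes) -> dict:
    """Identify the app by content and flag port/protocol evasion.

    evasive is True when a known application runs on a port that does not
    belong to it (non-standard port) or when another protocol is tunneled
    inside an HTTP request body.
    """
    app = identify(payload)
    tunneled = None
    if app == "http":
        _head, sep, body = payload.partition(b"\r\n\r\n")
        if sep and body:
            inner = identify(body)
            if inner != "unknown":
                tunneled = inner
    expected = WELL_KNOWN_PORTS.get(dst_port)
    evasive = app != "unknown" and (expected != app or tunneled is not None)
    return {"port": dst_port, "app": app, "tunneled": tunneled, "evasive": evasive}


# Constructed sample sessions: (destination port, first bytes on the wire)
SAMPLES = [
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),                 # real TLS on 443
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),     # real HTTP on 80
    (80, b"YMSG\x00\x10\x00\x00\x00\x00"),                              # Yahoo! Messenger on 80
    (80, b"POST /up HTTP/1.1\r\nHost: t.example\r\n\r\n\x13BitTorrent protocol"),  # P2P over HTTP
    (8080, b"GET / HTTP/1.0\r\n\r\n"),                                  # HTTP on a non-standard port
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(classify(port, payload))
```

A real classifier carries thousands of signatures and also decodes the application's own fields (which HTTP host, which file type in the body), but the decision structure is the same: the port is a hint to be verified, never the verdict.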

Tell me about Step 5: Return Full Access

Attackers must return access to the device(s). Failure to restore the compromised systems destroys the effectiveness of the scheme as no one would be willing to pay a ransom if they didn't believe their valuables would be returned.

Tell me about Step 2: Prevent Access to the System

Attackers will either identify and encrypt certain file types or deny access to the entire system.

Give me an example of APT - Lazarus

Attacks against nation-states and corporations are common, and the group of cybercriminals that may have done the most damage is Lazarus. The Lazarus group is known as an APT. The Lazarus group has been known to operate under different names, including Bluenoroff and Hidden Cobra. They were initially known for launching numerous attacks against government and financial institutions in South Korea and Asia. In more recent years, the Lazarus group has been targeting banks, casinos, financial investment software developers, and cryptocurrency businesses. Malware attributed to this group has recently been found in 18 countries around the world.

Control Data by File Type and Content:

Blocking risky file types reduces the number of ways you can be attacked and reduces the number of ways attackers can exfiltrate data. The result is granular control that safely allows access to the right applications for the right sets of users while automatically eliminating unwanted, unauthorized, and potentially harmful interactions.

What is AI & Machine Learning?

Both AI & machine learning enable systems to understand and act on information in a way that resembles human reasoning. -AI acquires and applies knowledge to find the most optimal solution, decision, or course of action. -Machine learning is a part of AI that applies algorithms to large datasets to find common patterns in the data, which can then be used to improve the performance of the system.

Tell me about DDoS Attacks

Botnet C2 servers are used to control infected endpoints (bots) and to exfiltrate personal and valuable data from bots. Botnets can be easily scaled up to send massive volumes of spam, spread ransomware, launch distributed denial-of-service (DDoS) attacks, commit click fraud campaigns, or mine cryptocurrency (such as Bitcoin).

What are Bots?

Bots (or zombies) are individual endpoints that are infected with advanced malware that enables an attacker to take control of the compromised endpoint.

What is Delivery (Defense)?

Breaking the cyberattack lifecycle at this phase of an attack requires visibility into all network traffic (including remote and mobile devices) to effectively block malicious or risky websites, applications, and IP addresses and prevent known and unknown malware and exploits.

What is Command and Control (Defense)?

Breaking the cyberattack lifecycle at this phase of an attack requires: -Inspecting all network traffic (including encrypted communications) -Blocking outbound C2 communications with anti-C2 signatures (along with file and data pattern uploads) -Blocking all outbound communications to known malicious URLs and IP addresses -Blocking novel attack techniques that employ port evasion methods -Preventing the use of anonymizers and proxies on the network -Monitoring DNS for malicious domains and countering with DNS sinkholing or DNS poisoning -Redirecting malicious outbound communications to honeypots to identify or block compromised endpoints and analyze attack traffic
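Two of the items in that list, monitoring DNS for malicious domains and sinkholing them, and then using the sinkhole to identify compromised endpoints, fit in a few dozen lines. The following is an added example for this page, not a Palo Alto Networks DNS Security implementation: the malicious-domain list, the sinkhole address and every log line are constructed for the demo.

```python
"""DNS sinkholing and identification of compromised endpoints.

Added example for this page, not Palo Alto Networks DNS Security code.
The malicious-domain list, the sinkhole address and every log line here
are constructed for the demo.
"""
import re
from collections import defaultdict

SINKHOLE_IP = "10.255.255.254"  # assumed: an internal address nothing legitimate talks to
MALICIOUS_DOMAINS = {"update-check.example", "cdn-sync.example"}  # constructed C2 domains

QUERY_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>[\d.]+) query (?P<qname>\S+) type (?P<qtype>\w+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def is_malicious(qname: str) -> bool:
    """True if qname is a listed domain or any subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels)))


def resolve(qname: str, upstream) -> tuple:
    """Answer a query: sinkhole listed names, otherwise ask the upstream resolver."""
    if is_malicious(qname):
        return SINKHOLE_IP, True
    return upstream(qname), False


def sinkholed_queries(query_log, upstream) -> dict:
    """Replay resolver log lines; map each client to the names it had sinkholed."""
    hits = defaultdict(set)
    for line in query_log:
        m = QUERY_RE.match(line)
        if not m:
            continue
        _answer, sinkholed = resolve(m["qname"], upstream)
        if sinkholed:
            hits[m["client"]].add(m["qname"].rstrip(".").lower())
    return dict(hits)


def compromised_hosts(flow_log) -> set:
    """Hosts that actually connected to the sinkhole are the ones running the bot:
    a single DNS lookup may be a user's stray click, but a connection attempt to
    the sinkholed answer is the malware following through."""
    hosts = set()
    for line in flow_log:
        m = FLOW_RE.match(line)
        if m and m["dst"] == SINKHOLE_IP:
            hosts.add(m["src"])
    return hosts


def fake_upstream(qname: str) -> str:
    """Stand-in for the real recursive resolver (no network in this demo)."""
    return "203.0.113.10"


# Constructed logs
QUERY_LOG = [
    "2024-05-01T10:00:01Z client 10.0.0.5 query cdn-sync.example. type A",
    "2024-05-01T10:00:02Z client 10.0.0.7 query www.example.com. type A",
    "2024-05-01T10:00:03Z client 10.0.0.5 query c2.update-check.example. type A",
    "2024-05-01T10:00:04Z client 10.0.0.9 query update-check.example. type TXT",
]
FLOW_LOG = [
    "2024-05-01T10:00:05Z 10.0.0.5 -> 10.255.255.254:443",
    "2024-05-01T10:00:06Z 10.0.0.7 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    print(sinkholed_queries(QUERY_LOG, fake_upstream))
    print(compromised_hosts(FLOW_LOG))
```

The reason to sinkhole rather than simply refuse the query is the second function: the answer is a bait address, and the firewall log of who then connects to it is the list of infected endpoints, which is not something the DNS log alone can tell you when clients go through an internal recursive resolver.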

Tell me about how each of the shortcomings of perimeter-centric dealing with Application Control

Cannot definitively distinguish good applications from bad ones (which leads to overly permissive access control settings)

What is Cloud-Based Subscriptions Services?

Cloud-based subscription services, including DNS Security, URL Filtering, Threat Prevention, and WildFire® malware prevention, deliver real-time advanced predictive analytics, AI and machine learning, exploit/malware/C2 threat protection, and global threat intelligence to the Palo Alto Networks Security Operating Platform.

What are Office Productivity Suites?

Consist of cloud-based word processing, spreadsheet, and presentation software. -Ex. Google Apps & Microsoft Office 365

Tell me about Secure Access, in the context of Zero Trust

Consistent secure IPsec and SSL VPN connectivity is provided for all employees, partners, customers, and guests wherever they're located (for example, at remote or branch offices, on the local network, or over the internet). Policies to determine which users and devices can access sensitive applications and data can be defined based on application, user, content, device, device state, and other criteria.

What is Cortex XSOAR?

Cortex XSOAR is the only security orchestration, automation, and response (SOAR) platform that combines security orchestration, incident management, and interactive investigation to serve security teams across the incident lifecycle.

What is Creation in terms of Exploits?

Creation of an exploit data file is a two-step process. The first step is to embed a small piece of malicious code within the data file. However, the attacker still must trick the application into running the malicious code. Thus, the second part of the exploit typically involves memory corruption techniques that allow the attacker's code to be inserted into the execution flow of the vulnerable software.

Security Approaches and challenges

Current approaches to security, which focus mainly on detection and remediation, do not adequately address the growing volume and sophistication of attacks. 1. Automation and Big Data Analytics 2. Decentralization of IT infrastructure 3. Traditional Security Products 4. Complex Network

Tell me about Automation and Big Data Analytics

Cybercriminals leverage automation and big data analytics to execute massively scalable and increasingly effective attacks against their targets. They often share data and techniques with other threat actors to keep their approach ahead of point security products. Cybercriminals are not the only threat: employees often unknowingly violate corporate compliance and expose critical data in locations such as the public cloud.

Tell me about Cyberterrorists

Cyberterrorist attacks often are associated with state affiliations and are focused on causing damage and destruction. Attacks against power grids or public infrastructures are common targets for cyberterrorists.

Tell me about Target -in a DDoS attack

DDoS attacks often target specific organizations for personal or political reasons, or for profit. Hacktivists use them to promote or protest a particular political agenda or social cause, and criminals use them for extortion, demanding a hefty ransom payment in exchange for ending the attack.

Tell me about Dual Risk- in a DDoS attack

DDoS botnets represent a dual risk for organizations: The organization itself can be the target of a DDoS attack. And even if the organization isn't the ultimate target, any infected endpoints participating in the attack will consume valuable network resources and facilitate a criminal act, albeit unwittingly.

For Wireless Security, how do you "Secure Content Via Encryption"

Design of the client-to-access-point security association also needs careful attention: -Combining advanced authentication methods, like 2-factor authentication, with strong encryption should ensure that only authorized users and devices are allowed to connect to the network.

Tell me about Traditional Security Products

Devices are proliferating and the network perimeter has all but disappeared, leaving enterprise security teams struggling to safely enable and protect their businesses, customers, and users. With new threats growing in number and sophistication, organizations are finding that traditional security products and approaches are less and less capable of protecting their networks against today's advanced cyberattacks.

Tell me about Servers

Disabling C2 servers often requires both physically seizing the servers and taking ownership of the domain and IP address range associated with the servers. Very close coordination between technical teams, legal teams, and law enforcement is essential to disabling the C2 infrastructure of a botnet. Many botnets have C2 servers all over the world and will specifically function in countries that have little or no law enforcement for internet crimes.

Tell me about how each of the shortcomings of perimeter-centric dealing with Identify Users

Do not accurately identify and control users (regardless of where they're located or which devices they're using)

Tell me about how each of the shortcomings of perimeter-centric dealing with Encrypted Traffic

Do not adequately account for encrypted application traffic

Tell me about how each of the shortcomings of perimeter-centric dealing with Protect Against Attacks

Do not filter allowed traffic for known application-borne threats or unknown threats

Protected by Vendor Patch, in terms of Eliminating a Vulnerability

During this time, a system running the vulnerable software is at risk of being exploited by an attacker.

What is Wikis?

Enable users to contribute, collaborate, and edit site content. -Ex. Socialtext & Wikipedia

What is Data Mining?

Enables pattern discovery in large datasets through machine learning, statistical analysis, and database technologies

What are Instant Messaging (IM)?

Exchange short messages in real time. -Ex. Facebook Messenger, Skype, Snapchat, WhatsApp

Tell me about New Application Threat Vectors

Exploiting vulnerabilities in core business applications has long been a predominant attack vector, but threat actors are constantly developing new tactics, techniques, and procedures (TTPs).

Tell me about Resources

Extensive resources are typically required to map the distributed C2 infrastructure of a botnet. Mapping a botnet's infrastructure almost always requires an enormous amount of investigation, expertise, and coordination between numerous industry, security, and law enforcement organizations worldwide.

What is ATT&CK for Enterprise?

Focuses on adversarial behavior in Windows, Mac, Linux, and cloud environments

What is ATT&CK for Mobile?

Focuses on adversarial behavior on iOS and Android operating systems

Be able to Validate a User's Identity Through Authentication:

For access to the most sensitive data, the firewall should validate user information obtained from the organization's authentication servers with another authentication method before allowing access. This ensures the traffic is coming from the expected user and not from someone impersonating them.

Tell me about Software Deployed, in terms of Eliminating a Vulnerability

For local systems, the only way to eliminate vulnerabilities is to effectively patch systems and software.

Tell me about Hacktivists

Hacktivist groups perform high-profile attacks in an attempt to showcase their political or social cause. They often seek public recognition or notoriety, because their main goal is to garner attention for their specific cause.

What is Heap Spray in terms of Exploits?

Heap spray is a technique used to facilitate arbitrary code execution by injecting a certain sequence of bytes into the memory of a target process.

What is Hiding within SSL Encryption?

Hiding in SSL encryption masks the application traffic, for example, over TCP port 443 (HTTPS). More than half of all web traffic is now encrypted.

What is Mixed Reality?

Includes Virtual Reality (VR), Augmented Reality (AR), and Extended Reality (XR) that delivers an immersive and interactive physical and digital sensory experience in real time

Tell me about Insiders

Insiders, whether intentionally malicious or just careless, may present a very real security threat.

Tell me about Internal Networks

Internal networks are rarely homogeneous. They include pockets of users and resources with different levels of trust or sensitivity, and these pockets should ideally be separated (for example, research and development and financial systems versus print or file servers).

What are Mainframe Computers? in the context of Perimeter-Based Security Model

Mainframe computers predate the internet. In fact, mainframe computers predate ARPANET, which predates the internet. Today, an attacker uses the internet to remotely gain access, instead of physically breaching the data center perimeter.

Tell me about Stolen Credentials

Malicious users can gain access to the internal network and sensitive resources by using the stolen credentials of trusted users.

Tell me about Malware Types

Malware is varied in type and capabilities. 1. Logic Bombs 2. Spyware and Adware 3. Bootkits 4. Rootkits 5. Backdoors 6. Anti-AV 7. Ransomware 8. Trojan Horses 9. Worms 10. Viruses

Dynamically Define the Resources that are Associated with the Sensitive Data or Application:

Many data centers and PaaS environments dynamically allocate resources to applications. To ensure that the security posture matches the current resource allocation, the firewall needs to adjust along with the changing environment.

Tell me about a Use Case with Application Classification

Many organizations use social networking applications such as Facebook for important business functions such as recruiting, research and development, marketing, and consumer advocacy. However, these same applications can be used to leak sensitive information or cause damage to an organization's public image - whether inadvertently or maliciously

Dynamically Define Access to Sensitive Applications and Data Based on a User's Group Membership:

Many traditional security policies define access based on the location of the endpoint in the network. Even if enterprise mobility didn't blur the traditional network boundaries, network location is a poor identifier for a user and their assigned privileges.

Patch Deployed, in terms of Eliminating a Vulnerability

Months or years could pass by before a vulnerability is announced publicly. After a security patch becomes available, time inevitably is required for organizations to properly test and deploy the patch on all affected systems.

Tell me about Quick Recovery

Most botnets are designed to withstand the loss of a C2 server, meaning that the entire botnet C2 infrastructure must be disabled almost simultaneously. If any C2 server is accessible or any of the fallback options survive, the bots will be able to get updates and rapidly populate a completely new set of C2 servers, and the botnet will quickly recover. Thus, even a single C2 server remaining functional for even a small amount of time can give an attacker the window needed to update the bots and recover the entire botnet.

What is Installation (Attack)?

Next, an attacker will escalate privileges on the compromised endpoint, for example, by establishing remote shell access and installing rootkits or other malware. With remote shell access, the attacker has control of the endpoint and can execute commands in privileged mode from a command-line interface (CLI) as if physically sitting in front of the endpoint. The attacker will then move laterally across the target's network, executing attack code, identifying other targets of opportunity, and compromising additional endpoints to establish persistence.

Tell me about Standards and Regulations

Organizations worldwide handle huge amounts of customer data and personal information, making them a prime target for cybercriminals. New standards and regulations are being enacted to protect and secure this data. A. Payment Card Industry Data Security Standard B. European Union General Data Protection Regulation

What is Panorama?

Panorama network security management enables centralized control, log collection, and policy workflow automation across all next-generation firewalls (scalable to tens of thousands of firewalls) from a single pane of glass.

What is Port Hopping?

Port hopping allows adversaries to randomly change ports and protocols during a session.

Tell me about Step 1: Compromise and Control a System or Device

Ransomware attacks typically begin by using social engineering to trick users into opening an attachment or viewing a malicious link in their web browser. This allows attackers to install malware onto a system and take control. However, another increasingly common tactic is for attackers to gain access to the network, perform reconnaissance on the network to identify potential targets and establish C2, install other malware and create backdoor accounts for persistence, and potentially exfiltrate data.

What is Ransomware?

Ransomware is malware that locks a computer or device (Locker ransomware) or encrypts data (Crypto ransomware) on an infected endpoint with an encryption key that only the attacker knows, thereby making the data unusable until the victim pays a ransom (usually with cryptocurrency, such as Bitcoin). Reveton and LockeR are two examples of Locker ransomware. Locky, TeslaCrypt/EccKrypt, Cryptolocker, and Cryptowall are examples of Crypto ransomware.

Tell me about how each of the shortcomings of perimeter-centric dealing with Net Result

Re-architecting defenses to create pervasive internal trust boundaries is, by itself, insufficient. Organizations must also ensure that the devices and technologies used to implement these boundaries provide the visibility, control, and threat inspection capabilities needed to securely enable essential business applications while still thwarting modern malware, targeted attacks, and the unauthorized exfiltration of sensitive data.

Tell me about "Internal" and "External" Distinction

Remote employees, mobile users, and cloud computing solutions blur the distinction between "internal" and "external."

What is SSlstrip Strategy?

SSLstrip strips SSL/TLS encryption from what the user expects to be a "secure" session. It works because the victim's first request to a site is usually plain HTTP and the site relies on a redirect to HTTPS: the attacker, sitting on the compromised access point, speaks HTTPS to the real site and plain HTTP to the victim, and rewrites https:// links in the returned pages to http://, so the session never gets encrypted on the victim's side. To keep the victim from noticing, the tool replaces the site's favicon (the small icon shown next to the address in the browser's address bar) with a padlock that looks like the SSL indicator to an unsuspecting user. HTTP Strict Transport Security (HSTS), and especially the browser preload list, defeats this: the browser refuses to send plaintext HTTP to such a host at all, so there is no first request to strip.

Tell me about Vulnerability Discovered, in terms of Eliminating a Vulnerability

Security patches are developed by software vendors as quickly as possible after a vulnerability has been discovered in their software.

What is Social Curation?

Shares collaborative content about particular topics. Social Bookmarking is a type of social curation. -Ex. Cogenz, Instagram, Pinterest, & Reddit

What is Polymorphism?

Some advanced malware has entire sections of code that serve no purpose other than to change the signature of the malware, thus producing an infinite number of unique signature hashes. Techniques such as polymorphism and metamorphism are used to avoid detection by traditional signature-based anti-malware tools and software. For example, a change of just a single character or bit of the file or source code completely changes the hash signature of the malware.
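This card and the Obfuscation card above describe the two evasion moves and why each defeats a different kind of signature. The following is an added example for this page, not code from the course: the "binary" is a constructed byte string containing a characteristic API name, and the example shows that junk bytes change the hash but not a byte-pattern match, that XOR-obfuscating the string defeats the byte pattern, and how a scanner recovers the indicator by trying every single-byte key.

```python
"""Why hash signatures fail against polymorphic code, and how string
obfuscation hides indicators from pattern signatures.

Added example for this page; the 'binary' is a constructed byte string with
a characteristic API name in it, not a real malware sample.
"""
import hashlib
import random

SIGNATURE = b"CreateRemoteThread"  # a string pattern an AV rule might look for
# Constructed stand-in for a malicious executable: a header, padding, the string.
BASE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + SIGNATURE + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(sample: bytes, known_bad_hashes: set) -> bool:
    """Exact-hash detection: only catches byte-identical files."""
    return sha256_hex(sample) in known_bad_hashes


def pattern_match(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Byte-pattern detection: survives junk code but not string obfuscation."""
    return sig in sample


def add_junk(sample: bytes, n: int = 16, seed: int = 1) -> bytes:
    """Polymorphic variant: append bytes that serve no purpose except changing
    the hash (deterministic junk so the demo is reproducible)."""
    rnd = random.Random(seed)
    return sample + bytes(rnd.randrange(256) for _ in range(n))


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def obfuscate_strings(sample: bytes, key: int = 0x5A) -> bytes:
    """Obfuscated variant: store the characteristic string XOR'd with a one-byte
    key, so it no longer appears in the file as written."""
    return sample.replace(SIGNATURE, xor_bytes(SIGNATURE, key))


def xor_deobfuscation_scan(sample: bytes, sig: bytes = SIGNATURE) -> list:
    """Counter-measure: look for the signature under every single-byte XOR
    key. Returns the keys under which it appears ([] if it does not)."""
    return [k for k in range(1, 256) if xor_bytes(sig, k) in sample]


if __name__ == "__main__":
    known = {sha256_hex(BASE_SAMPLE)}
    poly = add_junk(BASE_SAMPLE)
    obf = obfuscate_strings(BASE_SAMPLE)
    print("polymorphic variant: hash hit", hash_match(poly, known),
          "pattern hit", pattern_match(poly))
    print("obfuscated variant:  hash hit", hash_match(obf, known),
          "pattern hit", pattern_match(obf),
          "keys recovered", xor_deobfuscation_scan(obf))
```

Real packers use more than a one-byte XOR, which is why the practical counter to both tricks is not a cleverer static signature but running the sample and watching what it does, which is what the sandboxing services mentioned elsewhere on this page do.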

Tell me about Cyberthreats

Sophisticated cyberthreats could penetrate perimeter defenses and gain free access to the internal network.

What is Spyware and Adware?

Spyware and adware are types of malware that collect information, such as internet surfing behavior, login credentials, and financial account information, on an infected endpoint. Spyware often changes browser and other software settings and slows computer and internet speeds on an infected endpoint. Adware is spyware that displays annoying advertisements on an infected endpoint, often as pop-up banners.

What are Sub-Techniques

Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, OS Credential Dumping is a technique, and dumping credentials by reading the Local Security Authority (LSA) secrets is one of its sub-techniques (T1003.004 in ATT&CK for Enterprise).

What is the European Union General Data Protection Regulation?

The European Union (EU) General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of individuals in the EU, wherever the organization itself is located. GDPR often sets more stringent standards for end-user and data protection than those applied domestically. Some domestic companies have adopted a policy of complying with GDPR across the board, in case their operations interact with European or other international consumers.

Tell me about Installing Current Patches - when disabling a bot

The Internet Service Provider (ISP) community has a commitment to securing internet backbones and core services known as the Shared Responsibility Model. Adhering to this model does not ensure that ISPs can fully identify and disable C2 server clusters. Full termination of a C2 architecture can be extremely difficult.

What is MITRE ATT&CK Framework?

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a comprehensive matrix of tactics and techniques designed for threat hunters, defenders, and red teams to help classify attacks, identify attack attribution and objective, and assess an organization's risk. Organizations can use the framework to identify security gaps and prioritize mitigations based on risk.

What is Payment Card Industry's Data Security Standard?

The Payment Card Industry's Data Security Standard (PCI DSS) establishes its own cybersecurity standards and best practices for businesses and organizations that allow payment card purchases. An ever-increasing number of international, multinational, federal, regional, state, and local laws and regulations also mandate numerous cybersecurity and data protection requirements for businesses and organizations worldwide.

Give me an Example of Spamming Botnets

The Rustock botnet is an example of a spamming botnet. Rustock could send up to 25,000 spam email messages per hour from an individual bot. At its peak, it sent an average of 192 spam emails per minute per bot. Rustock is estimated to have infected more than 2.4 million computers worldwide. In March 2011, the U.S. Federal Bureau of Investigation (FBI), working with Microsoft and others, was able to take down the Rustock botnet. By then, the botnet had operated for more than five years. At the time, it was responsible for sending up to 60 percent of the world's spam.

Zero Trust Segmentation Platform:

The Zero Trust Segmentation Platform is referred to as a network segmentation gateway by Forrester Research. It is the component used to define internal trust boundaries, meaning that the platform provides the majority of the security functionality needed to deliver on the Zero Trust operational objectives, including the ability to: Enable secure network access Granularly control traffic flow to and from resources Continuously monitor allowed sessions for any threat activity

Tell me about SaaS Application Risks

The average employee uses at least eight applications. As employees add and use more SaaS apps that connect to the corporate network, the risk of sensitive data being stolen, exposed, or compromised increases. It is important to consider the security of the apps, what data they have access to, and how employees are using them.

Tell me about Least Privileges Access Control, in the context of Zero Trust

The combination of application, user, and content identification delivers a positive control model that allows organizations to control interactions with resources based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, user and group identity, and the specific types or pieces of data being accessed (such as credit card or Social Security numbers). The result is truly granular access control that safely enables the correct applications for the correct sets of users while automatically preventing unwanted, unauthorized, and potentially harmful traffic from gaining access to the network.
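Cards elsewhere on this page (allow specific applications and block everything else; control data by file type and content; enforce access control) describe the same positive control model this one summarizes. The following is an added example for this page, not Palo Alto Networks policy syntax: a default-deny evaluator whose rules are keyed on the identified application and function, the user's group membership, the content type in the session, and device posture, with a step-up requirement on the rule that covers the most sensitive data. Rules, users and sessions are constructed for the demo.

```python
"""Positive-control (default-deny) access policy keyed on application,
application function, user group, content type and device state.

Added example for this page; it is not Palo Alto Networks policy syntax,
and the rules, users and sessions are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset          # from the directory / identity provider
    app: str                   # identified from content, not port
    function: str              # e.g. "browse", "post", "upload", "download"
    content: str               # e.g. "text", "pdf", "exe", "credit-card"
    device_compliant: bool     # endpoint posture from the agent
    mfa: bool                  # strong authentication completed


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    functions: frozenset
    groups: frozenset
    content: frozenset
    require_mfa: bool = False


def R(name, apps, functions, groups, content, require_mfa=False):
    return Rule(name, frozenset(apps), frozenset(functions), frozenset(groups),
                frozenset(content), require_mfa)


# Allow-list: everything not matched by a rule is denied.
RULES = [
    R("recruiting-social", {"facebook"}, {"browse", "post"}, {"hr"}, {"text", "pdf"}),
    R("general-web", {"web-browsing"}, {"browse"}, {"employees"}, {"text"}),
    R("finance-erp", {"erp"}, {"browse", "download"}, {"finance"},
      {"text", "pdf", "credit-card"}, require_mfa=True),
]


def evaluate(s: Session, rules=RULES) -> tuple:
    """Return (verdict, reason). First matching rule wins; no match means deny."""
    if not s.device_compliant:
        return "deny", "device posture"
    for r in rules:
        if (s.app in r.apps and s.function in r.functions
                and s.groups & r.groups and s.content in r.content):
            if r.require_mfa and not s.mfa:
                return "deny", f"{r.name}: step-up authentication required"
            return "allow", r.name
    return "deny", "default-deny"


# Constructed sessions
SESSIONS = [
    Session("alice", frozenset({"hr", "employees"}), "facebook", "post", "text", True, False),
    Session("alice", frozenset({"hr", "employees"}), "facebook", "upload", "exe", True, False),
    Session("bob", frozenset({"employees"}), "facebook", "browse", "text", True, False),
    Session("carol", frozenset({"finance", "employees"}), "erp", "download", "credit-card", True, False),
    Session("carol", frozenset({"finance", "employees"}), "erp", "download", "credit-card", True, True),
    Session("carol", frozenset({"finance", "employees"}), "erp", "browse", "text", False, True),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.user, s.app, s.function, s.content, "->", evaluate(s))
```

Note what the second session shows: the same HR user on the same application is allowed to post text but denied uploading an executable, because the rule is written at the level of application function and content type rather than "Facebook: allow".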

Tell me about Zero Trust Capabilities

The core of any Zero Trust network security architecture is the Zero Trust Segmentation Platform, so you must choose the correct solution. Key criteria and capabilities to consider when selecting a Zero Trust Segmentation Platform include. 1. Secure Access 2. Inspection of All Traffic 3. Least Privileges Access Control 4. Cyberthreat Protection 5. Coverage for All Security Domains

Tell me about some of the High-Profile Attacks

The goals of attackers have changed dramatically. Their goals are mostly associated with financial gain. 1. SolarWinds 2. Colonial Pipeline 3. JBS S.A 4. Government of Ukraine

What is Installation (Defense)

The key to breaking the cyberattack lifecycle at this phase of an attack is to limit or restrict the attackers' lateral movement within the network. Use network segmentation and a Zero Trust model that monitors and inspects all traffic between zones or segments and provides granular control of applications that are allowed on the network.

How does Zero Trust enable "Monitor and Inspect"?

The need to "always verify" requires ongoing monitoring and inspection of associated communication traffic for subversive activities (such as threats).

How the Perimeter-based Security Model Assumes Trust on Internal Network

The primary issue with a perimeter-based network security strategy, which deploys countermeasures at a handful of well-defined entrance and exit points to the network, is that the strategy relies on the assumption that everything on the internal network can be trusted.

Tell me about the Zero Trust Design Principles

The principle of least privilege in network security requires that only the permission or access rights necessary to perform an authorized task are granted.

Tell me about Exploits Begin, in terms of Eliminating a Vulnerability

The process of discovery and patching will continue. According to research by Palo Alto Networks, 78 percent of exploits take advantage of vulnerabilities that are less than two years old, which implies that developing and applying patches is a lengthy process.

What is Web 3.0?

The vision of Web 3.0 is to return the power of the internet to individual users, in much the same way that the original Web 1.0 was envisioned. To some extent, Web 2.0 has become shaped and characterized, if not controlled, by governments and large corporations dictating the content that is made available to individuals and raising many concerns about individual security, privacy, and liberty. -AI & Machine Learning -Blockchain -Data mining -Mixed Reality -Natural Language Search

Tell me about "Fundamental Assertions" in Zero Trust

There are fundamental assertions about Zero Trust:
- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user, and network flow is authenticated and authorized.
- Policies must be dynamic and calculated from as many sources of data as possible.

Patch Released, in terms of Eliminating a Vulnerability

The window between the discovery of a vulnerability and the development and release of a patch is the period during which the vulnerability is a zero-day threat; an exploit that takes advantage of it during that window is a zero-day exploit.

Dynamically Define Access from Devices or Device Groups to Sensitive Applications and Data and From Users and User Groups to Specific Devices:

This is important in IoT-heavy environments, where devices may access applications and data in the same way a user would. For example, medical equipment may be sending sensitive data to specific applications or repositories. Malicious or even accidental access might disrupt manufacturing equipment or industrial control systems.
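As an added example (not code from the study set or from any vendor), the toy policy engine below contrasts the perimeter model described earlier, which trusts anything that is already on the internal network, with a Zero Trust decision that applies the least privilege principle and the fundamental assertions: every request is checked for an authenticated user, an authorized role, an authorized device group and device posture, and network location is never consulted. The users, devices, device groups and application policies are constructed; the medical device in the inventory acts through a service identity, as IoT equipment accessing an application in the way a user would.

```python
"""Added example, not code from the study set or from any vendor: a toy
access-policy engine that contrasts the perimeter model (anything on the
internal network is trusted) with a Zero Trust decision that verifies the
user, the device group and the application for every request and ignores
network location. All users, devices, groups and policies are constructed."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    authenticated: bool   # presented valid credentials (e.g. passed MFA)?
    device: str
    src_zone: str         # "internal", "branch", "internet", "ot" ...
    app: str


# Constructed identity data: user -> roles (a device's service identity is a "user" too).
USER_ROLES = {
    "alice": {"clinician"},
    "bob": {"engineer"},
    "svc-infusion-pump": {"medical-telemetry"},
    "mallory": set(),
}
# Constructed device inventory: device -> group, and device -> posture status.
DEVICE_GROUPS = {
    "laptop-01": "managed-laptop",
    "infusion-pump-7": "medical-device",
    "byod-phone": "unmanaged",
}
DEVICE_COMPLIANT = {"laptop-01": True, "infusion-pump-7": True, "byod-phone": False}

# Constructed policy: which roles and device groups may reach each sensitive application.
APP_POLICY = {
    "ehr-records": {"roles": {"clinician", "medical-telemetry"},
                    "device_groups": {"managed-laptop", "medical-device"}},
    "ci-server":   {"roles": {"engineer"}, "device_groups": {"managed-laptop"}},
}


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: countermeasures sit at the edge, so a request that already
    originates inside the network is trusted without further checks."""
    return req.src_zone == "internal"


def zero_trust_decision(req: Request) -> tuple:
    """Zero Trust: default deny; verify user, role, device group and posture for every
    request. req.src_zone is deliberately never consulted: locality confers no trust."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if not req.authenticated:
        return False, "user not authenticated"
    if not USER_ROLES.get(req.user, set()) & policy["roles"]:
        return False, "role not authorized for application (least privilege)"
    if DEVICE_GROUPS.get(req.device) not in policy["device_groups"]:
        return False, "device group not authorized for application"
    if not DEVICE_COMPLIANT.get(req.device, False):
        return False, "device posture non-compliant"
    return True, "allow"


if __name__ == "__main__":
    samples = [
        Request("mallory", True, "byod-phone", "internal", "ehr-records"),        # stolen creds on the internal LAN
        Request("alice", True, "laptop-01", "branch", "ehr-records"),             # legitimate clinician from a branch
        Request("svc-infusion-pump", True, "infusion-pump-7", "ot", "ci-server"),  # IoT device reaching the wrong app
    ]
    for r in samples:
        print(f"{r.user:>18} -> {r.app:12} perimeter={perimeter_decision(r)!s:5} zero_trust={zero_trust_decision(r)}")
```

The first sample is the case the perimeter model gets wrong: an unauthorized user on a non-compliant device is allowed simply because the request comes from inside. The second is the case it gets wrong in the other direction, blocking a legitimate clinician because she is at a branch. The third shows a device identity being confined to the one application its group is allowed to reach.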

Core Zero Trust Principles - "Inspect and Log All Traffic"

This principle reiterates the need to "always verify" while also reinforcing that adequate protection requires more than just strict enforcement of access control. Close and continuous attention must also be given to exactly what "allowed" applications are actually doing, and the only way to accomplish these goals is to inspect the content for threats.

Tell me about Step 3: Notify Victim

Though seemingly obvious, attackers and victims often speak different languages and have varying levels of technical capabilities. Attackers must alert the victim about the compromise, state the demanded ransom amount, and explain the steps for regaining access.

What is Ransomware Attack?

Though the malware deployed in the current generation of cryptographic ransomware attacks is not especially sophisticated, it has proven very effective at not only generating revenue for the criminal operators but also preventing impacted organizations from continuing their normal operations. New headlines each week demonstrate that organizations large and small are vulnerable to these threats, enticing new attackers to jump onto the bandwagon and begin launching their own ransomware campaigns.

Tell me about how DDoS attacks are used and their impact on an organization

Through:
1. Use of Bots
2. Bruteforce Attack
3. Target
4. Dual Risk
5. Targeted Strategy

Tell me about "Configure Listen-Only Mode"

To get started, security teams can configure a Zero Trust segmentation platform in listen-only mode to obtain a detailed picture of traffic flows throughout the network, including where, when, and to what extent specific users are using specific applications and data resources.
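The following is an added example, not the study set's or any segmentation vendor's code, of what a team does with the output of listen-only mode: flow records are aggregated into a baseline of which user, on which device group, reaches which application from which zone, and the baseline is then split into allow-rule candidates for each application and one-off flows that need a human look before enforcement is switched on. The record format, the flows and the min_flows cut-off are constructed.

```python
"""Added example, not the study set's or any segmentation vendor's code: turning
listen-only flow records into a baseline of who reaches which application from
where, and into candidate allow rules for each protect surface. The record format,
the flows and the min_flows cut-off are constructed for illustration."""
import csv
import io
from collections import defaultdict

# Constructed flow records exported from a platform running in listen-only mode.
FLOW_LOG = """\
ts,user,device_group,src_zone,app,bytes
2024-03-01T08:01:00,alice,managed-laptop,branch,ehr-records,48213
2024-03-01T08:02:10,alice,managed-laptop,branch,ehr-records,1024
2024-03-01T08:05:30,svc-infusion-pump,medical-device,ot,ehr-records,720
2024-03-01T09:12:00,bob,managed-laptop,campus,ci-server,99000
2024-03-01T09:40:00,bob,managed-laptop,campus,ci-server,5000
2024-03-01T22:15:00,bob,managed-laptop,campus,ehr-records,300
"""


def parse_flows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bytes"] = int(row["bytes"])
    return rows


def build_baseline(flows):
    """Aggregate (user, device_group, src_zone, app) -> flow count, bytes, hours seen."""
    baseline = defaultdict(lambda: {"flows": 0, "bytes": 0, "hours": set()})
    for f in flows:
        key = (f["user"], f["device_group"], f["src_zone"], f["app"])
        entry = baseline[key]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
        entry["hours"].add(int(f["ts"][11:13]))   # hour of day from the ISO timestamp
    return dict(baseline)


def candidate_rules(baseline, min_flows=2):
    """Split the baseline into allow-rule candidates for each application (protect
    surface) and one-off flows that need human review before enforcement is turned on."""
    rules, review = [], []
    for (user, group, zone, app), stats in sorted(baseline.items()):
        entry = {"app": app, "user": user, "device_group": group, "src_zone": zone,
                 "flows": stats["flows"], "bytes": stats["bytes"],
                 "hours": sorted(stats["hours"])}
        (rules if stats["flows"] >= min_flows else review).append(entry)
    return rules, review


def report(text):
    rules, review = candidate_rules(build_baseline(parse_flows(text)))
    lines = ["candidate allow rules:"]
    lines += [f"  {r['app']:12} <- {r['user']} ({r['device_group']}) from {r['src_zone']}, {r['flows']} flows"
              for r in rules]
    lines += ["needs review before enforcement:"]
    lines += [f"  {r['app']:12} <- {r['user']} ({r['device_group']}) from {r['src_zone']}, hours {r['hours']}"
              for r in review]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FLOW_LOG))
```

The two flows that land in the review bucket illustrate why the listening phase matters: the infusion pump's single flow to the records application is legitimate and must not be cut off when enforcement begins, while the engineer's one late-night flow to clinical records is exactly the kind of access a micro-perimeter should not silently whitelist.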

Tell me about Step 4: Accept Ransom Payment

To receive payment while evading law enforcement, attackers use cryptocurrencies such as Bitcoin for the transaction.

What is Jasager?

To understand a more targeted approach than the Evil Twin attack, think about what happens when you bring your wireless device back to a location that you've previously visited. When you bring your laptop home, you don't have to choose which access point to use, because your device remembers the details of wireless networks to which it has previously connected. The same goes for visiting the office or your favorite coffee shop.

How does the Prevention Architecture "Provide Full Visibility"

To understand the full context of an attack, the portfolio provides visibility of all users and devices across the organization's network, endpoint, cloud, and SaaS applications.

Have Visibility of and Control Over the Applications and their Functionality in the Traffic:

Traditional security infrastructure describes applications through ports and protocols. Zero Trust's least privilege access model requires precise control over application use that a port and protocol definition cannot achieve.

Tell me about Bruteforce Attack - in a DDoS attack

Unlike other types of cyberattacks, a DDoS attack does not typically employ a prolonged, stealthy approach. Instead, a DDoS attack more often takes the form of a highly visible bruteforce attack that is intended to rapidly cause damage to the victim's network and systems infrastructure and to their business and reputation.
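Because a DDoS attack is loud rather than stealthy, it is one of the easier things to spot in ordinary server logs. The added example below (not from the study set) runs a simple rate-based detector over constructed web-server access-log lines: a window with far more requests than normal is a flood, and when those requests also come from many distinct source addresses it is a distributed one, which is what separates a botnet-driven DDoS from a burst from a single misbehaving host. The log lines, the 10-second window and both thresholds are constructed.

```python
"""Added example, not from the study set: a rate-based detector run over
constructed web-server access-log lines. A brute-force DDoS flood shows up as a
sudden spike of requests in a short window spread across many distinct source
addresses; a spike from a single address is still a flood, but not a distributed
one. Log lines, the 10-second window and both thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Common Log Format: client - - [timestamp] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_log():
    """Constructed log: sparse normal traffic, then a 3-second flood from 40 hosts
    (TEST-NET addresses), then a burst of 60 requests from one host."""
    lines = []
    for i in range(10):
        lines.append(f'10.0.0.{i % 3 + 1} - - [01/Mar/2024:12:00:{i * 5:02d} +0000] "GET / HTTP/1.1" 200 512')
    for host in range(40):
        for k in range(3):
            lines.append(f'203.0.113.{host + 1} - - [01/Mar/2024:12:01:{k:02d} +0000] "GET /login HTTP/1.1" 200 2048')
    for k in range(60):
        lines.append(f'198.51.100.7 - - [01/Mar/2024:12:02:{k % 5:02d} +0000] "POST /login HTTP/1.1" 401 0')
    return lines


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT)


def detect(lines, window=10, req_threshold=50, ip_threshold=20):
    """Bucket requests into fixed windows; alert when a window exceeds req_threshold,
    and classify it as distributed when the distinct-source count also exceeds ip_threshold."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue          # skip malformed lines rather than crash the detector
        ip, when = parsed
        buckets[int(when.timestamp()) // window].append(ip)
    alerts = []
    for b in sorted(buckets):
        ips = buckets[b]
        requests, sources = len(ips), len(set(ips))
        if requests < req_threshold:
            continue
        kind = "distributed flood (DDoS)" if sources >= ip_threshold else "single-source flood"
        alerts.append({
            "window_start": datetime.fromtimestamp(b * window, tz=timezone.utc).isoformat(),
            "requests": requests,
            "sources": sources,
            "kind": kind,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(make_log()):
        print(alert)
```

The thresholds would in practice be derived from the site's own baseline rather than fixed constants, and a real deployment would look at upstream flow data as well as the web log, since a volumetric attack can saturate the link before the web server logs anything.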

What is multi-functional?

Updates from C2 servers can also completely change the functionality of advanced malware. This multifunctional capability enables an attacker to use endpoints strategically to accomplish specific tasks, such as stealing credit card numbers, sending spam containing other malware payloads (such as spyware), or installing ransomware for the purpose of extortion.

Tell me about the Types of Advanced or Modern Malware?

Updates from command-and-control (C2) servers can also completely change the functionality of advanced malware. Characteristics of advanced or modern malware:
1. Obfuscation
2. Polymorphism
3. Distributed
4. Multi-functional

What is Remote Team Meeting Software?

Used for audio conferencing, video conferencing, and screen sharing. -Ex. Adobe Connect, Microsoft Teams, & Zoom

What is Remote Access Software?

Used for remote sharing and control of an endpoint for collaboration or troubleshooting. -Ex. LogMeIn & TeamViewer

What are Social Networks?

Used to share content with business or personal contacts. -Ex. Facebook, Instagram, LinkedIn

Tell me about Coverage for All Security Domains, in the context of Zero Trust

Virtual and hardware appliances establish consistent and cost-effective trust boundaries throughout an organization's network, including in remote or branch offices, for mobile users, at the internet perimeter, in the cloud, at ingress points throughout the data center, and for individual areas wherever they might exist.

Tell me about Vulnerabilities?

Vulnerabilities are routinely discovered in software at an alarming rate. Vulnerabilities may exist in software when the software is initially developed and released, or vulnerabilities may be inadvertently created, or even reintroduced, when subsequent version updates or security patches are installed.

What is WPA3?

WPA3 was published in 2018. Its security enhancements include more robust bruteforce attack protection, improved hotspot and guest access security, simpler integration with devices that have limited or no user interface (such as IoT devices), and a 192-bit security suite. Newer Wi-Fi routers and client devices will likely support both WPA2 and WPA3 to ensure backward compatibility in mixed environments. According to the Wi-Fi Alliance, WPA3 features include improved security for IoT devices such as smart bulbs, wireless appliances, smart speakers, and other screen-free gadgets that make everyday tasks easier.

What is Watering Hole?

Watering hole attacks compromise websites that are likely to be visited by a targeted victim, for example, an insurance company website that may be frequently visited by healthcare providers. The compromised website will typically infect unsuspecting visitors with malware (known as a "drive-by download").

Tell me about Phishing Attacks

We often think of spamming and phishing as the same thing, but they are actually separate processes, and they each require their own mitigations and defenses. Phishing attacks, in contrast to spam, are becoming more sophisticated and difficult to identify. Types of phishing attacks:
1. Spear Phishing
2. Whaling
3. Watering Hole
4. Pharming

What is Whaling?

Whaling is a type of spear phishing attack that is specifically directed at senior executives or other high-profile targets within an organization. A whaling email typically purports to be a legal subpoena, customer complaint, or other serious matter.
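The hallmarks of spear phishing and whaling just described, a sender that impersonates an organization the recipient knows and a pretext framed as a subpoena, complaint or other urgent matter, are all visible in message headers. The added example below (not from the study set) checks constructed messages for a lookalike or homoglyph sender domain, a trusted brand in the display name with an untrusted address behind it, a Reply-To that diverts responses elsewhere, and pressure language in the subject. The trusted-domain list, homoglyph table, keyword list and both messages are constructed, and the heuristics are illustrative rather than a substitute for SPF/DKIM/DMARC checks.

```python
"""Added example, not from the study set: header checks for the sender-spoofing
and pretext patterns typical of spear phishing and whaling. The trusted-domain
list, homoglyph table, keyword list and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains and brand names the recipient actually does business with.
TRUSTED = {"examplebank.com": "example bank", "acme-corp.com": "acme"}
# Assumed homoglyph substitutions attackers use in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URGENCY = re.compile(r"\b(subpoena|complaint|urgent|immediate|wire transfer)\b", re.I)


def normalize(domain):
    """Fold common homoglyphs (0/o, 1/l, rn/m, vv/w) so lookalikes compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED:
        return None
    for trusted in TRUSTED:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def analyze(raw_message):
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} imitates trusted domain {imitated}")
    if domain not in TRUSTED:
        for brand in TRUSTED.values():
            if brand in display_name.lower():
                findings.append(f"display name claims {brand!r} but domain is {domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To diverts responses to {reply_domain}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject uses pressure language typical of whaling lures")
    return findings


# Constructed messages: a whaling lure aimed at an executive, and a benign one.
WHALING = (
    "From: Example Bank Legal Department <notices@exarnplebank.com>\n"
    "Reply-To: legal-desk@mail-relay.example.net\n"
    "To: ceo@victim.example\n"
    "Subject: Subpoena: immediate response required\n"
    "\n"
    "Dear Ms. Smith, the attached court order requires your review today.\n"
)
LEGIT = (
    "From: Alice Rivera <alice.rivera@examplebank.com>\n"
    "To: ceo@victim.example\n"
    "Subject: Q3 account statement\n"
    "\n"
    "Hi, your quarterly statement is available in the portal.\n"
)

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The "rn" in exarnplebank.com is two characters away from examplebank.com by edit distance, so the typosquat check alone would miss it; the homoglyph fold is what catches it. Keeping both checks is the point of the example.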

Tell me about Public Airwaves

Wi-Fi is conducted over public airwaves. The 2.4 GHz and 5 GHz frequency ranges that are set aside for Wi-Fi communications are unlicensed, and the 2.4 GHz band in particular is also shared with other technologies, such as Bluetooth. As a result, Wi-Fi is extremely vulnerable to congestion and collisions.

What is Wireless Security?

Wi-Fi security begins—and ends—with authentication. An organization cannot protect its digital assets if it cannot control who has access to its wireless network.

Tell me about Wireless Technologies

Wireless technologies, partner connections, and guest users introduce countless additional pathways into network branch offices, which may be located in untrusted countries or regions.

How does Zero Trust enable "No Default Trust"?

With Zero Trust there is no default trust for any entity - including users, devices, applications, and packets - regardless of what it is and its location on or relative to the enterprise network.

How it works for Zero Trust to "Identify the Traffic"

With an understanding of the interdependencies among an organization's DAAS (data, applications, assets, and services), infrastructure, services, and users, the security team should put controls in place as close to the protect surface as possible, creating a micro-perimeter around it. This micro-perimeter moves with the protect surface, wherever it goes.

Tell me about Decentralization of IT infrastructure

With applications moving to the cloud, the decentralization of IT infrastructure, and the increased threat landscape, organizations have lost visibility and control.

What is a Logic Bomb?

Malware that is triggered by a specified condition, such as a given date or a particular user account being disabled.

