Module 01: Introduction to ethical hacking

State-Sponsored Hackers

individuals employed by the government to penetrate and gain top-secret information from and do damage to the information systems of other governemnts

Cyber Kill Chain Methodology

1) A component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. 2) It provides greater insight into attack phase, which helps security professionals to understand the adversary's tactics, techniques, and procedures beforehand.

Scope of ethical hacking

1) A crucial component of risk assessment, auditing, counter fraud, and information systems security best practices. 2) It is used to identify risks and highlight remedial actions, it also reduces ICT cost by resolving vulnerabilities

Motives, Goals and objectives of information security attacks

1) A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system. 2) Attackers try various tools and attack techniques to exploit vulnerabilities in a computer system or its security policy and controls in order to fulfil their motives.

Payment card industry data security standard (PCI DSS)

1) A proprietary information security standard for organizations hat handle cardholder information for major debit,, credit 2) PCI DSS applies to all entities involved in payment card processing

Defense-In-Depth

1) A security strategy in which several protection layers are placed throughout an information system. 2) It helps to prevent direct attacks against the system and its data because a break in one layer only leads the attacker to the next layer.

Hacker

1) An intelligent individual with excellent computer skills who can create and explore computer software and hardware. 2) Hacking is a hobby to see how many computers or network they can compromise. 3) Some of their intentions can either be to gain knowledge or to probe and do illegal things. 4) Some hack with malicious intent such as to steal business data, credit card information, social security numbers, email passwords, and other sensitive data.

Distribution attack

1) Distribution attacks occur when attack tamper with hardware or software prior installation. 2) Attackers tamper with the hardware or software at its source or in transit

Tactics

1) Guidelines that describe the way an attacker performs the attack from beginning to the end. 2) This guideline consists of the various tactics for information gathering to perform initial exploitation, privilege escalation, and lateral movement, and to deploy measures for persistent access to the system and other purpose

Strategic Threat Intelligence

1) High-level information on changing risk 2) Consumed by high-level executives and manager

Technical Skills of an ethical hacker

1) In depth knowledge of major operating environments such as Windows, Unix, Linux and Macintosh. 2) In depth knowledge of networking concepts, technologies, and related hardware and software. 3) A computer expert adept at technical domains 4) Knowledgeable about security areas and related issues 5) "High technical" knowledge for launching sophisticated attacks

Operational Threat Intelligence

1) Information on a specific incoming attack 2) Consumed by Security Managers and Network defenders

Tactical Threat Intelligence

1) Information on attackers' TTPs 2) Consumed by IT service and SOC managers, Administrators

Technical Threat Intelligence

1) Information on specific indicators of compromise 2) Consumed by SOC staff and IR teams

Adversary Behavioral Identification

1) Involves the identification of the common methods or techniques followed by an adversary to launch attacks on or to penetrate an organization's network. 2) It gives the security professionals insight into upcoming threats and exploits.

Ethical Hacking

1) Involves the use of hacking tools, trick, and techniques to identify vulnerabilities and ensure system security. 2) It focuses on simulating the techniques used by attackers to verify the existence of exploitable vulnerabilities in a system's security. 3) They perform security assessments for an organization with the permission of concerned authorities.

Role of AI and ML in cyber security

1) ML and AI and now vastly used across various industries and applications due to the increase in computing power, data collection, and storage capabilities. 2) ML is an unsupervised self-learning system that is used to define what the normal network looks like, along with its devices, and then to backtrack and report any deviations or anomalies in real-time. 3) AI and ML in cyber security helps in identifying new exploits and weaknesses, which can then be easily analyzed to mitigate further attacks.

Procedures

1) Organizational approaches that threats actors follow to launch an attack. 2) The number of actions usually differs depending on the objectives of the procedure and threat actor group.

Hacking Phase: Scanning

1) Pre-attack phase when the attackers scans the network for specific information based on information gathered during reconnaissance. 2) Include the use of dialers, port scanners, network mappers, ping tools, and vulnerability scanners. 3) Attackers extract information such as live machines, port, port status, OS details, device type, and system uptime to launch attack.

Hacking

1) Refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system's resources. 2) It involves modifying system or application features to achieve a goal outside of the creator's original purpose. 3) Used to steal and redistribute intellectual property, leading to business loss.

Hacking Phase: Clearing Tracks

1) Refers to the activities carried out by an attacker to hide malicious acts 2) The attacker's intentions include obtaining continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution 3) The attacker overwrites the server, system, and application logs to avoid suspicion. 4) Attackers always cover their tracks to hide their identity.

Risk

1) Refers to the degree of uncertainty or expectation that an adverse event may cause damage to the system. 2) Categorized into different levels according to their estimated impact on the system. 3) Matrix is used to scale risk considering the probability, likelihood, and consequences or impact of the risk.

Hacking Phase: Maintaining Access

1) Refers to the phase when the attacker tries to retain their ownership of the system 2) Attackers may prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits, or trojans 3) Attackers can upload, download, or manipulate data, applications, and configurations on the owned system 4) Attackers use the compromised system to launch further attacks

Hacking Phase: Gaining Access

1) Refers to the point where the attacker obtains access to the operating system or applications on the target computer or network. 2) The attacker can gain access at the operating system, application, or network levels 3) The attacker can escalate privileges to obtain complete control of the system. In this process, the target's connected intermediate systems are also compromised.

Non-technical skills of an ethical hacker

1) The ability to learn and adopt new technologies quickly. 2) Strong work ethics and good problem solving and communication skills. 3) Committed to the organization's security policies 4) An awareness of local standards and laws.

Indicators of Compromise (IoCs)

1) The clues, artifacts, and pieces of forensic data found on the network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure. 2) IoCs are not intelligence although they do act as a good source of information regarding the threats that serve as data points in the intelligence process. 3) Security professionals need to perform continuous monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats.

Cyber Threat intelligence

1) The collection and analysis of information about threats and adversaries and the drawing of pattern that provide the ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyber-attacks 2) Helps the organization to identify and mitigate various business risks by converting unknown threats into known threats; it helps in implementing various advanced and proactive defense strategies.

Hacking Phase: Reconnaissance

1) The preparatory phase where an attacker seeks to gather information about a target prior to launching an attack. 2) This information could be the future point of return, noted for ease of entry for an attack, when more about the target is known on a broad scale. 3) The target range may include the target organization's clients, employees, operations, networks, and systems.

Techniques

1) The technical methods used by an attacker to achieve intermediate results during the attack. 2) These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, covering the tracks of data exfiltration, and others.

Reasons why organizations recruit ethical hacker

1) To prevent hackers from gaining access to the organization's information system 2) To uncover vulnerabilities in systems and explore their potential as a security risk 3) To analyze and strengthen an organization's security posture, including policies, network protection infrastructure, and end-user practices 4) To provide adequate preventive measures in order to avoid security breaches 5) To help safeguard customer data 6) To enhance security awareness at all levels in a business

Limitations of ethical hacking

1) Unless the business already know what they are looking for and why they are hiring an outside vendor to hack systems in the first place, chances are there would not be much to gain from the experience. 2) An ethical hacker can help the organization to better understand its security system; it is up to the organization to place the right safeguards on the network

Non-repudiation

A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.

Threat modeling

A risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects security of an application

Incident Management

A set of defined processes to identify, analyze, prioritize and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident.

ScriptKiddies

An unskilled hacker who compromises a system by running scripts, tools, and software that were developed by real hackers

Risk Assessment

Assesses the organization's risk and provides an estimate of the likelihood and impact of the risk

Confidentiality

Assurance that the information is accessible only to those authorized to have access

Availability

Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized user.

Passive attacks

Do not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network

Examples of active attacks

DoS, Man-In-The-Middle, session hijacking and SQL injection

Example of behavioral indicators

Document executing PowerShell script, and remote command execution.

Risk Tracking

Ensures appropriate controls are implemented to handle known risks and calculates the chances of a new risk occurring.

Risk Review

Evaluates the performance of the implemented risk management strategies

Example of host-based indicators

Filenames, file hashes, registry keys, DLLs, and mutex

Host-based indicators

Found by performing an analysis of the infected system within the organizational network

Categories of IoCs

Helps security professional to quickly detect the threats against the organization and protect the organization from evolving threats

Risk Identification

Identifies the sources, causes, consequences, and other details of the internal and external risk affecting the security of the organization.

White Hats

Individual who use their professed hacking skills for defensive purposes and are also known as security analysts. They have permission from the system owner

Suicide Hackers

Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment

Hacktivist

Individuals who promote a political agenda by hacking, especially by defacing or disabling websites

Gray Hats

Individuals who work both offensively and defensively at various times

Black Hat

Individuals with extraordinary computing skills; they resort to malicious or destructive activities and are also known as cracker

CyberTerrorists

Individuals with wide range of skills who are motivated by religious or political beliefs to create fear through the large-scale disruption of computer networks

Elements of Information Security

Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering and disruption of information and services is low or tolerable.

Passive reconnaissance

Involved acquiring information without directly interacting with the target

Active Reconnaissance

Involved directly interacting with the target by any means

Insider attack

Involved in using privileged access to violate rules or intentionally cause to the organization's information or information system

Necessity of ethical hacking

It allows for counter attacks against malicious hackers through anticipating the methods used to break into the system

Supervised Learning

Makes use of algorithms that input a set of labeled training data, with the aim of learning the differences between the labels.

Unsupervised Learning

Makes use of algorithms that input unlabeled training data, with the aim of deducing all categories by itself

Close-in attacks

Performed when the attacker is in close physical proximity with the target system or network in order to gather, modify or disrupt access to information

Defensive Information Warfare

Refers to all strategies and actions designed to defend against attacks on ICT assets

Offensive Information Warfare

Refers to information warfare that involves attacks against the ICT assets of an opponent.

Information Assurance (IA)

Refers to the assurance that the integrity, availability, confidentially, and authenticity of information and information systems is protected during the usage, processing, storage and transmission of information.

Authenticity

Refers to the characteristics of a communication, document, or any data that ensures the quality of being genuine.

Tactics, Techniques, and Procedures (TTPs)

Refers to the patterns of activities and methods associated with specific threat actors or group of threat actors

Information Warfare

Refers to the user of information and communication technologies (ICT) to gain competitive advantages over an opponent.

Examples passive reconnaissance

Searching public records or news releases

Risk Treatment

Selects and implements appropriate controls for the identified risks

Examples of passive attacks

Sniffing, eavesdropping

Examples of close-in attacks

Social engineering such as eavesdropping, shoulder surfing, and dumpster diving

ISO IEC 27001:2013

Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization

Active attacks

Tamper with the data in transit or disrupt the communication or services between the systems to bypass or break into secured systems

Example active reconnaissance

Telephone calls to the target's help desk or technical department

Risk Management

The process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program

Incident handling and response

The process of taking organized and careful steps when reacting to a security incident or cyberattack

Example of email indicator

The sender's email address, email subject and attachment or links

Integrity

The trustworthiness of data or resources in terms of preventing improper or unauthorized changes

Example of insider attack

Theft of physical devices and planting keyloggers, backdoors and malware

Example of network indicators

URLs, domain names, and IP address

Behavioral indicators

Used to identify specific behavior related to malicious activites

Email indicators

Used to send malicious data to the target organization or individual.

Network indicators

Useful for command and control, malware delivery, identifying the operating system and other tasks