Section 1.7- Security Assessment Techniques/ 1.8- Penetration Testing Techniques

Passive Reconnaissance

one is not interacting directly with the target and as such, the target has no way of knowing, recording, or logging activity.

Credentialed Scan

A credential scan is a much more powerful version of the vulnerability scanner; It has higher privileges than a non-credentialed scan

Maneuver

A cybersecurity maneuver, then, refers to a company's efforts to defend itself by disguising its system, thereby making it difficult for an attacker to successfully infiltrate

Bug bounty (Penetration testing)

A monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the hacker community to improve their systems' security posture over time continuously.

Non-Credentialed Scan

A non-credentialed scan has lower privileges than the credentialed scan. -It will identify vulnerabilities that an attacker would easily find.

Privilege Escalation

A security hole created when code is executed with higher privileges than those of the user running it; generally a higher-level account, but in some cases, it is horizontal privilege escalation where a user gains access to another users' resources

Vulnerability Scans

A vulnerability scan assesses possible security vulnerabilities in computers, networks, and equipment that can be exploited.

Advisories and Bulletins

Advisories and security bulletins provide good advice on how to keep your company safe. The advisories tend to be released government-funded agencies. Bulletins tend to be released by vendors or private companies.

Footprinting

An ethical hacking technique used to gather as much data as possible about a specific targeted computer system, infrastructure and networks to identify opportunities to penetrate them.

Sentiment Analysis

Artificial intelligence and machine learning to identify attacks; Cybersecurity sentiment analysis can monitor articles on social media, look at the text and analyze the sentiment behind the articles

Application Scans

Before applications are released, coding experts perform regression testing that will check code for deficiencies.

Passive Footprinting

Browsing target website Google search (Google hacking) Performing WHOIS lookup Visiting social media profiles

Packet Capture

Can capture packets and analyze them to identify threats as soon as they reach your network, providing immediate alert to security team if desired.

Log aggregation (SIEM)

Can correlate and aggregate events so that duplicates are filtered and a better understanding network events is achieved to help identify potential attacks.

SOAR (security orchestration, automation, and response)

Centralized alert and response automation with threat-specific playbooks; tooling that allows an organization to define incident analysis and response procedures in a digital workflow format

War Flying

Combines war driving with a drone and simply float above all of these organizations to gather wireless details. Enables accumulation of information like SSID or wireless network names, and encryption status of these networks

Configuration Review

Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.

Web Applications Scans

Crawl through a website as if they are a search engine looking for vulnerabilities. Perform an automated check for site/app vulnerabilities, such as cross-site scripting and SQL injection

Threat Feeds

Enable organizations to stay informed about indicators of compromise (IoCs) related to various threats that could adversely affect the network.

Artificial Inteligence

Focuses on accomplishing 'smart' tasks combining machine learning and deep learning to emulate human intelligence

Log Reviews

Following a vulnerability scan, it is important to review the log files/reports that list any potential vulnerabilities.

Intelligence Fusion

Fusion centers in the US and abroad play an important role in countering cyber threats, attacks, and crime through gathering, analyzing, and sharing threat information.

Log Collection->SIEM->SOAR->SOC->Log Collection

Integrates your security processes and tooling in a central location. Response automation, using machine learning and artificial intelligence. Make it faster than human in identifying and responding to true incidents

Partially Known Environment(Penetration Testing)

Limited information is shared with the tester, sometime in the form of login credentials. Simulate the level of knowledge that a hacker with long-term access to a system would achieve through research and system foot printing; "grey box test"

OSINT (Open Source Intelligence)

Much of this information in the open source can be categorized as open-source intelligence or OSINT. The data that you can collect through these open sources is extensive

Unknown Environment (Penetration Testing)

Penetration tester knows nothing about target systems and networks, They go into the test completely blind and build out the database of everything they find as they go; "black box test"

Active Footprinting

Ping sweep Tracert analysis Nmap Extracting DNS information

Security Monitoring

Real-time protection and event monitoring system that correlates the security events from multiple resources, identifies a breach, and helps the security team to prevent the breach

Rules of Engagement (Penetration testing)

Rules of engagement define the purpose of the test, and what the scope will be for the people who are performing this test on the network; ensure everyone will be aware of what systems will be considered, date and time, and any constraints all should be aware of

Log Collectors

SIEM has built-in log collector tooling that can collect information from both the syslog server and multiple other servers. An agent is placed on the device that can collect log information, parse and restructure data, and pass to SIEM for aggregation.

Event Reporting (Review Reports)

SIEM typically includes dashboard and collects reports that can be reviewed regularly to ensure that the policies have been enforced and that the environment is compliant Highlight whether SIEM system is effective and working properly

Common Vulnerability and Exposures (CVE)

Simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments

Data inputs (SIEM)

The SIEM system collects a massive amount of data from various sources

National Vulnerability Database (NVD)

The U.S. government repository of standards-based vulnerability management data

Non-Intrusive Scans

These are passive and merely report vulnerabilities. They do not cause damage to your system.

Network Scans

These scans look at computers and devices on your network and help identify weaknesses in their security.

User Entity Behavior Analysis(UEBA)

This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day; tracks the devices that the user normally uses and the servers that they normally visit

True Positive

This is where the results of the system scan agree with the manual inspection

False Negative

When there is a vulnerability, but the scanner does not detect it

False Positive

Where the scan believes that there is a vulnerability but when physically checked, it is not there

Deep learning

a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural network

Machine Learning

a subset of AI, computer algorithms that improve automatically through experience and the use of data

Pivoting (penetration testing)

also known as island hopping a compromised system is used to attack another system on the same network following the initial exploitation. If the compromise is introduced at a different time than the attack, then it is aid to involve persistence

drones

can be leveraged in multiple ways for passive reconnaissance, from assessing physical security to gathering wireless network information

Intrusive Scans

can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.

Threat Hunting

dynamic process of seeking out cybersecurity threats inside your network from attackers and malware threats

Cleanup (Penetration testing)

final stage of a penetration test, in which all work done during the testing process is cleaned up/removed

Lateral Movement

gaining access to an initial system, then moving to other devices on the inside of the network

War driving

gathering wireless network information while driving around the streets of a city

Persistence

in the context of penetration testing refers to the testers ability to achieve a persistent presence in the exploited system- long enough for a bad actor to gain in-depth access

Active Reconnaissance

interacts directly with the target in some way and as such, the target may discover, record, or log these activities.

Known Environment (Penetration testing)

penetration tester is given a map of target systems and networks. They go into the test with substantial/full information of the target systems and networks; 'white box test'

SIEM (Security Information and Event Management)

system that collects data from many other sources within the network. provides real-time monitoring, analysis, correlation & notification of potential attacks.

Common Vulnerability Scoring System (CVSS)

the overall score assigned to a vulnerability. It indicates severity and is used by many vulnerability scanning tools.