Section 1.7 - Security Assessment Techniques / 1.8 - Penetration Testing Techniques
Passive Reconnaissance
One is not interacting directly with the target and, as such, the target has no way of knowing, recording, or logging the activity.
Credentialed Scan
A credentialed scan is a much more powerful version of the vulnerability scan; it has higher privileges than a non-credentialed scan.
Maneuver
A cybersecurity maneuver refers to a company's efforts to defend itself by disguising its system, thereby making it difficult for an attacker to successfully infiltrate it.
Bug bounty (Penetration testing)
A monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the hacker community to continuously improve their systems' security posture over time.
Non-Credentialed Scan
A non-credentialed scan has lower privileges than the credentialed scan. It will identify vulnerabilities that an attacker would easily find.
Privilege Escalation
A security hole created when code is executed with higher privileges than those of the user running it; generally this means a higher-level account, but in some cases it is horizontal privilege escalation, where a user gains access to another user's resources.
Vulnerability Scans
A vulnerability scan assesses possible security vulnerabilities in computers, networks, and equipment that can be exploited.
Advisories and Bulletins
Advisories and security bulletins provide good advice on how to keep your company safe. Advisories tend to be released by government-funded agencies; bulletins tend to be released by vendors or private companies.
Footprinting
An ethical hacking technique used to gather as much data as possible about a specific targeted computer system, infrastructure, and networks to identify opportunities to penetrate them.
Sentiment Analysis
Uses artificial intelligence and machine learning to identify attacks; cybersecurity sentiment analysis can monitor articles on social media, look at the text, and analyze the sentiment behind them.
Application Scans
Before applications are released, coding experts perform regression testing that will check code for deficiencies.
Passive Footprinting
Browsing the target website; Google search (Google hacking); performing a WHOIS lookup; visiting social media profiles.
Packet Capture
Can capture packets and analyze them to identify threats as soon as they reach your network, providing an immediate alert to the security team if desired.
Log aggregation (SIEM)
Can correlate and aggregate events so that duplicates are filtered and a better understanding of network events is achieved, helping to identify potential attacks.
SOAR (security orchestration, automation, and response)
Centralized alert and response automation with threat-specific playbooks; tooling that allows an organization to define incident analysis and response procedures in a digital workflow format.
War Flying
Combines war driving with a drone, simply floating above organizations to gather wireless details. Enables collection of information such as SSIDs (wireless network names) and the encryption status of those networks.
Configuration Review
Configuration compliance scanners and Desired State Configuration in PowerShell ensure that no deviations are made from the security configuration of a system.
Web Applications Scans
Crawl through a website as if they were a search engine, looking for vulnerabilities. Perform an automated check for site/app vulnerabilities, such as cross-site scripting and SQL injection.
Threat Feeds
Enable organizations to stay informed about indicators of compromise (IoCs) related to various threats that could adversely affect the network.
Artificial Intelligence
Focuses on accomplishing 'smart' tasks, combining machine learning and deep learning to emulate human intelligence.
Log Reviews
Following a vulnerability scan, it is important to review the log files/reports that list any potential vulnerabilities.
Intelligence Fusion
Fusion centers in the US and abroad play an important role in countering cyber threats, attacks, and crime through gathering, analyzing, and sharing threat information.
Log Collection -> SIEM -> SOAR -> SOC -> Log Collection
Integrates your security processes and tooling in a central location. Response automation using machine learning and artificial intelligence makes it faster than a human at identifying and responding to true incidents.
Partially Known Environment (Penetration Testing)
Limited information is shared with the tester, sometimes in the form of login credentials. Simulates the level of knowledge that a hacker with long-term access to a system would achieve through research and system footprinting; "grey box test".
OSINT (Open Source Intelligence)
Much of the information available from open sources can be categorized as open-source intelligence, or OSINT. The data that you can collect through these open sources is extensive.
Unknown Environment (Penetration Testing)
The penetration tester knows nothing about the target systems and networks. They go into the test completely blind and build out a database of everything they find as they go; "black box test".
Active Footprinting
Ping sweep; tracert analysis; Nmap; extracting DNS information.
Security Monitoring
A real-time protection and event monitoring system that correlates security events from multiple resources, identifies a breach, and helps the security team to prevent the breach.
Rules of Engagement (Penetration testing)
Rules of engagement define the purpose of the test and its scope for the people performing the test on the network; they ensure everyone is aware of which systems will be considered, the date and time, and any constraints.
Log Collectors
A SIEM has built-in log collector tooling that can collect information from both the syslog server and multiple other servers. An agent is placed on the device that can collect log information, parse and restructure the data, and pass it to the SIEM for aggregation.
Event Reporting (Review Reports)
A SIEM typically includes a dashboard and collects reports that can be reviewed regularly to ensure that policies have been enforced and that the environment is compliant; these highlight whether the SIEM system is effective and working properly.
Common Vulnerabilities and Exposures (CVE)
Simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments.
Data inputs (SIEM)
The SIEM system collects a massive amount of data from various sources.
National Vulnerability Database (NVD)
The U.S. government repository of standards-based vulnerability management data.
Non-Intrusive Scans
These are passive and merely report vulnerabilities. They do not cause damage to your system.
Network Scans
These scans look at computers and devices on your network and help identify weaknesses in their security.
User and Entity Behavior Analytics (UEBA)
This is based on a user's interactions, focusing on their identity and the data they would normally access on a typical day; it tracks the devices the user normally uses and the servers they normally visit.
True Positive
This is where the results of the system scan agree with the manual inspection.
False Negative
When there is a vulnerability, but the scanner does not detect it.
False Positive
Where the scan believes that there is a vulnerability, but when physically checked it is not there.
Deep learning
A subfield of machine learning concerned with algorithms, called artificial neural networks, that are inspired by the structure and function of the brain.
Machine Learning
A subset of AI: computer algorithms that improve automatically through experience and the use of data.
Pivoting (penetration testing)
Also known as island hopping: a compromised system is used to attack another system on the same network following the initial exploitation. If the compromise is introduced at a different time than the attack, then it is said to involve persistence.
Drones
Can be leveraged in multiple ways for passive reconnaissance, from assessing physical security to gathering wireless network information.
Intrusive Scans
Can cause damage as they try to exploit the vulnerability, and should be used in a sandbox and not on your live production system.
Threat Hunting
The dynamic process of seeking out cybersecurity threats inside your network, from attackers and malware.
Cleanup (Penetration testing)
The final stage of a penetration test, in which all work done during the testing process is cleaned up/removed.
Lateral Movement
Gaining access to an initial system, then moving to other devices on the inside of the network.
War driving
Gathering wireless network information while driving around the streets of a city.
Persistence
In the context of penetration testing, refers to the tester's ability to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access.
Active Reconnaissance
Interacts directly with the target in some way and, as such, the target may discover, record, or log these activities.
Known Environment (Penetration testing)
The penetration tester is given a map of the target systems and networks. They go into the test with substantial/full information about the target systems and networks; 'white box test'.
SIEM (Security Information and Event Management)
A system that collects data from many other sources within the network. Provides real-time monitoring, analysis, correlation, and notification of potential attacks.
Common Vulnerability Scoring System (CVSS)
The overall score assigned to a vulnerability. It indicates severity and is used by many vulnerability scanning tools.