Unit 11 Security Assessments
Documentation/Contracts - Rules of engagement
A document that defines exactly how the penetration test will be carried out. The following should be defined in the rules of engagement:
- Type of test - whether the test will be a white box, black box, or gray box test.
- Data handling - an explicit statement of how sensitive data is to be handled. Be aware that the pentester will typically come across sensitive data during a penetration test.
- Notifications - the detailed process on when and how to notify the IT team.
Python
An easy-to-read and easy-to-understand programming language.
IDS/IPS State - False negative
A false negative traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.
IDS/IPS State - False positive
A false positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.
Device Implementation Methods - Host-based
A host-based IDS (HIDS) is a program installed on the host system itself that monitors all traffic coming into the host. A host-based IDS:
- Is used to detect attacks that are unique to the services and applications on that system. It can monitor application activity and modifications as well as local system files, logon audit files, and kernel audit files.
- Is typically unaware of other devices on the network, but can be detected and could be the target of an attack itself.
- May rely on the auditing and logging capabilities of the operating system.
- Can analyze encrypted traffic (because services running on the host decrypt the traffic).
Antivirus software is the most common form of a host-based IDS. One issue with host-based IDSs is that the software must be installed and configured on each system being protected. This can lead to excessive administrative effort. Also, if the host system is compromised, the log reports on that system become unreliable because the attacker may have modified the log files.
Vulnerability Scan Options - Intrusive
An intrusive scan finds a potential vulnerability and then actively attempts to exploit it. This leads to more accurate results but cannot be done on a live system.
Common Vulnerabilities and Exposures (CVE)
A list of standardized identifiers for known software vulnerabilities and exposures.
Roles of Protocol Analyzers - Malicious user/hacker
A malicious user can use the protocol analyzer to find the same information as the network administrator and SecOps teams. By themselves, protocol analyzers cannot be used to perform an attack. However, protocol tools can be used with protocol analyzers for active interception of network traffic to perform attacks, such as:
- Spoofing
- Man-in-the-middle attacks
- Replay attacks
- TCP/IP session hijacking
- MAC flooding
A hacker can also use the analyzer to perform system fingerprinting. System fingerprinting identifies which operating system the system is running based on how it responds to different types of network traffic.
Promiscuous mode
A mode in which the NIC processes every frame it sees, not just those addressed to it.
IDS/IPS State - Negative
A negative traffic assessment means that the system deemed the traffic harmless and let it pass.
Roles of Protocol Analyzers - Network administrator
A network administrator can use the protocol analyzer to assist in the management of the network and employee usage. The protocol analyzer can help to:
- Monitor and log network traffic as it is transmitted over the network.
- Check for specific protocols on the network, such as SMTP, DNS, POP3, and ICMP. Identifying the specific protocols helps to:
-- Identify devices that might be using unallowed protocols, such as ICMP, or legacy protocols such as IPX/SPX or NetBIOS.
-- Identify traffic that might be sent by attackers.
- Examine the data contained within a packet. For example, by looking at the packet data, the network administrator can identify users who are connecting to unauthorized websites.
- Analyze network performance.
- Troubleshoot communication problems or investigate the source of heavy network traffic.
Device Implementation Methods - Network-based
A network-based IDS (NIDS) is a dedicated device installed on the network. It analyzes all traffic on the network in real time. There are two options when installing an NIDS:
- The first option is to install the NIDS out of band. This means it is installed outside the flow of traffic.
-- The IDS is usually connected with a network tap, such as a switch. This allows it to monitor network traffic without being in the way.
- The other option is to install the NIDS as an inline device. This means it is installed in the flow of traffic and all traffic goes through the NIDS. It is then analyzed and either allowed to continue on or is stopped.
Some other things to be aware of when implementing an NIDS are:
- An NIDS is typically unaware of individual hosts on the network. It cannot be detected by attacking systems.
- An NIDS is particularly well suited for detecting and blocking port scanning and DoS attacks.
- An NIDS is unable to analyze encrypted traffic.
- An NIDS should be placed at all critical junctions within a network, including backbones and critical choke points, such as:
-- Inside the DMZ
-- Between the firewall and the internal LAN
-- Near any critical information assets
-- If using a switch on the network, the NIDS must be placed on a special port called a spanning or diagnostic port that directly connects to the backbone of the switch. This way, the NIDS can see all traffic on that segment.
- A control center should be set up to receive all IDS data. This is where all decision-making should take place in regards to NIDS communications.
- An application-aware NIDS can analyze network packets to detect malicious payloads targeted at Application layer services (such as a web server).
Vulnerability Scan Options - Non-intrusive
A non-intrusive scan is the more common type of scan performed. This method scans the network and lists all potential vulnerabilities but is unable to validate whether the system is actually vulnerable. This type of scan can be performed on live systems and requires the network defender to take additional actions.
IDS
A passive IDS monitors, logs, and detects security breaches, but it takes no action to stop or prevent the attack. A passive IDS:
- Can send an alert, but this requires the security administrator to interpret the degree of the threat and respond accordingly.
- Cannot be detected on the network because it takes no detectable actions.
IDS/IPS State - Positive
A positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack.
Command shell
A program that provides an interface to give users access to operating system functions and services.
Threat feed
A service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs, and other relevant information regarding the threats.
Security Orchestration, Automation and Response
A solution stack of compatible software programs that collect data about security threats from multiple sources and respond to low-level security events without human assistance.
Port mirroring
A switch mode in which all frames sent to all other switch ports will be forwarded on the mirrored port.
Common Vulnerability Scoring System
A system that ranks vulnerabilities based on severity.
Documentation/Contracts - Scope of work
A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work. The scope of work should answer the:
- Who - specific IP ranges, servers, applications, etc. should be explicitly listed.
- What - anything that is off limits, such as specific servers or tactics, should be explicitly listed.
- When - the time frame for the penetration test. This should identify how long the test will run, the deliverables, and when the deliverables are due.
- Where - the location of the penetration tester. Sometimes the penetration tester will be located in a different state. In this case, all parties must agree on which state's laws will be followed.
- Why - the purpose and goals of the test. Penetration tests are often performed for compliance purposes, and these requirements must be detailed in the document.
Special considerations, such as travel, required certifications, or anything else unexpected, will be defined in the scope of work. Finally, the scope of work should define payment and how to handle requests for additional work. This will help to reduce scope creep.
Advisories and bulletins
Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.
Reconnaissance
Also known as footprinting. This is the process of gathering information about a target before beginning any penetration test or security audit.
Signature-based detection
Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.
IPS
An active IDS, also called an IPS, performs the functions of an IDS but can also react when security breaches occur. An IPS:
- Can automate responses to malicious or suspicious traffic.
- Can terminate sessions (using the TCP-RST command) or restart other processes on the system.
- Performs behaviors that can be seen by anyone watching the network. Usually these actions are necessary to block malicious activities or discover the identity of an intruder. Updating filters and performing reverse lookups are common behaviors of an active IDS.
Man-in-the-middle (MITM) attack
An attack in which the hacker intercepts communications between two devices.
Distributed denial of service (DDoS)
An attack that is designed to bombard the target with more data than it can handle, causing it to shut down.
DNS attack
An attack that targets DNS services.
Open-Source Intelligence (OSINT)
Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.
MAC flooding
Attack against a network switch in which the attacker sends a large number of Ethernet frames with various MAC addresses, overwhelming the switch. The switch is overloaded and sends traffic to all ports.
MAC spoofing
Attack in which the hacker spoofs the MAC address of the gateway. This results in the spoofed address overwriting the gateway's MAC address in the switch's CAM table.
ARP poisoning
Attack targeting the ARP protocol. The attacker changes the ARP cache by spoofing the IP address of a target.
Security Teams - Blue team
Blue team members are the defense of the system. This team is responsible for stopping the red team's advances.
Macros
Code that is used to perform a series of steps or functions inside a specific application.
SIEM Components - Collectors
Collectors are responsible for gathering all event logs from the configured devices and securely sending them to the SIEM system. Collectors are basically the middleman between devices and the SIEM system. Additional sensors can be set up on the network to gather other data, such as network packets or data inputs from specified network devices. This data is also sent to the collectors, which then forward it to the SIEM system.
Additional Assessments - Log auditing
Computer systems generate log files for all events that happen on the system. Following a security breach, these log files can be reviewed to determine the cause of the breach and how it happened. Regular log auditing can also help discover potential security issues.
Reconnaissance Tools - Curl and wget
Curl and wget are two common command line programs that can be used to download or upload files. An example of using these tools is to download an entire website for offline analysis. Because these tools actively engage with the target, they are considered active reconnaissance tools.
Intrusion detection system
Device or software that monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack.
Intrusion prevention system
Device that monitors, logs, detects, and can also react to stop or prevent security breaches.
Reconnaissance Tools - Dnsenum
Dnsenum is a program that performs DNS enumeration and can find the DNS servers and entries for an organization. This information can help find other information such as usernames, computer names, IP addresses, and more.
Passive Reconnaissance Methods - Eavesdropping
Eavesdropping is the act of covertly listening in on a communication between other people. This can include:
- Listening to employees' conversations without them knowing.
- Shoulder surfing, which is an eavesdropping technique where the listener obtains passwords or other confidential information by looking over the shoulder of the target as the target logs on or types information.
- Dumpster diving, which is also considered eavesdropping. When dumpster diving, the attacker goes through the trash to find important information that may have accidentally been thrown away.
Protocol analyzer
Hardware or software used for monitoring and analyzing digital traffic over a network. Protocol analyzers go by other names, such as packet sniffers, packet analyzers, network analyzers, network sniffers, or network scanners.
Detection Methods - Heuristic-based
Heuristic-based detection, also referred to as behavior, anomaly, or statistical-based detection, first defines a baseline of normal network traffic and then monitors it. It looks for anything that falls outside that baseline.
- Clipping levels, or thresholds, are defined and used to identify deviations from the baseline.
- When the threshold is reached, an alert is generated or action is taken.
- Heuristic-based systems can recognize and respond to some unknown attacks (attacks that do not have a corresponding signature file).
- This detection method usually causes more false positives than signature-based detection.
hping
Hping is a security tool that can check connectivity and also analyze the target to gather information. Hping can send ICMP, TCP, UDP, and RAW-IP packets. Hping is primarily designed for Linux but can be installed on Windows.
Engine
IDS component that analyzes sensor data and events, generates alerts, and logs all activity.
Sensor
IDS component that passes data from the source to the analyzer.
Vulnerability Scan Options - Credentialed
In a credentialed scan, the scanner uses an administrator's or other account's credentials to perform the scan. This method gives a deeper look at the network and is able to identify more vulnerabilities than a non-credentialed scan. For example, a credentialed scan of a Windows workstation allows the Registry to be probed for security vulnerabilities. These scans can be more difficult to manage in a large organization because credentials are needed for each host being scanned.
Security Teams - Purple team
Members of the purple team work on both offense and defense. This team is a combination of the red and blue teams.
Reconnaissance Tools - Nessus
Nessus is a proprietary vulnerability scanner that is developed by Tenable. Nessus can be used to scan the target for any known vulnerabilities, which can be exploited to gain access to the target.
Penetration Testing Life Cycle Phases - Maintain Access
Once the pentester has gained access, maintaining that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans.
Passive Reconnaissance Methods - Open-source intelligence (OSINT)
Open-source intelligence is any data that is collected from publicly available sources. The goal is to gather as much personally identifiable information (PII) as possible. This includes information found from resources such as:
- Search engines (Google, Bing)
- Social media (Facebook, LinkedIn)
- Company websites (About sections of websites, company directories)
- Media sources (news sites, interviews, articles)
- Public government sources (property appraisal sites, public records)
Passive Reconnaissance Methods - Packet sniffing
Packet sniffing is the process of capturing data packets that are flowing across the network and analyzing them for important information. Modern networks should have good protection against network sniffing attacks, but there are occasional circumstances that allow an attacker to gather sensitive information from the data packets. Packet sniffing is most easily performed on open wireless networks. Because the attacker is not sending data or actively interacting with the target, this is considered passive reconnaissance. Scanning for open wireless networks needs to be done before packets can be sniffed. Two common methods are war driving and war flying:
- War driving is driving around with a wireless device looking for open, vulnerable wireless networks.
- War flying uses drones or unmanned aerial vehicles to find open wireless networks.
Types of Penetration Tests - Black box
Penetration test in which the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats.
Types of Penetration Tests - White box
Penetration test in which the ethical hacker is given full knowledge of the target or network. This allows for a comprehensive and thorough test, but it is not very realistic.
Types of Penetration Tests - Gray box
Penetration test in which the ethical hacker is given partial information about the target or network, such as IP configurations, email lists, etc. This test simulates the insider threat.
ping
Ping is a command line tool that is used to perform a connection test between two network devices. Ping works by sending ICMP packets to a specified device on the network and waiting for a response. This shows whether or not there is a connection issue. The syntax for the ping command is: ping <target IP address or hostname>
The following switches are the more common switches that can be used to modify the ping command:
- -t sends ICMP packets until manually stopped.
- -a resolves addresses to hostnames.
- -n <count> specifies the number of ICMP packets to send. Ping sends 4 packets by default.
- -l <size> specifies the packet size in bytes. Ping sends 32-byte packets by default.
Penetration Testing Life Cycle Phases - Scan/enumerate
Running scans on the target is the second phase. During this phase, the ethical hacker is actively engaged with the target. Enumeration is part of the scanning phase. Enumeration uses scanning techniques to extract information such as:
- Usernames
- Computer names
- Network resources
- Share names
- Running services
SOAR System Components - Security response
SOAR systems are able to automatically take actions against threats. For example, if malware is discovered, the SOAR system can automatically identify and quarantine the threat as needed.
False negative
Scan results that indicate no vulnerability when a vulnerability exists.
False positive
Scan results that indicated a vulnerability, but there is none.
Reconnaissance Tools - Shodan
Shodan is a popular search engine for internet-connected devices. Users are able to search for specific types of devices and locations. This information can be used to see if a target has any online devices without proper security.
Detection Methods - Signature-based
Signature-based detection, also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS), looks for patterns in network traffic and compares them to known attack patterns called signatures. Similar to how viruses have a unique fingerprint that antivirus programs use to detect their presence, malicious packets have a unique fingerprint that the IDS can use to do the same. These fingerprints are referred to as signatures.
- Signatures are written and updated by the IDS vendors.
- Signature-based detection cannot detect unknown attacks; it can only detect attacks identified by published signature files. For this reason, it is important to update signature files on a regular basis.
- Signature-based detection usually causes more false negatives than heuristic-based detection.
Reconnaissance Tools - Sn1per
Sn1per is an automated scanner that can be used to enumerate and scan for vulnerabilities. Sn1per combines the functions of many tools and can be used to find information such as DNS information, open ports, running services, and more.
IP scanners
Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses. Advanced scans can also display information such as:
- Routes
- Hostnames
- Operating systems
Security information and event management
Special tools that gather network information and aggregate it into a central place. SIEM systems can actively read the network information and determine if there is a threat.
Additional Assessments - System policy settings
System policy settings should be reviewed regularly. These policy settings can include:
- Password requirements
- Access controls
- File and system permissions
- Other basic security and network settings
Weak system policy settings are a major reason for vulnerabilities in computer and network systems.
Reconnaissance Tools - OSINT framework
The OSINT framework is a collection of resources and tools that are separated by common categories. The OSINT Framework makes it easy to gather all sorts of information, making the initial reconnaissance process much more efficient. Documentation can be found at https://osintframework.com/
SOAR System Components - Security orchestration
The Orchestration component of the SOAR system is responsible for gathering the data and information from across the network. A SOAR system gathers the same data as a SIEM system, but it can also implement many different third-party tools. The SOAR system coordinates these tools, sensors, and collectors to work together.
SIEM Components - SIEM alerts
The SIEM system is configured with network baseline data. As the data is analyzed and sorted, any data that exceeds the established threshold triggers an alert. The alert is sent to the security administrator who can then investigate and take appropriate actions.
SIEM Components - Data handling
The SIEM system receives the data from the collectors and then reads, analyzes, and separates the data into different categories. Examples of categories can include:
- Logon attempts
- Database entries
- Port scans
- Network congestion
The security operations team can review this data to determine if there is any suspicious activity on the network.
SOAR System Components - Security automation
The SOAR system can be set up to automate tasks that are routine, tedious, and time consuming. This includes tasks such as looking for and deleting phishing emails. These tasks are usually configured using playbooks or runbooks:
- Playbooks are linear checklists of required steps and actions that are taken to respond to an alert. While playbooks do support automated actions, they are often used to document the processes and procedures that are to be used by a human during a manual intervention.
- Runbooks consist of a series of conditional steps to perform actions, such as sending notifications or threat containment. This automation speeds up the overall incident-response process.
Automating these tasks frees up time for security operations to focus on other, more important tasks.
Packet sniffing
The act of capturing data packets transmitted across the network and analyzing them for important information.
Eavesdropping
The act of covertly listening in on a communication between other people.
War driving
The act of driving around with a wireless device looking for open vulnerable wireless networks.
War flying
The act of using drones or unmanned aerial vehicles to find open wireless networks.
arp
The arp command is used in both Windows and Linux. ARP stands for Address Resolution Protocol and is used to match IP addresses to MAC addresses. The arp command displays, adds, and removes ARP information on network devices. Some of the common switches and arguments used with the arp command are:
- -a displays current ARP entries.
- inet_addr specifies an internet address.
- -d deletes the host specified by inet_addr.
Penetration Testing Life Cycle Phases - Report
The final phase is generating the test results and supporting documentation. After any penetration test, a detailed report must be compiled. Documentation provides extremely important protection for both the penetration tester and the organization.
Penetration Testing Life Cycle Phases - Perform reconnaissance
The first phase in the pentesting process is reconnaissance, also known as footprinting. In this phase, the pentester begins gathering information on the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.
Threat hunting
The human-based, methodical search and monitoring of the network, systems, and software in order to detect any malicious or suspicious activity that has evaded the automated tools.
ipconfig/ifconfig
The ipconfig command (Windows) and the ifconfig command (Linux) are used to display the IP configuration on the local computer. Information such as the following can be shown using these commands:
- Adapter name
- Adapter MAC address
- Whether DHCP is enabled or not
- IPv6 address
- IPv4 address
- Subnet mask
- IP lease information
- Default gateway
- DHCP server
- DNS server
netcat
The netcat security tool can read and write data across both TCP and UDP network connections. It opens a TCP connection between two devices and can be used to send packets, scan for open ports, and listen in on connections to specific ports. You can download netcat from the internet.
Roles of Protocol Analyzers - Security operations
The network SecOps team can use the protocol analyzer during a vulnerability assessment. The protocol analyzer can help the SecOps team to:
- Identify frames that might cause errors. For example, the network administrator can:
-- Determine which flags are set in a TCP handshake.
-- Detect any malformed or fragmented packets. This would indicate that someone is trying to get around the firewall.
- Discover passwords and other sensitive data being sent in cleartext.
- Find any open network ports that should not be open.
nmap
The nmap utility is a network security scanner. Use nmap to scan an entire network or specific IP addresses to discover all sorts of information, such as:
- Open ports
- Running services
- Operating system
Nmap can use many different protocols and options depending on the network or device being scanned. Nmap is a command line tool, but a GUI version called Zenmap is available.
nslookup/dig
The nslookup and dig commands are used to view and modify DNS settings. These tools can be used to look up DNS server information and also give IP addresses and domain names for a network server.
- nslookup is used in Windows.
- dig is used in Linux.
pathping
The pathping Windows command line tool combines the tracert and ping tools. Use pathping to locate network devices that are down or causing latency issues.
Vulnerability scan
The process of capturing and analyzing packets to identify any security weaknesses in a network, computer system, local applications, and even web applications.
Passive reconnaissance
The process of gathering information about a target with no direct interaction with the target.
Active reconnaissance
The process of gathering information by interacting with the target in some manner.
Security Teams - Red team
The red team members are the ethical hackers. This team is responsible for performing the penetration tests.
route
The route command is used in both Windows and Linux to show the routing table and to make manual changes to the table.
Intelligence fusion
The sharing of information between multiple government agencies and private security firms.
Penetration Testing Life Cycle Phases - Gain access
The third phase takes all of the information gathered in the reconnaissance and scanning phases to exploit any discovered vulnerabilities in order to gain access. After gaining access, the pentester can perform lateral moves, pivoting to other machines on the network. The pentester will begin trying to escalate privileges with the goal of gaining administrator access.
tracert/traceroute
The tracert tool shows the path a packet takes to reach its destination. Every device the packet passes through is known as a hop. Use tracert to locate network devices that are down or causing latency issues.
- tracert is the Windows version and sends ICMP packets.
- traceroute is used in Linux and sends UDP packets.
Security Teams - White team
The white team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads.
Types of Penetration Tests - Bug bounty
These unique tests are programs that are set up by organizations such as Google, Facebook, and many others. The organization sets strict guidelines and boundaries for ethical hackers to operate within. Any discovered vulnerabilities are reported, and the ethical hacker is paid based on the severity of the vulnerability.
netstat
Use the netstat command to display a variety of network statistics in both Windows and Linux, including:
- Connections for different protocols
- Open ports
- Running programs
Some of the common switches used to specify the information shown in Windows are:
- -a displays all connections and listening ports.
- -b displays the executable involved in creating each connection or listening port.
- -f displays the FQDN for the foreign address if possible.
- -r displays the routing table.
- -p <protocol> shows the connections for a specified protocol (TCP, UDP, TCPv6, UDPv6).
Vulnerability Scan Options - Non-credentialed
With a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A non-credentialed scan shows open ports, protocols, and services that are exposed on a host system. This shows vulnerabilities that an outside attacker might be able to take advantage of. These scans do not typically produce the same level of detail as a credentialed scan.
Heuristic-based detection
Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.
Reconnaissance Tools - scanless
scanless is used for port scanning. Instead of scanning ports from the hacker's own machine, scanless uses exploitation websites to perform port scans. This means the attacker is able to maintain anonymity while scanning the target.
Reconnaissance Tools - theHarvester
theHarvester is a passive reconnaissance tool that is used to gather information from a variety of public sources. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources. These sources include search engines, social media sites, and Shodan. theHarvester does have some options, such as brute-forcing DNS and taking screenshots, that would fall under active reconnaissance.