Ch1: Network & Endpoint Security Intro.


Endpoint Security Solution

- A suite of tools that helps secure workstations and end-user devices against risky activity and malicious attacks.
- Operates as an enterprise security perimeter.
- Best suited for BYOD.

String/Byte Signatures:

- Executable files consist of bytes or strings of bytes in specific patterns.
- The patterns vary between executable files. By comparing the scanned pattern to the patterns in its database, an AV can identify malicious patterns.

Antivirus: Scanning

- String/byte signatures
- Hash signatures
- Heuristic detection

Application Control/Allow Listing

- Provides the ability to map a list of applications on an endpoint and control their use.
- Applications can be blocked, allowed, or limited by blocking only certain services or application processes.

Zero-Day

- A newly discovered flaw in a program, exploited before the vendor can patch it.
- Highly sought after by hackers and enterprise security teams.

EDR vs. AV

- AV has a single purpose: detecting and removing malware.
- EDR includes an AV, but also contains behavioral analysis detection that is not signature-based.
- EDR can protect against sophisticated threats such as advanced persistent threats (APTs).

Allow Listing

- AVs can mistakenly identify files as malicious.
- ClamAV includes an option for allow listing applications.

Signature Usage

- AVs rely on signatures to detect malicious files.
- Every vendor uses its own dedicated signature format; there is no standard structure.
- In addition to its own signature format, CVD, ClamAV also supports signatures written in the YARA format (YARA is a standard format).

Logical Signature

- Combines multiple signatures using logical operators.
- Enables more specific and flexible pattern matching.
- File extensions include *.ldb, *.ldu, and *.idb.

Device Control and BYOD (Bring Your Own Device)

- Expands the enterprise security perimeter.
- Employees connect private devices to the company network.
- Potential for passing malware through company defenses.

F/P Causes

- Heuristics: AVs and viruses evolve.
- Behavioral Analysis: legitimate apps behaving like malicious apps.
- Machine Learning: mistakes in the training data fed to the software.

Endpoint Security Components

- Internal Firewall: blocks incoming/outgoing connections to/from the workstation.
- HIDS/HIPS: detects, protects, and alerts upon malicious activity.
- Sandbox: restricted environment used to run suspicious programs and files.

Multi-Engine Antivirus Scanning

- Only one AV should be installed on a workstation.
- Different AVs use different methodologies and block lists.
- Multi-engine scanning scans a file with multiple engines at the same time.
- More than 65 engines in VirusTotal scan files and URLs.

ClamAV

- Open-source and cross-platform AV software.
- Mainly a CLI tool, although a GUI is available.
- Most features require initial configuration.

Endpoint Detection & Response (EDR)

- Originally ETDR (Endpoint Threat Detection and Response).
- Provides high visibility of endpoints.
- Focuses on detecting and responding to malicious activity on the host.
- Best use case: search manually for threats.

Visibility and Response

- Securing endpoints requires real-time visibility of all activities on the endpoint.
- Pinpoint malicious behavior.
- Act swiftly to prevent an attack from becoming a breach.

Antivirus

- Signatures must always be updated.
- Designed to detect and remove viruses, trojans, worms, etc.
- Can quarantine or delete files (depending on the user's choice).

ClamAV database files extensions

.ldb, .ldu, and .idb for logical signatures and .hdb, .hsb, .hdu, and .hsu for hash signatures.

ClamAV Installation

1. Download ClamAV Portable.
2. Move the configuration files from the sample directory to the ClamAV root directory.
3. Remove "sample" from the name of the configuration files.
4. Update the virus database.

Endpoint Security Suite

1. Antivirus
2. Data Loss Prevention (DLP)
3. Application Control/Allow Listing
4. Host Intrusion Prevention/Detection System (HIPS/HIDS)
5. Communications Encryption
6. Email and Phishing Protection
7. Logging and Monitoring
8. Encrypted Communication and Hardware

Data Loss Prevention (DLP):

A set of tools used to classify and prevent the loss, misuse, or unauthorized access of sensitive data. The three types are:
• Token-based: Uses fixed keywords for detection.
• Regular expression-based: Generic patterns characterize families of sensitive data such as personal identification information (PII).
• User custom signature-based: Uses specific signatures related to customer needs.

Disabling Antivirus Updates

AV software depends on the signatures database. Every virus is compared against this database. Not updating the AV may allow new viruses to enter that are not listed in the current database.

Fileless Attack

Also known as zero footprint attacks or non-malware attacks, these types of attacks do not install new software on a user's computer, so antivirus tools are more likely to miss them. These types of attacks usually run the malicious payload from RAM.

Email & Phishing Protection:

Another necessary form of protecting communications is the ability to scan all incoming and outgoing email messages for possible malicious payloads in any part of the email itself (header, body, etc.) and in attached files. Because phishing emails are becoming increasingly clever and harder to distinguish from genuine emails, even the most vigilant users can fall prey to them in a moment of distraction.

YARA Rule Signature

ClamAV accepts YARA rules but is limited to a maximum of 64 strings per rule. The extensions .yar and .yara are parsed as YARA rules.

Logging and Monitoring:

Collecting security logs, such as access violations and failed authentications, to monitor end-user devices and identify threats in real time or to perform analysis at a later time.

Signature Types: Body-Based Signature

Compares specific sequences of suspicious file bytes with malware models stored in a database.

Signature Types: Hash-Based Signature

Compares the file hash checksums of suspicious files with malware models stored in a database.

Quarantine

Folder with read permission where malicious files are kept.

ClamAV-PROS

- Free
- Supports scheduled tasks
- Ease of use
- Regular virus database updates
- High virus detection rates
- Technical support

ClamAV-CONS

- Low processing speed
- Infrequent software updates
- 100% virus protection not guaranteed
- No host firewall
- No safe browsing capabilities
- GUI is outdated, with inadequate features

Code Mutation

Mutations (faults) are automatically embedded in the malware code. The mutations create slightly different variations of the malware with the goal of avoiding detection.

Antivirus Bypass Techniques

- Packing and encryption
- Code mutation
- Stealth techniques
- Disabling AV updates
- Fileless attack

Device Control and BYOD (cont.)

- Removable storage devices
- Policy enforcement
- Data protection

Communications Encryption:

The ability to establish a VPN over IPsec or other encrypted method of communication with every party looking to connect to the organizational network, whether from another branch of the organization or from an end-user device.

YARA Rule Structure

The first part of the rule is its name, followed by the strings section, which is used to specify the text and hex values to search for. The term hex refers to hexadecimal, a base-16 number system. Logical operators can be used in rule conditions.

Exclusions

The following are the allow list signature database file extensions recognized by ClamAV:
- *.fp - MD5 signature
- *.sfp - SHA1 or SHA256 signature
- *.ign2 - Specific signature

Antivirus/Antimalware:

The most common security solution in place on most home or enterprise computers, these programs work by comparing file signatures against a database of known malicious files.

Host-Based Intrusion Prevention/Detection System (HIPS/HIDS):

The system creates checksums (usually MD5, SHA1, or better) of the objects and stores them in a secure database to be reviewed later for the purpose of detecting or preventing changes made by an unknown, possibly malicious, entity. It can also analyze log files and check system components to detect irregularities and potential malware.
• Token-based: Uses fixed keywords/hashes to detect well-known malicious attacks.
• Regular expression-based: Uses generic patterns to characterize well-known attacks such as WannaCry, a malicious attack targeting Windows Server Message Block (SMB) vulnerabilities.
• User custom signature-based: Uses specific signatures related to the customer's needs.

Common Vendors

These are only some of the services common to Symantec, Check Point, Kaspersky, and McAfee:
• Real-time protection
• Host firewall
• Application control
• Device control
• Web protection
• Full disk encryption
• USB protection
• EDR
• Sandbox
• Antispam and phishing
• Zero-day protection
• Antiransomware
• Centralized management

Packing and Encryption

The executable file is encrypted or compressed. This method avoids signature-based detection by hiding the original executable file's signature inside the packed file. Because the executable code is usually only decompressed in memory at run time, detection can be avoided.

YARA Rules

YARA rules are a way of describing a pattern to identify certain files. The rules are written to meet specific conditions. Their main use is to classify particular strains or entire malware families. YARA rules essentially provide a way to manually update a virus database.

PhishSigs

A database of file signatures associated with phishing. Phishing is an attempt to obtain information such as names, passwords, credit card details, etc., by posing as a legitimate partner in communication. Examples of PhishSig database files include:
- *.pdb - Includes URLs of potential phishing sites
- *.gdb - Includes URL hashes (signatures meant to shorten long URLs)
- *.wdb - Includes allow listed URLs to configure trusted sources

ClamAV Configuration Files

- clamd.conf: ClamAV scan daemon settings
- freshclam.conf: change the virus database update interval
- clamconf: lists the configuration of both files

False Positive (F/P)

False positives exist in every testing mechanism: a test indicates that a condition is true when it actually is not.

Hash Signatures:

A hash is a one-way function that takes input of any length and converts it into a fixed-size string of unique text using a mathematical function. A hashing process has three components: the input (what we are trying to hash), the hash function (the hash algorithm we want to use), and the hash value (the resulting string of text).

Sigtool

Sigtool is used to write and inspect signatures.
1. The --md5 flag generates an MD5 hash.
2. The full file path is given as the argument.
3. The output is written to test.hdb.

False Negative

A false negative is when a test result falsely indicates the absence of a condition.

Generic Detection

Looks for malware that is a variant of known families.

Heuristic detection

Searches for unknown viruses by looking for known suspicious behavior or file structures. It examines files to detect anything out of the ordinary, such as whether a file is oddly structured or behaves differently from a benign file.

Stealth Techniques

Techniques used to alter or augment the behavior of an operating system, applications, or software programs by intercepting function calls, messages, or events passed between software components.
