CySA+ Chapter 15: Tool Sets
Name 2 popular exploitation frameworks
1. Metasploit Framework, and 2. Nexpose
Name 6 popular vulnerability scanners
1. QualysGuard, 2. Nessus, 3. OpenVAS, 4. Nexpose, 5. Nikto, and 6. MBSA
Name 3 popular WAFs
1. SecureSphere, 2. ModSecurity, and 3. NAXSI
What are 6 popular SIEM tools?
1. Unified Security Management (USM) system, 2. ArcSight, 3. Kiwi Syslog, 4. OSSIM, 5. QRadar, and 6. Security Intelligence Platform.
Name 3 popular fuzzers
1. Untidy, 2. Peach Fuzzer, and 3. Microsoft SDL Fuzzer
name 3 popular packet capture tools
1. Wireshark, 2. Tcpdump, and 3. Aircrack-ng
What is FTK?
AccessData's Forensic Toolkit (FTK) is a popular choice for investigator needing to create a forensic image of a HD. FTK is a favorite for forensic analysts because of its built-in logging features, making the process of documentation easier for investigators looking to preserve the details of analysis itself. One of the more popular tools included in the FTK suite is the FTK Imager, a data preview and volume imaging tool
What is Aircrack-ng?
Aircrack-ng is the most popular open-source wireless network security tool. It's mostly used for its ability to audit the security of WLANs through attacks on WPA keys, replay attacks, deauthentication, and the creation of fake APs. If does, however, include packet capture functionality too. Also, it could be coerced into capturing wired network traffic. I t would not be a good choice, particularly considering the power of the other two tools. If the scenario required wireless capture, however, this would be the tool of choice.
What is EnCase?
EnCase's suite of tools is very popular with law enforcement and government for forensic missions because of its easy-to-use GUI and chain-of-custody features. EnCase's Evidence File Format is among the most common types of forensic imaging formats, due in part to its high portability.. The Imaged volume's data, metadata, and hashes are all included in a single file
What is EMET?
Enhanced Mitigation Experience Toolkit (EMET). The EMET is a free Microsoft product designed to enhance the protection of Windows systems against a variety of threats, particularly zero-days.
What are interception proxies used for?
For the purpose of analysis, interception proxies provide extraordinary insight into user behavior because they sit in between the user and the requested resource. As an intermediary device, an interception proxy can be used in several ways to collect, modify, or block certain types of data.
What is Helix?
Helix3 Pro is the latest multi-platform forensic suite offered by e-fense. Based on the open source Knoppix live boot utility, Helix allows analysts to fully image all internal devices, including physical memory and hard disks. The program also includes utilities for mobile device analysis, offering the same non-destructive imaging features.
What is QRadar?
IBM's QRadar stands out from other SIEMs in its ability to integrate "NetFlows," packet captures, and event logs in support of incident response. Rather than only tracking events (which could become incidents), this system tracks "offenses," which are correlated events that are more likely to be indicative of a security compromise. Analysts examining an offense can then see all network and log data supporting it, all the affected hosts, and all relevant vulnerabilities. Another distinctive feature of QRadar is its ability to automatically start acquiring forensic data and/or start an event ticket. QRadar would be a good fit in the scenario if you needed tight integration between your SIEM and your response processes. In particular, if your responses typically involve network captures or NetFlow data that had to be correlated, then this would likely be your best choice provided you could afford it. Because the scenario does not spell out this requirement, you would have to dig a bit deeper before making this decision.
What is SecureSphere?
Imperva's SecureSphere is one of the market-leading WAFs. One of its distinctive features is "dynamic profiling," which automatically learns protected applications' legitimate structure and behaviors, as well as the normal behaviors of their users. Taking a page from NGFWs, SecureSphere is able to exchange known threat sources and indicators of new attacks with a threat intelligence system in the cloud, which reduces the vulnerability of attacks and actors that have already been seen elsewhere. With an extensive feature set, the ability to learn normal and abnormal patterns, and a connection to threat intelligence resources, SecureSPhere is arguably one of the most powerful WAFs in the market. This, however, comes with a price in the tens of thousands of dollars per appliance, which puts SecureSphere out of reach of many smaller org. Because the startup is well funded and the infrastructure is yet to be developed, this may be the right time to think long-term and make the investment in SecureSphere. Although it may be overkill in the early days of the company, it would support very rapid growth.
What is John the Ripper?
John the Ripper is an open source password-cracking tool, initially developed for UNIX, that now has variations for many OSs. Image on page 362 shows options for usage with the command-line tool. John runs attacks with wordlists, which reference a precompiled list of possible passwords, or by brute force, which tries as many possible combinations in the character space. Additionally, John supports auto-detection of password hash types, the protective measure used by OSs to prevent unauthorized viewing of the password file. The commercial version of John the Ripper expands on the already impressive selection of hashes supported.
What is Metasploit Framework?
Like many popular security tools, the Metasploit Framework began as an open source project and was later acquired and expanded to include paid options for commercial use. Initially developed under the larger Metasploit Project to develop and execute against remote targets, the framework provides an easy way for security professionals to assess system vulnerabilities and determine exploitability. Although the Metasploit Framework itself is still free, Rapid7 offers several interfaces and professional options with a paid license. Every version ships with hundreds of exploits and payloads. The image on page 353 is a screenshot of the Metasploit command-line interface. Metasploit's main strength is the versatility it provides by way of its modular design. Exploits can be combined with payloads to take advantage of flaws and execute code in a single effort. The image on page 354 shows an example in which a user selects the PSExec Exploit for use against a Windows OS, along with the various options presented for its usage.
What is NetFlow Analyzer?
ManageEngine's NetFlow Analyzer is an analysis tool for network traffic that relies on NetFLow data to give admins a complete view of their network. In addition to performing basic bandwidth monitoring and service identification, NetFlow Analyzer also provides traffic-shaping features, which might be useful to identify and curb bandwidth abuse. Additionally, NetFlow Analyzer provides some network forensics and security specific capabilities through an add-in module. In our scenario, you could use NetFlow Analyzer to quickly identify the server in question and whether other devices are exhibiting the same type of behavior.
What is MBSA?
Microsoft Baseline Security Analyzer (MBSA): MS provides a tool called MBSA to quickly identify missing security patches or software misconfigurations in Windows operating systems. Designed for use with Windows Vista, Windows XP, Windows 7, Windows 8, and Windows server 2003, Windows Server 2008, and Windows Server 2012, MBSA is available as a small DL directly from MS. His tool is only useful for assessing Windows endpoints and servers, so if the organization is running anything else, this tool won't work on those platforms. The image on page 344 shows the various options for starting a scan with this tool. You can scan for vulnerabilities related to passwords, server and database misconfigurations and missing security updates. The output of the resulting report can also be modified to suit your organization's naming conventions. a) The reports generated by MBSA provide info about what was tested on the system and the results from each test .From some entries, a link to possible solutions is provided. The full report of our local scan is shown on page 345. You can see that vulnerabilities are grouped by type, and there is an option to sort the result by impact.
What is Microsoft SDL Fuzzer?
Microsoft SDL Fuzzers: As part of its Security Development Lifecycle (SDL) toolset, MS released two types of standalone fuzzers designed to be used in the verification phases of the SDL: The "Minifuzz File Fuzzer" and the "Regex Fuzzer." However, MS has dropped support and no longer provides these applications for DL.
Name 3 popular Sysinternals Suite tools
Microsoft now owns Sysinternals and they create multiple powerful tools for Windows superusers. Here are some of the most useful tools for cybersecurity analysts: i. Process Explorer: provides an abundance of info about all processes, including how much memory and CPU they use, who/what started, the origin, and even the VirusTotal score ii. Autoruns: Allows you to quickly determine which programs are configured to start up automatically when the system is started or users log on, as well as to disable autoruns iii. Process Monitor: Provides detailed information on the specific resources that a process owns or us using, including registry keys, DLLs, files, and other processes.
What is ModSecurity?
ModSecurity is an open source toolkit for web application monitoring, logging, and control. It was originally developed as an Apache server module (hence the "Mod" part of the name), but has since been adapted to work with Microsoft IIS and Nginx. ModSecurity is able to leverage the OWASP Core Rule Set (CRS), which is a set of detection rules for the most common web application attacks. The CRS is specifically developed by OWASP for ModSecurity, though it also works with compatible WAFs. In addition to this traditional rule-based detection, ModSecurity is also able to aggregate multiple (less-critical) rule matches so that, collectively, they trigger a higher-level alert. This anomaly-based approach is meant to catch adversaries who go for small, incremental attacks that would otherwise not show up on an analyst's screen Because the system admin in the scenario is proficient with Apache, ModSecurity would provide a very low-cost solution that would not require specialized hardware, licenses, or additional hires. Apache and ModSecurity, however, may not be the best choice among the 3 systems we discuss in terms of performance for a rapidly growing business
What is MRTG?
Multi Router Traffic Grapher (MRTG) is a cross-platform, network measuring tool that relies on SNMP exchanges to produce graphs and stats. Developed to be lightweight, the tool is written in Perl and offered as free software under the GNU General Public License. A sample graph is shown on page 346 of network traffic over several weeks. MRTG is very fast and capable of storing logs for years without appreciable increase in log storage requirements. Although the HTML output is convenient, it lacks the polished interface and correlation features offered by other network monitoring solutions
What is Palo Alto Networks?
Palo Alto Networks is widely regarded as the industry leader in NGFW innovation, frequently rolling out new features ahead of its competitors. An example of this is the introduction of cloud-based malware detection into the market with its Wildfire subscription service, which is integrated with its threat intelligence cloud. Integration is a major theme within Palo Alto's product line, which can result in faster detection and better protection, particularly against previously unknown threats. This innovation comes at a cost; however, because Palo Alto's solutions tend to be more expensive than its competitors'. If ever there was a time to jump on the Palo Alto bandwagon, this might be it since you are better resourced.
What is Peach Fuzzer?
Peach Fuzzer is a powerful fuzzing suite that's capabile of testing a wide range of targets. Peach uses XML-based modules, called "pits," to provide all the information needed to run the fuzz. These modules are configurable based on the testing needs. Before conducting a fuzz test, the user must specify the type of test, the target, and any monitoring settings desired. The image on page 356 is a short list of the pits available for image file and network protocol fuzzing.
What is QualysGuard?
QualysGuard is a product of the California-based security company Qualys, an early player in the vulnerability management market. The company currently provides several cloud-based vulnerability assessment and management products through a SaaS model. For internal scans, a local VM conducts the assessment and reports to the Qualys server. The image on page 337 is a sample dashboard that shows the various options under the vulnerability management module All network discovery, mapping, asset prioritization, scheduling, vulnerability assessment reporting, and remediation tracking tasks can be accessed via the web-based UI. The platform can generate detailed reports using several templates. Included in the deafult installation is a template called "Executive Report," which provides just the type of data the CISO needs for her discussion. A portion of the results of this report can be seen on page 338.
What class of tools is best able to receive information from a variety of platforms, aggregate it into a data store, generate alerts, and allow users to query the data?
SIEMs
Your internal development team just developed a new web application for deployment onto the public-facing web server. You are trying to ensure that it conforms to best security practices and does not introduce any vulnerabilities into your systems. You discover a vulnerability that causes the app to crash whenever it receives a password length of 256 or greater. You are under immense pressure to get the app online and the development team will need a week to fix the issue. Assuming you already using it, which tool can help mitigate the risk and allow the app to go online by tomorrow? Alien Vault, Sourcefire, Nessus, or Metasploit?
Sourcefire because it's an IPS that can be configured to detect and prevent problematic password values
What is Sourcefire?
Sourcefire started its life as the commerical version of Snort. It quickly grew in capabilities and was later expanded into a set of offerings under the Firepower line of security products. The Sourcefire company was acquired by Cisco in 2013, and the Firepower IPS was integrated into Cisco products even as it was further improved. This system is offered as a time-limited (typically annual) license in Cisco's Adaptive Security Appliance (ASA) line of products. The licensing model is one that increases with the number of hosts being supported, so a small org. like the one in the scenario would probably be able to afford it, particularly if the Cisco firewall you already have can already support Sourcefire Firepower. Unlike Bro and Snort, this IPS comes with commercial support, which could make things easier for you as you settle into your new role.
What is ZAP?
The OWASP Zed Attack Proxy (ZAP) is one of OWASP's flagship projects due to its powerful features and popularity. ZAP uses its position between the user's web browser and the web application to intercept and inspect user requests, modify the contents if required, and then forward them to a web server. This is exactly the same process that occurs during a MitM attack. ZAP is also designed to be used by security practitioners at all levels. The image on page 351 shows the results of an attack conducted with nothing more than a target specified. In this example, ZAP rapidly fabricates a list of GET request using known directories and files to test the site. These locations should not be publicly viewable, so the results here will inform an admin of misconfigurations in the server and unexpected data exposure.
What does nslookup do?
The name server lookup, or nslookup, utility can be thought of as the user interface of the DNS. It allows us to resolve the IP address corresponding to a fully qualified domain name (FQDN) of a host. Depending on the situation, it is also possible to do a reverse lookup. It is also possible to obtain other record data, such as MX (email) and CNAME (canonical).
What is Check Point?
This company's claim to fame is having pioneered the Stateful Packet Inspection (SPI) firewall. It has a very robust R&D arm and is considered among the market leaders. It also has a very good reputation when it comes to complex deployments in very large organizations as well as in some niche use cases (for example, ruggedized ICS/SCADA protection) and with regard to regulatory compliance. Because your org. is large and the upgrades could be complicated, Check Point might help you make the transition easier
What is Kiwi Syslog?
This is a tool developed SolarWinds to monitor, archive, and alert to syslog events. Technically, it is not a SIEM, though it does share some basic features with this class of tools (e.g., prioritizing and alerting on messages). Kiwi is really meant to monitor performance and for regulatory compliance issues, but these can also help identify compromises, which is the reason CompTIA lumped it in with the SIEMs. Realistically, though, Kiwi would be insufficient as a standalone SIEM. There is nothing in this scenario that specifically calls out Kiwi Syslog as a good solution. Still ,if your main challenge were integration of log files from both Linux and Windows systems, this could be part of the solution
What is OpenSSL?
This is an opensource software library that allows software systems to communicate securely. Despite its name, it includes both SSL and TLS functionality. This library includes a command-line interface (CLI) that provides the following functionality: i. Generate and validate certificates ii. Generate, sign, and verify MD5 and SHA hashes iii. Encrypt and decrypt data iv. Establish secure connections to remote servers.
What is Snort?
Though also an IDS, it's more frequently used as an IPS than Bro. Its scripting language is not as powerful as Bros, but it is plenty to stop any network threat for which you can develop a signature. This is a key difference between Snort and Bro, in that the latter can look for both signatures and anomalous behavior. Unlike Bro, Snort does not automatically log everything it sees on the network, which may be attractive if you have limited means to store large amounts of event data. Like Bro, however, Snort is free and opensource, which means you should be able to afford it. Because you have some Snort experience, you already have a leg up on deploying it in your new organization.
Your internal development team just developed a new web application for deployment onto the public-facing web server. You are trying to ensure that it conforms to best security practices and does not introduce any vulnerabilities into your systems. You decide to try random data to see if you can force instability or crashes. Which is the best tool for this purpose? Untidy, Cellebrite, Cain & Abel, or Qualys?
Untidy
What is Untidy?
Untidy is a popular XML fuzzer. Used to test web applications clients and servers, Untidy takes valid XML and modifies it before inputting it into the application. The Untidy fuzzer is now part of the Peach Fuzzer project.
What is Vega?
Vega is another cross-platform interception proxy written in Java. It provides automated scanning, injection discovery, and XSS vulnerability discovery through its user interface or via an API. Usage is similar to ZAP in that a user can launch a quick attack by identifying the target. As with ZAP, the list of results will include a short description of discovery, why it's important, and how best to remediate. An example of the information provided is shown on page 352.
What is Wireshark?
Wireshark is widely used. It has a CLI version called TShark, which is useful when you can't get a GUI (e.g., when connecting over SSH) or when you want to script a packet capture. Whether you capture the traffic through the GUI or CLI, you can save it and view it on GUI later. You can similarly view captures from other tools (such as tcpdump) provided they were saved in the packet capture (.pcap) file format.
What is ArcSight?
With 3 distinct but related platforms, ArcSight has something for medium- to large-sized organizations. Among its distinctive features is the maturity of its correlation and analytics engine. Multiple optional modules for specialized feature sets such as "User Behavior Analytics (UBA)" and "DNS malware analytics" provide additional functionality only for those who want it. One of the features that differentiates ArcSight from other SIEMs is an open architecture that facilitates its integration with most other security solutions. This is evident in the way it can either do its own data analytics or interface with other systems, such as Hadoop and Kafka to feed third party big data platforms. ArcSight is one of the most respected platforms on the market, so you couldn't go wrong in selecting it in this scenario. The optional modules would provide you a nice growth path, even though the base product provides a robust set of features. Additionally, if your org. grows to the point of being able to leverage big data analytics, ArcSight would integrate very well with most common solutions in that space.
Name 3 popular IDS and IPS tools?
1. Bro, 2. Snort, and 3. Sourcefire
Name 3 popular interception proxies?
1. Burp Suite, 2. ZAP, and 3. Vega
Name the top 3 firewall vendors.
1. Check Point, 2. Cisco, and 3. Palo Alto Networks
Name 4 popular forensic suites
1. EnCase, 2. FTK, 3. Helix, and 4. Cellebrite's UFED
What are 2 popular password cracking tools?
1. John the Ripper, and 2. Cain & Abel
Name 5 popular monitoring tools
1. MRTG, 2. Nagios, 3. Orion, 4. Cacti, and 5. NetFlow Analyzer
What is OSSIM?
"Open Source Security Information Manager (OSSIM)" is an integrated collection of components rather than a monolithic product .OSSIM was started in 2003, and five years later became the basis for the commercial product AlienVault, described previously. It includes the "Open Vulnerability Assessment System (OpenVAS)" for vulnerability assessment, "Suricata"for network based intrusion detection, OSSEC for host-based intrusion detection, as well as file integrity monitoring and more. The multitude of open source tools are coherently integrated into a unified web-based interface with wizards to walk you through common setups, as shown in the image on page 328. OSSIM is distributed as an ISO that can be installed on a virtual or physical host. These hosts can participate in the Open Threat Exchange, which is a crowd-sourced IP reputation service that allows OSSIM systems to share information about known or suspected malicious addresses. You already saw how ALienVault's USM would be a good fit for the scenario. If your budget was limited, or if you preferred to invest in workforce development in addition to platform acquisition, then OSSIM would be a good fit. The money you save by choosing this free platform could be invested in training for your staff, which could give you a better fit, depending on the specific requirements.
What is a WAF?
A WAF is a system that mediates external traffic to a protected server. The WAF is configured for the specific Web apps (or classes of web apps) that it is intended to protect. In other words, the WAF "speaks the language" of the web app so as to identify unusual or disallowed requests to it. It is also able to determine which URLs, directories, and parameters are acceptable and which are suspicious. This is something that traditional firewalls cannot do. PCI DSS requires organizations to have all web application code reviewed by a specialized org. or to deploy a WAF for any web-facing applications
What are Web proxies?
A Web proxy is a system that intercepts and then forwards web traffic between clients and servers. Such proxies are commonly used to carry out content filtering to ensure that Internet use conforms to the organization's AUP. They can block unacceptable web traffic, provide logs with detailed information pertaining to the sites specific users visited, monitor bandwidth-usage stats, block restricted web site usage, and screen traffic for specific key words (such as porn, confidential, or SSN). The proxy servers can be configured to act as caching servers, which keep local copies of frequently requested resources, allowing organizations to significantly reduce their upstream bandwidth usage and costs while significantly increasing performance. It is worth noting that although most web proxies support HTTPS traffic, doing so effectively requires additional steps. For starters, you will be examining the contents of a conversation that is encrypted and can therefore can be reasonably expected (by the user) to be private. It is essential that your org. policies make it clear to the users that this can happen, or else you could find yourself in legal trouble. The next step is to ensure that all clients in your org. trust the CA with which you will be signing the internal certificates. At issue is the fact that, when using HTTPS, a client requests from the server a certificate that is issued by a trusted CA and matches the domain of the requested resource. When a web proxy is mediating this conversation, it will present its own certificate to the client to secure the internal connection and use the server's certificate to secure the external half of the connection. If the proxy's CA is not trusted by the client, the browser will generate a certificate warning every time, which is something we really don't want our users to get used to clicking though
Why do cybersecurity analysts need password cracking tools?
A common target for attackers is the OS password file. I Windows, the "Security Account Manager (SAM)" file is the database of user passwords. In modern Linux environments, the user information is stored in the "/etc/passwd" file, and the password hashes are stored in the "/etc/shadow" file. As you can imagine, these files are protected by the system using various cryptographic methods. However, it's possible to break into these files given the right tools
What is Bro
Bro is not really meant to be used as an IPS, but its powerful scripting language certainly allows for this. At its core, this IDS does two things: it captures all sorts of events (labeling them neither good nor bad) and then runs scripts that analyze the events looking for signatures or anomalies that might indicate a security incident. These scripts can take actions ranging from sending a warning message to changing configurations on systems in order to thwart a threat (IPS). What might make Bro a particularly good fit for the scenario is that it records EVERYTHING, even as you are getting familiarized with it and building a library of scripts. This means that you would be able to run new scripts on already-acquainted data to detect things that happened before you were fully up to speed. The fact that it is free also fits your limited budget.
What is Burp Suite?
Burp Suite is an integration web application testing platform. Often used to map and analyze a web application's vulnerabilities, Burp allows seamless use of automated and manual functions when finding and exploiting vulnerabilities. In proxy mode, Burp will allow the user to manually inspect every request passing through from the user to the server. The option to forward or drop the request Is shown on page 350. Although Burp is designed for a human to be in the decision loop, it does offer a point-and-click web scanning feature in the paid version that might be useful for this scenario.
Your internal development team just developed a new web application for deployment onto the public-facing web server. You are trying to ensure that it conforms to best security practices and does not introduce any vulnerabilities into your systems. What would be the best tool to use if you want to ensure that the web application is not transmitting passwords in cleartext? Nikto, FTK, Burp Suite, or Aircrack-ng?
Burp Suite. This is an integrated web application testing platform often used to analyze a web application's vulnerabilities. It is able to intercept web traffic and allow analysts to examine each request and response.
What is Cacti?
Cacti is a free front end for the RRDTool, a network logging and graphing tool based on MRTG. Like MRTG, Cacti's strength is its speed in ingesting and visualizing logging data. Due to its low resource requirements, Cacti is a popular choice for Web admins who want to create quick graphs and stats. The image on page 349 is a display provided by the developers to highlight the precise control over graph timespans using the web interface
What is Cain & Abel?
Cain & Abel is a Windows password-cracking tool that can operate on sniffed network traffic or locally acquired password hashes. Note that Cain is not officially supported for OSs newer than Windows Vista, and its use with those modern systems might require workarounds. Like John, Cain supports wordlist and brute force attacks, but can also use rainbow tables to speed up its analysis. Normally, a password-cracking tool using a wordlist will take the given plaintext, compute the hash, and perform a search for that hash in the password file. Rainbow tables are pre-computed lists of hashes that the program will use to perform a reverse lookup of the possible password. In the case of the rainbow table, only the hash needs to be searched for, so this speeds up the cracking process significantly. The trade off is that rainbow tables can be extremely large in size. The trend of increasingly affordable hardware has ushered in the age of hardware-accelerated password cracking. Using "rigs," composed of several Graphics Processing Units (GPUs), a user can brute-force passwords orders of magnitudes faster than traditional CPU-only methods.
What is UFED?
Cellebrite is a co. that developed data transfer solutions for mobile carriers and has since moved into the mobile forensics market. Its flagship product, the Universal Forensic Extraction Device (EFED), is a handheld hardware device primarily marketed to law enforcement and military communities. With the EFED, a user can extract encrypted, deleted, or hidden data from select mobile phones. Cellebrite also provides evidence preservation using techniques such as write blocking during the data extraction procedure.
What is Cisco?
Cisco's NGFW solutions are common in Cisco-only (or Cisco-mostly) deployments. Its solutions are marketed as Cisco ASA with FirePOWER services, and they represent a (subscription-based) FirePOWER service on a traditional ASA firewall. When it comes to traditional firewall features and protection, Cisco leads compared to the other manufacturers. That said, its NGFW features compare well with the other two, though they tend to not be as robust or innovative. If Total Cost of Ownership (TCO) is a principal concern, Cisco NGFWs compare very well. This is particularly relevant in the scenario because you already have a significant investment in Cisco devices
What is NAXSI?
NAXSI stands for Nginx Anti XSS and SQL Injection. Nginx is an open source web server developed specifically to outperform Apache in high-use environments. It follows that NASXI also focuses on performance and does so by zeroing in on a relatively small rule set that reportedly identifies the features of 99 percent of known web application attacks. By taking some fairly draconian measures with these rules, NAXSI implements a "deny by default" rule policy. It is then up to the system admin to create whitelists that will allow legitimate traffic through, while letting NAXSI drop everything else. Obviously, tuning a NAXSI implementation is critical, but this is facilitated by a semi-supervised self-learning feature that this WAF can use to automatically generate whitelists.
You are concerned about your ability to block zero day exploits before they enter your network. Which of the following tools would best allow you to do this: Wireshark, Imperva's SecureSphere, Metasploit, or Palo Alto Network's NGFW?
NGFWs because they can connect to threat intelligence feeds to quickly identify new attacks and share those with others with similar firewalls via the cloud. They also have the ability to run applications in a sandbox to determine whether they are benign or malicious
What is Nagios?
Nagios is a very popular monitoring and alerting platform that comes in two flavors: Nagios Core and Nagios XI. While both solutions provide monitoring and analytics capabilities for network infrastructure, Nagios Core is offered as an open source and no-cost solution . Nagios XI, on the other hand, requires an annual standard or enterprise license. Aside from the cost, the primary differences between the two options are in the reporting and interface options. Nagios XI allows for advanced configuration of the dashboards, graphs, and reports. The image on page 347 is an example of the dashboard to show the graphs and screens most relevant to your security team's needs. Details on each device are hyperlinked directly from the dashboard, so all historical information about the server in question is just a click away. Each host details screen, as shown on page 348, can be configured in the same manner as the dashboard to show the graphs and screens most relevant to your security team's needs.
What is Nessus?
Nessus is the most popular vulnerability scanner on the market. It boasts a large library of over 80,000 plug-ins, which the platform uses to scan for vulnerabilities on the network on an ad-hoc basis or schedules basis. Like QualysGuard, Nessus provides an easy way to configure assessments and view the results through your favorite web browser. When Nessus discovers a vulnerability, it assigns a severity level to it in the scan results, as shown on page 339. Technical details for each vulnerability, the method used in identifying it, and any database references can be found here. Nessus is particularly strong at assessing compliance using its library of "compliance checks." These compliance checks, or any other type of scan, can be scheduled to occur as desired, fulfilling the CISO's desire to automatically conduct periodic scans. As for reports, Nessus offers server export options, as shown on page 339, such as Nessus, PDF, HTML, CSV, or Nessus DB. Nessus can generate reports that only list vulnerabilities with an associated exploit alongside suggested remediation steps. For an audience such as company leaders, explaining in plain language the concrete steps that may be taken to improve organizational security is key. Nessus provides these suggestions for individual hosts as well as for the network at large.
What does netstat do?
Netstat provides a wealth of information on the status of network connections and listening sockets. This is probably the most common use of this tool. It can also show interface stats. It can also provide protocol stats, such as IP and ICMP. Netstat is a default installation on almost every Linux, Mac OS, and Windows system, though some specific options are slightly different in Windows
What is Nexpose (but, for exploitation)?
Nexpose is a vulnerability discovery and management tool. Because it integrates extremely well with Metasploit, it's a natural choice for security analysts wanting to pivot quickly from analysis to exploitation without leaving the interface. Using one of the commercial options of Metasploit, called Metasploit Pro, it's possible to connect to the Nexpose scan engine directly. The image on page 355 shows a listing of vulnerabilities found during a routine scan, along with an indication of whether an exploit exists for that vulnerability. The Metasploit integration into Nexpose is useful in determining and prioritizing exploitable vulnerabilities on the network, while also reducing the burden of managing reports across the two systems.
What is Orion?
Orion by SolarWinds is a provider of Several It and network monitoring tools. The company began in 1999 as a developer of network performance monitoring software and has expanded to flow analysis, virtualization management, and server monitoring each with advanced reporting options. Its main platform, Orion, provides the foundation for the entire SolarWinds suite of products. Performing protocol analysis to determine what kind of data is moving from nodes, for example, can be performed by the NetFlow Traffic Analyzer tool, which rides on the Orion framework.
What is Nexpose?
Nexpose is a vulnerability scanner from Rapid7, the developers of Metasploit. It places more emphasis on the entire vulnerability management lifecycle rather than just scanning for and cataloging vulnerabilities. It's also designed to integrate directly into Metasploit for exploitation of discovered vulnerabilities. Once the scan is started, network-connected devices, referred to as "assets," will populate the dashboard, shown in the image on page 341. The assets are classified by IP address, system, and host name. An analyst may choose to view the details of the vulnerabilities discovered either by clicking a particular host listed or by viewing all vulnerabilities across the site to look for trends. The image on page 341 shows the site-wide vulnerability charts, breaking all discoveries down by CVSS score. The system provides context to rate each vulnerability by how exploitable it might be. This is important because not every vulnerability has an associated exploit, not does every vulnerability have a risk. For example, a resource that has no value cannot have a risk, so it does not necessarily make sense to devote energy to hardening that resource. This point must be considered when conducting risk assessments
What is Nikto?
Nikto is a command-line based web server vulnerability scanner. Although its utility is limited to web servers, Nikto's strength is its speed in assessing the software vulnerabilities and configuration. As a command line tool, it's also not as user-friendly as other tools. Nikto requires at least a target host to be specified, with any additional options, such as target ports, added in the command line. In the image on page 342, we see the command issued to perform a scan against the web team's new site, which operates on port 3780 a) Nikto also allows reports to be saved in a variety of ways, including HTML,. An example of an HTML file is on page 343. b) The report includes a summary of the command issued, information about the servers tested, and hyperlinks to the relevant resources and their vulnerability data.
What is nmap?
Nmap, or "Network Mapper," works by sending specifically crafted messages to the target hosts and then examining the responses. This not only tells you what hosts are active on the network and which ports are listening, but also helps us determine the OS, hostname, and even patch level of some systems. Though it is a command-line interface (CLI), there is a GUI for Windows called Zenmap, NmapFE for Linux, and Xnmap for Mac OS.
What is OpenVAS?
OpenVAS: is a fork of the initial Nessus project and is widely used vulnerability scanner whose major benefit is its cost. OpenVAS uses a similar structure as Nessus to conduct its scans: the OpenVAS Manager is used to configure and access the OpenVAS Scanner, which schedules and runs the vulnerability scans. The image on page 340 is an example of the OpenVAS dashboard. A free and open source software, OpenVAS relies heavily on community support in maintaining its library of nearly 50,000 network vulnerability tests (NVTs). Although the software is free, it does not offer the same level of support its paid alternatives do. For a large enterprise network, the price of on-demand customer support might justify the increased cost.
What is the Security Intelligence Platform?
Splunk is the best-known name in the SIEM market. Its "Security Intelligence Platform (SIP)" comprises two products: "Splunk Enterprise" and "Splunk Enterprise Security." The former provides event and log collection, indexing and analysis, whereas the latter has the traditional SIEM features that make the data actionable. Splunk started off as a log file analysis engine that grew into a SIEM, which explains why it shines in the first role but faces stiff competition in the second role. In fact, if you're looking for advanced event correlation, other platforms provide better products and require less effort. Like ArcSight, SIP is also able to provide user behavior analytics (UBA), which is very useful for advanced threat monitoring There is nothing in the scenario that makes SIP stand out as an obvious choice, so it would boil down to the best cost for the basic capabilities you need. Splunk is very competitive with other solutions, so you would have to specify your requirements and get quotes from multiple vendors. You could then compare the features and costs and choose the right platform based on those criteria.
What is tcpdump?
Tcpdump is a CLI tool that comes standard in many distributions of BSD, Linux, and Mac OS, which means you typically don't have to worry about installing it on the platform from which you'd like to capture traffic. As long as you can SSH into a host and run as a privileged user (such as root), you can capture packets on most non-Windows systems. As shown on page 333, the display is not easy to read as Wireshark's but the information captured can be the same. There is also a Windows version called "windump," which is typically not installed by default. Unless you were planning to use a Windows computer for the capture in the scenario, tcpdump would be a good choice
What is the USM system?
The AlienVault "Unified Security Management (USM)" system is a proprietary extension of the Open Source Security Information Management Manager (OSSIM), which we discuss later. In addition to the OSSIM capabilities, USM includes data analytics and visualization, log management, phone and e-mail support, documentation, a knowledgebase, and a full day of training. AlienVault also offers a subscription threat intelligence service in addition to the crows-sourced Threat Exchange, which supports OSSIM and USM. All this is available as a virtual or hardware appliance either on premises or tightly into "Amazon Web Services (AWS)," with well-regarded customer service. Because the scenario specifies that you don't have much in the way of SIEM capabilities, a product like USM would allow you to pack a lot of punch for a fairly small amount of money. The threat intelligence service subscription could also help mitigate the threat from APTs, particularly with the sophisticated analysis reporting features in this product.
What is one very popular imaging utility for Unix/Linux systems?
the dd utiltiy is just about the easiest way to make a bit-for-bit copy of a HD. You can find the program in nearly every Linux distribution as well as in the Mac OS. It's primary purpose is to copy or convert files, and accordingly there are several options for block sizes and image conversion during the imaging process that might assist in following analysis. The following comand will perform a bit-for-bit copy of hard drive "had" to a file called case123.img using the options to set the block size to 4,096 bytes and fill the rest of the block with null symbols should it encounter an error: dd if=/dev/had of=case123.img bs-4k conv=noerror,sync