NickPGSmith: 2 revisions imported

2024-05-08T04:53:43Z

2 revisions imported

← Older revision	Revision as of 04:53, 8 May 2024
(No difference)

NickPGSmith: 1 revision imported

2023-02-17T21:02:13Z

1 revision imported

← Older revision	Revision as of 21:02, 17 February 2023
(No difference)

NickPGSmith: /* Vulnerability impact */

2021-12-31T14:37:31Z

Vulnerability impact

New page

== Malware ==

=== Comparing viruses, worms and trojans ===

* Virus: need user interaction
* Worm: no user interaction
** RTM Worm (1988), 10% affected
* Trojan horse: disguised actions
** RAT (Remote Access Trojan)

=== Malware payloads ===

* Adware: Change search engine, popups, etc
* Spyware: Gathers info, eg keyloggers
* Ransomware: Encrypt disk, eg wannacry
* Crypto malware: mines cryptocurrency

=== Understanding backdoors and logic bombs ===

* Backdor: workaround access eg hardcoded accounts, defaults, unknown access channels
* Logic bomb: eg date/time, file contents, API call

=== Looking at advanced malware ===

* Root kits: escalate privileges
* File-less viruses: in memory only, eg Office Macros, JavaScript code, Registry
* Botnets: communicate though IRC, Twitter, peer-peer (Command and Control)

=== Understanding botnets ===

=== Malicious script execution ===

== Understanding Attackers ==

* Script kiddies
* Hacktivist - motivation
* Organised crime
* Nation states - APTs

* White Hats: work with targets' permission
* Back Hats: no permission
* Grey Hats: illegal, but with good intent

* Insider threat: principle of least privilege
** 2 person check for critical operations
** mandatory vacations for critical staff (fraud uncovering)
* Shadow IT
* Attack Vectors: Email, social media, USB, chip in cable, network jack, skimmmers, cloud servers, physical access (including supply chain), Wifi

=== Cybersecurity Adversaries ===

=== Preventing insider threats ===

=== Attack vectors ===

=== Zero days and the advanced persistent threat ===

== Threat Intelligence ==

=== Threat Intelligence ===

Open Source intelligence: security websites, vulnerability DBs, media, codebases, etc
Closed Source intelligence: proprietary info
* Timelines
* Accuracy
* Reliability

Threat indicators: IP, file patterns, etc

* Cyberobservable expression CybOX - Schema
* Structured Threat Information Expression (STIX) - Language format
* Trusted Automated Exchange of Indicator of Information (TAXI) - Info exchange

Cybox > STIX > TAXI

* Open IOC - Mandient Framework
* Functions supported by intellegence
** Incident Response
** Vulnerability Management
** Risk Management
** Security Engineering
** Detection and Monitoring

=== Intelligence sharing ===

Information sharing & analysis centres
* Safe way for competitors to collaborate
* Each industry has at least one ISAC

=== Threat research ===

* Reputational threat research
** previous actors, IP, email, domains, etc
* Behavioural research
** identify behaviour that resemble activity of past threats
* Vendor websites, cybersecurity jouranals, academic journals, RFC docs, local industry groups, social media, etc

=== Identifying threats ===

Modelling: structured approach should be used:
* Asset focused
* Threat focused
* Service focused eg API review

=== Automating threat intelligence ===

eg
* Blacklisting IPs from feeds
* Incident Response could be partially automated eg IDS attack > workflow for customer geolocaton, logs, etc

Security Orchestration, Automation and Response (SOAR)
* Machine learning allows automated creation of file diagnostics

=== Threat hunting ===

Cannot prevent all threats: "assumption of compromise"
* Now searching for those compromises
* Need to think like an adversary

Establish a hypothesis and look for indicators of compromise -> containment/eradication/recovery

TTPs - Tactics, Techniques, Procedures

== Social Engineering Attacks ==

=== Social engineering ===

Psychological attacks to gain info
* Authority - defer to authority
* Intimidation - scare people
* Consensus/social proof - herd mentality
* Scarcity - act quickly or miss an opportunity
* Urgency - time is running out
* Familiarity/liking - flattery/fake relationships

Education is the solution

=== Impersonation attacks ===

* Spam
** phishing, trick users to share information
* Prepending info on email
* Spear phishing - target a small number
** Whaling - target executives eg subpoenas
* Pharming - setup false websites
* Vishing - voice phishing
* Smishing / SPIM - SMS/IM often uses spoofing, faking an identity

=== Identifying fraud and pretexting ===

Pretexting - impersonate a customer while contacting an organisation
* eg convince phone company to switch phone number to his -> reset bank details with this number

=== Watering hole attacks ===

Websites that spread malware - users must trust websites, at least to some extent
Users are conditioned to bypass security
Attacker uses a compromised popular website -> infected system calls home

=== Physical social engineering ===

* Shoulder surfing
* Dumpster diving
* Tailgating

== Common Attacks ==

=== Password attacks ===

* Brute force
* Dictionary attacks
* Hybrid attacks
* Rainbow table attacks

=== Password spraying and credential stuffing ===

Uses common password list and attempt to use them against one account

=== Adversarial artificial intelligence ===

Machine Learning:
* Descriptive analytics (eg what % female)
* Predictive analytics (eg model to predict future customer behaviour)

Aversarial AI: Injected tainted training data - Tesla speed sign example)

== Understanding Vulnerability Types ==

=== Vulnerability impact ===

Confidentiality:
* Disclosure attacks: data breach
Integrity:
* Unauthorised changes
Availability:
* Authorised individuals can't access resources: DoS attacks

Risks:
* Financial
* Reputational
* Strategic
* Operational
* Compliance (eg HIPAA)

=== Supply chain vulnerabilities ===

End of Life Cycle:
* End of sale
* End of Support (all or some support stopped)
* End of Life (now updates at all)

Vendors can just fail to provide proper support, especially in embedded systems

=== Configuration vulnerabilities ===

eg default accounts

Cryptographic vulnerabilities
* Key management
* Certificate management

Patch management (OS, Apps, Finance)

Account management (eg execute permissions)
* Use principle of least privilege

=== Architectural vulnerabilities ===

Incorporate security early on, no a bolt-on extra

System sprawl: new devices get turned on but old devices are not decomissioned

== Vulnerability Scanning ==

=== What is vulnerability management? ===

Detects, remediates and reports vulnerabilities

Why manage?
* Maintain security
* Comply with corp policy
* Comply with regulations
** PCI/DSS: anyone who handles credit card data: quarterly scans internasal and external, repeat scans after large changes, use approved vendor, remediate and rescan until you achieve a clean report
** FISMA for US government employers: follow NIST guidelines, regular scans, analyse the results, remediate legitimate vulnerabilities, share with other agencies

Tests:
* Network scans
* Application scans
* Web application scans (eg SQL/CSS)

=== Identifying scan targets ===

Asset Inventory provides a starting point
Nessus and Qualis may discover assets

* Impact > what is the highest level of data classification handled?
* Likelihood > What is the network exposure? (is it behind a firewall? What services are running?)
* How critical is the system?

=== Scan configuration ===

Nessus
* configure pings, port scanning, scan sensitivity: default "normal" sensitivity
* "Enable safe checks"
* Rate limits can be configured
* Choose default plugins

=== Scan perspective ===

Network location:
* Consider scanning inside network/Internet/DMZ
* All are valid and answer different questions

Firewall and IDS/IPS and segmentation impacts scan results

Agent-based scans: install a security agent on each target

Credentialed scanning: mix scan perspectives

=== SCAP (Security Content Automation Protocol) ===

Confusing terminology, so provide a consistent language that describes items:
* CVSS (Common Vulnerability Scoring System)
* CCE (Common Configuration Enumeration)
* CPE (Common Platform Enumeration)
* CVE (Common Vulnerability and Exposures)
* EXXDF *Extensible Configuration Checklist Format)
* OVAL (Open Vulnerability Assesment Language)
** describes testing procedures in a programmatic way

=== CVSS (Common Vulnerability Scoring System) ===

CVSS: 10 point scale:
* Attack vector
** Physical
** Local
** Adjacent Network
** Network
* Attack complexity
** High
** Low
* Privileges required
** High (admin)
** Low
** None
* User interaction (exploitability)
** Required (user needs to do something)
** None

* Confidentiality
** None
** Low
** High (all is vulnerable)
* Integrity
** None
** Low
** High (all info could be modified)
* Availability
** None
** Low (performance degraded)
** High (system shutdown)

* Scope
** Changed (vulnerabilities can affect other comments)
** Unchanged

=== Analysing scan reports ===

Prioritisation factors
* Severity of vulnerabilities
* System criticality
* Information sensitivity
* Remediation difficulty
* System exposure

=== Correlating scan results ===

Consult industry standard eg PCI/DDS:
* will fail if any systems has CVSS score of ⩾ 4.0

Technical info CMDB, log repositories, others
Trend analysis look for changes over time, Eg if new web apps keep showing CVSS: Dev training or better libraries

== Penetration Testing and Exercises ==

=== Penetration testing ===

Security professionals in roles of attackers
* test security controls by bypassing or defeating them
* define scope of systems ("Rules of engagement")

* White Box Test - with full knowledge like an internal attacker
* Black Box Test - with no knowledge like outsider
* Grey Box Test - with some knowlegde

NIST recommend:
* Discovery Phase
* Attack Phase
** Gain Access > Elevate Privs > Browsing > Install tools
* Goto Discovery

Pivot: after exploiting a system, pivot to another more secure system

Clean up the traces of attack
* expensive/time consuming so use occasionally

=== Bug bounty ===

* Align attacker's and organisation's interests
* Can be self managed or fully managed by external vendor

=== Cybersecurity exercises ===

* Teams attacking (red) vs Securing systems (blue)
* White team: observe and judge

Red and blue team results -> Purple Team

* Capture the Flag exercises, usually in a sandbox

Threats, Attacks, Vulnerabilities - Revision history

NickPGSmith: 2 revisions imported

NickPGSmith: 1 revision imported

NickPGSmith: /* Vulnerability impact */