Ch.2 - Risk Management Flashcards

1
Q

Threat Source

A
  • Adversarial
  • Accidental
  • Structural
  • Environmental

*These threats don’t exist in isolation – One can lead to another

2
Q

Adversarial

A

Attacks from malicious users, inside or outside the organization.

3
Q

Accidental

A

Errors made by users who did not intend to hurt organizational security.

4
Q

Structural

A

Failures of hardware, software, or other equipment such as environmental controls which are directly controlled by the organization.

5
Q

Environmental

A

Natural disasters, or structural failures to resources the organization depends on but does not control, such as power or network access.

6
Q

About Hackers

A

People bypassing security measures

7
Q

Unauthorized (Black Hat)

A

Criminal hackers
o Break computer security for personal gain or other malicious purposes
o Steal/destroy information, spread malware, or damage your computing assets

8
Q

Authorized (White Hat)

A

Security experts
o Practice hacking for legal purposes (finding countermeasures against hackers)
o Ethical hackers

9
Q

Semi-Authorized (Grey Hat)

A

Hackers who are not unauthorized/authorized
o Research security flaws as recreational exercise
o No intentional harm, but don’t care if they violate law

10
Q

Attacker Qualities

A
  • Intent/Motivation: Motivated by any number of reasons (personal/financial/political)
  • Sophistication/Capability Level: Some are inexperienced, relying on automated tools or simple vulnerabilities. Others are more subtle/personalized (threats).
  • Resource/Funding: Attackers can work in groups toward a common cause or alone to launch major and powerful attacks on security.
  • Location: Some require physical proximity to your computing resources, others can be anywhere in the world. Can be outside/inside your org.
  • Target Information: Some can hack randomly until they find something vulnerable. Others know your assets/vulnerabilities. Others use open-source intelligence.
11
Q

Common Attacker Types

A
  • Script Kiddies: Unskilled hackers relying on available attack tools (malicious scripts)
    o Deface websites, spread malware, or interrupt services,
    o Against poorly secured networks, they can do even more damage
  • Hacktivists: Hackers who attack organizations to further a political or ideological message
  • Criminal Syndicates: Criminal hackers seeking financial gain (work as part of a larger org)
    o Target resources they can sell to others
  • Insiders: Employees (or former ones) who have retained network access/knowledge
    o Inside thieves/embezzlers target financial resources/valuable intellectual property
    o Disgruntled employees motivated by revenge want to sabotage systems/data
    o Employees misusing resources (hurt performance/security)
    o Employees wanting to keep their job creating problems to fix
  • Nation-states: Nations employing intelligence agencies to attack rivals (orgs/business/political)
    o Have unparalleled attack resources
  • APT (Advanced Persistent Threat): Ongoing series of sophisticated attacks against an org
    o Target orgs with high-value data
    o Used by nation-states or most capable criminal groups
  • Shadow IT: Many orgs have IT resources that are not managed by the IT department
    o Not an attack, but can compromise org’s security
12
Q

Threat Vectors

A

Technical methods used to enter your org and target your resources.
- AKA “Tactics, Techniques, and Procedures” (TTPs)

▪ Direct Access: Comes from source that can directly contact your resources (insiders)
▪ Wired and wireless networks: No direct access, but still affect your local network
o Remote access, data breaches, network service outages
▪ Email/Personal Communications: Email, internet messaging, telephone, other comm tools
o Mainly emails – spread malware, credential theft, phishing
▪ Social Media: Has become part of how businesses communicate with their customers/public
o Scanning postings for sensitive info, spreading misinfo, performing social engineering
▪ Supply Chains: Org’s vendors, outside contractors, customers
o Malicious trusted partner gaining direct access, business partner leaking data
▪ Removable media and mobile devices: Any kind of electronic device which can be connected to your computing/network infrastructure
▪ Cloud Services: Service on someone else’s computer
o Can be attacked by cloud service provider, other tenants on same cloud

13
Q

Artificial Intelligence (AI) Risks

A
  • Most AI uses ML (Machine Learning), which uses algorithms to analyze data and learn to recognize existing patterns and map relationships
    1. If training data for AI is tainted or non-representative, the trained algorithm will not respond appropriately to real-world data.
    2. If ML algorithms have unknown biases or oversights introduced during development, AI will not behave appropriately regardless of how well-designed the training data set was (undetected harms).
    3. An attacker who knows enough about the AI “thinking” can game the system by meddling with real-world data to obscure their own activities or create false alarms that keep security analysts busy.
14
Q

Third-Party Risks

A

Any business relationship with a third party introduces risks apart from anyone attacking you.

15
Q

Incident Impact

A

Impact if a threat acted on a given vulnerability

  • Availability Loss: Disabled/compromised resource can prevent your org from achieving goals like producing goods/providing services
  • Recovery Costs: Equipment/labor cost required to repair/replace asset harmed by a threat
    o System is down, reduced operating capacity
  • Data Loss: Damage done to data itself
  • Information Disclosure: Damage done when sensitive data is exposed to untrusted parties
    o Data exposure: Human error causes sensitive data to be placed in untrusted environment
    o Data breach: Situation where unauthorized party accesses sensitive data
    o Data exfiltration: Breach where data is copied without affecting the source data
  • Identity Theft: Use of private data (personal info) at victim’s expense (can impersonate)
  • Other Financial Costs: Theft of financial resources, physical assets, valuable intellectual property
  • Public/Professional Reputation: Loss of customers/business partners with loss of reputation
  • Legal Consequences: Failure to comply with laws/regulations leads to fines/charges
16
Q

Threat Awareness

A

Know who will attack, asset vulnerabilities and how to mitigate threats

  • Known Threats: Long-established threats (variant) can breach weak security
    o Rely on heavy internal monitoring
  • Current Vulnerabilities: Documented vulnerabilities in hardware, software, or procedures are continually changing (stay aware)
    o Use cybersecurity resources, penetration tests, vulnerability scans
  • Trending Attacks: New strategies (defenses and vulnerabilities change) – Spearphishing
    o Recognize and prioritize those threats
  • Emerging Threat Sources: Ongoing changes in technologies/business practices
    o Adapt to them – Training, update security controls, complete rethinking
  • Zero-Day Vulnerabilities: Newly discovered vulnerabilities (before we know they exist)
    o Need software patch or alternative mitigation strategy
17
Q

Intelligence Gathering

A

Intelligence cycle practiced by military and gov intelligence agencies

1) Define intelligence requirements – Goals/priorities
2) Collect and process info likely to meet your requirements (process raw data)
3) Analyze processed info to turn into actionable intelligence
4) Disseminate intelligence to decision makers who can act on it
5) Generate feedback to improve next cycle

18
Q

Intelligence Source Types

A
  • Open-Source Intelligence (OSINT): Free to use and available to anyone
    o Ex: public threat feeds released by security orgs, news media, websites, forums
  • Closed-Source/Proprietary Intelligence: Only available to paying/exclusive customers
    o Ex: Commercial threat feeds from security vendors, advice from consultants, private orgs
19
Q

Threat Intelligence Types

A
  • Strategic Intelligence: Non-technical, high-level info – focuses on big picture – slow
  • Operational Intelligence: Adversaries and their actions – changes rapidly
  • Tactical Intelligence: Immediate, specific threats – Short-term, highly technical
  • Counterintelligence: Active security strategy – offensively, expensive (illegal)
20
Q

Cybersecurity Information Sources

A
  • Social Media: Twitter – excellent source for instant alerts, FB/LinkedIn – in-depth discussions
  • Vendor Websites: Strong interest to keep customers updated on threats and mitigating them
  • Academic Journals: Detailed knowledge of some field (technical and theoretical)
  • Conferences: Excellent place to meet security professionals, expert advice, demonstrations
  • Threat Actor Activities: Studying (un)successful attacks or reviewing incidents on your own
  • Request for Comments (RFC): Set of IETF publications – standards, practices, protocols
21
Q

Threat Intelligence Organizations

A

A. Computer Emergency Response Teams (CERT)
a. Expert groups that respond to security incidents or coordinate responses to widespread threats (Computer Emergency Readiness Teams)
b. Publish general-purpose security docs, alerts, tips about current threats
B. Information Sharing and Analysis Center (ISAC)
a. Organizations/communities related to CERTs, aka Information Sharing and Analysis Organizations (ISAO)
b. Each is gov or private non-profit to gather/share info – cybersecurity and threats
C. MITRE
a. US-based non-profit corporation that manages federally funded research and development centers to support government agencies such as NIST and DHS

22
Q

Threat Intelligence Sources

A
  • Data Repositories: Databases of known vulnerabilities, threats, security controls
  • Vulnerability Feeds: Regularly updated/distributed sources of info about new vulnerabilities
  • Threat Intelligence Feeds: Similar to vulnerability feeds, but with info about known threats
  • Threat Maps: Visual maps showing real-time/recently reported cyberattacks on a world map
  • Predictive Analytics: Application of ML that analyzes existing data to predict future trends
23
Q

Threat Indicators

A

Info used to describe security vulnerability, attack, its impact, or some other aspect

24
Q

Reputational Indicator

A

Indicator of attack (IoA) associated with known/likely threat source
o IP address/email associated with attackers, URLs linked to phishing, or files linked to malware

25
Q

Behavioural Indicator

A

IoA associated with a known or suspected action performed by attackers
o Unauthorized network scans, failed login attempts, phishing attempts, human behaviors

26
Q

Indicator of Compromise (IoC)

A

Forensic data associated with malicious activity on a system or network
o Unusual login behaviors, unexpected outbound network traffic, unauthorized config change

An IoA or IoC can indicate more than the presence of an attack; it can explicitly suggest a specific threat actor or threat actor category.

27
Q

Vulnerability

A

Weakness in system/network which can be exploited by threat actor
o Its target, how to exploit it, and potential impact of exploitation

28
Q

Attack Framework

A

Systematic threat modeling processes to map how threats, vulnerabilities, and security controls in a system are likely to interact

  • Defensive modeling: Begins with threats and uses them to identify potential vulnerabilities
  • Attack modeling: Begins with vulnerability and finds attack path that can compromise it
29
Q

Cyber Kill Chain

A

Models real-world network intrusions conducted by APTs

  • Consists of several phases linked in sequence to represent necessary steps of successful attack
  • By blocking any of those steps, you can defend against the threat as a whole
  • Interrupting any one of these steps will interrupt the entire attack.
  • Useful to model many attacks and teach defenders how to think about them proactively
30
Q

Cyber Kill Chain Phases

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

31
Q

Risk Assessment

A

To determine security needs

1) Identify assets potentially at risk.
2) Conduct a threat assessment for each asset.
3) Analyze the business impact of each threat.
4) Determine the likelihood of a given threat doing damage.
5) Prioritize risks by weighing the likelihood vs. potential impact of each threat.
6) Create a risk mitigation strategy to shape future security policies.

32
Q

Risk Registers

A

Formal document of risks you’ve discovered, correlated, calculated

  • For each risk you identify, the risk register should have a variety of fields, with details corresponding to the process you’re using
  • Ex: Unique ID and description, category, Likelihood, Business impact, Priority, Mitigation
33
Q

Identifying Assets

A

First need to identify assets with their value

- Ex: Information/data, Hardware/Software, Business inventory, buildings, cash

34
Q

Threat Assessments

A

Consider all bad things that could happen to assets

• Accidents and disasters: Anything in physical environment that can damage assets
o Fire, earthquakes, war, terrorism, utility failure

• Equipment failure: Threat of equipment along with what happens if failures happen
o Computing hardware, network devices, storage media

• Supply chain failure: Failure of goods, services, people, info (resources to do business with)
o Defective/sabotaged goods and info, malicious contractors/employee in a project

• Human error and negligence: Accidental human behaviors
o Accidentally access/distribute data, create new issues without knowing while fixing

• Malicious outsiders: Outside attacks harming assets and used to gain access within org
o Physical intrusion, unauthorized network access, distribution of malware

• Malicious insiders: Attackers who already have trust/access within org
o Motivated by greed, revenge, ideology, boredom

35
Q

Impact Analysis

A

Potential costs and other impacts (direct or indirect) associated with damage (qualitative metrics)

36
Q

Supply Chain Assessments

A

Maps out supply chains and how they cause risk to business operations
- Areas of interest should be ways that a supply chain disruption can cause failures in critical business operations and ways that supply chain relationships can cause data breaches

37
Q

Privacy Impact Assessments

A

Analyzes privacy risks, evaluates security controls which can minimize them, and ensures compliance with privacy policies and regulations

38
Q

Threat Probability

A

Calculate how likely threats are to happen

  • Mean Time To Failure (MTTF): Average time for newly installed device to fail (to be replaced)
  • Mean Time To Repair (MTTR): Average time to repair serviceable device (bring it back online)
  • Mean Time Between Failures (MTBF): Average uptime between failures on serviceable device (excluding time needed for repairs)
  • Mean Time Between Service Incidents (MTBSI): Average time between failures (including time needed for repairs) – MTBF + MTTR
39
Q

Vulnerability Assessment

A

How resistant your org is against likely threats

40
Q

Risk Measurement

A

Determine if you need to apply security controls first

41
Q

Quantitative risk assessment

A

An objective value (monetary figure) to each risk based on the probability and impact cost of the associated threat (objective numbers)

42
Q

Qualitative risk assessment

A

Begins with probability and impact cost of each threat and uses human judgment to calculate and assign a priority to the associated risk (quick and easy)

43
Q

Risk Control Assessments

A

Evaluating presence and effectiveness of existing security controls so you can identify and correct shortcomings

1) Identify business objectives - whether they represent organizational milestones/process metrics
2) Identify risks which get in the way of achieving those objectives
3) Identify security controls already in place to control risks and intended effect of each
4) Perform gap analysis comparing the current effectiveness of each control with its intended effect

44
Q

Risk Management Strategies

A
Risk avoidance
Risk transference
Risk mitigation
Risk deterrence
Risk acceptance
45
Q

Risk avoidance

A

o Choosing not to engage in activities that could expose your org to risk

46
Q

Risk transference

A

o Transferring risk to another party that will assume responsibility (include costs)
o Most common risk transference is purchasing insurance for expensive assets

47
Q

Risk mitigation

A

o Applying security controls to reduce risk
o Aims to limit risk of an activity without preventing the activity outright
o Several Mitigation Strategies:
▪ Technology controls
• Intended to protect physical assets, personnel, valuable data
▪ Policies and procedures
• Administrative and operational controls
▪ Routine audits
• Periodic reviews to look for unnoticed changes/problems
▪ Incident management
• Determine what harm was done, minimize or repair damage, and restore system to a secure state (preserve evidence)
▪ Change management
• Assesses security impact and makes necessary adjustments (if changes)

48
Q

Risk deterrence

A

o Applying visible controls to discourage attacks/human error from occurring

49
Q

Risk acceptance

A

o Hoping for the best without changing anything
o Good strategy when no other solution seems cost-effective
▪ Particularly when the risk is very unlikely or very low impact

50
Q

Residual Risk

A

Risks that remain (cannot eliminate everything)

51
Q

Cost Calculations

A

Risk determination relies heavily on costs

52
Q

Total Cost of Ownership

A

o Full life cycle cost of anything org owns/operates - initial investment, administration, maintenance, insurance premiums, or anything else associated (Low TCO is better)

53
Q

Return on Investment (ROI)

A

o Basic measure of profitability, describing expected reward associated with investment (high ROI is better)

54
Q

Choosing a Strategy by Risk Type

A

▪ Risks internal to org - Workplace accidents, equipment failures, and regulatory liability, come from factors under your control
▪ Often well-suited to effective risk avoidance, deterrence, and mitigation strategies

▪ External risks - Natural disasters and supply chain failures are much less under your control
▪ More challenging to forecast
▪ Rely on transferring or accepting risks you cannot reduce

▪ Multi-party risks that you share with other organizations are always complicated
▪ Multi-party cybersecurity incidents tend to be large and damaging
▪ Can control how to calculate the risk or define responsibilities

▪ Intellectual property risks can be complicated - Best strategy depends on the nature of the IP and how rigorously relevant laws are enforced where thieves are
▪ Better case for strong technical controls or outright avoidance

▪ Respect IP of other orgs - Software licensing compliance is a systematic risk in the enterprise
▪ Use strict software inventory and license management controls

▪ Some risks are a tradeoff between short term and long-term strategies
▪ Cost of replacing legacy systems/software in short term can be very high, so acceptance or limited mitigation might be necessary temporarily

55
Q

Automated Security

A

Scripts used to automate procedures and tools to enact technical controls, audit compliance, document security-related events, and anything else that can be done programmatically

  • Script: Special programs designed to emulate what user could do with sequential manual actions
56
Q

Securing the Security Assessment

A

Any kind of security assessment needs to be treated as sensitive information and distributed on a need-to-know basis
- Different security documents need to be distributed or secured in different ways

57
Q

About Vulnerability Assessments

A

Search for vulnerabilities that might otherwise go unnoticed

▪ Determining the attack surface: All software and services installed that are subject to attack (use config review, vulnerability scanning and penetration tests to help)
▪ Code review: Security of software should be validated before installation, reviewed after updates, when there’s a reason to suspect a problem, or during periodic review process
▪ Architecture review: Ensure that network hosts and devices have an architecture that meets their required security level
▪ Configuration review: Ensure new systems, apps and other solutions don’t introduce unacceptable risks (includes security policies and procedures)
▪ Log review: Once system is up/operating, review activity logs to determine security problems
▪ Baseline review: Comparing actual performance (events/usage) to baseline settings and logs

58
Q

Vulnerability Scans

A

Broad and fundamentally passive scan that examines an entire system, network, or organization, checking against a specific list of known vulnerabilities

  • Scan can be passive/invisible to security systems
59
Q

Penetration Test

A

Simulated attack designed to determine whether an adversary could compromise an asset (if test fails, then system has passed)
- Test is active and intrusive, but more focused

60
Q

Reconnaissance Tools

A

TCP/IP tools, shells/scripting env, network scanners, accounts, other elements

  • Want to know as much as you can about the network’s structure, services, and exposed OSINT before trying to discover vulnerabilities
  • Know Command line tools and scripts that you might execute on a security workstation, a system you want to secure, or a system you’re trying to exploit
    o Linux – “bash” and “csh” for command-line management and scripting
    o PowerShell – Most powerful tool for command-line management and scripting
    o Programming languages – Python, Ruby, Perl
61
Q

Goals of Vulnerability Assessments

A

✓ Missing security controls
o Scan can detect standard security measures that aren’t installed/have been disabled
✓ Open ports and services
o If service is appropriately secured and serves important function – No problem
o If insecure, unauthorized, unnecessary, it’s a potential vulnerability
✓ Unsecure network protocols
o Network protocols with no/weak security measures are vulnerable (need replacement)
✓ Weak encryption
o Can be cracked and give false sense of security
✓ Unsecure accounts
o If automated scan can find user credentials for a resource, an attacker can
o Have weak controls
✓ Open permissions
o Account/App with broad permissions has higher security impact when compromised and can be the target of privilege escalation attacks
✓ Misconfigured security controls
o Look for particular common mistakes on hosts, devices, apps
o Compare settings against a standard baseline and look for deviations
✓ Unsecured data
o Data stored in wrong place on network or without adequate security controls (Use DLP software to solve problem)
✓ Compromised systems
o Rogue servers, malware infection, unauthorized user accounts, or deliberately sabotaged security controls
✓ Exploitable vulnerabilities
o Many scanners are designed to check target systems against known common exploits so that you can patch/secure them
✓ Unpatched firmware and software
o Security updates can contain patches for vulnerabilities in device firmware, OS, App software
✓ Errors
o Can be a compromised system, misconfigured control, other underlying problem that will impact security or availability
o Errors detected during assessment should be passed along to troubleshooting process

62
Q

Vulnerability Scan Types

A

Intrusive: Use larger traffic volumes, unusual messages, or attempts to gain system permissions - more likely to trigger security alarms, disrupt or crash vulnerable/unstable systems as side effect

Non-Intrusive: Focuses on monitoring communications or making routine requests for info that will give info about system and its potential vulnerabilities (no harm)

Credentialed: Requires user credentials for hosts or resources being scanned - gives you much more information since you can directly view security configuration data with less traffic

Non-Credentialed: Doesn’t use any special permissions or user credentials - approaches system or network in much the way that an outside visitor would see it

63
Q

Vulnerability Scanners

A

Passive test of security controls

  • Infrastructure Vulnerability Scanner: Checks for vulnerabilities in host OS, services, and third-party applications
  • Web Application Scanner: Checks for vulnerabilities common in generic web servers and apps or for problems related to specific products
  • Cloud Infrastructure Scanner: Scan cloud-based hosts, services, and apps just like their on-premises counterparts
64
Q

Legacy Platforms

A

Hardware/software that is old/outdated but not easy to replace
▪ Include outdated computers, operating systems, and applications that are no longer in production or receiving manufacturer updates
▪ Include custom applications developed in-house or by a third party, which predate your current testing process or development environments

65
Q

Assessment Results

A

Should be compiled in report listing detected vulnerabilities and other findings

66
Q

Validating Scan Results

A

Scans can produce false positives, but false negatives (missed problems) go undetected

  • Updated feeds help improve scan accuracy – reduces false neg/pos
  • Stricter scanning criteria – reduces false neg, but more false pos
  • Credentialed scans show vulnerabilities not accessible to outsiders – can reduce false pos/neg
  • Document false pos for future scans
67
Q

Penetration Testing

A

Picking one or more expected weak points and trying to hammer them open

  • Fundamentally active and intrusive
  • Goals: Verify that theoretical threat exists - “Can this attack damage my newly secured system?”
  • One thing penetration tests don’t do is comprehensively scan for vulnerabilities
68
Q

Penetration Testing Process

A
  1. Planning
  2. Discovery
  3. Attack
  4. Reporting
  • If attack doesn’t work, tester can return to discovery phase for new leads instead of giving up
  • Better to have a test environment to not disrupt services, crash servers, harm operations
69
Q

Penetration Test Approaches (depending on goals of test)

A
  1. Unknown Environment: Tester is given no knowledge of the system before the test (black-box)
    a. Like a real hacker – need to research public sources, examine network, etc. (research)
  2. Known Environment: Tester is given full knowledge of existing security controls, system configurations, policies about the system and its potential vulnerabilities (white box)
    a. Give complete understanding to hit where it’s weakest
  3. Partially Known Environment: Tester is given some knowledge of the existing security configuration, but not a complete picture
70
Q

Testing Teams

A

People separated into teams for a security exercise

  • Red Team: Attackers – perform reconnaissance on network then exploit vulnerabilities
  • Blue Team: Defenders – secure assets and monitor network against intrusion
  • White Team: Moderators/referees – coordinate exercise and monitor results
  • Purple Team: Neutral team – ensure blue and red team collaborate to find vulnerabilities
71
Q

Performing Reconnaissance

A
  • Goal: put together an idea of what assets the target has, how they are arranged, and what ways you can achieve at least an initial foothold on their network (paint a more detailed picture)
  • Passive Reconnaissance (footprinting): Gathering whatever info you can about your target without directly sending them any info about your presence
  • Active Reconnaissance: Techniques that might tip target off that they’re being targeted, and how – network probes and direct contact via social engineering (can include semi-passive)
  • Vulnerability Analysis: Find avenues of attack
72
Q

Penetrating Network (Next Step)

A
  • Perform privilege escalation to get more control over infiltrated system
  • Establish persistence, or ways that you can regain access if you lose it
  • Pivot to view/access other network systems that you could not reach from starting point
  • Perform lateral movement through network to get closer to other goals
73
Q

Bug Bounties

A

Ongoing formal offer of name recognition or financial rewards to any individual who finds a software bug or security exploit in a specific website, application, or other product

74
Q

Proactive Threat Hunting

A

Proactively searching network for signs of intrusion which automated systems have missed – proactive practice and mindset

  • Begins with assumption attackers are in network and focuses on determining where they are
  • Active defense trying to stop the attack