Explain the importance of automation and orchestration related to secure operations Flashcards
incident response process
Preparation: In the preparation phase, organizations establish and maintain incident response plans. These plans should be regularly updated to address evolving threats. This is the stage at which the Cybersecurity Incident Response Team (CSIRT) is
Analysis: At the analysis stage, SIEM takes the lead, using correlation techniques to analyze the type of incident flagged, prioritizing its impact and category. To do this analysis, we can use tools such as the MITRE ATT&CK framework, the Cyber Kill Chain, or the diamond model of intrusion analysis.
Containment: In the containment stage, the primary goal is to limit the incident’s impact. This often involves isolating affected systems or quarantining them to prevent the attack from spreading. Simultaneously, volatile evidence (such as running processes and network connections) should be collected for analysis, and any compromised user accounts or access credentials should be disabled.
Eradication: Eradication focuses on destroying the root cause of the incident. For example, if malware is detected, efforts should be made to remove it completely. This may involve patching systems, deleting infected files, or disabling unnecessary services to protect the environment against future attacks.
Recovery: In the recovery phase, the organization aims to restore its operations to a normal state. This includes activities like data restoration, in which essential systems (such as domain controllers) are brought back online once they are clean and secure. The goal is to achieve the Recovery Point Objective (RPO) as closely as possible. The RPO is the amount of time a company can operate without its systems.
Lessons Learned: After the incident has been effectively contained and resolved, it’s essential to conduct a post-incident analysis. This Lessons Learned phase involves reviewing how the incident was handled to identify the strengths and weaknesses of the organization’s response. The insights gained here help organizations refine their incident response plans and take preventive measures to reduce the likelihood of similar incidents in the future.
For an example of this process in action, imagine a scenario in which a do
Stages of the Cyber kill chain
Reconnaissance
Calling employees, sending emails, social engineering, dumpster diving
Weaponization
Create malware payload
Delivery
Delivery medium, such as USB, email, web page
Exploitation
Executing code via a vulnerability
Installation
Installing malware on the asset
Command and Control
Infected system sends back information to the attacker
Action on Objectives
Hands-on keyboard—attack complete
Kerberos Authentication
Kerberos authentication uses a process called a TGT session, in which the domain controller provides the user with a service ticket that is used to access resources such as the mail server. In a TGT session, a user sends their credentials (username and password, or smart card and PIN) to a domain controller that starts the authentication process and, when it has been confirmed, will send back a service ticket with a 10-hour lifespan. This service ticket is encrypted and cannot be altered.
Lightweight Directory Access Protocol Secure (LDAPS) Secure port number
636
Internet Message Access Protocol Secure (IMAPS)
993 TCP Secure version of IMAP that uses TLS for encryption.
VM sprawl
Unmanaged VMs installed on your network
VM escape
While virtualization is designed to isolate VMs, the hypervisor (that is, the essential software managing these VMs) introduces an unexpected challenge. It can unintentionally create a path for lateral movement, known as moving east to west, and enable potential attackers to move from a secluded VM to the host system or other interconnected VMs.
port
A port acts as a virtual endpoint for communication between devices and applications over a network.
Insecure FTP
21
Post office protocol 3 insecure
110
Network Time Protocol (NTP) insecure
123
LDAP Insecure
389
SNMP Insecure
161
Secure Kerberos
88
HTTP insecure
80
HTTPS
443
Remote Desktop Protocol (RDP) Secure
3389
Session Initiated Protocol (SIP)
Connects internet-based cells
Port 5060/61
SMTPS
587
Server Message Block (SMB) Secure
445
Secure Protocols
| Protocol | UDP | Port | Use cases |
|---|---|---|---|
| Secure Shell (SSH) | | 22 | Secure remote access |
| Secure Copy Protocol (SCP) | | 22 | Secure copy to UNIX/LINUX |
| Secure File Transfer Protocol (SFTP) | | 22 | Secure FTP download |
| DNSSEC | TCP/UDP | 53 | Secure DNS traffic |
| Kerberos | | 88 | Secure authentication |
| Simple Network Management Protocol Version 3 (SNMP V3) | UDP | 162 | Secure status and reports of network devices |
| Lightweight Directory Access Protocol Secure (LDAPS) | | 636 | Securely manages directory service information |
| Hypertext Transport Protocol Secure (HTTPS) | | 443 | Secure web browser |
| TLS/SSL | | 443 | Secure data in transit |
| Server Message Block (SMB) | | 445 | File and Print Sharing |
| Internet Protocol Security (IPSec) | UDP | 500 | Secure session for VPN or between two hosts |
| SMTPS | | 587 | Secure SMTP |
| Secure/Multipurpose Internet Mail Extensions (S/MIME) | | 993 | Encrypt or digitally sign email |
| Secure IMAP 4 | | 993 | Secure IMAP4 |
| Secure Post Office Protocol 3 | | 995 | Secure POP3 |
| File Transfer Protocol Secure | | 989/990 | Download large files securely |
| Remote Desktop Protocol (RDP) | | 3389 | Microsoft remote access |
| Session Initiated Protocol (SIP) | | 5060/61 | Connects internet-based cells |
| Secure Real-Time Protocol (SRTP) | | 5061 | Secure voice traffic |
Insecure Protocols
| Protocol | UDP | Port | Use case |
|---|---|---|---|
| File Transfer Protocol (FTP) | | 21 | File transfer – passive FTP |
| Telnet | | 23 | Run commands on remote hosts (however, note that passwords are not encrypted) |
| Simple Mail Transport Protocol (SMTP) | | 25 | Transport mail between mail servers |
| Domain Name System (DNS) | UDP | 53 | Host name resolution |
| | | 53 | Zone transfer |
| | UDP | 53 | Name queries |
| Dynamic Host Configuration Protocol (DHCP) | UDP | 67/68 | Automatic IP address allocation |
| Trivial File Transfer Protocol (TFTP) | UDP | 69 | File transfer using UDP |
| Hypertext Transport Protocol (HTTP) | | 80 | Web browser |
| Post Office Protocol 3 | | 110 | Pulls mail from a mail server; no copy is left on the mail server |
| Network Time Protocol (NTP) | | 123 | Time synchronization |
| NETBIOS | UDP | 137–139 | NETBIOS to IP address resolution |
| Internet Message Access Protocol (IMAP 4) | | 143 | Pulls mail from a mail server |
| Simple Network Management Protocol (SNMP) | UDP | 161 | Notifies the status and creates reports on network devices |
| Lightweight Directory Access Protocol (LDAP) | | 389 | Stores X500 objects; searches directory services for users, groups, and other information |
Smurf attack
A smurf attack occurs when the attacker floods the target network with infinite ICMP request packets.
Software Composition Analysis
Software composition analysis (SCA) is the correct tool for identifying vulnerabilities in third-party software components because it specifically scans and analyzes their codebases
NAT translation
Network address translation (NAT) is optimal for allowing Internet access to a web server while securing the rest of the network. NAT masks internal IP addresses, funneling external requests specifically to public-facing services. Packet filtering is too basic, lacking the ability to translate addresses.
Stateful Packet Inspection
Stateful packet inspection (SPI) is appropriate for protecting against IP spoofing and other complex network attacks. Unlike stateless packet filtering, which inspects each packet in isolation, SPI keeps track of ongoing connections, allowing it to distinguish between legitimate and malicious packets more effectively
E-Discovery
involves legally compliant data collection, distinct from general data retrieval methods. It’s specifically tailored to legal requests, ensuring data relevance and compliance
IT governance owner role
The owner in IT governance is key in shaping the organization’s cybersecurity strategy, particularly concerning the classification of assets and the approval of risk mitigation strategies.
DKIM
a protocol that allows an organisation to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify
DMARC
DMARC suggests what to do with mail that isn’t legitimate. Domain-based Message Authentication, Reporting and Conformance, a technical standard that helps protect email senders and recipients from advanced threats that can be the source of an email data breach
File integrity monitoring
works by first creating a baseline, which acts as a reference point and is periodically analyzed to detect tampering or fraud
Decentralization
Unlike traditional centralized databases (in which a single entity controls the ledger), the open public ledger is decentralized. Multiple copies of the ledger are distributed across nodes (i.e., computers) within a blockchain network.
Unified Threat Management Firewall (UTM)
A multi-tasker – malware inspection, content, and URL filtering
Purple Team
is a security methodology in which offensive security professionals (referred to as red teams) and Cyber Security Operations Centre (CSOC) professionals (referred to as blue teams) work closely together in order to enhance cyber capabilities through continuous feedback and knowledge transfer.
Wardriving
In cyber security, wardriving is the act of looking for publicly accessible Wi-Fi networks, usually from a moving vehicle, using a laptop or smartphone.
Warchalking
Warchalking is the drawing of chalk symbols in public places to indicate free Wi-Fi hotspots. Wi-Fi enthusiasts practice warchalking in rural and urban areas and usually draw warchalking symbols on objects near the Wi-Fi hotspot, like sidewalks, walls, or lamp posts.
Active Reconnaissance
Active reconnaissance involves more direct interaction with the target, albeit in a non-intrusive manner.
Hash Function
A hash function is a computational method that can map an indeterminate size of data into a fixed size of data. Or more plainly, it provides a number quantity that represents the input data.
OSINT
OSINT refers to the collection and analysis of free and publicly available threat intelligence information donated by multiple cybersecurity organizations and individuals.
white team
A white team is a group of IT specialists tasked with overseeing red vs blue exercises
Telemetry
Telemetry is the process you use to gather information about your IT infrastructure.
asymmetric encryption
Asymmetric encryption is the process of using a public key from a public/private key pair to encrypt plaintext, and then using the corresponding private key to decrypt the ciphertext
asymmetric algorithms
RSA, Diffie–Hellman, and Elliptic Curve Cryptography (ECC).
symmetric algorithms
Data Encryption Standard (DES—56 bit), the Triple Data Encryption Standard (3DES—168 bit), and the more popular Advanced Encryption Standard (AES—256 bit)
Key Longevity
Key longevity refers to the duration over which cryptographic keys remain secure and effective in protecting sensitive data, making it imperative to periodically update keys to stay ahead of potential security threats. This is typically between one to two years.
Key Length
The length of cryptographic keys is the measure of their resistance against attacks. A key’s length directly affects the complexity of deciphering encrypted data.
Layer 1 Physical Layer
cabling
Layer 2 Data Link
Switch / VLAN
Wireless Access Point (WAP)
MAC addresses
00-1A-2B-3C-4D-5E
ARP
Layer 3 Network layer
Routers / Subnets
Layer 3 Switch
IP addresses and routing of packets (e.g., 192.168.1.1)
Layer 4 Transport
Layer 4 Transport Layer
Load Balancer
TCP/UDP
Layer 7 application
Layer 7 Application Layer
Web Application Firewall (WAF)
Network Intrusion Prevention System (NIPS)
Protocols: DNS, SMTP, HTT
Switch
A switch is an internal network device that links all machines in the local area network (LAN; see the following figure), maintaining a table known as Content Addressable Memory (CAM) with MAC addresses to identify connected hosts. Figure 10.2 is a visual representation of this device.
router
A router is a device used to connect two different networks when setting up a host machine, known as the default gateway. It is used by your company to give you access to other networks—for example, the internet. It
VLAN
A VLAN is established through the software on a network switch. It allows you to group multiple network ports together, effectively creating a distinct and separate network within the larger network. This method of network division aids in controlling traffic flow and segregating communications for distinct functions or device groups
SDN structure
Management Plane: The management plane orchestrates network intelligence effortlessly by monitoring the network traffic.
Control Plane: The control plane, often embodied by an SDN controller, serves as the network’s “brain.” It is a centralized entity that makes high-level decisions about traffic routing, network policies, and resource allocation, based on a set of rules set by administrators. This abstraction provides network administrators with a global, bird’s-eye view of the network and a single point from which to apply changes.
Data Plane: The data plane consists of network devices such as switches, routers, and access points. It is responsible for forwarding data packets based on the instructions received from the control plane. Unlike traditional networking, where control and data planes are tightly integrated, SDN separates them, allowing for programmable and dynamic control over the network’s behavior, including that of both resource allocation and security.
Virtual desktop infrastructure
is IT infrastructure that lets you access enterprise computer systems from almost any device
Directory Traversal
Directory traversal is where the attacker aims to traverse the directory structure and access sensitive or confidential files that they should not have access to.
Examples: Directory Traversal
/etc/passwd
This file contains user account information, including usernames and hashed passwords. Accessing this file could potentially allow attackers to further compromise user accounts.
/etc/shadow
This file contains the encrypted password hashes for user accounts. Accessing this file would provide attackers with information that could help them crack passwords offline.
/etc
This is the system configuration directory. It contains various configuration files for system services and applications.
/var/www/html
These are web application directories where source code, configuration files, and potentially sensitive data could be stored.
traversal examples
../../../../../
or %2f..%2f..%2f
or ..2f..2f..2f
This is a traversal attack. Seeing this in a log file or URL means that the attacker is moving up the directory. Each ../ means that they have moved up one level. %2f or ..2f could replace ../.
/root
This is the home directory of the root user, which may contain system-related files and configurations.
Collision attack
Cryptography relies on the creation of unique signatures or hashes for data to ensure authenticity and integrity. A collision attack shatters this notion of uniqueness by manipulating the hash function. The attacker creates both a malicious and a benign document with the same hash.
Concurrent session usage
Monitoring the number of concurrent user sessions can reveal suspicious activity. Sudden spikes or a significantly higher number of concurrent sessions than usual might indicate unauthorized access or a breach in progress.
Cross-site injection
A type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
WEP
WEP (Wired Equivalent Privacy) is the oldest and most common Wi-Fi security protocol. It was the privacy component established in the IEEE 802.11, a set of technical standards that aimed to provide a wireless local area network (WLAN) with a comparable level of security to a wired local area network (LA
WPA
WPA (Wi-Fi Protected Access) is a wireless security protocol released in 2003 to address the growing vulnerabilities of its predecessor, WEP.
Offline Password attacks
This attack is where the attackers have managed to gain access to a system’s password storage and then attempt to crack them offline. For instance, they may download a copy of the /etc/shadow file from a Linux server or %SystemRoot%\System32\config\SAM from a Windows computer. The attacker can now take this home and track and crack the passwords in their own time without alerting the security team
Temporal Key Integrity Protocol (TKIP)
which dynamically generates a new key for each packet, or unit of data. TKIP is much more secure than the fixed-key system used by WEP.
VLSM
VLSM allows network designers to give each subnet a different number of IP addresses, ultimately resulting in less network congestion and wasted IPs.
EAP
EAP methods protect a specific portal so that only users with an authentication key or password can get network access. EAP uses the 802.1x standard as its authentication mechanism over a local area network or a wireless LAN (WLAN)
Sticky MAC port
Sticky MAC addresses simplify the port security process by storing the MAC addresses of authorized devices.
EAP-TLS
EAP-TLS is a specific, secure version of wireless authentication that requires a certificate stored on the endpoint (client or device) to verify identity and authorization.
PEAP
PEAP is a version of Extensible Authentication Protocol (EAP) that encapsulates and encrypts the EAP data using a certificate stored on the server, making it more secure for Wireless Local Area Networks (WLANs).
EAP-TTLS
EAP-TTLS uses two phases. The first is to set up a secure session with the server by creating a tunnel using certificates that are stored on the server, and seen by the client. The second is to authenticate the client’s credentials.
EAP-FAST
EAP-FAST, developed by Cisco, is used in wireless networks and point-to-point connections to perform session authentication. It is the only one of these authentication protocols that does not use a certificate.
RAS Protocols
A remote access service (RAS) is any combination of hardware and software to enable the remote access tools or information that typically reside on a network of IT devices.
IDS
The IDS is passive as it uses sensors and collectors to detect suspicious or unauthorized activities, sounding the alarm when potential threats are discovered. Both the IPS and IDS can be network-based, though, in these instances, they are known as NIDS and NIPS and can protect the network but not the host. The host versions of these systems are HIDS and HIPS. As expected, they can only protect the host and not the network.
What does TACACS+ encrypt?
TACACS+ encrypts the entire packet content, ensuring a higher level of security.
What does RADIUS encrypt?
RADIUS encrypts only the password in the access request packet.
CER
A critical metric for evaluating biometric systems before making a purchase, the CER represents the point where the FAR and FRR are equal. A lower CER indicates that the biometric system produces fewer errors, because both the FAR and FRR are low, and would be the best biometric system to purchase.
hard authentication
A hard token is an electronic device that generates one-time passwords for logging into a computer system.
RADIUS: how does it work?
RADIUS is a cornerstone in network security, particularly in remote access scenarios. RADIUS clients encompass a variety of devices, including wireless access points, routers, and switches. As these clients forward authentication requests to a RADIUS server, they necessitate a shared secret. This secret, known to both the RADIUS client and server, safeguards the exchange of sensitive data, bolstering the integrity of the authentication process.
KBA
static KBA, which is based on a pre-agreed set of shared secrets, and dynamic KBA, which is based on questions generated from a wider base of personal information.
Bluesnarfing
Bluesnarfing, in contrast, is a malicious act that involves gaining unauthorized access to a Bluetooth-enabled device’s data (such as contacts, messages, or files) without the owner’s knowledge or consent.
Telnet Port
Port 23 is the default Telnet port, and it is used for remote terminal emulation of both computers and devices
Remediation Server
Remediation server: Positioned within the boundary or quarantine network, the remediation server plays a pivotal role. When a non-compliant device is redirected to this network, it gains access to the missing updates and patches from the remediation server. Once the device achieves a fully patched status, it is then permitted to access the LAN without compromising security.
Evil Twin Attack
In an evil twin attack, the attacker uses either the same or a similar SSID to the victim. The telltale signs of this attack are a slower internet connection and the inability to access corporate data. This error occurs because you are actually on the wrong wireless network—one created by the attacker.
Tethering
Tethering is a connection method for mobile devices that bridges the gap between a GPS-enabled smartphone and other devices (a laptop, for instance) by providing them with internet access.
Log File
Log files are text files that reside on every device, recording events as they happen. They contain a wealth of information about system events, errors, user interactions, and security incidents, acting as an audit trail by which an event can be tracked.
Server Message Block (SMB)
Windows proprietary protocol built on NetBIOS. Allows users to remotely access servers. Originally used port 139 over UDP.
Hex Dump
In computing, a hex dump is a textual hexadecimal view of computer data, from memory or from a computer file or storage device. Looking at a hex dump of data is usually done in the context of either debugging, reverse engineering or digital forensics.
Users can inspect raw data, addresses, and corresponding characters
NetFlow
NetFlow defines traffic flows based on shared characteristics, known as keys, and groups them into flow labels
MOA (Memorandum of Agreement)
An MOA is legally binding. It meticulously outlines the terms and conditions and detailed roles and responsibilities of the parties involved. The
MOU
An MOU is a formal acknowledgment of a mutual agreement between two or more parties. It is more substantial than an informal agreement, reflecting a serious commitment from all involved parties, but generally lacks the binding enforceability of a legal contract. It serves primarily as a statement of intent.
MSA
The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities. It typically addresses aspects such as payment terms, dispute resolution mechanisms, intellectual property rights, confidentiality clauses, and liability provisions.
BPA
A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared. It also establishes rules for termination of the partnership, either at a given point in time or if one of the partners dies or is otherwise unable or unwilling to continue their partnership.
integer overflow
An integer overflow occurs when an arithmetic operation on integers attempts to create a numeric value that is outside of the range that can be represented with a given number of digits.
Allowlist
The application allow list has a clear purpose, which is to specify a roster of approved applications that are permitted to execute while blocking unauthorized or potentially malicious software from gaining a foothold. This can be done by creating a whitelist, which is a list of approved applications that will deny access to any application not on the list.
Reverse Proxy
The flow of traffic from a reverse proxy is incoming traffic from the internet coming into your company network. The reverse proxy is placed in a boundary network called the screened subnet. It performs the authentication and decryption of a secure session to enable it to filter the incoming traffic.
active reconnaissance
In active reconnaissance, an attacker actively probes and interacts with the target system to gather information.
DMZ
The DMZ is an area that is neither fully trusted nor fully untrusted. It’s an intermediate zone that allows controlled access to certain services from the external network. Communication between the DMZ and the internal network might be subject to more stringent controls. This is also commonly known as a screened subnet, where resources that are accessed by untrusted and trusted networks reside.
offensive security assessment
Offensive security is the practice of actively seeking out vulnerabilities in an organization’s cybersecurity.
Sideloading
Sideloading is generally associated with Android devices utilizing Android Application Package (APK) files. While applications can also be sideloaded on Apple devices, the practice directly violates Apple’s terms and conditions and voids the device’s warranty.
Rooting
Rooting allows users to bypass manufacturer or operating system restrictions on Android devices, providing more control over a device. This is commonly known as unlocking a device. This freedom, however, exposes the device to significant security risks.
Logical security controls
restrict the access capabilities of users of the system and prevent unauthorized users from accessing the system
Compensating controls
Compensating controls are alternative measures implemented when primary controls are not feasible or sufficient
SLA
Defines service expectations and responsibilities
DHCP port
Dynamic Host Configuration Protocol (DHCP) 67/68 UDP This network management protocol is used to assign multiple local private IP addresses from one public IPv4 address.
Internet Message Access Protocol (IMAP) port
993. E-mail protocol used by e-mail clients to communicate with e-mail servers. Provides two-way communication, unlike POP.
SMTPS
Simple Mail Transfer Protocol Secure (SMTPS) 587
FTPS
File Transfer Protocol Secure (FTPS) 989/990 TCP. FTPS uses TLS for encryption. It can run on ports 20/21 but is sometimes allocated to ports 989/990.
Purple Team
A purple team is a security team that combines offensive and defensive tactics to identify, assess, and mitigate security risks.
What is Nessus?
A remote scanning tool that can identify vulnerabilities that hackers can exploit
Subjects Data Plane
Subjects in the data plane are the entities that initiate data communication,
Systems in data plane
Systems represent the collective infrastructure, resources, and devices that are responsible for processing and forwarding data packets as they traverse the network.
Heat Map
A heat map is a valuable tool in the hands of a network administrator when addressing reports of inadequate coverage. By visually pinpointing areas with subpar coverage on the map, administrators can efficiently identify potential issues, including malfunctioning WAPs
red and orange areas indicate good coverage,
PSK
PSK refers to a passphrase or a pre-shared secret key that is used to authenticate and secure access to a wireless network.
WPS
WPS allows you to connect to a wireless network by simply pushing a button, negating the need to insert a password each time.
Secure Coding Practices
Secure coding practices are a set of guidelines and principles that software developers follow to write code in a way that prioritizes security and reduces the risk of vulnerabilities or weaknesses that could be exploited by attackers.
IMAP port number
Internet Message Access Protocol (IMAP) 143, 993
POP
110
SMTP
Simple Mail Transfer Protocol (SMTP) 25/587. Internet mail protocol used to send outgoing mail from email clients to mail servers.
POP3/IMAP/SMTP
POP3 and IMAP are protocols for retrieving emails from a server, while SMTP is for transmitting emails
POP3/IMAP
POP3 downloads all the emails simultaneously, while IMAP shows you the message header before downloading the email. POP3 downloads an email from the server and then deletes it. IMAP stores the email on the server and syncs it across several devices to access over multiple channels.
POP3/IMAP
POP3 downloads emails from a server to a single computer, making those emails only accessible on that specific computer. IMAP stores emails on a server and then syncs them across multiple devices. IMAP is more advanced than POP3 and allows you to access your email from anywhere, and on any device.
SMTP
Simple Mail Transfer Protocol (SMTP) used port 25. Today, SMTP should instead use port 587
Bluejacking
Bluejacking is a type of attack in which individuals send unsolicited messages or business cards to nearby Bluetooth-enabled devices, such as smartphones or laptops
PSK shared key
A PSK refers to a passphrase or a pre-shared secret key that is used to authenticate and secure access to a wireless network. Any time you visit a restaurant and ask the host for the wireless password, the password they provide is the PSK. Remember that there is also an admin password on the WAP that you should never share.
Password Spraying vs Brute Force
Traditional brute-force attacks target a single account with multiple possible passwords. A password spraying campaign targets multiple accounts with one password at a time.
Stateful vs stateless
Stateful firewalls are capable of monitoring and detecting the states of all traffic on a network to track and defend based on traffic patterns and flows. Stateless firewalls, however, only focus on individual packets, using preset rules to filter traffic.