Focused ECIHv2 Study Guide Flashcards
What is the Risk equation?
Risk = Threat X Vulnerability
In Order, What is the Risk Assessment Process?
- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Analysis
- Impact Analysis
- Risk Determination
- Control Recommendation
- Risk Assessment Report
What is PILAR?
Risk Analysis and Management Software
What is the purpose of Incident Response Orchestration - Automation?
To automatically notify a person when there’s an incident.
ISO/IEC 27000
Overview and introduction of the information security management systems
ISO/IEC 27001
The Information Security Management System (ISMS) requirements
ISO/IEC 27002
Code of practice for information security controls
ISO/IEC 27003
Information Security Management System implementation guidance
ISO/IEC 27004
Information Security Management
ISO/IEC 27005
Information Security Risk Management
ISO/IEC 27006
Requirements for bodies providing audit and certification of Information Security Management Systems
ISO/IEC 27007
Guidelines for Information Security Management Systems auditing
ISO/IEC TR 27008
Guidance for auditors on ISMS controls
ISO/IEC 27009
Guidelines for those producing sector or industry-specific ISO27k standards
ISO/IEC 27010
Information Security Management for inter-sector and inter-organizational communications
NIST 800-86
Incident Response Approach
NIST 800-61 Rev.2
Incident handling guide
RFC 2196
RFC 2196 builds on RFC 1244 and is a guide to setting computer security policies
COBIT
IT governance framework that emphasizes compliance and helps increase the value of IT
NIST 800-61
Step-by-step instructions for new and established incident response teams
Gramm-Leach-Bliley Act (GLBA)
Deals with financial institutions, specifically PII
Sarbanes-Oxley (SOX)
Fair and accurate corporate reporting. Deals with corporate fraud.
General Data Protection Regulation (GDPR)
Article 32: Speaks to the CIA triad and the ability to restore PII on time
Article 33: Must notify if data is breached within 72 hours, if possible
NIST: Incident Handling Criteria and Reporting Timeframe
- Cat 0 Exercise/Network Defense Testing
- Cat 1 Unauthorized Access – 1 hour
- Cat 2 DoS – 2 hours
- Cat 3 Malicious code – 1 hour
- Cat 4 Inappropriate usage – Weekly
- Cat 5 Scan/Probe/Attempting access – Monthly
- Cat 6 Investigation
buck-security
Linux tools which identify the security status of a system
Kiwi Syslog Server
Centrally manages Syslog messages
Splunk
Collects, monitors and analyzes log files
Microsoft Baseline Security Analyzer
Gets the security posture of a Windows system, indicates whether a system is missing security patches.
Magic Tree
Reporting tool using a tree structure
KeepNote
Multi-platform notetaking software.
Forensic Readiness Planning
- Identify potential evidence
- Determine source
- Define a policy that determines the pathway
- Establish a handling and storing policy
- Does it require a full or formal investigation?
- Train staff
- Special process for documenting
- Legal advisory board
rc.local
The script /etc/rc.local is for use by the system administrator. It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel. You might use it to start a custom service, for example a server that’s installed in /usr/local.
Common Imaging Software
FTK Imager and R-Drive Image
Order of Volatility
- Registers and Cache
- Routing table, process table, kernel stats, memory
- Temp files
- Disk or storage media
- Remote logging
- Physical config and network topology
- Archival media
Data Collection Commands
Systeminfo.exe – Windows
PsInfo – Windows
Cat – Linux
Uname – Linux
Uptime Commands
- PsUptime – Windows
- Date /t – Windows (show date and time)
- Net Statistics – Windows
- Uptime and W – Linux
Process Commands
- Netstat -ab (Windows) all executable files
- ListDLLs (Windows) shows all DLLs
- Pslist.exe (Windows) shows running processes and uptime
- Pmdump (Windows) tries to help find rogue processes
- Top (Linux) system info summary as well as processes and threads
- W (Linux) current processes per user
- Ps root’s processes
- Pstree shows processes in a tree form
Network Commands
- Nbtstat -c contents (cache name and IP)
- Netstat -ano (all connections and even ports)
- Netstat -r (routing table and frequent routes)
Cyber Triage
Simplified collection and analysis of endpoint data
Process Explorer
DLLs of processes – Can show you malware hits on VirusTotal
Forensic Explorer
Undelete and slack space
Forensic toolkit (FTK)
decryption and password cracking
Event Log Explorer
Event logs in Windows
OSForensics
Discover relevant forensic data through searching and indexing as well as undelete, also cheap
Helix3
Gives visibility across your entire network revealing internet abuse, data sharing and harassment
Autopsy
view file system, restore deleted data and timeline analysis
EnCase
Does pretty much everything, very expensive
Foremost
Linux tool that recovers files based on headers, footers and internal data structures
Golden Ticket
Stolen Kerberos ticket
Syscall Proxying
Remote commands
Userland Execve Technique
Unix process load and execute ELF binary image
ADS (Alternate data stream)
Hide files in NTFS
Trail Obfuscation
Trying to mislead investigators
Preparing Malware Testbed Steps
Step 1: Allocate a physical system for the analysis lab
Step 2: Install virtual machine on the system
Step 3: Install guest OS on the virtual machine
Step 4: Isolate the system from the network by ensuring that the NIC card is in “host only” mode
Step 5: Simulate internet services using tools such as iNetSim
Step 6: Disable the “shared folders” and the “guest isolation”
Step 7: Install malware analysis tools
Step 8: Generate hash value of each OS and tool
Step 9: Copy the malware over to the guest OS
Live System/Dynamic Analysis
A malware detection technique for live systems that are operational
Intrusion Analysis
A malware detection technique that utilizes logs and alerts of IDS, SIEMs, etc.
TCPView
GUI TCP viewer
Process Monitor
GUI that allows filtering of real time monitoring, you can use it to drill down clear to driver stack information and see individual commands sent over the network to the machine. You can also right click on the process and search it online.
Registry Monitoring Tools
- Regshot
- Reg Organizer
- Registry Viewer
- RegScanner
- Registrar Registry Manager
Autoruns
Monitors autoruns, you can verify signatures and jump to reg key or file location
SIGVERIF
Checks file and folder integrity by verifying hash values
HashMyFiles
Hashes files
IDA Pro
Multi-platform disassembler and debugger through instruction tracing, functions tracing, read/write/execute tracing
Memory Dump Analysis Using Volatility Framework
- connections
- connscan
- psscan
- pstree
- malfind
- apihooks
- printkey
- idt
- threads
- modscan
- getsids
- filescan
- sockets
- mutantscan
SSDT View and ReKall
Identify SSDT patching by rootkits
RogueKiller
Identifies kernel-mode rootkits
CapLoader and Wireshark
Detect malicious beaconing traffic
PRTG Network Monitor and GFI LanGuard
Identify unwanted traffic to malicious and unknown external entities
Mail Bombing
DOS attack by overloading an email box
Mail Storming
DOS by reply all to large distribution lists
Spear Phishing
Targeted at a specific person or group
Whaling
Targeting high profile people, like executives
Pharming
Redirecting traffic using DNS poisoning or host file modification
Spimming
Spam on Instant Messenger
Puddle Phishing
Targeting small organizations
CEO Scam
Impersonating a CEO to get employees to do something for you (Like the Google Play card scams that are super common)
Netcraft
Neighborhood watch scheme to help defend community against phishing – also includes a toolbar that gives a website a risk rating
PhishTank
Open API for developers and researchers to integrate anti-phishing data into their applications
MxToolbox
Makes email headers human readable by parsing them according to RFC 822
Email Dossier, Email Address Verifier, emailvalidator, Email Checker, and G-Lock Software Email Verifier
All email validity checkers
eMailTrackerPro
Analyzes email header and reveals sender’s geographical location and IP address
EventLog Analyzer
Used to analyze email logs at server level
Recover My eMail
Uses Outlook PST or DBX files to recover deleted emails
Gophish
Used to create phishing simulations to test your organization’s exposure to phishing – usually used to schedule people for additional security awareness training
SPAMfighter
An automatic SPAM filter
Gpg4win
Email encryption and digital signatures
Suricata
IDS/IPS/Network Security Monitoring (NSM)/offline pcap processing
Ntopng
Web-based network traffic monitoring released under GPLv3
Wireshark - Detect ICMP Ping Sweep Attempts
icmp.type==8 or icmp.type==0
Wireshark - Detect TCP ping sweep
tcp.dstport==7
Wireshark - Detect UDP ping sweep
udp.dstport==7
Wireshark - It is used to see if a port is open, RST response if port is closed
SYN+ACK
Wireshark - Used if there is a large number of RST or ICMP type 3 packets
Stealth Scan
Wireshark - If a TCP session has fewer than 4 packets, it can be a sign of a TCP port scan
Stealth Scan Detection – Statistics>Conversations>TCP
Wireshark - A full three-way handshake to find open ports
A full connect scan
Wireshark - Same detection method as stealth scan
TCP full connect scan detection
Wireshark - Checks for SYN, SYN+ACK, RST+ACK or ICMP Type 3 packets
Full scan detection
Wireshark - Null Scans
TCP packets with no flags set
RST = Port closed, no response = open or filtered
Detect using tcp.flags==0x000
Wireshark - Xmas Scans
Attacker uses FIN, PSH, and URG TCP flags and waits for a response
RST = Port closed, no response = open or filtered
Detect using tcp.flags==0x029
Wireshark - ARP poisoning detection
- Duplicate IP address configured messages
- arp.duplicate-address-detected
- Xarp is another tool that can be used to do this besides Wireshark
PromqryUI
Detect network interfaces running in promiscuous mode
NMAP
Detect network interfaces running in promiscuous mode using nmap --script=sniffer-detect (target IP address/range of IP addresses)
ZENMAP
GUI version of NMAP
DoS/DDoS - Volumetric Attacks
- Measured in bits-per-second
- UDP Flood
- ICMP Flood
- Ping of death
- Smurf
DoS/DDoS - Protocol Attacks
- Measured in packets-per-second
- SYN flood
- Fragmentation
- ACK flood
- TCP state exhaustion
DoS/DDoS - Application Layer Attacks
- Measured in requests-per-second
- HTTP GET/POST
- Slowloris
DoS/DDoS - Permanent Attack
Phlashing – Bricks the system (Bad firmware updates)
DoS/DDoS - Distributed Reflection Attack
Reflects transmissions of third parties before the target to amplify attack
DoS/DDoS Tools
- Low Orbit Ion Cannon – Flood target with UDP, TCP or HTTP packets or requests
- High Orbit Ion Cannon – DDoS version, just select IP/Port/Protocol
- Additional Tools – HULK, Black Hat Hacking Tools, DAVOSET, Tsunami, R-U-Dead-Yet
KFSensor
Honeypot software to attract and detect hackers
RFC 3704 Filtering
Limits impact by denying spoofed addresses
CISCO IPS Source IP Reputation Filtering
Uses Cisco database to check reputation of connection source
Black Hole Filtering
Discarding packets at the routing level
Anti DDOS Guardian & D-Guard Anti-DDOS Firewall
Anti-DDOS software
Incapsula
Mitigates attacks of any size without impacting legitimate traffic or latency
Shell Injection
system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start()
Cross-Site Request Forgery
Spoofed requests on behalf of the logged in user
’
Single-quote character
|
or
%27
Single-quote character
--
Double-dash
#
Hash
%23
Hex version of #
What does the ‘i’ mean at the end of a regular expression?
Case insensitive
What does the ‘x’ mean at the end of a regular expression?
Ignore white spaces
%3d
=
%3b
;
%6f
o
%4f
O
%72
r
%52
R
%2e
.
%2f
/
%5c
\
16 bit Unicode
Replaces unusual Unicode with %u
UTF-8
% followed by the hexcode (%c2 for example)
Base64
Represents binary data in printable ASCII characters
Hex Encoding
HTML encoding scheme that uses hex values of every character
%0a
new line
%20
space
&amp;
&
&lt;
<
&gt;
>
Who is the Cloud Consumer?
The User
Who is the Cloud Carrier?
Intermediary between user and provider (Transport services)
Who is the Cloud Auditor?
Makes independent assessments of cloud service controls
Who is the Cloud Broker?
Manages the cloud service and maintains relationship between provider and consumer (the reseller)
AICPA SAS 70 Type II
Cloud Security best practice
CloudPassage Halo
All security functions needed to deploy servers securely in public and hybrid clouds
Pod Slurping
Stealing information using small devices like iPods/iPads/phones/MP3 players/etc
Where to find USB Connected History
Windows - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Mac - System Information->Hardware->USB
Linux - usb-devices
ObserveIT
Threat Management solution that monitors user behavior with “eyes on the endpoint”
DataRobot
Automated machine learning platform to detect insider threats
Ekran System
Helps monitor/detect/analyze user-based insider threats
NERC 1300
North American Electric Reliability Corporation
Mirekusoft
Uninstaller
SysAnalyzer
Malcode analyzer
OWASP
Top 10 Web Application Security Risks
Cross-Site Request Forgery
Also known as one-click attacks