General Flashcards
Apache log file path
/var/log/httpd/access_log
/var/log/httpd/access_log
This file records all requests processed by the Apache server
httpd_log
Log file for WebSphere, an old web server application from the early 2000s for z/OS
http_log
C header library for http logging, utilized by Apache
apache_log
Binary/executable file used for parsing Apache logs in a Postgres DB
The incident response policy contains procedures and guidelines, divided into these categories
- Preparation
- Detection/Analysis
- Containment
- Eradication/Recovery
- Post-incident stages
Incident Response Procedures
Provide detailed, tactical information to the CSIRT
CSIRT
Cybersecurity Incident Response Team
A Policy is
a statement of intent
A Guideline is
A statement by which to determine a course of action, aiming to streamline a routine process
A Framework is
A basic structure underlying a system, concept, or text
Mimikatz
Post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets
Tool for performing pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets
Mimikatz
Extensible Configuration Checklist Description Format (XCCDF)
XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents in XML.
Common Vulnerabilities and Exposures (CVE)
Provides a reference-method for publicly known information-security vulnerabilities and exposures
Common Configuration Enumeration (CCE)
Provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools
Used with vulnerability scanners
Common Platform Enumeration (CPE)
A structured naming scheme for IT systems, software, and packages
Used to identify an endpoint’s characteristics when conducting network authentication
Network Access Control (NAC)
Port Security
Enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port
Shellshock/Bash Bug/Bashdoor
A critical Bash vulnerability that was discovered in 2014 that enabled RCE by encoding a script in an environment variable via the “function export” feature
Logjam
A TLS downgrade attack, discovered in 2015
Drupalgeddon
A highly critical Drupal vulnerability discovered in 2014 that allows RCE
Stagefright
A critical Android vulnerability that enables RCE by utilizing Multimedia Messages (MMS), discovered in 2015
Heartbleed
A high severity vulnerability in OpenSSL affecting the TLS protocol via improperly handled Heartbeat Extension packets (bad input validation), causing a “buffer-over-read” condition that allows the retrieval of sensitive information in process memory
Root Cause Analysis
Helps understand why important alerts were missed and guides improvements in your alert management system to prevent similar oversights
Alert Fatigue
A common cause of missed security alerts, due to a security team being inundated with an excessive volume of alerts
CVSS Metric - AV
Access Vector
CVSS Metric - AC
Access Complexity
CVSS Metric - PR
Privilege Required
CVSS Metric - UI
User Interaction
CVSS Metric - S
Scope
CVSS Metric - C
Confidentiality
CVSS Metric - I
Integrity
CVSS Metric - A
Availability
Nmap Filtered Result
A network obstacle is blocking the port so Nmap cannot tell whether it is open or closed
Gramm-Leach-Bliley Act (GLBA)
Protects the privacy of an individual’s financial information held by financial institutions
Sarbanes-Oxley Act (SOX)
Dictates requirements for retaining documents related to an organization’s financial and business operations
Security framework that assumes a unidirectional workflow
Lockheed Martin Cyber Killchain; Fails to consider attacker retreat
Attack framework developed in response to unidirectional workflows
AT&T Alienvault
Best security mitigation for ICS/SCADA and IoT networks
User Entity Behavioral Analysis (UEBA) to compare behavior to a known good baseline
Sensitive/Commonly Abused Ports
53 (DNS)
Advanced Persistent Threat (APT)
A stealthy threat actor, typically a nation-state or state-sponsored, that can remain undetected for an extended period of time
UEBA is unlikely to detect this kind of threat actor; it should be discovered through endpoint analysis
Regex \b
Delimiter for a “whole word”
Developed Capabilities (MITRE)
A threat actor’s capability to identify and exploit zero-day vulnerabilities
Acquired and Augmented (MITRE)
Refers to the utilization of commodity malware and techniques (aka script kiddies)
Advanced Capabilities (MITRE)
A threat actor’s capability to introduce vulnerabilities through supply chain attacks
Integrated Capabilities (MITRE)
Refers to non-cyber tools, such as political or military assets
Formal Verification Methods
A mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases
Provides the single greatest mitigation for critical software which cannot have errors (corner cases)
User Acceptance Testing (UAT)
A beta phase of software testing by a limited set of users who report their findings
eFUSE
Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip.
eFUSE prevents firmware downgrades
FERPA
Family Educational Rights and Privacy Act
Privacy act that relates to Education
Dynamic Threat Models
Diamond, MITRE ATT&CK, AT&T Alienvault
Open Web Application Security Project (OWASP)
International non-profit organization dedicated to web application security
NetBIOS
A legacy transport layer protocol that allows Windows computers to talk to each other on the same network, and was used as a legacy implementation of SMB on port 139
LPR (Protocol)
Line Printer Remote Protocol (TCP 515)
AppSocket (RAW)
Non-Windows printing protocol
Utilizes smaller packet headers and requires no further processing by the receiving printer
Offers no security and is very vulnerable
Port 9100
Internet Printing Protocol (IPP) supports
Authentication, access control, and encryption
Proprietary ISO Framework
27001
Security Intelligence
Collects, analyzes and disseminates information on the status of security systems (internal)
Cyber Threat Intelligence
Investigation, collection and dissemination of information about emerging threats and the threat landscape (external)
Cisco Talos
A reputational threat research intelligence supplier
Information Sharing and Analysis Centers (ISAC)
(USA) Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members. ISACs are available for Critical Infrastructure, Government, Healthcare and other industries.
Cyber Security Information Sharing Partnership (CSIP)
The UK’s alternative to the USA’s ISACs
Indicator of Attack
Evidence that an intrusion is ongoing
Indicator of Compromise
Evidence that an attack has happened
Behavioral Threat Research
Refers to the correlation of IoCs into attack patterns (killchain)
STIX
Structured Threat Information eXpression
Structured Threat Information Expression
Language standard for the dissemination of IOC data via JSON included in the OASIS CTI framework
TAXII
Trusted Automation eXchange of Indicator Information
Trusted Automation eXchange of Indicator Information (TAXII)
Application protocol for exchanging CTI over HTTPS using a REST API
OpenIOC
CTI framework developed by Mandiant of XML formatted data to be used in automated incident detection and threat analysis
MISP
Malware Information Sharing Project
CTI
Cyber Threat Intelligence
Adversary Capability
A formal classification of the resources and expertise available to a particular threat actor (i.e. Acquired or Augmented tools)
Attack Surface
The point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor
Attack Vector
A specific path by which a threat actor gains unauthorized access to a system
Google Hacking
Open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications. The Google Hacking Database contains a reference for optimized GH search strings aka “Dorks”.
Shodan
A search engine optimized for identifying vulnerable internet-attached devices
AbuseIPDB
Community-driven database that keeps track of IP addresses reported for abusive behavior
NetFlow
Cisco-developed means of reporting network flow information and metadata to a structured database
Zeek (Bro)
Open source IDS/IPS for UNIX/Linux that contains a scripting engine that can be used to act on significant events by generating an alert or executing a process
Domain Generation Algorithm (DGA)
Method used by malware to evade block lists by dynamically generating domain names for C2 networks, primarily used in a “Fast Flux Network” and usually generates a high volume of NXDOMAIN errors.
Mitigating DGA
Use Secure Recursive DNS Resolvers
Fast Flux Network
Method used by malware to hide the presence of C2 networks by continually changing the host IP addresses in domain records using domain generation algorithms
Blinding Attack
Condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
Firewalking
A firewall enumeration technique that sends packets with a TTL of 1 to a variety of ports in an attempt to identify hosts behind an open port
Black Hole
Means of mitigating DoS or intrusion attacks by routing traffic to a null interface, effectively dropping the traffic
Sinkhole
DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis
Dark Nets
Unused physical network ports or unused IP address space within a local network often used by attackers
Forward Proxy
A server that receives traffic and sends (forwards) it to another network. Can filter or modify data in the process of forwarding.
Reverse Proxy
A type of proxy server that protects servers from direct contact with client requests
Non-Transparent Proxy
A type of proxy that requires explicit client-side configuration that a user is generally aware of
Transparent Proxy (Forced or Intercepting Proxy)
A proxy server that redirects requests and responses without the client being explicitly configured to use it
Web Application Firewall (WAF)
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
Snort
IDS or IPS/SIEM
Security Onion
Open source Linux-based platform for security monitoring, incident response, and threat hunting that bundles Snort, Suricata, Zeek, Wireshark and NetworkMiner, and other log and incident management tools
Port Security
Security measures applied to physical or logical ports on a networked device
Endpoint Security Hybrid Products
Advanced Threat Protection (ATP), Advanced Endpoint Protection (AEP), NextGen AV (NGAV)
FLARE VM
A malware analysis sandbox for Windows binaries
Cuckoo
Malware analysis VM for Linux, Windows and Mac binaries
Joe Sandbox
Malware sandbox tool that performs some automated malware classification and accepts Windows, Linux, Mac and Android binaries
File Signature (Magic Number)
The first two bytes of a binary header that indicate its file type. FileSignatures.net serves as a resource for information on Magic Numbers.
MZ
The first two bytes of an executable binary, AKA MZ in ASCII.
Packed Program/Program Packer
An executable self-extracting archive
Masquerading
Replaces a genuine executable with a malicious one
DLL Sideloading
Exploits a program’s manifest to load a malicious DLL at runtime
Process Hollowing
Dropper starts a process in a suspended state and rewrites the memory locations for the program with malware code
Shellcode
Any lightweight code designed to run an exploit on a target
Yara
Program for identifying, classifying and describing malware samples. Commonly used for analyzing pcaps against Yara rules.
MAEC Scheme (Malware Attribute Enumeration and Characterization Scheme)
A standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence
MUA (Software)
Mail User Agent
MDA
Mail Delivery Agent
MTA (Email)
Message Transfer Agent
MIME
Multipurpose Internet Mail Extensions
Multipurpose Internet Mail Extensions (MIME)
Allows a body of an email to support different formats, such as HTML, RTF, encoded binary and attachments
MIME Exploit
Message data that contains scripts or objects that target some vulnerability in the message client
Secure MIME (S/MIME)
Email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications
SPF
Sender Policy Framework
Sender Policy Framework (SPF)
Single DNS record identifying hosts authorized to send mail for the domain that can include other SPF records (Ex: TXT @ v=spf1 mx include:_spf.google.com include:email.domain.com -all)
DKIM
DomainKeys Identified Mail
DomainKeys Identified Mail (DKIM)
Provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record, performed server-side (Ex: v=DKIM1;k=rsa;p=PublicKeyGoesHere)
DMARC
Domain-Based Message Authentication, Reporting and Conformance
Domain-Based Message Authentication, Reporting and Conformance (DMARC)
Framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record (Ex: v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:user@ex.domain.tld; ruf=mailto:user@ruf.domain.tld; fo=1)
Security Information and Event Management Systems (SIEM)
A solution that provides real time or near real time analysis of security alerts generated by network hardware and appliances
Normalization
Process where data is reformatted or restructured to facilitate the scanning and analysis process
find/findstr
Windows alternative to grep
Windows Management Instrumentation Command-Line (WMIC)
CLI for the administration of Windows systems using WMI, often used for reviewing log files on a remote machine
EnCase
Digital forensics case management suite that provides workflows to assist in investigations
Forensic Toolkit (FTK)
Digital forensics investigation suite for Windows which can utilize server clustering for faster processing speeds
Sleuth Kit
Command-line utilities for imaging and file analysis that interface with Autopsy
File Carving
The process of extracting data from a computer when that data has no associated file system metadata
Master File Table
A table that contains metadata with the location of each file in terms of blocks/clusters for disks formatted as NTFS (FAT uses a File Allocation Table instead)
Scalpel
Open source CLI tool included in Sleuth Kit/Autopsy that is used to conduct file carving on Linux and Windows
Covert Channel
An IOC where data is transmitted with a hidden element, such as non-standard data inside of a ping packet
DRDoS
Distributed Reflection DoS
Beaconing
Means for a network node to advertise its presence and establish a link with other nodes, often seen in specified intervals
Slashdot Effect
When a website experiences DoS conditions due to sudden popularity
ARP Spoofing/Poisoning
Occurs when an attacker redirects an IP to a MAC that was not its intended destination, best remediated by an IDS
Footprinting
Phase of an attack or penetration test in which the attacker or tester gathers information about the target before attacking it
IANA Dynamic Ports
49,152 - 65,535
Overt Channel Exfiltration
The usage of commonly used programs to exfiltrate data, such as IM, SMS, Email, FTP or P2P programs
Covert Channel Exfiltration
The exfiltration of data using covert techniques such as data segmentation, obfuscation and encoding, with the aim of evading detection
pstree
Linux command that provides the parent/child relationship of all the processes on a system
ps
Linux command that lists the attributes of all the current processes
systemd
A Linux Init daemon
SO (Shared Library)
Linux equivalent of a DLL
Memory Overflow
A means of exploiting a vulnerability in an application to execute arbitrary code or to crash the process with a memory leak
Prefetch File
A file that records the names of applications that have been run, as well as the date and time, file path, run count and DLLs used by the executable
Shimcache
An application usage cache that is stored in the Registry under a key (Ex. HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache). Often used for applications that require specialized compatibility settings.
Amcache
An application usage cache that is stored as a hive file (Ex. C:\Windows\appcompat\Programs\Amcache.hve)
Persistence
The ability of a threat actor to maintain covert access to a target host or network
crontab
Tool that manages cron jobs, the Linux equivalent of scheduled tasks. “crontab -l” lists the currently scheduled cron jobs
Cellebrite
Software for evidence extraction from smartphones and other mobile devices, cloud data and metadata using a universal forensic extraction device (UFED)
Mobile Phone Examiner Plus (MPE+)
Mobile device forensics tools created by AccessData, the developers of FTK
EnCase Portable
Mobile device forensics tool created by Guidance Software, the developers of EnCase
Pivoting
Using an infected host to attack another host (Using SSH with the -D flag, you can set up a local proxy and port forwarding on a target)
Pass the Hash
Network based attack where the attacker steals hashed user credentials and uses them as is to try to authenticate to the same network the hashed credentials originated on. Only use Domain Admin accounts for logging into Domain Controllers to prevent pass the hash exploits
Golden Ticket
A Kerberos ticket that can grant other tickets in an Active Directory environment (AKA TGT). Admins should regularly change the krbtgt account password.
krbtgt hash
The trust anchor of the AD domain which functions like a private key of a RCA (root cert authority) and generates ticket-granting tickets (TGT) that are used by users to access services within Kerberos
Business Continuity Plan (BCP)
The plans and processes used during the response to a disruptive event
Disaster Recovery Plan (DRP)
The plans used during the event of a disaster
Tabletop Exercise
An exercise that tests a framework of controls using an incident scenario conducted by a “red team”
OODA Loop
A military decision making model created to help responders think clearly in the “fog of war”, consisting of Observe, Orient, Decide and Act
Isolation Mitigation
Removes an affected component from a larger environment
Segmentation Mitigation
Achieves the isolation of a host or group of hosts using network technologies and architecture
Sanitization
Group of procedures that an organization uses to govern the disposal of obsolete information and equipment
Enterprise Risk Management (ERM)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization, usually as defined by business stakeholders rather than engineers
Single Loss Expectancy (SLE)
Metric to determine the expected financial loss from a single event. SLE = AV * EF, (Asset Value * Exposure Factor)
AV (Risk Analysis)
Asset Value, Monetary value of the asset
EF (Risk Analysis)
Exposure Factor, The percentage of loss that would result
Annual Rate of Occurrence (ARO)
Number of times per year that a specific threat is expected to occur
Annual Loss Expectancy (ALE)
Expected financial loss for multiple events during a year
Business Impact Analysis (BIA)
A systematic activity that identifies organizational risks and determines their effect on ongoing mission critical operations
Maximum Tolerable Downtime (MTD)
The longest period of time a business can be inoperable without causing irrevocable business failure
Recovery Time Objective (RTO)
Length of time it takes after an event to resume normal business operations and activities
Work Recovery Time (WRT)
The length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system
Recovery Point Objective (RPO)
The longest period of time that an organization can tolerate lost data being unrecoverable
Risk transference
Response that involves moving or sharing the responsibility of a risk to another entity, usually involving insurance
Risk mitigation
Response that reduces a risk to fit within an organization’s risk appetite
Risk avoidance
Ceasing an activity that presents risk
Risk Register
Document highlighting the results of risk assessments in an easily comprehensible format that is disseminated to stakeholders
CVSS Base Score 9+
Critical
CVSS Base Score 7-8.x
High
CVSS Base Score 4-6.x
Medium
CVSS Base Score 0.x-3.x
Low
CVSS Base Score 0
None
tcpdump -e
Includes the ethernet header during packet capture.
tcpdump -n
Displays the IP addresses in numeric form
tcpdump -l
Line buffered mode
tcpdump -C
Packet buffered mode
tcpdump port
Listen only on a specified port
tcpdump -A
Print each packet in ASCII
tcpdump -s
Set snap length (0 for unlimited, all traffic)
tcpdump -B
Set buffer size
tcpdump -c
Limit captured packets to provided value (e.g. 20 packets)
tcpdump Logical Operators
“AND”, &&, “OR”, ||, “NOT”, !
Continuous Integration
Automated building and testing of an application after its source code has been updated
Continuous Delivery
Delivers the newest version of an application to a production or testing environment, which can then be approved for release by a human
Continuous Deployment
All changes to code that pass CI/CD checks are automatically released without the need for human intervention
Continuous Monitoring
Constant evaluation of an environment for changes to quickly detect new risks and improve business operations
Data Sampling
Captures specified data that is determined to be useful, rather than collecting all data
SSL vs TLS
TLS was developed in 1999 as SSLv3.1 before being renamed to TLS, and the two terms are often used interchangeably although SSL is not considered to be secure
Nikto
Web application scanner
OpenVAS
Infrastructure vulnerability scanner
Nessus
Infrastructure vulnerability scanner
Qualys
Infrastructure vulnerability scanner
Output Encoding
Translates special characters into an encoded form that isn’t dangerous to the target system (Ex: < to &lt; in HTML)
Input Validation
Ensures data entering a system is formatted as expected
Defense In Depth
Layering various technical controls to further secure infrastructure
Base64 Encoding
Commonly used to bypass detection mechanisms in a network, and will commonly end with two equal signs (Ex. aGVsbG8gd29ybGQNCg==)
Windows Autostart Registry Location
Run Subkey (HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE \Software\Microsoft\Windows\CurrentVersion\Run)
nmap -sT
TCP connect scan
nmap -sV
Service discovery scan
nmap -Pn
Scan ports, no ping
nmap -p
Scan port or port range
nmap -p-
Scan all ports on system
nmap -F
Fast port scan
nmap -sS
SYN Port Scan, Only performs a partial connection and thus does not reveal you to your target
nmap -sT
TCP Connect Scan, Detects open TCP ports
nmap -sU
UDP Port Scan, Detects open UDP ports
nmap -sA
ACK Port Scan, Detects if a port is stateful and/or filtered
nmap -sn
Performs host discovery but does not scan any ports (use for quick scans)
nmap -PR
Performs ARP discovery on a local network
nmap -n
Does not resolve DNS, speeds up some scans
nmap -A
Aggression Detection Mode, which is a combination of OS and service discovery
nmap -O
OS Detection
nmap -oN
Output Normal
nmap -oX
Output XML
nmap -oG
Output Greppable
nmap -oA
Output All (types)
Password Spraying
When an attacker uses a common password(s) to attempt to access multiple accounts
Credential Stuffing
The automated injection of stolen username and password pairs (credentials) to an authentication system
Ring 0
Kernel
Ring 1
Device Drivers (Most privileged)
Ring 2
Device Drivers (Less privileged)
Ring 3
Applications
Secure Disposal
A method of sanitizing by physical destruction of the media via shredding, incineration or degaussing
Clearing involves
Overwriting data once with repetitive data, or resetting a device to factory settings
Purging involves
Eliminating information from being feasibly recovered even in a laboratory environment
DeepScan
Static code analyzer
Tripwire
File integrity monitoring program
OAuth2 is designed to
Authenticate claims, not to authenticate users. It’s a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.
OpenID Connect (OIDC)
OIDC is an identity authentication protocol that is an extension of open authorization (OAuth) 2.0 to standardize the process for authenticating and authorizing users when they sign in to access digital services.
DGA
Domain Generation Algorithm
SCAP
Security Content Automation Protocol
Security Content Automation Protocol (SCAP)
A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization
TOGAF
The Open Group Architecture Framework
The Open Group Architecture Framework (TOGAF)
A prescriptive framework that divides the enterprise architecture into four domains: Technical, Business, Applications and Data
Regression Testing
Re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change
Linux command to find bash version
which bash
NIST recommendations on SMS multi-factor
NIST’s SP 800-63-3 recommends SMS be deprecated for MFA, as it may be accessible to attackers
MacOS Application Config File Format
Property Lists (plists)
net config
Used to manage network resources
net group
Used to manage domain groups
net computer
Adds or removes a computer from a domain (run on the primary DC)
ZAP
OWASP Zed Attack Proxy
OWASP Zed Attack Proxy (ZAP)
The world’s most popular FOSS web application scanner
sc
Windows Scheduler command
/etc/xinetd.conf
Older location for Linux startup services configuration. Potential location for evidence of a backdoor.
Why are FPGAs often considered as “Anti-Tamper”
FPGAs are often used to provide “Physically Unclonable Functions” (PUFs) that generate a digital fingerprint based on unique features of a device
XXE
XML External Entity
XML External Entity (XXE)
Type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
UEFI Boot Phase Order
- Security
- Pre-EFI initialization
- Driver Execution Environment
- Boot Device Select
- Transient System Load
- Runtime
Identity Provider (IdP)
Validates a user’s identity when using SAML for authentication
Relying Party (RP)
Provide services to members of a federation (SAML)
FISMA
Federal Information Security Management Act
Federal Information Security Management Act (FISMA)
United States federal law that defines a comprehensive framework to protect government information, operations, and assets (Compliance)