IH Flashcards
What two documents should your IR plan hook into?
COOP, DR
Any observable occurrence on a system or network
an event
Examples of events
Anything that you can show happened. (measurable)
System boot sequence
A system crash (could be normal behavior)
Packet flooding (could be legit, bursty apps)
Six stages of incident handling
Grand Master PI-CERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Places to share incident information?
BUGTRAQ (securityfocus.com)
Internet Storm Center (isc.com)
Dshield sensor network, part of SANS
Reviewing contingency plans, DR plans, and testing the technology and user base (phishing) that protect systems/networks from incidents is done during what phase?
Preparation
Warning banners NEED to include what?
- Consent to monitoring the use of its networks and systems
- Prohibits unauthorized access, use, or modification of resources
- If monitoring reveals evidence of criminal activity, the company can provide records to law enforcement.
Privacy laws can impact the ability of incident responders to
Effectively monitor and record system activity. Can be a problem in Europe.
What are some of the broad reasons you may be obligated to notify law enforcement for an incident?
- Threat to public safety or health
- Substantial impact to a third party
- Legal requirement for your industry
What types of protected data may require notifying the public when breached?
PII, PHI
What is your obligation to provide evidence to Law enforcement as part of THEIR investigation?
None, without a court order; have to balance need to conduct YOUR investigation, with theirs.
(Without any evidence, you’ll significantly hinder their investigation)
What SANS resource is available to help with law enforcement coordination?
SANS SCORE (sans.org/score/law-enforcement-faq)
Smart practice for policy on employees connecting remotely
Make sure the VPN banner includes a consent for remote search by the org.
How to get management buy in for IR capabilities
- Have a formal plan (with “peer” reporting measures)
- Provide monthly or quarterly reports
- Graphically illustrate incidents (cartoons, easy to understand stuff)
- Collect historical support
- Get news articles on similar incidents and how they were handled
Membership of a good IR team should include
Physical Security, Infosec, Legal, HR, DR, BCP
two key items for benchmarking and recovering systems
- A system specific (desktop, file server, app server) build plan/doc
- A windows image backup of these that can be diffed against an infected machine
Your incident handling team construction should have what pyramid-like scheme?
An emergency communications plan and on-site team construction.
Similar to a command post; identify who is the engagement lead, who is handling which remote site/function, and what the comms plan is. (and backups are)
What is important to hammer out regarding procurement before beginning an IR activity?
A) What the procurement permission looks like; what happens if something (like an extra H/D) needs to be procured on site (how to make govt purchase card decisions)
B) What the secured communications plan is
C) What the plan for food/lodging/etc is in case the engagement goes longer than expected
Top two training issues for IR responders
- Creating forensic images under fire
- Keyboard skills under fire
Some tricks for training the IR team
Internal honeypots
“War games” (Surprise pen tests)
Quick “drills” for creating images or finding specific log files
Great tool for performing large-scale incident response and hunt team communication/coordination.
Why is this tool good?
GRR, by google. Free.
- Works with Rekall,
- can pull relevant data asynchronously as hosts come on and off the network (helps with laptops and mobile devices)
- Can use “flows” (Scripts that run on the server but execute tasks on a host, such as looking for a file with a specific hash)
Contents of a good “jump bag” (Flyaway kit)
- Fresh/blank media
- Evidence collection suite (DD, Imager)
- Forensics tools (SIFT, EnCase, Flare, etc)
- Network taps/monitors
- Every type of network/connection cable
- PC repair toolkit
- Extra copy of forms
_____ should be set as the incident handler(s), and they should have ___ for tasking.
One person, usually with a helper, with a discrete set of events on a specifically scoped system to look at.
Why should you control information/need to know for an incident?
Details change quickly
incomplete or inaccurate details could get posted online
Folks who are “in the know” might have to testify, and will have an incomplete set of information
Insider threats can be tipped off
Out of Band communications options in the event the system is compromised
Off-network phones (no VOIP)
Encrypted email (PGP or GnuPG, Gail Webcast)
Encrypted text
Faxes
Ham radios/walkie talkies
Encrypted cloud storage (Tresorit/Securesafe)
Share keys in advance!
Application logs are most useful from
Web apps
App Servers for thick-clients
Cloud based-services
“Net” commands used to look for suspicious activities
Net view: look at shares
Net session: look at inbound connections/smb sessions
net use: look at outbound smb sessions
nbtstat -S: NetBIOS over TCP/IP sessions, listed by the IP address of each connection to our machine
Net commands for looking at TCP/IP activity
Netstat -na: Unusual TCP activity (continuous refresh)
netstat -naob: important: shows owning process id and associated DLL/executables
netstat -naob 5: same, but with auto refresh every 5 sec
netsh advfirewall show currentprofile: show built in firewall rules
commands to examine windows processes
WMIC
wmic process list (brief|full)
wmic process get name,parentprocessid, processid
wmic process where processid=pid get commandline
commands to examine services on a windows machine
services.msc
net start: running services
sc query | more: get more details about each service
tasklist /svc: MAP EVERY SERVICE TO A PROCESS
command to map which services are running out of each process on your system
tasklist /svc
What are the registry and file locations that start software automatically
HKLM\Software\Microsoft\Windows\CurrentVersion:
Run
RunOnce
RunOnceEx
Settings for a registry key can be checked on the command line using
reg query regkey
Manipulating the computer and financial infrastructure of a target for political reasons
hacktivism
Allowing political dissidents to communicate on covert channels can be a form of
hacktivism
Some ways to use malicious code for profit
- Scraping CC numbers out of RAM on POS terminals
- Keystroke loggers stealing financials
- DoS extortion
- Cryptomining
- Spam advertising
- Ransomware
Breakout time is
The time from initial compromise to privilege escalation to additional internal network targets
Average time for APTs to breakout
20-309 mins
Average time to respond to a breach before you’ve got compromises
3.5 hrs
Cumulative (Collective representation) data known about a target online (person, org, etc)
OSINT
WHOIS data stopped being as useful in 2016 with the introduction of
European requirements for General Data Protection Regs (GDPR)
Used to gather limited domain info (name, creation date, registrar) using a registrant name or email address
reverse whois (such as viewdns.info)
Who must publish the logs of all issued certificates, and what is this called?
CAs, via Certificate Transparency
How does certificate Transparency help attackers?
helps them collect information on an organization, such as the hostname/cname published in the cert. Clues you in on additional target data.
Open Source, GPL based OSINT data collection and analysis tool
Spiderfoot
When recon crosses the line into the target site (tools that start sending requests directly to the target organization)
Direct recon
tool to interrogate dns server (deprecated in Linux)
nslookup
Easiest way to get as much info from the DNS server as possible
zone transfer
Command to do a zone transfer and get all data
nslookup, set type=any (will grab A, MX, HINFO, and NS records)
dig AXFR
Do this against all associated name servers in an org
How to brute force DNS zone transfers
using nmap with the dns-brute NSE script and a word list
DNS Recon defenses
Don't allow zone transfers from any system
Limit XFR to DNS servers only
Secondary and tertiary name servers should reject all XFRs
use split dns
Harden all DNS servers
Look for zone transfer in DNS logs
What is Split DNS?
Publish external name info to only external servers, internal name info to only internal servers
to identify DNS zone xfr activity in logs
look for packets going to and from TCP port 53 on DNS servers. (Queries use UDP port 53, transfers only use TCP)
The SEC has what tool that’s useful for OSINT
EDGAR: Data on publicly traded US companies (addresses, financial statements, etc)
Site that allows you to identify which social networking sites a target user account may be using
namechk
Powerful site that allows you to correlate internet presence of an identity
pipl.com
Social media geolocation tool that uses flickr, twitter and google photo metadata
pushpin
defense against website searching
tell your admins to look for aggressive web spider/crawler activity
limit info available
make employment ads more general
determine what other sites are linked to your company
Current version of google hacks/dorks queries is stored at
exploit db
Difference in how google cache and archive.org handle images
Google cache does NOT save the images; it will load them from where they currently are stored, if they can.
Archive.org keeps a copy and uses the cached copy if they’re not located on the current site. If they’re on the current site, it will load them.
Tool that automates process of discovering files w/accessible metadata (pdf, xls, ppt) while also folding support for google hacking, sqli scanning, brute forcing subdirectories, and versions of vulnerable software
FOCA/GOCA
Tool used for combining google hacking with bing hacking, shodan, etc into one framework. Also includes modules for searching a site to see if it's hosting malware, or if it's vulnerable to data leakage (DLP)
Search Diggity
Defenses against automated search engine recon, such as google dorks
Have google remove you
look for information leakage by using google hacks against yourself
remove pages, snippets, cached pages via metadata tags (noindex, nofollow, nosnippet)
robots.txt
Tools for web based recon
Shodan
dnsstuff
network-tools.com
securityspace.com
What does network-tools.com do?
Web based tool that does dns lookups, email checkers, domain name conversion, internet ping, spam blacklist checker for domain names, whois, etc.
WarVOX is a tool for ______ that requires ________.
War dialing VOIP, IAX protocol
Tool that records MP3 audio files associated with each number dialed and answered, for pattern matching
Warvox
Defense against war dialing VOIP
war dial yourself
conduct training on effective phone passwords
find out-of-band or unlisted numbers
set a policy for out-of-band access. (Make sure you have a full inventory of all remote routers)
secure modems with strong authentication (token, crypto)
use scanning-detection functionality for a PBX system
difference between active and passive WIFI scanning
In active scan, the attacker sends probe requests on all channels of an SSID and observes responses;
Passive, the attacker just listens for beacon frames outbound from the AP.
Both return network info, encryption and auth methods, channels, and manufacturer info.
Difference between Kismet and inSSIDer
Kismet is completely passive.
PCAP and WiFi analysis is found in what tool
Kismet; will produce full packets, pcap can be dumped into wireshark
What is Galois Counter Mode
A mode of encrypting data in WPA3 that is easy to accelerate in hardware
What are the 3 modes of authentication for WIFI
PSK (pre shared key)
EAP/TLS (Enterprise auth)
SAE (Simultaneous Auth of Equals: PSK, but eliminates offline password-guessing)
Why is PSK authentication for WIFI dangerous?
Everyone uses the same pre-shared key for auth, so a stolen device compromises all devices.
Even without the device, offline password guessing attacks can be used on PSK.
How to offline guess a PSK password
Capture some packets with Kismet, try to match the hash with a password list
Best tool for password guessing wifi
Aircrack-ng
Impersonate and steal creds for WPA2 enterprise networks with a linux machine using
hostapd-wpe
Will “dumb down” auth attempts
tool for hijacking mouse and keyboards (and what it requires)
JackIt; requires a CrazyRadio PA USB stick (or similar)
defense against wireless ap hacking
use WPA2+
deploy EAP/TLS auth or cert based auth
use TLS for critical data
NMAP 4 packets to identify up hosts
ICMP echo
TCP SYN to 443
TCP ACK to 80
ICMP timestamp
defense against network mapping (4)
Disable incoming ICMP echo requests
Disable outgoing ICMP time exceeded
IDS signatures for ping sweeps/tracert
temporarily block a frequent ping sweep
TCP RESET flag does
tears down a connection
TCP PUSH flag does
Data should be pushed through the TCP stack(?)
NMAP ack scans are useful to
Do network mapping instead of a ping sweep; good for finding sensitive internal servers.
CANNOT DO PORT SCAN
Tool that takes screenshots of websites and tries to quickly identify the purpose of it to find interesting stuff
Eyewitness. Looks for things like RDP, servers, indexed web directories, etc.
Four options for disabling a windows service listening on a port
kill the process with task manager
kill the process with WMIC
disable the service in control panel
disable the service using sc cmd (best, versatile)
Best two ways to see listening ports on linux
lsof
netstat -nap
disable linux processes listening on ports (5 methods)
first, try to stop it with systemctl
then try to kill it if you can't use the first command
disable the service in /etc/rc.d
disable service using systemd
disable service in inetd/xinetd (/etc/*.conf)
Excellent bypass for IDS uses a ______ packet in the middle of an attack
TCP reset; tricks the way a target OS/firewall handles TCP checksums.
Defense against IDS/IPS evasion (5)
- Up to date/well-resourced devices
- Implement behavioral analytics
- Use host-based systems as well
- Block odd packet fragments
- Harden ports
Nessus client-server comm port, language
8834, HTML 5 (uses HTTPS)
Nessus plugin to block dangerous plugins
Safe checks
SMB ports (2 kinds)
445
used to use netbios ports, TCP/UDP 135-139
Establishing an SMB session from cmd line
net use \\targetIP
Can connect to most SMB shares as long as you
Have a non-admin username and password. (Can use this to connect to IPC$)
command to get a list of smb shares once you’re connected to an IP
net use \\ip
net view \\ip
command to get the list of all domain users
net user /domain > output.txt
Tool to bypass authentication and hijack password libraries so that they accept any password
Konboot
Attack a computer that is in a suspended or hibernated state with this tool to unlock it. (Requires FireWire/Thunderbolt)
Inception
Use this hardware dongle to surreptitiously steal logs using responder, for these services.
Lan Turtle
Steals things like kerberos traffic, LLMNR, DNS, etc.
Physical attack medium that looks like a USB thumb drive, but can act as a keyboard and inject strings, scripts, malware
Rubber ducky
defense against physical access attacks
- Full disk encryption
- Train users to power down systems
- Restrict access to USB ports to only pre-approved devices
- Password protect BIOS
- Disable USB boot
- Disable LLMNR
Takes the original netcat tool and makes it capable of communicating over pipes, devices, sockets, SSL, and raw IP
Socat
Netcat that can communicate over data frames
Linkat
Client mode Netcat traffic is passed by:
Send ______ to standard in
Send ______ to standard out
Send _______ to standard err
Keyboard, redirect data from a file or piped from an application to standard in (input)
All data sent back across the network to standard out (response)
All messages from the tool sent to standard err
Listener mode netcat traffic is passed by:
Send _____ to standard in
Send ______ to standard out
Send ______ to standard err
Sends received data to standard in
Sends data to client over standard out
all messages from the tool are sent to standard err
Uses of netcat
- Data transfer
- Port scanning
- Vuln scanning
- Making connections to open ports
- Backdoors
- Relays
How to backpipe a netcat relay
use the mknod command (common to Linux and Unix) to create a special FIFO (first in, first out) file as a "backpipe" for information to flow through. It acts as an intermediary, carrying data back and forth on the command line.
The 0<backpipe at the end (receiver sending data to standard in) is important! drawing on 3:19