Section 1: Overview of Security Flashcards
CIA Triad
Confidentiality, Integrity, Availability
What is Confidentiality
Information has not been disclosed to unauthorised people
Information is only disclosed to authorised people
What is Integrity
Information has not been modified or altered without proper authorisation
What is availability
Information is able to be stored, accessed, or protected at all times
What are the AAA of Security
Authentication, Authorisation, Accounting
What is Authentication in AAA
Something you
- have
- are
- know
- do
- somewhere you are.
Think HAKDA
What is Authorisation in AAA
When a user is given access to a certain piece of data or certain areas of a building
What is Accounting in AAA
Tracking of data, computer usage, and network resources.
In case of data breach or an insider threat, you can go back and look at all the data in the log files to figure out who did what and when.
Non-repudiation
When you have proof that someone did something.
Sending an email to someone is signed with a digital signature, you are the only person in the world with that signature. That’s proof that you indeed sent that email.
Information Systems Security
The security of the systems that hold and process critical data
Information Security
Act of protecting data and information from unauthorised access, unlawful modification and disruption, disclosure, corruption, and destruction.
Malware
Short-hand term for malicious software
When does Unauthorised Access occur?
Occurs when access to computer resources and data happens without the consent of the owner
System Failure
When a computer crashes or an individual application fails (Blue Screen of Death / BSOD)
Social Engineering
Act of manipulating users into revealing confidential information or performing other detrimental actions (could be through email phishing or pretending to be someone you are not (i.e delivery person to gain access to premises)
What are the 3 controlls of Mitigating Threats?
- Physical Controls
- Technical Controls
- Administrative (or Managerial) Controls
What are Physical Controls?
Alarm systems, locks, surveillance cameras, identification cards, and security guards
What are Technical Controls?
Smart cards, encryption, access control lists (ACL’s) intrusion detection systems, and network authentication
What are Administrative Controls?
Policies, procedures, security awareness training, contingency planning, and disaster recovery plans
Most cost effective security control?
User Training!
What are the 5 types of Hackers?
- White Hats
- Gray Hats
- Black Hats
- Blue Hats
- Elite Hats
White Hats
Non-malicious hackers who attempt to break into a company’s system at their request
- Ethical Hackers / Pen testers
- They use open source tools
Gray Hats
Hackers without any affiliation to a company. They attempt to break into a company’s network and risk breaking the law
Difference between Black & Gray hats?
Black hats:
- have malicious intent
Grey hats:
- Just want to see if they can break into a company, don’t necessarily want to cause harm (still breaking the law)
- They some times break into a company and then inform them that “hey, this is how we did it, you need to patch it”
Black Hats
Malicious hackers who break into a computer systems and networks without authorisation or permission
Blue Hats
Hackers who attempt to hack into a network with permission of the company but are not employed by the company.
- Freelance ethical hackers / pen testers
- Could be doing this as part of bug bounty program (hackerone)
Elite Hats
Hackers who find and exploit vulnerabilities before anyone else does.
- create their own tools
- do their own programming
- develop tools that everyone else ends up using
- Can have 2 categories:
- Black Hat Elite Hackers
- White Hat Elite Hackers
Script Kiddies
Limited skill and only run other peoples exploits and tools
Organised Crime
Hackers who are part of a crime group that is well-funded and highly sophisticated
- well funded
- highly sophisticated
Hacktivists
Hackers who are driven by a cause like social change, political agendas, terrorism
Advanced Persistent Threats (APT)
Highly trained and funded groups of hackers (often by nation states) with covert and open-source intelligence at their disposal
- Russia trying to hack US elections
- China trying to hack into US companies to steal their intellectual properties
Skill Level rankings
High to Low
- APTs
- Organised Crime
- Hactivists
- Script Kiddies
Always consider the sources of your intelligence!
What are some factors to weigh the value of the intelligence you are getting?
- Timeliness
- Relevancy
- Accuracy
- Confidence Level
Intelligence Timeliness
Property of an intelligence source that ensures it is up-to-date
- intelligence over time is not very valuable (newer the better)
- if I know that your network is being attacked now, but wait 3 years to tell you, it is not useful
- once an adversary understands that they have been identified, they will change tactics and the way they do things. So the report you write today, might not be valid for tomorrow, 2 weeks, 3 months, or a year from now. Things change!
Intelligence Relevancy
Property of an intelligence source that ensures it matches the use cases intended for it
- if I am using windows or Linux but someone is attacking mac OS machines, is it really relevant to me?
- have to see what affects me or my organisation so I can defend against it
Intelligence Accuracy
Property of an intelligence source that ensures it produces effective results
- information must be valid and true
- eliminate false positives especially when using Automated Software/Machine Learning/ Artificial Intelligence
Intelligence Confidence Levels
Property of an intelligence source that ensures it produces qualified statements about reliability
- you put a grade on how good you think the information is
Three places you can get information from
- Proprietary
- Closed-Source
- Open-Source
Proprietary Information
Threat intelligence is widely provided as a commercial service offering, where access to updates and research is subject to subscription fee
- Not nearly as useful. Most of these package readily available information from the internet without adding their own information in them
Closed-Source Information
Data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymised
- FIREYE
Open-Source Information (OSINT)
Data available to use without subscription, which may include threat feeds similar to the commercial providers, and may contain reputation lists and malware signature databases
- US-CERT
- UK’s NCSC
- AT&T Security (OTX)
- MISP (Malware Information Sharing Project)
- VirutsTotal (checks for viruses on uploaded files and is a repo for malware)
- Spamhaus (spam & email)
- SANS ISC Suspicious Domains
Threat Feeds
Are a form of explicit knowledge, but implicit knowledge from experience practitioners is also useful
Explicit knowledge
Is knowledge you can
- write down
- feel
- see
- touch
Implicit knowledge
Is knowledge you
- only get from experience in the field
- ‘ah I know something is wrong here because of my experience’
- Cant write down this knowledge, its just something you know because of your experience
Open-Source Intelligence (OSINT)
Methods of obtaining information about a person or organisation through public records, websites, and social media
What is Threat Hunting
A Cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring
- a pro active response
Is Threat hunting potentially less disruptive than penetration testing?
Yes. You analyse data within the system you have instead of trying to break in
First step of Threat Hunting?
Establish a Hypothesis
- It is derived from the threat modelling and is based on potential events with higher likelihood and higher impact
Second step of Threat Hunting?
Profiling Threat Actors and Activities
- Create scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be
- understand who is trying to attack you
- what systems they might be going after
What does Threat Hunting rely on?
On the use of tools developed for regular security monitoring and incident response
What should you assume when Threat Hunting?
That the existing rules you have in place for protection have most likely failed
What are the steps you need to take for the following scenario:
You have threat intelligence that there is this new Windows malware that is infecting your Windows computers and there are no current malware definitions for it.
- Analyse network traffic
- Analyse the executable process lists on the host you are analysing
- Identify how the malicious process was executed
What are the 5 benefits of Threat Hunting?
- Improve detection capabilities
- Integrate Intelligence
- Reduce attack surface
- Block attack vectors
- Identify critical assets
What does the benefit of Threat Hunting, “Improve detection capabilities” include?
Once you find out how someone infiltrated and bypassed detection. Feed it back to the detection plan, rewrite rule sets, detection algorithms, and use better scripting. You can also improve signature based detection and prevent future attacks.
What does the benefit of Threat Hunting, “Integrate Intelligence” include?
Correlate external threat intelligence with your internal logs and sources. When combined you get Actionable Intelligence
What does the benefit of Threat Hunting, “Reduce Attack Surface” include?
Identify your attack surface. Where the bad guy might have gotten in to the network. Based on that you can go back and reduce the attack surface
What does the benefit of Threat Hunting, “Block Attack Vectors” include?
There are different attack vectors and TTP (Tactics, Techniques, Procedures) used by bad guys.
You can add additional security controls to try and block those different ports or interfaces and prevent infiltrations.
What does the benefit of Threat Hunting, “Identify Critical Assets” include?
You can identify what people go after and figure out what the best offensive options for those critical systems and data assets are.
What does TTP mean?
Tactics, Techniques, Procedures
What are the 3 attack frameworks?
- Lockheed Martin Kill Chain
- MITRE ATT&CK Framework
- Diamond Model of Intrusion Analysis
What is the Lockheed Martin Kill Chain Framework?
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
What are the 7 steps of Lockheed Martin Kill Chain Framework?
- Reconnaissance
- Weaponisation
- Delivery
- Exploitation
- Installation
- Command & Control (C2)
- Actions on Objective
What is the Reconnaissance step in Kill Chain?
Process which an attacker determines what methods to use to complete the phases of the attack
- passive information gathering
- passive / active scanning techniques
- OSINT
What is the Weaponisation step in Kill Chain?
When the attacker prepares the payload code with exploit code that will take advantage of the vulnerability in the target system and execute by using the vulnerability.
What is the Delivery step in Kill Chain?
When a vector is identified which allows the weaponised code to be transmitted to the target environment
- email (phishing)
- USB
What is the Exploitation step in Kill Chain?
The weaponised code is executed on the target system
- email with phishing link, exploitation when the link is clicked
- when infected USB is plugged in, and auto runs
What is the Installation step in Kill Chain?
Mechanism that enables the weaponised code to run a remote access tool and achieve persistence on the target system
- gives us control of the system going forwards
- persistence is what we are looking for
What is the Command & Control (C2) step in Kill Chain?
An outbound channel is established to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack (reverse shell)
- You have access, control, and you can run commands
What is the Actions on Objective step in Kill Chain?
Use the access you achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
How can Kill Chain Analysis be used to our advantage?
Can be used to identify defensive course-of-action matrix to counter the progress of an attack at each stage
- block the kill chain steps
- detect, deny, disrupt, degrade, deceive, destroy the attacker’s capabilities (6 Ds)
What are the 6 D’s of Kill Chain Analysis?
- Detect
- Deny
- Disrupt
- Degrade
- Deceive
- Destroy
What is the MITRE ATT&CK Framework?
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques and common knowledge or procedures (attack.mitre.org)
What is the MITRE ATT&CK Framework focusing on?
Focusing more on the Exploitation Phase
What does the pre-ATT&CK tactics matrix align with?
Reconnaissance and Weaponisation phases of the Kill Chain
- detect things before they become real attacks
What is the Diamond Model of Intrusion Analysis framework?
A framework for analysing cybersecurity incidents and intrusions by exploring the relationship between four core features
What are the 4 core features of the Diamond Model of Intrusion Analysis Framework?
- Adversary
- Capability
- Infrastructure
- Victim
What does the Diamond Model of Intrusion Analysis framework represent?
An intrusion event
How can you automate the Diamond Model of Intrusion Analysis framework?
By creating a Tuple and adding it to a SIEM
Can the 3 attack Frameworks be combined or used individually only?
They can be combined or used individually.
