CEH | Mind Map - EdrawMind

Elements of Information Security

Confidentiality

Integrity

Availability

Authenticity

Non-Repudiation

Attacks Classification

Passive attacks

Footprinting

Sniffing and eavesdropping

Network traffic analysis

Decryption of weakly encrypted traffic

Attive Attacks

Dos

Bypassing protection mechanisms

Malware Attacks (virus, wormes.. )

Spoofing attacks

...

Close-in-attacks

Social Engineering

Soulder surfing

Dumpster diving

..

Insider attacks

Eavesdropping

Wiretapping

Theft of physical devices

Pod splurping

Planting keyloggers, backdoors or malware

Distribution Attacks

Modification of software or hardware during production

Modification of software or hardware during distribution

Information Warfare

Command and control warfare ( C2 Warfare )

Offensive Information warfare

Defensive Information warfare

Intelligence-based warfare

Offensive Information warfare

Defensive Information warfare

Electronic warfare

Offensive Information warfare

Defensive Information warfare

Psychological warfare

Offensive Information warfare

Defensive Information warfare

Hacker warfare

Offensive Information warfare

Defensive Information warfare

Economic warfare

Offensive Information warfare

Defensive Information warfare

Cyberwarfare

Offensive Information warfare

Defensive Information warfare

Cyber Kill Chain Concepts

Reconnaissance

Gathering information

Performing analysis of various online activities - OSINT

Performing Whois, DNS footprinting

Scannings ( shodan.. )

Weaponization

Identifying appropriate malware payload based on the analysis

Creating a malware payload or reusing available online

Creating a phishing email campaign

Delivery

Sending phishing emails to employees of targeted org

Performing attacks such as watering hole on the compromised website

Distribuiting usb devices containing malicious payload to employees of target organization

Exploitation

Exploiting software or hardware vulnerabilities to gain remote access to the target system

Installation

Downloading and installing malicious software such as backdoors

Gaining remote access to the target system

Levereging various methods to keep backdoor hidden and running

Maintaining access to the target system

C2 - Command and Control

Establishing a two-way communication channel between the victim's system and the adversary-controlled server

Levereging channels such as web traffic, email communication and DNS messages

Applying privilege escalation techniques

Hiding any evidence of compromise using techniques such as encryption

Actions and Objectives

The adversary controls the victim's machine and can do whatever he wanted do

Pivot to others..

Tactics, Techniques and Procedures ( TTPs )

Refer to the patterns of activities and methods associated with specific threat or actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructures of an organization.

TACTICS

Describe the way the threat actor operates during different phases of an attack. It consists of the various tactics used to gather information for the initial exploitation, perform priv esc and lateral mov, and deploy measures for persistance access to the system. They can vary, but they are mostly similar and can be used for profiling

TECHNIQUES

Set of tools and the way they are used to obtain intermediate results during an attack campaign. To lunch an attack successfully, threat actors use several techniques during its execution. These techniques include :

Covering the tracks of data exfiltration

Accessing the target infrastructure

Setting up C2 channel

Initial exploitation

PROCEDURES

Involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle. The number of actions usually differs depending upon the objectives of the procedure and the APT group.

IoC

Atomic Indicator - those that cannot be segmented into smaller parts, and whose meaning is not changed in the context of an intrusion.

Ip addresses

Email addresses

Computed Indicator - are obtained from the data extracted from a security incident

Hash values

Regex used

Behavioral Indicators - refer to a grouping of both atomic and computed indicators, combined on the basis of some logic

Email Indicators

sender's email address

email subject

attachments

links

Network indicators

URLs

Domain names

IP addresses

Host-based indicators

Filenames

File hashes

Registry keys

DLLs

Mutex

Behavioural indicators

Document executing PowerShell script

Remote command execution

Common IoC

Unusual outbound network traffic

Unusual activity through privileged user account

Geographical anomalies

Multiple login failure

Large HTML response size

Unusual DNS requests

Signs of DDoS activity

Web traffic superhuman behaviour

IDS / IPSThese solutions monitor networks or systems for harmful activities, mitigate them, and report the results to the system administrator.The Intrusion Detection System's goal is detecting, record-keeping of attacks, and alerting the administrator. IDS compares network traffic to threats database and flags network attacks, unsuccessful authentication, and privilege escalation attempts. To block malicious actions, the system administrator has to reconfigure the firewall by themselves.The Intrusion Prevention Systems are extensions of IDS solutions. IPSs are capable of autonomously reconfiguring the firewall and reset sessions based on real-time threats.

IDS

network-based IDSs (NIDS)NIDS scans huge volumes of network activity on the router level and flags suspicious transmissions, such as IP Spoofing, DoS attacks, ARP cache poisoning, DNS name corruption, and man-in-the-middle attacks.

host-based IDSs (HIDS)HIDS monitors multiple log files on the host (kernel, system, network, firewall) to identify misuse or intrusion. Additionally, HIDS assures the integrity of critical data on the host by validation of files' checksums (md5 or sha1). When checksums do not match, HIDS notifies the administrator.

Detection Methods

Signature-based

Anomaly-based

Rule/Policy-based

IPS

NIPSNetwork IPS (NIPS) is placed on a router. It inspects transit traffic before it is allowed through the network. As NIPS solutions work with the network traffic, they don't need operation system (OS) compatibility with each host on the net.

inline modeIn the inline mode, NIPS works as a network bridge and after detecting an attack, it can block its expansion within a few seconds. Inline NIPS instances do not have their own MAC or IP address, which makes them invisible and inaccessible for the attackers.

promiscuous modeIn the promiscuous mode, NIPS is placed on the Switched Port Analyzer (SPAN), which sends a copy of network packets from multiple ports to NIPS. In the promiscuous mode, NIPS works with a copy of traffic, so it can not block the attackers on the fly. Encrypted or fragmented traffic may challenge NIPS solutions, as the difficulty of the analysis increases. Also, high-bandwidth networks may require costly deployment of more NIPS sensors. (Product: SolarWinds Security Event Manager)

HIPSHost IPS (HIPS) monitors suspicious activity within the host on which it is installed. It intercepts the operating system and application calls for system resources, validates the call against the policy, and decides to allow or deny the request. Encrypted traffic is not an issue for HIPS, as it has access to its unencrypted form on the host. Additionally, HIPS analyzes the log files for post-factum suspicious activity. For greater results, HIPS has to be deployed on each host in the network. Without prior verification, this may cause compatibility issues with different OS types over the network. (Products: CrowdStrike Falcon, OSSEC, Fail2Ban.)

Un infrastruttura ha bisogno di entrambi a lavorare assieme. Per questo molti prodotti escono con entrambi integrati es: AT&T Cybersecurity AlienVault USM, Cisco's Next-Generation Intrusion Prevention System (NGIPS), and Darktrace

Hacking phases

Reconnaissance

active

passive

Scanning

Gaining access

Maintaining access

Clearing tracks

Tools like : PsTools, Netcat or trojan to erase their footprints

Information Security Controls Information security controls prevent the occurrence of unwanted events and reduce risk to the organization's information assets. The basic security concept critical for information are the CIA.

Information assurance (IA) refer to the assurance of the CIA and authenticity of information and information system during usage, processing, storage and transmission of information.Processes that help in achieving IA are :

Develop local policy, process and guidance in such a way to maintain the information system at an optimum security level

Design network and user authentication strategy

Identify network vulnerabilities and threats

Identity problems and resource requirements

Create a plan for identify resource requirements

Apply appropriate IA controls

Performing the Certification and Accreditation ( C&A ) process to information system help to trace vulnerabilities and implement safety measures to nullify them.

Provide IA training to all personnel in federal and private organizations for IT awareness

Defense-in-depth Is a security strategy in which security professional use several protection layers throughout an information system. Use the military principle that is more difficult for an enemy to defeat a complex and multi-layered defence system than to penetrate a single barrier

Risk Management

What is a RISK? RISK = Threats x Vulnerability x Impact IT risk RISK = Threat x Vulnerability x Asset Value Risk Level : Consequence x likelihood

Probability of the occurrence of a threat or an event that will damage, cause loss to or have negative impacts to an organization, internally or externally

The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.

The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset

Objectives

Identify potential risks

Identify the impact of risks

Prioritize the risks

Undestand and analyze the risks and report identified risk events

Control the risk and mitigate its effect

Create awareness among the security staff and develop strategies and plans for lasting risk management strategies

Phases

Risk Identification

main aim : identify the risks, including the sources, causes and consequences of the internal or external risks affecting the security of the organization BEFORE they cause harm

Risk Assessment

This phase assess the organization's risk and estimates the likelihood and impact of those risks. It's an ongoing iterative process that assign priorities for risk mitigation and implementation plans

Risk Treatment

Is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. Address them based on the severity level. Decision made in this phase are based on the results of a risk assessment.

Information needed BEFORE treating the risk:

Appropriate method of treatment

People responsible for the treatment

Costs involved

Benefits of treatment

Likelihood of success

Way to measure and assess the treatment

Risk Tracking and Review

Evaluate the performance of the implemented risk management strategies

Cyber Threat Intellingence

THREAT : the possibility of a malicious attempt to damage or disrupt a computer network or system

Cyber Threat Intelligence or CTI is the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions and preparedness, prevention and response actions against various cyberattacks. Main aim : make the organization aware of existing and emerging threats and prepare them to develop a proactive cybersecurity posture in advance of exploitation.

Types:

Strategic Threat Intelligence

Financial impact of cyber activities

Attribution for intrusions and data breaches

Threat actors and attack trends

The threat landscape for various industry sectors

Statistical informations for data breaches, data theft and malware

Geopolitical conflicts involving various cyberattacks

Information on how adversary TTPs change over time

Industry sectors that might impact due to the high-level business decisions

Tactical Threat Intellingence

provides information related to the TTPs used by attackers to perform attacks

Operational Threat Intelligence

provides information about specific threats against the organization

Technical Threat Intelligence

resources that an attacker uses to perform an attack

Threat Modeling

what is?

Risk assessment approach for analyzing the security of an application by capturing, organizing and analyzing all the information that affects the security of an application

help to

Identify relevant threats to a particular application scenario

Identify key vulnerabilities in an application design

Improve security design

5 Steps

Identify security objectives

Application overview

Identify roles

people and the roles and actions they can perform within the application

Identify technologies

Os, web server software, database server software etc..

Identify key usage scenarious

Identify application security mechanisms

Decompose the application

Identify trust bundaries

Identify data flows

Identify entry points

Identify Threats

Identify Vulnerabilities

Incident Management

What is

IM is a set of defined processes to identify, analyze, prioritize and resolve security incidents to restore the system to normal service operations asap and prevent recurrence

Include

Vulnerability handling

Artifact handling

Security awareness training

Intrusion detection

Public or technology monitoring

Incident Handling and Response (IH&R)

what is

Is the process of taking organized and careful steps when reacting to a security incident or cyberattack. It is a SET OF PROCEDURES, ACTIONS and MEASURES taken against an unexpected event occurrence.

steps involved :

Step 1 : Preparation

Perform an audit of resources and assets to determine the purpose of security

Define the rules, policies and procedures that drive the IH&R process

Build and train an incident response team

Define incident readiness procedures

Gather required tools

Train employees to secure their systems and accounts

Step 2 : Incident Recording and Assignment

This phase handles identifying an incident and defining proper incident communication plans for the employees and also to the IT submitting a ticket.

Step 3 : Incident Triage

The incident is analyzed, validated and prioritized. The IH&R team further analyzes the compromised device to find incident details such : source of attack, severity, target, impact, method of propagation and vulnerability exploited

Step 4 : Notification

In this phase the IH&R team inform various stakeholders, including management, third-party vendors and clients about the identified incident.

Step 5 : Containment

Help to prevent the spread of infection to other assets

Step 6 : Evidence Gathering and Forensic Analysis

The team gather all possible evidence and submit them to the forensic department for investigations

Step 7 : Eradication

The IH&R removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incident in the future

Step 8 : Recovery

The IH&R restore the affected system, services and resources. It's them the duty of maintaining the service up and running

Step 9 : Post-incident Activities

Final review :

Incident Documentation

Incident Impact Assessment

Reviewing and revising policies

Closing the investigation

Incident Disclosure

Is designed to:

Improve service quality

Resolve problems proactively

Reduce the impact of incidents on an organization or its business

Meet service availability requirements

Increase staff efficiency and productivity

Improve user and customer satisfaction

Assist in handling future incidents

AI and ML concepts

what are AI and ML ?

AI is the only solution to defend networks against various attacks that an antivirus scan cannot detect. A huge amount of data is fed into the AI, which processes and analyzes it to undestand its details and trends.

ML is a branch of artificial intellingence that gives the systems the ability to self-learn without any explicit programs.

2 types of ML

Supervised Learning

Classification

Regression

Unsupervised Learning

How they help prevent cyber attacks?

Password Protection and Authentication

Phishing detection and Prevention

Threat Detection

Vulnerability Management

Behavioral Analytics

Network Security

AI-based Antivirus

Fraud Detection

Botnet Detection

AI to combat AI threats

Laws and Standards

PCI DSS

ISO/IEC 27001:2013

Specify the requirements for establishing, implementing, maintaining and continually improving an information security management system withing the context of the organization : EMII per ricordare

different uses:

Use within an organization to formulate security requirements and objectives

Use within an organization as a way to ensure that security risks are cost-effectively managed

To ensure compliance with laws and regulations

Defining new information security management processes

...

Use to provide relevant information about information security to customers

HIPAA [1996]

Privacy Rule

It sets limits and conditions on the uses and disclosures that may be made of such information ( PHI ) without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

Security Rule

Establish national standards to protect individuals' electronic phi that is created, received, used or maintained by a covered entity. It requires appropriate ADMINISTRATIVE, PHISICAL and TECHNICAL safeguards, to ensure the confidentiality, integrity and security of electronically PHI ( ePHI)

NPI - National Provider Identifier, 10-position intelligence free number that HAVE TO be used for financial and administrative transactions adopted under HIPAA

SOX - Sarbanes Oxley Act [2002]

Protect investors and the public by increasing the accuracy and reliability of corporate disclosures

DMCA - Digital Millennium Copyright Act

Copyright

FISMA - Federal Information Security Management Act