Risk Management
Understanding current organization security environment and posture
Understanding critical information security issues faced/facing by organization
Initiating cyber security best practices
Developing modern Cyber Security program with Defense in Depth and Zero Trust
Developing Cyber Security Strategies to mitigate threats
Directing/Managing
Asset Management
High valued assets
Critical assets for operations
Cyber Physical Security Management
Hardware Security Management
IOT/OT/SCADA Security Management
Cyber Security Operations
SIEM
Audit log management
SOC
SOC Playbooks
SOAR
Incident Response
Identifying
Containing
Eradicating
recovering
Security breach management
Ransomware
Data loss
Shadow IT
Cloud Security Management
Cloud Security Architecture
Cloud Security tools
CASB, CWPP, CSPM
Security attacks
Cloud security frameworks
CSA, cloud adoption frameworks
Cloud computing policy
Cloud storage policy
Zero trust on cloud
SecDevOps/DevSecOps/Security Engineering
Shift left with security in DevOps Pipeline
Security Misconfigurations
Security automation
Infrastructure as code
Data Encryption
Symmetric
Asymmetric
Hashing
Encoding
Key exchange
Certificates
Digital signature
Data Privacy
Application Security
Secure Coding and software development
Security Awareness
Security First
Security Situational Awareness
Cryptography, Data Security and Protection
Vulnerability and Patch Management
Build
Audit
Review
Network Security/Perimeter security
Layered security controls
NGFW, NSM, IDS/IPS, Load Balancers, Proxies,
VPN, IPsec
Endpoint Security
End-user Security
EDR, XDR, HIDS,HIPS, EPP, FIM, Sandboxing, whitelist/blocklist
Malware defense
Cyber Security Governance, Risk, Compliance Management
Risk Assessment and Management
Information security Management
Security policies
Business continuity
Disaster Recovery
Cyber Security Maturity Models
Cyber Security Architecture
Zero Trust Model
Zero trust network access
Cyber Security Frameworks and controls
NIST cyber security framework
CIS critical controls
CMMC
NIST SP 800-171
NIST SP 800-53
Cyber Defense architecture and frameworks
MITRE ATT&CK
Cyber Security Standards
Cyber Security Reporting
Cyber Gap Analysis
Cyber Security Strategic Plan
Security workflow and relationships among multiple teams
Cyber Security Budget Management
Cyber Security Team performance, growth, learning
Penetration Testing/Red Team
Bring your own device policies
Remote work policies
Cyber Security product and services SLA's
Developing Non-Disclosure Agreements
Cyber Threat Landscape
Threat actors
Nation state attacks
TTP's
Critical business operations
Stakeholders
Organization business goals and vision
Security metrics
Weekly
Monthly
Quarterly
Architecture
Defense in Depth
Zero Trust
NIST
What you need to understand:
TCP/IP
OSI Model
Layered protocols
Layer 2: ARP, VLAN
IPv4 Protocol suite
IPV6
Network protocols and services
Nonroutable protocols
News to Follow
Companies to Follow:
Knowledge Base:
IETF RFC
MITRE Attack framework
CVE
Exploit DB
Security Assessment Standards:
PCI DSS
NIST SP 500-83
CJIS
Worms and Cyber Attacks for further study
Stuxnet
Petya
Non petya
Saudi Aramco cyber attack
Sony pictures hack
Target Hack
Vulnerabilities further study
Heartbleed
Shellshock
Assessment logics
Static analysis
Static code analysis
Configuration analysis
Dynamic testing
Network pentesting
Web application testing
Api testing
Cofiguration testing
Social enginering
Recon
Scan
Identify
Investigate
Exploit
Kali linux assuring security by pentesting by tedi heriyanto, lee allen and shakeel ali
Mastering kali linux for advanced penetration testing by rober w.beggs
Nmap
--script dns-srv-enum --script-args dns-srv-enum.domain=ebay.com
Fierce -dns
Threat modeling
Heap management algorithms
Books To Read
Mastering Kali Linux for Advanced Penetration Testing by Robert W Beggs
Kali Linux: Assuring Security by Penetration Testing by Tedi Heriyanto, Lee Allen and Shakeel Ali
Application Security/DevSecOps
Saturday, May 14, 2022
9:43 AM
Vulnerability Scanning
Friday, July 26, 2019
10:23 PM
Nmap
Nessus
Rapid 7 Nexpose
Fingerprinting
Network probing
Nvd.nist.gov
Exploit-db.com
Seclists.org
Hacker one
Securityfocus
Packet strom
Cert vulnerability notes
Scadavulns.com
Immunitysec.com
Coresecurity.com
Metasploit
NIST SP 800-115
Showmount
Dig
Snmpwallk
Define the Security Assessment objective
Testing enforced policies
Testing coverage of Audit requirements
what is the ultimate goal and objective
Build Scope:
Design the boundaries which need to be covered
Networks, Vlan's, IP Ranges, Applications, assets, People
Scan scope
How many firewall palced, acl's
How DNS resolution works
Id DNS data accurate
Stages
Reconnaissance
Identify everything and map the network
Which services and ports opened
Vulnerability Scan
Reviewing the vulnerabilities
Possibility of exploitation
Publicly Available Data:
Websearch engines
Whois
Dns servers
Email addresses
Telephone numbers
Usernames
Bruteforce grinding
Social engineering
Publicly exposed databaases
Historical usuage of same username and password
Subdomains
Search engines
Google, Bing
Netcraft
Shodan
Censys
Domain tools
Linked in
Whois
Bgp.he.net hurricane
Ip who is
DNS enumeration
DNS zone Trasfer
Network Scanning
Detecting IP ranges, Vlans, Hostnames, Network devices, Mac Addresses
Is ping scan works ?
ICMP type 8 and 13
Nmap -PEPM -sP -vvv -n Iprange
Ping -b broadcast address
Vulnerability Assessment
Saturday, May 14, 2022
10:39 AM
Is any of identified services does have vulenrabilites ?
What is the criticality
Is it impact the business
Is it impact CIA triad
Detecting and Assessing Attack Surface [useful for threat hunting too}
Users
Social engineering attacks
Clickjacking
Publicly exposed user creds and databases
Client assets
Vulnerable applications, browsers
Credential dumping
Client network
HTTPs session hijacking
SSH bruteforcing
Communication network
Communication infrastructure
Application Servers
Command injection
Session management
Database Servers
Threat Modeling
need further reading
Vulnerability Exploitation
Saturday, May 14, 2022
10:42 AM
Is there rate limit for sign in acitivity
Running bruteforce
Threat Modeling and Hunting
Saturday, May 14, 2022
11:26 AM
Threat Modeling
Threat Hunting
Def:
proactive and iterative search
validation of all assets connected in organizations network
Hwo to start ?
Hypothesis
Phishing emails
Anomalies behaviors
Drive on download
Credential hijack
Unusual external connections
detect anomalies
Data collection
Endpoint
Firewall
Application
Network
Analysis
What connections received at time of incident
Remote TeamViewer logins
SMB 1
Hypothesis Validation
Conclusion
Reporting
Reference :
Pyramid of pain
Detecting and Assessing Attack Surface
Users
Social engineering attacks
Clickjacking
Publicly exposed user creds and databases
Client assets
Vulnerable applications, browsers
Credential dumping
Client network
HTTPs session hijacking
SSH bruteforcing
Communication network
Communication infrastructure
Application Servers
Command injection
Session management
Database Servers
Know you network diagram ?
Know your assets ?
How many departments ?
How many servers in DMZ ?
Which firewall we have ? How many ?
Which router we have ?
Which switch we have ?
Which WAF we using ?
Desktops
Windows
Linux
Test network
Servers
Windows
Linux
Vm environment
Printers
IOT/SCADA
(get IP ranges all we have)
Which security controls we have
Which preventive controls we have
Which detective controls we have
What do we need? Centralized log collection
What is logging?
Syslog port numbers
Regex for threat hunting on raw logs
Log sources
Firewall logs
IDS/IPS
VPN
Proxies
Endpoint/edr
MFA failure attempts/2Factor
Authentication logs
Autherizaiton logs
What do we do? Understand known good patterns, detect the signatures to identify indicators of compromise
What is IOC’s and IOA’s
Indicator of compromise
Indicator of Attack
What is a threat Intelligence?
We can’t completely relies on threat intelligence
Because IP’s, DNS, File signatures changes
Focus on behavioural threat intelligence
Github used as c2c, how to detect that
Cloud servuces and CDN’s are often abused
What are host intrusion detection system?
What are network intrusion detection systems?
suricata
Oranization to maintain security posture
Run periodic audit and internal pentest
Vulnerability Management
What is the scope ?
Which audit cortrols we need to follow ?
Who is doing the patches ?
Who responsible for patching ?
Research:
Is logging disabled on any device or asset
Is antivirus disabled on any device
Malware persistence mechanisms
Tools
Empire
Dnscat2
What we are doing reactive, we need proactive
Managing SOC alerts
Check logs for suspect activity
Check dashboards for unusual activity
Monitor and respond to EDR alerts
These are all reactive activities
Threat hunting is a proactive process
How to perform asset integrity
Network threat hunting
C2 communication/threat hunting
Outbound connections
Dns over http
TXT records
Using zeek
Connection persistence, happening more often
Longest network connections
Total time the pair has in contact
Data exfiltration data size
Expected dns traffic
Dns traffic and certificate match
Moving data to random ip
Unique client signature
Self signed cerificates
Abnormal protocol usauage
External IP reputation check
Failed sign in, connectins, protocol communications
Beacons activity with respect to time
Repetitive connections ip’s and FQDN
Connections to cdn
Which threat actors use which cdn
Beacon detection using kmeans clustering
Types of threat hunting
Active
Asset isolation
Memory forensics
Passive
Review packets
Review siem logs
Threat Hunting using Firewall
What is network jitter
Detection of cobaltstirke c2 communication
Detect heartbeat
Session size
Connection to TeamViewer
To avoid false positives
Check connection persistence
What is valid use case
Legit need
NTP
Windows notification services
Checking for patches
Outbound protocols
5222 chrome remote desktop
5800 and 590x vnc
502 modbus
C2 tunnelling
Standard ports for unexpected apps
Applications using not standard ports
Counter cyber terroirism
Check for common web vulnerability strings and useragents
/etc/passwd
Review LolBins
Windows
Linux
MacOS
Further research Questions
Saturday, May 14, 2022
12:53 PM
Ransomware groups which generate both keys on victim machine
Which programs/processes doesn't follow DEP and ASLR
How threat actors bypass ASLR or memory restrictions
Code ideas and questions
Saturday, May 14, 2022
1:18 PM
Information gathering scripts
Subdomain enumeration methodologies
ASN Lookup
Search engine search for sensitive files download
File header sensitive data
Pdf/doc/text/ sensitive keywords search
Comments grabber
Github/gitlabsearch
Network Security Assessment
Friday, February 18, 2022
11:32 AM
Google Project Zero
Exploitation software defect
Defense and depth
MITRE Framework
CVE database
NIST Framework
NIST Vulnerability Database
NIST 800-115
NIST 53
NIST vulnerability database
Exploit database
CERT security notes
NSA DevSecOps
NSA IAM
DISA
CSEG CHECK
- CHECK Fundamental Principles
PCI DSS
HITRUST
HIPPA
ISO 27001
PTES
PreEngagement
Intelligence Gathering
Reconnaissance
DNS
Subdomains
ASN
Webservers
Mail servers
VPN
User names/emails
Port scans
TCP, UDP, 65536
Identifying networks and hosts
Threat Modeling
Vulnerability Analysis
Nmap, Tenable
Service fingerprinting
Network probing
Exploitation
Post-Exploitation
Reporting
System administration
Windows
Netbios
SMB
RPC Services
Users
Groups
Shares
Domains
Password Policies
Linux
RPC services
NFS services
R services (rsh, rexec, rlogin)
Best practices
OS internals
Computer networking
OSI layers
TCP/IP
Network protocols
FTP, SMTP, HTTP
X86 processor registers
Fundamentals of Cryptographic
OWASP Top 10
Network Security Assessment
Cyber Risk Management
Information Assurance process
Security assessment workflows and tactics
DDOS attacks
Man-in-the-middle Attacks
What is client business ?
What is the criticality in business?
Critical Assets ?
Cyber Gap Analysis
Asset classification
Who are our adversaries
State sponsored
Criminals
What is our attack surface ?
Which are exposed
External network and infrastructure
Users
Web application
Network Exploitation strategies
Network defense strategies
Network segmentation
Zerotrust policies
Defendable networks
Vulnerability Assessment
Vulnerability Classes
Adversary types
Network Discovery
External Network Mapping
Ports and Services
Local Network Discovery
Asset Discovery
Network Sniffing
IP Network Scanning
Scan Types
IDS evasion
Low-level packet analysis
Common Network protocols and services analysis
SSH
FTP
Kerberos
SNMP
VNC
Common ports
Microsoft Services
Netbios
SMB version
RPC
RDP
Mail Services
O365
SSO
MFA
SMTP
POP3
IMAP
Transport Rules
Information Leak
BruteForce attacks
VPN Services
Ipsec
TLS/SSL services
Data security on transit
Web Application Architecture
OWASP Top 10
XXE
API abuse
Privilege escalation
Vulnerable frameworks
Serialization Bugs
Python pickel
Yaml
Java
Business Logic
Compression techniques
Encoding techniques
Parsing mechanism
Rendering
Shell shock
Security Assessment
Source code
Configurations
Server
Infrastructure
Architecture
Dynamic Testing
Network infrastructure
Web services (API mobile applications)
REST API
Fuzzing
SOAP API
Data Storage
Storage protocols
Assessment Process
DNS Information retrieval
Network mapping
Network Probing
ICMP, TCP,UDP
TCP Service banner grabbing
SNMP enumeration
MIB
Router and Switches enumeration
Telnet, TFTP
User enumeration
Compromised user accounts
OT
SCADA
IOT
Last updated