Professional Documents
Culture Documents
Cyber 3 Module 3 Reviewer Kunwari
Cyber 3 Module 3 Reviewer Kunwari
Cyber 3 Module 3 Reviewer Kunwari
In response to an incident:
● Secure data.
● Contain the incident.
● Return operations to normal.
● Identify how to prevent further exploitation.
● Assess the damage and impact.
● Update security policies and procedures based on lessons
learned.
Site Book
Hardware
Serial numbers, MAC addresses, disk drive type/sizes, CPU
type/speed, etc.
Software
Operating systems, applications, scripts, add-ons, etc.
Network infrastructure
Cabling, switches, routers, etc.
Physical infrastructure
Power supplies, table, chairs, shelving, etc.
Warranty information
Dates, vendors, receipts, registration information, etc.
Configurations
IP addresses, organization layout, distribution, configuration
files, etc.
Administrative credentials
User names, passwords, tokens, etc.
SOCs
● Equipped to perform incident response duties.
● Supported by organizational policies.
● Aware of strengths and limitations of tools.
● Able to separate signal from noise in monitoring.
● Able to balance size and presence in the organization.
● Able to incorporate various security processes.
● Prepared to leverage strong processes and minimize weaker
ones.
● Staffed with skilled professionals.
● Able to protect SOC itself.
● Willing to collaborate with other SOCs
CSIRT Organization
Central Team
● One team works on behalf of entire organization.
● Suitable for smaller organizations/organizations in one
location.
Distributed Team
● Multiple CSIRTs for different segments/locations of
organization.
● Suitable for large organizations/organizations in many
locations.
● Must be collaboration and consistency between teams.
Coordinating Team
● Overarching team provides guidance to other teams.
● Coordinates actions of distributed teams.
CSIRT Roles
Manager/team leader
● Supervises CSIRT.
Investigator
● Discovers impact and source of incident.
Security specialist
● Supports team members when dealing with specialized
systems.
Help desk staff
● Supports employees and customers affected by incident.
Crisis communicator
● Communicates important details of incident to stakeholders.
Auditor
● Evaluates existing security mechanisms.
Legal counsel/liaison
● Provides legal assistance in criminal incidents.
Software developer
● Builds and maintains tools used by CSIRT.
Consequences of an Incident
● Damage to data and information system resources
● Unauthorized changes to data and systems.
● Theft of data or resources.
● Disclosure of sensitive data.
● Interruption of services
Incident Containment
● Ensure the safety and security of all personnel.
● Remove devices from the network.
● Disable communications between network devices.
● Disable network user accounts.
● Disable email accounts.
● Limit access to affected subnets.
● Isolate the compromised system.
● Treat the compromised system as a crime scene.
System Hardening
● Deactivate unnecessary components
● Disable unused user accounts
● Implement patch management
● Restrict access to peripheral protocols
● Restrict shell commands
Blacklisting
● Internal example:
- Logic bombs triggering under known circumstances.
- You know the effect and the ports it uses to spread.
- Block these ports at the firewall to stop the spread.
● Limitations:
- False positives and collateral damage.
- What you don’t know can still hurt you.
Whitelisting
● Response to the problem of what you don’t know.
● Block everything except what you trust.
● You know the sources you trust; takes time and effort to
identify all possible bad sources.
● Enforcing a whitelist of trusted domains, ports, etc., will block
more bad sources.
● Can also be used to restrict application usage during
mitigation efforts.
● Limitations:
- Can be very restrictive
- Need to be constantly fine-tuned.
DNS Filtering
● Restricts what kind of lookup requests are validated.
● Uses blacklists/whitelists to block untrusted sources.
● Usually returns a block message to user who tries to access
untrusted sources.
● During an incident, filtering can prevent more malware from
downloading.
● Easy to apply across the organization.
● Won’t remove an infection, but contain it.
● Users can bypass filtering if they don’t use your DNS server.
· Obtain evidence.
· Support prosecution.
Investigating Scope
· You may come across activity that is beyond the scope of your current investigation.
Authentication of Evidence
Chain of Custody
● Collect Evidence
● Analyze and Store
● Present in court
· They may not be as technical or have the same knowledge of your organization.
· Consider the risk of evidence being seized for long periods of time.
● TSK
● EnCase
● CAINE
● Helix3
● FTK
● Forensic Explorer
● SIFT
● DFF
● COFEE
● Elcomsoft Forensic Disk Decryptor
● WindowsSCOPE
● Volatility
● md5sum
● shasum
● HashMyFiles
● HashKeeper
● Foremost
● TestDisk
● log2timeline
● Wireshark
· Develop a plan for who will handle each type of forensic task.
· The organization should develop its own capability to perform digital forensics.
· Linda accessed the same server at 7:43 A.M. from her internal workstation.
· Later, in the early morning before most people made it in to the office, the attacker
physically went to Linda’s desk, discovered her password written down in a drawer,
and used it to log in to her workstation and the remote server.
· While in the remote server, the attacker transferred a smart watch schematic to
Linda’s workstation, where he or she then copied the document to a removable drive.
· The attacker deleted the document from Linda’s workstation, ejected the removable
drive, and left.
· Affected hosts (research and development server and Linda’s workstation) have
been disconnected from the network.
· A new machine with a backup of the research and development server is pushed to
the live environment.
· Linda’s account will stay disabled for now, and she will be provisioned a new,
temporary workstation.
Order of Volatility
1. RAM
2. Network Cache
3. Hard Drive
4. DVD-ROM
File Systems
o Directory structure.
o File location.
o File size.
o File names
o Miscellaneous attributes
· System images or forensic tools can let you capture and view metadata.
o NTFS (Windows)
o ext3/4 (Linux)
· File carving
· Data recovery software (i.e., TestDisk and Foremost) can recover deleted or
corrupted data from a disk partition.
· Preserve all gathered evidence in a proper manner for a lengthy period of time.
· Capture video.
· Take hashes.
· Take screenshots.
· Identify witnesses.
Cyberlaw
· Governs the behavior of individuals and groups in the use of computers, the internet,
and other information technology domains.
· Communicate the who, why, and how to those who can take legal actions.
Reflective Questions
Chapter 11 (DONE)
Addressing Security
● Remediate Identify and Access Management Issues
● Implement Security During the SDLC
IAM Tasks
● Assigning and changing user access.
● Resetting user passwords.
● Tracking user activities.
● Creating and de-provisioning IDs.
● Synchronizing multiple identities.
● Enforce identity and access control policies.
● Designing and maintaining identity systems.
● Evaluating identity-based threats and vulnerabilities.
● Maintaining compliance with government regulations.
IAM Issues
● Personnel
○ Popular vector for attack - easy for users to be careless
○ Requires end user security training.
● Endpoints
○ Devices are difficult to identify outside the organization
○ Endpoint management can assign untrusted profiles to
unknown endpoints.
● Server
○ Servers need stronger authentication through digital
certificates.
○ Issuing CAs and private keys must be thoroughly
protected.
● Software
○ Determine which entities are allowed to run certain
apps
○ Services like AppLocker can enforce app identity and
permissions for client access
● Roles
○ Roles define identity based on an asset’s function
○ Roles must be meaningfully defined to avoid privilege
creep
Directory Services Issues
● Directory services assign attributes to objects for
identification
● LDAP is dominant directory service protocol
○ Active Directory, OpenLDAP, etc.
● LDAP susceptible to code injection
○ Attacker can dump or modify records
○ Based on malformed queries
○ Use input validation and query encoding to remediate.
● LDAP transmits in plaintext by default
○ Attacker can eavesdrop on directory info
○ LDAPS constructs an SSL/TLS tunnel for confidentiality
RADIUS vs. TACACS+
RADIUS TACACS+
Transport Protocol UDP TCP
Encryption Only Passwords All payload contents
Authentication/Aut Combines functions Separates functions
horization
Context-Based Authentication
● Time
○ Based on time of day or day of year
○ Can block users working off hours or in different regions
○ Supplement with other rules or schemes
● Location
○ Based on physical location
○ Can also be restrictive
○ GPS and IP are not always reliable indicators
● Frequency
○ Based on how often an object tries to access a
resource
○ Difficult to determine
○ Evaluate workflow before setting this rule
● Behavior
○ Based on how object acts
○ Complex and susceptible to false positives
○ Test rules and evaluate effectiveness
SSO and Identity Federation
● Impersonation
○ Social engineering can net an attacker new or
modified credentials.
○ Mitigation: Train users to spot social engineering
● Man-in-the-middle
○ Attackers can eavesdrop on unsecured
transmissions
○ Mitigation: Employ end-to-end encrypted channels
● Privilege escalation
○ Buffer overflows can help attacker assume
privileges of running software
○ Mitigation: Run software with least privilege and
ASLR
● XSS and session hijacking
○ Malicious code injection can hijack user’s web
cookies
○ Mitigation: HTML input/output encoding and
validation
● Rootkits
○ Can bypass IAM at the kernel/firmware level
○ Mitigation: Harden systems with secure
boot/trusted computing
Guidelines for Remediating IAM Issues
Microsoft SDL
Training
1. Core Security Training
Requirements
2. Establish security requirements
3. Create quality gates/bugs bars
4. Perform security and privacy risk assessments
Design
5. Establish design requirements
6. Perform attack surface analysis / reduction
7. Use threat modeling
Implementation
8. Use approved tools
9. Deprecate unsafe functions
10. Perform static analysis
Verification
11. Perform dynamic analysis
12. Performa fuzz testing
13. Conduct attack surface review
Release
14. Create an incident response plan
15. Conduct final security review
16. Certify release and archive
Response
- Execute incident response plan
Security Requirements
- App must meet expected behavior baseline
- Several security requirements are common among all
projects
- Legal and regulatory requirements drive security efforts
- You may be required to handle PII a certain way for privacy
- How will security mechanisms affect the user experience?
- App must also align with risk management policies
- What are the password policy requirements the app needs to
enforce?
- How will you control access and permissions in your app?
- Compile requirements from stakeholders into a document
Security testing tools
- Uses different tools to validate app security
- Web app vulnerability scan:
- Looks for weaknesses to SQL injection and related
attacks
- Results could change app’s design
- Interception proxy:
- Crawls outbound traffic from an app
- Determine nature of HTTPS traffic
- Is traffic secure?
- Fuzzing
- Active testing of app
- Sends random data as input to cause a crash
- Demonstrates potential attack
- Static code analysis
- Don’t just test apps in execution
- Code analysis can reveal faulty logic and insecure
libraries
Development Tests
Manual peer review
- Reviewers analyze other people’s code, not their own
- Automated review should supplement, not replace, manual
review
Input validation
- App must handle all types of input gracefully
- Can identify weaknesses to irregular input like code injection
Stress testing
- Apps must perform under significant load
- May reveal ways for an attacker to launch DoS
User acceptance testing
- Apps must meet general needs of consumer
- Users must be satisfied with how private data is handled
Security regression testing
- Evaluates old code for issues when new changes are
implemented
- New code may break existing security mechanisms
Secure coding
- Secure coding saves the organization from avoidable
incidents
- Ensures that software is secure by design
- Best practices may differ based on source
- Ultimately about anticipating vulnerabilities and applying
recognized techniques
- Sources for best practices
- OWASP
- SANS
- CIS
OWASP
- Open web application security project
- Provides free access to web app security programming
resources
- Top 10 project lists most significant risks to web apps for a
calendar year
- Latest is 2013; planned to restart in 2017
- Secure coding cheat sheets go into depth for prevention
strategies
- Examples of topics covered
- User authentication
- Input validation
- Output encoding
- Error handling
- Cryptography
- Cookie handling
- Threat defense
- Secure coding practices quick reference guide is a checklist
for these topics:
- Checklist items are brief reminders of what to
incorporate
- Latest version (v2) from 2010, but still useful
SANS
- Cybersecurity training organization
- Offers curricula on many topics, including secure coding
- Secure software development curriculum:
- Level 1: secure coding for web apps, mobile apps,
DevOps
- Level 2: secure coding for languages like C++, Java,
.NET
- Level 3: app pen testing and lifecycle management
- Some courses map to GIAC certs
- Reading room
- Free whitepapers on most areas of security
- Secure coding whitepaper examples:
- Applying regression testing
- Preventing buffer overflows
- Preventing XSS attacks
- Conducting static code analysis
CIS
- Non-profit that provides cybersecurity resources to public
and private sectors
- Intends to foster trusted environments that interface with one
another
- Benchmarks:
- Best practices and design recommendations
- Target a variety of systems
- Provide metrics and assessment tools
- Can test application vulnerabilities on hardened
environments
- Some offered free of charge, rest require paid
membership
- Controls:
- Techniques to defend against attacks
- Short checklists of high-priority actions
- 20 total, each with no more than 10 action items
- One control focuses on secure application development
- Free for non-commercial use
Guidelines for implementing security during the SDLC
- Integrate security at every step on the process
- Clearly define all security requirements
- Consider how compliance has an effect of app design
- Consult with relevant stakeholders regarding requirements
- Put app through testing regimen
- Use passive testing tools to identify weak areas
- Use active tools to demonstrate attack vectors
- Employ static code analysis
- Test apps against user privacy expectations
- Stress test apps
- Regression test apps
- Employ input validation
- Perform manual peer reviews of code
- Consult sources like OWASP, SANS, and CIS for secure
coding best practices.