Fluent Essays

Chapter1-4, summary, and what do you learn/ what do you think Infrastructure security with Red Team and Blue Team tactics Cybersecurity - Attack and Defense Strategies Yuri Diogenes, Erdal Ozkaya Cybersecurity Attack and Defense Strategies Yuri Diogenes Erdal Ozkaya BIRMINGHAM - MUMBAI Cybersecurity Attack and Defense Strategies Copyright 2018 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors nor Packt Publishing or its dealers and distributors will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Commissioning Editor: Vijin Boricha Acquisition Editor: Namrata Patil Content Development Editor: Amrita Noronha Technical Editor: Sneha Hanchate Copy Editor: Safis Editing Project Coordinator: Shweta Birwatkar Proofreader: Safis Editing Indexers: Pratik Shirodkar Graphics: Tania Dutta Production Coordinator: Shantanu Zagade First published: January 2018 Production reference: 1230118 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78847-529-7 Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website. Why subscribe? Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals Improve your learning with Skill Plans built especially for you Get a free eBook or video every month Mapt is fully searchable Copy and paste, print, and bookmark content PacktPub.com Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details. At , you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. Contributors About the authors Yuri Diogenes is a professor at EC-Council University for their master's degree in cybersecurity program. Yuri has a master of science degree in cybersecurity from UTICA College, and MBA from FGV Brazil. Yuri currently holds the following certifications CISSP, CyberSec First Responder, CompTIA CSA+, E|CEH, E|CSA, E|CHFI, E|CND, CyberSec First Responder, CompTIA, Security+, CompTIA Cloud Essentials, Network+, Mobility+, CASP, CSA+, MCSE, MCTS, and Microsoft Specialist - Azure. First and foremost, I would like to thank God for enabling me to write another book. I also would like to thank my wife, Alexsandra, and my daughters, Yanne and Ysis, for their unconditional support. To my coauthor and friend, Erdal Ozkaya, for the great partnership. To Amrita Noronha for her amazing support throughout this project. Erdal Ozkaya is a doctor of philosophy in Cybersecurity, master of information systems security, master of computing research CEI, MCT, MCSE, E|CEH, E|CSA, E|CISO, CFR, and CISSP. He works for Microsoft as a cybersecurity architect and security advisor and is also a part-time lecturer at Australian Charles Sturt University. He has coauthored many security certification coursewares for different vendors and speaks in worldwide conferences. He has won many awards in his field and works hard to make the Cyber- World safe. I would like to thank my wife, Arzu, and my kids, Jemre and Azra, for all their support and love. I would like to give special thanks to my parents and brothers who have helped me become who I am. I would also like to thank my supervisor, Dr. Rafiqul Islam, for his help and feedback whenever I have needed it. About the reviewers Vijay Kumar Velu is a passionate information security practitioner, author, speaker, and blogger, currently based in Malaysia. He has more than 11 years of IT industry experience. He is a licensed penetration tester and has specialized in providing technical solutions to a variety of cyber problems. He is the author of Mastering Kali Linux for Advanced Penetration Testing, Second Edition and Mobile Application Penetration Testing. Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering with over 15 years of experience in designing, troubleshooting, and securing large-scale industrial control systems and the various types of network technologies they utilize. After more than a decade of hands-on, in-the-field experience, he joined Rockwell Automation in 2015. He is currently employed as a senior consultant of industrial cybersecurity with the Network and Security Services Group. He recently became a digital nomad and now travels the world with his family while fighting cyber adversaries. Packt is searching for authors like you If you're interested in becoming an author for Packt, please visit and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea. Table of Contents Preface 1 Chapter 1: Security Posture 6 The current threat landscape 6 The credentials – authentication and authorization 10 Apps 11 Data 13 Cybersecurity challenges 14 Old techniques and broader results 14 The shift in the threat landscape 15 Enhancing your security posture 16 The Red and Blue Team 18 Assume breach 21 References 22 Summary 24 Chapter 2: Incident Response Process 25 Incident response process 25 Reasons to have an IR process in place 26 Creating an incident response process 28 Incident response team 31 Incident life cycle 32 Handling an incident 33 Best practices to optimize incident handling 36 Post-incident activity 36 Real-world scenario 36 Lessons learned 38 Incident response in the cloud 39 Updating your IR process to include cloud 40 References 40 Summary 41 Chapter 3: Understanding the Cybersecurity Kill Chain 42 External reconnaissance 42 Scanning 44 NMap 44 Table of Contents [ ii ] Metasploit 46 John the Ripper 47 THC Hydra 48 Wireshark 49 Aircrack-ng 50 Nikto 52 Kismet 53 Cain and Abel 54 Access and privilege escalation 55 Vertical privilege escalation 55 Horizontal privilege escalation 56 Exfiltration 56 Sustainment 57 Assault 58 Obfuscation 59 Threat life cycle management 60 References 63 Summary 65 Chapter 4: Reconnaissance 66 External reconnaissance 67 Dumpster diving 67 Social media 68 Social engineering 69 Pretexting 70 Diversion theft 70 Phishing 71 Phone phishing (vishing) 72 Spear phishing 73 Water holing 74 Baiting 74 Quid pro quo 75 Tailgating 75 Internal reconnaissance 76 Sniffing and scanning 76 Prismdump 77 tcpdump 78 NMap 78 Wireshark 80 Scanrand 81 Cain and Abel 82 Nessus 82 Metasploit 83 Aircrack-ng 85 Table of Contents [ iii ] Wardriving 86 Conclusion of the reconnaissance chapter 86 References 87 Summary 89 Chapter 5: Compromising the System 90 Analyzing current trends 91 Extortion attacks 91 Data manipulation attacks 92 IoT device attacks 94 Backdoors 94 Mobile device attacks 95 Hacking everyday devices 95 Hacking the cloud 97 Phishing 98 Exploiting a vulnerability 101 Zero-day 101 Fuzzing 102 Source code analysis 102 Types of zero-day exploits 103 Buffer overflows 104 Structured exception handler overwrites 104 Performing the steps to compromise a system 105 Deploying payloads 105 Installing and using a vulnerability scanner 105 Using Metasploit 106 Compromising operating systems 108 Compromising systems using Kon-Boot or Hiren's BootCD 108 Compromising systems using a Linux Live CD 110 Compromising systems using preinstalled applications 111 Compromising systems using Ophcrack 112 Compromising a remote system 113 Compromising web-based systems 114 SQL injection 114 Cross-site scripting 115 Broken authentication 115 DDoS attacks 116 References 117 Summary 119 Chapter 6: Chasing a User's Identity 120 Identity is the new perimeter 120 Table of Contents [ iv ] Strategies for compromising a user's identity 123 Gaining access to the network 125 Harvesting credentials 125 Hacking a user's identity 127 Brute force 128 Social engineering 129 Pass the hash 137 Other methods to hack identity 139 References 139 Summary 140 Chapter 7: Lateral Movement 141 Infiltration 142 Network mapping 142 Avoiding alerts 144 Performing lateral movement 145 Port scans 145 Sysinternals 146 File shares 149 Remote Desktop 150 PowerShell 151 Windows Management Instrumentation 152 Scheduled tasks 154 Token stealing 154 Pass-the-hash 155 Active Directory 155 Remote Registry 156 Breached host analysis 157 Central administrator consoles 157 Email pillaging 158 References 158 Summary 159 Chapter 8: Privilege Escalation 160 Infiltration 161 Horizontal privilege escalation 161 Vertical privilege escalation 162 Avoiding alerts 162 Performing privilege escalation 163 Exploiting unpatched operating systems 164 Table of Contents [ v ] Access token manipulation 165 Exploiting accessibility features 166 Application shimming 167 Bypassing user account control 172 DLL injection 173 DLL search order hijacking 174 Dylib hijacking 175 Exploration of vulnerabilities 176 Launch daemon 177 Hands-on example of privilege escalation on a Windows 8 target 177 Conclusion and lessons learned 179 References 179 Summary 180 Chapter 9: Security Policy 181 Reviewing your security policy 181 Educating the end user 183 Social media security guidelines for users 184 Security awareness training 185 Policy enforcement 185 Application whitelisting 188 Hardening 189 Monitoring for compliance 194 References 198 Summary 198 Chapter 10: Network Segmentation 200 Defense in depth approach 200 Infrastructure and services 202 Documents in transit 202 Endpoints 205 Physical network segmentation 205 Discovering your network 208 Securing remote access to the network 210 Site-to-site VPN 212 Virtual network segmentation 213 Hybrid cloud network security 215 References 218 Summary 218 Chapter 11: Active Sensors 219 Table of Contents [ vi ] Detection capabilities 220 Indicators of compromise 221 Intrusion detection systems 224 Intrusion prevention system 226 Rule-based detection 227 Anomaly-based detection 228 Behavior analytics on-premises 228 Device placement 232 Behavior analytics in a hybrid cloud 232 Azure Security Center 233 References 238 Summary 239 Chapter 12: Threat Intelligence 240 Introduction to threat intelligence 240 Open source tools for threat intelligence 244 Microsoft threat intelligence 249 Azure Security Center 250 Leveraging threat intelligence to investigate suspicious activity 252 References 256 Summary 257 Chapter 13: Investigating an Incident 258 Scoping the issue 258 Key artifacts 259 Investigating a compromised system on-premises 265 Investigating a compromised system in a hybrid cloud 270 Search and you shall find it 278 Lessons learned 279 References 279 Summary 280 Chapter 14: Recovery Process 281 Disaster recovery plan 282 The disaster recovery planning process 282 Forming a disaster recovery team 283 Performing risk assessment 284 Prioritizing processes and operations 284 Determining recovery strategies 284 Collecting data 285 Creating the disaster recovery plan 285 Testing the plan 285 Table of Contents [ vii ] Obtaining approval 285 Maintaining the plan 286 Challenges 286 Live recovery 287 Contingency planning 288 IT contingency planning process 289 Development of the contingency planning policy 290 Conducting business impact analysis 290 Identifying the critical IT resources 291 Identifying disruption impacts 291 Developing recovery priorities 291 Identifying the preventive controls 292 Developing recovery strategies 292 Backups 292 Alternative sites 293 Equipment replacement 295 Plan testing, training, and exercising 295 Plan maintenance 296 Best practices for recovery 296 References 296 Summary 297 Chapter 15: Vulnerability Management 298 Creating a vulnerability management strategy 299 Asset inventory 299 Information management 300 Risk assessment 301 Scope 301 Collecting data 302 Analysis of policies and procedures 302 Vulnerability analysis 302 Threat analysis 303 Analysis of acceptable risks 303 Vulnerability assessment 304 Reporting and remediation tracking 305 Response planning 306 Vulnerability management tools 307 Asset inventory tools 307 Peregrine tools 308 LANDesk Management Suite 308 StillSecure 309 Foundstone's Enterprise 309 Information management tools 310 Risk assessment tools 311 Table of Contents [ viii ] Vulnerability assessment tools 312 Reporting and remediation tracking tools 313 Response planning tools 313 Implementation of vulnerability management 314 Best practices for vulnerability management 316 Implementing vulnerability management with Nessus 318 Flexera (Secunia) Personal Software Inspector 328 Conclusion 331 References 331 Summary 332 Chapter 16: Log Analysis 333 Data correlation 333 Operating system logs 335 Windows logs 335 Linux logs 338 Firewall logs 339 Web server logs 341 References 342 Summary 342 Other Books You May Enjoy 344 Index 347 Preface With a threat landscape that it is in constant motion, it becomes imperative to have a strong security posture, which in reality means enhancing the protection, detection, and response. Throughout this book, you will learn the attack methods and patterns to recognize abnormal behavior within your organization with Blue Team tactics. You will also learn techniques to gather exploitation intelligence, identify risks, and demonstrate impact on Red and Blue team strategies. Who this book is for This book is for information security professionals and IT professionals who want to know more about Cybersecurity. What this book covers , Security Posture, defines what constitute a secure posture and how it helps in understanding the importance of having a good defense and attack strategy. , Incident Response Process, introduces the incident response process and the importance to have one. It goes over different industry standards and best practices for handling the incident response. , Understanding the Cybersecurity Kill Chain, prepares the reader to understand the mindset of an attacker, the different stages of the attack, and what usually takes place in each one of those phases. , Reconnaissance, speaks about the different strategies to perform reconnaissance and how data is gathered to obtain information about the target for planning the attack. Preface [ 2 ] Compromising the System, shows current trends in strategies to compromise the system and explains how to compromise a system. , Chasing a User's Identity, explains the importance of protecting the user's identity to avoid credential theft and goes through the process of hacking the user's identity. , Lateral Movement, describes how attackers perform lateral movement once they compromise one system. , Privilege Escalation, shows how attackers can escalate privileges in order to gain administrative access to the network system. , Security Policy, focuses on the different aspects of the initial defense strategy, which starts with the importance of a well-created security policy and goes over the best practices for security policies, standards, security awareness training, and core security controls. , Network Segmentation, looks into different aspects of defense in depth, covering physical network segmentation as well as the virtual and hybrid cloud. , Active Sensors, details different types of network sensors that help the organizations to detect attacks. , Threat Intelligence, speaks about the different aspects of threat intelligence from the community as well as from the major vendors. Preface [ 3 ] , Investigating an Incident, goes over two case studies, for an on-premises compromised system and for a cloud-based compromised system, and shows all the steps involved in a security investigation. , Recovery Process, focuses on the recovery process of a compromised system and explains how crucial it is to know what all options are available since live recovery of a system is not possible during certain circumstances. , Vulnerability Management, describes the importance of vulnerability management to mitigate vulnerability exploitation. It covers the current threat landscape and the growing number of ransomware that exploits known vulnerabilities. , Log Analysis, goes over the different techniques for manual log analysis since it is critical for the reader to gain knowledge on how to deeply analyze different types of logs to hunt suspicious security activities. To get the most out of this book We assume that the readers of this book know the basic information security1. concepts, Windows, and Linux operating systems. Some of the demonstrations from this book can also be done in a lab2. environment; therefore, we recommend you to have a virtual lab with the following VMs: Windows Server 2012, Windows 10, and Kali Linux. Preface [ 4 ] Download the color images We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: . Conventions used There are a number of text conventions used throughout this book. : Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded disk image file as another disk in your system." Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel." Warnings or important notes appear like this. Tips and tricks appear like this. Get in touch Feedback from our readers is always welcome. General feedback: Email and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at . Preface [ 5 ] Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit , selecting your book, clicking on the Errata Submission Form link, and entering the details. Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at with a link to the material. If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit . Reviews Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you! For more information about Packt, please visit . 11 Security Posture Over the years, the investments in security moved from nice to have to must have, and now organizations around the globe are realizing how important it is to continually invest in security. This investment will ensure that the company stays competitive in the market. Failure to properly secure their assets could lead to irrepairable damage, and in some circumstances could lead to bankruptcy. Due to the current threat landscape, investing only in protection isn't enough. Organizations must enhance their overall security posture. This means that the investments in protection, detection, and response must be aligned. In this chapter, we'll be covering the following topics: The current threat landscape The challenges in the cybersecurity space How to enhance your security posture Understanding the roles of the Blue Team and Red Team in your organization The current threat landscape With the prevalence of always-on connectivity and advancements in technology that are available today, the threats are evolving rapidly to exploit different aspects of these technologies. Any device is vulnerable to attack, and with Internet of Things (IoT) this became a reality. In October 2016, a series of Distributed Denial of Service (DDoS) attacks were launched against DNS servers, which caused some major web services to stop working, such as GitHub, Paypal, Spotify, Twitter, and others (1). Security Posture Chapter 1 [ 7 ] This was possible due to the amount of insecure IoT devices around the world. While the use of IoT to launch a massive cyber attack is something new, the vulnerabilities in those devices are not. As a matter of fact, they've been there for quite a while. In 2014, ESET reported 73,000 unprotected security cameras with default passwords (2). In April 2017, IOActive found 7,000 vulnerable Linksys routers in use, although they said that it could be up to 100,000 additional routers exposed to this vulnerability (3). The Chief Executive Officer (CEO) may even ask: what do the vulnerabilities in a home device have to do with our company? That's when the Chief Information Security Officer (CISO) should be ready to give an answer. Because the CISO should have a better understanding of the threat landscape and how home user devices may impact the overall security that this company needs to mitigate. The answer comes in two simple scenarios, remote access and Bring your Own Device (BYOD). While remote access is not something new, the number of remote workers are growing exponentially. Forty-three percent of employed Americans are already working remotely according to Gallup (4), which means they are using their own infrastructure to access company's resources. Compounding this issue, we have a growth in the number of companies allowing BYOD in the workplace. Keep in mind that there are ways to implement BYOD securely, but most of the failures in the BYOD scenario usually happen because of poor planning and network architecture, which lead to an insecure implementation (5). What is the commonality among all technologies that were previously mentioned? To operate them, you need a user and the user is still the greatest target for attack. Humans are the weakest link in the security chain. For this reason, old threats such as phishing emails are still on the rise, because it deals with the psychological aspects of the user by enticing the user to click on something, such as a file attachment or malicious link. Usually, once the user performs one of these actions, their device becomes compromised by either malicious software (malware) or is remotely accessed by a hacker. A spear phish campaign could start with a phishing email, which will basically be the entry point for the attacker, and from there other threats will be leveraged to exploit vulnerabilities in the system. One example of a growing threat that uses phishing emails as the entry point for the attack is ransomware. Only during the first three months of 2016, the FBI reported that $209 million in ransomware payments were made (6). According to Trend Micro, ransomware growth will plateau in 2017; however, the attack methods and targets will diversify (7). Security Posture Chapter 1 [ 8 ] The following diagram highlights the correlation between these attacks and the end user: This diagram shows four entry points for the end user. All of these entry points must have their risks identified and treated with proper controls. The scenarios are listed as follows: Connectivity between on-premises and cloud (1) Connectivity between BYOD devices and cloud (2) Connectivity between corporate-owned devices and on-premises (3) Connectivity between personal devices and cloud (4) Notice that these are different scenarios, but all correlated by one single entity-the end user. The common element in all scenarios is usually the preferred target for cybercriminals, which appears in the preceding diagram accessing cloud resources. Security Posture Chapter 1 [ 9 ] In all scenarios, there is also another important element that appears constantly, which is cloud computing resources. The reality is that nowadays you can't ignore the fact that many companies are adopting cloud computing. The vast majority will start in a hybrid scenario, where Infrastructure as a Service (IaaS) is their main cloud service. Some other companies might opt to use Software as a Service (SaaS) for some solutions. For example, Mobile Device Management (MDM), as shown in scenario (2). You may argue that highly secure organizations, such as the military may have zero cloud connectivity. That's certainly possible, but commercially speaking, cloud adoption is growing and will slowly dominate most of the deployment scenarios. On-premise security is critical, because it is the core of the company, and that's where the majority of the users will be accessing resources. When an organization decides to extend their on-premise infrastructure with a cloud provider to use IaaS (1), the company needs to evaluate the threats for this connection and the countermeasure for these threats through a risk assessment. The last scenario (4) might be intriguing for some skeptical analysts, mainly because they might not immediately see how this scenario has any correlation with the company's resources. Yes, this is a personal device with no direct connectivity with on-premise resources. However, if this device is compromised, the user could potentially compromise the company's data in the following situations: Opening a corporate email from this device Accessing corporate SaaS applications from this device If the user uses the same password (8) for his/her personal email and his corporate account, this could lead to account compromise through brute force or password guessing Having technical security controls in place could help mitigate some of these threats against the end user. However, the main protection is continuous use of education via security awareness training. The user is going to use their credentials to interact with applications in order to either consume data or write data to servers located in the cloud or on-premise. Everything in bold has a unique threat landscape that must be identified and treated. We will cover these areas in the sections that follow. Security Posture Chapter 1 [ 10 ] The credentials authentication and authorization According to Verizon's 2017 Data Breach Investigations Report (9), the association between threat actor (or just actor), their motives and their modus operandi vary according to the industry. However, the report states that stolen credentials is the preferred attack vector for financial motivation or organized crime. This data is very important, because it shows that threat actors are going after user's credentials, which leads to the conclusion that companies must focus specifically on authentication and authorization of users and their access rights. The industry agreed that a user's identity is the new perimeter. This requires security controls specifically designed to authenticate and authorize individuals based on their job and need for specific data within the network. Credential theft could be just the first step to enable cybercriminals to have access to your system. Having a valid user account in the network will enable them to move laterally (pivot), and at some point find the right opportunity to escalate privilege to a domain administrator account. For this reason, applying the old concept of defense in depth is still a good strategy to protect a user's identity, as shown in the following diagram: Security Posture Chapter 1 [ 11 ] Here, there are multiple layers of protection, starting with the regular security policy enforcement for accounts, which follow industry best practices such as strong password requirements, a policy requiring frequent password changes, and password strength. Another growing trend to protect user identities is to enforce MFA. One method that is having increased adoption is the callback feature, where the user initially authenticates using his/her credentials (username and password), and receives a call to enter their pin. If both authentication factors succeed, they are authorized to access the system or network. We are going to explore this topic in greater detail in , Chasing User's Identity. Apps Applications (we will call them apps from now on), are the entry point for the user to consume data and to transmit, process, or store information onto the system. Apps are evolving rapidly and the adoption of SaaS-based apps is on the rise. However, there are inherited problems with this amalgamation of apps. Here are two key examples: Security: How secure are these apps that are being developed …