GIAC
GSECtitle
Crashstyle
Course
Click to edit
Master
Michael J. Shannon
CISSP
Cisco CCNP R&S and CCNP Security
Palo Alto Networks Certified
Network Security Engineer (PNCSE7)
GIAC GSEC and Security+
ITIL 4 Managing Professional (MP)
OpenFAIR Foundation
AWS SysOps Administrator Associate
Introduction
Click to edit Master title style
• Welcome to the GSEC Challenge – that’s exactly what you are officially
doing if you attempt a GIAC exam without the official SANS 5-6 day class.
• Is the SANS GSEC $7000 worth the price?
• It’s an open book exam - All tools are free and open-source
• Here is what I’m giving you in this crash course
•
•
•
•
Slides in PDF – print them
An index of the course
Cheat sheets
YouTube videos for tools
Setting up Learning Labs
Click to edit Master title style
• You have several options for lab environments
• A powerful workstation/laptop
• VM Workstation Pro or VirtualBox 6
• Kali Linux + Metasploitable + Windows 10
• Virtual networks at AWS, GCP, IBM Cloud, or Azure
• Cisco Modeling Labs 2.0
https://www.virtualbox.org/
https://www.kali.org/downloads/
https://github.com/rapid7/metasploitable3
https://www.cisco.com/c/en/us/products/cloud-systems-management/modelinglabs/index.html
The OSI Reference Model
Click to edit Master title style
Number
Name
Description
7
Application
To accomplish a networked user task
6
Presentation
Expressing and translating data formats
5
Session
To accommodate multiple session connections
4
Transport
Connecting multiple programs on same system
3
Network (or
Internetwork)
Facilitate multihop communications across potentially different link
networks
2
Link
Communication across a single link including media access control
1
Physical
Specifies connectors, data rates, and encoding bits
The OSI Reference Model
Click to edit Master title style
Number
Name
Example
7
Application
HTTP, FTP, SMTP, DNS, TELNET
6
Presentation
ASCII, PNG, MPEG, AVI, MIDI
5
Session
SSL/TLS, SQL, RPC, NFS
4
Transport
TCP, UDP, SPX, AppleTalk
3
Network (or
Internetwork)
IP, IPX, ICMP, ARP, BGP, OSPF
2
Link
PPP/SLIP, Ethernet, Frame Relay, ATM
1
Physical
Binary transmission, encoding, bit rates, voltages
The TCP/IP Reference Model
Click to edit Master title style
Number
OSI Name
TCP/IP Model
7
Application
6
Presentation
5
Session
4
Transport
Transport
3
Network (or
Internetwork)
Internet
2
Data Link
Application
Network
1
Physical
OSI Model Mnemonics
Click to edit Master title style
• All People Seem To Need Data Processing
• All Proper Suitors Tell No Devious Phrase
_____________
• Please Do Not Throw Sausage Pizza Away
• Please Do Not Tell Secret Passwords Anytime
• Physical Data Networks Transport Session Presentation
Applications
Hexadecimal Math
Click to edit Master title style
• Hexadecimal is Base-16 math
• Digits are 0-9, A, B, C, D, E, F (16 elements)
Hexadecimal: 0 1 2 3 4 5 6 7 8 9 A
Decimal:
B
C D E F
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
There are 16 Hexadecimal digits. They are the same as the decimal digits up to 9, but
then there are the letters A, B, C, D, E and F in place of the decimal numbers 10 to 15
Hexadecimal Math
Click to edit Master title style
A
2
F
7
163
162
161
160
10 X 163
= 40960
2 X 162
= 512
15 X 161
= 240
7 X 160
=7
40960 + 512 + 240 + 7 = 41719
Just like 2^0 power is one in binary, 16 ^ 0 = 1 in hex -- 7 x 1 = 7
16 ^ 1 is 16 x 1 = 16 -- 15 x 16 = 240
16 ^ 2 is 16 x 16 =256 -- 2 x 256 = 512
16 ^ 3 is 16 x 16 x 6 = 4096 -- 10 x 4096 = 40960
40960 + 512 + 240 + 7 – 41719. Notice how we can now express a much larger
number with only 4 characters?
Hex to Decimal
Click to edit Master title style
Hexadecimal Addresses
Click to edit Master title style
MAC addresses and IPv6 addresses both use Hexadecimal numbers
Logical (Virtual) MAC addresses
Click to edit Master title style
AWS uses Elastic Network Interfaces (ENI). We just call them Network Interfaces. It is
a virtual NIC vNIC and is eth0 of the instance by default.
Internet Protocol (IP)
Click to edit Master title style
•
•
•
•
IP is the core protocol of the TCP/IP suite and the key
protocol of the Network (internetwork) layer
Its main purpose is to provide internetwork datagram
delivery services to layer 4 protocols like TCP and UDP
Often uses layer 3 devices like routers, multilayer
switches, load balancers, and firewall appliances to
forward datagrams (packets)
Exam Tip: The Time To Live (TTL) field designates
the number of hops a packet can take before it
reaches its destination.
Key Characteristics of IP
Click to edit Master title style
• Universal addressing
o Defines addressing mechanism
• Protocol independence
o Works with both the Ethernet and the 802.11 wireless family
• Connectionless delivery
o No handshake setup before transmission to remote host
• Unreliable and unacknowledged delivery - no tracking of
datagrams
• Fragmentation – to break up datagram into smaller packets
for a neighbor router that supports a smaller max
transmission unit (MTU)
Address Resolution Protocol (ARP)
Click to edit Master title style
• A technique used by a host to find the MAC address of
another host and map it to an IP address
• A protocol and a utility to view the cache
• Described in RFC 829
• IPv6 does not use ARP – uses ICMPv6 instead
• ARP reque t = “ W o a 10.10.10.33?; tell 192.168.10.45”
Main IP Protocol Versions
Click to edit Master title style
• The functions of IP were planned and designed well before
the protocol suite was defined
• The original Transmission Control Program was divided into
Transmission Control Protocol (TCP) and Internet Protocol (IP)
• There were three previous versions of the original TCP; so
when split, IP was called version 4
• There were never IP versions 1, 2 or 3
RFC 1918 Private Addresses
Click to edit Master title style
• The Internet Assigned Numbers Authority (IANA)
reserved these three blocks of the IP space for
private internets address space:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Hosts within enterprises that use IP can be partitioned into three categories:
Category 1: hosts that need network layer access outside the enterprise (provided via
IP connectivity); hosts in this category require IP addresses that are globally
unambiguous.
Category 2: hosts that do not require access to hosts in other enterprises or the
Internet at large; hosts within this category may use IP addresses that are
unambiguous within an enterprise - but may be ambiguous between enterprises.
Category 3: hosts that need access to a limited set of outside services (e.g., E-mail,
FTP, remote login) which can be handled by mediating gateways (e.g., application
layer gateways). For many hosts in this category an unrestricted external access
(provided via IP connectivity) may be unnecessary and even undesirable for
privacy/security reasons. Such hosts may use IP addresses that are unambiguous
within an enterprise - but may be ambiguous between enterprises.
IP version 6
Click to edit Master title style
• IPv6 was intended to replace the widely used IPv4 that is
considered the backbone of the modern Internet
• IPv6 is often referred to as the "next generation Internet"
because of its expanded capabilities and its growth through
recent large-scale deployments
IPv4 vs. IPv6
Click to edit Master title style
Version 4
Version 6
232 address space
2128 address space
Dotted decimal format
Hexadecimal notation
DHCP dynamic addressing
SLAAC and DHCPv6
Header has 20 bytes and 13 fields
Header has 40 bytes and 8 fields
Variable header length
Fixed header length
Header options (obsolete)
Header extensions
Header checksum
No header checksum
IPv4 vs. IPv6
Click to edit Master title style
Version 4
Version 6
Packet size: 576 bytes required,
fragmentation optional
Packet size: 1280 bytes required
without fragmentation
Packet fragmentation: Routers and
sending hosts
Packet fragmentation: Sending hosts
only
IPv4 was never designed to be secure
Has native encryption and
authentication
IPsec optional
IPsec mandatory
Non-equal geographical distribution
(>50% USA)
No geographic limitations
IPv4 has the lack of security. IPv4 was never designed to be secure. It was originally
designed for an isolated military network, then adapted for a public educational &
research networks.
Assigning IPv6 Addresses
Click to edit Master title style
There are three methods for assigning IPv6 addresses:
• Manual
• Stateful Autoconfiguration (using a DHCPv6 server)
• Stateless Autoconfiguration (SLAAC)
Stateless Autoconfiguration
Click to edit Master title style
• Uses ICMP version 6 neighbor discovery to find routers and
then dynamically create IPv6 addresses
• You must connect the host to a network that uses at least one
IPv6-capable router that will send advertisement messages to
the link
• The connected IPv6 nodes can self-configure with an IPv6
address and routing parameters without further human
intervention (RFC 2462)
Stateless autoconfiguration uses neighbor discovery mechanisms to find routers and
dynamically create IPv6 addresses. To use this method for an IPv6 node, it is
important to connect the IPv6 node to a network that uses at least one IPv6 router.
The router transmits router advertisements to the link. These announcements can
allow the on-link connected IPv6 nodes to configure themselves with an IPv6 address
and routing parameters, as specified in RFC 2462, without further human
intervention.
Stateless Autoconfiguration
Click to edit Master title style
• The node can automatically configure its
global IPv6 address by appending its
interface identifier (64 bits) to the prefix
(64 bits) that is included in the router
advertisement messages
• This is an important feature for allowing
the rollout of new devices on the
Internet, such as mobile phones,
wireless devices, home appliances, IoT
devices, networks and more
A node on the link can automatically configure its global IPv6 address by appending
its interface identifier (64 bits) to the prefix (64 bits) that is included in the router
advertisement messages. Stateless autoconfiguration enables "plug and play," which
connects devices to the network without any configuration and without any stateful
servers (such as DHCP servers). It is an important feature for enabling the deployment
of new devices on the Internet, such as cell phones, wireless devices, home
appliances, and networks.
Note: A router announcement can even tell hosts that more configuration
parameters are available using stateful configuration (DHCPv6). These would be
other services like DNS, NTP, IP extensions, and so on.
IPv6 Neighbor Discovery
Click to edit Master title style
• The ICMPv6 provides the same diagnostic services as ICMPv4
o Error and informational messages
• It extends the functionality for some specific IPv6 functions
that did not exist in IPv4:
o Router solicitation and advertisement
o Neighbor solicitation and advertisement
o Redirection of nodes to the best gateway (router)
Neighbor solicitation and advertisement involves acquiring the data link layer
addresses for IPv6 neighbors
The IPv6 Header
Click to edit Master title style
Test Tip: The Version field is 4 bits
Traffic Class: Source host uses this field to mark the priority of outbound packets.
The IPv6 header has 40 octets (320-bits), instead of 20 octets (160-bits) as in IPv4.
The IPv6 header has fewer fields, and the header is aligned on 64-bit boundaries
Traffic Class: This 8-bit field is similar to the ToS field in IPv4. The source host uses
this field to mark the priority of outbound packets.
Next Header: The value of this field determines the type of information that follows
the basic IPv6 header. For example, the critically important ICMPv6 packet is
identified as 58 in the Next Header field.
IPv6 Extension Headers
Click to edit Master title style
•
IPv6 uses two distinct types of headers: The regular IPv6 Header
and IPv6 Extension Headers
• The extension headers, if there are any, follow the original 8 fields
• The number of extension headers is not fixed, so the total length of
the extension header chain is variable
IPv6 is using two distinct types of headers: Main/Regular IPv6 Header and IPv6
Extension Headers. The main IPv6 header is equivalent to the basic IPv4 one despite
some field differences that are the result of lessons learned from operating IPv4.
The options field in the IPv4 header (go back and show slide 5) is used to convey
additional information on the packet or on the way it should be processed. Routers,
unless configured otherwise, must process the options in the IPv4 header. The
processing of most header options pushes the packet into the slow path leading to a
forwarding performance hit. The options field has also been used as a vector for a
variety of network attacks as well.
Regardless, the IPv4 Options perform a key role in the IP protocol operation so the
functionality had to be preserved in IPv6. On the other hand, the impact of IPv4
Options on performance was taken into consideration in the development of IPv6. So
the functionality of options is removed from the main header and implemented
through a set of additional headers called extension headers. The main header
remains fixed in size (40 bytes) while customized EHs are added as needed.
IPv6 Extension Headers
Click to edit Master title style
Extension headers are an intrinsic part of the IPv6 protocol and they support some
basic functions and certain services.
Common Use Cases for EH
Click to edit Master title style
•
•
•
•
•
•
•
Hop-by-Hop EH is used for the support of Jumbo-grams
Destination EH is used in IPv6 Mobility
Routing EH is used in IPv6 Mobility and in Source Routing
Fragmentation EH is critical
Mobility EH is used in support of Mobile IPv6 service
Authentication EH and Encapsulating Security Payload EH
Hop-by-Hop EH is used for the support of Jumbo-grams or, with the Router Alert
option, it is an integral part in the operation of MLD. Router Alert is an integral
part in the operations of IPv6 Multicast through Multicast Listener Discovery (MLD)
and RSVP for IPv6.
• Destination EH is used in IPv6 Mobility as well as support of certain applications.
• Routing EH is used in IPv6 Mobility and in Source Routing. It may be necessary to
disable "IPv6 source routing" on routers to protect against DDoS.
• Fragmentation EH is critical in support of communication using fragmented packets
(in IPv6, the traffic source must do fragmentation-routers do not perform
fragmentation of the packets they forward)
• Mobility EH is used in support of Mobile IPv6 service
• Authentication EH is similar in format and use to the IPv4 authentication header
defined in RFC2402
• Encapsulating Security Payload EH is similar in format and use to the IPv4 ESP
header defined in RFC2406. All information following the Encapsulating Security
Header (ESH) is encrypted and for that reason, it is inaccessible to intermediary
network devices. The ESH can be followed by an additional Destination Options EH
and the upper layer datagram.
Internet Control Message Protocol (ICMP)
Click to edit Master title style
• IP is unreliable and doesn't guarantee
delivery, so ICMP is the feedback
mechanism offering feedback about
network problems
• IP also doesn’t offer a direct method
for collecting diagnostic information
• It resides somewhere between the
Transport and Network layers
• ICMP provides error messages and
informational messages
Even though IP is unreliable and doesn't guarantee delivery, it is important to notify
the sender when something goes wrong. The Internet Control Message Protocol
(ICMP) is the mechanism used to give feedback about network problems that are
preventing packet delivery. Upper protocols, like TCP, will be able to realize that
packets aren't getting through, but ICMP provides a method for discovering more
serious issues such as "TTL exceeded" and "need more fragments."
Uncommon problems like the IP checksum being in error, will not be reported by
ICMP.
ICMP messages are typically acted on by the IP layer, TCP or UDP, or even by some
web-enabled applications.
ICMP Characteristics
Click to edit Master title style
• ICMP will affect network operations in both positive and
negative ways
• Many border routers and firewalls will block most, if not all,
ICMP messages
• However, if blocked, diagnostic tools like ping and traceroute
will not work
• There are a number of Types and Codes and only a few are
commonly used
Common ICMPv4 Messages
Click to edit Master title style
Type
E/ I
Description
Echo Reply
0
I
Ping reply that returns data
Destination
Unreachable
3
E
Unreachable host/protocol
Redirect
5
E
Alternate gateway should be used
Echo
8
I
Ping request (data optional)
Time Exceeded
11
E
Resource exhausted (TTL decremented)
Parameter
Problem
12
E
Malformed packet or header
Name
All of the Types and Codes are on the SANS cheat sheet
TCP Functionality
Click to edit Master title style
•
•
•
•
•
Addressing and multiplexing
Connection handling
Packaging and managing data
Transferring data
Providing reliability and
transmission quality
• Providing flow control
• Congestion avoidance
- Many applications use TCP for transport and multiplexing the data is accomplished
using the underlying network protocol (IP, IPX, AppleTalk, etc,) and is identified
using ports. EXAMPLE: Lets say I open up a Chrome browser session, an Internet
Explorer browser session and a Mozilla Firefox session. Each one has a different
default Home page: Google for Chrome, Bing for IE, and Yahoo for the Firefox. I
also open up my company email through Outlook On The Web in a TOR browser
and a Mozilla Thunderbird email client for my POP3 email account -- different
ephemeral source ports and different server sockets etc.
- Has processes for negotiating, establishing, managing, and terminating
connections
- Packages upper layer data with a header of valuable metadata
- TCP stack on participating node transfers the packaged segments to the TCP
process on the other node
- Maintains reliability and transmission quality
- Flow control and congestion avoidance
TCP Characteristics
Click to edit Master title style
•
•
•
•
•
•
•
Connection-oriented
Stream-oriented
Bidirectional transport
Allows multiple connections
Reliable and acknowledged
Unstructured data
Managed data flow
Unstructured – multiple messages are sent using TCP, the applications must offer a
method for differentiating one message (data element, database record, etc.) from
another
TCP Operations
Click to edit Master title style
• TCP takes the bytes from upper layers and sends it on to the
network layer protocol (IP)
• Bytes are divided into segments (a discrete piece of a stream)
• IP places them into datagrams and passes the encapsulated
packet to the link layer to be “framed” with a header and
trailer
• TCP Session Closing:
• Graceful = FIN > FIN-ACK> ACK
• Abrupt = RST/ACK
Look for wireshark output that shows a graceful TCP closing
TCP Operations
Click to edit Master title style
•
•
•
•
•
•
•
Since TCP is reliable, it tracks each byte of data with a sequence
number applied to blocks
Sequence numbers are used to make sure the segmented data can
be reassembled and retransmitted if necessary
To provide reliability and flow control, TCP uses a sliding window
acknowledgement system
Each node’s TCP stack uses a retransmission queue
Each sent segment is placed in the queue and a retransmission
timer is started
When an ACK is received, the data is removed from the queue
If the timer expires, the segment is retransmitted
The sliding window mechanism is very complicated yet at the heart of TCP operations
TCP Operations
Click to edit Master title style
TCP takes the bytes from upper layers and sends it on to the network layer protocol
(IP)
Bytes are divided into segments (a discrete piece of a stream)
IP places them into datagrams and passes the encapsulated packet to the link layer to
be “framed” with a header and trailer
tcpdump
Click to edit Master title style
•
•
•
Network packet sniffer that uses libpcap capture library
Simply a sniffer and not a protocol analyzer
You must be familiar with this tool and what the output looks like
on the exam
TCP has to use IPsec or SSL/TLS to get security services
TCP sends data as a continuous stream of segments instead of as discrete messages –
the application decides where one message begins and ends
TCP Handshake
Click to edit Master title style
TCP Header
Click to edit Master title style
TCP Control Bits
Click to edit Master title style
Subfield
Name*
Description
URG
Indicates priority data transfer feature for this segment
ACK
Indicates that segment is carrying acknowledgement
PSH
Push feature requests that data be pushed to receiving
application immediately
RST
Sender has encountered problem and needs to reset the
connection
SYN
A request to synchronize sequence numbers to establish a
connection
FIN
The sender is requesting to terminate the connection
* Each Control Flag’s subfield is 1 bit in size
Comparing UDP to TCP
Click to edit Master title style
•
•
•
•
•
•
UDP does not ensure data delivery
If TCP is used, the transport layer
has those additional responsibilities
UDP does not provide
segmentation services
Behavior is best-effort and
connectionless
No sequencing of segments
Best for video, audio, conferencing,
and content streams
•
Use UDP when…
• you need a rapid response from a
server (DNS query)
• the response comes back in a
single packet
• Connection costs are too high for
TCP
• you can afford to lose some data
(stock ticker, weather data,
gaming data, audio, video)
• it can be multicasted to more than
one host
Both TCP and UDP protocols manage the communication of multiple applications and
provide communication services directly to the application process on the host.
The basic service that the transport layer provides is tracking individual
communication between applications on the source and destination hosts. This
service is called session multiplexing, and it is performed by both UDP and TCP.
A major difference between TCP and UDP is that TCP can ensure that the data is
delivered, while UDP does not.
UDP provides applications with best-effort delivery and does not need to maintain
state information about previously sent data. As a benefit, UDP does not need to
establish any connection with the receiver and is termed connectionless.
Multiple communications often happen simultaneously; for instance, you may be
searching the web and using FTP to transfer a file at the same time from one laptop
host. The transport tracks these communications and keeps them separate. This
tracking is provided by both UDP and TCP. To pass data to the proper applications, the
transport layer must identify the target application. If TCP is used, the transport layer
has the additional responsibilities of establishing end-to-end operations, segmenting
data and managing each piece, reassembling the segments into streams of
application data, managing flow control, and applying reliability mechanisms.
UDP does not provide segmentation services - instead it expects the application
process to perform any necessary segmentation and supply it with data chunks that
do not exceed the MTU of lower layers. The MTU of the IP protocol is 1500 bytes.
Larger MTUs are possible, but 1500 bytes is the normal size.
The terms reliable and best effort are terms that describe two types of connections
between computers. TCP is a connection-oriented protocol that is designed to ensure
reliable transport, flow control, and guaranteed delivery of IP packets. For this
reason, it is labeled a "reliable" protocol. UDP is a connectionless protocol that relies
on the application layer for sequencing and detection of dropped packets and is
considered "best effort." Each protocol has strengths that make them useful for
particular applications.
Common UDP Services
Click to edit Master title style
•
•
•
•
•
•
•
DNS queries
Simple Network Management Protocol (SNMP)
Routing Information Protocol (RIP)
Dynamic Host Configuration Protocol (DHCP)
Datagram TLS (DTLS)
Real-time audio and video streaming protocols
Business applications
Numerous key Internet applications use UDP, including: the Domain Name System
(DNS), where queries must be fast and only consist of a single request followed by a
single reply packet, the Simple Network Management Protocol (SNMP), the Routing
Information Protocol (RIP)[1] and the Dynamic Host Configuration Protocol (DHCP).
Voice and video traffic is generally transmitted using UDP. Real-time video and audio
streaming protocols are designed to handle occasional lost packets, so only slight
degradation in quality occurs, rather than large delays if lost packets were
retransmitted. Because both TCP and UDP run over the same network, many
businesses are finding that a recent increase in UDP traffic from these real-time
applications is hindering the performance of applications using TCP, such as point of
sale, accounting, and database systems. When TCP detects packet loss, it will throttle
back its data rate usage. Since both real-time and business applications are important
to businesses, developing quality of service solutions is seen as crucial by some.
Some VPN systems such as OpenVPN may use UDP while implementing reliable
connections and error checking at the application level.
The CIA Triad
Click to edit Master title style
Confidentiality
CIA Triad
Integrity
Availability
Confidentiality
Click to edit Master title style
• Confidentiality is the act of preserving authorized restrictions
on information access and disclosure, including means for
protecting personal privacy and proprietary information
using:
• Cryptosystems
• Compartmentalization
• Encapsulation
Integrity and Availability
Click to edit Master title style
• Integrity involves guarding against improper information
modification or destruction and ensuring information nonrepudiation and authenticity using:
• Cryptographic hashing
• Digital signatures
• Availability – ensuring timely and reliable access to and use of
information using
•
•
•
•
Backups and snapshots
Redundancy and failover
Availability zones
Business Continuity Planning
Categories of Controls
Click to edit Master title style
• Administrative/Managerial Controls are activities that
enforce the guidance, risk treatment, and policy directives of
an organization
• Examples: acceptable use policies, no piggybacking or tailgating
directives, security awareness training
• Technical Controls are combinations of software and
hardware to achieve confidentiality, integrity, and availability
• Examples: firewalls, routers, endpoint protections, web
application firewalls, cloud-based threat modeling
Categories of Controls
Click to edit Master title style
• Operational/Physical Controls deal with
the effectiveness of your controls
combined with the protection of
personnel, data, hardware and the
facility from physical threats that could
harm, damage, or disrupt business
operations
• Examples: IAM, SSO, gates, etc.
Types of Controls
Click to edit Master title style
• Directive Controls are managerial or administrative measures
to advise personnel on the proper behavior and handling of
systems, applications, services, and physical components
• Examples: AUPs, written policies, guidelines, best practices, etc.
• Preventative Controls are physical, technical, and
administrative measures to preclude activities that may
violate policy or increase risk to resources and assets
• Examples: firewalls, IPS, security guards, biometrics, fences and
gates, locks, mantraps, etc.
Types of Controls
Click to edit Master title style
• Deterrent controls include implementing warnings and
forewarnings of consequences to security violations
• Examples: signage, bollards, banners, guards, dogs, lighting,
video Surveillance, alarms, etc.
• Corrective (compensating) controls leverage all control
categories to respond to the detection of an event or incident
to eliminate or reduce any unwanted consequences
• Examples: software and firmware updates to applications and
systems, policy enforcement, privilege removal, etc.
Types of Controls
Click to edit Master title style
• Recovery controls are triggered
once an incident compromises
confidentiality, integrity, or
availability to restore systems
back to an acceptable state
• Examples: BCP, DRP, offsite
facilities, snapshots and backups
Enterprise Architecture
Click to edit Master title style
“Enterprise architecture is a well-defined security architecture that links
all necessary security controls to a combination of design, baseline
administrative controls, business drivers, legal requirements, and threat
scenarios. It ensures that all the necessary physical, administrative, and
technical safeguards are in place and in sync with each other and with the
overall IT architecture and business culture.“
- Ken Cutler, CISSP, CISA, Managing Director of Information Security
Institute
NIST Enterprise Security Architecture
Click to edit Master title style
The Center for Internet Security (CIS®)
Click to edit Master title style
•
The CIS® (Center for Internet Security, Inc.) is a progressive, nonprofit organization that leverages a global IT community to defend
private and public organizations against cyber threat actors and
their exploits and malware
• The CIS offers four popular services:
•
•
•
•
•
The CIS Controls®
CISBenchmarks™
CIS Hardened Images®
The Multi-State Information Sharing and Analysis Center® (MSISAC®)
Make sure you are familiar with the CIS on the exam
The CIS Controls®
Click to edit Master title style
• The CIS Controls® are a prioritized collection of activities and
controls to protect the enterprise, systems, applications, and
data from known cyber attack vectors
• There are 20 controls and resources in three categories:
• Basic
• Foundational
• Organizational
Sample CIS Control Countermeasures
Click to edit Master title style
• Inventory of Authorized and Unauthorized Software
• Devise a list of authorized software monitored with file-integrity
checking tools
• Deploy application whitelisting on firewalls from layer 3 to layer
7 of OSI model
• Deploy software inventory tools to track operating systems and
applications in a CMDB
• Virtual machines, containerization, and air-gapped systems
should be used as often as feasible
CISBenc mark ™
Click to edit Master title style
• CISBenchmarks™are best practices to securely configure
various systems
• The benchmarks are available for more than 140 technologies
• They were established using an exclusive technique built from a
consensus of global cybersecurity professionals and subject
matter experts around the world
• CIS Benchmarks™are security configuration guides created by
government, business, industry, and academia
CIS Hardened Images®
Click to edit Master title style
• CIS provides virtual images that are hardened using CIS
Benchmarks™secure configuration guidelines
• CISHardened Images™offer a secure, on-demand, scalable
computing environment
• They are available from the leading cloud computing providers AWS, Azure, and Google Cloud Platform
The MS-ISAC®
Click to edit Master title style
• The Multi-State Information Sharing and Analysis Center® (MSISAC®) has the mission of improving the total cybersecurity
stance of the nation's state, local, tribal and territorial
governments using concentrated cyber threat prevention,
protection, response, and recovery techniques
The MS-ISAC®
Click to edit Master title style
• 24/7 Security Operation Center
• Incident Response Services
• Cybersecurity Advisories and
Notifications
• Access to Secure Portals for
Communication and Document
Sharing
• Cyber Alert Map
• Malicious Code Analysis
Platform (MCAP)
• Weekly Top Malicious Domains/IP
Report
• Monthly Members-only Webcasts
• Access to Cybersecurity Table-top
Exercises
• Vulnerability Management
Program (VMP)
• Nationwide Cyber Security
Review (NCSR)
• Awareness and Education
Materials
Assurance Standards Mapping
Click to edit Master title style
Assurance Standard
References
NIST 800-53 rev. 4
CA-7: Continuous Monitoring
CM-2: Baseline Configuration
CM-8: Information System Component Inventory
CM-10: Software Usage Restrictions
CM-11: User-Installed Software
SA-4: Acquisition Process
SC-18: Mobile Code
SC-34: Non-Modifiable Executable Programs
SI-4: Information System Monitoring
PM-5: Information System Inventory
NIST Core Framework (2014)
ID.AM-2: Asset Management
PR.DS-6: Data Security
ISO 27002:2013 Annex A
A.12.5.1: Installation of software on operational
systems
A.12.6.2: Restrictions on software installation
There are a number of parallels between the CIS Controls and various NIST and ISO
controls as seen in this table. This is just a sampling, and although the mappings are
not necessarily a one-to-one match, the concepts overlap quite effectively
Access Control Concepts
Click to edit Master title style
• Access management and control must
always be driven by the Least Privilege
principle
• There are a variety of models that can be
used depending on the organization type
and sensitivity of the subjects and objects
involved
• Data classification is critical and is the
responsibility of the data owner
Data Classification
Click to edit Master title style
• Common government
classifications:
• Top Secret
• Secret
• Secret but unclassified
• Confidential
• Unclassified
• Common private sector or
commercial classifications:
• Confidential
• Private
• Sensitive
• Public
Top secret is the highest level of sensitivity and should garner the most mission
critical protection controls
Secret is very important, and exposure could harm agency, governmental unit, or
even national security
SBU – is not classified but should be protected as the unauthorized release could
jeopardize confidence in the organization or cause embarrassment and loss of
goodwill with other entities
Confidential data should be well-protected and might be a threat to subjects if
compromised – usually personnel files, PII, PHI, and IP
Unclassified – some or all of this information could be released under the right
circumstances. There may be some redaction to maintain confidential or SBU
information
Data Classification Process
Click to edit Master title style
1.
2.
3.
4.
5.
6.
Identify roles such as owner, custodian, steward, and user
Classify and label (tag) data
Identify exceptions based on review board
Designate controls
Identify processes for de-classification, transfer, and disposition of
data
Conduct ongoing awareness and continual improvement
The owner is responsible for classifying the data and determining the sensitivity level
in the model or architecture
A data custodian is accountable for data assets from a technical perspective such as
granting temporary access through tickets or assertions.
A data steward is accountable for data assets from a business perspective.
The user us responsible for working with the data within the permission set and
acceptable use policies
Key Terms
Click to edit Master title style
• Identity is claiming to be a certain entity
• Authentication is the process of proving who you are using
various factors
• Something you have, know, are, or reside
• Authorization dictates actions
• Accounting is for auditing and/or billing purposes
Key Principles
Click to edit Master title style
• Least Privilege is giving just the right amount of access
• Need to Know relates to mandatory access controls that use
sensitivity levels and lattices
• Separation of duties divides critical tasks or systems to be
operated by one or more subjects
• Rotation of Duties involves a revolving job role for personnel
to mitigate against theft, fraud, or a single point of failure
• Mediated Access uses proxies
Separation of duties is called Dual Operator when 2 high-level parties are involved
Rotation of duties can also include the “forced vacation” principle
Access Control Models
Click to edit Master title style
•
Discretionary Access Control (DAC)
• Managed by the owner of object and can grant permissions to
other entities
• Mandatory Access Control (MAC)
• Uses a strict set of established sensitivity levels and access
controls for integrity and confidentiality based on classifications
• Role-based Access Control (RBAC)
• Based on group or role assignments from directory, org chart,
functions, etc.
Access Control Models
Click to edit Master title style
•
Rule-based (ruleset) Access Control
• A set of rules processed in a certain order and applied to users,
data, or traffic common with firewalls and access control lists
• Attribute-based Access Control (ABAC)
• Dynamic controls based on different variables and user
behavior
• Token-based Access Control
• Temporary access granted by assertions made using federated
services like Single Sign-On
Token-based: SAML 2.0 assertions, AWS Security Token Service (STS), Microsoft
Kerberos tickets, Azure shared access signature (SAS) token, or JSON Web Token
(JWT) used in OAUTH 2.0
Password Management
Click to edit Master title style
• Passwords are still widely used
credentials for access even though they
represent a continuous vulnerability due
to human error
• They should always be part of a multifactor authentication if used
• Consider password managers and SSO
solutions
Single Sign-On with AWS SSO
On-Premise AD
Click to edit Master title style
SSO
SSO
Custom
SAML 2.0
Applications
SSO
Cloud Business
Applications
OU
Dev
OU
Prod
AWS Organization
Single Sign-On Considerations
Click to edit Master title style
• Advantages of SSO:
•
•
•
•
•
•
Can reduce security risks
Simplifies management
Reduces password fatigue
Protects identities
Improves productivity
Reduces workloads for
helpdesk and service desk
• Establishes solutions are readily
available
• Challenges of SSO:
• Passwords must be long and
strong
• Single point of failure
• Can be cumbersome to deploy
(SAML for example)
• Risky on multi-user systems
• Social network use enhances
organizational risk
• Data can be sold to thirdparties
Irreversible Cryptosystems and Hashing
Click to edit Master title style
• In many organizations,
passwords are the only security
control used for authentication
and authorization of access
• Irreversible encryption and
hashing algorithms are
commonly used by operating
systems to store passwords
• Common for servers to store
hashes on backend databases
Computer systems store only the hashed passwords and not the original password on
disk. When a user tries to authenticate, the system applies a hash algorithm to the
user-supplied password to see if it matches the one in storage.
Also common for web servers to store password hashes in a backend SQL or NoSQL
database
Cryptographic Hashing of Passwords
Click to edit Master title style
Password Cracking
Click to edit Master title style
•
•
•
•
•
The technique to determine or guess plaintext passwords
The algorithm is not broken
Each guess is hashed and compared to a stored value
Can be an online or offline operation
There a many standalone tools and module in exploit kits
available on the web
• The tools are often combined with various published lists
Password Hash Cracking
Click to edit Master title style
Password Cracking
Click to edit Master title style
1. Locate a valid username or ID
2. Determine the algorithm
used
3. Get the hashed password
4. Create or download a
wordlist
5. Hash each password in the
list
6. Find a match
• Brute Force – attempting
every possibility in keyspace
• Dictionary – using a word file
or dictionary of feasible
passwords
• Pre-computation – using
Rainbow tables of precomputed hash values
• Hybrid – a combination of
techniques in succession
Password Attack Countermeasures
Click to edit Master title style
•
•
•
•
Strong password policies
Avoid common patterns
Use mnemonic techniques
Add additional factors
•
•
•
•
OTP token/card
TOTP soft tokens
Challenge/response
Biometrics (fingerprint, facial, retina, iris, voice, etc.)
Common patterns: dictionary words and jargon, birthdays, names, common numbers,
environment attributes, qwerty key patterns
Network Types
Click to edit Master title style
• Personal Area Network (PAN)
• Bluetooth, Infrared, Tethered Wi-Fi
• Local Area Network (LAN)
• Ethernet, fiber, wireless
• Campus Area Network (CAN)
• Fiber, wireless mesh
• Metropolitan Area Network (MAN)
• FDDI ring, fiber, wireless mesh
• Wide Area Network (WAN)
Network Topologies
Click to edit Master title style
•
•
•
•
•
•
Bus topology
Ring topology
Star topology
Tree topology
Hybrid topology
Mesh topology
Physical Star Topology
Click to edit Master title style
Logical Star Topology
Click to edit Master title style
Mesh Networks
Click to edit Master title style
This type of network offers the greatest fault tolerance
Network Zones
Click to edit Master title style
• Zoning is used to counter the risk of an open network by
partitioning infrastructure services into logical groupings that
have the same communication security policies and security
requirements
• Zoning is a logical design approach used to manage and
govern access and data communication flows according to
security policies
• A zone is defined by a logical grouping of services under the
same policy constraints, driven by business requirements
Network Zones
Click to edit Master title style
• Every zone contains one or more separate, routable networks
• Every separate, routable network is contained within a single
zone
• Every zone connects to another zone via a perimeter that
contains zone interface points (firewalls and load balancers)
• The only zone that may connect to the public zone is the
public access zone or subnet (DMZ)
Network Zones
Click to edit Master title style
Uncontrolled
Zones
Internet
Controlled
Zones
DMZ
Perimeter
Web Tier
Perimeter
Perimeter
DB Tier
Perimeter
Perimeter
Directory
Services
Describe on-premises vs. AWS scenario
Perimeter
MGMT
VLAN or
Other
Restricted
Tier
Network Zones
Click to edit Master title style
Jump
Jump
Network Hubs and Taps
Click to edit Master title style
• Hubs (micro hubs)
• Traditional Ethernet hubs have become virtually obsolete and
replaced with switches or USB micro hubs
• Network Taps
• A Network Tap (Terminal Access Point) is used by administrators
and attackers to capture packets inline to analyze a network
• Has A, B, and C ports
These are OSI layer 1 devices
Packet Sniffers can use Taps
Click to edit Master title style
Secure Access Switches
Click to edit Master title style
• Security Switches or L2 data plane control is part of a trend to
move security closer to the endpoints
• Security Switches offer a variety of services to secure frames
to and from endpoints and between switches
• There should be an established secure setup baseline
Securing a Cisco 3550 switch
Click to edit Master title style
Switch Security Features
Click to edit Master title style
• IEEE 802.1x (PNAC) and RADIUS/DIAMETER
• IEEE 802.1AE MACsec with AES-GCM-128/256
• DHCP Snooping Database
• IP-ADDR + MAC-ADDR + VLAN-ID + PORT-ID
• Supports Dynamic ARP Inspection (DAI)
• Supports IP Source Guard (PACLs)
• Ethertype ACLs
802.1X (PNAC)
Click to edit Master title style
802.1AE MACsec
Click to edit Master title style
AES-128-GCM with GMAC
or
AES-256-GCM with GMAC
Wireless APs and Controllers
Click to edit Master title style
Wireless Analysis
IAM
IDS/IPS
Rogue Detection
802.1X
802.11w – MFP
WPA3 Enterprise
Secure Routers
Click to edit Master title style
Routers are primarily layer 3 devices although they can function as Layer 2 (bridged or
transparent mode) through Layer 5/7 (Application layer gateways – deep packet
inspection) devices. They physically and logically separate broadcast domains or
VLANs. Typically route IPv4 and IPv6 traffic although other routed protocols like
AppleTalk and IS-IS (Intermediate System-to-Intermediate System protocol) can be
supported depending on the environment. IS-IS is still used at the core of some ISP
networks.
Routers require knowledge of all of the LANs in their domain to decide which
destination packets will be forwarded. If the destination does not exist in the router's
routing table, the packet should be dropped. Routers use static routing or dynamic
routing protocols such as RIPv2, OSPF, EIGRP, BGP, and others.
Security Services: (modular and/or integrated into O/S) Firewall services, IDS/IPS, VPN
gateways and concentrators; NAT and PAT translation; URL filtering; Proxy services;
Inspection of traffic layer 2-7 (DPI,AIC)
Secure Routers
Click to edit Master title style
• Primary roles of a router
• Packet forwarding on the data
plane and VRF
• Inter-area and AS routing
• QoS and traffic engineering
• Static packet filtering
(Infrastructure ACL)
• VoIP and Wireless gateways
or bridging
• Security roles of a router:
• Firewall services
• IDS/IPS
• VPN gateways and
concentrators
• NAT and PAT translation
• URL filtering and proxies
• Inspection of traffic layer 2-7
(DPI,AIC)
Security Services of a router: (modular and/or integrated into O/S)
CSP Elastic Load Balancing
Click to edit Master title style
• Elastic Load Balancing (ELB) automatically distributes
incoming application traffic across multiple targets, such as
Amazon EC2 instances, containers, and IP addresses
• It can handle the varying load of your network (TCP, UDP) or
application (HTTP/HTTPS) traffic in a single Availability Zone
or across multiple zones (failover)
• Can also perform flow logging, TLS 1.2/3 gateway services
(Listener), certificate services, web application firewall (WAF),
health checks, offload to HSM or SSL accelerator
ELBs and Auto-scaling
Click to edit Master title style
Internet
Firewalls
Click to edit Master title style
• A firewall is a metaphor representing an integrated security
system combining hardware (physical or virtual) and software
and/or on-premise and cloud-based solutions
• Firewalls should be placed between all domains, zones,
networks and subnets (VLANs) in order to “prevent the fire from
spreading”
• Linux builds have a native stateful firewall called iptables
iptables –A INPUT –p tcp –dport ssh –j ACCEPT
Append this rule to the input chain to view ingress traffic; look for TCP (-p tcp); if so,
does it go to the destination SSH port?; if yes, then permit the traffic (-j ACCEPT)
Firewalls
Click to edit Master title style
•
•
•
•
•
Physical vs. virtual
Stateless (NACLs) vs. stateful
Whitelisting only
Restrictive vs. permissive
Web Application Firewall
(ALG/AIC/AVC/DPI/Layer 5-7)
• Proxy services (mediated access)
for NAT, authentication, IPS, and
more
Next Generation Firewalls
Click to edit Master title style
• URL and reputation filtering
• Application Visibility and Control
(WAF)
• Content Security
• Intrusion prevention (IDS/IPS)
• Advanced malware protection with
cloud correlation
• VPN gateway with inspection
• Integration with directories
• Machine Learning
URL Filtering: cloud server-based web site reputation scores
Application Visibility and Control: For example, applications like Skype and
Webex or P2P file sharing that can hop from one port to another can be
recognized. Another example is only whitelisting Facebook without features
like gaming. IM without web cam or sending files.
Context Awareness: Who is connecting, to what, from where, using what
device, at what time?
Intrusion Prevention System:
Advanced Malware Protection with Cloud correlation
NG Application Visibility and Control
Click to edit Master title style
NG Application Visibility and Control
Click to edit Master title style
NG Application Visibility and Control
Click to edit Master title style
Web Application Firewall (WAF)
Click to edit Master title style
• Generate or leverage WebACLs that match on:
•
•
•
•
IP addresses of originating requests
Country that requests originate from
Values in request headers (e.g. User-Agent, Content-Type)
Literal or regex string patterns that appear in requests
(e.g. [cC][mM][dD].[eE][xX][eE])
• Length of requests (buffer overflows)
• Presence of SQL injection code that is likely to be malicious
• Presence of a malicious cross-site scripting attack
Automating WAF at AWS
Click to edit Master title style
@aws.amazon.com
IDS and IPS
Click to edit Master title style
• Today we typically just use the term IPS for intrusion
detection and prevention services depending on the mode of
operation
• IPS will begin in a passive/monitor (IDS) mode
• Traditional sensors are Signature/Rule/Anomaly based
• Anomaly-based based builds a knowledge base over several
hours and then looks for deviations from the baseline
• NGIPS uses cloud-based heuristics and machine learning
• Heuristic analysis uses rules and estimation engines to
discover anomalies
IPS Deployment Options
Click to edit Master title style
•
•
•
•
NIPS or HIPS
Switch SPAN port or a network tap (GIGAMON or VIAVI nTap)
Between VLANs on multi-layer switch or hypervisor
As a multiport bridge or routing appliance with multiple
interfaces
• Cloud-based MSSP solution
IPS Deployment Options
Click to edit Master title style
•
•
•
•
•
•
IPS sensor is in fail-open or fail-closed modes
Tuning and optimization is critical before deploying
True positive = correct + action
True negative = correct + no action
False positive = error + action
False negative = error + no action
True positives: The security control, such as an IPS sensor, acted as a consequence of
malicious activity. This represents normal and optimal operation.
True negatives: The security control has not acted, because there was no malicious
activity. This represents normal and optimal operation.
False positives: The security control acted as a consequence of non-malicious activity.
This represents an error, generally caused by too tight proactive controls (which do
not permit all legitimate traffic) or too relaxed reactive controls (with too broad
descriptions of the attack).
False negatives: The security control has not acted, even though there was malicious
activity. This represents an error, generally caused by too relaxed proactive controls
(which permit more than just minimal legitimate traffic) or too specific reactive
controls.
Cisco IPS Sensor
Click to edit Master title style
Snort is an Open-source IDS
Click to edit Master title style
•
•
•
•
Excellent lightweight NIDS with a good reputation since 1998
Low-cost or free versions
Can identify several attack variants with flexible ruleset
Administrators can create custom pattern matching rules for
zero-days, new worms, and exploits
A Basic Snort Rule
Click to edit Master title style
Snort 101 and Snort Rules
https://www.youtube.com/watch?v=W1pb9DFCXLw
https://www.youtube.com/watch?v=RUmYojxy3Xw
IEEE 802.11 Wireless
Click to edit Master title style
•
802.11 was created in 1997 and ratified by IEEE in 1999
• .11b in 1999 offered max bandwidth of 11 Mbps in the 2.4 GHz
frequency
• .11a in 1999 with max BW of 54 Mbps in 5 GHz range
• .11g in 2003 with max BW of 54 Mbps in 2.4 GHz range
• These were all officially incorporated in 2007
•
802.11n came in 2009 and offered BW from 100 – 600 Mbps
• Enhanced performance due to Multiple Input Multiple Output
(MIMO) and signal reflection
• Operates in both 2.4 GHz and 5 GHz ranges
• Standardized in 2012
802.11ac and .11ax Wireless
Click to edit Master title style
• 802.11ac is the most recent standard
ratified in 2016
• Aggregate BW of 1 Gbps with some
deployments to 6.77 Gbps
• Utilizes multiple radios and
bandwidth aggregation in the
5 GHz range
• Newest, non-ratified draft is
802.11ax in ranges below 6 GHz with
speeds up to 11 Gbps using
aggregated bandwidths
Evolution of Wireless Security
Click to edit Master title style
• Wi-Fi Protected Access 1 (WPA-2003) was a temporary
fix to the first WEP security mechanism
• Used TKIP to generate “better” keys for underlying RC4
encryption
• Used a Message Integrity Check (MIC) to thwart forgery
and replay
• Both protocols had issues so WPA 2 was introduced
afterwards
• Remember that Kismet is a popular wireless network
sniffer and wireless IDS
WEP has been deprecated due to the following reasons:
Hackers can easily obtain challenge phrase and encrypted response to crack the WEP
key
Crackers have decrypted captured data traffic
Provides only weak encryption of data
The initialization vector (IV) is a clear-text 24-bit field – a pseudo-random number
used along with the secret key for data encryption
The small space guarantees the re-use of the same key stream
The weakness is NOT with the RC4 protocol per se
Temporal Key Integrity Protocol - TKIP
Evolution of Wireless Security
Click to edit Master title style
• WPA2 was the replacement for
WPA in 2004 and devices required
testing and certification from Wi-Fi
Alliance by 2006
• Based on IEEE 802.11i
• Supports PSK and Enterprise
authentication
• In October 2017, the major KRACK
attack targeted the 4-way
handshake
Temporal Key Integrity Protocol - TKIP
Evolution of Wireless Security
Click to edit Master title style
•
WPA2-PSK (personal)
•
•
•
•
•
Shared secret key is used
Manually configured on devices and AP
Local access controls
AES-128 used for encryption
WPA2-Enterprise (802.1X)
• Authentication server is required
• Centralized RADIUS used for authentication and key
distribution
• AES-128 used for encryption
•
Management Frame Protection (PMF or MFP) was
introduced in WPA 2
Protected Management Frames (PMF)
Click to edit Master title style
• Wi-Fi uses three different frame types: Management, Control,
and Data
• Management frames like authentication,
de-authentication, association, disassociation, beacons, and
probe frames are used by wireless stations to locate and
connect wireless networks
• They also manage the client connection after a successful
association
Protected Management Frames (PMF)
Click to edit Master title style
• To keep your Wi-Fi infrastructure safe from attack, you should
implement Management Frame Protection (MFP) features
• The management frames sent between APs and clients are
protected, so that both APs and clients can detect and drop
invalid or spoofed management frames
• APs can be set up to not emit certain broadcast management
frames like disassociation, deauthentication, or action frames
Protected Management Frames (PMF)
Click to edit Master title style
• Based on IEEE 802.11w, PMF offers integrity protection for
both unicast and broadcast management frames
• It also encrypts unicast management frames in the same way
as data to ensure data confidentiality
• Protected Management Frames are intended to stop a variety
of wireless attacks such as disconnect, honeypot, and evil
twin
• Device vendors and security administrator should make sure
that Protected Management Frames are configured
automatically
WPA3
Click to edit Master title style
• WPA3 adds new mechanisms to streamline wireless security,
support more robust authentication schemes, and deliver
increased cryptographic strength for sensitive data
• All WPA3 networks will utilize the latest security techniques
while prohibiting outdated protocols
• WPA3 requires the use of Protected Management Frames
(PMF) to preserve the resiliency of mission critical wireless
networks
WPA3-Personal
Click to edit Master title style
• Use for SO/ HO environments or when devices can’t support
802.1X authentication
• WPA3-Personal provides the Simultaneous Authentication of
Equals (SAE)
• SAE is a secure key establishment protocol between wireless
nodes to provide strong protections against third-party
password guessing tools
WPA3-Personal
Click to edit Master title style
• The Wi-Fi Alliance said in a past statement “Recently
published research identified vulnerabilities in a limited
number of early implementations of WPA3 Personal, where
those devices allow collection of side channel information on
a device running an attacker’s software, do not properly
implement certain cryptographic operations, or use
unsuitable cryptographic elements.”
This relates to the Dragonfly handshake, which forms the core of WPA3, and is also
used on certain Wi-Fi networks that require a username and password for access
control: the EAP-pwd protocol.
WPA3-Enterprise
Click to edit Master title style
• WPA3-Enterprise offers a new 192-bit security level based on
the NSA’s ‘Suite B’ Cryptography for environments needing
stronger security
• It allows fewer EAP types to be used:
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(mandatory)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (optional)
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (optional)
• It only allows GCMP-256 encryption
Personal Area Networks (PAN)
Click to edit Master title style
•
•
•
•
•
•
The primary PAN technology in use today is Bluetooth
Bluejacking is a legacy Bluetooth prank that takes advantage of
sending contact information automatically without authentication
or authorization
The cracker creates an address book object and a contact in the
contact list then spoof a name to appear on your phone
Bluesnarfing is much more dangerous as it can steal data from a
wireless device over the Bluetooth connection
Often conducted between iPhones, Android phones, iPods, iPads,
laptops, and assorted PDAs
Bluesnarfing can access contact lists, calendars, emails, and text
messages
Personal Area Networks (PAN)
Click to edit Master title style
• Zigbee is a low-power solution that
can even run on batteries
• A collection of automation
standards
• Based on IEEE 802.15.4
• Less expensive and easier to deploy
PAN alternative to Bluetooth
Near Field Communications (NFC)
Click to edit Master title style
• NFC technologies let you harness the benefits of rapid and
contactless payments
• They facilitate entry and exit from transit systems without
long waiting times
• The advantages of RFID/NFC for travelers and shoppers are
abundant and the technology will only expand in the future
NFC Threats and Vulnerabilities
Click to edit Master title style
• Cloning and emulating Point-of
Sale (POS) devices
• Sniffing, spoofing, and replay attacks
• Man-in-the-middle attacks
• Denial of service
• RFID malware
NFC Threats and Vulnerabilities
Click to edit Master title style
• NFC and RFID blocker tags and
jammers can mitigate
• Special blocking wallets
• RFID zapper
• Disposable cameras that disable
RFID chips
5G
Click to edit Master title style
• 5G offers bigger channels to speed data transfer, lower
latency, and the ability to connect to many devices
simultaneously
• Low-band 5G operates in frequencies below 2GH - the oldest
cellular and TV frequencies
• Mid-band 5G is in the 2-10GHz range. That covers most current
cellular and Wi-Fi frequencies, as well as frequencies slightly
above those
Low-band can go great distances, but there aren't very wide channels available, and
many of those channels are being used for 4G. So low-band 5G is slow. It acts and
feels like 4G, for now. Low-band 5G channels are from 5MHz in width (for AT&T) up to
20MHz (for T-Mobile), so you can see they aren't roomier than 4G. Complicating
things, AT&T and T-Mobile low-band phones sometimes show 5G icons when they
aren't even using 5G, making it hard to tell any difference.
Mid-band 5G is in the 2-10GHz range. That covers most current cellular and Wi-Fi
frequencies, as well as frequencies slightly above those. These networks have decent
range from their towers, often about half a mile, so in most other countries, these are
the workhorse networks carrying most 5G traffic. Most other countries have offered
around 100MHz to each of their carriers for mid-band 5G. Here in the US, New TMobile will use Sprint's spectrum for a mid-band network, using up to 120MHz per
city. AT&T and Verizon will shave off little bits of their 4G spectrum using DSS for midband 5G, 10MHz here and 10 there.
5G
Click to edit Master title style
• High-band 5G is also called millimeter-wave
• So far, it is mostly airwaves in the 20-100GHz range that
haven't been used for consumer applications before
• They are very short range with 800-foot distances from
towers
• Can provide very fast speeds using up to 800MHz at a time
• Verizon relies extensively on high-band, which it calls “ultra
wideband”
5G
Click to edit Master title style
• With current phones in low- and mid-bands, you can combine
two 100MHz channels, for 200MHz usage and you can also
stack three more 20MHz 4G channels on top of that
• In high-band 5G, you can use up to eight 100MHz channels
• Dynamic spectrum sharing (DSS) allows carriers (like AT&T
and Verizon) to dynamically split channels between 4G and
5G based on demand with DSS-compatible phones
• Studies are not definitive on the dangers to people and
animals from high-band
Many devices: sensors, smart devices, IoT.
The great speeds 5G carriers promise are just about leveraging more airwaves at
once. But if you don't have the airwaves available, you don't get the speeds.
Attacks: Replay
Click to edit Master title style
• On a wireless network, it is easier to gather the data
necessary for a replay attack
• WEP and WPA are vulnerable to ARP replay attacks, among
others, as there are many tools available that will crack their
encryption keys (AirSnort and AirCrack are classics)
• Ettercap and dsniff are two popular man-in-the-middle attack
tools that use Wireshark to modify the data in transit
Attacks: Rogue APs
Click to edit Master title style
• Honeypots and Evil Twins are
malicious rogue APs tricking users
to associate
• Can be a wireless man-in-themiddle attack or DHCP starvation
• An evil twin AP replaces an existing
network so users will connect to
the fake one instead of the real one
• Evil twins spoofing a public hotspot
can also be a serious concern
Modern managed APs and controllers can detect other APs over the air, and if not
known it is classified as a rogue
The location of the rogues can be plotted on a floor-plan map
If the found AP is determined to be a known internal AP, it can be marked accordingly
If the AP is found to be a neighboring wireless LAN, such as in a hotspot or adjacent
business, then it can be marked as a known external
Attacks: Jamming
Click to edit Master title style
• Jamming is a form of wireless DoS attack that floods the RF
with interference or excessive traffic so that wireless links
cannot be sustained
• Exploit kits have several jamming modules and scripts
included for hard and soft APs
• Some DoS attacks may not be due to malicious activity, but
rather poorly written drivers on endpoint Wireless NICs
Attacks: Disassociation
Click to edit Master title style
• Wireless clients use authentication, deauthentication,
association, disassociation, beacons, and probe frames to find
an AP and initiate a network session
• Attacker spoofs the AP MAC address and sends management
frames, usually deauthentication or disassociation messages,
to valid clients
• The goal is typically to perform a DoS attack against the
network or to force the client to reauthenticate
Wireless clients use control and management frames, such as authentication and
deauthentication, association and disassociation, beacons, and probes, to choose an
AP and initiate a session for network service
AP impersonation is a common attack against wireless networks where the attacker
spoofs the AP MAC address and sends management frames, usually deauthentication
or disassociation messages, to valid clients
The goal is typically to perform a DoS attack against the network or to force the client
to reauthenticate
Attacks: Wi-Fi Protected Setup (WPS)
Click to edit Master title style
•
•
•
•
Originally called “Wi-Fi Simple Config”
Attacks on the PIN generated by the AP entered on the device
Online and offline brute-force attacks are possible
Captured packets determine PIN and gain unauthorized
access
• If the device does not allow the pin to be changed,
unauthorized access is possible
• If the AP is accessible by anyone, just push the button
PIN is printed on device or listed in configuration menu
Attacks: WPA2 KRACK
Click to edit Master title style
•
Key reinstallation attacks (KRACK) are a form of cyberattack that
exploits a vulnerability in WPA2 resulting in stolen data transmitted
over networks
• An encrypted WPA2 connection is initiated with a four-way
handshake sequence, but the entire sequence is not required for a
reconnect - only the third part of the four-way handshake needs to
be retransmitted
• When a user reconnects to a familiar Wi-Fi network, the network
resends the third part of the handshake sequence and this
resending can occur multiple times to ensure the connection
succeeds
• This repeatable step is the vulnerability that can be exploited by a
man-in-the-middle evil twin or rogue AP
An encrypted WPA2 connection is initiated with a four-way handshake sequence,
although the entire sequence isn’t required for a reconnect. In order to enable faster
reconnections, only the third part of the four-way handshake needs to be
retransmitted. When a user reconnects to a familiar WiFi network, the WiFi network
resends them the third part of the handshake sequence; this resending can occur
multiple times to ensure the connection succeeds. This repeatable step is the
vulnerability that can be exploited.
Attacks: WPA3
Click to edit Master title style
• In July 2019 two security researchers disclosed information
regarding several vulnerabilities (known as Dragonblood) in
the Wi-Fi Alliance's WPA3 Wi-Fi security and authentication
standard
• Three main attack categories:
• Downgrading to WPA2
• Offline password cracking through side-channel attack
• Denial of service
Dragonfly is the key exchange mechanism through which users authenticate on a
WPA3 router or access point. In April, Vanhoef and Ronen found that Dragonfly key
exchanges that relied on P-521 elliptic curves could be downgraded to use the
weaker P-256. As a result, the WiFi Alliance recommended that vendors use the
stronger Brainpool curves as part of the Dragonfly algorithms. However, we found
that using Brainpool curves introduces a second class of side-channel leaks in the
Dragonfly handshake of WPA3.
Common Social Engineering Attacks
Click to edit Master title style
•
•
•
•
Tailgating and piggybacking
Scams, fraud, and hoaxes
Dumpster diving
Shoulder surfing
• Watering hole
• Influence campaigns
• Trolling organizational
social media sites
Eliciting information and reconnaissance, hoaxes, Identity fraud, Impersonation and
pretending, Invoice scams, Credential harvesting
Influence campaigns are also called misinformation operations and influence
operations:
To Launch propaganda or disinformation initiative – and - Gain a competitive
advantage or confuse adversary or competitor
Phishing Attacks and Variants
Click to edit Master title style
• Phishing is a cyber attack that
uses disguised email and
webmail as a delivery method
• The goal is to hoax the
recipient into accepting it as a
real message
• Attackers request reply,
clicking a hyperlink or
downloading an attachment
• Spear phishing targets specific
roles and responsibilities
• Whaling targets high-profile,
highly privileged, or C-suite
• Vishing attacks telephones,
cell phones, and VoIP systems
• Smishing uses SMS texting as
the vector
Indicators of Phishing
Click to edit Master title style
•
•
•
•
•
•
•
•
Vague salutations – "Dear valued customer"
Suspicious display names or domains
Entity name is farther down the URL path
Wrong information or suspicious IP addresses when you
hover over links
Awkward grammar and misspelled words
Subject line has urgent or intimidating phrases
Lack of legitimate contact information
Spoofed headers, graphics and logos
Business Email Compromise (BEC)
Click to edit Master title style
• Business Email Compromise (BEC) is a type of special attack
that targets entities who outsource, conduct wire transfers,
and have suppliers abroad, and more
• Corporate email accounts of high-level employees are either
spoofed or compromised through keyloggers or phishing
attacks, in order to perform fraudulent transfers
Typosquatting
Click to edit Master title style
• Typosquatting involves sitting on sites under someone else's
brand or copyright and targeting Internet users who
erroneously type a web site address into their browser
address bar
• Examples: gooogle, facebooj, amaxon, insdagram
• Other terms are URL hijacking, sting sites, or fake URL
Common Malware Payloads
Click to edit Master title style
•
•
•
•
•
•
Trojans and RATs
Polymorphic worms
DDoS Bots
Spyware and adware
Keyloggers
Ransomware
Potentially unwanted programs (PUPs) will show up as red flags in anti-virus/antimalware tools
Malvertisments
Remote Access Trojans
Click to edit Master title style
Command and Control Server (C&C-C2)
Act as client
Act as server
Attacker
Capture webcam
Keystrokes logging
Remote shell
Update RAT version
Download file
Upload file
RAT-infected PC
Complex Malware Types
Click to edit Master title style
• Rootkits
• Backdoors
• File-less/memory-only
viruses
• Logic bombs
• Stegomalware
• Polymorphic packers
• Multipartite
A rootkit is a category of malicious software intended to advance administrator-level
or root level control over a computer system without being detected by authorized
users. The term is a combination of the words "root", which represents the root user
in a UNIX/Linux system or the administrator in a Windows system and "kit", meaning
software toolkit. Typically, the goal of a rootkit is to execute malicious activities on a
target system at a later time without the knowledge of the users of that computer.
This malicious software can target the BIOS, boot loader, kernel, system files, and
much more. Rootkits are difficult to detect since they are initiated before the
operating system has fully booted. It might install hidden files, processes, and hidden
user accounts. Because rootkits can be installed in firmware or software, they can
even intercept data from network connections, keyboard input and output,
among others.
Injection Attacks
Click to edit Master title style
• DLL Injection
• Malicious code forces itself to run in place of other benign code
• This "injected" code is usually code written by a third-party
developer, designed to perform some malicious function
• SQLi
• Involves inserting a SQL query through input data from client to
server application and can allow for several exploits
• Read sensitive database data (SELECT FROM)
• Change database data (INSERT, UPDATE, DELETE)
• Defend with input validation and length limits
The injection attack is often the result of MITM exploit or RAT attack. Malware can
inject false MAC or IP addresses.
Injection Attacks
Click to edit Master title style
• LDAP Injection
• The web server accepts input from the client for additional
processing
• The attacker exploits the data not being properly sanitized or
data/commands being sent directly to a back-end database
• The attacks can render sensitive user information or change
information in the LDAP directory
Yersinia for Layer 2 – 7 Injection
Click to edit Master title style
Cross-site Scripting (XSS)
Click to edit Master title style
•
DOM-Based: (Local XSS or Type 0)
•
•
Reflected XSS (Nonpersistent/Type 1)
•
•
Insecurely written HTML page on end
user's system or local gadgets and
widgets
An input trust vulnerability where the
app expects input like a query string,
but the attacker sends something the
developer did not expect
Stored XSS (Persistent or Type 2)
•
A variant of type 1 where, rather
than reflecting the input, the web
server persists the input
DOM-Based: Also called Local XSS or Type 0, Does not involve vulnerable web servers,
Insecurely written HTML page on end user's system or local gadgets and widgets
(Widgets – Apple, Nokia, Yahoo; Gadgets – Microsoft and Google; Also have similar
code in GNOME and KDE (stock tickers, RSS feeds, sports scores, clocks, mini-games,
social networking tools, notifications, etc, and much more)
Allows the attacker to manipulate the DOM through untrusted input and they can
render input that might lead to other XSS vulnerabilities
Reflected XSS (Nonpersistent or Type 1): A classic input trust vulnerability where the
application is expecting some input (i.e. a query string) and the attacker sends
something developer did not expect. Example: attacker provides a JavaScript code
fragment as the querystring and the victim clicks on the link. Prevalent since it's not
feasible to turn off all scripting in browsers.
Stored XSS (Persistent or Type 2): A variant of type 1 where, rather than reflecting the
input, the web server persists the input. The user is served up later to unsuspecting
victims. Difference is an intermediate phase where the untrusted input is stored in a
file or a database before unloading on the victim. Often found in blogs and
review/feedback web applications.
Cross-site Request Forgery (CSRF)
Click to edit Master title style
• CSRF occurs when a malicious web site, blog, email, instant
message, or program causes a web client to do unsolicited actions
on a trusted site for which a user (preferably an administrator) is
presently authenticated
• An effective CSRF/XSRF attack can force users to perform exploits
like changing passwords and email addresses to conducting
transactions such as funds transfers
• If the victim is an administrative or root account, the attack can
affect the entire web site application
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious
web site, email, blog, instant message, or program causes a user’s web browser to
perform an unwanted action on a trusted site for which the user is currently
authenticated.
Common Application Attacks
Click to edit Master title style
• Cookie storage and transmission
• Buffer overflow and integer overflows
• Memory leaks
• Short lived user-land application
• Long lived user-land application
• Kernel-land process
• Race conditions and TOC/TOU
• The result of an unexpected ordering of events – poor code
design
Cookies typically don’t hold confidential info, but attackers can still use them to
develop well-crafted attacks. For example they can extract a users regular visits to a
banking or brokerage site to support a spear phishing or pharming attack. Cookies
should be securely stored using encryption. Sensitive cookies should be stored
securely on the web server will pointers on the clients.
Buffer overflows take advantage of poorly written applications or operating system
code. Injection of malicious code can be accomplished with a DoS to memory buffers
and addresses or even SQL injection methods. They cause errors or command shells
and programs to run in order to further launch the exploit or deliver the malware.
One example is a packet holding a long string of NOP – no-operation instructions
followed by a command (NOP Slide) that forces the processor to locate where a
command can actually be executed. This can be mitigated with proper input
validation and regular vendor patches and updates.
OWASP = “Arithmetic operations cause a number to either grow too large to be
represented in the number of bits allocated to it, or too small. This could cause a
positive number to become negative or a negative number to become positive,
resulting in unexpected/ dangerous behavior.” SOLUTION Never perform arithmetic
operations on numeric primitives without strict checking for overflow/underflow
conditions. Static analysis can be helpful in checking for possible overflow/underflow
conditions. Some runtime environments automatically check for overflow/underflow
and trigger exceptions, but no mainstream language runtimes used for web
application development currently do this except for some flavors of Python.
A memory leak is unintentional memory consumption where the programmer fails to
free an allocated block of memory when it’s no longer needed. Consider the
following general three cases:
• Short Lived User-land Application: Little if any noticeable effect. Modern operating
system recollects lost memory after program termination.
• Long Lived User-land Application: Potentially dangerous. These applications
continue to waste memory over time, eventually consuming all RAM resources.
Leads to abnormal system behavior
• Kernel-land Process: Very dangerous. Memory leaks in the kernel level lead to
serious system stability issues. Kernel memory is very limited compared to user
land memory and should be handled cautiously.
Race Conditions happen when a piece of code doesn’t function as designed. They are
the result of an unexpected ordering of events, which can lead to the finite state
machine of the code transitioning to a undefined state. It can also cause contention
of more than one thread of execution over the same resource. Multiple threads of
execution acting or manipulating the same area in memory or persisted data which
gives rise to integrity issues. FIX: programmers have to test for race conditions or use
something like OWASP ZAP to test for vulnerabilities.
Time of Check/Time of Use = (OWASP) Time-of-check, time-of-use race conditions
occur when between the time in which a given resource is checked, and the time that
resource is used, a change happens in the resource to invalidate the results of the
check.
Consequences:
• Access control: The attacker can gain access to otherwise unauthorized resources.
• Authorization: race conditions such as this kind may be employed to gain read or
write access to resources which are not normally readable or writable by the user
in question.
• Integrity: The resource in question, or other resources (through the corrupted
one), may be changed in undesirable ways by a malicious user.
• Accountability: If a file or other resource is written in this method, as opposed to
in a valid way, logging of the activity may not occur.
• Non-repudiation: In some cases it may be possible to delete files a malicious user
might not otherwise have access to, such as log files.
Related Controls:
• Design: Ensure that some environmental locking mechanism can be used to
protect resources effectively.
• Implementation: Ensure that locking occurs before the check, as opposed to
afterwards, such that the resource, as checked, is the same as it is when in use.
The most common result of resource exhaustion exploits is denial of service. The
software may slow down, crash due to unhandled errors, or lock out legitimate users.
In some situations, it may be possible to force the software to "fail open" in the event
of resource exhaustion. The state of the software - and possibly the security
functionality - may then be compromised. The aforementioned memory leaks are
forms of RE.
Firmware Vulnerabilities
Click to edit Master title style
• Embedded systems increasingly use software-driven lowpower microprocessors for security-critical settings
• Firmware programs are often written in the C language so
existing source-code analysis tools do not work well for this
• Intel, Apple, and Android still fight this battle among many
other manufacturers and vendors
• Rootkits and tools can modify a computer’s UEFI (Unified
Extensible Firmware Interface) so that it silently reinstalls its
surveillance tool even if the hard drive is wiped clean or
replaced
UEFI is a replacement for the traditional BIOS (Basic Input/Output System) and is
meant to standardize modern computer firmware through a reference specification.
But there are multiple companies that develop UEFI firmware, and there can be
significant differences between the implementations used by PC manufactures.
CryptoMalware
Click to edit Master title style
• CryptoMalware technically applies to any malicious code that
involves encryption and/ decryption during the lifecycle
•
•
•
•
Rogue cryptomining (cryptojacking)
Ransomware
Crypto DDOS
Steganography
The goal of a cryptojacking crypto-malware isn’t to steal data – it is to remain in place
for as long as possible, quietly mining in the background.
Crypto-malware can also impact the DDoS market. Instead of botnet CPUs being used
to generate packets to blackmail the victim, who may or may not pay the ransom, the
DDoS botnet could be repurposed to mine cryptocurrencies, guaranteeing a payoff
for the criminal.
Ransomware Lifecycle
Click to edit Master title style
1. INSTALL
Crypto-ransomware
installs itself after
bootup
2. CONTACT HQ
The installed
malware contacts
a server belonging
to an attacker or
group (C&C)
3. HANDSHAKE
AND KEYS
The ransomware
client and server
"handshake" and the
server generates two
cryptographic keys
4. ENCRYPT
The ransomware
starts encrypting
every file it finds
with common file
extensions
5. EXTORT
A screen displays
giving a time limit to
pay up before the
criminals destroy the
key to decrypt the
files
Ransomware
Click to edit Master title style
Cryptolocker Infection Chain
Click to edit Master title style
This is a Cryptolocker infection chain
Stegomalware
Click to edit Master title style
• Stegomalware uses steganography to
avoid detection
• Steganography is a method of hiding
concealing files, messages, images, or
videos within another file, message,
image, video or network traffic
• Cryptography offers confidentiality – not
steganography
Samples and Case Studies
Click to edit Master title style
•
•
•
•
Rig EK Exploit Toolkit
Facebook Compromise of 2013
WannaCry Ransomware of 2017
Marriot Data Breach of 2018
Rig EK Exploit Toolkit
Click to edit Master title style
• Rig Exploit Kit (EK) is one of the best-known malware and
exploit tools to attack popular applications
• It has been used more recently to launch cryptojacking
campaigns
• Fallout EK, GrandSoft EK, Magnitude EK, Underminer EK,
GreenFlash Sundown EK
Facebook Compromise of 2013
Click to edit Master title style
• Internal Facebook workstations were attacked in 1/2013 due
to insecure Java builds
• Developers went to mobile development site that hosted an
Oracle Java exploit
• Apple and Microsoft were also affected around the same
time
WannaCry Ransomware of 2017
Click to edit Master title style
•
•
•
•
CIA attack spread over 150 nations and over 200,000 devices
Banks, schools, hospitals, municipalities and more
Many organizations decided to pay the $3 - $600+ ransom
Began on 5/12/2017 in Asia using a U.S. born kit (NSA) on
mostly Microsoft systems
WannaCry Ransomware of 2017
Click to edit Master title style
• Multi-layered attack used Eternal Blue against SMBv1 and
DoublePulsar trojan backdoor
• Ping first did diagnostics
• Kill terminated running processes
• Exec loaded ransomware on the victim system
Common WannaCry Characteristics
Click to edit Master title style
• The system could be reached from the Internet
• Security flags and alerts from scanning and enumeration were
ignored
• Exploited unpatched known vulnerabilities
• Systems used weak and long-term credentials
Marriot Data Breach of 2018
Click to edit Master title style
• A data breach of 8.6 million credit cards and over 25 million
passports
• Timeline of breach:
• First active in Q3 of 2014
• Marriot discovered 9/8/18
• Breach reported 11/30/18
• 380 - 500+ records affected and full impact TBD
Marriot implemented:
Free Web Watcher enrollment for customers with free credit monitoring
Created new call centers to deal with calls
Millions spent on new security technology
Thousands of people hours to find root of attack – still ongoing
Internet of Things (IoT)
Click to edit Master title style
• This is the most rapidly emerging global vulnerabilities
• There will soon be billions of IPv4 and IPv6 devices in homes,
offices, retail sites, factories, utility companies, hospitals,
cars, and many other places
• With the explosion of Internet-connected devices, you must
find solutions to connect them and collect, store, analyze, and
secure the device and data
Internet of Things (IoT)
Click to edit Master title style
• IoT developers are building industrial IoT applications for
predictive quality and maintenance as well as the remote
monitoring of operations
• They build connected home applications for automation,
security, monitoring, and home networking
• Some IoT developers are building commercial applications for
traffic monitoring, public safety, and health monitoring
• Eventually everything will be identified with a unique IPv6
address for global end-to-end connectivity
Example: AWS IoT Defender
Click to edit Master title style
AWS IoT Device Defender is a fully managed service that helps you secure your fleet
of IoT devices. AWS IoT Device Defender continuously audits your IoT configurations
to make sure that they aren’t deviating from security best practices. A configuration is
a set of technical controls you set to help keep information secure when devices are
communicating with each other and the cloud. AWS IoT Device Defender makes it
easy to maintain and enforce IoT configurations, such as ensuring device identity,
authenticating and authorizing devices, and encrypting device data. AWS IoT Device
Defender continuously audits the IoT configurations on your devices against a set of
predefined security best practices. AWS IoT Device Defender sends an alert if there
are any gaps in your IoT configuration that might create a security risk, such as
identity certificates being shared across multiple devices or a device with a revoked
identity certificate trying to connect to AWS IoT Core.
Defense in Depth
Click to edit Master title style
• Defense in depth involves
implementing multiple layers of
security to defend property,
facilities, systems, applications,
and data
• Can be physical, logical or
virtual
•
The goal is to protect CIA and
beyond (prevent D.A.D.)
• Security is a continuous
balancing act
• According to the SANS institute,
there are four fundamental
approaches to DiD, based on risk
treatment:
•
•
•
•
Uniform protection
Protected zoning
Information-centric
Analyze threat vectors
Confidentiality vs. Disclosure; Integrity vs. Alteration; Availability vs. Destruction is
often quoted. However, this isn’t the most accurate as the opposite of destruction
would be “Durability”.
Uniform Protection
Click to edit Master title style
• Involves identical controls for all systems
which are deemed to be of equal value
• Assets are not considered to be missioncritical
• A very traditional and common approach at
least as the starting point in the lifecycle
• “Drinking the firewall Kool-Aid”
Protected Zoning
Click to edit Master title style
• Creates logical and physical security domains or zones
• Software-defined-networking using VLANs and PVLANs is a
modern example
• There are interface points between all zones and mediated
access from any public zones (Internet)
• Can also be a secure enclave on a mobile or embedded
device
Zoning
Click to edit Master title style
172
Cloud Service Provider Zoning DiD
Click to edit Master title style
Data or Information-Centric DiD
Click to edit Master title style
Network
Endpoint
Application
Data
At the center is data and information in this model: IP, PII, PHI. But it could be things
stored in a walk-in safe or highly secure room such as where safe deposits boxes are
in a bank. Or perhaps it is an HSM storing Private Keys and Access Keys.
This process involves asset assessment, valuation, labeling (tags), classification, and
handling = risk management.
Could involve elaborate DLP systems and Digital Rights Management solutions
Vector-oriented DiD
Click to edit Master title style
• Identifying all ingress and egress points and all probable
threat agents and specific vectors
• Disable USB fobs
• Block email attachments
• Use DLP engines for IP leakage
• Leverage the threat matrices and risk registers
• Conduct vulnerability and risk assessment with a quantitative
analysis focus
• OpenFAIR is an emerging taxonomy to identify vulnerability and
handle subjectively
NIST Security Strategy
Click to edit Master title style
Understand the Physical Architecture
Click to edit Master title style
• Where is the defensible property boundary?
• Work back to the location of core mission-critical assets
•
•
•
•
•
•
•
Gates and fences
Guards
Lighting and sensors
Bollards
Locks and cameras
All entry/exit points
Service provider junctions and demarcation
Understand the Physical Architecture
Click to edit Master title style
• Diagram the physical topology of the campus with graphical
tools
• Include wireless analysis and topologies
• Document all cable runs and distribution frames
• Map the physical topologies to the logical networking flow
Recognize All Communication Flows
Click to edit Master title style
• Identify all information flows with all possible technologies
•
•
•
•
•
Corporate edge
Email and webmail
Messaging and social media
Telephony and cellular
Bluetooth, RFID, NFC, etc.
• Information flow may also be governed by mandatory access
control architectures
Identify Critical Data
Click to edit Master title style
•
•
•
•
•
Data at rest, in transit, in use
Understand the SAN, NAS solutions
Evaluate all database and storage systems
Abstract data whenever possible
Strict access controls and mediated access
What is Active Defense?
Click to edit Master title style
• Active defense involves an offensive approach to security
defense
• Involves understanding more about how the attack is
performed
• Takes the point of view of the attacker
• Enhances existing technologies
Enhance and augment – not replace technologies
Active Defense Lifecycle
Click to edit Master title style
Phase 1 - Identify Critical Internal Assets
Phase 2 – Provide Environmental Context
Phase 3 – Classify Threat Agents
Phase 4 – Launch Active Threat Campaigns
Spectrum of Attacks and Defenses
Click to edit Master title style
@ Defense Science Board
Main Types of Active Defense
Click to edit Master title style
Deception
Attribution
Counterattack
Deception as Active Defense
Click to edit Master title style
• Slows down or redirects the attacker
• Presents false information
•
•
•
•
Honeypots and honeynets
Evil twin WAPs
Server decoys
DNS fabrication
• Has the lowest impact from a legal perspective but can affect
scanning and pentesting
Attribution as Active Defense
Click to edit Master title style
• Attribution discovers information about the attacker(s) and
their goals or targets
• It is a valuable activity for incident response team members
• It may be ineffective since source addresses are likely spoofed
• It actively uses trace back tools and beaconing software
Counterattack as Active Defense
Click to edit Master title style
• This strategy involves:
• Information gathering
• Seek and disrupt
• Seek and destroy
• Attack back involves the most
negative legal issues
• It has a high degree of risk and
consequences
Honeypots
Click to edit Master title style
• Honeyfiles are bait files strategically placed for attackers to
access (passwords.txt)
• They usually reside on a file server, which will trigger an alert
when read
• These also include honeytokens, honeycreds, honeynets
Tarpits
Click to edit Master title style
•
A Tarpit is a network security technique of delaying inbound
connections to intentionally slow down scanning attacks and spam
• This method can often restrict and discourage spammers from
sending bulk messages towards you
• Tarpits are applied to:
• Networks
• Email (ESMTP)
• Authentication
(Teergube in German). To avoid being tarpitted, a spammer may send bulk emails in
short batches over a relatively longer period than normal.
Decoys
Click to edit Master title style
• Decoys can be honeycreds representing fake privileged
accounts
• They are also decoy IP addresses and honeynets
• Routers and firewalls
• Virtual machines
• They can be TCP and UDP ports on a gateway or server
Jailed Environments
Click to edit Master title style
• A jailed environment is a subcomponent of a host
environment that allows all attackers in
• The authentic environment allows authorized access while
attackers are redirected to the jailed environment for active
defense measures
• This can also be an evil twin wireless environment
Fake DNS Records
Click to edit Master title style
• DNS is a common recon action by attackers
• Bogus DNS records can redirect attackers to honeypot
databases or domain controllers in a jailed subnet
• Often used in combination with other active defense
measures such as decoys
False Headers
Click to edit Master title style
• Various TCP/IP services will offer metadata in headers
• HTTP response, SMTP, and FTP headers are common vectors
• As a countermeasure, remove header data or insert false
information into header
• Example: declare that a web server is running IIS when it is
really running Apache
Service banners are often used by system administrators for inventory taking of
systems and services on the network. The service banners identify the running
service and often the version number too. Banner grabbing is a technique to retrieve
this information about a particular service on an open port and can be used during a
penetration test for performing a vulnerability assessment. When using Netcat for
banner grabbing you actually make a raw connection to the specified host on the
specified port. When a banner is available, it is printed to the console.
Making a Raw Connection with Netcat
Click to edit Master title style
Example: To demonstrate how a raw connection works we issue some FTP commands after
we’re connected to the target host on the FTP service. Let’s then see if anonymous access is
allowed on this FTP server by issuing the USER and PASS command followed by anonymous.
Netcat is the Swiss army knife of networking tools and it can be run standalone or in
Kali Linux as seen here. The most common cracking uses for Netcat are setting up
reverse and bind shells, piping and redirecting network traffic, port listening,
debugging programs and scripts and banner grabbing by making a raw connection to
an FTP or Web server.
https://www.hackingtutorials.org/networking/hacking-with-netcat-part-3-advancedtechniques/
To demonstrate how a raw connection works we will issue some FTP commands after
we’re connected to the target host on the FTP service. Let’s see if anonymous access
is allowed on this FTP server by issuing the USER and PASS command followed by
anonymous.
NIST on User Responsibility
Click to edit Master title style
According to NIST:
"The responsibilities and accountability of owners, providers,
and users of computer systems and other parties concerned
with the security of computer systems should be explicit.
The assignment of responsibilities may be internal to an
organization or may extend across organizational boundaries.
Depending on the size of the organization, the program may be
large or small, even a collateral duty of another management
official."
Enhance and augment – not replace technologies
NIST on User Responsibility
Click to edit Master title style
According to NIST (continued):
"However, even small organizations can prepare a document
that states organization policy and makes explicit computer
security responsibilities.
This element does not specify that individual accountability must
be provided for on all systems.
For example, many information dissemination systems do not
require user identification and, therefore, cannot hold users
accountable."
Enhance and augment – not replace technologies
Acceptable Use Policies (AUP)
Click to edit Master title style
• The most important aspect of the written security policy from
the endpoint perspective is the Acceptable Use Policy (AUP)
• It should be a dynamic published document updated for new
technologies (augmented reality, TikTok, mobile solutions,
etc.)
Endpoint Physical Security
Click to edit Master title style
•
•
•
•
•
•
Computer and laptop locks
Clean desk policies
Visibility screens
Disable unused peripheral ports
Removable device policy
MDM onboarding and offboarding
• Geofencing
• Geotagging
• Remote-wipe
Clean desk = locked drawers, cabinets, and safes
Endpoint Physical Security
Click to edit Master title style
•
•
•
•
•
Use hardware and software multi-factor authentication
Consider biometric authentication
Disconnect and/or remove unused computers
Use client-side and full disk encryption
Employ SSO and/or password managers
Use smart cards and tokens according to AUP
Update Personal Endpoints
Click to edit Master title style
• Update and upgrade the most secure browsers and clients
• Auto-update with digitally signed patches (Java, Adobe,
Zoom, etc.)
• Update and upgrade all anti-x software
• Install manufacturer firmware updates
Browser Best Practices
Click to edit Master title style
• Be certain browser software is
updated
• Manage and disable
unnecessary/malicious plugins
• Always connect using HTTPS
and TLS1.2 or 1.3
• Choose EV validated sites if
possible
• Clear browser histories
automatically
• Use strong passwords and
password managers
• Never store passwords in a
browser
• Disable popups (install
AdBlock)
• Use VPNs and Proxy servers
(Cisco Umbrella)
• Make use of browser security
configurations
Web Safaris for Endpoint Protection
Click to edit Master title style
https://www.sans.org/securityresources/policies/general/pdf/acceptable-use-policy
https://www.quest.com/kace/
https://resources.infosecinstitute.com/best-practices-webbrowser-security/
https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
https://www.quest.com/kace/
https://resources.infosecinstitute.com/best-practices-web-browser-security/
Host-Based IDS
Click to edit Master title style
• Host-based IDS monitors the host system infrastructure
through an installed agent to analyze traffic and log
suspicious and malicious behavior
• HIDS should provide deep visibility into critical systems and
files to detect and respond when anomalous activities are
discovered
• HIDS often works in conjunction with SIEM systems and other
advanced threat intelligence – often using Sec-as-a-Service
(MSSP)
Common HIDS Activities
Click to edit Master title style
• Detect attempts at unauthorized access
• Identify anomalous activities
• Enumerate access and changes to critical files with File
Integrity Monitoring (FIM)
• Protect integrity of data and other host-based assets
• Conduct continuous threat intelligence
• Integrate with other agents (VPN, .1X, OpenDNS, etc.)
Snort – a network IDS
Click to edit Master title style
• Since the late 90’s it has been an open-source solution
• Has a powerful rule language
• New patterns can be used from the community
Alert tcp any any -> 10.10.10.0/24 80 (msg
“ i nbound HTTP Tr af f i c” ;
sid: 3251022;)
Intrusion Prevention Defined
Click to edit Master title style
• Intrusion Prevention Systems (IPS) are proactive inline
systems that have the ability to drop packets and block
attackers before the payload enters the network or host
•
•
•
•
•
Signature-based
Anomaly-based
Heuristic and UBA
Machine-learning
Cloud-based
Host-based IPS
Click to edit Master title style
• A host-based intrusion
prevention system (HIPS) is a
program that is usually
installed on a single host
• It often complements
traditional fingerprint-based
and heuristic antivirus
detection applications as part
of an integrated endpoint
security suite
• When malware or some other
exploit attempts to alter the
system or software, HIPS can
prohibit the action
automatically or alert the end
user to grant permission
• Most endpoint protection
systems are actually IPS
sensors installed on hosts that
can be deployed in IDS or IPS
modes
IPS Tuning
Click to edit Master title style
• True Positive
• Accurate + alarm fires
• True Negative
• Accurate + alarm does not fire
• False Positive
• Error + alarm fires
• False Negative
• Error + alarm does not fire
True positives: The security control, such as an IPS sensor, acted as a consequence of
malicious activity. This represents normal and optimal operation.
True negatives: The security control has not acted, because there was no malicious
activity. This represents normal and optimal operation.
False positives: The security control acted as a consequence of non-malicious activity.
This represents an error, generally caused by too tight proactive controls (which do
not permit all legitimate traffic) or too relaxed reactive controls (with too broad
descriptions of the attack).
False negatives: The security control has not acted, even though there was malicious
activity. This represents an error, generally caused by too relaxed proactive controls
(which permit more than just minimal legitimate traffic) or too specific reactive
controls (with too specific descriptions of the attack).
IEEE 802.1X (PNAC)
Click to edit Master title style
• The 802.1X framework delivers
authentication and authorization
of endpoints attempting to get
network access
• VLAN assignment - the
authentication server can
associate a VLAN with a specific
user or group and instruct the
switch to dynamically assign the
authenticated user into that
VLAN
VLANs = wired, wireless, Guest, Restricted until remediation, full access with
additional EAP (like EAP-TLS using PKI certificates), leverage SSO with directory
service as Identity Provider (OpenLDAP, AD)
IEEE 802.1X (PNAC)
Click to edit Master title style
•
ACL assignment - the authentication server associates an ACL with a
specific user or group and commands the NAD to dynamically
assign the ACL to the session of the user
• Time-based access - the authentication server can control the times
at which the user can connect to the network
• Security group access - security group access provides topologyindependent, scalable access control
• The ingress switches classify data traffic for a specific role and label
the traffic with security group tags
• The egress network devices read the security group tags and
perform filtering by applying the appropriate security group ACLs
to the packets
IEEE 802.1X (PNAC)
Click to edit Master title style
Supplicant
Authentication server
Authenticator
EAPOL-Start
EAP-Request/Identity
RADIUS Access-Request
EAP-Response/Identity
RADIUS Access-Challenge
EAP-Request/OTP
EAP-Response/OTP
RADIUS Access-Request
EAP-Success
Port authorizes
EAPOL-Logoff
Port unauthorized
RADIUS Access -Accept
IEEE 802.1AE (MACsec)
Click to edit Master title style
Guest user without
MACsec supplicant
AES-GCM-128 with GMAC or AES-GCM-256 with GMAC
Endpoint Detection and Response (EDR)
Click to edit Master title style
• Endpoint Detection and Response (EDR) are tools that are
mainly dedicated to detection and investigation of suspicious
activities and indicators of compromise (IoCs) on
hosts/endpoints
• EDR tools monitor endpoint and network events and send
information to a SIEM system or centralized database so
further analysis, investigation, and reporting can take place
Endpoint Detection and Response (EDR)
Click to edit Master title style
• A software agent installed on the host system often provides
the basis for event monitoring and reporting
• EDR systems are more modern than traditional HIDS/HIPS
solutions but considered legacy software compared to newer
next-generation endpoint protection
Key EDR Features
Click to edit Master title style
• Filtering - better solutions excel at filtering out false positives
which can lead to alert fatigue and increasing the possibility
for real threats to go unnoticed
• Advanced Threat Blocking -preventing threats as soon as
detected and throughout the lifecycle of the attack
• Incident Response Capabilities - threat hunting and incident
response can help avert full-scale data breaches to augment
DLP
• Multiple Threat Protection - advanced attacks can overwhelm
endpoints if the installed security solution is not prepared to
handle multiple types of threats simultaneously
Advanced Threat Blocking: Prevent threats as soon as detected and throughout the
lifecycle of the attack. Persistent attacks could eventually overcome security
measures on products with weaker offerings.
Multiple Threat Protection - advanced attacks, or multiple different attacks at once,
can overwhelm endpoints unless the installed security solution is prepared to handle
multiple types of threats at the same time (i.e. ransomware, malware, suspicious
data movements).
Next-generation Endpoint Protection
Click to edit Master title style
• IT hygiene
• Next-generation Antivirus
• Offers verifiable vendor claims
• Doesn’t focus exclusively on IoCs
• Looks for indicators of attack (IoA)
• Managed hunting service
• Threat intelligence
• Cloud-based architecture
IT Hygiene - allows you to identify and close gaps in your environment by offering the
visibility and information your security teams need to implement preemptive actions
and make sure you’re as prepared as possible to face today’s sophisticated threats.
Out-of-date and unpatched applications, credential abuse and employing stolen
credentials are key attack vectors. The ability to discover, patch and update
vulnerable applications and monitor login activities is critical.
Next-Generation Antivirus (NGAV)
Traditional antivirus (AV) solutions boast of up to 99 percent effectiveness, but a gap
of just one percent means 100% probability of a breach by adversaries using either
known or unknown malware. That’s why NGAV can be an important tool, though
finding the right solution can be challenging. A recent blog on this topic outlines the
four steps to choosing the right AV replacement. Among those steps is verifying
vendor claims. Organizations should be wary that some vendors claiming to have
behavioral analytics capabilities offer solutions that focus exclusively on indicators of
compromise (IOCs), which are only present after an attack has occurred. Effective
NGAV must also look for indicators of attack (IOAs) that identify active attacks and
allow you to stop an event before damage is done. This gives you a tremendous
advantage over attackers.
Managed Hunting
At the end of the day, attackers are people and as such, they can be adaptive and
creative — relying on technology alone to thwart them is simply not enough. To be
truly next-gen, a cybersecurity platform should include a managed hunting service.
An elite team can find things your automated response systems may miss. It can learn
from incidents that have taken place, aggregating crowdsourced data and providing
response guidance when malicious activity is discovered. Having expert hunters
working 24/7 on your behalf matches the ingenuity of determined attackers like no
automated technology can.
Threat Intelligence
Because sophisticated adversaries can move so quickly and stealthily, security teams
must receive intelligence that ensures your defenses are automatically and precisely
instrumented throughout your enterprise to stop breaches with minimum impact and
maximum protection. Such threat intelligence needs to provide more than the
tactical advantage of understanding and resolving incidents faster; it must also offer
the proactive alerts and reports that security experts need in order to prioritize their
resources at an operational level.
Cloud-Based Architecture
Delivering these crucial elements can only be accomplished via purpose-built cloud
architecture. The older on-premises model simply isn’t capable of performing the
tasks required of a true next-gen EPP solution, such as collecting a massive, rich data
set in real time, storing it for long periods and thoroughly analyzing it in a timely
manner to prevent breaches. With the cloud, it is possible to store and instantly
search petabytes of data, gaining historical context on any activity running on any
managed system. Many vendors claiming to have a cloud-based solution actually are
still relying on older architectures developed primarily for on-premises systems,
though perhaps retrofitted with some newer "cloud-enabled" features. Such a "bolton" model can never match the performance of a purpose-built, cloud-native
solution.
Endpoint Protection Suites
Click to edit Master title style
• These are all-in-one, full-scale security packages that offer a
single, integrated solution
• There is only one vendor to get the upgrades and updates
from
• Depending on the security vendor, the suite may also include
a two-way firewall, parental control system, a local spam
filter, VPN to protect your data in transit, online backup, and
dedicated ransomware protection
Endpoint Protection Suites
Click to edit Master title style
Endpoint Encryption Products
Click to edit Master title style
Endpoint Encryption Products
Click to edit Master title style
System Logging
Click to edit Master title style
• There are many sources of
system logs in the enterprise:
• Infrastructure devices
• Windows server system,
application, and security logs
• Web, Email, and Unified
Communications services
• Firewalls, IDS/IPS, WAF, and
specialty appliances
• Database and storage
•
•
•
•
•
•
•
•
Messages
Alerts
Traps
Log files
Debugging
Traces
Devices
Log servers
System Logging Concepts
Click to edit Master title style
• Log output can be overwhelming in the beginning
• Filtering and tuning is critical to gathering meaningful metrics
(events and information)
• There are too many standards!
• Some use the Syslog RFC as a standard
Cisco, Microsoft, Juniper, AWS flow logs, Linux builds
Syslog
Click to edit Master title style
• Syslog is a standard defined in IETF RFCs 3164 then 5424
• Messages include:
•
•
•
•
•
•
Time stamps
Event messages
Severity level (0-7)
Host IP addresses
Diagnostics
And more
Syslog is a standard for sending and receiving notification messages–in a particular
format–from various network devices. The messages include time stamps, event
messages, severity, host IP addresses, diagnostics and more. In terms of its built-in
severity level, it can communicate a range between level 0, an Emergency, level 5, a
Warning, System Unstable, critical and level 6 and 7 which are Informational and
Debugging.
Moreover, Syslog is open-ended. Syslog was designed to monitor network devices
and systems to send out notification messages if there are any issues with
functioning–it also sends out alerts for pre-notified events and monitors suspicious
activity via the change log/event log of participating network devices.
The Syslog protocol was initially written by Eric Allman and is defined in RFC 3164.
The messages are sent across IP networks to the event message collectors or syslog
servers. Syslog uses the User Datagram Protocol (UDP), port 514, to communicate.
Although, syslog servers do not send back an acknowledgment of receipt of the
messages. Since 2009, syslog has been standardized by the IETF in RFC 5424.
Syslog on a Cisco Device
Click to edit Master title style
Syslog on a Cisco Device
Click to edit Master title style
Syslog on a Cisco Device
Click to edit Master title style
Syslog on a Cisco Device
Click to edit Master title style
Syslog on a Cisco Device
Click to edit Master title style
Syslog on a Cisco Device
Click to edit Master title style
Log Distinctives to Remember
Click to edit Master title style
• Logs are critical records for metrics, indicators,
documentation, reporting, and governance
• Servers should be in a high-availability or cluster solution
• Logging may be a component of larger SIEM system or cloudbased analysis tool
Build a Basic Linux Log Server
Click to edit Master title style
1. Build a Linux server on a network, virtual environment, or
cloud service provider virtual network (AWS VPC)
2. Place in the same VLAN as devices generating logs
3. Allow SSH (TCP 22) and Syslog (TCP/UDP 514) access only
4. Forward syslog logs to the server IP address from Linux
source devices by modifying /etc/syslog.conf files
5. On Syslog server, change syslog.conf to send logs to files or
backend storage
6. Configure logrotate.conf on server to retain logs
Key Log Reporting Activity
Click to edit Master title style
• Authentication and
authorization
• Failures and critical errors
• Malware activities (IoC/IoA)
• Modification and change
reports
• Network activity
• Resource access
• Never Before Seen (NBS)
analytics reporting