What is threat modeling
it is how you describe all the threats, and the cybersecurity risks that threaten your business. how would an attack look like? where do you expect attacks to come from? inside, outside, internet, mobile, etc? important to decide where we should focus our attentions
what to ask yourself when thinking of Threat Modeling
What is the risk of loosing C, I, or A? Some situations we don't care about confidentiality such as a news site, but we would care about integrity. How likely is an attack to happen? what defenses do we have? What is missing?
what is Adversary Capabilities?
it is something we should know about after doing our homework with Threat Modeling and threat hunting. by definition it the ability to develop an attack and execute it
What attack framework describes an adversary’s capabilities?
MITRE ATT&CK Framework.
what is the Acquired level?
beginner hacker, not a lot of resources, uses commodity malware, malware developed by others, will follow the book, not inventive.
what is augmented attacker level
used known vulnerabilities, reseaches beforehand, use custom malware, limited human interactions,
what is developed attacker level
can develop their own malware, and own delivery mechanisms, expertise, to discover new vulnerabilities, relies on strong human interactions like threating people
what is Advanced attacker level
ability to influence commercial products and services during lifecycle, creating own vulnerabilities during production lifecycle
what is integrated Attacker level
extremely skilled, any resources at disposal, generate own opportunities, own vulnerabilities, leverage political and military assets.
what is total attack surface
it is everything you owned and can be attacked by someone
where to check for total attack surface
Corporate network (what ports you have in building, what wireless networks you have accessbile outside building), check Cloud, Online Precense, check Internal apps, buildings and people
the attack vectors according to MITRE
Cyber, Physical, Human,
Cyber attack vector
IT Systems, social media, e-mail, USB drives, open ports
Physical attack vector
doors, locks, access cards, surveillance
Human attack vectors
impersonation, phishing, coercion, blackmail
What is Likelihood
checks if it is a real threat or just a probable one, will it actually happen, or an asteroid hitting earth, Has it happened to us before or someone else before?
Threat Modeling Questions
What's the motivation behind an attack?
what is cyber threat hunting
the actual activity of searching out cyber threats that would’ve remained undiscovered otherwise, similar to real world hunting, requires skills, patience, keen eye
Threat hunting approach
Be proactive, search for TTPs and IoCs, Act before you have proof which is proactive, not INCIDENT RESPONSE
threat hunting methodology
start from scratch, if you start from seeing abnormal logs, then it is incident response, not threat hunting and not being proactive. you must establish hypothesis, profile and look for threat actors (APTs, hacktivists, organized crime, etc), Look for IoCs (usually already on device)
Questions to ask to justify threat hunting
Have you been compromised? Discover new attack surfaces, Improve threat detection, Provides security Intelligence, identify critical assets
what is Asset Criticality?
How important is an asset. need to prioritize what to monitor to prioritize what to fix. not everything is critical.
what are some Assets
People, Tangible Assets, and Intangible Assets (ideas)
What do we keep track of with Assets?
use a dedicated tool. check type, models, SN, ID, location, user, value, service
What is a Infrastructure Vulnerability Scanner?
Not Nmap, this looks for vulnerabilities, scans network, hosts, endpoints, servers, anything running and searches for anything of security concern like what versions patches of OS, services running, configuration of our devices, network shares, user accounts, weak security policies
What does a vulnerability scanner do during Mapping and Enumeration
creates an inventory of what we have in our network (servers, devices, services, what ports, what version, plugins, configuration etc) similar to Nmap
Passive Scanning
Look for public info, capture network traffic, don’t get involved, don't interact with target, zero impact on network and services, cannot be detected, not much detail
Active Scanning
Directly interact with target, actively send requests and analyze answers, visible and noisy, can create performance issues and downtime, easily detected, hits firewalls, open ports, IPS, etc to see how they react, might crash servers
Credentialed Scan
Relies on user account from admin, scanner logs in to the target, preforms checks using that account, very in depth analysis, insider point of view, highest level of detail provided,
Non-Credentialed Scan
No user account, outsider point of view, trial and error, not so accurate, higher risk of downtime and may cause crashing
Server based Scanning
connect to a service and scan
Agent based Scanning
agents installed on each host(device) which will do the scanning and then report findings back to central console, this type of scan is always credentialed by default, low resource consumption, works with offline cuz happens locally.
Downside of Agent based scanning
need to install agent on device and manage the agents, vulnerable backdoor may cause vulnerabilities cuz additional attack surface
Segmentation
subnets, VLANS, VPNs, reachability? Consider using a dedicated management network designed for managing controlling scanning
Frequency of scans
depends on your risk appetite, scans may cause service degradation, time constraints, licensing limitation, so scan when regulations say so after security breach when something changes
Choosing Scanner
Free versus paid (usually proprietary often more maintained), General purpose versus Specialized scanners.
Nessus, Qualys, and OpenVAS
vulnerability scanners
How good is a vulnerability scanner?
good as its vulnerability database
What is the value of a paid subscription for commercial products for vulnerability scanners?
They usually have a much better and more up-to-date vulnerability database
Security Content Automation Protocol (SCAP))
A method for standardizing and automating the vulnerability management and policy compliacne in your organization, it is a protocol that can be used by a vulnerability scanner to atomically meet some configuration baseline. Does the host pass the necessary test, is that host secure enough?
What developed most of the SCAP components?
MITRE
How is SCAP protocol used on hosts?
Used to determine if a host meets some predefined configuration baseline. it does this by defining some idenfiers that help us describe specific platforms or vulnerbilities
what are some Identifiers?
CVE (Common Vulnerability and Exposures), CV
what is CVE
it is a list of vulnerabilities
What does a CVE name look like?
what is CPE
it is Common Platform Enumeration: a way to describe platforms to which the vulnerabilities apply to. It describes operation systems, applications, hardware devices, chipsets, anything that can have a vulnerability and is considered a platform. this database is used every time Nmap or other network scanning tools try to identify the operating system running on a specific scan host
What uses CPE?
Network scanners such as Nmap
what is CEE (Common Configuration Enumeration)
a collection of best practices for configuring hardware and software.
what is CWE (Common Weakness Enumeration)?
a collection of flaws in designed of software that could potentially lead to vulnerabilities
what is CAPEC (Common Attack Patten Enumeration and Classification)
similar to attack framework or attack database but focuses on the application and the exploit while the attack framework focuses more on the attacker and intrusion event.
what is OVAL (Open Vulnerabilities and Assessment Language)
used for reporting because it describes using XML and the state of a system from a security perspective, so basically a security assessment report.
What is XCCDF (Extensible Configuration Checklist Description Format)
used to develop and audit security checklists so basically making security checklists and check your environment for configuration best practices
What is the result of a vulnerability scan?
generate a report of all the vulnerabilitie found in a system or network and include : assets, its vulnerabilities, and a CVSS score, the score is very useful to determine how critical that specific vulnerability really is
what is CVSS (Common Vulnerability Scoring System)
a unified metric and this metric takes in multiple factors to help you prioritize what you need to fix, where to focus efforts first.
Should the highest score on the CVSS take the most priority?
Not the single best factor and to keep in mind, because sometimes a low vulnerability that can be fixed in one or two minutes or five minutes may take precedence than one that can only be fixed in one or two weeks?
Do vulnerability scanners make mistakes?
yes, sometimes because of network filtering that doesn't allow it to reach the device its suppose to scan or it reaches it device and does not have enough provides
What is the ideal situation for a vulnerability scanner?
when it is True Positive, meaning a vulnerability that matches a CVE is really present on that host device or software or network, another is when it is a true Negative which means no vulnerability has been detected and no vulnerability exists on that device
What can you scan for?
only things you know about in your database
what does it mean when vulnerability is not detected?
it simply means it is not in your database, it might be there but it has not been discovered by anyone yet, it can provide false results
what are bad results or false results for a vulnerability scanner?
false negatives or when the scanner fails to detect a vulnerability and false positives or when the scanner tells you there is a vulnerability that doesn't really exists
What to to do avoid False results when vulnerability scanning
make sure scanning traffic is allowed, is it credentialed scan? make sure its credentialed, fine tune the scanning to tell tell what is a false positive and false negative so it doesn't happen, check your baseline, make sure it applies to you
what's wrong with non credentialed scans?
will generate more false positives and does not have much visibility as credentialed scans
what is CVSS score do
it is a numerical value assigned to a specific vulnerability and to say how bad a vulnerability is to be, helps with prioritizing what vulnerability needs to be fixed and is worth?
CVE
a list of known vulnerabilities we know of, includes CVE, relevant date, does not include CVSSS score
Attack Vectors
where should the attacker be for the exploit to succeed, larger score the more remote the attacker is, N is the worst because means the attack can be conducted across multiple networks even, Adjacent is located on the same subnet or VLAN as the target such as exploited over a securely administered VPN, Local means attacker has read write permissions on target device, Physical means the attacker is required to be physically within the vincity to manipulate the component
Attack Complexity
includes all the conditions that are somehow outside of the attackers control, some conditions that the attacker must overcome to deploy its attack, low means the attacker can expect success overtime they attempt, a high means the attacker must do a lot to succeed.
Privileges Required
refers to the metric that descibes how much privledge an attacker must have before successfully attempting to exploit that vulnerability, none means anybody can exploit, low means attacker requires some privileges, high means attacker reuqires privledges that provide administrative or roolt level to exploit
User interaction
describes the requirement for some other human other person other than the attacker to interact in order to be successful in compromise of that component, none means can be exploited without any interactions from any user, requires some user to take some action before it can be exploited
Scope
desires if a vulnerability in one component can impact other resources outside that components security scope. unchanged means only that component, changed means allowing to compromise other components
Impact Metrics
refers to impact to confidentiality, integrity, and availability
Exploit Code Maturity (E)
measure the maturity of the exploit code but based on current state of the exploit technique, how available is the exploit code, is open to everyone? not define means not enough info to determine if exploit code exists, high means there is readily available code out there, going to work in everytime, functional means readily avaialable but might not work everytime, proof of concept means some code available but as proof of concept, not practical, Unproven means no exploit code is available
Remediation Level (RL)
is there solution for that weakness for that vulnerability, Not defined means theres not enough info to determine if theres a fix, unavailable means no solution, workaround means unofficial or non vendor fix, Tempoary fix means official but only tempoary prob relies of disable, Official fix means there is a offficial fix that works
Report Confidence
how confident can we be that this vulnerability actaully exists, might be we might not know root cause, or the vulnerability was found but no way to replicate, confirmed means able to confirm it exists, reasonable means research but no code for it yet, Unknown means there are reports vulenerabilty might be present, but not sure
Security Requirement
allows the analysts to customize their own CVSS score to reflect the important of the affected assets,
Enumeration phase
list all systems on your network (such as workstations, printers, IP cameras, IoT devices, anything that can connect to network and everything that can be a security risk is also the first phase an attacker will go through
What does Enumeration mean
scanning networks and hosts
Active enumeration
Make some noises and will interact with target
Passive enumeration
Makes no noise and listens to network traffic
Semi passive Enumeration
looks like normal traffic, low and slow attacks that scan so slowly that any defense system wont be able to detect
what is pof
a passive scanning tool that intercept tcp connections and looks at tcp flags and headers to determine version, operation system browser uptime of devices without sending any traffic
what is zeek
a passive scanner that can read packet capture (pcap) files
active scanning techniques can be categorized into two
Foot printing and Fingerprinting
Footprinting
discovering the layout of the network like the subnets, IP addresses, routings dhcp options, routing protocols
Fingerprinting
discovering what is running on a specific host, what ports are open Os version, public file shares
Nmap
the swiss army knife, the holy grail of network scanning and host scanning, number one tool,