Threat Modeling to Nmap and Enumeration (a way to list whatever is in your network)

  • What is threat modeling
    It is how you describe all the threats and cybersecurity risks that threaten your business: what would an attack look like? Where do you expect attacks to come from (inside, outside, the internet, mobile, etc.)? It is important for deciding where to focus your attention.
  • What to ask yourself when thinking of Threat Modeling
    What is the risk of losing C, I, or A? In some situations we don't care about confidentiality (a news site, for example), but we would care about integrity. How likely is an attack to happen? What defenses do we have? What is missing?
  • What is Adversary Capabilities?
    Something we should know after doing our homework with threat modeling and threat hunting. By definition, it is the ability to develop an attack and execute it.
  • What attack framework describes an adversary’s capabilities?
    MITRE ATT&CK Framework.
  • What is the Acquired level?
    Beginner hacker with few resources; uses commodity malware (malware developed by others), follows the book, not inventive.
  • What is the Augmented attacker level?
    Uses known vulnerabilities, researches beforehand, uses custom malware, limited human interaction.
  • What is the Developed attacker level?
    Can develop their own malware and their own delivery mechanisms, has the expertise to discover new vulnerabilities, relies on strong human interaction such as threatening people.
  • What is the Advanced attacker level?
    Ability to influence commercial products and services during their lifecycle, creating their own vulnerabilities during the production lifecycle.
  • What is the Integrated attacker level?
    Extremely skilled, any resources at their disposal, generate their own opportunities and their own vulnerabilities, leverage political and military assets.
  • What is total attack surface?
    Everything you own that can be attacked by someone.
  • Where to check for total attack surface
    Corporate network (what ports you have in the building, what wireless networks are accessible from outside the building), the cloud, online presence, internal apps, buildings and people.
  • The attack vectors according to MITRE
    Cyber, Physical, Human.
  • Cyber attack vector
    IT Systems, social media, e-mail, USB drives, open ports
  • Physical attack vector
    doors, locks, access cards, surveillance
  • Human attack vectors
    impersonation, phishing, coercion, blackmail
  • What is Likelihood?
    Checks whether it is a real threat or just a possible one: will it actually happen, or is it like an asteroid hitting Earth? Has it happened to us, or to someone else, before?
  • Threat Modeling Questions
    What's the motivation behind an attack?
  • What is cyber threat hunting?
    The actual activity of searching for cyber threats that would otherwise have remained undiscovered. Similar to real-world hunting, it requires skill, patience and a keen eye.
  • Threat hunting approach
    Be proactive: search for TTPs and IoCs, and act before you have proof. That is proactive work, not INCIDENT RESPONSE.
  • Threat hunting methodology
    Start from scratch: if you start from seeing abnormal logs, that is incident response, not threat hunting, and not proactive. You must establish a hypothesis, profile and look for threat actors (APTs, hacktivists, organized crime, etc.), and look for IoCs (usually already on the device).
  • Questions to ask to justify threat hunting
    Have you been compromised? It discovers new attack surfaces, improves threat detection, provides security intelligence, and identifies critical assets.
  • What is Asset Criticality?
    How important an asset is. You need to prioritize what to monitor in order to prioritize what to fix; not everything is critical.
  • what are some Assets
    People, Tangible Assets, and Intangible Assets (ideas)
  • What do we keep track of with Assets?
    Use a dedicated tool. Track type, model, serial number (SN), ID, location, user, value, and service.
  • What is an Infrastructure Vulnerability Scanner?
    Not Nmap: this looks for vulnerabilities. It scans the network, hosts, endpoints, servers, anything running, and searches for anything of security concern such as OS versions and patches, services running, configuration of our devices, network shares, user accounts, and weak security policies.
  • What does a vulnerability scanner do during Mapping and Enumeration?
    Creates an inventory of what we have in our network (servers, devices, services, ports, versions, plugins, configuration, etc.), similar to Nmap.
  • Passive Scanning
    Looks for public info and captures network traffic; doesn't get involved or interact with the target; zero impact on network and services; cannot be detected; not much detail.
  • Active Scanning
    Directly interacts with the target: actively sends requests and analyzes the answers. Visible and noisy; can create performance issues and downtime; easily detected; hits firewalls, open ports, IPS, etc. to see how they react; might crash servers.
  • Credentialed Scan
    Relies on a user account provided by an admin: the scanner logs in to the target and performs checks using that account. Very in-depth analysis, insider point of view, highest level of detail provided.
  • Non-Credentialed Scan
    No user account; outsider point of view; trial and error; not as accurate; higher risk of downtime and may cause crashes.
  • Server based Scanning
    Connects to a service and scans it.
  • Agent based Scanning
    Agents installed on each host (device) do the scanning and report findings back to a central console. This type of scan is always credentialed by default, has low resource consumption, and works offline because the scanning happens locally.
  • Downside of Agent based scanning
    Need to install the agent on each device and manage the agents; a vulnerable agent can act as a backdoor because it adds attack surface.
  • Segmentation
    Subnets, VLANs, VPNs: is the target reachable? Consider using a dedicated management network designed for managing and controlling scanning.
  • Frequency of scans
    Depends on your risk appetite; scans may cause service degradation, and there are time constraints and licensing limitations. So scan when regulations say so, after a security breach, and when something changes.
  • Choosing a Scanner
    Free versus paid (paid is usually proprietary and often better maintained); general-purpose versus specialized scanners.
  • Nessus, Qualys, and OpenVAS
    vulnerability scanners
  • How good is a vulnerability scanner?
    Only as good as its vulnerability database.
  • What is the value of a paid subscription for commercial products for vulnerability scanners?
    They usually have a much better and more up-to-date vulnerability database
  • Security Content Automation Protocol (SCAP)
    A method for standardizing and automating vulnerability management and policy compliance in your organization. It is a protocol a vulnerability scanner can use to automatically check a host against a configuration baseline: does the host pass the necessary tests, is that host secure enough?
  • Who developed most of the SCAP components?
    MITRE
  • How is the SCAP protocol used on hosts?
    To determine whether a host meets a predefined configuration baseline. It does this by defining identifiers that describe specific platforms or vulnerabilities.
  • What are some Identifiers?
    CVE (Common Vulnerabilities and Exposures), CV
  • What is CVE?
    A list of known vulnerabilities.
  • What does a CVE name look like?
  • What is CPE?
    Common Platform Enumeration: a way to describe the platforms to which vulnerabilities apply. It describes operating systems, applications, hardware devices, chipsets, anything that can have a vulnerability and is considered a platform. This database is used every time Nmap or another network scanning tool tries to identify the operating system running on a scanned host.
  • What uses CPE?
    Network scanners such as Nmap
  • What is CCE (Common Configuration Enumeration)?
    A collection of best practices for configuring hardware and software.
  • What is CWE (Common Weakness Enumeration)?
    A collection of flaws in the design of software that could potentially lead to vulnerabilities.
  • What is CAPEC (Common Attack Pattern Enumeration and Classification)?
    Similar to an attack framework or attack database, but it focuses on the application and the exploit, while the attack framework focuses more on the attacker and the intrusion event.
  • What is OVAL (Open Vulnerability and Assessment Language)?
    Used for reporting: it describes, using XML, the state of a system from a security perspective, so basically a security assessment report.
  • What is XCCDF (Extensible Configuration Checklist Description Format)?
    Used to develop and audit security checklists: basically, make security checklists and check your environment against configuration best practices.
  • What is the result of a vulnerability scan?
    A report of all the vulnerabilities found in a system or network, including assets, their vulnerabilities, and a CVSS score. The score is very useful for determining how critical a specific vulnerability really is.
  • What is CVSS (Common Vulnerability Scoring System)?
    A unified metric that takes in multiple factors to help you prioritize what you need to fix and where to focus efforts first.
  • Should the highest score on the CVSS take the most priority?
    No, it is not the single best factor. Keep in mind that sometimes a low-severity vulnerability that can be fixed in one, two or five minutes may take precedence over one that can only be fixed in one or two weeks.
  • Do vulnerability scanners make mistakes?
    Yes. Sometimes network filtering doesn't let the scanner reach the device it is supposed to scan, or it reaches the device but does not have enough privileges.
  • What is the ideal situation for a vulnerability scanner?
    A true positive, meaning a vulnerability matching a CVE is really present on that host, device, software or network; or a true negative, meaning no vulnerability was detected and no vulnerability exists on that device.
  • What can you scan for?
    Only things you know about, i.e. what is in your database.
  • What does it mean when a vulnerability is not detected?
    It simply means it is not in your database; it might be there but not yet discovered by anyone. This can produce false results.
  • What are bad results or false results for a vulnerability scanner?
    False negatives, when the scanner fails to detect a vulnerability, and false positives, when the scanner reports a vulnerability that doesn't really exist.
  • What to do to avoid false results when vulnerability scanning
    Make sure scanning traffic is allowed; make sure it is a credentialed scan; fine-tune the scanner so it knows what is a false positive and a false negative so it doesn't happen again; check your baseline and make sure it applies to you.
  • What's wrong with non-credentialed scans?
    They generate more false positives and have less visibility than credentialed scans.
  • What does a CVSS score do?
    It is a numerical value assigned to a specific vulnerability that says how bad the vulnerability is; it helps prioritize which vulnerability needs to be fixed and is worth the effort.
  • CVE
    A list of known vulnerabilities; an entry includes the CVE identifier and the relevant date, but does not include a CVSS score.
  • Attack Vector
    Where the attacker must be for the exploit to succeed; the larger the score, the more remote the attacker. Network (N) is the worst because the attack can be conducted across multiple networks. Adjacent means located on the same subnet or VLAN as the target, such as an exploit over a securely administered VPN. Local means the attacker has read/write permissions on the target device. Physical means the attacker must be physically within the vicinity to manipulate the component.
  • Attack Complexity
    Includes all the conditions outside the attacker's control that the attacker must overcome to deploy the attack. Low means the attacker can expect success every time they attempt it; High means the attacker must do a lot to succeed.
  • Privileges Required
    Describes how much privilege an attacker must have before successfully exploiting the vulnerability. None means anybody can exploit it; Low means the attacker requires some privileges; High means the attacker requires privileges that provide administrative or root-level access to exploit it.
  • User Interaction
    Describes whether a human other than the attacker must interact for the compromise of the component to succeed. None means it can be exploited without any interaction from any user; Required means some user must take an action before it can be exploited.
  • Scope
    Describes whether a vulnerability in one component can impact resources outside that component's security scope. Unchanged means only that component is affected; Changed means it allows compromising other components.
  • Impact Metrics
    Refers to the impact on confidentiality, integrity, and availability.
  • Exploit Code Maturity (E)
    Measures the maturity of the exploit code based on the current state of the exploit technique: how available is the exploit code, is it open to everyone? Not Defined means not enough info to determine whether exploit code exists; High means readily available code exists that works every time; Functional means code is readily available but might not work every time; Proof-of-Concept means some code is available but only as a proof of concept, not practical; Unproven means no exploit code is available.
  • Remediation Level (RL)
    Is there a solution for that weakness, that vulnerability? Not Defined means not enough info to determine whether there is a fix; Unavailable means no solution; Workaround means an unofficial, non-vendor fix; Temporary Fix means an official but only temporary fix, probably relying on disabling something; Official Fix means there is an official fix that works.
  • Report Confidence
    How confident can we be that this vulnerability actually exists? We might not know the root cause, or the vulnerability was found but there is no way to replicate it. Confirmed means we are able to confirm it exists; Reasonable means there is research but no code for it yet; Unknown means there are reports the vulnerability might be present, but we are not sure.
  • Security Requirement
    Allows analysts to customize their own CVSS score to reflect the importance of the affected assets.
  • Enumeration phase
    List all systems on your network (workstations, printers, IP cameras, IoT devices, anything that can connect to the network and anything that can be a security risk). It is also the first phase an attacker goes through.
  • What does Enumeration mean
    scanning networks and hosts
  • Active enumeration
    Makes some noise and interacts with the target.
  • Passive enumeration
    Makes no noise and listens to network traffic
  • Semi-passive Enumeration
    Looks like normal traffic: low and slow scanning, so slow that defense systems won't be able to detect it.
  • What is p0f?
    A passive scanning tool that intercepts TCP connections and looks at TCP flags and headers to determine the version, operating system, browser and uptime of devices without sending any traffic.
  • What is Zeek?
    A passive scanner that can read packet capture (pcap) files.
  • Active scanning techniques can be categorized into two
    Footprinting and fingerprinting.
  • Footprinting
    Discovering the layout of the network: subnets, IP addresses, routes, DHCP options, routing protocols.
  • Fingerprinting
    Discovering what is running on a specific host: open ports, OS version, public file shares.
  • Nmap
    The Swiss army knife and holy grail of network and host scanning; the number-one tool.