
Download the book Cybersecurity – Attack and Defense Strategies

Book details

Cybersecurity – Attack and Defense Strategies

Category: Security
Edition: 3
Authors:
Series:
ISBN: 9781803248776
Publisher: Packt Publishing
Year of publication: 2022
Number of pages: 0
Language: English
File format: EPUB (converted to PDF, EPUB or AZW3 on request)
File size: 71 MB

Book price (toman): 33,000




Note that Cybersecurity – Attack and Defense Strategies is offered in its original language and is not a Persian translation. The International Library website provides original-language books only and does not offer any book translated into or written in Persian.


Book description (original language)



Table of Contents

Cover
Copyright
Contributors
Table of Contents
Preface
Chapter 1: Security Posture
	Why security hygiene should be your number one priority
	The current threat landscape
		Supply chain attacks
		Ransomware
		The credentials – authentication and authorization
		Apps
		Data
	Cybersecurity challenges
		Old techniques and broader results
		The shift in the threat landscape
	Enhancing your security posture
		Zero Trust
		Cloud Security Posture Management
		Multi-cloud
	The Red and Blue Teams
		Assume breach
	Summary
	References
Chapter 2: Incident Response Process
	The incident response process
		Reasons to have an IR process in place
		Creating an incident response process
		Incident response team
		Incident life cycle
	Handling an incident
		Incident handling checklist
	Post-incident activity
		Real-world scenario 1
		Lessons learned from scenario 1
		Real-world scenario 2
		Lessons learned from scenario 2
	Considerations for incident response in the cloud
		Updating your IR process to include the cloud
		Appropriate toolset
		IR process from the Cloud Solution Provider (CSP) perspective
	Summary
	References
Chapter 3: What is a Cyber Strategy?
	How to build a cyber strategy
		1 – Understand the business
		2 – Understand the threats and risks
		3 – Proper documentation
	Why do we need to build a cyber strategy?
	Best cyber attack strategies
		External testing strategies
		Internal testing strategies
		Blind testing strategy
		Targeted testing strategy
	Best cyber defense strategies
		Defense in depth
		Defense in breadth
	Benefits of having a proactive cybersecurity strategy
	Top cybersecurity strategies for businesses
		Training employees about security principles
		Protecting networks, information, and computers from viruses, malicious code, and spyware
		Having firewall security for all internet connections
		Using software updates
		Using backup copies
		Implementing physical restrictions
		Securing Wi-Fi networks
		Changing passwords
		Limiting access for employees
		Using unique user accounts
	Conclusion
	Further reading
Chapter 4: Understanding the Cybersecurity Kill Chain
	Understanding the Cyber Kill Chain
		Reconnaissance
			Footprinting
			Enumeration
			Scanning
		Weaponization
		Delivery
		Exploitation
			Privilege escalation
			Examples of attacks that used exploitation
		Installation
		Command and Control
		Actions on Objectives
			Data exfiltration
		Obfuscation
			Examples of attacks that used Obfuscation
	Security controls used to stop the Cyber Kill Chain
		Use of UEBA
		Security awareness
	Threat life cycle management
		Forensic data collection
		Discovery
		Qualification
		Investigation
		Neutralization
		Recovery
	Concerns about the Cybersecurity Kill Chain
	How the Cyber Kill Chain has evolved
	Tools used during the Cyber Kill Chain
		Metasploit
		Twint
		Nikto
		Kismet
		Sparta
		John the Ripper
		Hydra
		Aircrack-ng
		Airgeddon
		Deauther Board
		HoboCopy
		EvilOSX
	Comodo AEP via Dragon Platform
		Preparation phase
			Intrusion phase
			Active Breach phase
	Summary
		Further reading
		References
Chapter 5: Reconnaissance
	External reconnaissance
		Scanning a target’s social media
		Dumpster diving
		Social engineering
			Pretexting
			Diversion theft
			Water holing
			Baiting
			Quid pro quo
			Tailgating
			Phishing
			Spear phishing
			Phone phishing (vishing)
	Internal reconnaissance
	Tools used for reconnaissance
		External reconnaissance tools
			SAINT
			Seatbelt.exe
			Webshag
			FOCA
			PhoneInfoga
			theHarvester (email harvester)
			Open-source intelligence
			Keepnet Labs
		Internal reconnaissance tools
		Airgraph-ng
			Sniffing and scanning
			Prismdump
			tcpdump
			Nmap
			Wireshark
			Scanrand
			Masscan
			Cain and Abel
			Nessus
		Wardriving
		Hak5 Plunder Bug
			CATT
			Canary token links
	Passive vs. active reconnaissance
	How to combat reconnaissance
	How to prevent reconnaissance
	Summary
		References
Chapter 6: Compromising the System
	Analyzing current trends
		Extortion attacks
		Data manipulation attacks
			Countering data manipulation attacks
		IoT device attacks
			How to secure IoT devices
		Backdoors
			How you can secure against backdoors
		Hacking everyday devices
		Hacking the cloud
			Cloud hacking tools
			Cloud security recommendations
		Phishing
		Exploiting a vulnerability
		Zero-day
			WhatsApp vulnerability (CVE-2019-3568)
			Chrome zero-day vulnerability (CVE-2019-5786)
			Windows 10 privilege escalation
		Windows privilege escalation vulnerability (CVE-2019-1132)
			Fuzzing
			Source code analysis
			Types of zero-day exploits
	Performing the steps to compromise a system
		Deploying payloads
			Compromising operating systems
			Compromising a remote system
			Compromising web-based systems
	Mobile phone (iOS/Android) attacks
		Exodus
		SensorID
		iPhone hack by Cellebrite
		Man-in-the-disk
		Spearphone (loudspeaker data capture on Android)
		Tap ‘n Ghost
			iOS Implant Teardown
		Red and Blue Team tools for mobile devices
			Snoopdroid
			Androguard
		Summary
		References
Chapter 7: Chasing a User’s Identity
	Identity is the new perimeter
		Credentials and automation
	Strategies for compromising a user’s identity
		Gaining access to the network
		Harvesting credentials
		Hacking a user’s identity
		Brute force
		Social engineering
		Pass the hash
		Identity theft through mobile devices
		Other methods for hacking an identity
	Summary
	References
Chapter 8: Lateral Movement
	Infiltration
	Network mapping
		Scan, close/block, and fix
		Blocking and slowing down
		Detecting Nmap scans
		Use of clever tricks
	Performing lateral movement
		Stage 1 – User compromised (user action)
			Malware installs
			Beacon, Command & Control (C&C)
		Stage 2 – Workstation admin access (user = admin)
			Vulnerability = admin
		Think like a hacker
			What is the graph?
		Avoiding alerts
		Port scans
		Sysinternals
		File shares
		Windows DCOM
		Remote Desktop
			Remote Desktop Services Vulnerability (CVE-2019-1181/1182)
		PowerShell
			PowerSploit
		Windows Management Instrumentation
		Scheduled tasks
		Token stealing
		Stolen credentials
		Removable media
		Tainted shared content
		Remote Registry
		TeamViewer
		Application deployment
		Network sniffing
		ARP spoofing
		AppleScript and IPC (OS X)
		Breached host analysis
		Central administrator consoles
		Email pillaging
		Active Directory
		Admin shares
		Pass the Ticket
		Pass-the-Hash (PtH)
			Credentials: Where are they stored?
			Password hashes
		Winlogon
		lsass.exe process
			Security Accounts Manager (SAM) database
			Domain Active Directory Database (NTDS.DIT)
			Credential Manager (CredMan) store
			PtH mitigation recommendations
	Summary
		Further reading
		References
Chapter 9: Privilege Escalation
	Infiltration
		Horizontal privilege escalation
			Vertical privilege escalation
			How privilege escalation works
			Credential exploitation
			Misconfigurations
			Privileged vulnerabilities and exploits
			Social engineering
			Malware
		Avoiding alerts
		Performing privilege escalation
			Exploiting unpatched operating systems
			Access token manipulation
			Exploiting accessibility features
			Application shimming
			Bypassing user account control
			Privilege escalation and Container Escape Vulnerability (CVE-2022-0492)
			DLL injection
			DLL search order hijacking
			Dylib hijacking
			Exploration of vulnerabilities
			Launch daemon
			Hands-on example of privilege escalation on a Windows target
		Dumping the SAM file
		Rooting Android
		Using the /etc/passwd file
		Extra window memory injection
		Hooking
		Scheduled tasks
		New services
		Startup items
		Sudo caching
			Additional tools for privilege escalation
			0xsp Mongoose v1.7
			0xsp Mongoose RED for Windows
			Hot Potato
		Conclusion and lessons learned
		Summary
	References
Chapter 10: Security Policy
	Reviewing your security policy
		Shift left approach
	Educating the end user
		Social media security guidelines for users
		Security awareness training
	Policy enforcement
		Policies in the cloud
		Application whitelisting
		Hardening
	Monitoring for compliance
		Automations
	Continuously driving security posture enhancement via security policy
	Summary
	References
Chapter 11: Network Security
	The defense-in-depth approach
		Infrastructure and services
		Documents in transit
		Endpoints
		Microsegmentation
	Physical network segmentation
		Discovering your network with a network mapping tool
	Securing remote access to the network
		Site-to-site VPN
	Virtual network segmentation
	Zero trust network
		Planning zero trust network adoption
	Hybrid cloud network security
		Cloud network visibility
	Summary
	References
Chapter 12: Active Sensors
	Detection capabilities
		Indicators of compromise
	Intrusion detection systems
	Intrusion prevention system
		Rule-based detection
		Anomaly-based detection
	Behavior analytics on-premises
		Device placement
	Behavior analytics in a hybrid cloud
		Microsoft Defender for Cloud
		Analytics for PaaS workloads
	Summary
	References
Chapter 13: Threat Intelligence
	Introduction to threat intelligence
	Open-source tools for threat intelligence
		Free threat intelligence feeds
		Using MITRE ATT&CK
	Microsoft threat intelligence
		Microsoft Sentinel
	Summary
	References
Chapter 14: Investigating an Incident
	Scoping the issue
		Key artifacts
	Investigating a compromised system on-premises
	Investigating a compromised system in a hybrid cloud
		Integrating Defender for Cloud with your SIEM for investigation
	Proactive investigation (threat hunting)
	Lessons learned
	Summary
	References
Chapter 15: Recovery Process
	Disaster recovery plan
		The disaster recovery planning process
			Forming a disaster recovery team
			Performing risk assessment
			Prioritizing processes and operations
			Determining recovery strategies
			Creating the disaster recovery plan
			Testing the plan
			Obtaining approval
			Maintaining the plan
		Challenges
	Live recovery
	Contingency planning
		IT contingency planning process
			Development of the contingency planning policy
			Conducting business impact analysis
			Identifying the preventive controls
			Developing recovery strategies
			Plan maintenance
		Risk management tools
			RiskNAV
			IT and Cyber Risk Management software
	Business continuity plan
		Business continuity planning
		How to develop a business continuity plan
		7 steps to creating an effective business continuity plan
	Best practices for disaster recovery
		On-premises
		On the cloud
		Hybrid
	Summary
	Further reading
	References
Chapter 16: Vulnerability Management
	Creating a vulnerability management strategy
		Asset inventory
		Information management
		Risk assessment
			Scope
			Collecting data
			Analysis of policies and procedures
			Vulnerability analysis
			Threat analysis
			Analysis of acceptable risks
		Vulnerability assessment
		Reporting and remediation tracking
		Response planning
	Elements of a vulnerability strategy
	Differences between vulnerability management and vulnerability assessment
	Best practices for vulnerability management
		Strategies to improve vulnerability management
	Vulnerability management tools
		Asset inventory tools
			Peregrine tools
			LANDesk Management Suite
			Foundstone’s Enterprise (McAfee)
		Information management tools
		Risk assessment tools
		Vulnerability assessment tools
		Reporting and remediation tracking tools
		Response planning tools
		Intruder
		Patch Manager Plus
		Windows Server Update Services (WSUS)
		Comodo Dragon platform
		InsightVM
		Azure Threat and Vulnerability Management
		Implementing vulnerability management with Nessus
		OpenVAS
		Qualys
		Acunetix
	Conclusion
	Summary
		Further reading
		References
Chapter 17: Log Analysis
	Data correlation
	Operating system logs
		Windows logs
		Linux logs
	Firewall logs
	Web server logs
	Amazon Web Services (AWS) logs
		Accessing AWS logs from Microsoft Sentinel
	Azure Activity logs
		Accessing Azure Activity logs from Microsoft Sentinel
	Google Cloud Platform Logs
	Summary
	References
Other Books You May Enjoy
Index