Ethical Hacker Cert.

Information Security

C.I.A.A.N

  • Confidentiality

  • Integrity

  • Availability

  • Authenticity

  • Non-repudiation

Confidentiality

  • The assurance that the information is accessible only to authorized

Integrity

  • The trustworthiness of data or resources in the prevention of improper and unauthorized changes

  • The assurance that information is sufficiently accurate for its purpose

Availability

  • The assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users

Authenticity

  • The characteristics of communication, documents, or any data that ensure the quality of being genuine or uncorrupted

  • To confirm that a user is genuine

Non-repudiation

  • A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

Motives, Goals, and Objectives of Information Security

Attacks = Motive (Goal) + Method + Vulnerability

Classification of Attacks

Passive

  • Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data.

  • Attackers perform reconnaissance on network activities using sniffers.

  • No active interaction with the target system or network

  • Allow attackers to capture the data or files being transmitted in the network without the consent of the user

Active

  • Tampers with the data in transit or disrupts communication or services between the systems to bypass or break into secured systems.

  • Attackers launch attacks on the target system or network by actively sending traffic that can be detected.

  • Performed on the target network to exploit the information in transit.

  • Penetrate or infect the target’s internal network and gain access to a remote system to compromise the internal network.

Close-in

  • Attacks are performed when the attacker is close to the target system or network.

  • The main goal of performing this type of attack is to gather or modify information or disrupt its access.

Insider

  • Attacks are performed by trusted persons who have physical access to the critical assets of the target.

  • An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization’s information or information system.

  • Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information.

Distribution

  • Attacks occur when attackers tamper with hardware or software before installation.

  • Attackers tamper with the hardware or software at its source or when it is in transit.

Information Warfare

  • Command and control warfare (C2 Warfare)

  • Intelligence-based warfare

  • Electronic warfare

  • Psychological warfare

  • Hacker warfare

  • Economic warfare

  • Cyber warfare

  • Defensive Information warfare

    • All strategies and actions to defend against attacks on ICT assets

  • Offensive Information warfare

    • Attacks against the ICT assets of an opponent

Hacking Methodologies and Frameworks

CEH Hacking Methodology

Footprinting

  • The preparatory phase.

  • Gathers as much information as possible about the target before launching an attack.

  • The attacker creates a profile of the target organization and obtains information.

Scanning

  • Used to identify active hosts, open ports, and unnecessary services enabled on particular hosts.

  • Scan the network for specific information.

Enumeration

  • Making active connections to a target system or subjecting it to direct queries.

  • Method of intrusive probing

Vulnerability Analysis

  • The examination of the ability of a system or application, including its current security procedures and controls, to withstand assault

System Hacking

  1. Gaining access

  2. Escalating privileges

  3. Maintaining Access

  4. Clearing Logs

Gaining access

  • the point at which the attacker obtains access to the operating system (OS) or applications on a computer or network

Escalating privileges

  • After gaining access to a system using a low-privilege user account, the attacker may attempt to increase their privileges to the administrator level to perform protected system operations to proceed to the next level of the system hacking phase, which is the execution of applications.

Maintaining Access

  • The phase in which an attacker attempts to retain ownership of the system.

Clearing Logs

  • To remain undetected, attackers erase all the evidence of security compromise from the system

  • Modify or delete logs in the system using certain log-wiping utilities

Cyber Kill Chain Methodology

  • a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities.

  • aims to actively enhance intrusion detection and response.

  • equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats.

  • provides greater insight into the attack phases, which helps understand the adversary’s TTPs beforehand.

Reconnaissance

  • to collect as much information about the target as possible to probe for weak points before actually attacking

Weaponization

  • adversary selects or creates a tailored deliverable malicious payload

  • using an exploit and a backdoor to send it to the victim

Delivery

  • payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on websites, or through a vulnerable web application or USB drive

  • a key stage that measures the effectiveness of the defense strategies implemented

Exploitation

  • the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration

Installation

  • adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period

  • adversary gains the capability to spread the infection to other end systems in the network

Command and Control

  • adversary creates a command and control channel, which establishes two-way communication between the victim’s system and the adversary-controlled server to communicate and pass data back and forth.

Actions on objectives

  • The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems.

Tactics, Techniques, and Procedures (TTPs)

  • “tactics, techniques, and procedures” refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors

  • Organizations use TTPs to protect their networks against threat actors and upcoming attacks. TTPs enable organizations to stop attacks at the initial stage, thereby protecting the network against massive damage.

Tactics

  • It is defined as a guideline describing how an attacker performs their attack from beginning to end.

  • describe the way the threat actor operates during different phases of an attack

  • used to gather information for the initial exploitation

Techniques

  • Methods used by an attacker to achieve intermediate results during their attack

  • In the initial stage, techniques mainly describe the tools used for information gathering and initial exploitation

  • In subsequent stages of an attack, techniques mostly depend on technical tools for escalating privileges on compromised systems or performing lateral movement within the target organization’s network

  • In the last stage of an attack, techniques can have both technical and nontechnical aspects

Procedures

  • is defined as the organizational approach followed by the threat actors to launch their attack.

  • involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle

Adversary Behavioral Identification

  • Internal reconnaissance

  • Use of PowerShell

  • Unspecified proxy activities

  • Use of command line interface

  • HTTP User agent

  • Command and control server

  • Use of DNS Tunneling

  • Use of Web shell

  • Data staging

  • Indicators of compromise (IoCs)

  • Categories of Indicators of Compromise

    • Email Indicators

    • Network Indicators

    • Host-based Indicators

MITRE ATT&CK Framework

  • MITRE ATT&CK comprises three collections of tactics and techniques

    • Enterprise, Mobile, and PRE-ATT&CK matrices

Diamond Model of Intrusion Analysis

  • model offers a framework and a set of procedures for recognizing clusters of events that are correlated on any of the systems in an organization.

  • Analysts can identify the events and connect them as activity threads to determine how and what transpired during an attack.

  • identify whether any data are required by examining the missing features.

Adversary

  • refers to an opponent or hacker responsible for the attack event.

Victim

  • the target that has been exploited or the environment where the attack was performed.

Capability

  • refers to all the strategies, methods, and procedures associated with an attack.

Infrastructure

  • refers to the hardware or software used in the network by the target that has a connection with the adversary

Timestamp

  • feature can reveal the time and date of an event. It is important as it can indicate the beginning and end of the event.

Phase

  • helps in determining the progress of an attack or any malicious activity

Result

  • the outcome of any event.

  • Security fundamentals such as confidentiality (C) compromised, integrity (I) compromised, and availability (A) compromised

Direction

  • refers to the direction of the attack.

Methodology

  • refers to any technique that the adversary uses to perform an attack

Resource

  • feature entails the use of external resources like tools or technology used to perform the attack

Socio-political meta-feature

  • describes the relationship between the adversary and victim

Technology meta-feature

  • describes the relationship between the infrastructure and capability

Hacking

  • exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources.

  • A hacker is a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks.

Black Hat

  • extraordinary computing skills for illegal or malicious purposes

White Hat

  • penetration testers are individuals who use their hacking skills for defensive purposes.

Gray Hat

  • individuals who work both offensively and defensively at various times

Suicide Hackers

  • individuals who aim to bring down critical infrastructure for a “cause.”

Script Kiddies

  • Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers.

Cyber Terrorists

  • individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks.

State-Sponsored Hackers

  • Skilled individuals with expertise in hacking who are employed by a government to penetrate, gain top-secret information from, and damage the information systems of other governments or militaries

Hacktivist

  • a form of activism in which hackers break into government or corporate computer systems as an act of protest.

Hacker Teams

  • a consortium of skilled hackers with their own resources and funding.

  • detect vulnerabilities, develop advanced tools, and execute attacks with proper planning.

Industrial Spies

  • individuals who perform corporate espionage by illegally spying on competitor organizations.

  • focus on stealing critical information such as blueprints, formulas, product designs, and trade secrets.

Insiders

  • any employee (trusted person) who has access to critical assets of an organization.

  • involves the use of privileged access to violate rules or intentionally cause harm to the organization’s information or information systems.

Criminal Syndicates

  • are groups of individuals or communities that are involved in organized, planned, and prolonged criminal activities. They exploit victims from distinct jurisdictions on the Internet, making them difficult to locate.

Organized Hackers

  • a group of hackers working together in criminal activities

Ethical Hacking Concepts

  • ethical hacker follows processes similar to those of a malicious hacker.

Ethical Hacking

  • The practice of employing computer and network skills to assist organizations in testing their network security for possible loopholes and vulnerabilities.

  • Ethical hackers usually employ the same tools and techniques as hackers, with the important exception that they do not damage the system.

  • Ethical hackers are always completely open and transparent about what they are doing and how they are doing it.

Why ethical hacking is necessary

  • Ethical hacking is necessary because it allows organizations to counter attacks from malicious hackers by anticipating the methods they use to break into a system

  • Ethical hackers must investigate whether such activities have been recorded and what preventive measures have been taken

  • ethical hacking and subsequent patching of discovered vulnerabilities

  • The ethical hacker and the client work out a suitable framework for the investigation beforehand

  • The ethical hacker must also remember to convey to the client that it is never possible to guard systems completely but that they can always be improved.

Scope and Limitations of Ethical Hacking

  • Ethical hacking is a structured and organized security assessment, usually as part of a penetration test or security audit.

  • crucial component of risk assessment, auditing, counter fraud, and information systems security best practices

  • to reduce Information and Communications Technology (ICT) costs by resolving vulnerabilities.

Information Security Controls

  • prevent the occurrence of unwanted events and reduce risk to the organization’s information assets.

  • confidentiality, integrity, and availability

Information Assurance (IA)

  • The assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information.

Continual/Adaptive Security Strategy

  • continuous prediction, prevention, detection, and response actions must be taken to ensure comprehensive computer network defense

Detection

  • Assessing the network for abnormalities

Responding

  • actions such as identifying incidents, finding their root causes, and planning a possible course of action for addressing them

Protection

Defense-in-Depth

  • a security strategy in which security professionals use several protection layers throughout an information system.

  • If a hacker gains access to a system, defense-in-depth minimizes any adverse impact

  • gives administrators and engineers time to deploy new or updated countermeasures to prevent a recurrence of the intrusion.

What is Risk?

  • Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system

  • RISK = Threats × Vulnerabilities × Impact

  • RISK = Threat × Vulnerability × Asset Value

Risk Level

  • Assessment of the resulting impact on the network.

  • Level of Risk = Consequence × Likelihood

Risk Matrix

  • scales the risk occurrence or likelihood probability, along with its consequences or impact.

  • The risk matrix defines various levels of risk and categorizes them as the product of negative probability and negative severity.

Risk Management

  • the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk.

Risk Management Objectives

  • continuous process performed by achieving goals at every phase.

  • Risk Identification/ Risk Assessment/ Risk Treatment/ Risk Tracking and Review

Risk Identification

  • The initial step

  • aim is to identify the risks—including the sources, causes, and consequences of the internal and external risks

Risk Assessment

  • assesses the organization’s risks and estimates the likelihood and impact of those risks.

  • Is an ongoing iterative process that assigns priorities for risk mitigation and implementation plans.

  • determine the quantitative and qualitative value of risk

  • determines the kind of risks present, their likelihood and severity, and the priorities and plans for risk control.

Risk Treatment

  • the process of selecting and implementing appropriate controls on the identified risks in order to modify them

  • addresses and treats the risks according to their severity level

Risk Tracking and Review

  • The tracking and review process should determine the measures and procedures adopted and ensure that the information gathered to perform the assessment was appropriate.

  • review phase evaluates the performance of the implemented risk management strategies.

Threat

  • the possibility of a malicious attempt to damage or disrupt a computer network or system

Cyber threat intelligence (CTI)

  • the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks.

  • process of recognizing or discovering any “unknown threats”

  • The main aim of CTI is to make the organization aware of existing or emerging threats and prepare them to develop a proactive cybersecurity posture in advance of exploitation

Types of Threat Intelligence

  • collection

  • data analysis

  • intelligence consumption

Strategic Threat Intelligence

  • Strategic threat intelligence provides high-level information regarding cybersecurity posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions.

  • The intelligence obtained provides a risk-based view that mainly focuses on high-level concepts of risks and their probability.

  • used by the management to make strategic business decisions and to analyze their effect.

  • form of a report that mainly focuses on high-level business strategies.

  • intelligence helps organizations identify any similar past incidents, their intentions, and any attributes that might identify the attacking adversaries

Tactical Threat Intelligence

  • Plays a major role in protecting the resources of the organization.

  • related to the TTPs used by threat actors (attackers) to perform attacks.

  • how the adversaries are expected to perform their attack on the organization, identify the information leakage from the organization, and assess the technical capabilities and goals of the attackers along with the attack vectors

  • collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, and human intelligence, among other information

  • provides day-to-day operational support by helping analysts assess various security incidents related to events, investigations, and other activities.

Operational Threat Intelligence

  • provides information about specific threats against the organization.

  • provides contextual information about security events and incidents that help defenders disclose potential risks, provide greater insight into attacker methodologies, identify past malicious activities, and perform investigations on malicious activity in a more efficient way.

  • helps organizations to understand the possible threat actors and their intention, capability, and opportunity to attack vulnerable IT assets and the impact of a successful attack

  • Collected from sources such as humans, social media, and chat rooms; it may also be collected from the real-world activities and events that result in cyberattacks.

  • generally appears as a report that contains identified malicious activities, recommended courses of action, and warnings of emerging attacks

Technical Threat Intelligence

  • provides information about resources an attacker uses to perform an attack

  • mainly focuses on a specific IoC.

  • provides rapid distribution and response to threats

  • collected from active campaigns, attacks that are performed on other organizations, or data feeds provided by external third parties.

  • helps security professionals add the identified indicators to the defensive systems such as IDS and IPS, firewalls, and endpoint security systems.

  • directly fed into the security devices in digital format to block and identify inbound and outbound malicious traffic entering the organization’s network.

  • Developing intelligence from raw data that helps organizations build defensive mechanisms to thwart emerging risks and threats.

Planning and Direction

  • plan is developed based on the strategic intelligence requirement

  • Covers everything from data collection to delivery of the final intelligence product and acts as a basis for the complete intelligence process.

  • identifying the requirements of data, methods to be used to collect data, and establishing a collection plan.

Collection

  • collecting the desired intelligence that is defined in phase one

  • The intelligence is collected through sources like:

    • Human intelligence (HUMINT)

    • Imagery intelligence (IMINT)

    • Measurement and signature intelligence (MASINT)

    • Signals intelligence (SIGINT)

    • Open source intelligence (OSINT)

    • IoCs and other third parties

Processing and Exploitation

  • data obtained from previous phases is processed for exploitation and transformed into useful information that could be understood by the consumers.

Analysis and production

  • includes facts, findings, and forecasts, which enable the estimation and anticipation of attacks and results.

  • objective, timely, accurate, and actionable

  • deduction, induction, abduction, and scientific method based on confidence

  • try to combine these various sources into a single entity in this phase

  • This phase identifies potential threats to the organization and further helps in developing appropriate countermeasures to respond to the identified threats

Dissemination and integration

  • disseminated intelligence helps organizations in building defensive and mitigation strategies for the identified threats

  • Provides feedback, giving more inputs to the information requirements and thereby repeating the threat intelligence lifecycle

Threat Modeling

  1. Identifying security objectives

  2. Application Overview

    1. Identify roles

    2. Identify key usage scenarios

    3. Identify technologies

    4. Identify application security mechanisms

  3. Decompose the Application

    1. Identify trust boundaries

    2. Identify data flows

    3. Identify entry points

    4. Identify exit points

  4. Identify Threats

  5. Identify Vulnerabilities

Incident Management

  • includes

    • Vulnerability analysis

    • Artifact analysis

    • Security awareness training

    • Intrusion detection

    • Public or technology monitoring

  • Process

    • Improve service quality

    • Resolve problems proactively

    • Reduce the impact of incidents on an organization or its business

    • Meet service availability requirements

    • Increase staff efficiency and productivity

    • Improve user and customer satisfaction

    • Assist in handling future incidents

  • Positions

    • Human resources

    • Legal counsel

    • Firewall manager

    • Outsourced service provider

Incident Handling and Response

  • Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack

  • IH&R process involves defining user policies, developing protocols, building incident response teams, auditing organizational assets, planning incident response procedures, obtaining management approval, incident reporting, prioritization, and managing response

Steps involved in the IH&R process

  1. Preparation

  2. Incident Recording and Assignment

  3. Incident Triage

  4. Notification

  5. Containment

  6. Evidence Gathering and Forensic Analysis

  7. Eradication

  8. Recovery

  9. Post-Incident Activities

Role of AI and ML in Cyber Security

  • AI and ML in cybersecurity help to identify new exploits and weaknesses, which can be easily analyzed to mitigate further attacks

  • AI

    • Artificial Intelligence is the only solution to defend networks against the various attacks that an antivirus scan cannot detect.

  • ML

    • ML is a branch of artificial intelligence (AI) that gives the systems the ability to self-learn without any explicit programs.

  • Supervised Learning

    • uses algorithms that input a set of labeled training data to attempt to learn the differences between the given labels

    • classification and regression

    • Classification includes completely divided classes.

    • Regression is used when data classes are not separated, such as when the data is continuous.

  • Unsupervised Learning

    • makes use of algorithms that input unlabeled training data to attempt to deduce all the categories without guidance

    • clustering and dimensionality reduction

    • Clustering divides the data into clusters based on their similarities,

    • Dimensionality reduction is the process of reducing the dimensions (attributes) of data

How do AI and ML prevent Cyber Attacks

  • Password protection and authentication

  • Phishing detection and prevention

  • Threat detection

  • Vulnerability management

  • Behavioral analytics

  • Network security

  • AI-based antivirus

  • Fraud detection

  • Botnet detection

  • AI to combat AI Threats

Information Security Laws and standards

  • Payment Card Industry Data Security Standard (PCI DSS)

  • ISO/IEC 27001:2013

  • Regulation is intended to be suitable for several different uses

Health Insurance Portability and Accountability Act (HIPAA)

  • Electronic Transactions and Code Set Standards

  • Privacy Rule

  • Security Rule

  • Employer identifier standard

  • National Provider Identifier Standard (NPI)

  • Enforcement Rule

Sarbanes-Oxley Act (SOX)

  • Title I: Public Company Accounting Oversight Board (PCAOB)

  • Title II: Auditor Independence

  • Title III: Corporate Responsibility

  • Title IV: Enhanced Financial Disclosures

  • Title V: Analyst Conflicts of Interest

  • Title VI: Commission Resources and Authority

  • Title VII: Studies and Reports

  • Title VIII: Corporate and Criminal Fraud Accountability

  • Title IX: White-Collar Crime Penalty Enhancement

  • Title X: Corporate Tax Returns

  • Title XI: Corporate Fraud Accountability

The Digital Millennium Copyright Act (DMCA)

  • Title I: WIPO Treaty Implementation

  • Title II: Online Copyright Infringement Liability Limitation

  • Title III: Computer Maintenance or Repair

  • Title IV: Miscellaneous Provisions

  • Title V: Protection of Certain Original Designs

The Federal Information Security Management Act (FISMA)

  • Standards for categorizing information and information systems by mission impact

  • Standards for the minimum security requirements for information and information systems

  • Guidance for selecting appropriate security controls for information systems

  • Guidance for assessing security controls in information systems and determining their effectiveness

  • Guidance for the security authorization of information systems

General Data Protection Regulation (GDPR)

  • GDPR Data Protection Principles

    • Lawfulness, fairness, and transparency

    • Purpose limitation

    • Data minimization

    • Accuracy

    • Storage Limitation

    • Integrity and confidentiality

    • Accountability

Data Protection Act 2018 (DPA)

  • The framework for data protection in the UK

  • Protection of personal data

Cyber Law in different Countries

  • Refers to any laws that deal with the Internet and other online communication technologies

  • Cyber laws provide an assurance of the integrity, security, privacy, and confidentiality of information in both governmental and private organizations. These laws have become prominent due to the increase in Internet usage around the world.

Enumeration

  • the process of extracting usernames, machine names, network resources, shares, and services from a system or network.

Honeypots

  • are traps set to detect, deflect, or counteract unauthorized intrusion attempts.