Week 2 Notes - So you want to be hacker

Hackers

  • White Hat, Black Hat, Grey Hat, Script Kiddies, Green Hat, Blue Hat, Red Hat, State/Nation Sponsored, Hacktivists, Malicious Insiders / Whistle-blowers

  • Ethical, malicious, or mixed-intent actors with varying skills and aims.

Hacker Teams

  • Red Team: attackers; simulate real breaches with full attack methods.

  • Blue Team: defenders; harden systems and respond to attacks.

  • Purple Team: blend of Red and Blue; coordinate testing and defence to improve detection and response.

  • White Team: governance; sets rules of engagement and monitors progress.

  • Orange Team: security awareness for developers; bridges Red and Yellow for secure design.

  • Yellow Team: software builders; focus on secure design and development.

  • Green Team: DFIR output and logging; strengthen monitoring and integrity.

  • Gold Team: tabletop exercises; test incident response plans across the business.

  • Secondary colour teams are allied functions (Yellow, Green, Orange) supporting security; not directly attackers.

Threat vs Vulnerability vs Control

  • Threat: circumstances with potential to cause loss or harm.

  • Vulnerability: weakness that can be exploited.

  • Control: action or mechanism that reduces or blocks a vulnerability or threat.

  • Relationship: a threat is mitigated by controlling a vulnerability; a wall analogy shows a crack (vulnerability) that an increasing threat could exploit.

  • Summary: Threat + Vulnerability = Risk when exploited; controls reduce risk.

Risk and the FAIR model

  • Risk = Vulnerability × Threat (high-level relation) Risk=Vulnerability×Threat\text{Risk} = \text{Vulnerability} \times \text{Threat}

  • FAIR (Factor Analysis of Information Risk) is a quantitative model for information risk.

  • Key components in FAIR:

    • TEF: Threat Event Frequency

    • LEF: Loss Event Frequency

    • Vulnerability: how likely a threat event will succeed

    • POA: Probability of Action

    • TCap: Threat Capability

    • RS: Resistance

    • LM: Loss Magnitude (primary and secondary)

  • Purpose: map threats, vulnerabilities, and losses to inform risk decisions.

Reconnaissance

  • Reconnaissance is the first phase of a cyber attack; goal is to identify target weaknesses.

  • Two methods:

    • Passive (footprinting): information gathering with minimal target interaction.

    • Active (scanning): interacting with the target to discover openings.

  • Information sought includes host/user details, network topology, services, domains, security policies, and more.

Reconnaissance (Passive)

  • Footprinting concepts: avoid triggering alarms; monitor logs and thresholds.

  • Common footprinting methods: search engines, social networks, WHOIS, DNS footprinting, competitive intelligence, etc.

Reconnaissance (Active)

  • Tools: Ping, Traceroute, Nmap.

  • Purpose: determine live hosts, network topology, and open ports/services.

  • Example output of Nmap can reveal potential vulnerabilities to target.

Interaction

  • Interaction types: Trusts, Accesses, and Visibility.

  • Trusts: interactions between familiar entities; less obvious risk if trusted.

  • Accesses: interactions with unknown entities; higher risk.

  • Visibility: knowledge of assets and their presence; privacy can reduce visibility but may not imply security.

  • Security goal: protect assets from both unknown and trusted interactions while maintaining necessary visibility.

Visibility and camouflage

  • Visibility enables asset awareness but can be exploited; privacy is not a substitute for security.

  • Camouflage or security by obscurity is not reliable security.

Attack Surfaces / Vectors

  • Attack surface: total sum of points where an attacker could enter or extract data; can be physical or digital.

  • Attack vector: the means by which an intrusion occurs.

  • Attack Surface Analysis aims to:

    • Understand risk areas in an application

    • Make developers aware of open attack points

    • Minimise exposed surfaces

    • Detect when the attack surface changes and reassess risk

Attack Surfaces / Vectors – Roles and purposes

  • Security architects and testers map and measure surfaces.

  • Developers should monitor the surface during design and changes.

  • Orange Team helps in aligning security awareness with development.

Defining the Attack Surface

  • The surface includes: all paths for data/commands, protection code, authentication/authorization, logging, encoding, data protection, and data themselves (PII, secrets).

  • Also includes the protective data code (encryption, integrity checks, access auditing).

Identifying and Mapping the Attack Surface

  • Build a baseline map of attack surface from attacker’s perspective.

  • Review design/architecture docs; inspect source code; identify entry/exit points.

  • Typical entry/exit points: UI forms, HTTP headers, APIs, files, databases, local storage, emails, run-time args, etc.

Types of entry/exit points and focus areas

  • Group by function and technology: authentication, admin interfaces, data entry CRUD, workflows, APIs, monitoring interfaces, external interfaces, etc.

  • Large surfaces may number in the thousands; break down into manageable categories for review.

  • Identify valuable data (confidential, regulated) and how it is protected.

Measuring and Assessing the Attack Surface

  • Identify high-risk areas, especially remote and anonymous access points.

  • Focus areas: internet-facing code, web forms, externally sourced files, old interfaces, custom APIs, cryptography/authentication.

  • Assess compensating controls: firewalls, IDS/IPS, monitoring, and governance.

Managing the Attack Surface

  • Baseline understanding; assess changes during development; apply threat/risk assessments as changes occur.

  • Plan and adjust controls as the surface evolves.

Week 2 Activities and Readings

  • Reading: Hacker High School – Lesson 1 and Lesson 2 PDFs linked in course.

  • Optional: Security in Computing (Pfleeger & Pfleeger), Chapter 1.

  • Discuss readings and questions in weekly lectures.

Quick recap for last-minute recall

  • Distinguish hacker types and teams (White/Black/Grey, Script Kiddies, Red/Blue/Purple/Gold/White/Orange/Yellow/Green).

  • Differentiate Threat, Vulnerability, and Control; understand how they interact to form risk.

  • Recognize reconnaissance phases (Passive vs Active) and common tools.

  • Understand attack surfaces vs attack vectors and the purpose of Attack Surface Analysis.

  • Remember the main roles of Gold, White, Orange, Yellow, Green, Red, Blue, Purple teams in practice.