ECIH

128 flashcards, dawidwilk3

Question / Answer
Security policy - permissive
open with blacklisting

Security policy - prudent
closed with whitelisting

Security policy - paranoid
no internet connection, forbids everything

Motive
if the server stores something valuable

Incident management
Identify, analyze, prioritize and resolve incidents to restore normal operation ASAP

Triage
Analyze, validate, categorize

Root cause
found in (6) Evidence Gathering and Forensics, eliminated in (7) Eradication

Vulnerability assessment
pen testing to identify vulnerabilities

Threat assessment
process of analyzing data to create TI. Threat data is confronted with actual systems to match real-world attacks

Threat correlation
reduces false positives

Risk
degree of uncertainty or expectation of potential damage

Risk =
Threats X Vulnerabilities

Risk mitigation strategy: Assumption
accept the risk / bring it to an acceptable level

Risk mitigation strategy: Avoidance
Shutting down systems

Risk mitigation strategy: Limitation
use of supportive preventive and detective controls

Risk mitigation strategy: Planning
be prepared, know how to act

Risk mitigation strategy: Research and Acknowledgement
analyze vulnerabilities to countermeasure them

Risk mitigation strategy: Transference
insurance
CAT 0
Exercise/Network Defense Testing - not applicable (hrs)

CAT 1
Unauthorized Access - 1 (hrs)

CAT 2
DoS - 2 (hrs)

CAT 3
Malicious code - Daily

CAT 4
Inappropriate usage - Weekly

CAT 5
Scans/Probes/Attempted Access - Monthly

CAT 6
Investigation - not applicable (hrs)

Setting up a computer forensics lab
1) Planning and budgeting 2) Physical location 3) Work area considerations 4) Human resource considerations 5) Physical security recommendations 6) Forensics lab licensing

TRIAGE: Analysis and Validation
analyze indicators, examine security solutions. Log analysis, event correlation, network and system profiling, network traffic and bandwidth, checksums, FIM

TRIAGE: Incident Classification
correlates severity, nature, criticality

TRIAGE: Prioritization
LOW - loss of password, scans and probes, virus or worm. MIDDLE - unauthorized access, unfriendly employee termination, virus/worm outbreak. HIGH - DoS, computer break-in, violation of law, cyber terrorism, damage over $100k

Forensics policy
set of procedures to preserve and extract forensic evidence

Evidence bag content list
1) date and time 2) info on the incident responder who seized it 3) exhibit number 4) site from which it was seized 5) details of the content of the bag 6) submitting agencies and addresses

Volatile data includes:
passwords in clear text, executed commands, login info, trojan horses, open ports, date and time, attached devices

Order of volatility
1) Registry and cache 2) routing tables, processes, kernel 3) temp system files 4) disk and storage devices 5) remote logging 6) physical config and network topology 7) archival media

Uptime check tools
1 - PsUptime (Win) 2 - NetStatistics (Linux) 3 - uptime and w (Linux)
Trojan
hidden in something harmless, to control or damage systems, activated BY USER. Steals info, damages host

Backdoor
installed without user knowledge

Rootkit
gain root by exploiting vulnerabilities

Ransomware
usually spread by trojans

Virus
self-replicating, without user knowledge, can spread with assistance of the user

Worms
spread without human intervention. To overload systems. Some carry a payload to damage systems. Used to install backdoors

Backdoor trojans
used to create botnets

Pharming
redirects web traffic to a malicious site - DNS cache poisoning or hosts file modification

Spimming
exploits instant messaging systems

Puddle phishing
small organizations

CEO scam
spoofed CEO address

Mole detection
a piece of fake info is given

Profiling
Observing behaviour. Everyone is different, so profiling defines a pattern of normality

Behavioral Analysis
compare past behaviour, also with other users. Build profiles for each group (UEBA, SIEM, DLP). Discover outliers in each group. Uses machine learning

DNS footprinting
DNS footprinting - extracting DNS info from public resources

DDoS Eradication: Egress filtering
DDoS Eradication: Egress filtering - scans the headers of IP packets leaving the network

DDoS Eradication: Ingress filtering
DDoS Eradication: Ingress filtering - prevents spoofing and flooding attacks

DDoS Eradication: Rate Limiting
DDoS Eradication: Rate Limiting - controls the rate of outbound or inbound traffic

DDoS Eradication: RFC 3704 Filtering
DDoS Eradication: RFC 3704 Filtering - denying traffic with spoofed addresses - bogon list
DBCC LOG name: output
DBCC LOG name: output: 0 - minimal info 1 - a bit more info, flag bits, previous LSN 2 - detailed info 3 - full info about each operation 4 - same as 3 but with hex dump

Containment of Insider
Containment of Insider - seize all allocated devices, take proper legal actions, inform about potential loss, and many more obvious steps

Eradicating insider
Eradicating insider - DCAP (Data Centric Audit and Protection): monitoring and analyzing user privileges, detecting unauthorized changes. And many more

Vulnerability
Vulnerability - existence of a weakness which, when exploited, leads to compromise of a system

Threat
Threat - undesired event - something that exists. The impact is potentially hazardous

Quantitative Risk
Quantitative Risk - deeper view (for example a blood test)

Qualitative Risk
Qualitative - consequence X likelihood (for example questions asked by doctors - simple)

Email bombing
Email bombing - sending email messages to a specific address

PKI
PKI - PUBLIC KEY INFRASTRUCTURE

Botnet
Botnet - used to perform DDoS

Forensic readiness
Forensic readiness - an organization's ability to make optimal use of digital evidence

Forensics readiness plan
Forensics readiness plan - refers to a set of procedures to achieve and maintain forensic readiness

Forensics Policy
Forensic Policy - set of procedures describing the actions to preserve and extract forensic evidence

Information Security Policy
Information Security Policy - basic security requirements and rules to implement in order to protect and secure assets

Incident Management
Incident Management - set of defined processes to identify, analyze, prioritize and resolve security incidents to restore the normal state

Policy
Policy - set of guidelines used to achieve goals

Pharming
Pharming - aka domain spoofing. Advanced form of phishing where the attacker redirects the connection

Risk Management
Risk Management - set of policies and procedures to identify, assess, prioritize, minimize and control risks

Risk Assessment
Risk Assessment - refers to identification of the risk, estimating impact, and recommending mitigation measures

Risk Mitigation
Risk Mitigation - strategic approach to preparing to handle risks and reduce impact

Risk Determination
Risk Determination - crucial task in risk assessment. Complex process based on various tangible and intangible factors

Risk Management plan
Risk Management plan - defined as a process designed to identify, eliminate and mitigate risks

Skimming
Skimming - stealing credit/debit card numbers by using special devices called skimmers

Threat Assessment
Threat Assessment - process of examining, filtering, modeling threat data to extract threat intelligence

Vulnerability Assessment
Vulnerability Assessment - vulnerability management - scans, knowledge of vulnerabilities, open ports, misconfigurations. It is the examination of the ability of a system, including current security controls and procedures, to withstand assault
Vulnerability assessment phase
Vulnerability assessment phase - refers to identifying vulns in the infrastructure

Eradicating email
Eradicating email: use DNS filtering, disable automatic downloads, new accounts

Threat intelligence
Threat intelligence - identify and mitigate various risks

Identify risk by performing threat and vulnerability assessment
Identify risk by performing threat and vulnerability assessment

BEST PRACTICES IH&R - OWASP
BEST PRACTICES IH&R - OWASP - 1) Audit 2) Create response team 3) Create documented IR plan 4) Identify triggers 5) Investigate problem 6) Triage and mitigate 7) Recovery 8) Document and report 9) Process review 10) Practise

BEST PRACTICES IH&R - ENISA (European)
BEST PRACTICES IH&R - ENISA (European): 1) Develop workflow 2) Develop IH process 3) Legal officer 4) Monitor network 5) Incident identification 6) Final classification 7) Up-to-date policies 8) Eradication and recovery

BEST PRACTICES IH&R - GPG18 and Forensics Readiness Planning
BEST PRACTICES IH&R - GPG18 and Forensics Readiness Planning - 1) must develop a forensics plan 2) which should be owned by a director 3) should seek a standard for forensics. 12 in total

Post incident activities
Post incident activities - 1) incident documentation 2) incident impact assessment 3) review and revise policies 4) close investigation 5) incident disclosure

Incident impact assessment
Incident impact assessment - determining losses (all types), finding the list of affected devices; the financial impact will help determine motive and perpetrator

DATE AND TIME are volatile
DATE AND TIME are volatile

Malware is the most common threat
Malware is the most common threat - separate infected systems

Malware detection: Live systems/dynamic analysis
Malware detection: Live systems/dynamic analysis - analyzing live systems in operation. Behavioral analysis. Detects changes to the entities in the system

Malware detection: memory dump/static analysis
Malware detection: memory dump/static analysis - analysis of a memory dump or binary code

Malware detection: Intrusion analysis
Malware detection: Intrusion analysis - analysis of logs and alerts from systems

Guidelines for malware incidents:
Guidelines for malware incidents: educate, security policy, deal with it ASAP, monitor USB and downloads, subscribe to security bulletins, effective backup plan

Mail storming
Mail storming - like a bug, without human intervention, auto-forwarding

Preparation for email incidents includes
Preparation for email incidents includes - TRAINING AND AWARENESS PROGRAM

Network Unauthorized access Incidents include:
Network Unauthorized access Incidents include: recon attacks, sniffing and spoofing, DNS/ARP poisoning, firewall and IDS evasion attacks, brute force

Only educating employees can protect from social engineering
Only educating employees can protect from social engineering

Permanent DoS aka...
Permanent DoS aka PHLASHING. Causes irreversible damage by sending a fake hardware update (method called bricking the system)

DRDoS
DRDoS - Distributed Reflection DoS - the attacker uses corrupted systems to make calls (one more "hop")
Eradication of WIRELESS using WPA2 with...
Eradication of WIRELESS using WPA2 with AES/CCMP

Preparation for cloud
Preparation for cloud - besides the obvious: do not disclose the location of the database unless necessary

DNS attacks
DNS attacks: 1) DNS poisoning - spoofed website 2) cybersquatting - phishing with a domain with a similar name 3) domain hijacking - stealing a CSP domain name 4) domain sniping - registering a name just after expiration

Containment of CLOUD:
Containment of CLOUD: block communication with external networks; route services through backup; block IPs and compromised accounts; stop vulnerable services

Eradicating of CLOUD:
Eradicating of CLOUD: remove malware files; deny access to compromised accounts; enable 2FA, CAPTCHA; enforce SLA for patching; run vuln scans and config audits

Recover after CLOUD:
Recover after CLOUD: install from a clean backup; enable compromised accounts after changing passwords; restart after installation of updates that are permissioned by stakeholders!

Common OUTSIDERS attacks: eavesdropping and wiretapping
Common OUTSIDERS attacks: eavesdropping and wiretapping - listening in, e.g. by corporate spies; can use sniffers

Common OUTSIDERS attacks: Creation of false dossiers and misinformation
Common OUTSIDERS attacks: Creation of false dossiers and misinformation - spreading misleading information

Common OUTSIDERS attacks: Intimidating existing employees
Common OUTSIDERS attacks: Intimidating existing employees - get personal info and then blackmail

Common OUTSIDERS attacks: Data theft and spoliation
Common OUTSIDERS attacks: Data theft and spoliation - corporate spies or insiders extract sensitive data in bulk using hidden files, USB

Common OUTSIDERS attacks: pod slurping
Common OUTSIDERS attacks: pod slurping - tools run from a USB or other storage device to scan for confidential data

Best practices against CLOUD:
Best practices against CLOUD: SLA; AICPA SAS 70 Type II Audit; strong key generator

Web 2.0 technologies are used to improve business efficiency and support critical business functions
Web 2.0 technologies are used to improve business efficiency and support critical business functions

Causes of WEB:
Causes of WEB: 1) Insecure coding 2) Configuration errors 3) Platform vulnerabilities 4) Logic errors

!!! LDAP injections are used to achieve
LDAP injections are used to achieve: login bypass, information disclosure, privilege escalation, information alteration

To test if the app is vulnerable to LDAP injection, send a query meant to generate invalid input. If the server returns an error, an attacker can exploit it with injection
To test if the app is vulnerable to LDAP injection, send a query meant to generate invalid input. If the server returns an error, an attacker can exploit it with injection

We can detect web attacks by looking at response codes
We can detect web attacks by looking at response codes - 302 redirects, so there is a chance an invalid request was redirected to somewhere critical

Incident responders can look for file access attempts by grepping the log file for /etc/passwd
Incident responders can look for file access attempts by grepping the log file for /etc/passwd

Containment of WEB:
Containment of WEB: enable blackhole (block all traffic after a threshold); increase server capacity; define level of load; deny unnecessary access; negotiate to buy time; identify entry points
WEB containment methods (3):
WEB containment methods (3): Whitelisting/blacklisting; Web content filtering: prevents users from visiting malicious sites; Proxy servers: to prevent IP blocking or maintain anonymity, useful to monitor and control traffic

Eradicating WEB services attacks:
Eradicating WEB services attacks: SOAP; configure WSDL access control permissions; document-centric authorization; detect web services anomalies and signature detection; filter improper SOAP and XML; maintain and update the security repo for XML schemas

Eradicating CAPTCHA attacks:
Eradicating CAPTCHA attacks: don't make CAPTCHA solutions directly accessible by the client; disable CAPTCHA reuse; use a well-established CAPTCHA implementation; include random letters; encrypt; use multiple fonts to increase complexity

Eradicating Directory traversal:
Eradicating Directory traversal: define access rights to protected areas; apply checks/hot fixes to prevent exploitation of vulns; update

Eradicating Watering hole Attacks:
Eradicating Watering hole Attacks: secure DNS servers; analyze user behaviour

Eradicating CSRF:
Eradicating CSRF: log off after use; don't use login details; check the HTTP Referer header and ignore URL parameters when processing POST

Eradicating Cookie/Session poisoning attack
Eradicating Cookie/Session poisoning attack: implement cookie timeouts; cookie auth should be associated with IP; make a logout function available

Recovery after WEB:
Recovery after WEB: identify vulns; scan web app resources; patched backup version; define access control values

Best practices for SECURE CODING WEB APPS
Best practices for SECURE CODING: permit nodes <OBJECT>, disable <IFRAME>; limit script activity; limit length of input; terminate previous login sessions; track user login and activity history; terminate old sessions; encrypted cookies during transmit

Fuzz testing against:
Fuzz testing against: buffer overflow, DoS, XSS, SQL injection
