├── .gitignore ├── CYSA-Exam-Guide-Second-Edition ├── README.md ├── The-Importance-of-Threat-Data-and-Intelligence.md ├── Threat-Intelligence-in-Support-of-Organizational-Security.md ├── Threats-and-Vulnerabilities-Associated-with-Operating-in-the-Cloud.md ├── Threats-and-Vulnerabilities-Associated-with-Specialized-Technology.md ├── Vulnerability-Assessment-Tools.md └── Vulnerability-Management-Activities.md ├── Effective-Cybersecurity ├── Chapter1.md └── README.md ├── LICENSE ├── Objectives-Explained ├── README.md ├── Security-Operations │ ├── Infrastructure-Concepts │ │ ├── Containerization.md │ │ ├── Serverless.md │ │ └── Virtualization.md │ ├── Log-Ingestion │ │ ├── Logging-Levels.md │ │ └── Time-Synchronization.md │ ├── Network-Architecture │ │ ├── Cloud.md │ │ ├── Hybrid.md │ │ ├── Network-Segmentation.md │ │ ├── On-Premises.md │ │ ├── Secure-Access-Secure-Edge.md │ │ ├── Software-Defined-Network.md │ │ └── Zero-Trust.md │ ├── OS-Concepts │ │ ├── File-Structure.md │ │ ├── Hardware-Architecture.md │ │ ├── System-Hardening.md │ │ ├── System-Processes.md │ │ └── Windows-Registry.md │ └── README.md └── exam-objectives.pdf ├── README.md ├── TryHackMe ├── Active-Directory-Basics.md ├── Cyber-Kill-Chain.md ├── Diamond-Model.md ├── MITRE.md ├── Nessus.md ├── Pyramid-of-Pain.md └── README.md └── _assets ├── BiancosPyramidOfPain.png ├── ICS-example.jpg ├── IaaS-Model.jpg ├── PaaS.jpg ├── Process_Memory.jpg ├── Process_States.jpg ├── SaaS-Model.jpg └── THMPyramidOfPain.png /.gitignore: -------------------------------------------------------------------------------- 1 | # Open files 2 | *.swp 3 | 4 | -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/README.md: -------------------------------------------------------------------------------- 1 | # CySA Exam Guide Second Edition 2 | 3 | *CompTIA CySA+ Cybersecurity Analyst Certification Exam Guide Second Edition (Exam CS0-002)* By Brent Chapman and Fernando J. Maymi -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/The-Importance-of-Threat-Data-and-Intelligence.md: -------------------------------------------------------------------------------- 1 | # The Importance of Threat Data and Intelligence 2 | 3 | ## Introduction 4 | 5 | - threat data leads to threat intelligence when processed by quality analysts 6 | - threat intelligence = knowledge of malicious actors and their behaviors 7 | - cyber threat intelligence = *actionable knowledge and insight on adversaries and their malicious activities enabling defenders and their organizaitons to reduce harm through better security decision-making* 8 | 9 | ## Foundations of Intelligence 10 | 11 | | Discipline | Name | Description | 12 | | ---------- | ---- | ----------- | 13 | | SIGINT | Signals Intelligence | Intercepts of electronic communications | 14 | | HUMINT | Human Intelligence | Intel gathered from all human sources | 15 | | OSINT | Open Source Intelligence | Collection of publicly available information in any form | 16 | | MASINT | Measurement and Signature Intelligence | Non-SIGINT data and imagery intel | 17 | | GEOINT | Geospatial Intelligence | Imagery and geospatial data | 18 | | All Source | All Source | All data available on a subject from all of the above disciplines | 19 | 20 | ## Intelligence Sources 21 | 22 | - the reality of the commercial space is that intelligence sources are limited (not so much in government) 23 | - a combination of free and paid intelligences sources tends to be a winning combination in industry 24 | 25 | ### Open Source Intelligence 26 | 27 | - OSINT must be free and legitimately acquired 28 | - OSINT helps keep security professionals on the same page as industry trends 29 | - used to discover threat indicators for specific actors 30 | - used by pentesters for discovering potential attack vectors or weaknesses 31 | - OSINT is helpful for malicious actors because it allows them gather intelligence without directly interacting with the target 32 | - passive reconnaissance = process of gather intelligence about an entity without interacting with it directly 33 | 34 | #### Google 35 | 36 | | Operator | Results | Example | 37 | | -------- | ------- | ------- | 38 | | site: | limited to specified domain | site:github.com | 39 | | inurl: | specified contents must exist within url | inurl:/willisman31 | 40 | | filetype: | results are only of the specified file type | filetype:pdf | 41 | | intitle: | pages with the indicated text in their tile | intitle:Github | 42 | | link: | results that contain a link to the indicated url | link:github.com/willisman31 | 43 | | cache: | results contain only google's latest cached copies of results | cache:github.com/willisman31 | 44 | 45 | - further google dorking operators can be found [here](https://hackr.io/blog/google-dorks-cheat-sheet) 46 | - visiting the google results during recon will leave a trace of your presence 47 | - to avoid leaving a trace, use the Google-cached version 48 | 49 | #### Internet Registries 50 | 51 | - internet registries are needed in order to manage domains and IP addresses and prevent conflicts and overlaps 52 | 53 | ##### Regional Internet Registries 54 | 55 | | Registry | Geographic Region | 56 | | -------- | ----------------- | 57 | | AFRINC | Africa and parts of the Indian Ocean | 58 | | APNIC | Portions of Asia and Oceania | 59 | | ARIN | Canada, US, parts of North American islands | 60 | | LACNIC | Latin American, parts of North American islands | 61 | | RIPE NCC | Europe, Middle East, Central Asia | 62 | 63 | - Regional Internet Registries (RIRs) = corporations that control assignment of IPs; each has their own geographic region of responsibility as denoted above 64 | - RIRs get their authority from the Internet Corporation for Assigned Names and Numbers (ICANN) 65 | 66 | ##### Domain Name System (DNS) 67 | 68 | - DNS = mechanism for assigning domain names to servers 69 | - translates (human-readable) domain names into server addresses 70 | - gain information about live DNS data using the following tools: 71 | - nslookup 72 | - host 73 | - dig 74 | - DNS harvesting = process of interrogating DNS servers to discover information about a network 75 | - zone transfer = copying of DNS data across multiple DNS servers 76 | - zone transfers are a frequent point of exploitation because they are accepted by default 77 | - managed by access control lists (ACLs) 78 | - can be initiated by another DNS server or from a client 79 | - domain registration requires that the registrant provide details about themself (can be individual or organization) 80 | - details include the following: 81 | - name 82 | - phone number 83 | - email contact 84 | - DNS information 85 | - mailing address 86 | - these details can be harvested using a tool called WHOIS and are public by default 87 | - some registrars (companies/agents who indirectly lease domains from ICANN) provide private registration so that registrant details point to the registrar rather than the end client 88 | 89 | #### Job Sites 90 | 91 | - job site members provide lots of private information freely 92 | - harvesting of this information is typically trivial 93 | - leads to easy phishing campaigns 94 | - companies also make themselves vulnerable by using job sites- if a company is looking for a SME or admin with a particular experience, it's likely that the company uses those technologies 95 | 96 | #### Social Media 97 | 98 | - Reddit and Twitter in particular are useful sources of rapidly updated information about live events 99 | - social media sites are also useful mediums for gathering target and attacker information based on their public personas 100 | - social engineering also makes use of social media both as a platform for attack and for targetting specific individuals using personal information mined off these sites 101 | 102 | ### Proprietary/Closed Source Intelligence 103 | 104 | - never rely on a single source in intel gathering 105 | - reduces confirmation bias 106 | - helps ensure more successful campaigns as intel is more accurate 107 | - OSINT is often best used to corroborate closed source data 108 | 109 | #### Internal Network 110 | 111 | - analysis of internal network activity helps establish a baseline for activity 112 | - internal network data can come from the following sources: 113 | - DNS 114 | - VPNs 115 | - firewalls 116 | - authentication logs 117 | 118 | #### Classified Data 119 | 120 | - make sure that your closed source data is being protected before, during, and after you're done analyzing it 121 | - classified data in particular requires additional protections beyond the scope of this section 122 | 123 | #### Traffic Light Protocol 124 | 125 | - Traffic Light Protocol (TLP) = color coded designations for information sharing 126 | - created by UK National Infrastructure Security Coordination Center (NISCC) 127 | - Not a control scheme, just a guideline 128 | 129 | | Color | Usage | Sharing | 130 | | ----- | ----- | ------- | 131 | | Red - not for disclosure; for participant use only | use only when information cannot be acted upon by 3rd parties | not for disclosure beyond initial exchange | 132 | | Amber - limited disclosure within participant org | requires support in order to be acted upon | to be shared only within participant org | 133 | | Green - limited disclosure within community | useful for spreading awareness within community | share with peers and partner orgs, not with general public | 134 | | White - unlimited disclosure | little or no risk of damage from release | distributable without restriction | 135 | 136 | ## Characteristics of Intelligence Source Data 137 | 138 | - no such thing as comprehensive intelligence source- multiple sources must always be used to supplement and check each other 139 | - prioritize data that can be used to produce *actionable*, *timely*, *consistent* results 140 | - good intel has 3 elements: 141 | 1. timeliness 142 | 2. relevance 143 | 3. accuracy 144 | - noise generation and intel failure is inversely proportional to those 3 elements 145 | - all commercial intelligence sources are too generic to be used alone 146 | 147 | ### Timeliness 148 | 149 | - intelligence that is delivered too late is not actionable 150 | 151 | ### Relevancy 152 | 153 | - prepare threat intel for the appropriate audience 154 | - provide details that are most actionable to the parties who will receive the intel 155 | 156 | ### Accuracy 157 | 158 | - obviously anything you're presenting as truth should be maximally accurate 159 | - this means keeping assumptions to an absolute minimum if not eliminating them entirely 160 | 161 | ## Confidence Levels 162 | 163 | - intelligence providers use 3 levels of analytic confidence 164 | - these levels acknowledge incomplete or fragmented information 165 | - these are human judgements, not objective quantitative measurements 166 | 167 | | Level | Description | 168 | | ----- | ----------- | 169 | | High | based on high quality info; still possibly incorrect | 170 | | Moderate | credible source and plausible; not good enough for high confidence | 171 | | Low | too fragmented or incomplete as basis of solid analytic inferences; may be concerns about source(s) | 172 | 173 | ## Indicator Management 174 | 175 | - indicator = observable artifact on a network 176 | - include both data and context 177 | 178 | ### Indicator Lifecycle 179 | 180 | - vet the indicator -> decide if indicator is valid 181 | - research origin, determine usefulness and reliability 182 | - sharing threat data can help industry security operations 183 | 184 | ## Structured Threat Information Expression 185 | 186 | - Structured Threat Information Expression (STIX) = MITRE-led effort to communicate threat data in common language 187 | - STIX 2.0 framework has 12 SDOs (STIX Domain Objects) and 2 SROs (STIX Relationship Objects) 188 | - under framework, analysts show relationships between SDOs using SROs 189 | - visually representable with JSON 190 | - simple structure of data storage allows easy integration into automations 191 | 192 | ### SDOs 193 | 194 | #### Attack Pattern 195 | 196 | - attack patterns are a part of an attacker's TTPs (tactics, techniques, and procedures) 197 | - a combination of actions, not just a single event 198 | - useful for describing types of attacks and *how* they are executed 199 | 200 | #### Campaign 201 | 202 | - collection of behaviors against a type of target over a set period of time 203 | - campaign = attacks over a finite period that share the same attacker, victim (or victims), and type of attack 204 | 205 | #### Course of Action 206 | 207 | - preventative measures or reactions addressing an attack 208 | - includes both technical and policy implementations 209 | 210 | #### Identity 211 | 212 | - representation of individuals, organizations, groups 213 | - may be entity specific (a person or organization name) or industry- or sector-wide 214 | - the targets 215 | 216 | #### Indicator 217 | 218 | - observable data used to detect suspicious activity in an environment (network, system, device, etc.) 219 | - must be accompanied by context in order to be useful 220 | 221 | #### Intrusion Set 222 | 223 | - compilation of a single entity's behaviors/TTPs/properties 224 | - focus on resources and patterns of behavior rather than identity of the attacker 225 | - different from campaigns because they are not bound by a set timeframe 226 | 227 | #### Malware 228 | 229 | - malicious software 230 | - type of TTP 231 | 232 | #### Observed Data 233 | 234 | - any observable artifacts derived from a system or network 235 | - this is not quite information- it is raw data 236 | - information falls short of intelligence 237 | 238 | #### Report 239 | 240 | - finished intelligence product detailing aspect(s) of a security event 241 | - may reference other SDOs 242 | - ties in relevant details to explain what happened 243 | 244 | #### Threat Actor 245 | 246 | - individuals/groups behind malicious activities 247 | - sophistication, PII, motivations can all be tied into this object 248 | - understanding goals of a threat actor can help predict their movements 249 | 250 | #### Tool 251 | 252 | - software used in a campaign 253 | - tools are NOT malware; may include common software development utilities or systems administration mechanisms 254 | - can be more difficult to protect against because legitimate users may also use the utility and commercial protection mechanisms may not recognize it as a threat 255 | 256 | #### Vulnerability 257 | 258 | - software mistake 259 | - exploited by attacker for unauthorized access 260 | - different from malware; may be targetted by malware 261 | 262 | ### SROs 263 | 264 | #### Relationship 265 | 266 | - connection between SDOs 267 | - explains how they interact 268 | - below is an EXAMPLE of some common relationships 269 | 270 | | Source SDO | Relationship SRO | Target SDO | 271 | | ---------- | ---------------- | ---------- | 272 | | campaign | attributed to | threat actor | 273 | | malware | targets | identity | 274 | | attack pattern | uses | malware | 275 | | course of action | mitigates | vulnerability | 276 | | indicator | indicates | tool | 277 | 278 | #### Sighting 279 | 280 | - provides information about an SDO 281 | - heavy focus on quantitative details: 282 | - last occurrence 283 | - first occurence 284 | - frequency 285 | - number of occurences 286 | - where were the occurrences 287 | - next step up from observed data 288 | 289 | ### Trusted Automated Exchange of Indicator Information (TAXII) 290 | 291 | - defines how threat data are shared between partners 292 | - supports STIX data with API design 293 | - 3 models for sharing: 294 | 1. hub and spoke -> end users share data with hub by pulling and/or pushing to it 295 | 2. source/subscriber -> subscribers pull down data from source- data flows outward only 296 | 3. peer-to-peer -> peers share with each other in network 297 | - 2 services: 298 | 1. collections = interface for SDO storage 299 | 2. channels = pathways for clients to publish data to other clients 300 | 301 | ### OpenIOC 302 | 303 | - framework created by Mandiant (or FireEye- who knows anymore?) to organize attacker TTP info and other IOCs (Indicators of Compromise) 304 | - machine-readable format for easy sharing and automation 305 | - 3 main components: 306 | 1. IOC metadata = indexing and reference info about IOC; includes author name, IOC name, description 307 | 2. reference = describe how IOC fits into an environment and sharing guidelines 308 | 3. description = everything else; the "meat" of the indicator 309 | 310 | ## Threat Classification 311 | 312 | - incident = any activity that results in some form of harm to the system or increases likelihood of breach of confidentiality 313 | - identifying incidents starts with establishing a baseline of normal system activity 314 | - make an incident response plan 315 | 316 | ### Known Threats vs. Unknown Threats 317 | 318 | - AV software, IPSs, IDSs, etc. use 2 mechanisms for detecting malicious activity 319 | 1. signature-based = using historical data collected on known threats 320 | 2. heuristic analysis = observe behavior as it happns and determine from there if the activity is malicious 321 | - leverage sandbox environments for testing executables and suspicious files 322 | - absence of evidence != evidence of absence 323 | - just because there is no malicious activity detected does not mean that there is none 324 | - reduce assumptions to improve accuracy 325 | - one option is to treat everything as untrusted 326 | 327 | #### Zero Day 328 | 329 | - zero day vulnerability = software flaw unknown to the developer 330 | - zero day exploit = code written to take advantage of zero day vulnerability 331 | 332 | ##### The Emergence of the Exploit Marketplace 333 | 334 | - recent increase in zero day exploits 335 | - due to their value, zero day exploits are sold in black markets to criminal groups that can profit from leveraging them 336 | - bug bounty programs are the other side of the same coin- software development companies pay distributed markets for first crack at their own zero days so they can be resolved before criminal exploitation 337 | 338 | ##### Preparation 339 | 340 | - no single solution can protect anyone or anything completely 341 | - layer defenses and prevent single points of failure 342 | - even with an incident response plan, organizations should have proactive operations to deal with security threats 343 | - info sources on software bugs: 344 | - SANS Internet Storm Center 345 | - CERT Coordination Center at Carnegie Mellon 346 | 347 | #### Advanced Persistent Threat (APT) 348 | 349 | - APT = stealthy continuous, usually coordinated, hacking effort 350 | - usually orchestrated by a government or organization with extensive resources 351 | - goal is to maintain long term access to target systems while evading detection 352 | 353 | ##### Advanced 354 | 355 | - well-equiped, well-trained, well-funded; APTs coordinate many sources of information to gather intelligence on a target 356 | 357 | ##### Persistent 358 | 359 | - individual operators have a good understanding of their role in a campaign or hacking effort and can pinpoint weak spots through long-term engagement 360 | 361 | ##### Threat 362 | 363 | - APT campaigns serve a larger purpose than a single cyber event in a bubble- there is a broader goal in mind and an attack represents just one step in achieving that goal 364 | - because APTs are by definition advanced, successful organizations will very often share information about them so that they can be combatted on a bigger scale 365 | 366 | ## Threat Actors 367 | 368 | - threat actors are a diverse bunch in terms of sophistication, resources, and intent among other things 369 | 370 | ### Nation-State Threat Actors 371 | 372 | - these are the most sophisticated threats because of the resources, manpower, training, and support that can be provided to offensive programs 373 | - with huge budgets, they can buy or develop their own zero days with great frequency 374 | - may involve private businesses as contractors 375 | - may incorporate false flags into their campaigns to avoid be identified by defenders 376 | - simple intelligence operations for one nation may appear to another as a threat actor 377 | 378 | ### Hactivists 379 | 380 | - attackers with a specific cause or purpose they are supporting outside of the government space 381 | - typically reliant on large participation in order to be effective 382 | - little (if any) emphasis on stealth or monetary incentives 383 | - commonly attack availability of a system 384 | 385 | ### Organized Crime 386 | 387 | - driven by monetary incentives 388 | - selling intellectual property 389 | - ransoming assets 390 | - stealing compute for crypto-mining 391 | - generally low-risk operations with high return on investment 392 | - growth of cryptocurrencies have allowed money to be moved more easily 393 | 394 | ### Insider Threat Actors 395 | 396 | - threat actors that work from within an organization (pretty self-explanatory) 397 | - traditional security perimeters are ineffective 398 | - solutions to combat them must be multi-dimensional and layered 399 | 400 | #### Intentional 401 | 402 | - organization members with privileged access of some sort who wish to use their access for money or revenge 403 | - combat with role based access control 404 | - monitor anomalous network activity 405 | - remove employee access upon termination 406 | 407 | #### Unintentional 408 | 409 | - human error or negligence can make people unwitting threat actors 410 | - mistakes happen, good controls can limit the damage done 411 | 412 | ## Intelligence Cycle 413 | 414 | - 5-or 6-step method for converting raw data into actionable intelligence 415 | - cycle is continuous and can progress without total completion of the previous step 416 | 417 | ### Requirements 418 | 419 | - question identification, prioritization, and refinement 420 | - planning and direction as needed 421 | 422 | ### Collection 423 | 424 | - data is collected to fill gaps in intelligence 425 | - setting up data sources inside and outside of the system 426 | 427 | ### Analysis 428 | 429 | - making sense of collected data 430 | - utilize automation, trained professionals, or other means of data processing 431 | - output of this phase is actionable intelligence 432 | 433 | ### Dissemination 434 | 435 | - distributing of requested intelligence 436 | - requesters can then utilize the processed intelligence as demanded by their organizational goals 437 | 438 | ### Feedback 439 | 440 | - each phase includes a refinement; feedback phase is a dedicated part of the cycle when the team can reformulate their processes to improve 441 | - self-appraisal as well as appraisal by client (whomever requested the intelligence) 442 | 443 | ## Commodity Malware 444 | 445 | - pervasive malware made available for sale to other threat actors 446 | - horizontal integration is about as common in organized crime as it is in modern business- just because a group can build malware doesn't also mean that they're optimized to profit from its delivery 447 | 448 | ### Malware-as-a-Service 449 | 450 | - malware built to order 451 | - may include customer support, regular updates, bug fixes (Windows = malware /s) 452 | - often cloud-hosted to offer better service to buyers 453 | 454 | ## Information Sharing and Analysis Communities 455 | 456 | - different industries have dedicated security-specialized communities for sharing information 457 | - ISAC = information sharing and analysis community 458 | - some examples are included below: 459 | 460 | | Industry | Name | 461 | | ----------- | ---- | 462 | | Automotive | Auto-ISAC | 463 | | Aviation | A-ISAC | 464 | | Communications | NCC | 465 | | Electricity | E-ISAC | 466 | | Elections Infrastructure | EI-ISAC | 467 | | Financial Services | FS-ISAC | 468 | | Health | H-ISAC | 469 | | Information Technology | IT-ISAC | 470 | | MultiState | MS-ISAC | 471 | 472 | - ISAOs (Information Sharing and Analysis Organizations) = public organizations for sharing security information not specific to a given industry -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/Threat-Intelligence-in-Support-of-Organizational-Security.md: -------------------------------------------------------------------------------- 1 | # Threat Intelligence in Support of Organizational Security 2 | 3 | ## Intro 4 | 5 | - alert fatigue = too many false alarms, leading to decrease in responsiveness from incident responders 6 | - adding more layers of threat intelligence increases context for events and decreases false alarms 7 | 8 | ## Levels of Intelligence 9 | 10 | - security efforts should impair the ability of threat actors to attack or damage the organization 11 | - threat intelligence needs to work to anticipate attacker actions 12 | - various levels of threat intelligence must exist so as to inform different levels of an organziation's hierarchy to take appropriate actions 13 | 14 | | Level | Description | 15 | | ----- | ----------- | 16 | | Strategic | Highest level of intelligence; used to inform organization leaders of key concerns; not overtly technical | 17 | | Operational | Who/when/what are we defending and for how long? What should be done to achieve strategic goals and what resources do we need? | 18 | | Tactical | Precisely what are the defenders doing in response to actions by attackers; highly actionable level of intel | 19 | 20 | ## Attack Frameworks 21 | 22 | - frameworks add structure to thought processes and aid in understanding concepts, timelines, and motivations of attackers 23 | - better understanding of attackers means it is easier for defenders to stop them 24 | 25 | ### MITRE ATT&CK 26 | 27 | - MITRE = federally-funded research organization with cybersecurity specialty 28 | - created the following systems and frameworks: 29 | - Cyber Observable eXpression (CybOX) 30 | - Common Vulnerabilities and Exposures (CVE) 31 | - Trusted Automated Exchange of Intelligence Information (TAXII) 32 | - Structured Threat Information Expression (STIX) 33 | - ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge 34 | - has 3 flavors: 35 | 1. Enterprise ATT&CK = *SEE BELOW* 36 | 2. PRE-ATT&CK = TTPs used by attackers before launching an attack 37 | 3. Mobile ATT&CK = TTPs used by attackers to get at mobile platforms 38 | 39 | #### Enterprise ATT&CK 40 | 41 | - most widely used and relevant ATT&CK model 42 | - 12 categories: 43 | 1. Initial Access - how they get into your network/system 44 | 2. Execution - run malicious code on your system 45 | 3. Persistence - maintain presence on your system 46 | 4. Privilege Escalation - gain positions of higher privilege 47 | 5. Defense Evasion - maneuvers used to avoid detection 48 | 6. Credential Access - gathering of names, passwords, tokens 49 | 7. Discovery - increase understanding of network/system 50 | 8. Lateral Movement - pivot and gain access to other systems on network/subsystems 51 | 9. Collection - capture of artifacts 52 | 10. Command and Control - taking control of your system by attackers 53 | 11. Exfiltration - getting your data our of your system by attackers 54 | 12. Impact - what is done by attackers to destroy or damage your system/network 55 | - common language is important for communicating across teams 56 | - hundreds of techniques across categories 57 | - [MITRE ATT&CK Navigator](https://mitre.github.io/attack-navigator/enterprise/) 58 | - allows tracking of techniques, tactics, and offenders who commonly utilize them 59 | 60 | ### The Diamond Model of Intrusion Analysis 61 | 62 | - developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz to emphasize relationships and characteristics between the following: 63 | 1. Adversary 64 | 2. Capability 65 | 3. Victim 66 | 4. Infrastructure 67 | - model is dynamic, adjusts with adversary actions 68 | - model integrates with 7 axioms which capture the nature of all threats (supposedly): 69 | 70 | | Axiom | Conclusion | 71 | | ----- | ---------- | 72 | | Every intrusion is trying to produce a result which furthers the goals of the adversary | Every incident involves the 4 components of the diamond model and can be mapped against them | 73 | | There are adversaries that want to compromise systems for their own benefit | Threat actors are always there; if we know what they want, we can better protect our systems | 74 | | Every system has vulnerabilities and exposures | No technology is purely safe with no exceptions | 75 | | All malicious activity has at least 2 ordered aspects required for successful exploitation | Dependencies must be fulfilled in successful attacks; break the chain, break the attack | 76 | | External resources are needed in every successful attack | Preventing attackers from effectively leveraging these resources will limit the effectiveness of their attempts | 77 | | There is always some kind of prior relationship between victim and attacker | Attacks are becoming more and more difficult to execute, so attackers will only dedicate much time to victims that hold significance to them | 78 | | There is a subset of attackers capable of and motivated in sustaining prolonged malicious efforts against any given victim; these are *persistent adversaries* | Determining which operations require long-term access in order to succeed can help defenders combat them | 79 | 80 | ### Kill Chain 81 | 82 | - phased model which organizes enemy activities in a military operations 83 | - common example is F2T2EA (Find, Fix, Track, Target, Engage, Assess), born from Air Force need for responsive, agile framework to improve air strike response times 84 | - cyber kill chains exist as well to break down attack stages to help defenders pinpoint where in an attack they can develop the most effective countermeasures 85 | 86 | #### Lockheed Martin Cyber Kill Chain 87 | 88 | - developed in 2011 as whitepaper by security team members 89 | - help defenders build layers of security to thwart attacks at any stage 90 | - loose map, not a definitive blueprint of attack chains 91 | - consists of 7 steps: 92 | 1. Reconnaissance - gather as much information as possible on the target; may be either passive or active 93 | - defenders need to know what information about their org is available and how it can be leveraged against them 94 | 2. Weaponization - transformation of information gathered in reconnaissance into attacks 95 | - hard for defenders to intervene because this stage occurs almost entirely on the attacker side 96 | - best hope is usually to try to extrapolate possible attacks from data that could have been exposed 97 | 3. Delivery - transmission of weaponized attack; phishing emails, MITM attacks, tainted USB injection are examples of delivery mechanisms 98 | - combination of technical controls and policies help prevent successful attack delivery 99 | 4. Exploitation - leveraging of the delivered payload by the attacker; includes *execution* of payload 100 | - least privilege and patching known vulnerabilities are often successful at limiting impact 101 | 5. Installation - placement of backdoor or agent to allow persistence for the attacker 102 | - endpoint detection/monitoring programs help protect against known mechanisms for persistent access 103 | 6. Command and Control (C2) - attacker creates a channel to access system remotely in perpetuity 104 | - C2 agents have a common traffic pattern which makes it possible to determine when they're present on a network; while they may try to encrypt their way around inspection, defenders who know what's going on within their network should be able to find see this traffic quickly 105 | - common channels are DNS, HTTP, and email 106 | 7. Actions on Objectives - the reason the defender bought the ticket in the first place: accomplishing their goal 107 | - data loss prevention software may be successful against some attackers 108 | - redundant and TESTED backups can help recovery 109 | 110 | ## Threat Research 111 | 112 | - growing field as security frameworks, teams, and practices mature 113 | - ask questions, answer them, rinse and repeat 114 | 115 | ### Reputational 116 | 117 | - malware signatures and IP and domain reputations help defenders filter high risk traffic from their network 118 | - information is leveraged with firewalls, gateways, intrusion detection systems (IDSs), among others 119 | - reputation of URLs, domains, and IPs can be established with free and commercial services 120 | - higher scores are associated with higher rates of security incidents 121 | - Google offers a basic version of this service, notifying users before they access sites that are suspected of being controlled by malicious actors 122 | - Google subsidiary, VirusTotal, offers reliable results on URLs and file hashes and comes with a nifty API 123 | - Cisco's Talos team proivdes a reputation center with lookup capabilities 124 | 125 | ### Behavioral 126 | 127 | - just observing what an artifact does rather than trying to reverse engineer it 128 | - done using isolated environments or sandboxes 129 | - Cuckoo Sandbox = common open source sandbox tool 130 | - REMnux = Linux distro for malware reverse engineering 131 | - may be a pointless exercise if the malware has been engineered to change its behavior when it detects it's in a sandbox 132 | 133 | ### Indicator of Compromise 134 | 135 | - IoC = artifact which shows possibility of attack or compromise; 2 components: 136 | 1. data 137 | 2. context 138 | - Pyramid of Pain (shown below), created by David Bianco to categorize IoCs, the higher in the pyramid defenders attack the IoCs the more difficult it is for attackers to overcome 139 | 140 | ![Bianco's Pyramid of Pain](../_assets/BiancosPyramidOfPain.png "Bianco's Pyramid of Pain") 141 | 142 | ### Common Vulnerability Scoring System (CVSS) 143 | 144 | - framework used to standardize the severity of a given vulerability 145 | - de facto standard (likely to appear on exam) 146 | - 3 metric groups: 147 | 1. base = characteristics that remain constant over time 148 | 2. temporal = characteristics that change with time 149 | 3. environmental = characteristics unique to a user's environment 150 | 151 | ## Threat Modeling Methodologies 152 | 153 | - procedural approach to thinking like the attacker 154 | - create various prototypes of possible attackers and try to find weak points they may exploit 155 | - the goal shapes the approach, some models may seek holistic improvements, others may target very specific points in the system 156 | - threat models should be an input in the earliest stage of SDLC (Systems Development Lifecycle) 157 | - ensures greater emphasis on potential threats 158 | - greatest influence on system architecture 159 | 160 | ### Adversary Capability 161 | 162 | - understand what a potential attacker can do to you 163 | - who's attacking, why, how 164 | 165 | ### Total Attack Surface 166 | 167 | - logical and physical space that can be targeted by attacker 168 | - mapping is an important step towards understanding exposed surface 169 | - analysis of attack surface is done by other security professionals 170 | - analysts are more concerned about how architecture can be changed to accomodate this 171 | 172 | ### Attack Vector 173 | 174 | - find the most likely path to the jewels 175 | - done with red teaming, tabletop exercises, visualization 176 | - cut out the paths in as many places as possible 177 | 178 | ### Impact 179 | 180 | - potential damage arising from a single security incident 181 | - mechanism for communicating risk 182 | 183 | ### Likelihood 184 | 185 | - chance of successful exploitation of a vulnerability 186 | 187 | ### STRIDE 188 | 189 | - threat modeling framework with 6 categories invented in 1999 by Microsoft 190 | 191 | | Threat | Property | Definition | 192 | | ------ | -------- | ---------- | 193 | | Spoofing | Authentication | impersonation of an entity | 194 | | Tampering | Integrity | improperly modifying data | 195 | | Repudiation | Nonrepudiation | claiming not to have performed an action nor knowing who did | 196 | | Information Disclosure | Confidentiality | exposing data to unauthorized parties | 197 | | Denial of Service | Availability | denying or degrading service or other resources to legitimate users | 198 | | Elevation of Privilege | Authorization | improperly gaining capabilities | 199 | 200 | ### PASTA 201 | 202 | - Process for Attack Simulation and Threat Analysis (PASTA) = risk-focused threat modeling framework 203 | - aims to align technical requirements with business goals 204 | 205 | | Stage | Key Tasks | 206 | | ----- | --------- | 207 | | Define Objectives | identify business objectives and security requirements; perform business impact analysis | 208 | | Define Technical Scope | record infrastructure, application, and software dependencies and technical environment scope | 209 | | Application Decomposition | identify use cases, actors, assets, services, roles, and data sources; create data flow diagrams | 210 | | Threat Analysis | Analyze attack scenarios; perform threat intel correlation, analytics | 211 | | Vulnerability and Weaknesses Analysis | catalog vulnerability reports; map known vulnerabilities; perform design flaw analysis | 212 | | Attack Modeling | analyze complete attack surface | 213 | | Risk and Impact Analysis | qualify and quantify business impact; catalog mitigations; identify residual risk | 214 | 215 | ## Threat Intelligence Sharing with Supported Functions 216 | 217 | ### Incident Response 218 | 219 | - incident response is a position for more experienced security professionals due to wide breadth of knowledge needed for functions 220 | - speed is a necessity for a successful program 221 | - playbooks and automated responses are gaining popularity as a result 222 | - repeatable, scalable, reliable processes are the goal 223 | 224 | ### Vulnerability Management 225 | 226 | - every system has vulnerabilities, dilligence is needed to identify these vulnerabilities and patch them 227 | - NIST's National Vulnerability Database (NVD) lists all vulnerabilities known to NIST (though admittedly later than they are known to the general public), in an attempt to make it easy for defenders to know if they have active vulnerabilities in their environments 228 | - threat intelligence adds an operational context to these vulnerabilities, answering whether these vulnerabilities are actively being exploited by attackers 229 | - it's not about what can be exploited, it's about what is likely to be exploited; totally impenetrable security is virtually impossible, so the goal is to prioritize the easiest and likeliest paths to exploitation and block them 230 | - some free sources for intelligence related vulnerabilities are listed below: 231 | 232 | | Type | Description | 233 | | ---- | ----------- | 234 | | Information Security Sites | Vendor blogs and disclosres | 235 | | Social media | Twitter is a great location to pick up news on the latest vulnerabilities, exploits, and attack patterns | 236 | | Code repos | GitHub has lots of PoCs | 237 | | Paste sites | Pastebin, Ghostbin, and others often host lists of exploits | 238 | 239 | ### Risk Management 240 | 241 | - risk is understood in terms of impact and probability 242 | - threats are described with the following: 243 | - capability 244 | - intent 245 | - opportunity 246 | - risk management teams try to predict the future 247 | - threat intelligence is a tool they use to *attempt* to do this 248 | - again, prioritization is the name of the game; here, it's about assets 249 | 250 | ### Security Engineering 251 | 252 | - threat intelligence offers insight into the effectiveness of security implementations within an organization 253 | - TI feedback can be analyzed and acted upon engineers to build better systems 254 | 255 | ### Detection and Monitoring 256 | 257 | - threat intelligence helps teams make better decisions because they have the context needed to understand what's going on outside of their immediate environment that could impact them; this insight helps teams know what to look for on their systems and networks 258 | - it's about seeing the forest for the trees -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/Threats-and-Vulnerabilities-Associated-with-Operating-in-the-Cloud.md: -------------------------------------------------------------------------------- 1 | # Threats and Vulnerabilities Associated with Operating in the Cloud 2 | 3 | - the cloud needs to be defended just like any other infrastructure 4 | - understanding the threats, vulnerabilities, and responsibilities in the cloud is critical for defenders 5 | 6 | ## Cloud Service Models 7 | 8 | - Software as a Service (SaaS) - vendor manages software, storage, infrastructure 9 | - Platform as a Service (PaaS) - vendor manages platform on which software is deployed to internet 10 | - Infrastructure as a Service (IaaS) - vendor manages hardware only, consumer determines configurations, platform and software 11 | 12 | ### Shared Responsibility Model 13 | 14 | - describes which party is responsible for which aspects of security within the cloud 15 | - different cloud services and CSPs (Cloud Service Providers) offer different levels of security 16 | 17 | ### Software as a Service 18 | 19 | - most common software delivery method 20 | - users are responsible for data protection, vendor covers the rest 21 | ![SaaS Technology Stack](../_assets/SaaS-Model.jpg "SaaS Technology Stack Areas of Responsibility") 22 | - three common types of vulnerabilities which affect SaaS products are the following: 23 | 1. visibility - organizations need to know where their data is going in order to manage it 24 | 2. management - IAM; who gets to see what data and when 25 | 3. data flow - know where the data goes, once it's out it's gone 26 | - define the boundaries of where data is supposed to and allowed to go 27 | 28 | #### Security as a Service (SECaaS) 29 | 30 | - security services offered like SaaS cloud model 31 | - similar to MSSPs 32 | 33 | ### Platform as a Service 34 | 35 | - build your own coded application using our environment 36 | ![PaaS Technology Stack](../_assets/PaaS-Model.jpg "PaaS Technology Stack Areas of Responsibility") 37 | - you need to build secure applications and trust that your cloud vendor has good processes in place to protect their areas of responsibility 38 | 39 | ### Infrastructure as a Service 40 | 41 | - a step further down the ladder and closer to the metal in terms of how much the customer controls 42 | ![IaaS Technology Stack](../_assets/IaaS-Model.jpg "IaaS Technology Stack Areas of Responsibility") 43 | - the closer you get to the bottom of the stack, the more control you have and the more vulnerabilities you have to manage yourself 44 | 45 | ## Cloud Deployment Models 46 | 47 | - choose a model that fits your risk appetite, goals, and assets 48 | 49 | ### Public 50 | 51 | - you share infrastructure/computing resources with public organizations (Microsoft, Google, Amazon, etc.) 52 | 53 | ### Private 54 | 55 | - the same organization owns all the infrastructure being used 56 | - common in very big organizations that have sensitive data (government contractors, banks, large manufacturers will often have private clouds to share between internal projects) 57 | 58 | ### Community 59 | 60 | - infrastructure is shared across a select few organizations 61 | - often built for orgs operating in the same environment 62 | - ex. Azure's Government Community Cloud (GCC) 63 | 64 | ### Hybrid 65 | 66 | - combination of private and public cloud models 67 | - common for banks, who will often have services open to the public and lots of data that they want to control entirely 68 | 69 | ## Serverless Architecture 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/Threats-and-Vulnerabilities-Associated-with-Specialized-Technology.md: -------------------------------------------------------------------------------- 1 | # Threats and Vulnerabilities Associated with Specialized Technology 2 | 3 | - attackers look for the easiest path to exploitation 4 | - once all the easy ways in are remediated, the attackers are likely to move on to an easier target (unless there's something very special about your assets) 5 | - common flaws found way too frequently: 6 | - missing patches/updates 7 | - misconfigured firewall rules 8 | - weak passwords 9 | 10 | ## Access Points 11 | 12 | - WAPs are some of the most commonly vulnerable network components 13 | - BYOD policies pose a challenge for security teams 14 | - WEP is insecure and should NEVER be used in a secure network 15 | - rogue WAPs can be connected to a network unless additional protections are implemented 16 | - IEEE 802.1X standard should be implemented 17 | - client authentication required 18 | - granular access controls 19 | - minimum patch/update requirements for connected clients 20 | 21 | ## Virtual Private Networks 22 | 23 | - VPNs connect devices that are on different networks as though they are on the same 24 | - VPN connections are made using several special protocols: 25 | - Internet Protocol Security (IPSec) 26 | - Layer 2 Tunneling Protocol (L2TP) 27 | - Transport Layer Security (TLS) 28 | - Datagram Transport Layer Security (DTLS) (Cisco devices) 29 | - VPNs can expose corporate networks to dangers by allowing untrusted, unpatched, and infected devices to connect from anywhere 30 | - we can keep out untrusted connections by requiring a preinstalled certificate on clients 31 | - we can keep out unpatched connections by implementing Network Access Control to actively check update status of clients before connecting 32 | 33 | ## Mobile Devices 34 | 35 | - given their uniquely privileged access to private data, they are a lucrative target for attackers 36 | - mobile devices are much more susceptible to physical theft than other computing mediums 37 | - "physical access is total access" - it's much harder to protect data when it's literally in the hands of attackers 38 | - three categories of mobile vulnerabilities: 39 | 40 | ### Network Vulnerabilities 41 | 42 | - 2 network entries: 43 | - attacks from poorly configured/built mobile networks 44 | - attacks on the mobile device's mobile interface 45 | - when the network infrastructure itself is exploited, everyone who uses it is vulnerable 46 | - this is especially problematic when threat actors have government-level control over these networks 47 | - attacks on mobile interfaces are rare, but high impact events 48 | 49 | ### Device Vulnerabilities 50 | 51 | - vulnerabilities to a physical device can be absolutely devastating because the only remediation is to get a new device 52 | - a really cool example of this is the rowhammer attack 53 | - this attack is based on how dynamic RAM (DRAM) is accessed in modern computers where a small electrical signal changes leaks to nearby cells in memory whenever a certain cell is accessed. In theory, this can be leveraged into privilege escalation by creating a large enough electrical charge to change specific memory addresses. Realistically, it's basically impossible in any practical setting, but it does show that virtually all hardware is susceptible to attack 54 | 55 | ### Operating System Vulnerabilities 56 | 57 | - developers aim to limit time between patch release and installation; attackers want the reverse so they maximize the time that an exploit is viable 58 | - window of vulnerability = time between vulnerability discovery and patch installation 59 | - Android devices tend to have larger windows of vulnerability because of the need to coordinate across multiple vendors 60 | - iOS doesn't have this problem because of its centralization 61 | 62 | ### App Vulnerabilities 63 | 64 | - quick software development cycles tend to cause more vulnerabilities 65 | - later sections will cover this more deeply 66 | 67 | ### Improper Platform Usage 68 | 69 | - it is not unusual for developers to take shortcuts in app development that cause vulnerabilities 70 | - when developers make mistakes, whether from misunderstanding or laziness, it can lead to vulnerabilities 71 | 72 | ### Insecure Data Storage 73 | 74 | - privacy and security are risked when data is not handled carefully 75 | - data at rest and in motion must be protected; common problems include: 76 | - world readable files 77 | - improper logging 78 | - secretly generated analytics 79 | 80 | ### Insecure Authentication 81 | 82 | - local authentication means locally stored passwords 83 | - when passwords are stored locally, they are outside of the control (and protection) of an app/platform/software developer 84 | - insufficient password policies increase the likelihood of exploitation 85 | 86 | ### Insecure Authorization 87 | 88 | - inaccurate permissions for resources to which any user or role should have access 89 | - order of authentication is also important- if an API call can be completed before authentication, it's also an authorization issue 90 | 91 | ### Code Quality Vulnerabilities 92 | 93 | - code reuse means potentially reusing old mistakes and vulnerabilities 94 | - increased dependence on third party libraries means that attackers just need to poison one pool to affect many apps 95 | - code review with SMEs is an effective step to ensure code quality 96 | - code should not be able to run if it has been manipulated after deployment 97 | - prevents injections 98 | 99 | #### Messaging Platforms 100 | 101 | - example of RCE from WhatsApp 2019 102 | - app vulnerability could be leveraged to attack the entire device 103 | 104 | ## Internet of Things 105 | 106 | - IoT devices are generally non-traditional computing devices; in enterprise settings, they (theoretically) make processes more efficient 107 | - common enterprise IoT devices include: 108 | - CCTV cameras 109 | - smart thermostats and lighting devices 110 | - printers 111 | - provide visibility into status of assets, but also increase attack surface 112 | - patches are tough to install on these devices, but are still important for security 113 | - default passwords should be changed before the devices are put into use 114 | 115 | ### The Mirai Botnet 116 | 117 | - botnet that targets IoT devices for DDoS attacks 118 | - in 2016 it took down a bunch of popular websites 119 | - creating strong passwords and closing unused ports are really effective protections 120 | 121 | ### Medical Devices 122 | 123 | - PoCs have been developed to act on medical IoT devices, but none have been found in the wild 124 | - despite the fact that none have been exploited, they should still be strongly protected 125 | 126 | ## Embedded Systems 127 | 128 | - these systems are run by firmware or hardwired instructions 129 | - since the code that they run is so deeply engrained in them, it is very hard to remediate vulnerabilities and monitor their activity centrally 130 | 131 | ### Real-Time Operating Systems 132 | 133 | - a RTOS is used for low-latency output for input 134 | - used in vehicles, manufacturing equipment, aircraft 135 | - used heavily for optimizing task scheduling 136 | 137 | ### System on a Chip 138 | 139 | - combination of software and hardware in a single integrated circuit and processor 140 | - hardware verifications must be performed as well as software verfications 141 | - hardware and software are tightly coupled 142 | 143 | ### Field Programmable Gate Array 144 | 145 | - programmable chips for a variety of specialized functions 146 | - processes are defined using hardware description language (HDL) which may be a target for attack 147 | 148 | ## Physical Access Control 149 | 150 | - combination of hardware and logical artifacts to authenticate a user based on credentials 151 | - RFID badges and card readers are very common for this 152 | - when physical access is controlled by only one protection, it is usually possible to overcome 153 | - if a door is controlled by a badging scheme, the badge may be forged, the reader may be hacked, or, depending on implementation, the attacker may simply remove the reader and open the door by immitating the electical pulse sent by the reader to signify a successful read 154 | - spoofing by replay or cloning is a common attack 155 | - replays are done by repeating an authentic packet or communication to receive the same access 156 | - cloning is done by copying some information or artifact to emulate its functionality 157 | 158 | ## Connected Vehicles 159 | 160 | - connected vehicles add new vulnerabilities besides the traditional hardware problems 161 | - detection and remediation is very difficult 162 | 163 | ### CAN Bus 164 | 165 | - CAN Bus = controller area network; defines control of systems by vehicle components usually with ECUs (electronic control units) 166 | - has no ingrained security 167 | - highly susceptible to MITM attacks 168 | 169 | ### Drones 170 | 171 | - remote control of drones is susceptible to attack 172 | - drones can be used for cheap surveillance or denial of service attacks on physical aviation 173 | 174 | #### Hardware Security 175 | 176 | - hardware components for drones can be easily swapped out with those from an attacker 177 | - secure storage is important for preventing attacks on hardware 178 | 179 | #### Communications Channels Security 180 | 181 | - drones that communicate over networks have the same vulnerabilities as those networks 182 | - direct and encrypted communication can help prevent this 183 | 184 | #### Web Portal Security 185 | 186 | - the portals used to take control of drones via a web app are also a potential attack vector 187 | 188 | ## Industrial Control Systems 189 | 190 | - cyber systems which control physical behaviors 191 | ![ICS Example](../_assets/ICS-example.jpg "Example of ICS infrastructure") 192 | - heavily reliant on firmware 193 | - updates and patches are super difficult to deploy, they typically cannot be centralized or automated and require downtime 194 | - default passwords are difficult to change and are publicized by the vendor 195 | 196 | ### Vulnerabilities in Interconnected Networks 197 | 198 | - every endpoint on a network is a potential entry point for attackers, limit your endpoints and segment your networks 199 | 200 | ## SCADA Devices 201 | 202 | - SCADA = Supervisory Control and Data Acquisition system; type of ICS used for controlling and monitoring widely distributed (by area) devices 203 | - used for transmissions and pipelines 204 | - historically reliant on obscurity for security 205 | - reliance on remote stations for transmissions 206 | 207 | ### Modbus 208 | 209 | - prioritizes functionality over security in communications 210 | - de facto standard for communicating between PLCs 211 | - easy to intercept, replay, and forge packets 212 | 213 | ## Process Automation Systems 214 | 215 | - PAS = workflow automation system (WAS); automate day-to-day business processes 216 | - when complex processes or those with edge cases are automated, the possibility for exploitation is high 217 | -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/Vulnerability-Assessment-Tools.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Assessment Tools 2 | 3 | - you don't need to know every tool in detail, just when and how to use each class of tool 4 | 5 | ## Web Application Scanners 6 | 7 | - scan from perspective of outside user 8 | - only scan for vulnerabilities and exploits that have had a plug-in developed and installed 9 | - given the broad usage of web app scanners, it would be useful to be able to develop specialized tests for your specific environment using the scanner's programming language 10 | 11 | ### OWASP Zed Attack Proxy (ZAP) 12 | 13 | - OWASP = Open Web Application Security Project 14 | - ZAP sits between user browser and web app collecting and modifying packets to test app responses 15 | 16 | ### Burp Suite 17 | 18 | - map and analyze web app vulnerabilities 19 | - combines automated and manual testing 20 | - paid version offers greater automation 21 | 22 | ### Nikto 23 | 24 | - focused on SQL and command injection, XSS, and misconfigurations 25 | - CLI utility- no GUI 26 | - fast if you know what you're doing 27 | 28 | ### Arachni 29 | 30 | - speed-focused web scanner 31 | - parallel scanning 32 | - performs "meta-analysis" to reduce false positives 33 | - needs only a target URL to start scanning 34 | 35 | ## Infrastructure Vulnerability Scanners 36 | 37 | - modern scanners can only find vulnerabilities they know about; in order to know about a vulnerability, a plug-in or extension must be built and installed for it; as a scanner learns about tens of thousands of vulnerabilities, it grows to be an enormous size 38 | - understand tradeoffs made between agent-based and server-based and between authenticated and unauthenticated 39 | 40 | ### Nessus 41 | 42 | - created and maintained by Tenable 43 | - 80k+ plug-ins 44 | - plug-ins are written using Nessus Attack Scripting Language (NASL) 45 | - Nessus subscription service offers updated plug-ins daily for vulnerabilities discovered within 24 hours 46 | - can be accessed/controlled from browser 47 | - can be aimed at one or multiple devices specified by IP or IP range with CIDR notation 48 | - offers compliance checks 49 | - details are included on each discovered vulnerability 50 | 51 | ### OpenVAS 52 | 53 | - Open Vulnerability Assessment System = OpenVAS; includes vulnerability identification and management 54 | - free and open source framework based on early Nessus project 55 | - 47k+ network vulnerability test (NVTs) 56 | - interface in browser 57 | - provides details of detected vulnerabilities and confidence of detection 58 | 59 | ### Qualys 60 | 61 | - Qualys is a security company 62 | - QualysGuard is a vulnerability assessment and management SaaS product 63 | - interface in browser 64 | - offers several report templates 65 | 66 | ## Software Assessment Tools and Techniques 67 | 68 | - number of vulnerabilties correlates with software program size 69 | - the following methods are used to detect software vulnerabilities: 70 | - static analysis 71 | - dynamic analysis 72 | - reverse engineering 73 | - fuzzing 74 | - multiple assessment types should be used in tandem to decrease the number of missed vulnerabilities 75 | 76 | ### Static Analysis 77 | 78 | - examining application code without executing it 79 | - static analysis is done by automation, code review is done by humans 80 | - OWASP **Lapse+** looks for vulnerabilities in java code 81 | - static analysis by automation rarely uncovers runtime errors 82 | 83 | ### Dynamic Analysis 84 | 85 | - what does the program *do* 86 | - typical method is to sandbox the program and see what happens 87 | - faster and cheaper, easier to perform 88 | 89 | ### Reverse Engineering 90 | 91 | - turn an executable binary into higher level code to better understand it 92 | - discover dependencies, expected input, inefficiencies and dangerous code 93 | 94 | #### Engineering and Reverse Engineering 95 | 96 | - programs are written in "high-level" code (Java, C#, etc.) 97 | - these programs are then compiled (using a "compiler") into assembly language 98 | - assembly language is then assembled (using an "assembler") into machine code 99 | - machine code is run by the CPU 100 | - reverse engineering reverses this process from machine code, to assembly, to high level code 101 | 102 | ### Fuzzing 103 | 104 | - sending a lot of random and garbage input to program to make it break 105 | - rarely purely random, common flaws are targeted - null input, overflow, mistyped data 106 | 107 | #### untidy 108 | 109 | - XML fuzzer 110 | - transforms valid XML before inputting it 111 | 112 | #### Peach Fuzzer 113 | 114 | - uses XML modules called "pits" 115 | - configurable; must have settings adjusted before testing 116 | 117 | #### Microsoft SDL Fuzzers 118 | 119 | - no longer supported 120 | - fuzzers created by Microsoft to be part of SDLC toolset for verification phase 121 | 122 | ## Enumeration Tools and Techniques 123 | 124 | - network scans look to determine what is open on a network 125 | - horizontal scans look for different available hosts 126 | - vertical scans look for different available ports on a single host 127 | 128 | ### nmap 129 | 130 | - network mapper 131 | - CLI or GUI options 132 | - Zenmap = Windows GUI 133 | - NmapFE = Linux GUI 134 | - Xnmap = MacOS GUI 135 | - not the most rich scans, but offer very precise results and scripting extensions 136 | 137 | ### hping 138 | 139 | - built on ping function 140 | - offers packet analysis for TCP, UDP, ICMP 141 | - traceroute functionality 142 | - IP fragmentation 143 | 144 | ### Passive vs Active Enumeration Techniques 145 | 146 | - passive enumeration - gain info without direct interaction 147 | - ex. whois, nslookup, dnsrecon 148 | - active enumeration - direct interfacing with target 149 | 150 | ### nslookup 151 | 152 | - basically a DNS interface 153 | - resolves IP address of a host FQDN 154 | - can do reverse as well 155 | - obtain DNS records/data 156 | 157 | ### responder 158 | 159 | - poisons name services 160 | - gathers hashes and credentials within its network 161 | - if a Windows host is unable to resolve a hostname with DNS, it falls back on LLMNR or NBT-NS 162 | - LLMNR = Link-Local Multicast Name Resolution 163 | - NBT-NS = NetBIOS-Name Service 164 | - both services are used to resolve hostnames from other clients on local network 165 | - CLI tool 166 | 167 | ## Wireless Assessment Tools 168 | 169 | - while networks are typically more secure when wireless isn't an option, implementing this policy is not usually feasible 170 | - for WLAN analysis, WLAN interface card connects to wireless access point (WAP) 171 | - interfacing card is in client mode 172 | - WAP is in master mode 173 | - AKA infrastructure mode 174 | - interface card will have management permissions for all WLAN configs 175 | - mesh mode = allows interface to negotiate directly with interfaces in ad hoc mode 176 | - ad hoc mode = client interfaces with no master 177 | - monitor mode = see all available WLANs and their characteristics without joining them 178 | - know your devices - keep track of your WAPs, know what is normal, know your settings and why they're there 179 | - record your clients and authenticate 180 | - authenticate with WPA Enterprise and IEEE 802.1X 181 | 182 | ### Aircrack-ng 183 | 184 | - open source suite of wireless tools for auditing WLAN security 185 | - offers the following attacks: 186 | - WPA keys 187 | - replay attacks 188 | - deauthentication 189 | - fake access point creation 190 | - with the right hardware: 191 | - wireless monitoring 192 | - wireless injection 193 | - packet captures 194 | 195 | ### Reaver 196 | 197 | - wireless protocols have well known flaws 198 | - Reaver takes advantage of WPS (Wi-Fi protected setup) feature 199 | - WPS uses a PIN which is split in half for validation 200 | - since the sample space is half the size, it is exponentially easier for Reaver to guess 201 | - CLI tool 202 | - attack can be prevented by disabling WPS feature which is not necessary for wireless network 203 | 204 | ### oclHashcat 205 | 206 | - graphics card-optimized version of hashcat used for cracking passwords 207 | - graphics cards allow for lots of parallel processes 208 | - supports the following attack modes: 209 | - brute-force attack - guess every combination until right one is found 210 | - combinator attack - combine different words/strings from dictionary to find password 211 | - dictionary attack - guess password using entries from a list of common passwords 212 | - hybrid attack - basically a combinator attack, one side is dictionary attack, the other is brute-force 213 | - mask attack - dictionary attack where certain placeholders are replaced with other chars 214 | - ex. dictionary entry is "password" mask attack might guess "p@$$w0rd" 215 | - rule-based attack - make guesses based on rules for password, so you might make a rule that says every password must be a certain length, have at least one digit, one uppercase, lowercase, etc. 216 | 217 | ## Cloud Infrastructure Assessment Tools 218 | 219 | - cloud services have their own unique set of vulnerabilities 220 | - data spillage 221 | - instance takeover 222 | 223 | ### Scout Suite 224 | 225 | - open source tool by NCC Group to determine security posture of cloud assets in GCP, AWS, and Azure 226 | - works with platform API 227 | - requires configuration for specific environment 228 | 229 | ### Prowler 230 | 231 | - scalable and repeatable means to determine security readiness 232 | - built for AWS platform 233 | - checks for best practices divided into the following groups: 234 | - IAM 235 | - Logging 236 | - Monitoring 237 | - Networking 238 | - CIS Level 1 239 | - CIS Level 2 240 | - Forensics 241 | - GDPR 242 | - HIPAA 243 | 244 | ### Pacu 245 | 246 | - built by Rhino Security Labs for AWS 247 | - easy to build on 248 | - open source on GitHub 249 | - used in pentesting and compliance assurance 250 | -------------------------------------------------------------------------------- /CYSA-Exam-Guide-Second-Edition/Vulnerability-Management-Activities.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Management Activities 2 | 3 | ## Vulnerability Identification 4 | 5 | - vulnerability scanning = automation of security checks against org's systems; point out weaknesses in system 6 | - key aspect of network security 7 | - single purpose tools, do not analyze context, can't chain exploits (so a bunch of small vulnerabilities that can create a big hole only appear as small vulnerabilities), they don't act like an attacker- they act like an automated system searching for a predetermined list of potential vulnerabilities 8 | 9 | ### Regulatory Environments 10 | 11 | - many organizations are forced to operate under the control of laws, rules, and regulations of governments, industry groups, or other regulatory bodies 12 | - orgs within regulatory environments generally have to deal with compliance in some way, and that compliance often has a security aspect 13 | 14 | #### ISO/IEC 27001 Standard 15 | 16 | - The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly maintain this standard on Information Security Management Systems (ISMS) 17 | - VERY common voluntary standard 18 | - three stages of certification: 19 | 1. desk-side audit to ensure documentation for vulnerability management 20 | 2. implementation audit to ensure documentation is followed 21 | 3. surveilance audit ensures that implementation is continued 22 | 23 | #### Payment Card Industry Data Security Standard (PCI DSS) 24 | 25 | - applies to all orgs who process credit card payments from the five major issuers: 26 | - Visa 27 | - Mastercard 28 | - Amex 29 | - Discover 30 | - JCB 31 | - requirement 11 focuses on regular testing of security systems and processes 32 | - requires internal and external scans every quarter and whenever significant changes are implemented 33 | - high risk vulernabilities must be resolved 34 | 35 | #### Health Insurance Portability and Accountability Act (HIPAA) 36 | 37 | - creates penalties for failure to protect protected health information (PHI) 38 | - requires orgs to conduct vulnerability assessments and implement reasonable security measures 39 | 40 | #### Corporate Security Policy 41 | 42 | - high level statement of security policy within an org established by senior management 43 | - accompanied by issue-specific and system-specific security policies that prescribe security implementations at a slightly more detailed level with smaller scope 44 | 45 | ### Data Classification 46 | 47 | - classification tag specifies sensitivity of data to which it is attached 48 | - outside of the government, data classification levels are specified at a company-level 49 | - additional governance exists for classified data for government and contractor data that are not included here 50 | - common levels include the following: 51 | - private - could raise personal privacy concerns 52 | - confidential - data could seriously damage organization 53 | - proprietary (or sensitive) = data could cause some damage, not major 54 | - public - no adverse effect of release 55 | - classification levels should not overlap 56 | - classification levels should consider the following factors: 57 | - level of damage caused by disclosure 58 | - level of damage caused by loss of integrity 59 | - lost opportunities 60 | - regulatory requirements 61 | - data age 62 | - relevance of data to security posture 63 | 64 | ### Asset Inventory 65 | 66 | - you can't protect what you don't know about 67 | - inventory includes anything of value to an org 68 | - determining value tends to be more difficult than establishing inventory 69 | 70 | #### Servers 71 | 72 | - losing track of everything on a server leaves it vulnerable to attacks on obscure pre-installed apps (*cough cough* Windows Server *cough*) 73 | - misconfigurations and ignoring unused features leaves servers vulnerable to exploits on those services 74 | - need everything you use and secure everything you use and remove the dross because it just provides more attack surface 75 | - shadow IT = unmonitored activities by other members of an org to add functionality that security and sys admin teams are unaware of and thus don't secure 76 | 77 | #### Endpoints 78 | 79 | - devices used by end-users 80 | - most common entry point into a network 81 | - the decentralized, unmanaged distribution and use of these devices has historically made them a very weak point for many security operations 82 | 83 | #### Critical Assets 84 | 85 | - everything needed to perform essential functions of an org 86 | - must be heavily defended because the org relies on them for revenue 87 | 88 | #### Noncritical Assets 89 | 90 | - not imperative for successful security operation 91 | - lower priority than critical assets 92 | - always consider the business implications of security decisions 93 | 94 | ### Active vs Passive Scanning 95 | 96 | - scanning = method to learn about a network/system/device through its responses 97 | - scanner come in one of three flavors: 98 | 1. network mappers 99 | 2. host/port scanners 100 | 3. web app vulnerability scanners 101 | - (not from book:) active scanning = poke the devices and see what comes back 102 | - (also not from book:) passive scanning = monitor what happens on a network or system without stimulating it directly 103 | 104 | ### Mapping/Enumeration 105 | 106 | - network mapping aims to understand network layout (topology discovery): 107 | - perimeter networks 108 | - demilitarized zones (DMZs) 109 | - key network devices 110 | - steps for mapping: 111 | - sweep the network - see what devices are online; commonly done with *NMap* 112 | - after a sweep an attacker may make a second pass to fill in details on interesting results 113 | 114 | #### Port Scanning 115 | 116 | - port scanners = programs for probing open ports on a host 117 | - used for service discovery 118 | - OS may be inferred based on OS fingerprinting done by some port scanners (not always reliably) 119 | 120 | #### Web App Vulnerability Scanning 121 | 122 | - web app vulnerability scanner = automated tool for scanning web apps for security vulnerabilities including SQLi, CSRF, command injection, and improper server configs, among others 123 | - additional features for these scanners may be implemented with plug-ins and APIs 124 | - these scanners have become commonly used by genuine attackers, not just red teamers 125 | 126 | ## Scanning Parameters and Criteria 127 | 128 | - no single solution as to optimal scanning frequency - it's about the why 129 | - make the calculations up front about when is best for the business, how often is sufficient, and so on 130 | - setting up periodic rather than ad hoc scans also provides you with a better understanding of exactly what you security posture is 131 | 132 | ### Risks Associated with Scanning Activities 133 | 134 | - risk appetite = amount of risk a business is willing to accept 135 | - find the balance between acceptable risk and acceptable resource expenditure to minimize those risks 136 | - risk can never be zero, so there must be some tradeoff 137 | 138 | ### Regulatory Requirements 139 | 140 | - scanning frequency requirements may be handed to you by regulations 141 | - semiannual scans are considered a **minimum** by industry experts 142 | - probably as a condition of "acceptable security" 143 | 144 | ### Technical Constraints 145 | 146 | - security operations are constrained by a number of factors: personnel, time, compute, etc. 147 | - technical constraints are those on personnel and computational resources like memory space or compute time 148 | - identifying constraints is a good first step 149 | - increasing scans is possible when constraints are greater than the current operation uses 150 | 151 | ### Workflow 152 | 153 | - establishing consistent patterns of work within security teams helps to ensure that all of their tasks are completed with regularity and consistency 154 | - when defenders know what to expect, then deviations from the norm become even more obvious 155 | 156 | ### Sensitivity Levels 157 | 158 | - even when conducting security assessments, it's important that the process of scanning or any other operations do not violate individual security 159 | - example: scanning, finding, and saving an employee's plain text list of passwords on their work computer 160 | - security should also not compromise assets in a way that lowers their value 161 | - example: if a security scan (or other operation) hurts the availability of a server processing payments, then there needs to be a mechanism to pick up the slack from that server while it's being scanned 162 | 163 | ### Vulnerability Feed 164 | 165 | - different feeds will eventually have all the same vulnerabilities, but they may pick them up sooner or later than one another 166 | - pick a feed that closely matches with your scanning frequency 167 | - since vulnerabilities will be reported between scans, security professionals need to determine whether an out-of-cycle scan is worth the trouble in order to justify the extra cost 168 | 169 | ### Scope 170 | 171 | - managing the scope of a scan is important both from a cost perspective and for managing the availability of assets 172 | 173 | ### Noncredentialed vs Credentialed 174 | 175 | - noncredentialed scans look at the environment from the perspective of an outsider/unauthorized user 176 | - black box 177 | - more realistic, more secure 178 | - less insight into the environment 179 | - credentialed scan does the opposite, uses perspective of insider/permitted entity 180 | - white box 181 | - credentialed scans should not get full admin rights unless absolutely necessary to achieve full scope (should be a rarity if it happens ever) 182 | 183 | ### Server-Based vs Agent-Based 184 | 185 | - agent-based scanners require process(es) running on the scanned device 186 | - take up compute from each device 187 | - server-based scanners do not require processes to run on scanned devices 188 | - require more network bandwidth 189 | 190 | ### Internal vs External 191 | 192 | - external scanners look at devices from outside of the (local) network 193 | - see what most attackers will see 194 | - internal scanners look from within the network 195 | - large corporations may have massive internal networks so the possibility of an infiltration is higher 196 | - internal scanners are usually surplus to all but the largest networks 197 | 198 | ### Types of Data 199 | 200 | - when reporting on data discovered from scans, consider the following: 201 | - intended audience 202 | - regulatory requirements 203 | - prioritized assets 204 | 205 | ### Tool Updates and Plug-Ins 206 | 207 | - since new vulnerabilities are discovered all the time, keeping scanners up to date with these vulnerabilities is what makes them effective 208 | - plug-in = simple program that looks for the presence of a single flaw 209 | 210 | ### SCAP 211 | 212 | - Security Content Automation Protocol (SCAP) = NIST-developed standard for vulnerability management 213 | - scanners can be SCAP certified and have SCAP module appropriate to an environment 214 | - enables automation 215 | 216 | ### Special Considerations 217 | 218 | - scanners need their own set of permissions in order to run on a network (aside from credentialed/noncredentialed considerations) 219 | - some kind of service account is best for this 220 | - make sure that your scan isn't being picked up by IDS/IPS on network 221 | - scanners have their own set of vulnerabilities that can be attacked 222 | - these need to be patched and managed just like the rest of the system 223 | 224 | ## Intrusion Prevention System, Intrusion Detection System, and Firewall Settings 225 | 226 | - vulnerability scanning and IDS/IPS/firewalls don't play well together 227 | - whitelisting scanners and publishing planned scans can help limit friction between security teams/systems 228 | 229 | ### Generating Reports 230 | 231 | - vulnerability scans need to end with an actionable report of vulnerabilities in the scanned system 232 | - automate report formatting, statistics, distribution as admin 233 | 234 | #### Automated vs Manual Distribution 235 | 236 | - unless you are the only security person/admin, automate distribution of scan reports so that the right people get the right information as soon as possible 237 | 238 | #### Validation 239 | 240 | - once the report is in the hands of an analyst, it needs to be validated for accuracy 241 | - once distributed to the first tier of security professionals and sysadmins, the validity of every reported vulnerability needs to be ensured before it goes any further 242 | 243 | #### True Positives 244 | 245 | - when an accurate vulnerability report comes through, analysts need to determine the fastest, most effective way of solving the problem that aligns with business needs 246 | 247 | #### Compare to Best Practices or Compliance 248 | 249 | - the Defense Information Systems Agency (DISA) of the DoD creates Security Technical Implementation Guides (STIGs) which are combined with NSA guides for configuration standards for the DoD 250 | - STIGs guide system hardening efforts 251 | - not all STIGs are open to the public- some require PKI certs 252 | 253 | #### Reconcile Results 254 | 255 | - take notes on everything: they will make your life so much easier 256 | - what you did 257 | - why you did it 258 | - why it worked/didn't work 259 | - notes help investigations 260 | 261 | #### Review Related Logs and/or Other Data Sources 262 | 263 | - correlate scanning results with expected state of system/network 264 | - not just in terms of vulnerabilities, but everything; example: if a port isn't supposed to be open and is, even if it isn't a "vulnerability" it's still a problem 265 | - review of logs will help determine whether vulnerabilities have already been exploited 266 | - Security Information and Event Management (SIEM) tools help correlate all of this 267 | 268 | #### Determine Trends 269 | 270 | - somehow track how vulnerabilities have changed over time on your system/network (either through built-in scanning/SIEM functionality or your own tooling) 271 | - ticketing software can also help track vulnerabilities over time 272 | 273 | #### False Positives 274 | 275 | - false positives cause small issues in small orgs with a few dozen/hundred endpoints, but they are multiplied in large orgs with thousands/tens of thousands of endpoints 276 | - ensuring that tests check the right indicators can limit these errors 277 | - check the assumptions of the program 278 | - custom systems have higher rates of false positives because more assumptions of the scanner devs are wrong 279 | 280 | #### True Negatives 281 | 282 | - true negatives are awesome: no vulnerability is the best vulnerability 283 | - impossible to prove: absence of evidence is not evidence of absence 284 | 285 | #### False Negatives 286 | 287 | - incorrect assertion of absence of a vulnerability 288 | - type 2 error 289 | - results in false sense of security 290 | - possible causes include: 291 | - incorrect type of scan initiated 292 | - vulnerability is too new 293 | 294 | ### Remediation 295 | 296 | - scanners try to provide as much detail about discovered vulnerabilities as possible 297 | - remediation should be begun as soon as possible 298 | - continuous, thoughtful, thorough, and iterative processes are needed for maximally effective remediation of vulnerabilities 299 | - add notes on remediation efforts to scan results and reports 300 | 301 | #### Patching 302 | 303 | - patching is a necessary evil because of the tradeoff between downtime and security 304 | - the predictability of patching cycles and the delay between patch release and installation convinced Microsoft to move away from its regular cycles and focus auto-updates instead 305 | - limiting the resultant downtime from system restarts might also be a good idea 306 | 307 | #### Prioritizing 308 | 309 | - given the number of vulnerabilities that may discovered from any scan, there needs to be some method for determining which will be dealt with first 310 | - considerations should be given to technical capacity of security team and business goals among others 311 | 312 | #### Criticality 313 | 314 | - Nessus and OpenVAS provide basic severity scores to help sysadmins and sec analysts make determinations on what needs to be attended first 315 | 316 | #### Hardening 317 | 318 | - dynamic process to make it harder to break into networks/systems to begin with, and harder to stay hidden if successful 319 | - balance usability and security 320 | - if you focus too much on security, you negate the business benefits of security because the asset becomes unusable 321 | - there needs to be parallel focus on both security and usability, it is possible to enhance both simultaneously with intelligent solutions 322 | - if you don't need something, **TURN IT OFF** 323 | 324 | ##### Exam Tip 325 | 326 | - well-known ports = TCP and UDP ports 0-1023 327 | - registered ports = TCP and UDP ports 1024-49151 328 | - ephemeral/dynamic ports = TCP and UDP ports 49152+ 329 | 330 | #### Compensating Controls 331 | 332 | - controls that are used to help minimize security risks but don't quite meet security goals because of some constraint 333 | - better than nothing, but not ideal 334 | 335 | #### Risk Acceptance 336 | 337 | - not every vulnerability can be remediated, in this case there is acceptance of the risk it brings 338 | - when a vulnerability is accepted, it must still be catalogued and there must be some internal process to keep track of it so appropriate action can be taken if situations change 339 | 340 | ##### Verification of Mitigation 341 | 342 | - implement some kind of testing process to ensure that security controls were implemented correctly 343 | 344 | ## Inhibitors to Remediation 345 | 346 | - remediation is not always smooth sailing- obstacles arise often, some solutions are offered below 347 | 348 | ### Memorandum of Understanding (MOU) 349 | 350 | - outlines duties/expectations of all relevant actors 351 | - cover what happens when after who does what how so that everyone goes home happy 352 | 353 | ### Service Level Agreement (SLA) 354 | 355 | - an agreement between an IT service provider and recipient which outlines roles, responsibilities, and limits of services provided 356 | 357 | ### Organizational Governance 358 | 359 | - finding a means of balancing the divergining interests of various stakeholders within a single organization 360 | - strong communication enables good decisions 361 | 362 | ### Business Process Interruption 363 | 364 | - because of how streamlined many IT operations are, companies will do everything they can to avoid interruptions because they struggle to afford them 365 | 366 | ### Degrading Functionality 367 | 368 | - there must be a balance between implementing security and maintaining the level of operation in IT services 369 | 370 | ### Legacy and Proprietary Systems 371 | 372 | - age of these systems is often due to the complexity or size of the problem they solve 373 | - makes replacement tricky if feasible at all 374 | - finding one's way through these systems is hard enough, finding their inevitable vulnerabilities is a massive challenge 375 | - easy and common to just leave it alone and hope that no attacker can figure it out either 376 | - these systems may be too difficult to patch for the personnel available and the time disposable 377 | - add security to other levels 378 | - add compensating controls 379 | - monitor them 380 | 381 | ## Ongoing Scanning and Continuous Monitoring 382 | 383 | - subscription scanning tools are a thing 384 | - offered from the cloud 385 | - scanning frequently and remediating quickly is important no matter how you scan 386 | -------------------------------------------------------------------------------- /Effective-Cybersecurity/Chapter1.md: -------------------------------------------------------------------------------- 1 | # Chapter 1: Best Practices, Standards, and a Plan of Action 2 | 3 | ## Defining Cyberspace and Cybersecurity 4 | 5 | - Cyberspace = artifacts derived of computers and communications technology as well as their metadata and interactions 6 | - Cybersecurity = all mechanisms used to protect cyberspace and assets; security objectives include preventing compromise of the following: confidentiality, integrity, and availability 7 | - the following terms are closely related to cybersecurity: 8 | - information security = protection of the confidentiality, integrity, and availability of information; may include other provisions such as authenticity, accountability, non-repudiation, and reliability 9 | - network security = protection of networks and their services from unauthorized modification, destruction, or disclosure; assurance that networks perform their functions as expected. 10 | - cybersecurity fully encompasses network security and overlaps with information security, though infosec has a heavier emphasis on protection of physical assets 11 | - in practice, information security and cybersecurity are terms used interchangeably 12 | - Cybersecurity objectives: 13 | - availability = system is accessible, usable, and/or operational (as applicable) on demand 14 | - integrity = data has not been changed in any way for any reason without authorization 15 | - authenticity = confirmation of identity and permission for access 16 | - non-repudiation = sender is given proof of delivery, recipient is given proof of sender identity; ensures neither side can deny receipt 17 | - confidentiality = data is not disclosed without user authorization 18 | - accountability = -------------------------------------------------------------------------------- /Effective-Cybersecurity/README.md: -------------------------------------------------------------------------------- 1 | # Effective Cybersecurity 2 | 3 | *Effective Cybersecurity: A Guide to Using Best Practices and Standards* by William Stallings -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Jacob Willis 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Objectives-Explained/README.md: -------------------------------------------------------------------------------- 1 | # Exam Objectives Explained 2 | 3 | In this directory are all of my notes on each exam objective publicly listed on the CompTIA website for the CS0-003 beta exam. I have tried to balance my explanations to provide clarity and depth while at the same time avoiding details that would be superfluous to this particular exam; in keeping with this, I have included additional resources with my notes in case you have questions I have not answered. -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Infrastructure-Concepts/Containerization.md: -------------------------------------------------------------------------------- 1 | # Containerization 2 | 3 | ## Explanation 4 | 5 | Containerization is a kind of cousin to virtualization, containers are minimalist operating systems which run all the code necessary for a specific application on top of an existing infrastructure (this may be a dedicated hypervisor or regular operating system). Most big PC video games are run within containers, because the developers have no way of knowing whether all of the game's dependencies exist on every user's device. Containers also have backend functions, when an application is being run in the cloud, it may be most efficient just to package the minimum code needed in order for the application to run and place it onto the a virtual server. Not to get too detailed, but when you run a big application for lots of people, eventually a single server (or container) isn't enough for everyone to get decent service, so you need to scale up; when you scale up, you don't want to pay for any more computing resources than are absolutely necessary, but you still need all the same code that made the app run in the first place- this is what containers accomplish. 6 | 7 | ## Importance 8 | 9 | Containers are everywhere doing everything, their popularity continues to grow as they are a cheap means of achieving efficient, scaleable architecture; since they're everywhere and doing everything, if they're misconfigured then they're misconfigured everywhere and everything is at risk. 10 | 11 | ## Example 12 | 13 | Docker is by far the most popular containerization platform, when combined with Kubernetes (an orchestration platform for controlling, monitoring, and scaling containers), you can achieve a balanced, scaleable virtual infrastructure. 14 | 15 | ## Resources 16 | 17 | - [FreeCodeCamp - A Beginner-Friendly Introduction to Containers, VMs and Docker](https://www.freecodecamp.org/news/a-beginner-friendly-introduction-to-containers-vms-and-docker-79a9e3e119b/) 18 | - [Docker - Use containers to Build, Share and Run your applications](https://www.docker.com/resources/what-container/) 19 | - [Google Cloud - What are Containers?](https://cloud.google.com/learn/what-are-containers) 20 | - [NetApp - What are containers?](https://www.netapp.com/devops-solutions/what-are-containers/) -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Infrastructure-Concepts/Serverless.md: -------------------------------------------------------------------------------- 1 | # Serverless 2 | 3 | ## Explanation 4 | 5 | The goal of serverless is to abstract infrastructure entirely, so functions or jobs are performed in the cloud on demand and charged purely on usage rather than a schedule. Serverless architecture is very advantageous to companies who have a very wide range of service usage because they only have to pay for cloud services when a customer executes a serverless function. 6 | 7 | ## Importance 8 | 9 | Understanding the infrastructure that you're protecting is massively important- serverless application are especially vulnerable to DDoS attacks, since they are massively scalable the issue isn't about losing availability, it's that the attack will get VERY expensive very fast. 10 | 11 | ## Example 12 | 13 | AWS services like Fargate and Lambda (especially Lambda) are super commonly used in industry 14 | 15 | ## Resources 16 | 17 | - [Cloudflare - What is serverless computing?](https://www.cloudflare.com/learning/serverless/what-is-serverless/) 18 | - [AWS - Serverless Computing](https://aws.amazon.com/serverless/) 19 | - [Red Hat - What is serverless?](https://www.redhat.com/en/topics/cloud-native-apps/what-is-serverless) 20 | - [IBM - What is Serverless Computing](https://www.ibm.com/cloud/learn/serverless) 21 | - [Serverless - Infrastructure and Compute Providers](https://www.serverless.com/framework/docs/providers/) 22 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Infrastructure-Concepts/Virtualization.md: -------------------------------------------------------------------------------- 1 | # Virtualization 2 | 3 | ## Explanation 4 | 5 | Virtualization is a mechanism for abstracting hardware into code; this means that a single physical server can actually host many different systems on top of it. This creates a cost benefit, because separate hardware is no longer a requirement for running separate systems. These separate systems have limited visibility into each other (if they have any at all) and they are run by a "hypervisor". The hypervisor manages these systems at a high level and allocates hardware resources as configured by the administrator. 6 | 7 | ## Importance 8 | 9 | Virtualization provides security benefits because different systems can exist on the same hardware so that if one application running on one system is compromised, the others maintain an additional layer of security. 10 | 11 | ## Example 12 | 13 | VirtualBox is a hypervisor that can be run on top of Windows or MacOS; it allows you to run a separate operating system on top of your existing system. VMWare, Hyper-V, and OpenShift are also hypervisors that accomplish virtualization to similar effect. 14 | 15 | ## Resources 16 | 17 | - [VMWare - What is virtual infrastructure?](https://www.vmware.com/topics/glossary/content/virtual-infrastructure.html) 18 | - [DNSStuff - What is Virtual Infrastructure and How to Manage It](https://www.dnsstuff.com/what-is-virtual-infrastructure) 19 | - [IBM - Virtualization](https://www.ibm.com/cloud/learn/virtualization-a-complete-guide) -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Log-Ingestion/Logging-Levels.md: -------------------------------------------------------------------------------- 1 | # Logging Levels 2 | 3 | ## Explanation 4 | 5 | - log level = log severity; how important a log is relative to others 6 | - common log levels: 7 | - TRACE = verbose tracking for deep insight into system activity 8 | - DEBUG = used for troubleshooting in test env 9 | - INFO = what happened and when; not indicative of a problem, just system status 10 | - WARN = unexpected problem occurred, something didn't work right, but the system as a whole keeps working 11 | - ERROR = loss of functionality 12 | - FATAL = something really important broke, and now the business is suffering 13 | 14 | ## Importance 15 | 16 | - helps prevent alert fatigue 17 | - if FATAL logs are treated by the system the same as TRACE logs, analysts wouldn't be able to see through all the noise 18 | 19 | ## Example 20 | 21 | | Log Level | Example | 22 | | --------- | ------- | 23 | | TRACE | File writes, method/file execution | 24 | | DEBUG | Content of DB/file writes, variable values at key points | 25 | | INFO | User login, session timeout | 26 | | WARN | Error parsing file | 27 | | ERROR | One of several payment systems is unavailable | 28 | | FATAL | User login service disabled | 29 | 30 | ## Additional Resources 31 | 32 | - [Sematext](https://sematext.com/blog/logging-levels/) 33 | - [Crowdstrike](https://www.crowdstrike.com/cybersecurity-101/observability/logging-levels/) 34 | - [Section](https://www.section.io/engineering-education/how-to-choose-levels-of-logging/) 35 | - [IBM](https://www.ibm.com/docs/en/cognos-analytics/10.2.2?topic=SSEP7J_10.2.2/com.ibm.swg.ba.cognos.ug_rtm_wb.10.2.2.doc/c_n30e74.html) -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Log-Ingestion/Time-Synchronization.md: -------------------------------------------------------------------------------- 1 | # Time Synchronization 2 | 3 | ## Explanation 4 | 5 | Time synchronization in the context of log ingestion refers to the alignment of clocks on all logging devices. 6 | 7 | ## Importance 8 | 9 | Without time synchronization it would be virtually impossible to track events through a system, it would be unclear whether events logged in two places refer to one and the same event or if the same event happened twice. 10 | 11 | ## Example 12 | 13 | A well known example of hacking comes from Cliff Stoll's 1989 book, *The Cuckoo's Egg* detailing his endeavours in tracking down a hacker after noticing 9 seconds of unaccounted computing time on a UNIX mainframe Lawrence Berkeley National Laboratory. While these 9 seconds may have been noticed in the isolated LBL UNIX machine, as Stoll tracked the hacker the need to know his progression through different systems relied heavily on the synchronization of the various machines to show where the hacker moved and when. 14 | 15 | ## Additional Resources 16 | 17 | - [Stalking the Wily Hacker](http://pdf.textfiles.com/academics/wilyhacker.pdf) - Clifford Stoll's abridged account of his hunt for the LBL hacker 18 | - [Netsurion](https://www.netsurion.com/articles/5-cyber-security-myths-importance-of-time-synchronization-and-more) - a brief explanation of time synchronization with more resources in footnotes 19 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/Cloud.md: -------------------------------------------------------------------------------- 1 | # Cloud 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/Hybrid.md: -------------------------------------------------------------------------------- 1 | # Hybrid 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/Network-Segmentation.md: -------------------------------------------------------------------------------- 1 | # Network Segmentation 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/On-Premises.md: -------------------------------------------------------------------------------- 1 | # On-Premises 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/Secure-Access-Secure-Edge.md: -------------------------------------------------------------------------------- 1 | # Secure Access Secure Edge (SASE) 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/Software-Defined-Network.md: -------------------------------------------------------------------------------- 1 | # Software-Defined Networking (SDN) 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/Network-Architecture/Zero-Trust.md: -------------------------------------------------------------------------------- 1 | # Zero Trust 2 | 3 | ## Explanation 4 | 5 | 6 | 7 | ## Importance 8 | 9 | 10 | 11 | ## Example 12 | 13 | 14 | 15 | ## Resources 16 | 17 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/OS-Concepts/File-Structure.md: -------------------------------------------------------------------------------- 1 | # File Structure 2 | 3 | ## Explanation 4 | 5 | Not to be confused with the OS's file *system*, file structure refers to a kind of formatting that allows files to be understood by the OS and comes in 3 types: 6 | 7 | 1. text - characters organized by line 8 | 2. object - bytes organized by block 9 | 3. source - series of functions/processes 10 | 11 | File structures are frameworks for saving data in individual files, file systems are the larger mechanisms used by operating systems to organize files and directories at a higher level. 12 | 13 | ## Importance 14 | 15 | Different file structures communicate different behaviors to the operating system, understanding how these various frameworks can be manipulated can help attack and defend systems more effectively. 16 | 17 | ## Example 18 | 19 | PDF is one of the most common file formats sent between businesses, but it's also very commonly attacked and manipulated. Between 2014 and 2019, well over 1000 vulnerabilities were reported in the Adobe Acrobat Reader all stemming from its parsing of one type of structure. 20 | 21 | ## Resources 22 | 23 | - [Guru99](https://www.guru99.com/file-systems-operating-system.html) 24 | - [UIC](https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/10_FileSystemInterface.html) 25 | - [Infosec Institute - PDF format](https://resources.infosecinstitute.com/topic/pdf-file-format-basic-structure/) 26 | - [MIT Comm Lab](https://mitcommlab.mit.edu/broad/commkit/file-structure/) 27 | 28 | # Configuration File Locations 29 | 30 | Most global Linux config files will be located in the /etc directory 31 | 32 | Windows config files are sprawled much more loosely across the file system; another set of notes explained the Windows registry which holds a lot of configurations; some applications will hold their config files in %APPDATA%; the C:\Windows directory and its subdirectories also hold some configurations. -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/OS-Concepts/Hardware-Architecture.md: -------------------------------------------------------------------------------- 1 | # Hardware Architecture 2 | 3 | This is a very unclear part of the objectives given how broad the topic of computer hardware architecture is; I've included only very high-level notes here since this is a security exam, not an OS exam. 4 | 5 | ## Explanation 6 | 7 | Modern computer hardware architecture is almost universally comprised of the following components: 8 | 9 | - CPU = central processing unit; intreprets and processes information 10 | - memory = volatile storage used for immediate usage by CPU 11 | - storage = non-volatile memory used for storing data beyond immediate term 12 | - network card = network interface card, NIC; used to communicate with other devices on a network 13 | - video display = often takes the form of a GPU which is a bunch of smaller computing devices that operate in parallel; in smaller devices it may just be a card used to process graphics 14 | - I/O device = an device used to accept input from outside of the system 15 | - internal bus = mechanism for connecting all internal hardware 16 | 17 | All of these hardware components, except the CPU, rely on separate "drivers" that tell the kernel how to interact with them 18 | 19 | ## Importance 20 | 21 | Since each of these hardware components has its own software (or firmware), they each bring with them another potential attack vector. Hiding malware in a swapped hardware component is difficult to do, but also very difficult to detect. 22 | 23 | ## Resources 24 | 25 | - [digipen - Overview of Operating Systems and Computer Architecture](https://azrael.digipen.edu/~mmead/www/Courses/CS180/OSOverview.html) 26 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/OS-Concepts/System-Hardening.md: -------------------------------------------------------------------------------- 1 | # System Hardening 2 | 3 | ## Explanation 4 | 5 | Systems hardening refers to all measures taken to secure a system (not just operating systems). This includes adhering to best practices, having a streamlined process for updating with patches and service packs, and deploying additional measures like firewalls, endpoint protection systems, and enforcing least privilege. 6 | 7 | ## Importance 8 | 9 | The default settings for most operating systems prioritize out-of-the-box functionality over security, this means that security measures need to be activated within the OS and additional measures need to be installed as well. 10 | 11 | ## Example 12 | 13 | Windows does not encrypt hard drives by default (as of Windows 10), if someone were to gain physical access to the computer then they could read the contents of the drive with special software even without knowing the login information. 14 | 15 | ## Resources 16 | 17 | - [NIST SP 800-123](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf) 18 | - [Hysolate](https://www.hysolate.com/learn/os-isolation/os-hardening-10-best-practices/) 19 | - [Trent on Systems](https://www.trentonsystems.com/blog/system-hardening-overview) 20 | - [CSUSB](https://www.csusb.edu/its/security/technical/os-hardening) 21 | - [Beyond Trust](https://www.beyondtrust.com/resources/glossary/systems-hardening) -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/OS-Concepts/System-Processes.md: -------------------------------------------------------------------------------- 1 | # System Processes 2 | 3 | ## Explanation 4 | 5 | A process (or job) is a program being executed. 6 | 7 | ### Process Memory 8 | 9 | Process memory is made up of four different parts: 10 | 11 | 1. text - compiled code read from storage upon launch 12 | 2. data - global and static variables created before execution 13 | 3. heap - dynamic memory for calls from the process 14 | 4. stack - temporary data for params and local vars 15 | 16 | ![Process Memory](../../../_assets/Process_Memory.jpg "A process in memory") 17 | 18 | ### Process States 19 | 20 | Processes exist in one of five states: 21 | 22 | 1. New - process is being created 23 | 2. Ready - process is ready to run, but is not 24 | 3. Running - process is running 25 | 4. Waiting - process is ready to run, but cannot because it is waiting for resources to become available (keyboard input, disk access, timer, etc) 26 | 5. Terminated - process is done running 27 | 28 | ![Process States](../../../_assets/Process_States.jpg "Possible process states") 29 | 30 | ### Process Control Block 31 | 32 | Each process has a **Process Control Block** (PCB) made up of the following: 33 | 34 | - Process state - one of the five listed above 35 | - Process ID - unique numeric identifier 36 | - Pointer - pointer to parent process (nearly all processes have a parent) 37 | - Program counter - pointer to address of next instruction in process 38 | - CPU registers - where process is running; used when process is interrupted 39 | - CPU-scheduling info - priority and pointers to queues 40 | - Memory-management information - info about base and limit registers, page table 41 | - Accounting information - resources used by system 42 | - I/O status - IO devices allocated to the process 43 | 44 | Each process has its own unique PCB and each OS will handle PCBs differently 45 | 46 | ### Threads 47 | 48 | A thread is a segment of a process which represents a basic unit of processer time and has three possible states: 49 | 50 | 1. running 51 | 2. ready 52 | 3. blocked 53 | 54 | Threads take less time to terminate and do not isolate 55 | 56 | ## Importance 57 | 58 | Everything that happens on an OS happens as a process; processes are the basis of all higher level computation. 59 | 60 | ## Example 61 | 62 | View active processes on Windows: 63 | 64 | 1. *Win Key* 65 | 2. Type "cmd" 66 | 3. Run as administrator 67 | 4. Type "tasklist" in the command prompt 68 | 69 | View active processes on Linux: 70 | 71 | Type "ps" in terminal (or "htop" or "top") 72 | 73 | ## Resources 74 | 75 | - [UIC CS - Processes](https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/3_Processes.html) 76 | - [Study Tonight - Process in Operating System](https://www.studytonight.com/operating-system/operating-system-processes) 77 | - [TutorialsPoint - Process](https://www.tutorialspoint.com/operating_system/os_processes.htm) 78 | - [BinaryTerms - Process in Operating System](https://binaryterms.com/process-in-operating-system.html) 79 | - [Microsoft Learn - Proecsses and Threads](https://learn.microsoft.com/en-us/windows/win32/procthread/processes-and-threads) 80 | - [Geeks4Geeks - Difference between Process and Thread](https://www.geeksforgeeks.org/difference-between-process-and-thread/) -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/OS-Concepts/Windows-Registry.md: -------------------------------------------------------------------------------- 1 | # Windows Registry 2 | 3 | ## Explanation 4 | 5 | The Windows Registry is a database of settings, information, configurations, and options for the Windows operating system, some applications also use the registry. The registry is made up of keys and values, keys are like directories and values are like files (but not exactly). 6 | 7 | - Hives = main branches of the registry; 5 most common are as follows: 8 | 1. HKEY_CLASSES_ROOT (HKCR) = default file associations; which app opens/reads what file type 9 | 2. HKEY_CURRENT_USER (HKCU) = user-specific settings 10 | 3. HKEY_LOCAL_MACHINE (HKLM) = passwords, boot files, software installations, security settings; most critical 11 | 4. HKEY_USERS (HKU)= similar to current_user hive, but for accomodating multiple users at once 12 | 5. HKEY_CURRENT_CONFIG (HKCC) = real-time hardware monitoring; key values aren't saved permanently in this hive 13 | 14 | The registry was created to replace and centralize the contents of individual config files. These configurations were usually in .ini files, which are still used, but less heavily. 15 | 16 | ## Importance 17 | 18 | Every setting on your system needs to be tracked and stored with persistence, the registry is how Windows accomplishes that. The registry can be edited to help improve performance or remove unwanted programs. 19 | 20 | ## Demonstration 21 | 22 | To access the registry, click the Windows menu icon in the bottom left of your screen (*Win Key*), type *regedit* and *Enter*, allow regedit to make changes. The regedit application should open on your device if you have admin privileges. Regedit is used to make changes to the registry; feel free to look through the branches, but don't change anything unless you know what you're doing and have made a backup of your registry. 23 | 24 | To back up your registry, simply open regedit, select File from the menu at the top of the window, click export, and provide a name and save location. 25 | 26 | ## Additional Resources 27 | 28 | - [Computer Hope](https://www.computerhope.com/jargon/r/registry.htm) 29 | - [Avast](https://www.avast.com/c-windows-registry) 30 | - [Microsoft](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users) 31 | -------------------------------------------------------------------------------- /Objectives-Explained/Security-Operations/README.md: -------------------------------------------------------------------------------- 1 | # Security Operations 2 | 3 | This section has the heaviest weight of all the exam domains at 33%. 4 | 5 | ## 1.1 Explain the importance of system and network architecture concepts in security operations. 6 | 7 | - [Log Ingestion](./Log-Ingestion/) 8 | - [Time Synchronization](./Log-Ingestion/Time-Synchronization.md) 9 | - [Logging levels](./Log-Ingestion/Logging-Levels.md) 10 | - [Operating System (OS) Concepts](./OS-Concepts) 11 | - [Windows Registry](./OS-Concepts/Windows-Registry.md) 12 | - [System Hardening](./OS-Concepts/System-Hardening.md) 13 | - [File Structure](./OS-Concepts/File-Structure.md) 14 | - [System Processes](./OS-Concepts/System-Processes.md) 15 | - [Hardware Architecture](./OS-Concepts/Hardware-Architecture.md) 16 | - [Infrastructure Concepts](./Infrastructure-Concepts/) 17 | - [Serverless](./Infrastructure-Concepts/Serverless.md) 18 | - [Virtualization](./Infrastructure-Concepts/Virtualization.md) 19 | - [Containerization](./Infrastructure-Concepts/Containerization.md) 20 | - [Network Architecture](./Network-Architecture/) 21 | - [On-premises](./Network-Architecture/On-Premises.md) 22 | - [Cloud](./Network-Architecture/Cloud.md) 23 | - [Hybrid](./Network-Architecture/Hybrid.md) 24 | - [Network Segmentation](./Network-Architecture/Network-Segmentation.md) 25 | - [Zero Trust](./Network-Architecture/Zero-Trust.md) 26 | - [Secure Access Secure Edge (SASE)](./Network-Architecture/Secure-Access-Secure-Edge.md) 27 | - [Software-Defined Networking (SDN)](./Network-Architecture/Software-Defined-Network.md) 28 | 29 | ## 1.2 Given a scenario, analyze indicators of potentially malicious activity. 30 | -------------------------------------------------------------------------------- /Objectives-Explained/exam-objectives.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/Objectives-Explained/exam-objectives.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CYSA-Study-Guide 2 | 3 | Notes I took to prepare for the CompTIA CySA+ exam (CS1-003 Beta). I am scheduled to take the exam 12/10/22; I will post whether this preparation was sufficient once I receive my exam results. In my professional work, I am a DevOps engineer, but my previous experience included building a cybersecurity program from scratch. I've done extensive studying on cybersecurity in the past, my degree emphasized security; I was in the top 1% on TryHackMe before beginning to study for the CySA+; I have previously attained cyber certifications including Security+ and Azure Security Fundamentals among others that also apply to the domain. 4 | 5 | ## Post-Test 6 | 7 | 12/10/22 - Immediate Reaction: I took the test earlier today and feel pretty good about it now, I finished with plenty of time to spare and didn't ever feel lost on the test. Honestly, my work experience paired with TryHackMe prepared me better than any other study mechanism I used. My advice is to know your Linux commands, your cybersecurity acronyms, and be able to explain why any given course of action may be the best way forward. 8 | 9 | 5/10/23 - Results: I passed with a score of 796/900, minimum passing score is 750. I hope these notes can be helpful to anyone looking to take the new CompTIA CySA+ exam when it is released in June, but keep in mind that knowing the content here alone is not enough. 10 | 11 | ## License 12 | 13 | Licensed under MIT License 14 | -------------------------------------------------------------------------------- /TryHackMe/Active-Directory-Basics.md: -------------------------------------------------------------------------------- 1 | # Active Directory Basics 2 | 3 | ## Windows Domains 4 | 5 | - created to overcome scaling difficulties 6 | - Windows Domain = group of users and computers under administration of one organization 7 | - centralize basic administration into a single repository - Active Directory (AD) 8 | - Domain Controller (DC) = server that runs AD services 9 | - centralize identity management 10 | - central configuration of security policies 11 | 12 | ### A Real-World Example 13 | 14 | - you've probably used AD when signing into an organization's device with credentials created by that org 15 | 16 | ### Welcome to THM Inc. 17 | 18 | - Configure domain "THM.local" 19 | - RDP THM\Administrator 20 | - domain = THM 21 | - user = Administrator 22 | 23 | ## Active Directory 24 | 25 | - Active Directory Domain Service (AD DS) - service that holds all information about objects in a domain 26 | - Users - type of domain object known as security principals 27 | - can act upon other objects in a domain 28 | - may be users or services 29 | - Machines - type of domain object, also considered security principals 30 | - are granted limited local admin rights on only themselves 31 | - passwords are created randomly with 120 characters 32 | - machine account is computer's name followed by dollar sign (e.g. *Computer-Name$*) 33 | - Security Groups - used for managing privileges in bulk 34 | - can include users, machines, other groups, objects 35 | - some important groups are listed below: 36 | | Security Group | Description | 37 | | -------------- | ----------- | 38 | | Domain Admins | administrators of the entire domain | 39 | | Server Operators | Administrators of DCs only | 40 | | Backup Operators | may access any file regardless of file permissions; meant for backing up data | 41 | | Account Operators | may create or modify domain accounts | 42 | | Domain Users | all user accounts in domain | 43 | | Domain Computers | all computers in domain | 44 | | Domain Controllers | all DCs in domain | 45 | 46 | ### Active Directory Users and Computers 47 | 48 | - on Windows Server open start menu and enter "Active Directory Users and Computers" to configure AD objects 49 | - objects are organized with OUs (Organizational Units) which classify sets of objects based on their policies 50 | - each user may be part of one OU at a time 51 | - OUs typically follow the structure of business units 52 | - domains come with some default containers: 53 | - builtin - default groups 54 | - computers - default location for machines added to the domain 55 | - domain controllers - default OU for DCs 56 | - users - default users and groups 57 | - managed service accounts - accounts used by domain services 58 | 59 | ### Security Groups vs OUs 60 | 61 | - OUs are for policy application and users can only be part of one OU at a time 62 | - Security groups are for granting permissions to resources 63 | 64 | ## Managing Users in AD 65 | 66 | - do the THM exercises and play around with a ~~really slow~~ normal Windows Server 67 | 68 | ## Managing Computers in AD 69 | 70 | - 3 types of devices/"computers": 71 | 1. Workstations - users PCs; most common 72 | 2. Servers - provide services among themselves 73 | 3. Domain Controllers - allow management of domain 74 | - create separate OUs for different device types 75 | 76 | ## Group Policies 77 | 78 | - 79 | 80 | -------------------------------------------------------------------------------- /TryHackMe/Cyber-Kill-Chain.md: -------------------------------------------------------------------------------- 1 | # Cyber Kill Chain 2 | 3 | ## Introduction 4 | 5 | - developed by Lockheed Martin in 2011, the cyber kill chain is created to help blue teams understand the phases of an attack by an APT 6 | - the phases are: 7 | 1. Reconnaissance 8 | 2. Weaponization 9 | 3. Delivery 10 | 4. Exploitation 11 | 5. Installation 12 | 6. Command and Control 13 | 7. Actions on Objectives 14 | 15 | ## Reconnaissance 16 | 17 | - collecting information about a target system 18 | - OSINT and email harvesting are often key actions of this phase for attackers 19 | 20 | ## Weaponization 21 | 22 | - creation or selection of weapons/exploits used in an attack 23 | - malware = malicious software 24 | - exploit = program to take advantage of a vulnerability 25 | - payload = malware that runs on the defended system 26 | 27 | ## Delivery 28 | 29 | - how the malware/payload is transmitted to the attacked system 30 | - common vectors include: 31 | - phishing 32 | - liberal distribution of infected USB drives 33 | - watering hole attacks 34 | 35 | ## Exploitation 36 | 37 | - taking advantage of a vulnerability 38 | - zero-day = vulnerability previously unknown to defenders 39 | - lateral movement = change of attacked system to find a way to escalate privileges 40 | 41 | ## Installation 42 | 43 | - create persistent backdoors 44 | - common avenues include: 45 | - web shell on webservers 46 | - meterpreter 47 | - creation or modification of Windows services 48 | - Adding "run keys" to Windows registry or startup folder 49 | - timestomping = modification of timestamps for actions performed on file to avoid detection 50 | 51 | ## Command and Control 52 | 53 | - remote manipulation of target system 54 | - also called C&C or C2 Beaconing; communication between C2 server and agent 55 | - common channels are HTTP(S) and DNS through DNS tunneling 56 | - DNS tunneling = infected device makes constant requests to attacker-controlled DNS server 57 | 58 | ## Actions on Objectives (Exfiltration) 59 | 60 | - may include some of the following activities: 61 | - credential harvesting 62 | - privilege escalation 63 | - internal recon 64 | - lateral movement 65 | - collection of sensitive data 66 | - deletion of backups/copies 67 | - overwrite/corrupt data 68 | 69 | -------------------------------------------------------------------------------- /TryHackMe/Diamond-Model.md: -------------------------------------------------------------------------------- 1 | # Diamond Model 2 | 3 | ## Introduction 4 | 5 | - 4 key features: 6 | - adversary 7 | - infrastructure 8 | - capability 9 | - victim 10 | - other dimensions: 11 | - social 12 | - political 13 | - technology 14 | 15 | ## Adversary 16 | 17 | - adversary operator = party conducting the attack 18 | - adversary customer = party benefitting from the attack 19 | 20 | ## Victim 21 | 22 | - victim personae = entities being attacked 23 | - victim assets = attack surfaces targeted by adversaries 24 | 25 | ## Capability 26 | 27 | - capability capacity = usable vulnerabilities and exposures 28 | - adversary arsenal = capabilities of adversary 29 | 30 | ## Infrastructure 31 | 32 | - Type 1 infrastructure = infrastructure owned by adversary 33 | - Type 2 infrastructure = infrastrucutre controlled by intermediary 34 | - service provider = orgs that provide services critical for type 1 or 2 infrastructure 35 | 36 | ## Event Meta Features 37 | 38 | - timestamp = when the event happened 39 | - phase = see Lockheed Martin Cyber Kill Chain 40 | - result 41 | - direction = victim-to-infrastructure, infrastructure-to-victim, infrastructure-to-infrastructure, adversary-to-infrastructure, intrastructure-to-adversary, bidirectional, unknwon 42 | - methodology = general classification of intrusion 43 | - resources 44 | 45 | -------------------------------------------------------------------------------- /TryHackMe/MITRE.md: -------------------------------------------------------------------------------- 1 | # MITRE 2 | 3 | ## Introduction to MITRE 4 | 5 | - MITRE = non-profit US corporation focused on cybersecurity research 6 | 7 | ## Basic Terminology 8 | 9 | - Advanced Persistent Threat (APT) = threat group or nation-state group that attacks other entities in long campaigns 10 | - may use advanced exploits/tactics, but usually don't need them in order to be successful 11 | - Tactics, Techniques, and Procedures (TTPs) = 12 | - Tactics = goal/objective 13 | - Techniques = how the tactics are achieved 14 | - Procedures = how the techniques are executed 15 | 16 | ## ATT&CK Framework 17 | 18 | - ATT&CK Framework = collection of common TTPs used by APTs 19 | - 14 categories each containing techniques for performing the tactic 20 | 21 | ## CAR Knowledge Base 22 | 23 | - CAR = The MITRE Cyber Analytics Repository; MITRE-developed analytics on the MITRE adversary model 24 | 25 | ## MITRE Engage 26 | 27 | - framework for planning and discussing adversary engagement operations 28 | - "Adversary Engagement Approach" accomplished by "Cyber Denial" and "Cyber Deception" 29 | - cyber denial = prevent adversary ability to conduct operations 30 | - cyber deception = place misleading artifacts for adversary 31 | - includes resources for getting started with Adversary Engagement Approach 32 | - engage categories: 33 | - prepare = actions that will lead to desired outcome 34 | - expose = trigger deception activities 35 | - affect = negatively impact adversarial operation with your own 36 | - elicit = observe adversaries and learn their TTPs 37 | - understand = output of operations 38 | 39 | ## MITRE D3FEND 40 | 41 | - knowledge graph of cyber counters 42 | - Detection, Denial, and Disruption framework empowering network defense 43 | 44 | ## ATT&CK Emulation Plans 45 | 46 | - MITRE ENGENUITY provides CTID, Adversary Emulation Library, and ATT&CK Emulation Plans 47 | - CTID = Center of Threat-Informed Defense; various companies/vendors conducting research to improve cyber defense 48 | - 49 | 50 | -------------------------------------------------------------------------------- /TryHackMe/Nessus.md: -------------------------------------------------------------------------------- 1 | # Nessus 2 | 3 | ## Introduction 4 | 5 | - Nessus = vulnerability scanner 6 | - like Nmap, but with a nice GUI 7 | - unique because it avoids making assumptions 8 | - free and paid options (like Burp Suite) 9 | - see [Tenable](https://www.tenable.com/products/nessus) 10 | 11 | ## Installation 12 | 13 | - See Guide [Here](https://docs.tenable.com/nessus/Content/GettingStarted.htm) 14 | - pretty straightforward stuff here 15 | - subscription is thousands of dollars per year 16 | - 7-day free preview of Nessus pro 17 | 18 | ## Navigation and Scans 19 | 20 | -------------------------------------------------------------------------------- /TryHackMe/Pyramid-of-Pain.md: -------------------------------------------------------------------------------- 1 | # Pyramid of Pain 2 | 3 | ## Introduction 4 | 5 | ![Pyramid of Pain](../_assets/THMPyramidOfPain.png "Pyramid of Pain") 6 | 7 | ## Hash Values (Trivial) 8 | 9 | - hashes are unique numeric values generated by mathematical procedures 10 | - used for identifying malicious artifacts 11 | - virustotal and opswat do hash lookups 12 | 13 | ## IP Address (Easy) 14 | 15 | - IP Addresses are a simple mechanism for filtering traffic that has historically been malicious 16 | - IP Addresses also loosely correlate to geography, so some information can be gleaned about origin 17 | 18 | ## Domain Names (Simple) 19 | 20 | - map of IP Address to string of text 21 | - harder to manage for attackers 22 | - punycode = conversion of ascii into unicode to decoy text 23 | - URL shorteners hide malicious domains 24 | - type a "+" sign at the end of a shortened URL to see the real site name 25 | 26 | ## Host Artifacts (Annoying) 27 | 28 | - observable items or changes on a host system left behind by attackers 29 | 30 | ## Network Artifacts (Annoying) 31 | 32 | - patterns, packets, traffic, activity over a network by attackers 33 | 34 | ## Tools (Challenging) 35 | 36 | - use AV signatures, detection rules, and YARA rules to stop/detect attackers 37 | - MalwareBazaar and Malshare provide samples, malicious feeds, and YARA results 38 | - SOC Prime Threat Detection Marketplace provides detection rules 39 | - SSDeep provides fuzzy hashing tools 40 | - fuzzy hashing = analysis of files with minor differences 41 | 42 | ## TTPs (Tough) 43 | 44 | - stopping an ATP's TTPs will make it extremely difficult for them to compromise your assets without making wholesale changes to their attack methodologies 45 | 46 | 47 | -------------------------------------------------------------------------------- /TryHackMe/README.md: -------------------------------------------------------------------------------- 1 | # TryHackMe 2 | 3 | **SPOILERS** 4 | 5 | These are the rooms which I have completed as part of my preparation for the CySA+ exam. I have included answers to questions when important for understanding a technology or concept. This isn't a comprehensive list of rooms completed as part of my prep. -------------------------------------------------------------------------------- /_assets/BiancosPyramidOfPain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/BiancosPyramidOfPain.png -------------------------------------------------------------------------------- /_assets/ICS-example.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/ICS-example.jpg -------------------------------------------------------------------------------- /_assets/IaaS-Model.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/IaaS-Model.jpg -------------------------------------------------------------------------------- /_assets/PaaS.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/PaaS.jpg -------------------------------------------------------------------------------- /_assets/Process_Memory.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/Process_Memory.jpg -------------------------------------------------------------------------------- /_assets/Process_States.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/Process_States.jpg -------------------------------------------------------------------------------- /_assets/SaaS-Model.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/SaaS-Model.jpg -------------------------------------------------------------------------------- /_assets/THMPyramidOfPain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/willisman31/CYSA-Study-Guide/8f58bf4f8fb1d84faebdf453a5194a399bb264b9/_assets/THMPyramidOfPain.png --------------------------------------------------------------------------------