DFIR Blog

CISSP

12/18/2022

 
The Certified Information Systems Security Professional (CISSP) is a professional certification for individuals working in the field of information security. It is a globally recognized standard of achievement that demonstrates an individual's knowledge and experience in the field.

To prepare for the CISSP exam, there are a few steps you can follow:

Understand the exam content: The CISSP exam covers a wide range of topics, including security and risk management, asset security, security engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. Familiarize yourself with the exam content outline and make sure you have a good understanding of each of the domains.

Get hands-on experience: While the CISSP exam tests your knowledge of theory, it is important to have practical experience in the field. Consider internships, on-the-job training, or other opportunities to gain hands-on experience in information security.

Take a training course: Many individuals choose to take a training course to prepare for the CISSP exam. These courses are typically led by experienced professionals who can provide in-depth knowledge of the exam content and help you understand the key concepts.

Use study materials: There are a variety of study materials available to help you prepare for the CISSP exam, including textbooks, practice exams, and online resources. Make use of these materials to reinforce your understanding of the exam content and identify areas where you need additional study.

Take practice exams: Practice exams can be a useful tool for identifying your strengths and weaknesses and helping you focus your study efforts. Take multiple practice exams to get a feel for the exam format and to identify any areas where you need additional study.

Remember to allow yourself enough time to study and prepare for the exam. It is also a good idea to take breaks and avoid trying to study for long periods of time without a break. Good luck!


Threat Hunting through Outbound Traffic

7/4/2020

 
Data Exfiltration and Data Loss Prevention (DLP) is the key topic of our discussion today. One of the ways to detect APT groups and advanced ransomware at an early stage is by analyzing outbound traffic. Most advanced threats will try to establish a C2 connection.
Profile 'outbound' traffic data:
  • How much data is sent?
  • Who usually sends the data?
  • Where are we sending the data (IP, port)?
  • When is it usually sent?
You can use flow logs or NGFW logs to get these insights. Try to see if you can find outliers.
Some outliers can be:
  • 24/7 outbound connections (keep an eye on these)
  • Unauthorized C2 or VPN connections
  • Malicious insider activity

Dashboards are a good starting point. With the flow data you can develop a 'Top Level Domain (TLD) Dashboard' and look for the following traffic patterns:
  • High Bandwidth TLD
  • Low Level TLD
  • Top 10 TLD By Bandwidth
  • Top 10 Second Level Domain by Bandwidth
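The profiling above, as an added example that is not part of the original post: it parses constructed flow records (hypothetical hosts and domains), builds the TLD and second-level-domain bandwidth rankings for a dashboard, and flags the two outliers the post names, round-the-clock (src, dst) pairs and large transfers outside assumed business hours.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (hypothetical hosts and domains, not real data):
# "timestamp src_host dst_domain bytes_out"
SAMPLE_FLOWS = [
    f"2020-07-01T{h:02d}:07:00 ws-101 cdn.beacon-example.top 512"
    for h in range(24)                      # one small check-in every hour, round the clock
] + [
    "2020-07-01T09:12:00 ws-202 mail.corp-example.com 20480",
    "2020-07-01T10:40:00 ws-202 mail.corp-example.com 18200",
    "2020-07-01T11:05:00 ws-204 docs.corp-example.com 9000",
    "2020-07-01T03:30:00 ws-303 files.shady-example.xyz 734003200",  # ~700 MB at 03:30
    "not a flow record",                                             # malformed line, skipped
]

def parse_flows(lines):
    """Parse 'timestamp src dst bytes' records into dicts; skip malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        flows.append({"ts": datetime.fromisoformat(parts[0]),
                      "src": parts[1], "dst": parts[2], "bytes": int(parts[3])})
    return flows

def tld(domain):
    """Top-level domain label, e.g. 'com'."""
    return domain.rsplit(".", 1)[-1].lower()

def second_level(domain):
    """Second-level domain, e.g. 'corp-example.com'."""
    return ".".join(domain.lower().split(".")[-2:])

def bandwidth_by(flows, key_fn):
    """Total outbound bytes grouped by key_fn(destination): feeds the TLD/SLD dashboards."""
    totals = defaultdict(int)
    for f in flows:
        totals[key_fn(f["dst"])] += f["bytes"]
    return dict(totals)

def top_n(totals, n=10):
    """Top-N entries by bytes, highest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def always_on_pairs(flows, min_hours=18):
    """(src, dst) pairs seen in at least min_hours distinct hours of the day:
    the '24/7 outbound connection' outlier worth a closer look."""
    hours = defaultdict(set)
    for f in flows:
        hours[(f["src"], f["dst"])].add(f["ts"].hour)
    return sorted(pair for pair, hs in hours.items() if len(hs) >= min_hours)

def off_hours_uploads(flows, min_bytes=100 * 1024 * 1024, start=7, end=19):
    """Large single transfers outside assumed business hours (07:00-19:00)."""
    return [f for f in flows
            if f["bytes"] >= min_bytes and not (start <= f["ts"].hour < end)]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top TLDs by bandwidth:", top_n(bandwidth_by(flows, tld), 3))
    print("Top SLDs by bandwidth:", top_n(bandwidth_by(flows, second_level), 3))
    print("24/7 pairs:", always_on_pairs(flows))
    print("Off-hours uploads:", [(f["src"], f["dst"]) for f in off_hours_uploads(flows)])
```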


#Comment if you have additional tips.

Security Operation Center (SOC) Overview

6/18/2020

 
I have had to build many SOC teams in my professional career. In this post, I'd like to clear up some of the myths about SOCs. Let's start with the basics.

One of the most important questions is: why does your organization need a SOC?

Enterprises often collect a large amount of data in the form of logs. Simply storing the data is not valuable. This enormous amount of information needs to be searched for malicious activity. If there is malicious activity, you need a human to respond to it intelligently. SOC team members handle the detection, investigation, and response to the incident. Another critical aspect of the SOC team (often overlooked) is the post-incident review.

What are the sub-teams/sub-groups in a SOC?
Key Roles in a SOC Team
  • SOC Manager
  • Cyber Security Analyst
  • Incident Responders/Commanders
  • Digital Forensics Experts
  • Detection Engineers
  • Security Architects/Program Manager/DevOps Engineers

Types of Security Operation Center (SOC)
Fully Outsourced SOC: Hiring, building, and retaining SOC teams is challenging and expensive. There are not a lot of experienced cyber security analysts and engineers out there in the market; it's honestly a new career option. To avoid the hassle, organizations often decide to outsource the security operation fully to a Managed Security Service Provider (MSSP).

There are a few advantages and disadvantages of having a fully outsourced SOC. The most significant benefit is speed; you can have someone start looking at your data/alerts as soon as you sign the contract. If there is any anomaly, the MSSP will do the hunt and investigation and escalate it to you pretty quickly.

The biggest downside is the knowledge gap. All the knowledge/intelligence about your network/endpoints stays with the MSSP. As soon as you cancel the contract, it's gone. Another significant disadvantage is that an MSSP is expensive. You have to pay a lot of money out of your budget for the SOC. In some cases, the quality of the investigation can be poor too.

Even after outsourcing your SOC, mitigating malicious activity and compliance stay with the organization. Usually, companies at an early stage will go for this model. The MSSP will care more about the SLAs than the quality of the investigation. If you are adopting this model, please ensure you discuss all the norms upfront, including the resumes/profiles of the analysts.

Hybrid SOC: It's a combination of an MSSP and an in-house SOC team. Usually, the detection, response, and forensics teams will be in-house, and the Tier-1 and Tier-2 analysts will be outsourced. The majority of the pros and cons of an MSSP mentioned above apply here as well. The benefit is that you keep your institutional knowledge. If you want to run your SOC 24/7 and your security team is only in one country, this model will be helpful in terms of coverage and control.

In-house SOC: Fully in-house SOC teams are costly; usually large organizations with big budgets will go for this model. I'd say having a functional in-house SOC is a sign of the maturity of the overall cybersecurity program. If your company is global, you may want to have your SOC team in multiple time zones.

Key Responsibilities of a SOC

  • Implement, Manage, and Propose Security Tools: SIEM, EDR, and SOAR are the primary tools a SOC uses, but the SOC is also responsible for identifying security gaps and proposing new controls to the business. If an alert/incident has made it to the SIEM application, it must have bypassed specific security controls. SOC analysts should always think about solutions to reduce the number of alerts/cases. A typical example is proposing an email security tool to reduce the number of phishing alerts.
  • Investigate, Respond, Contain, and Remediate Suspicious Alerts: The core function of the SOC is to investigate malicious activity. A SOC cannot wholly rely on preventive and detective controls. A successful SOC is always on a hunt.
  • Cyber Security Strategy: The SOC is responsible for the overall cyber security strategy of the company. The SOC should develop playbooks, SOPs, and policies to respond to certain types of alerts. For example, the SOC should develop a Cyber Security Incident Response Plan, an escalation policy involving HR/Legal, etc.


NSM Tools

6/17/2020

 
In this blog post, we will discuss high-quality open source NSM tools. Security Onion is one of the most common and popular NSM distributions.

Security Onion is an Ubuntu-based Linux distribution. It comes with a bunch of software:
  • NIDS - Snort, Suricata
  • Asset Data - PRADS
  • Full Packet Capture - netsniff-ng
  • SIEM - ELK
  • Additional tools - Wireshark, Nmap

What is Session Hijacking?

4/27/2020

 
Web sessions are usually managed by a "session token". Session hijacking is a way of exploiting the web session control mechanism. It's a way to get unauthorized access to the web server by stealing a valid token.

Session hijacking is a type of attack, and it can be accomplished using various techniques like session sniffing, client-side attacks like XSS, and man-in-the-middle/man-in-the-browser attacks.
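The defensive side of the token mechanism described above, as an added example that is not from the original post: it issues unguessable session tokens, sets the cookie attributes that blunt the listed theft techniques (HttpOnly against XSS, Secure against sniffing, SameSite against cross-site reuse), rotates the token after login, and expires idle sessions. The in-memory store and the 15-minute idle timeout are assumptions for the example.

```python
import secrets
import time

# Hypothetical in-memory session store: token -> session record (example only)
SESSIONS = {}
SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed policy)

def new_session_token():
    """256-bit random token: unguessable, so an attacker must steal rather than predict it."""
    return secrets.token_urlsafe(32)

def build_set_cookie(token, name="session"):
    """Cookie attributes that counter the theft techniques in the post:
    HttpOnly keeps XSS from reading the token, Secure keeps it off plaintext
    links (session sniffing / MITM), SameSite=Strict limits cross-site reuse."""
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"

def create_session(user, now=None):
    """Create a session for user and return its token."""
    now = now or time.time()
    token = new_session_token()
    SESSIONS[token] = {"user": user, "last_seen": now}
    return token

def rotate_session(old_token, now=None):
    """Issue a fresh token after login or a privilege change so a token captured
    earlier (e.g. pre-authentication) does not carry over; returns None if unknown."""
    record = SESSIONS.pop(old_token, None)
    if record is None:
        return None
    return create_session(record["user"], now)

def lookup_session(token, now=None):
    """Return the user for a valid token, or None; idle sessions are expired."""
    now = now or time.time()
    record = SESSIONS.get(token)
    if record is None:
        return None
    if now - record["last_seen"] > SESSION_TTL:
        del SESSIONS[token]
        return None
    record["last_seen"] = now
    return record["user"]
```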




Threat Modeling Fundamentals

4/18/2020

 
Goal: The goal of threat modeling is to reduce risk, and it can be applied as a repeatable process. It has numerous benefits. In this post, we will learn to answer the following questions:
  • What is Threat Modeling?
  • Why you should Threat Model?
  • Who should Threat Model?
  • When to Threat Model?
 
What is Threat Modelling?
You have built a web app which allows visitors to subscribe to a mailing list and sign up for an account. When you systematically list all the potential ways one can attack your application, that is threat modelling in a nutshell. Remember two key terms. The first is "systematic approach": threat modelling should be a repeatable process in the SDLC. The second important key term is "abuse": you are constantly looking at attacks in order to find vulnerabilities. Another approach is to develop probable threat scenarios and a list of threats. It's a holistic approach to reducing the risk of an application.

Bug - Software defect
Vulnerability - Weakness that can be exploited
Attack/Incident - Needs a target, a threat vector (the path an attacker can take to exploit the vulnerability) and a threat actor
Threat Surface - Anything that can be obtained, used or attacked by a threat actor
Risk - Risk = Impact * Likelihood

Why should you do Threat Modelling?
Remember the goal is risk reduction. There are other methodologies that serve the same purpose as well, for example penetration testing, source code analysis, architectural risk analysis and vulnerability scanning. Let's discuss the reasons to use threat modelling:
  • Pro-active approach (security upfront)
  • Efficient - It's a cost-effective method. This approach can save a lot of $$.
  • Prioritize bugs
  • Better understanding
Outputs of Threat Modeling
  • Overall diagrams
  • Clear security requirements
  • List of threats and vulnerabilities
  • Allows security to be injected into the SDLC

Who Should Threat Model?
  • System Architect - Knows the design of the application and the data flows
  • Developer - Knows the details of the application build
  • Tester - Knows the requirements and what the application is supposed to do
  • Security Professional - Knows the attack vectors and thinks like an attacker

When to perform Threat Modelling?
  • As early as possible - Earlier is better
  • Requirements phase and design phase
  • In Agile - It should be done in each sprint and generate separate security stories

Threat Modeling Approaches
We will discuss the following approaches to threat modeling. The end goal will be to generate a list of threats.
Example Scenario - A simple web application. Anonymous users can visit the website. The site runs a Content Management System and only authorized users can access it. A mailing component sends out web mails.


Asset-Centric/Risk Approach: In this approach we focus on the things you want to protect, for example: databases, email accounts, account credentials, servers
  • Step 1 - Create a list of assets
  • Step 2 - Draw assets, components and data flows
  • Step 3 - For each element, check for threats

Advantages:
  1. Centered around assets
  2. Focused on the business impact
  3. Best suited when doing risk assessments for auditors
  4. Examples - PASTA, TRIKE
Disadvantages:
  1. Not centered around the application
  2. Mapping assets to threats is difficult

Attacker-Centric/Security Approach: This approach is preferred by pentesters. You'll need a team of highly qualified security engineers to succeed with this approach.
  1. Create a list of threat actors
    1. Threat Actor - Competitor
    2. Motive - Example: Getting your business
    3. Means - Example: Financial and technical means: limited/unlimited
    4. Opportunity - Example: Exploiting a vulnerability
  2. Create a list of threats

Advantage:
  • Makes threats and attacks visible
Disadvantage:
  • Easy to miss technical threats
  • Unrealistic threats
  • Biased results

Application-Centric Approach: Think about the application and get familiar with it.
Step 1: Draw a diagram of the application. For example: a Data Flow Diagram
Step 2: List threats for each element. STRIDE (threat classification model), OWASP Top 10
Step 3: Rank threats using a classification model

Advantages:
  • Common understanding of the application
  • Spread of knowledge
Disadvantages:
  • Documentation is necessary
  • Difficult to see 'own' vulnerabilities
  • Threats may sound abstract
Threat Modeling Methodologies

In this section, we will discuss the threat modeling methodologies that follow the asset-centric and application-centric approaches.

PASTA - Process for Attack Simulation and Threat Analysis
This is a threat modeling and threat analysis process. It's an asset-centric approach with 7 stages:
  • Define Business Objectives
  • Define Technical Scope
  • Decompose Application - Data Flow Diagram
  • Analyze Threats - Threat Intelligence
  • Identify Vulnerabilities
  • Enumerate Attacks
  • Perform Impact Analysis
Key Elements
  • Useful for medium to large size companies
  • Mature companies
  • Having security knowledge

Advantages:
  • Great for business integration
  • Mature and well-documented process
  • Lots of documentation
  • Tooling available
Disadvantages:
  • Specialized input necessary; for example, threat intelligence needs to be obtained or acquired
  • Time-consuming process
  • Each step generates output
  • Output depends on dynamic input
Microsoft Threat Modeling

It's a threat modeling framework. It focuses on technical risk; it's a developer-driven approach.
  • Identify Assets
  • Create Architecture Overview
  • Decompose Application
  • Identify Threats
  • Document Threats
  • Rate Threats - Use a risk classification system like DREAD, OWASP, CVSS

Advantages:
  • Output is a document
  • Targeted towards development teams
  • Practical approach
  • Plain language
  • Integrated in the SDLC
Disadvantages:
  • More practical than academic
  • STRIDE classification is redundant

OCTAVE - Operationally Critical Threat, Asset and Vulnerability Evaluation
  • Risk analysis framework
  • Evaluated at the organization level
  • Longest and most complicated
  • Focus on security practices
  • Flexible, self-directed
Advantages:
  • Improves risk-aware corporate culture
  • In-depth
  • Flexible
Disadvantages:
  • Large and complex
  • Lots of paperwork
  • Requires 'investment'


Trike
  • Methodology as well as tool
  • High level of automation is possible
  • Asset-centric approach
  • Focus on the defensive side

Process
  • Model System - System analysis
  • Identify Threats
  • Investigate Threats
  • Identify Mitigations

Advantages:
  • Automatically generates threats
  • Consistent results
  • Built-in tool

Disadvantages:
  • Does not scale
  • Not maintained anymore

VAST - Visual, Agile and Simple Threat Modeling

Two threat model types:
  • Application Threat Model
  • Operational Threat Model
Uses process flow diagrams
Good for companies following Agile

Advantages:
  • Flexible
  • Scalable
  • Process flow diagrams are easy
Disadvantages:
  • Not an open methodology
  • No documentation or guidance

What is the best methodology?

Choose a methodology based on your team, organization and objective.

Recommendations
Asset-centric - PASTA
Application-centric - Microsoft Threat Modeling
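A small threat register for the post's example scenario (anonymous visitors, a CMS with authorized users, a mailing component), as an added example that is not part of the original post: threats are tagged with a STRIDE category per DFD element, ranked by the post's Risk = Impact * Likelihood, optionally scored with DREAD, and the "for each element, check for threats" step is made explicit by listing the STRIDE categories that still have no recorded threat. The 1-5 rating scales, the element names and the ratings themselves are assumptions for the example.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass
class Threat:
    element: str        # DFD element the threat applies to
    stride: str         # one STRIDE letter
    description: str
    impact: int         # 1-5 (assumed scale)
    likelihood: int     # 1-5 (assumed scale)
    dread: tuple = ()   # optional (Damage, Reproducibility, Exploitability,
                        #           Affected users, Discoverability), each 0-10

    def risk(self):
        """Risk = Impact * Likelihood, as defined in the post."""
        return self.impact * self.likelihood

    def dread_score(self):
        """Mean of the five DREAD ratings (0-10); None if the threat is not DREAD-rated."""
        return sum(self.dread) / 5 if len(self.dread) == 5 else None

def is_valid(threat):
    """Reject unknown STRIDE letters and out-of-scale ratings before ranking."""
    return (threat.stride in STRIDE
            and 1 <= threat.impact <= 5 and 1 <= threat.likelihood <= 5
            and all(0 <= v <= 10 for v in threat.dread))

def rank_threats(threats):
    """Highest risk first; ties broken by impact so high-impact items surface."""
    return sorted((t for t in threats if is_valid(t)),
                  key=lambda t: (t.risk(), t.impact), reverse=True)

def stride_gaps(threats, elements):
    """STRIDE categories with no recorded threat per element: the
    'for each element, check for threats' step made explicit."""
    seen = {(t.element, t.stride) for t in threats}
    return {e: [c for c in STRIDE if (e, c) not in seen] for e in elements}

# Constructed threat list for the post's example scenario (hypothetical ratings)
ELEMENTS = ["CMS login", "Mailing component", "Subscriber database"]
THREATS = [
    Threat("CMS login", "S", "Credential stuffing against the CMS login", 4, 4, (7, 9, 8, 5, 8)),
    Threat("CMS login", "E", "Authorized CMS user escalates to administrator", 5, 2),
    Threat("Mailing component", "T", "Anonymous sign-up injects content into outgoing mail", 3, 3),
    Threat("Mailing component", "D", "Mass sign-ups flood the mailer", 2, 4),
    Threat("Subscriber database", "I", "Subscriber list disclosed via CMS export", 4, 2),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.risk():>2}  {STRIDE[t.stride]:<22} {t.element}: {t.description}")
    print("Uncovered STRIDE categories:", stride_gaps(THREATS, ELEMENTS))
```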


Base 64 Encoding

4/11/2020

 
If you work in DFIR, you have probably encountered Base64-encoded data many times. In this blog post, we will talk about the basics of Base64 encoding.

ASCII data - each character turns into one byte
A = 65 (Binary 0b01000001)
B = 66 (Binary 0b01000010)
C = 67 (Binary 0b01000011)

The 3-letter string = 24 bits
ABC = 0b010000010100001001000011
For Base64, we'll need to break it into groups of 6 bits. 6 bits have 64 combinations, so 64 characters are needed to encode them.

The characters used are as follows:
ABC...Z = 0-25
abc...z = 26-51
0123...9 = 52-61
+, / = 62, 63

I am going to use spaces for ease of reading
ABC  = 0b01000001 01000010 01000011
6-bit Groups = 0b010000 010100 001001 000011
Decimal = 16 20 9 3
base64 = Q U J D
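The regrouping above carried through in code, as an added example that is not part of the original post: it reproduces the 6-bit walkthrough for "ABC", and goes beyond the post by handling inputs whose length is not a multiple of 3 bytes (zero-fill of the last 6-bit group plus "=" padding), decoding back to bytes, and cross-checking against Python's base64 module.

```python
import base64  # only used to cross-check the hand-rolled encoder

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def six_bit_groups(data):
    """The post's walkthrough: 8-bit bytes -> one bit string -> 6-bit groups,
    zero-filled on the right when the bit count is not a multiple of 6."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * ((-len(bits)) % 6)
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]

def explain(data):
    """(6-bit group, decimal index, Base64 character) for each group."""
    return [(g, int(g, 2), ALPHABET[int(g, 2)]) for g in six_bit_groups(data)]

def b64_encode(data):
    """Hand-rolled Base64: each 6-bit group indexes ALPHABET; '=' pads the
    output to a multiple of 4 characters when the input is not a multiple of 3 bytes."""
    chars = "".join(ch for _, _, ch in explain(data))
    return chars + "=" * ((-len(data)) % 3)

def b64_decode(text):
    """Reverse the process: characters -> 6-bit groups -> whole 8-bit bytes,
    discarding the zero bits that were added as fill."""
    bits = "".join(f"{ALPHABET.index(c):06b}" for c in text.rstrip("="))
    n_bytes = len(bits) // 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, n_bytes * 8, 8))

def matches_stdlib(data):
    """True when the hand-rolled encoder agrees with Python's base64 module."""
    return b64_encode(data) == base64.b64encode(data).decode("ascii")

if __name__ == "__main__":
    for group, index, char in explain(b"ABC"):
        print(group, index, char)          # 010000 16 Q, 010100 20 U, 001001 9 J, 000011 3 D
    print(b64_encode(b"ABC"), b64_encode(b"AB"), b64_encode(b"A"))
```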



Cryptography: Caesar Cipher and ROT13 (Shift by 3 and 13)

4/11/2020

 
In this post, I am going to talk about the basic fundamentals and concepts of cryptography. Let's start with obfuscation and encryption. In layman's language, encryption techniques are used to hide data or make it difficult to read. The term 'crypto' became super popular because of the introduction of currencies like Bitcoin, Litecoin, Ethereum etc. For us, it's just a form of protection; our focus will be on cryptography applied to communication, storage, messages etc. We will be using Python for the code nuggets. Let's start with the 'Caesar Cipher' and 'ROT13'.

Caesar Cipher: It's an old trick where you just move every letter forward three characters in the alphabet.

Plain Text - abcdefghijklmnopqrstuvwxyz
Cipher Text - defghijklmnopqrstuvwxyzabc

For example:
hello = khoor

Let's implement this in Python!


beta = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Getting user input (Python 3: input() replaces raw_input())
user_input = input("Enter a message in capital letters: ")
# Calculating string length
n = len(user_input)
str_out = ""

for i in range(n):
    c = user_input[i]
    loc = beta.find(c)
    if loc == -1:
        # Not an uppercase letter (space, digit, punctuation): keep it as-is
        str_out += c
        continue
    # Shift by 3 and wrap around the alphabet (X -> A, Y -> B, Z -> C)
    newloc = (loc + 3) % 26
    str_out += beta[newloc]
    print(i, c, loc, newloc, str_out)

print("Obfuscated version:", str_out)



ROT13 does the shift by '13' instead of '3'.
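The shift generalized, as an added example that is not the post's code: one function handles any shift for both upper- and lower-case letters and leaves other characters alone, so Caesar (shift 3), its decryption (shift -3) and ROT13 (shift 13, its own inverse) are all the same routine; listing all 26 candidate shifts shows why this is obfuscation rather than protection.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

def shift_cipher(text, shift):
    """Shift every letter by `shift` positions, wrapping around the alphabet;
    non-letters are left unchanged. A negative shift undoes a positive one."""
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_encrypt(text):
    """Classic Caesar: shift forward by 3 (hello -> khoor)."""
    return shift_cipher(text, 3)

def caesar_decrypt(text):
    """Shift back by 3."""
    return shift_cipher(text, -3)

def rot13(text):
    """Shift by 13; applying it twice returns the original text."""
    return shift_cipher(text, 13)

def all_shifts(ciphertext):
    """Every candidate plaintext for an unknown shift: only 26 possibilities,
    which is why a shift cipher is obfuscation, not encryption."""
    return {k: shift_cipher(ciphertext, -k) for k in range(26)}

if __name__ == "__main__":
    print(caesar_encrypt("hello"), caesar_decrypt("khoor"), rot13("Hello, World!"))
```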

Mobile App Risks

4/5/2020

 
  • Weak Server Side Control
  • Insecure Data Storage
  • Insufficient Transport Layer Protection 
  • Unintended Data Leakage
  • Insecure Authorization and Authentication
  • Insufficient Cryptography
  • Client Side Injection
  • Security Decisions via Untrusted Inputs
  • Improper Session Handling 
  • Lack of Binary Protection
  • Improper Platform Usage
  • Insecure Communication
  • Code Tampering
  • Reverse Engineering 
  • Extraneous Functionality 

Pentesting Methodology of a Mobile App

4/5/2020

 
In mobile application penetration testing, the end user is in control of the device. There are usually four phases:
  • Discovery
    • Understanding the platform
    • OSINT
    • Client Side and Server Side Scenarios - Native, Hybrid or Web
  • Assessment/Analysis
    • Static Analysis - Analysis performed without executing the application, by looking at the source code of the application.
    • Dynamic Analysis - Dynamic analysis is performed while the application is running on the device. This includes forensic analysis of the local filesystem, network traffic between the application and server, and assessment of the app's local inter-process communication (IPC) surface.
    • Archive Analysis - Review of the files that have not been compiled into a binary
    • Local File Analysis - Files accessed by the application and files used during the application's execution
    • Network & Web Traffic - The device is configured to route its connection to the server through a test proxy controlled by the security tester. This enables web traffic to be intercepted, viewed, and modified. It also reveals the communication endpoints between the application and the server so that they can be tested. Network traffic that is not traversing the web and is happening at a lower layer in the TCP/IP protocol stack, such as TCP and UDP packets, will also be intercepted and analyzed.
    • Reverse Engineering - Compiled code turned into a human-readable format
    • Interprocess Communication
  • Exploitation
    • Attempt to Exploit the Vulnerability - Use discovered vulnerabilities to gain sensitive information or perform malicious activities.
    • Privilege Escalation
  • Reporting 
    • Risk Assessment - Analyze business criticality of the application and the security risk posture and categorize the overall risk rating of the assessed application
    • Final Reporting