Data Exfiltration and Data Loss Prevention (DLP) is one of key topic of our discussion today. One of the ways to detect APT Groups and advanced ransomwares at early stage is by analyzing the outbound traffics. Most of the advanced treats will try to establish a C2 connection.
Profile 'outbound' traffic data:
Some outliers can be:
Dashboards are the good starting point.With the flow data you can develop a 'Top Level Domain(TLD) Dashboard' and look for following traffic patterns:
#Comment if you have additional tips.
I have to build many SOC teams in my professional career. In this post, I’d like to declutter some of the myths about SOC. Let’s start with the basics.
One of the most important questions is why your organization needs a SOC?
Enterprise often collects a large amount of data in the form of logs. Simply storing the data is not valuable. The humongous amount of information needs to be searched for malicious activities. If there is malicious activity, you need a human to respond to it intelligently. SOC team members will do the Detection, Investigation, and Response to the incident. Another critical aspect of the SOC team (often overlooked) is the post-incident reviews.
What are the sub-team/sub-group in a SOC?
Key Roles in a SOC Team?
Types of Security Operation Center (SOC)
Fully Outsourced SOC: Hiring, Building, and retaining SOC Teams are challenging and expensive. There are not a lot of experienced Cyber Security Analyst and Engineers out there in the market. It’s honestly a new career option. To avoid the hassle, the organization often decide to outsource the security operation fully to Managed Security Service Providers (MSSP).
There are a few advantages and disadvantages of having a fully outsourced SOC. The most significant benefit is the speed; you can have someone start looking at your data/alerts as soon as you sign the contract.In there is any anamoly, MSSP will do the hunt, investigation and escalated it to you pretty quickly.
The biggest downside is the knowledge gap. All the knowledge/intelligence about your network/endpoint stays with the MSSP. As soon as you cancel the contract, it’s gone. Another significant disadvantage is the MSSP is expensive. You have to pay a lot of money out of your budget for the SOC. In some cases, the quality of the investigation can be poor too.
Even after outsourcing your SOC, mitigating a malicious and compliance stays with the organization only. Usually, companies in the early stage will go for this model. MSSP will care more about the SLA’s rather that the quality of the investigation. If you are adopting this model, please ensure to discuss all the norms upfront, including the resume/profiles fo the Analysts.
Hybrid SOC: It’s a combination of the MSSP + In-house SOC team. Usually, the Detection, response, and forensics team will be in-house, and the Tier-1 & 2 Analyst will outsource. The majority of the pros and cons of MSSP mentioned above applies here as well. The benefit is you keep your institutional knowledge. If your want to run your SOC 24/7 and your security team is only in one country this model will be helpful in terms of coverage and control.
In-house SOC: Fully In-house SOC Teams are high, usually big size organizations with big budgets will go for this model. I’d say having a functional in-house SOC is a sign of maturity of an overall cybersecurity program. If your company is global, you may want to have your SOC team in mutiple time zones.
Key Responsibilities of SOC
In this blogpost, we will discuss about the high quality Open source NSM Tools. Security Onion is one of the most common and popular NSM distribution.
Security Onion has Ubuntu based Linux distribution. It comes with a bunch of softwares:
Web Sessions are usually managed by a "Session Token". Session hijacking is a way of exploiting the web session control mechanism.It's a way to get an unauthorized access to the web-server by stealing a valid token.
Session Hijacking is a type of attack and it can use accomplished by using various techniques like Session Sniffing, Clint Side Attacks like XSS, Man in the middle/browser type of attacks.
Goal: The goal of the treat modeling is to redure the risk as can be applied as a repeatable process. It has numerous benefits. In this post, we will learn to answer following questions:
What is Threat Modelling?
You have build a Web App which allows visitors to subscribers to a mailing list and a sign-up for the account. When you list down systematically all the potential ways one can attack your application. That is Threat Modelling in a Nut Shell. Remember Two Key Terms - "Systematic Approach". Threat modelling should be a repeatable process in the SDLC. Second Important key term is "Abuse". You are constantly looking at the Attacks in order to find vulnerability. Another apporach is to develop a probable threat scenarios and list of threats. It's an holistic approach to reduce the risk of an application.
Bug - Software Defects
Vulnerability - Weakness that can be exploited
Attack/Incident - Needs a Target, Need a Threat Vector (Path an attacker can take to exploit the vulnerability) and a Threat Actor.
Threat Surface- Anything that can be obtainer, user or attacked by a threat actor
Risk - Risk = Impact * Liklihood
Why you should do Threat Modelling?
Remember the goal is to Risk Reduction. There are other methodology to serve the same purpose as well for example Penetration Testing, Source Code Analysis, Architectural Risk Analysis, Vulnerability Scanning. Lets discuss about the reasons to use Threat Modelling
Who Should Theat Model?
When to perform Theat modelling?
Threat Modeling Approachs
We will discuss about the following approaches of Threat Modeling. The End goal will be to Generate a list of Threats.
Example Scenario - A simple webapplication. Anonomayos users can visit the website. Sites runs a Content Management System and only authorized users can access it. Mailing Componenet to send out web mails
Asset-Centric/Risk Approach: In this approach we focus on the things you want to protect for example: Example : Databases, Email accounts, Account Credentials, Servers
Attacker-Centric/Security Approach:This apporach is preferred by Pentesters. You'll need a team of highly qualified Security Engineers to succeed in the approach.
Application-Centric Approach: Think about the Application and get famalier with the application. User Step 1: Draw a diagram of the application. For example: Data Flow Diagram
Step 2: List threts for each eleements. STRIDE (Threat Classification Model), OWASP Top 10
Step 3: Rank Threat using classification model
Threat Modeling Methodologies
In this section, we will discuss about the approaches for threat modeling focused towards the asset centric and application centric approach.
PASTA - Process for Attack Simulation and Threat Analysis
This is a threat modeling and threat analysis process. It's an asset centric approach with 7 Stages
Microsoft Threat Modeling
It's a Threat Modeling Framework. Focuses on Technical risk, It's a developer driven approach.
Octave - Operationally Critical Threat, Asset and Vulnerability Evaluation
Visual Agile Simple Threat Modeling
Two Threat Model Types
Good for companies following Agile
What is the best methodology?
Choose a methodology based on team, organization and objective.
Asset Centric - PASTA
Application Centric - Microsoft Threat Modeling
If you are working in the DFIR, you might have encountered Base64 Code many times. In this blog post, we will talk about the basics of base64 encoding.
ASCII Data - Each Character turns into one byte
A = 65 (Binary 0b01000001)
B = 66 (Binary 0b01000010)
C = 67 (Binary 0b01000011)
The 3 Letter String = 24 Bit
ABC = 0b010000010100001001000011
For base64 - we'll need ot break it in the group of 6 bits. 6 Bits will have 64 Combination and will need 64 Characters to encode it.
Characters used are as follows:
ABC...Z = 0-25
0123..9 = 52-61
+,/ = 62,63
I am going to use spaces for the ease of reading
ABC = 0b01000001 01000010 01000011
6-bit Groups = 0b010000 010100 001001 000011
Decimal = 16 20 9 3
base64 = Q U J D
In this post, I am going to talk about the basic fundamental and concepts of Cryptography. Let's start with Obfuscation and Encryption. In layman's language, encryption techniques are used to hide data or make is difficult to read. The term 'Crypto' become super popular because of the introduction of the currencies like Bitcoin, Litecoin, Ethereum etc. For us, it's just a form of protection, our focus will be on the cryptography applied to the communication, storage, messages etc. We will be using Python for the code nuggets. Lets start with the 'Caesar Cipher' and 'ROT13'
Caesar Cipher: It's an old trick where you just move every letter forward three character in the alphabet.
Plain Text - abcdefghijklmnopqrstuvwxyz
Cipher Text - defghijklmnopqrstuvwxyzabc
hello = khoor
Lets implement this in python!
beta = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROT13 will do the shift by '13' instead of '3'
In the Mobile Application Penetration Testing, the end user is in the control of the device.There are usually four phases
Vulnerability in mobile apps can occur due to several reason like misconfiguration in code level bugs. There is a huge need to perform a penetration test and security analysis before releasing a mobile application. If you think in terms of data, there are four layers usually a mobile app will have some data
Another way to think about the data in Mobile Apps are: