Data Exfiltration and Data Loss Prevention (DLP) is one of key topic of our discussion today. One of the ways to detect APT Groups and advanced ransomwares at early stage is by analyzing the outbound traffics. Most of the advanced treats will try to establish a C2 connection. 
Profile 'outbound' traffic data:

• how much data is sent? 
• who usually sends the data?
• where are we sending the data (IP, Port)?
• When it's usually sent?

You can use Flow Logs or NGFW logs to get the insights. Try to see if you can find outliers.
Some outliers can be: 

• 24/7 Outbound Connection (Keep an eye)
• Unauthorized C2 or VPN Connections
• Insiders malicious activities 

Dashboards are the good starting point.With the flow data you can develop a 'Top Level Domain(TLD) Dashboard' and look for following traffic patterns: 

• High Bandwidth TLD
• Low Level TLD
• Top 10 TLD By Bandwidth
• Top 10 Second Level Domain by Bandwidth

#Comment if you have additional tips.

I have to build many SOC teams in my professional career. In this post, I’d like to declutter some of the myths about SOC. Let’s start with the basics.

One of the most important questions is why your organization needs a SOC?

Enterprise often collects a large amount of data in the form of logs. Simply storing the data is not valuable. The humongous amount of information needs to be searched for malicious activities. If there is malicious activity, you need a human to respond to it intelligently. SOC team members will do the Detection, Investigation, and Response to the incident. Another critical aspect of the SOC team (often overlooked) is the post-incident reviews. 

What are the sub-team/sub-group in a SOC?

Fully Outsourced SOC: Hiring, Building, and retaining SOC Teams are challenging and expensive. There are not a lot of experienced Cyber Security Analyst and Engineers out there in the market. It’s honestly a new career option. To avoid the hassle, the organization often decide to outsource the security operation fully to Managed Security Service Providers (MSSP).

There are a few advantages and disadvantages of having a fully outsourced SOC. The most significant benefit is the speed; you can have someone start looking at your data/alerts as soon as you sign the contract.In there is any anamoly, MSSP will do the hunt, investigation and escalated it to you pretty quickly.

​The biggest downside is the knowledge gap. All the knowledge/intelligence about your network/endpoint stays with the MSSP. As soon as you cancel the contract, it’s gone. Another significant disadvantage is the MSSP is expensive. You have to pay a lot of money out of your budget  for the SOC. In some cases, the quality of the investigation can be poor too.  

Even after outsourcing your SOC, mitigating a malicious and compliance stays with the organization only. Usually, companies in the early stage will go for this model. MSSP will care more about the SLA’s rather that the quality of the investigation. If you are adopting this model, please ensure to discuss all the norms upfront, including the resume/profiles fo the Analysts.

Hybrid SOC: It’s a combination of the MSSP + In-house SOC team. Usually, the Detection, response, and forensics team will be in-house, and the Tier-1 & 2 Analyst will outsource. The majority of the pros and cons of MSSP mentioned above applies here as well. The benefit is you keep your institutional knowledge. If your want to run your SOC 24/7 and your security team is only in one country this model will be helpful in terms of coverage and control.

In-house SOC: Fully In-house SOC Teams are high, usually big size organizations with big budgets will go for this model. I’d say having a functional in-house SOC is a sign of maturity of an overall cybersecurity program. If your company is global, you may want to have your SOC team in mutiple time zones.

Key Responsibilities of SOC

• Implement, Manage, and Propose Security Tools: SIEM, EDR, SOAR are the primary tools SOC uses, but they responsible for proposing new security gaps and devices to the business as well. If an alert/incident has made to the SIEM application, it must have bypassed specific security controls. SOC Analysts should always think about solutions to reduce the number of alerts/cases. A typical example is proposing an email security tool for reducing the number of phishing alerts.
• Investigate, Respond, Contain, and Remediate Suspicious alerts: The core function of the SOC is to investigate the malicious activity. SOC cannot wholly rely on preventive and detective controls. A successful SOC is always on a Hunt.
• Cyber Security Strategy: SOC is responsible for the overall Cyber Security strategy of the company. SOC should develop playbooks, SOP’s, Policies to respond to certain types of alerts. For example, SOC should develop a Cyber Security Incident Response Plan, Escalating the polity of HR/Legal, etc.

In this blogpost, we will discuss about the high quality Open source NSM Tools. Security Onion is one of the most common and popular NSM distribution. 

Security Onion has Ubuntu based Linux distribution. It comes with a bunch of softwares:

• NIDS - Snort, Suricata
• Asset Data - PRADS
• Full Packet Capture - netsniff-ng
• SIEM - ELK
• Additional tools - Wireshark, Nmap 

Web Sessions are usually managed by a "Session Token". Session hijacking is a way of exploiting the web session control mechanism.It's a way to get an unauthorized access to the web-server by stealing a valid token.

Session Hijacking is a type of attack and it can use accomplished by using various techniques like Session Sniffing, Clint Side Attacks like XSS, Man in the middle/browser type of attacks.

Goal: The goal of the treat modeling is to redure the risk as can be applied as a repeatable process. It has numerous benefits. In this post, we will learn to answer following questions:

• What is Threat Modeling?
• Why you should Threat Model?
• Who should Threat Model?
• When to Threat Model?

 
What is Threat Modelling?
You have build a Web App which allows visitors to subscribers to a mailing list and a sign-up for the account. When you list down systematically all the potential ways one can attack your application. That is Threat Modelling in a Nut Shell. Remember Two Key Terms - "Systematic Approach". Threat modelling should be a repeatable process in the SDLC. Second Important key term is "Abuse". You are constantly looking at the Attacks in order to find vulnerability. Another apporach is to develop a probable threat scenarios and list of threats. It's an holistic approach to reduce the risk of an application.

Bug - Software Defects
Vulnerability - Weakness that can be exploited
Attack/Incident - Needs a Target, Need a Threat Vector (Path an attacker can take to exploit the vulnerability) and a Threat Actor.
Threat Surface- Anything that can be obtainer, user or attacked by a threat actor
Risk - Risk = Impact * Liklihood

Why you should do Threat Modelling?
Remember the goal is to Risk Reduction. There are other methodology to serve the same purpose as well for example Penetration Testing, Source Code Analysis, Architectural Risk Analysis, Vulnerability Scanning. Lets discuss about the reasons to use Threat Modelling

• Pro-active Approach (Security Upfront)
• Efficient - It's a cost effecttive method. This apprach can save a lot of $$.
• Prioritize Bugs
• Better understanding

 Outputs of Threat Modeling

• Over all Diagrams
• Clear Security Requirements
• List of Threat and Vulnerabilities

* Allows security to be injected in the SDLC

Who Should Theat Model?

• System Architect - Knows the design of the application and data flows
• Developer - Details of the application build
• Tester - Knows the requirements and what it's suppose to do.
• Security Professional​ - Know the attack vectors and think like an attacker

When to perform Theat modelling?

• As early as possible - Earlier is better
• Requirement Phase &  Design Phase
• In Agile - It should be done in each sprint and generate seperate security stories

Threat Modeling Approachs 
We will discuss about the following approaches of Threat Modeling. The End goal will be to Generate a list of Threats.
Example Scenario - A simple webapplication. Anonomayos users can visit the website. Sites runs a Content Management System and only authorized users can access it. Mailing Componenet to send out web mails

Asset-Centric/Risk Approach: In this approach we focus on the things you want to protect for example: Example : Databases, Email accounts, Account Credentials, Servers

• Step -1  Create a list of asset
• Step -2  Draw assets, Components and data flows
• Step -3  For each element, check for threats

​Advantages: 

1. Centered around assets
2. Forcused towards on the business impact 
3. Best suited when doing Risk assement for auditers
4. Exmaple - PASTA, TRIKE

Disadvantages: 

1. Not Centered around the application
2. Mapping assets to therats is difficult 

Attacker-Centric/Security Approach:This apporach is preferred by Pentesters. You'll need a team of highly qualified Security Engineers to succeed in the approach.

1. ​Create a list of theat actors
   1. ​Threat Actor - Competitor
   2. Motive - Example: Getting your business
   3. Means - Example:Financial and Technical means: Limited/Unlimited
   4. Opportunity - Example: Exploting a vulnerability 
2. Create a list of threats

​Advantage: 

• Make threats and attack are visible

Disadvantage:

• Easy to miss technical Threats
• Unrealistic Threat
• Biased results

​
​Application-Centric Approach: Think about the Application and get famalier with the application. User Step 1: Draw a diagram of the application. For example: Data Flow Diagram
Step 2: List threts for each eleements. STRIDE (Threat Classification Model), OWASP Top 10
Step 3: Rank Threat using classification model

Advantages:

• Common understanding of the application
• Spread of the knowledge

Disadvanatge: 

• Documentation is necessary 
• Difficul to see 'own' vulnerability 
• Threats may sound abstracy

Threat Modeling Methodologies

In this section, we will discuss about the approaches for threat modeling focused towards the asset centric and application centric approach.

PASTA - Process for Attack Simulation and Threat Analysis
This is a threat modeling and threat analysis process. It's an asset centric approach with 7 Stages

• Define Business Objectives
• Define Technical Scope
• Decompose Application - Data Flow Diagram
• Analyze Threats - Threat Intelligence
• Indentify Vulnerabilities
• Enumerate Attacks
• Perform Impact Analysis

Key Element

• Useful for Medium to Large Size Companies
• Mature Companies
• Having Security Knowledge

Advantages:

• Great for business Integration
• Mature and well document Process
• Lots of documentation
• Tooling Available 

Disvantages 

• Sepecialized Input necessary for example threat intelligence needs to obtain or acquired
• Time Consuming Procerss
• Each step generates output
  
• Output depends on Dynamic Input

If you are working in the DFIR, you might have encountered Base64 Code many times. In this blog post, we will talk about the basics of base64 encoding.

ASCII Data - Each Character turns into one byte
A = 65 (Binary 0b01000001)
B = 66 (Binary 0b01000010)
C = 67 (Binary 0b01000011)

The 3 Letter String = 24 Bit
ABC = 0b010000010100001001000011
For base64 - we'll need ot break it in the group of 6 bits. 6 Bits will have 64 Combination and will need 64 Characters to encode it.

Characters used are as follows:
ABC...Z = 0-25
abc...z =26-51
0123..9 = 52-61
+,/ = 62,63

I am going to use spaces for the ease of reading
ABC  = 0b01000001 01000010 01000011
6-bit Groups = 0b010000 010100 001001 000011
Decimal = 16 20 9 3
base64 = Q U J D

In this post, I am going to talk about the basic fundamental and concepts of Cryptography. Let's start with Obfuscation and Encryption. In layman's language, encryption techniques are used to hide data or make is difficult to read. The term 'Crypto' become super popular because of the introduction of the currencies like Bitcoin, Litecoin, Ethereum etc. For us, it's just a form of protection, our focus will be on the cryptography applied to the communication, storage, messages etc. We will be using Python for the code nuggets. Lets start with the 'Caesar Cipher' and 'ROT13'

Caesar Cipher: It's an old trick where you just move every letter forward three character in the alphabet.

Plain Text - abcdefghijklmnopqrstuvwxyz
Cipher Text - defghijklmnopqrstuvwxyzabc

For example:
hello = khoor

Lets implement this in python!

ROT13 will do the shift by '13' instead of '3'

In the Mobile Application Penetration Testing, the end user is in the control of the device.There are usually four phases

• Discovery
  • Understanding the platform
    
  • OSINT
  • Client Side and Server Side Scenarios - Native, Hybrid or Web
• Assessment/Analysis
  • Static Analysis - Analysis is performed without executing the application or just looking at the source code of the application.
    
  • Dynamic Analysis - Dynamic analysis is performed while the application is running on the device. This includes forensic analysis of the local filesystem, network traffic between the application and server, and assessment of the app's local inter-process communication (IPC) surface.
  • Achieve Analysis - Review of the files that have not been compiled into a binary
  • Local File Analysis - Files Accessed by the application and files used during the application execution
  • Network & Web Traffic - The device will be configured to route their connection to the server through a test proxy controlled by the security tester. This will enable web traffic to be intercepted, viewed, and modified. It will also reveal the communication endpoints between the application and the server so that they can be tested. Network traffic that is not traversing the Web and is happening at a lower layer in the TCP/IP protocol stack, such as TCP and UDP packets, will also be intercepted and analyzed.
  • Reverse Engineering - Complied Code into Human readable format 
    
  • Interprocess Communication
• Exploitation
  • Attempt to Exploit the Vulnerability -  Discovered vulnerabilities to gain sensitive information or perform malicious activities.
    
  • Privilege Escalation
• Reporting 
  • Risk Assessment - Analyze business criticality of the application and the security risk posture and categorize the overall risk rating of the assessed application
    
  • Final Reporting