CISCO Cyberops Associate 1 - Cybersecurity Operations Essentials

In

CIA triad

graph LR;

A[Confidenciality];
B[Integrity];
C[Availability];

A --- B;
B --- C;
C --- A;
  • CIA triad (iron triangle): information focus for attack classification:
    • Vertex:
      • Confidenciality: keep sensitive data private.
        • encryption + public key (crypto).
      • Integrity: data has not been modified.
        • hashing.
        • versioning.
      • Availability: servers “are alive”.
        • Uninterruptible power supply (UPS).
        • Load balancers.
    • Edges: balance them, too much on a side reduces another:
      • solution:
        • Design: be careful to balance the 3 edges.
        • Infrastructure: spend on the hardware you really need (constraint triangle: cost, scope, time).
        • Implementation: apps must be able to work together.
    • Beyond CIA: “The forth vertex”: user focused: non-repudiation (authentication + authorization).
      • Classification and isolation: who, what, where.

Security approaches

  • Defense in depth:
    • Security layers:
      1. Perimeter: firewall, DMZ, edge firewall.
      2. Network: wireless security.
      3. Endpoint: host intrussion prevention system (HIPS).
      4. Application Web Application Firewall (WAF).
      5. Data: classification, encryption.
  • Least priviledge principle:
    • Users (e.g. admins).
    • Applications (e.g. connected apps).
    • Systems (e.g. cloud).
  • Zero trust model: trust no one, trust nothing. Check logs and analytics.
    • Users.
    • Devices.
    • Networks.
    • Workloads.
    • Data.

Security, tools and practices

  • SOC analyst primary duties: detect, analyze and respond.

    1. Threat discovery e.g. (audit logs).
    2. Incident validation and categorization (triage).
    3. Incident analysis.
    4. Containment and remediation.

  • Tools (for steps 3 and 4):

    • Threat Intelligence (TI): saves time, filter noise, speed up triage:
    • Threat Intelligence Platform (TIP): isolate down what it may be.
      • SIEM (SEM, or SEIM).
      • Correlation.
    • Run Book Automation (RBA):
      • Automate workloads (humans skip boring and repetitive tasks).

  • Practices:

    • Threat hunting: assume the attackers are already in.
    • Malware analysis: know behaviour and purpose.
    • Reverse engineering: reproduice what you have seen.
    • Sliding Window Anomal Detection (SWAD): limited to specific amount of time, to avoid excess of info to analyze.

Threat actor types

  • “Triple Threat”:
    • Intent && Ability = Threat
  • Threat Actor types:
    • By goal:
      • Cyberterrorist.
      • Government/state sponsored.
      • Cybercriminal.
      • Hacktivists.
    • By attack chance:
      • Insider
      • Users
      • Oportunistic
  • Know the threat:
    • Person, group or organization?
    • Motivations?
    • Goals?
    • “Enemy” or “bad guy”?

Security concepts

  • Vulnerabilities: existing weakness to danger.
    • Physical (unlocked door).
    • Security policies (sharing passwords).
    • Manufacturing defects
    • Unsecured code (unsigned).
  • Threat: potential danger.
    • Threat actors.
    • Phishing.
    • Ransomware.
    • Social engineering*.
    • Man In The Middle Attack (now called Path attack).
  • Exploits: found weakness to danger.
    • Denial of service.
    • Default passwords.
    • Default configuration.
  • Risks: chance of exposure to danger.
    • Using password and not MFA.
    • All user accounts with admin access.
    • Using Telnet for remote session.

Risk management methods

  • Positive risks / negative risks.
  • Can not ignore it → it will become a vulnerability.
  • It is assessed:
    • Risk scoring: likelihood vs consequences (assets + CIA triangle).
    • Risk mitigation (risks should be monitored):
      • Risk avoidance (usually not practical).
      • Risk sharing (spreading the load).
      • Risk acceptance (worry when it happens).
      • Risk transfer (insurance, or pass it to another person or team).

CVSS terminology

Common Vulnerabilities Scoring System:

  • Open standard, not vendor locked.
  • Priority of response.
  • Measure of severity instead of risk.
    • Metrics:
      • Base metric (always there).
      • Temporal metric (changes over time).
      • Environmental metric (specific scenario).
    • Basic metric helps calculate severity, number assign
      • Explotability metrics:
        • Attack Vector (AV)*.
        • Attack Complexity (AC)*.
        • Privileges Required (PR)*.
        • User Interaction (UI)*.
      • Scope (S)*:
        • Impact Metrics.
        • Confidentiality Impact (C)*.
        • Integrity Impact (I)*.
        • Availability Impact (A)*.

Security deployments

  • Security implementations:
    • Defense in depth.
    • Network security.
    • Endpoint security.
    • Application security.
  • Agent vs Agentless security
    • Agent based: software installed on a system.
    • Agentless: industry standards, management protocols (poll info).
  • Antimalware
    • Antivirus: detects known malware.
    • Antimalware: detects unknown malware.
      • SIEM (Security Information and Event Management): threat intelligence + needs tuning.
      • SOAR (Security Orchestrator Automation and Response): correlation from SIEM.
      • Log management: logs aggregator, find history.

Access Control models

  • Types:
    • Descretionary (scaling issues):
      • Access is decided by the resource owner for each user.
      • Access control point has a list of authorized users.
    • Mandatory (non descretionary):
      • Top secret, Secret, Classified, Unclassified.
      • Not by owner: each resource has a tag, depending on the user permissions, they can see it.
    • Role-based:
      • Access dependent on your role in your organization.
      • Efficient for otganizations and users.
        • Users added to (or removed from) multiple groups.
    • Attribute-based:
      • Access based on user, enviromental, or resource attributes.
      • Very granular controls.
      • Subtypes:
        • Rule based: access set by an administrator who creates the rules (e.g. add time-based elements to access, like working hours).
    • AAA:
      • Authentication (e.g. Cisco Identity Service Engine): who you are.
      • Autorization: what you are allowed to do.
      • Accounting: logging.

Identify data visibility challenges

  • Data visibility challenged:
    • what, where, how, why.
  • Data visibility challenges on network:
    • Lack of realtime security.
    • Logs (historical).
    • Lack of stuff and tools.
    • Lack of information.
  • Data visibility challenges on the cloud:
    • Assets are short-lived.
    • Complexity and scale.
    • Difficulty only 2nd to missconfigurations.
  • Data visibility challenges on the host:
    • Determined adversary.
    • Security fails silently.
    • Gathering of data.
    • Searching of data.
    • Data correlation.

Identify data loss from traffic profiles

  • Types of data loss on enterprises:
    • Unauthorized loss of critical business data.
    • “Unintentionally undetectable”.
    • Direct data loss.
    • Colateral loss.
  • Data loss risks:
    • Breach of customer data.
    • Loss of confidence.
    • Maybe not ever knowing it happened or its extent.
  • Traffic profile loss:
    • Asymmetrical outboind flow: communication traffic is “bigger” in one direction.
      • CISCO Firepower Threat Defense system retrieves data for this case.
      • Package analysis with Wireshark.
graph LR;

A[fa:fa-computer Computer];
B[fa:fa-computer Computer];
C[fa:fa-computer Wireshark];
D(fa:fa-toggle-on Switch);
E[fa:fa-route Router]
F[fa:fa-cloud Cloud - FTD]
G[fa:fa-laptop Laptop]

A --- D;
B --- D;
C --- D;
D --- E;
E --- F;
F --- G;

A --> G;
G .-> A;

5-tuple approach to isolate a host

  • 5 sets of different values that identifies a TcP/IP connection:
    • Source IP address.
    • Source port number.
    • Destination IP address.
    • Destination port number.
    • Protocol.
  • Valuable to network and cybersecurity:
    • Identifies TCP/IP connection.
    • Immutable.
    • Trackable.
    • Key requirements for a secure connection.

Detection Methodologies

  • Issues:
    • Networks are messy (bad tagging).
    • Staff is not fully ready (⏰).
    • Visibility (🌊🧊).
    • True or False? (false positives).
    • Attackers (😈).
  • Types:
    • Rule-based (🔙, 🔜).
      • IPS compares traffic to set of rules, to verify and match.
      • e.g. Snort blocks, firewalls, IPS.
      • What about traffic that does not match a rule? Permissive approach?
    • Behaviour-based (😇, 😈).
      • Detection based on what attackers do.
      • e.g. unusual download volume, streaming analytics, NGAVs (Next Generation AntiVirus).
      • Inconclusive: false positives must be investigated.
    • Statistical-based (📈).
      • Builds a distributed model for normal behaviour.
      • Low probability events flagged.
      • Usually added to signature-based detections.
      • HIDS (Host-based intrusion detection system), Snort (intrusion detection) and Zeek (network analysis network).