CISCO Cyberops Associate 2 - Cybersecurity analysis essentials
Attack surface and vulnerability
- Attack surface: all possible exposed attack vectors of an organization.
  - Everywhere.
  - Known or unknown.
  - Secure or vulnerable.
- Vulnerability correlation (what the number of vulnerabilities grows with):
  - Direct correlation with the attack surface.
  - Scale of the network.
  - Open source components.
  - Legacy system software.
- Reduction:
  - Reduce the amount of active code running.
  - Reduce access points for unknown users.
  - Reduce and condense the services needed.
  - Visibility (auditing and logging).
tcpdump and NetFlow
Use netstat to find out what is connected.

```sh
# find everything connected (all sockets)
netstat -a
# -n numeric (no name resolution), -a all sockets, -t tcp, -u udp; keep only established connections
netstat -natu | grep 'ESTABLISHED'
```

Use tcpdump to capture packets.
```sh
# filter by host
sudo tcpdump host 8.8.8.8
# filter by interface, with an optional port
sudo tcpdump -i ens160 port 22
# faster: -nn no host/port name resolution (numbers only), -S absolute TCP sequence numbers,
# -x print the packet in hexadecimal; here filtering the NetFlow export traffic on UDP port 9996
sudo tcpdump -i ens160 -nnSx udp port 9996
```

Router NetFlow
how
```sh
ssh user@10.0.10.207
show running-config
```

what
- flow record (result of `show running-config`; the exporter name was not recorded in the notes and is a placeholder):

```
! flow record: which fields are matched (key fields) and collected per flow
flow record CYBEROPS_REC
 ! 5-tuple
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 ! type of service
 match ipv4 tos
 match interface output
 match interface input
 ! additional information to collect
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
! flow exporter: where the records are sent and how
flow exporter CYBEROPS_EXP
 ! collector that receives the records
 destination 10.0.10.100
 ! interface whose address is used as the source of the export packets
 source GigabitEthernet0/0
 ! transport and port the collector listens on
 transport udp 9996
 template data timeout 60
```
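The exported records carry exactly the fields the flow record above matches and collects. The following is an added example, not code from the course or from Cisco: it parses a constructed, comma-separated dump of such records (one record per line, field order and sample values are my own assumption, not a real NetFlow v9 export format) and turns the statistical data into two things an analyst looks for: top talkers by bytes, and a source that touches many destination ports on one host with tiny flows, which is the pattern of a port probe worth escalating. The function and field names are mine.

```python
"""Added example (not from the course notes): analyse NetFlow-style records
carrying the CYBEROPS_REC fields, using constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export. Fields, in order: src, dst, sport, dport, proto,
# tos, in_if, out_if, bytes, packets, first (sys-uptime ms), last (sys-uptime ms), app
SAMPLE_EXPORT = """\
10.0.10.23,93.184.216.34,51234,443,6,0,Gi0/0,Gi0/1,48213,61,100,4200,https
10.0.10.23,93.184.216.34,51236,443,6,0,Gi0/0,Gi0/1,1209,9,4300,4900,https
10.0.10.40,10.0.10.100,40001,22,6,0,Gi0/0,Gi0/1,820,11,200,900,ssh
10.0.10.40,10.0.10.100,40002,23,6,0,Gi0/0,Gi0/1,60,1,910,910,unknown
10.0.10.40,10.0.10.100,40003,25,6,0,Gi0/0,Gi0/1,60,1,920,920,unknown
10.0.10.40,10.0.10.100,40004,80,6,0,Gi0/0,Gi0/1,60,1,930,930,unknown
10.0.10.40,10.0.10.100,40005,135,6,0,Gi0/0,Gi0/1,60,1,940,940,unknown
10.0.10.40,10.0.10.100,40006,445,6,0,Gi0/0,Gi0/1,60,1,950,950,unknown
10.0.10.40,10.0.10.100,40007,3389,6,0,Gi0/0,Gi0/1,60,1,960,960,unknown
10.0.10.55,10.0.10.100,50000,9996,17,0,Gi0/0,Gi0/1,1500,1,1000,1000,netflow
"""


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    in_if: str
    out_if: str
    bytes: int
    packets: int
    first: int
    last: int
    app: str


def parse_export(text):
    """Parse the constructed dump into FlowRecord objects, rejecting malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) != 13:
            raise ValueError(f"malformed record: {line!r}")
        records.append(FlowRecord(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]),
                                  f[6], f[7], int(f[8]), int(f[9]), int(f[10]), int(f[11]), f[12]))
    return records


def top_talkers(records, n=3):
    """Bytes per source address, highest first (statistical data)."""
    totals = defaultdict(int)
    for r in records:
        totals[r.src] += r.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def port_scan_suspects(records, min_ports=5, max_packets=2):
    """Sources that touched at least min_ports distinct TCP destination ports on
    one destination using tiny flows (at most max_packets packets each).
    Returns {(src, dst): sorted list of ports}."""
    ports = defaultdict(set)
    for r in records:
        if r.proto == 6 and r.packets <= max_packets:
            ports[(r.src, r.dst)].add(r.dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def long_flows(records, min_ms=3000):
    """Flows whose sys-uptime span (last - first) is at least min_ms: long-lived sessions."""
    return [(r.src, r.dst, r.dport, r.last - r.first)
            for r in records if r.last - r.first >= min_ms]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("top talkers:", top_talkers(recs))
    print("scan suspects:", port_scan_suspects(recs))
    print("long flows:", long_flows(recs))
```

The thresholds (five ports, two packets, three seconds) are arbitrary starting points; tune them against a performance baseline of the network before alerting on them.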
Firewall data
❗ Remember the OSI model:
| Type | Layer | Protocol data unit (PDU) | Function |
|------|-------|--------------------------|----------|
| Host | 7 - Application | Data | High-level protocols such as for resource sharing or remote file access, e.g. HTTP. |
| Host | 6 - Presentation | Data | Translation of data between a networking service and an application, including character encoding, data compression and encryption/decryption. |
| Host | 5 - Session | Data | Managing communication sessions, i.e. the continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes. |
| Host | 4 - Transport | Segment, Datagram | Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing. |
| Media | 3 - Network | Packet | Structuring and managing a multi-node network, including addressing, routing and traffic control. |
| Media | 2 - Data link | Frame | Transmission of data frames between two nodes connected by a physical layer. |
| Media | 1 - Physical | Bit, Symbol | Transmission and reception of raw bit streams over a physical medium. |
- Stateful:
  - Functionality:
    - Packet inspection.
    - Prevent unauthorized access.
    - Separate good and bad traffic.
    - Scan control on layers 2 and 4.
  - Data:
    - Successful and failed logons.
    - Allowed traffic, denied traffic.
    - Layer 2, layer 3, layer 4 data.
- Next-Gen Firewall:
  - Functionality:
    - Everything a stateful firewall does.
    - IPS.
    - Application awareness.
    - Deep packet and malware inspection.
    - Decrypt and inspect SSL traffic.
  - Data:
    - Successful and failed logons.
    - Allowed traffic, denied traffic.
    - IDS/IPS reports (Intrusion Detection and Prevention Systems).
    - Threat reports.
Content filtering data
- What:
  - Websites.
  - Emails.
  - Executable files.
- Why:
  - Phishing websites.
  - Phishing emails.
  - Data loss.
  - Granular control filtering.
Application visibility and control data
- Criteria (filter).
- Control applications (authorized apps).
- SSL decryption (inspection) → Application Visibility and Control (AVC) devices:
  - Perform DPI (Deep Packet Inspection).
  - Operate at layer 7.
  - Inspect content to identify the application.
- Application usage on the network:
  - Per-user application utilization.
  - Network capacity.
  - Application prioritization, QoS (Quality of Service).
Technology impact on data visibility
- Tunneling (data in data 🚇, 📭).
- Encapsulation (wrap it to send it through the tunnel ✉️).
- Encryption (🔒).
- TOR (The Onion Router, hides the source 🧅).
- ACL (Access Control Lists, drop traffic, ✅📄):
  - Careful with time ranges.
- NAT (Network Address Translation) and PAT (Port Address Translation): obfuscation through the mapping of internal and external addresses.
- Load balancing (split the load between nodes).
- P2P (another network inside of my network).
- Cloud (blind spots, too many tools, collection complexity):
  - Types:
    - Single cloud.
    - Multi-cloud.
  - Overcome visibility challenges:
    - Performance baselines.
    - Glean what you need (active and passive).
    - Network mapping.
    - Configuration management.
    - Plan for the future.
Network security data types
- Types:
  - Full packet capture: exact copy of the traffic on the wire.
  - Session data: record of a conversation.
  - Transaction data: request and reply exchanges.
  - Statistical data: data about activity.
  - Metadata: “data about data”.
  - Alert data: specific data patterns.
- Uses:
  - Detect: find unexpected behaviour.
  - Analyze: what went on.
  - Escalate: know when you are over your head.
Network attacks
- 3 common:
  - Distributed Denial of Service (DDoS; there is also the non-distributed form, Denial of Service, DoS):
    - Definition:
      - Protocol-based attacks.
      - Volumetric attacks.
      - Application attacks.
    - Detection:
      - Dramatic performance drops.
      - Large volumes of spam email.
      - Abnormal redirects and flows.
      - Inaccessibility of a site or resource.
  - Man-in-the-middle (MITM, now called on-path attack):
    - Definition:
      - Rogue access points.
      - ARP spoofing (Address Resolution Protocol: forged ARP messages on the Ethernet segment bind the attacker's MAC address to another host's IP address, so that host's traffic is hijacked).
      - mDNS (multicast DNS) spoofing and DNS spoofing (hijack domain name resolution).
    - Detection:
      - Active authentication verification.
      - Tamper detection.
      - Network monitoring.
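Network monitoring for ARP spoofing comes down to watching which MAC address answers for each IP. The following is an added example, not code from the course: it runs a detector over a constructed list of ARP reply observations (the timestamps, addresses and the function name are my own) and raises an alert for the two indicators a monitor can see passively: an IP whose MAC changes (or disagrees with a trusted static mapping, e.g. for the gateway), and one MAC claiming several IPs.

```python
"""Added example (not from the course notes): detect ARP spoofing from
constructed ARP reply observations by tracking which MAC claims each IP."""
from collections import defaultdict

# Constructed observations: (timestamp, sender IP, sender MAC) taken from ARP
# replies seen on the segment, the kind of data a passive capture would yield.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.10.1", "00:11:22:33:44:01"),    # gateway
    (1.0, "10.0.10.23", "00:11:22:33:44:23"),
    (2.0, "10.0.10.1", "00:11:22:33:44:01"),
    (3.5, "10.0.10.1", "aa:bb:cc:dd:ee:ff"),    # a different MAC now answers for the gateway IP
    (3.6, "10.0.10.1", "aa:bb:cc:dd:ee:ff"),
    (4.0, "10.0.10.40", "aa:bb:cc:dd:ee:ff"),   # the same MAC also claims another IP
]


def detect_arp_spoofing(observations, trusted=None):
    """Return a list of alert dicts for two indicators:
    1. 'mac-change': an IP's MAC differs from what was learned earlier;
       'trusted-mapping-violation' when the IP has a static, trusted MAC
       (trusted = {ip: mac}), which is never overwritten by learning.
    2. 'multi-ip-claim': one MAC has answered for more than one IP."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    believed = dict(trusted)          # ip -> MAC currently believed for it
    ips_per_mac = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in believed and believed[ip] != mac:
            kind = "trusted-mapping-violation" if ip in trusted else "mac-change"
            alerts.append({"ts": ts, "kind": kind, "ip": ip,
                           "old": believed[ip], "new": mac})
        if ip not in trusted:
            believed[ip] = mac        # learn first sighting, or follow the change after alerting
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append({"ts": ts, "kind": "multi-ip-claim", "mac": mac,
                               "ips": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES,
                                     trusted={"10.0.10.1": "00:11:22:33:44:01"}):
        print(alert)
```

Without a trusted mapping the detector follows the change after the first alert, so a legitimate NIC replacement produces one alert and then goes quiet; with the gateway pinned as trusted, every reply that disagrees with it is reported, which is the stricter setting for the addresses that matter most.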
Web application attacks
- SQL injection attacks:
  - Add SQL statements to do what the attacker wants.
  - Tamper with data.
  - Corrupt the database.
  - Bypass authentication.
- Command injection:
  - Vulnerable web application.
  - Insufficient input validation.
  - Compromise of the web server and database.
- Cross-site scripting (XSS):
  - Malicious scripts injected into a website.
  - Script that can access the browser's data.
  - Stored XSS.
  - Reflected XSS.
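The authentication bypass listed under SQL injection follows directly from insufficient input validation: when user input is pasted into the SQL text, it can change the shape of the statement. The following is an added example, not code from the course: a login check against a constructed in-memory SQLite user table, written once with string concatenation (the defect) and once with bound parameters (the fix), so the same input can be run against both. The table, user, salt and function names are my own.

```python
"""Added example (not from the course notes): SQL injection authentication
bypass beside the parameterised fix, on a constructed in-memory SQLite table."""
import hashlib
import sqlite3

# Constructed: a real system uses a random per-user salt stored with the hash.
SALT = b"constructed-static-salt"


def _hash(password: str, salt: bytes) -> str:
    """Password KDF (PBKDF2-HMAC-SHA256); never store plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db():
    """Constructed user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse", SALT)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Defect: user input is concatenated into the SQL text, so the input can
    alter the statement's structure (e.g. comment out the password check)."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{_hash(password, SALT)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Fix: placeholders keep the input as data; the statement shape is fixed
    before any user-controlled value is bound."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password, SALT)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "alice'--"   # a quote plus an SQL comment marker in the username field
    print("vulnerable  :", login_vulnerable(db, probe, "wrong password"))
    print("parameterised:", login_parameterised(db, probe, "wrong password"))
```

With the vulnerable function the comment marker in the username removes the `AND pw_hash = ...` clause and the lookup succeeds with a wrong password; the parameterised function treats the whole string as a username value, finds no such user and returns `None`. Input validation (rejecting characters the username field does not need) is a useful second layer, but binding parameters is the control that closes the defect.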
Social engineering attacks
- Phishing attacks (🎣, exploit basic emotions: greed, fear):
  - Attract attention.
  - “Urgent”.
  - Weird URLs.
  - Emails and SMS messages.
- Watering hole (💧):
  - Injection attack on a site the targets visit.
  - The target ends up with a trojan installed.
  - Zero-day exploits are common.
- Whaling attacks (🐳):
  - Phishing attack aimed at a specific big target.
  - Commercial, executive and government targets.
  - Scam email from a seemingly “trusted” sender.
- Pretexting (🤥, lies):
  - “Fake identity”.
  - Attempts to build trust.
  - Long game.
- Baiting (🧀):
  - Lure (human curiosity).
  - e.g. "Best offer ever!", a USB drive left in the open.
- Tailgating (not intended) and piggy-backing (intended).
Evasion and obfuscation
- How:
  - Bypassing security controls.
  - Finding backdoors.
  - Hiding data.
- Evasion techniques:
  - Non-detection.
  - Flooding.
  - Fragmentation.
  - Encryption and tunneling.
- Obfuscation:
  - Hide malicious activity in executable code.
  - Encryption.
  - Polymorphic shellcode (the code's shape is mutated so signatures do not match; a decoder is prepended that translates the payload back into its malicious form and runs it).
Certificate components
- The need:
  - Internet.
  - Clients and servers.
  - Data.
- Digital certificates provide:
  - Data encryption.
  - Data integrity.
  - Authentication.
- Certificate components:
  - Cipher suite: supported algorithms.
  - X.509 certificate: standard format.
  - Key exchange: two-party exchange of cryptographic keys.
  - Protocol version: negotiated between browser and site.
  - PKCS (Public Key Cryptography Standards): certificate file extensions.