Categorize intrusion events

  • By security models (see “Cybersecurity investigation techniques”):
    • Cyber kill chain model:
      • Visibility into an attack.
      • Attacker’s tactics, techniques and procedures.
        Stages                                                                  Attacks
        (1) Reconnaissance, (2) Weaponization, (3) Delivery                     Compromised sites, phishing, web scraping.
        (4) Exploitation                                                        Exploit kits.
        (5) Installation, (6) Command and Control, (7) Actions on Objective     Ransomware, Trojans, bots…
    • Diamond model of intrusions: “for every intrusion event, there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result”.
          graph LR;
      A(adversary);
      B(capability);
      C(infrastructure);
      D(victim);
      
      subgraph diamond_model
        A
        B
        C
        D
      end
      
      A --- B;
      A --- C;
      A --- D;
      B --- C;
      B --- D;
      C --- D;
      • Core features of every malicious activity:
        • Adversary: attackers and tools.
        • Capability: malware, exploits, web scraping, other tools.
        • Infrastructure: network and shares, servers, accounts, services.
        • Victim: IP addresses, domain names, ASN, email addresses.

Source technology and events

  • IDPS/IPS:
    • Most frequent attacks.
    • Source and target of attacks.
    • Attack trends.
  • Firewalls:
    • Aggregate on 5 tuples (source, destination, source-port, destination-port, protocol).
    • Rules to allow or deny traffic.
    • Incoming and outgoing connections.
  • Network Application Control:
    • Applications.
    • Applications usage (user, apps and content).
    • Web traffic, threats, data patterns.
  • Proxy logs:
    • User, application and service requests.
    • 5 tuples.
    • Timestamp.
    • HTTP request and reply.
  • Antivirus:
    • Detections.
    • Events.
    • Scan results.
    • Blocked.
    • Audit logs.
  • Transaction data (netflow):
    • Flow records.
    • North-south (different hierarchy level), east-west (on the same hierarchy level) traffic.
    • Missing firewall rules.
    • Prohibited service usage.

Firewall operations

  • Deep packet inspection:
    • Inspect data payload and header of packet.
    • Act based on data payload.
    • Work at layer 7 (OSI).
    • Most often inspection point is firewall.
  • Stateful firewall operation:
    • Monitor connections (flow).
    • Default blocks all inbound traffic.
    • Exception: requested traffic.
  • Packet filtering operation (e.g. ACLs):
    • Only inspects the header of each packet.
    • Does not consider the connection.

Traffic analysis techniques

  • Inline traffic interrogation (choose depending):
    • Physical device (“tap the phone-line”).
      • 100% copy of data.
      • Does not drop frames.
      • Less vulnerable.
      • No duplicates.
      • Recommended method.
      • No port contention.
      • No configuration.
    • Traffic Monitoring (SPAN, “Switch Port analyzer”, physical device between computer and switch):
      • Switch mechanics, it will drop some layer 1 and layer 2 data (filtered).
      • Configuration necessary.
      • Port contention.
  • Netflow analysis (e.g. Wireshark):
    • Aggregates 5-tuples data.
    • Collects and stores information about the endpoints, communications, applications and users.
    • Can identify malicious activity and users.
  • Network traffic analysis:
    • Misconfigurations of network devices.
    • Data exfiltration.
    • Network scans from external source.
    • Denial of Service attacks.
    • Machines that are beaconing.

Extract files from a TCP stream

  • Nowadays almost all traffic is encrypted. Wireshark can decrypt TLS when it has the session secrets:
    1. Check the SSLKEYLOGFILE environment variable to locate the key log file.
    2. In Wireshark (Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename) add the path of that log file.
    3. Read the decrypted messages, similar to what Firepower Management Center shows.
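To see what the key log in step 1 actually gives Wireshark, here is an added example (not part of the original notes) that parses an NSS-format key log and reports which sessions are decryptable; the sample log, with dummy hex values, is constructed.

```python
"""Parse an NSS key log (the file SSLKEYLOGFILE points at) and report which TLS
sessions Wireshark could decrypt from it.  Added example, not from the original
notes; the sample key log below is constructed with dummy hex values."""
import re
from collections import defaultdict

# TLS 1.3 writes one line per traffic secret; Wireshark needs all four of these
# to decrypt both handshake and application data in both directions.
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
# Every entry is: <label> <client_random hex> <secret hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)$")

# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session missing secrets, a comment and a malformed line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "66" * 32,
    "this line is not a key log entry",
])

def parse_keylog(text):
    """Return {client_random: {label: secret}}, skipping comments and junk."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        label, client_random, secret = m.groups()
        if len(client_random) != 64:      # client random is always 32 bytes
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def decryptable_sessions(sessions):
    """Classify each session by what Wireshark can do with the logged secrets:
    TLS 1.2 needs CLIENT_RANDOM with a 48-byte master secret, TLS 1.3 needs
    the four traffic secrets; anything else is 'incomplete'."""
    verdict = {}
    for cr, labels in sessions.items():
        master = labels.get("CLIENT_RANDOM")
        if master is not None and len(master) == 96:
            verdict[cr] = "tls1.2"
        elif TLS13_LABELS.issubset(labels):
            verdict[cr] = "tls1.3"
        else:
            verdict[cr] = "incomplete"
    return verdict

if __name__ == "__main__":
    for cr, v in decryptable_sessions(parse_keylog(SAMPLE_KEYLOG)).items():
        print(cr[:16] + "...", v)
```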

Intrusion elements from PCAP file

  • Components and capture demo:
    • .pcap (Packet CAPture file): Wireshark file (monitor).
      1. Select a packet you don’t like, right click and Follow → TCP Stream (you may find a malware upload… Save it!).
    • Metasploitable intentionally vulnerable Linux machine, for exploits demo (target machine).
    • Kali Linux: pentesting (attacking machine).
      • Armitage: graphical cyber attack management tool for Metasploit.
        1. Connect, to select the host to attack.
        2. Right click on machine, scan.
        3. After finished, right click on it and login.
        4. After finished, right click on it and shell.
          ls -ls
          # and you may be in
          mkdir malware
        5. Right click on it and upload (send up some nasty stuff).
  • Analysis:
    • Right click and follow → TCP stream.
    • Look for compromised password.
    • Retrieve trace.

Artifact elements from an event

  • Firepower Management Center dashboard:
    • Intrusion events tab:
      • Top attackers (by IP addresses).
      • Top targets.
      • Total events by user.
      • Application + protocol (frequency).
    • Analysis tab:
      • Intrusions, malware events.
        • Same hash = same attack.

Basic regular expressions

Regular expressions are great for checking router logs. We will use grep (Global Regular Expression Print) in the shell.

  • Gather interface info:
    enable
    show ip interface brief
    # a lot of info, reduce scope
    show ip interface brief | exclude unassigned
  • Gather IP route info:
    enable
    show ip route
    # a lot of info, reduce scope
    show ip route | begin Gateway
    show ip route | include OSPF
  • Process huge file
    # . matches any single character and * repeats it, so this matches every line
    grep '.*' HugeFile.txt
    # Extended version, using OR
    grep -E 'Potato|Tomato' HugeFile.txt
    # Find by date on a log file (^ anchors the match at the start of the line)
    grep '^May 04' syslog
    # grep can be piped into more grep
    grep '^May 04' syslog | grep systemd

Endpoint-based attacks

  • Buffer overflows:
    • Too much data!
    • Know what buffers, access and modify.
    • Know where to look.
    • Know what it can do.
  • Command and Control (C2):
    • Establish a control endpoint.
    • Connects to server.
    • Data theft.
    • Shutdown or reboot.
    • Look for unusual outbound activity.
    • Know purpose and role of the endpoint.
    • Visibility.
    • Data analysis of malware.
  • Malware:
    • Any malicious intent on software systems.
    • Endpoint antivirus.
    • Regular scans.
    • 2nd opinion.
  • Ransomware:
    • Encrypts all data on your systems.
    • Monitor known ransomware extensions.
    • Large volume of file renames.
    • AI based systems.
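The two ransomware signals above (known extensions, a large volume of renames) as an added example that is not part of the original notes: a sliding-window detector over file rename events; the event stream, the extension watch list and the process name "cryptor.exe" are constructed.

```python
"""Two of the ransomware indicators from the notes, implemented over
file-system rename events: (1) a burst of renames by a single process inside a
sliding time window, and (2) renames onto known ransomware extensions.  Added
example, not from the original notes; the event stream, extension list and
process names are constructed."""
import os
from collections import defaultdict, deque

# Constructed watch list; a real deployment uses a maintained extension feed.
KNOWN_RANSOM_EXT = {".locked", ".crypt", ".wncry", ".cerber"}

# Constructed rename events: (time_seconds, process, old_path, new_path).
# A few ordinary renames by explorer.exe, then 30 renames in 3 seconds by a
# hypothetical "cryptor.exe" that appends .wncry to every file it touches.
EVENTS = [
    (0.0, "explorer.exe", "/home/u/draft.docx", "/home/u/report.docx"),
    (10.0, "explorer.exe", "/home/u/IMG_1.jpg", "/home/u/holiday.jpg"),
    (20.0, "explorer.exe", "/home/u/notes.txt", "/home/u/todo.txt"),
] + [
    (round(1.0 + 0.1 * i, 1), "cryptor.exe",
     f"/home/u/f{i}.txt", f"/home/u/f{i}.txt.wncry")
    for i in range(30)
]

def rename_bursts(events, window=5.0, threshold=20):
    """Return {process: time_first_flagged} for every process that performs
    more than `threshold` renames within any `window`-second span."""
    recent = defaultdict(deque)   # per-process timestamps still inside the window
    alerts = {}
    for t, proc, _old, _new in sorted(events):
        q = recent[proc]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and proc not in alerts:
            alerts[proc] = t
    return alerts

def suspicious_extensions(events, watch=KNOWN_RANSOM_EXT):
    """Return {process: [new_path, ...]} for renames onto a watched extension."""
    hits = defaultdict(list)
    for _t, proc, _old, new in events:
        if os.path.splitext(new)[1].lower() in watch:
            hits[proc].append(new)
    return dict(hits)

if __name__ == "__main__":
    print("rename bursts:", rename_bursts(EVENTS))
    print("watched extensions:",
          {p: len(v) for p, v in suspicious_extensions(EVENTS).items()})
```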

Windows 10 components

  • Task manager:
    • Check task performance (check volume, link to resource monitor).
    • Check startup tasks (check injections).
  • Performance monitor (more detail than the Task Manager performance tab).
  • Reliability monitor (critical events).
  • Event viewer (post-mortem analysis):
    • Logs (application, security, setup, system, forward events from other Windows systems).

Ubuntu components

  • Know your machine version:
    uname -a
  • Find components on shell
    # go all the way back to the root directory
    cd /
    # list
    ls
    # look for logs
    cd var
    cd log
    # check content (inside vim, :q! exits without saving)
    vim auth.log
  • KSysGuard: system monitor.
  • Htop: resource-intensive process monitor.
  • Network details: netstat -ano | less.
  • Remove process using its id: kill PID.

Attribution in an investigation

  • Attribution: who did it?
    • Follow an attack.
    • Cyber attribution.
    • Difficult task, not a lot of physical clues.
  • Investigation:
    • Goals to find:
      • Assets compromised.
        • Digital / physical.
        • Hidden and open.
      • Threat actor (who did it).
        • Individual, groups or organizations.
        • Leverage assets to target attackers.
        • Motives, capabilities, goals and resources.
    • Evidence:
      • Indicators of compromise:
        • breadcrumbs.
        • Log entries or files.
        • Not easy to detect what happened.
      • Indicators of attack (IOA):
        • Detect what attack is trying to accomplish.
        • What is happening and why?
        • Cyber kill chain:
          1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
          2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
          3. Delivery: Intruder transmits weapon to target (e.g. via e-mail attachments, websites or USB drives).
          4. Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
          5. Installation: Malware weapon installs an access point (e.g. “backdoor”) usable by the intruder.
          6. Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to the target network.
          7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
      • Chain of custody:
        • Collection.
        • Examination.
        • Analysis.
        • Reporting.

Types of evidence based on logs

  • Evidence:
    • Basis for factual statements.
    • Collected data to verify the factual statement.
    • Obtained through proper investigation.
    • Best evidence = unaltered data.
  • Corroborative evidence:
    • Additional evidence to support presented evidence (e.g. attack demo).
  • Indirect evidence:
    • Circumstantial evidence.
    • Inferred.

Disk Images

  • Perform tests on copy of a disk, to preserve original data as evidence.
    • Use Gnome Disks.
    • Use the shell:
      # compare disks sdb and sdc
      sudo fdisk -l /dev/sdb /dev/sdc
      # generate the hashes and compare them
      # if it is the same result, you already copied it
      sudo shasum -a 256 /dev/sdb
      sudo shasum -a 256 /dev/sdc
      # copy: if=input-file, of=output-file, status=progress shows output
      sudo dd if=/dev/sdb of=/dev/sdc status=progress
      # after this, check shasum again to verify they are copies

Interpret output from a malware analysis tool

Fire Power Management Center: threats dashboard:

  • Indications of compromise:
    • Host.
    • User.
    • Security intelligence (follow up the URL: is it blocked? Compare it to VirusTotal).
    • Malware (checking the SHA hash is useful to follow up redistribution).

Attack surface and vulnerability

  • Attack surface: all possible exposed attack vectors of an organization.
    • Everywhere.
    • Known or unknown.
    • Secure or vulnerable.
  • Vulnerabilities correlation:
    • Direct correlation.
    • Scale of the network.
    • Open source components.
    • Legacy system software.
  • Reduction:
    • Reduce the amount of active code running.
    • Reduce access points to unknown users.
    • Reduce and condense services needed.
    • Visibility (auditing and logging).

tcpdump and NetFlow

  • Use netstat to find out what is connected.

    # find everything connected
    netstat -a
    # no name resolution (-n), all sockets (-a), tcp (-t) and udp (-u)
    netstat -natu | grep 'ESTABLISHED'
  • Use tcpdump to capture packets.

    # host
    sudo tcpdump host 8.8.8.8
    # interface, with optional port
    sudo tcpdump -i ens160 port 22
    # faster: no name or port resolution (-nn), absolute sequence numbers (-S), hex dump (-x)
    sudo tcpdump -i ens160 -nnSx udp port 9996
  • Router netflow

    • how

      ssh user@10.0.10.207
      show running-config
    • what

      • flow record
        # results
        flow record CYBEROPS_REC
          # 5 tuple data
          flow ipv4 source
          flow ipv4 destination
          flow ipv4 source-port
          flow ipv4 destination-port
          flow ipv4 protocol
          # type of service
          flow ipv4 tos
          flow interface output
          flow interface input
          # additional information to collect
          collect counter bytes
          collect counter packets
          collect timestamp sys-uptime first
          collect timestamp sys-uptime last
          collect application name
        !
        flow exporter
          # where it will be sent to (the collector)
          destination 10.0.10.100
          # interface the exported flows leave from
          source GigabitEthernet0/0
          # transport and collector port (the same port the tcpdump filter above captures)
          transport udp 9996
          template data timeout 60

Firewall data

❗ Remember the OSI model:

  Type    Layer              PDU                  Function
  Host    7 - Application    Data                 High-level protocols such as for resource sharing or remote file access, e.g. HTTP.
  Host    6 - Presentation   Data                 Translation of data between a networking service and an application, including character encoding, data compression and encryption/decryption.
  Host    5 - Session        Data                 Managing communication sessions, i.e. continuous exchange of information as multiple back-and-forth transmissions between two nodes.
  Host    4 - Transport      Segment, Datagram    Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing.
  Media   3 - Network        Packet               Structuring and managing a multi-node network, including addressing, routing and traffic control.
  Media   2 - Data link      Frame                Transmission of data frames between two nodes connected by a physical layer.
  Media   1 - Physical       Bit, Symbol          Transmission and reception of raw bit streams over a physical medium.
  • Stateful:
    • Functionality:
      • Packet inspection.
      • Prevent unauthorized access.
      • Separate good and bad traffic.
      • Scan control on layers 2 and 4.
    • Data:
      • Successful and failed log on.
      • Allowed traffic, denied traffic.
      • Layer 2, layer 3, layer 4 data.
  • Next-Gen Firewall:
    • Functionality:
      • Everything a stateful firewall does.
      • IPS.
      • Application awareness.
      • Deep packet and malware inspection.
      • Decrypt and inspect SSL traffic.
    • Data:
      • Successful and failed log on.
      • Allowed traffic, denied traffic.
      • IDS/IPS reports (Intrusion Detection and Prevention Systems).
      • Threat reports.

Content filtering data

  • What:
    • Websites.
    • Emails.
    • Executable files.
  • Why:
    • Phishing websites.
    • Phishing emails.
    • Data loss.
    • Granular control filtering.

Application visibility and control data

  • Criteria (filter).
  • Control applications (authorized apps).
  • SSL decryption (inspection) → Application Visibility and Control (AVC) devices.
    • Perform DPI (Deep Packet Inspection).
    • Operates at layer 7.
    • Inspect content to identify application.
  • Application usage on the network:
    • Per user application utilization.
    • Network capacity.
    • Application prioritization, QoS (Quality of Service).

Technology impact on data visibility

  • Tunneling (data in data 🚇, 📭).
  • Encapsulation (wrap it to send it through the tunnel ✉️).
  • Encryption (🔒).
  • TOR (The Onion Router, hides the source 🧅).
  • ACL (Access Control Lists, drop traffic, ✅📄).
    • Careful with time, ranges.
  • NAT (Network Address Translation) and PAT (Port Address Translation): obfuscation mapping internal and external addresses.
  • Load Balancing (split load between nodes).
  • P2P (Another network inside of my network).
  • Cloud (blind spots, too many tools, collection complexity):
    • Types:
      • Single cloud.
      • Multi-cloud.
    • Overcome visibility challenges:
      • Performance baselines.
      • Glean what you need (active and passive).
      • Network mapping.
      • Configuration management.
      • Plan for the future.

Network security data types

  • Types:
    • Full package capture: exact copy of traffic on the wire.
    • Session data: records the conversation.
    • Transaction data: requests and replies exchanges.
    • Statistical data: data about activity.
    • Metadata: “data about data”.
    • Alert data: specific data patterns.
  • Uses:
    • Detect: find unexpected behaviour.
    • Analyze: what went on.
    • Escalate: know when you are over your head.

Network attacks

  • 3 common:
    • Distributed Denial of Service (DDoS, there are also Denial of Service, DoS, non-distributed).
      • Definition:
        • Protocol based attacks.
        • Volumetric attacks.
        • Application attacks.
      • Detection:
        • Dramatic performance drops.
        • Volume spam emails.
        • Abnormal redirect and flows.
        • Inaccessibility to site or resource.
    • Man in the middle (MITM, now called on-path attack):
      • Definition:
        • Rogue access points.
        • ARP spoofing (Address Resolution Protocol, false messages on Ethernet, get MAC address, to hijack your machine).
        • mDNS (multi-cast) spoofing and DNS spoofing (hijack Domain Name Resolution).
      • Detection:
        • Active authentication verification.
        • Tamper detection.
        • Network monitoring.

Web application attacks

  • SQL injection attacks:
    • Add SQL statements to do what the attacker wants.
    • Tamper with data.
    • Corrupt database.
    • Bypass authentication.
  • Command injection:
    • Vulnerable web application.
    • Insufficient input validation.
    • Compromise web server and database.
  • Cross site scripting:
    • Malicious scripts injected into the website.
    • Script that can access the browser data.
    • Stored XSS.
    • Reflected XSS.

Social engineering attacks

  • Phishing attacks (🎣, basic emotions: greed, fear):
    • Attracts attention.
    • “urgent”.
    • Weird URLs.
    • Emails and SMS messages.
  • Watering hole (💧):
    • Injection attack.
    • Target has a trojan installed.
    • Zero-day exploits are common.
  • Whaling attacks (🐳):
    • Phishing attack specific to a big target.
    • Commercial, executive and government targets.
    • Scam email from seemingly “trusted” sender.
  • Pretexting (🤥, lies):
    • “Fake identity”.
    • Attempts to build trust.
    • Long game.
  • Baiting (🧀):
    • Lure (human curiosity).
    • e.g. Best offer ever! USB lost in the open.
  • Tailgating (not intended) and piggy-backing (intended).

Evasion and obfuscation

  • How:
    • Bypassing security controls.
    • Find backdoors.
    • Hide data.
  • Evasion techniques:
    • Non-detection.
    • Flooding.
    • Fragmentation.
    • Encryption and tunneling.
  • Obfuscation:
    • Hide malicious activity in executable code.
    • Encryption.
    • Polymorphic shellcode (the code's shape is mutated: a decoder is prepended, which translates the payload back into its malicious form and runs it in the shell).

Certificate components

  • The need:
    • Internet.
    • Clients and servers.
    • Data.
  • Digital certificates:
    • Data encryption.
    • Data integrity.
    • Authentication.
  • Certificate components:
    • Cipher suite: supported algorithms.
    • X.509 certificate: standard format.
    • Key exchange: two-party exchange of crypto keys.
    • Protocol version: browser and site security.
    • PKCS (Public Key Cryptography Standards): certificate file extension.

CIA triad

graph LR;

A[Confidentiality];
B[Integrity];
C[Availability];

A --- B;
B --- C;
C --- A;
  • CIA triad (iron triangle): information focus for attack classification:
    • Vertex:
      • Confidentiality: keep sensitive data private.
        • encryption + public key (crypto).
      • Integrity: data has not been modified.
        • hashing.
        • versioning.
      • Availability: servers “are alive”.
        • Uninterruptible power supply (UPS).
        • Load balancers.
    • Edges: balance them, too much on a side reduces another:
      • solution:
        • Design: be careful to balance the 3 edges.
        • Infrastructure: spend on the hardware you really need (constraint triangle: cost, scope, time).
        • Implementation: apps must be able to work together.
    • Beyond CIA: “the fourth vertex”, user focused: non-repudiation (authentication + authorization).
      • Classification and isolation: who, what, where.

Security approaches

  • Defense in depth:
    • Security layers:
      1. Perimeter: firewall, DMZ, edge firewall.
      2. Network: wireless security.
      3. Endpoint: host intrusion prevention system (HIPS).
      4. Application: Web Application Firewall (WAF).
      5. Data: classification, encryption.
  • Least privilege principle:
    • Users (e.g. admins).
    • Applications (e.g. connected apps).
    • Systems (e.g. cloud).
  • Zero trust model: trust no one, trust nothing. Check logs and analytics.
    • Users.
    • Devices.
    • Networks.
    • Workloads.
    • Data.

Security, tools and practices

  • SOC analyst primary duties: detect, analyze and respond.

    1. Threat discovery e.g. (audit logs).
    2. Incident validation and categorization (triage).
    3. Incident analysis.
    4. Containment and remediation.
  • Tools (for steps 3 and 4):

    • Threat Intelligence (TI): saves time, filter noise, speed up triage:
    • Threat Intelligence Platform (TIP): isolate down what it may be.
      • SIEM (SEM, or SEIM).
      • Correlation.
    • Run Book Automation (RBA):
      • Automate workloads (humans skip boring and repetitive tasks).
  • Practices:

    • Threat hunting: assume the attackers are already in.
    • Malware analysis: know behaviour and purpose.
    • Reverse engineering: reproduce what you have seen.
    • Sliding Window Anomaly Detection (SWAD): limited to a specific amount of time, to avoid an excess of info to analyze.

Threat actor types

  • “Triple Threat”:
    • Intent && Ability = Threat
  • Threat Actor types:
    • By goal:
      • Cyberterrorist.
      • Government/state sponsored.
      • Cybercriminal.
      • Hacktivists.
    • By attack chance:
      • Insider
      • Users
      • Opportunistic
  • Know the threat:
    • Person, group or organization?
    • Motivations?
    • Goals?
    • “Enemy” or “bad guy”?

Security concepts

  • Vulnerabilities: existing weakness to danger.
    • Physical (unlocked door).
    • Security policies (sharing passwords).
    • Manufacturing defects
    • Unsecured code (unsigned).
  • Threat: potential danger.
    • Threat actors.
    • Phishing.
    • Ransomware.
    • Social engineering*.
    • Man In The Middle Attack (now called on-path attack).
  • Exploits: found weakness to danger.
    • Denial of service.
    • Default passwords.
    • Default configuration.
  • Risks: chance of exposure to danger.
    • Using password and not MFA.
    • All user accounts with admin access.
    • Using Telnet for remote session.

Risk management methods

  • Positive risks / negative risks.
  • Can not ignore it → it will become a vulnerability.
  • It is assessed:
    • Risk scoring: likelihood vs consequences (assets + CIA triangle).
    • Risk mitigation (risks should be monitored):
      • Risk avoidance (usually not practical).
      • Risk sharing (spreading the load).
      • Risk acceptance (worry when it happens).
      • Risk transfer (insurance, or pass it to another person or team).

CVSS terminology

Common Vulnerabilities Scoring System:

  • Open standard, not vendor locked.
  • Priority of response.
  • Measure of severity instead of risk.
    • Metrics:
      • Base metric (always there).
      • Temporal metric (changes over time).
      • Environmental metric (specific scenario).
    • Base metrics are used to calculate the severity score:
      • Exploitability metrics:
        • Attack Vector (AV)*.
        • Attack Complexity (AC)*.
        • Privileges Required (PR)*.
        • User Interaction (UI)*.
      • Scope (S)*.
      • Impact metrics:
        • Confidentiality Impact (C)*.
        • Integrity Impact (I)*.
        • Availability Impact (A)*.

Security deployments

  • Security implementations:
    • Defense in depth.
    • Network security.
    • Endpoint security.
    • Application security.
  • Agent vs Agentless security
    • Agent based: software installed on a system.
    • Agentless: industry standards, management protocols (poll info).
  • Antimalware
    • Antivirus: detects known malware.
    • Antimalware: detects unknown malware.
      • SIEM (Security Information and Event Management): threat intelligence + needs tuning.
      • SOAR (Security Orchestrator Automation and Response): correlation from SIEM.
      • Log management: logs aggregator, find history.

Access Control models

  • Types:
    • Discretionary (scaling issues):
      • Access is decided by the resource owner for each user.
      • Access control point has a list of authorized users.
    • Mandatory (non-discretionary):
      • Top secret, Secret, Classified, Unclassified.
      • Not by owner: each resource has a tag, depending on the user permissions, they can see it.
    • Role-based:
      • Access dependent on your role in your organization.
      • Efficient for organizations and users.
        • Users added to (or removed from) multiple groups.
    • Attribute-based:
      • Access based on user, environmental, or resource attributes.
      • Very granular controls.
      • Subtypes:
        • Rule based: access set by an administrator who creates the rules (e.g. add time-based elements to access, like working hours).
    • AAA:
      • Authentication (e.g. Cisco Identity Service Engine): who you are.
      • Authorization: what you are allowed to do.
      • Accounting: logging.

Identify data visibility challenges

  • Data visibility challenges:
    • what, where, how, why.
  • Data visibility challenges on network:
    • Lack of realtime security.
    • Logs (historical).
    • Lack of staff and tools.
    • Lack of information.
  • Data visibility challenges on the cloud:
    • Assets are short-lived.
    • Complexity and scale.
    • Difficulty only second to misconfigurations.
  • Data visibility challenges on the host:
    • Determined adversary.
    • Security fails silently.
    • Gathering of data.
    • Searching of data.
    • Data correlation.

Identify data loss from traffic profiles

  • Types of data loss on enterprises:
    • Unauthorized loss of critical business data.
    • “Unintentionally undetectable”.
    • Direct data loss.
    • Collateral loss.
  • Data loss risks:
    • Breach of customer data.
    • Loss of confidence.
    • Maybe not ever knowing it happened or its extent.
  • Traffic profile loss:
    • Asymmetrical outbound flow: communication traffic is “bigger” in one direction.
      • CISCO Firepower Threat Defense system retrieves data for this case.
      • Package analysis with Wireshark.
graph LR;

A[fa:fa-computer Computer];
B[fa:fa-computer Computer];
C[fa:fa-computer Wireshark];
D(fa:fa-toggle-on Switch);
E[fa:fa-route Router]
F[fa:fa-cloud Cloud - FTD]
G[fa:fa-laptop Laptop]

A --- D;
B --- D;
C --- D;
D --- E;
E --- F;
F --- G;

A --> G;
G .-> A;

5-tuple approach to isolate a host

  • 5 different values that identify a TCP/IP connection:
    • Source IP address.
    • Source port number.
    • Destination IP address.
    • Destination port number.
    • Protocol.
  • Valuable to network and cybersecurity:
    • Identifies TCP/IP connection.
    • Immutable.
    • Trackable.
    • Key requirements for a secure connection.
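The 5-tuple aggregation described here (and under "Netflow analysis" earlier) together with the asymmetric outbound traffic profile from "Identify data loss from traffic profiles", as an added example that is not part of the original notes; the internal prefix 10.0.10.0/24 and the flow records are constructed.

```python
"""Aggregate NetFlow-style records on the 5-tuple, then profile traffic
direction per internal host and flag the asymmetric outbound volume the notes
associate with data loss.  Added example, not from the original notes; the
internal prefix and the flow records are constructed."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.10.0/24")   # assumed internal range

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # 10.0.10.25 browsing: small requests out, larger replies in
    ("10.0.10.25", 51000, "93.184.216.34", 443, "tcp", 1_200, 12),
    ("10.0.10.25", 51000, "93.184.216.34", 443, "tcp", 300, 3),   # same connection, later export
    ("93.184.216.34", 443, "10.0.10.25", 51000, "tcp", 48_000, 40),
    ("10.0.10.25", 51001, "93.184.216.34", 443, "tcp", 900, 9),
    # 10.0.10.40 pushing tens of megabytes out over two connections
    ("10.0.10.40", 52222, "203.0.113.9", 443, "tcp", 25_000_000, 18_000),
    ("203.0.113.9", 443, "10.0.10.40", 52222, "tcp", 60_000, 900),
    ("10.0.10.40", 52223, "203.0.113.9", 443, "tcp", 30_000_000, 21_000),
    # east-west file copy between two internal hosts
    ("10.0.10.40", 53000, "10.0.10.5", 445, "tcp", 5_000_000, 4_000),
]

def aggregate_5tuple(flows):
    """Sum bytes and packets per 5-tuple, merging split exports of one connection."""
    agg = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        key = (src, sport, dst, dport, proto)
        agg[key][0] += nbytes
        agg[key][1] += npkts
    return {k: tuple(v) for k, v in agg.items()}

def host_direction_totals(agg, internal=INTERNAL):
    """Per internal host, bytes sent to and received from outside `internal`.
    East-west flows (both ends internal) are left out of the profile."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for (src, _sp, dst, _dp, _proto), (nbytes, _npkts) in agg.items():
        src_internal = ipaddress.ip_address(src) in internal
        dst_internal = ipaddress.ip_address(dst) in internal
        if src_internal and not dst_internal:
            totals[src]["out"] += nbytes      # north-south, leaving
        elif dst_internal and not src_internal:
            totals[dst]["in"] += nbytes       # north-south, entering
    return dict(totals)

def asymmetric_outbound(totals, ratio=10.0, min_out=10_000_000):
    """Flag hosts whose outbound bytes reach `min_out` and exceed `ratio` times
    their inbound bytes; returns {host: out/in ratio}."""
    flagged = {}
    for host, t in totals.items():
        inbound = max(t["in"], 1)             # avoid division by zero
        if t["out"] >= min_out and t["out"] > ratio * inbound:
            flagged[host] = round(t["out"] / inbound, 1)
    return flagged

if __name__ == "__main__":
    print(asymmetric_outbound(host_direction_totals(aggregate_5tuple(FLOWS))))
```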

Detection Methodologies

  • Issues:
    • Networks are messy (bad tagging).
    • Staff is not fully ready (⏰).
    • Visibility (🌊🧊).
    • True or False? (false positives).
    • Attackers (😈).
  • Types:
    • Rule-based (🔙, 🔜).
      • IPS compares traffic to set of rules, to verify and match.
      • e.g. Snort blocks, firewalls, IPS.
      • What about traffic that does not match a rule? Permissive approach?
    • Behaviour-based (😇, 😈).
      • Detection based on what attackers do.
      • e.g. unusual download volume, streaming analytics, NGAVs (Next Generation AntiVirus).
      • Inconclusive: false positives must be investigated.
    • Statistical-based (📈).
      • Builds a distributed model for normal behaviour.
      • Low probability events flagged.
      • Usually added to signature-based detections.
      • HIDS (Host-based intrusion detection system), Snort (intrusion detection) and Zeek (network analysis network).

Password security

  • Long (11 chars with upper case + 2 digits + 1 special character)
    • You may use a passphrase, getting the initials of each word.
  • Limit password retry and reuse.
  • Avoid patterns.

Social engineering

  • physical person (be careful about tailgating).
  • remote person: phishing (+ spear phishing + whaling) → use “hover to discover”.

Physical security

  • Shoulder surfing → use a screen filter.
  • Lock computer → have lock on inactivity + password or pin.
  • Physically block movement of computer → use Kensington lock.
  • Locate my device software in case it goes missing → use remote wipe in case of theft.
  • Clean workspace criteria.

Data disposal

  • Keep data while it is relevant (retention period), or in case of litigation.
  • Eliminate data when it is no longer relevant, permanent way, to avoid liability.
    • Document shredders → locked cans (and then 🔥).
    • Secure hard drives → purge hard drives (write a lot of times over it, with DBAN… or use mechanical shredder).

Safe Networks

  • Check the packet route: do you know the nodes?
    traceroute www.wikipedia.org
  • Careful with free wifi (e.g. airports), which can be compromised hotspots (there may be several networks with the same name).
    • Monitor antennas.
      sudo wavemon
    • Use certificates in the office.
  • Careful with cellular networks (they are way more expensive to fake).
    • VPN: convert untrusted network into a reliable one via tunneling:
      • generate encrypted data.
      • hide IP.

Malicious software
