Elements of Information Security
Attacks Classification
Passive attacks
Attive Attacks
Sniffing and eavesdropping
Network traffic analysis
Decryption of weakly encrypted traffic
Bypassing protection mechanisms
Malware Attacks (virus, wormes.. )
Spoofing attacks
Insider attacks
Social Engineering
Soulder surfing
Dumpster diving
Theft of physical devices
Pod splurping
Planting keyloggers, backdoors or malware
Distribution Attacks
Modification of software or hardware during production
Modification of software or hardware during distribution
Information Warfare
Command and control warfare ( C2 Warfare )
Intelligence-based warfare
Electronic warfare
Psychological warfare
Hacker warfare
Economic warfare
Defensive Information warfare
Offensive Information warfare
Defensive Information warfare
Offensive Information warfare
Defensive Information warfare
Offensive Information warfare
Defensive Information warfare
Offensive Information warfare
Defensive Information warfare
Offensive Information warfare
Defensive Information warfare
Offensive Information warfare
Defensive Information warfare
Offensive Information warfare
Cyber Kill Chain Concepts
C2 - Command and Control
Actions and Objectives
Gathering information
Performing analysis of various online activities - OSINT
Performing Whois, DNS footprinting
Scannings ( shodan.. )
Identifying appropriate malware payload based on the analysis
Creating a malware payload or reusing available online
Creating a phishing email campaign
Sending phishing emails to employees of targeted org
Performing attacks such as watering hole on the compromised website
Distribuiting usb devices containing malicious payload to employees of target organization
Exploiting software or hardware vulnerabilities to gain remote access to the target system
Downloading and installing malicious software such as backdoors
Gaining remote access to the target system
Levereging various methods to keep backdoor hidden and running
Maintaining access to the target system
Establishing a two-way communication channel between the victim's system and the adversary-controlled server
Levereging channels such as web traffic, email communication and DNS messages
Applying privilege escalation techniques
Hiding any evidence of compromise using techniques such as encryption
The adversary controls the victim's machine and can do whatever he wanted do
Pivot to others..
Tactics, Techniques and Procedures ( TTPs )
Refer to the patterns of activities and methods associated with specific threat or actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructures of an organization.
Describe the way the threat actor operates during different phases of an attack. It consists of the various tactics used to gather information for the initial exploitation, perform priv esc and lateral mov, and deploy measures for persistance access to the system. They can vary, but they are mostly similar and can be used for profiling
Initial exploitation
Setting up C2 channel
Accessing the target infrastructure
Covering the tracks of data exfiltration
Involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle. The number of actions usually differs depending upon the objectives of the procedure and the APT group.
Set of tools and the way they are used to obtain intermediate results during an attack campaign. To lunch an attack successfully, threat actors use several techniques during its execution. These techniques include :
Atomic Indicator - those that cannot be segmented into smaller parts, and whose meaning is not changed in the context of an intrusion.
Computed Indicator - are obtained from the data extracted from a security incident
Behavioral Indicators - refer to a grouping of both atomic and computed indicators, combined on the basis of some logic
Ip addresses
Email addresses
Hash values
Regex used
Email Indicators
Network indicators
Host-based indicators
Behavioural indicators
sender's email address
email subject
Domain names
IP addresses
File hashes
Registry keys
Document executing PowerShell script
Remote command execution
Common IoC
Unusual outbound network traffic
Unusual activity through privileged user account
Geographical anomalies
Multiple login failure
Large HTML response size
Unusual DNS requests
Signs of DDoS activity
Web traffic superhuman behaviour
These solutions monitor networks or systems for harmful activities, mitigate them, and report the results to the system administrator.
The Intrusion Detection System's goal is detecting, record-keeping of attacks, and alerting the administrator. IDS compares network traffic to threats database and flags network attacks, unsuccessful authentication, and privilege escalation attempts. To block malicious actions, the system administrator has to reconfigure the firewall by themselves.
The Intrusion Prevention Systems are extensions of IDS solutions. IPSs are capable of autonomously reconfiguring the firewall and reset sessions based on real-time threats.
Detection Methods
network-based IDSs (NIDS)
NIDS scans huge volumes of network activity on the router level and flags suspicious transmissions, such as IP Spoofing, DoS attacks, ARP cache poisoning, DNS name corruption, and man-in-the-middle attacks.
host-based IDSs (HIDS)
HIDS monitors multiple log files on the host (kernel, system, network, firewall) to identify misuse or intrusion. Additionally, HIDS assures the integrity of critical data on the host by validation of files' checksums (md5 or sha1). When checksums do not match, HIDS notifies the administrator.
Network IPS (NIPS) is placed on a router. It inspects transit traffic before it is allowed through the network. As NIPS solutions work with the network traffic, they don't need operation system (OS) compatibility with each host on the net.
Host IPS (HIPS) monitors suspicious activity within the host on which it is installed. It intercepts the operating system and application calls for system resources, validates the call against the policy, and decides to allow or deny the request. Encrypted traffic is not an issue for HIPS, as it has access to its unencrypted form on the host. Additionally, HIPS analyzes the log files for post-factum suspicious activity.
For greater results, HIPS has to be deployed on each host in the network. Without prior verification, this may cause compatibility issues with different OS types over the network. (Products: CrowdStrike Falcon, OSSEC, Fail2Ban.)
Un infrastruttura ha bisogno di entrambi a lavorare assieme. Per questo molti prodotti escono con entrambi integrati es: AT&T Cybersecurity AlienVault USM, Cisco's Next-Generation Intrusion Prevention System (NGIPS), and Darktrace
inline mode
In the inline mode, NIPS works as a network bridge and after detecting an attack, it can block its expansion within a few seconds. Inline NIPS instances do not have their own MAC or IP address, which makes them invisible and inaccessible for the attackers.
promiscuous mode
In the promiscuous mode, NIPS is placed on the Switched Port Analyzer (SPAN), which sends a copy of network packets from multiple ports to NIPS. In the promiscuous mode, NIPS works with a copy of traffic, so it can not block the attackers on the fly.
Encrypted or fragmented traffic may challenge NIPS solutions, as the difficulty of the analysis increases. Also, high-bandwidth networks may require costly deployment of more NIPS sensors. (Product: SolarWinds Security Event Manager)
Hacking phases
Gaining access
Maintaining access
Clearing tracks
Tools like : PsTools, Netcat or trojan to erase their footprints
Information Security Controls
Information security controls prevent the occurrence of unwanted events and reduce risk to the organization's information assets.
The basic security concept critical for information are the CIA.
Information assurance (IA)
refer to the assurance of the CIA and authenticity of information and information system during usage, processing, storage and transmission of information.
Processes that help in achieving IA are :
Develop local policy, process and guidance in such a way to maintain the information system at an optimum security level
Design network and user authentication strategy
Identify network vulnerabilities and threats
Identity problems and resource requirements
Create a plan for identify resource requirements
Apply appropriate IA controls
Performing the Certification and Accreditation ( C&A ) process to information system help to trace vulnerabilities and implement safety measures to nullify them.
Provide IA training to all personnel in federal and private organizations for IT awareness
Is a security strategy in which security professional use several protection layers throughout an information system. Use the military principle that is more difficult for an enemy to defeat a complex and multi-layered defence system than to penetrate a single barrier
Risk Management
Cyber Threat Intellingence
Threat Modeling
Incident Management
AI and ML concepts
What is a RISK?
RISK = Threats x Vulnerability x Impact
IT risk
RISK = Threat x Vulnerability x Asset Value
Risk Level : Consequence x likelihood
Probability of the occurrence of a threat or an event that will damage, cause loss to or have negative impacts to an organization, internally or externally
The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.
The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset
Identify potential risks
Identify the impact of risks
Prioritize the risks
Create awareness among the security staff and develop strategies and plans for lasting risk management strategies
Undestand and analyze the risks and report identified risk events
Control the risk and mitigate its effect
Risk Identification
Risk Assessment
Risk Treatment
Risk Tracking and Review
main aim : identify the risks, including the sources, causes and consequences of the internal or external risks affecting the security of the organization BEFORE they cause harm
This phase assess the organization's risk and estimates the likelihood and impact of those risks. It's an ongoing iterative process that assign priorities for risk mitigation and implementation plans
Is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. Address them based on the severity level. Decision made in this phase are based on the results of a risk assessment.
Information needed BEFORE treating the risk:
Appropriate method of treatment
People responsible for the treatment
Costs involved
Likelihood of success
Benefits of treatment
Way to measure and assess the treatment
Evaluate the performance of the implemented risk management strategies
THREAT : the possibility of a malicious attempt to damage or disrupt a computer network or system
Cyber Threat Intelligence or CTI is the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions and preparedness, prevention and response actions against various cyberattacks.
Main aim : make the organization aware of existing and emerging threats and prepare them to develop a proactive cybersecurity posture in advance of exploitation.
Strategic Threat Intelligence
Tactical Threat Intellingence
Operational Threat Intelligence
Technical Threat Intelligence
Financial impact of cyber activities
Attribution for intrusions and data breaches
Threat actors and attack trends
The threat landscape for various industry sectors
Statistical informations for data breaches, data theft and malware
Geopolitical conflicts involving various cyberattacks
Information on how adversary TTPs change over time
Industry sectors that might impact due to the high-level business decisions
resources that an attacker uses to perform an attack
provides information about specific threats against the organization
provides information related to the TTPs used by attackers to perform attacks
what is?
Risk assessment approach for analyzing the security of an application by capturing, organizing and analyzing all the information that affects the security of an application
help to
Identify relevant threats to a particular application scenario
Identify key vulnerabilities in an application design
Improve security design
5 Steps
Identify security objectives
Application overview
Identify roles
Identify key usage scenarious
Identify technologies
people and the roles and actions they can perform within the application
Os, web server software, database server software etc..
Identify application security mechanisms
Decompose the application
Identify trust bundaries
Identify data flows
Identify entry points
Identify Threats
Identify Vulnerabilities
What is
IM is a set of defined processes to identify, analyze, prioritize and resolve security incidents to restore the system to normal service operations asap and prevent recurrence
Vulnerability handling
Artifact handling
Security awareness training
Intrusion detection
Public or technology monitoring
Is designed to:
Improve service quality
Resolve problems proactively
Reduce the impact of incidents on an organization or its business
Meet service availability requirements
Increase staff efficiency and productivity
Improve user and customer satisfaction
Assist in handling future incidents
Incident Handling and Response (IH&R)
what is
Is the process of taking organized and careful steps when reacting to a security incident or cyberattack. It is a SET OF PROCEDURES, ACTIONS and MEASURES taken against an unexpected event occurrence.
steps involved :
Step 1 : Preparation
Step 2 : Incident Recording and Assignment
Step 3 : Incident Triage
Step 4 : Notification
Step 5 : Containment
Step 6 : Evidence Gathering and Forensic Analysis
Step 7 : Eradication
Perform an audit of resources and assets to determine the purpose of security
Define the rules, policies and procedures that drive the IH&R process
Build and train an incident response team
Define incident readiness procedures
Gather required tools
Train employees to secure their systems and accounts
This phase handles identifying an incident and defining proper incident communication plans for the employees and also to the IT submitting a ticket.
The incident is analyzed, validated and prioritized. The IH&R team further analyzes the compromised device to find incident details such : source of attack, severity, target, impact, method of propagation and vulnerability exploited
Step 8 : Recovery
Step 9 : Post-incident Activities
In this phase the IH&R team inform various stakeholders, including management, third-party vendors and clients about the identified incident.
Help to prevent the spread of infection to other assets
The team gather all possible evidence and submit them to the forensic department for investigations
The IH&R removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incident in the future
The IH&R restore the affected system, services and resources. It's them the duty of maintaining the service up and running
Final review :
Incident Documentation
Incident Impact Assessment
Reviewing and revising policies
Closing the investigation
Incident Disclosure
what are AI and ML ?
AI is the only solution to defend networks against various attacks that an antivirus scan cannot detect. A huge amount of data is fed into the AI, which processes and analyzes it to undestand its details and trends.
ML is a branch of artificial intellingence that gives the systems the ability to self-learn without any explicit programs.
2 types of ML
Supervised Learning
Unsupervised Learning
How they help prevent cyber attacks?
Password Protection and Authentication
Phishing detection and Prevention
Threat Detection
Vulnerability Management
Fraud Detection
Behavioral Analytics
Network Security
AI-based Antivirus
Botnet Detection
AI to combat AI threats
Laws and Standards
ISO/IEC 27001:2013
HIPAA [1996]
SOX - Sarbanes Oxley Act [2002]
Specify the requirements for establishing, implementing, maintaining and continually improving an information security management system withing the context of the organization : EMII per ricordare
different uses:
Use within an organization to formulate security requirements and objectives
Use within an organization as a way to ensure that security risks are cost-effectively managed
To ensure compliance with laws and regulations
Defining new information security management processes
Use to provide relevant information about information security to customers
Privacy Rule
Security Rule
Establish national standards to protect individuals' electronic phi that is created, received, used or maintained by a covered entity. It requires appropriate ADMINISTRATIVE, PHISICAL and TECHNICAL safeguards, to ensure the confidentiality, integrity and security of electronically PHI ( ePHI)
It sets limits and conditions on the uses and disclosures that may be made of such information ( PHI ) without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
NPI - National Provider Identifier, 10-position intelligence free number that HAVE TO be used for financial and administrative transactions adopted under HIPAA
Protect investors and the public by increasing the accuracy and reliability of corporate disclosures
DMCA - Digital Millennium Copyright Act
FISMA - Federal Information Security Management Act