Elements of Information Security – CIA
| Element | Definition |
|---|---|
| Confidentiality | Assurance that information is accessible only to those authorized to have access |
| Integrity | The trustworthiness of data and resources in terms of preventing improper or unauthorized changes |
| Availability | Assurance that the systems responsible for delivering, storing and processing information are accessible when required by the authorized users |
| Authenticity | Refers to the characteristic of a communication, document or any data that ensures the quality of being genuine |
| Non-Repudiation | A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message |
Classification of Attacks
| Type | Description | Examples |
|---|---|---|
| Passive | Do not tamper with the data; involve intercepting and monitoring network traffic and data flow on the target network | Sniffing and eavesdropping |
| Active | Tamper with data in transit or disrupt the communication or services between systems to bypass or break into secured systems | DoS, man-in-the-middle, session hijacking, SQL injection |
| Close-in | Performed when the attacker is in close physical proximity to the target systems or network in order to gather, modify or disrupt access to information | Eavesdropping, shoulder surfing, dumpster diving |
| Insider | Using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems | Theft of physical devices, planting keyloggers, backdoors and malware |
| Distribution | Tampering with hardware or software prior to installation | Tampering with hardware or software at its source or in transit |
Information Warfare
| Category | Description |
|---|---|
| C2 | Possession of a compromised system or network |
| Intelligence-based | Sensor-based |
| Electronic | Radio-electronic and cryptographic techniques |
| Psychological | Propaganda and terror to demoralize |
| Hacker | Shutting down systems, data errors, theft of services, false messaging, system monitoring, access to data; viruses, logic bombs, Trojan horses and sniffers are used to perform these attacks |
| Economic | Affects the economy of a business by blocking the flow of information |
| Cyber | Use of information systems against the virtual personas of individuals or groups |
CEH Hacking Methodology (CHM)

Cyber Kill Chain Methodology

Tactics, Techniques, and Procedures (TTPs)
| Tactics | Techniques | Procedures |
|---|---|---|
| The way an attacker performs the attack | Technical methods used by an attacker | Organizational approaches that threat actors follow |
| Tactics for information gathering to perform initial exploitation, privilege escalation and lateral movement, and to deploy measures for persistent access to the system and other purposes | Initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, covering tracks of data exfiltration | The number of actions usually differs depending on the objectives of the procedure and the threat actor group |
Adversary Behavioral Identification
| Behavior | Description |
|---|---|
| Internal reconnaissance | Enumeration of systems, hosts and processes; executing commands to obtain the local user context, system configuration, hostname, IP address, active remote systems and running programs |
| Use of PowerShell | Automating data exfiltration and launching further attacks |
| Unspecified proxy activities | The adversary creates and configures multiple domains pointing to the same host, allowing them to switch quickly between domains to avoid detection |
| Use of command line interface | Interacting with the target system to browse files, read file content, modify files, create new users, connect to remote systems, and download and install malicious code |
| HTTP User Agent | The server identifies the connected HTTP client using the User-Agent field. An adversary can modify the content of the HTTP User-Agent field to communicate with the compromised system and to carry out further attacks |
| Command and control server | Communicating remotely with the compromised system through an encrypted session; the encrypted channel is used to steal data, delete data and launch further attacks |
| Use of DNS tunneling | Used to obfuscate malicious traffic within the legitimate traffic carried by common protocols; used for communication with the C2 server, bypassing security controls and performing data exfiltration |
| Use of web shell | Manipulating the web server by creating a shell within a website; used to gain remote access to server functionality, data exfiltration, file transfer and uploads |
| Data staging | Techniques to collect and combine as much data as possible |
Indicators of Compromise (IoCs)
| Category | Description |
|---|---|
| Email | Email service used to send malicious data |
| Network | C2, malware delivery and identifying details of the OS, browser type and other computer-specific information |
| Host-based | Filenames, file hashes, registry keys, DLLs and mutexes |
| Behavioral | Identify specific behavior related to malicious activities such as code injection into memory or running the scripts of an application |
MITRE ATT&CK Framework

Diamond Model of Intrusion Analysis

Additional Event Meta-Features
| Feature | Description |
|---|---|
| Adversary | Hacker |
| Victim | Target |
| Capability | Strategy, methods, procedure, malware, tools |
| Infrastructure | Hardware and software connection |
| Timestamp | Time and date of the event |
| Phase | Progress of the attack |
| Result | Outcome of the event |
| Direction | Direction of the attack, route to victim |
| Methodology | Techniques used to perform the attack |
| Resource | Tools/technology used to perform the attack |
| Socio-political | Relationship between the adversary and victim |
| Technology | Relationship between infrastructure and capability |
Continual/ Adaptive Security Strategy

Defense-in-Depth

Risk Level
| Risk level | Consequence | Action |
|---|---|---|
| Extreme or High | Serious or imminent danger | Immediate measures are required; identify and impose controls to reduce the risk to a reasonably low level |
| Medium | Moderate danger | Immediate action is not required, but action should be implemented quickly; identify and impose controls to reduce the risk to a reasonably low level |
| Low | Negligible | Take preventive steps to mitigate the effects of the risk |
Risk Matrix

Risk Management
| Phase | Description |
|---|---|
| Risk Identification | Identifies the sources of risk |
| Risk Assessment | Assesses the organization's risk |
| Risk Treatment | Selects and implements appropriate controls |
| Risk Tracking | Ensures appropriate controls are implemented |
| Risk Review | Evaluates the performance of the controls |
Cyber Threat Intelligence
| Type | Content | Consumers |
|---|---|---|
| Strategic | High-level information on changing risks | High-level executives and management |
| Tactical | Information on attackers' TTPs | IT service and SOC managers and administrators |
| Operational | Information on a specific incoming attack | Security managers and network defenders |
| Technical | Information on specific indicators of compromise | SOC staff and IR team |

Threat Intelligence Lifecycle

Threat Modeling

Incident Management

Incident Handling and Response

Role of AI and ML in Cyber Security


Information Security Laws and Standards
| Law / Standard | Key points |
|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | Information security standard for organizations; applies to all entities involved in payment card processing |
| ISO/IEC 27001:2013 | Establishing, implementing and maintaining an information security management system; many types of use |
| Health Insurance Portability and Accountability Act (HIPAA) | Use of the same health care transactions, code sets and identifiers; federal protections for personal health information; confidentiality, integrity and availability of electronic protected health information; standard transactions; administrative simplification rules |
| Sarbanes-Oxley Act (SOX) | Protects investors and the public; eleven titles: (1) Public Company Accounting Oversight Board, (2) auditor independence, (3) corporate responsibility, (4) enhanced financial disclosures, (5) analyst conflicts of interest, (6) commission resources and authority, (7) studies and reports, (8) corporate and criminal fraud accountability, (9) white-collar crime penalty enhancement, (10) corporate tax returns, (11) corporate fraud accountability |
| The Digital Millennium Copyright Act (DMCA) | World Intellectual Property Organization; defines the legal prohibitions |
| Federal Information Security Management Act (FISMA) | Effectiveness of information security controls |
| General Data Protection Regulation (GDPR) | Data privacy and security standard, especially on cloud |
| Data Protection Act 2018 (DPA) | Protects individuals; requires personal data to be processed lawfully; confers rights to obtain and process data and to require inaccurate personal data to be rectified; confers functions on the Commissioner, giving the holder of that office responsibility to monitor and enforce its provisions |
