baa ms a ey Bites Me asic, Module 01 SHC ROC eee eh tedModule Flow ° gertmeiae 8 etngcaer Information Security Laws and StandardsElements of Information Security Information security isa state of well-being of information and infrastructure in which the possibilty of theft, tampering, and disruption of information and services is low or tolerable | Confidentiality Assurance that the information is acessible only to those authorized to have access ‘The trustworthiness of data or resources in terms of preventing improper or unauthorized changes ‘Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine ‘Aguarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the messageMotives, Goals, and Objectives of Information Security Attacks CEH Attacks = Motive (Goal) + Method + Vulnerability {© A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system {Attackers try various tools and attack techniques to exploit vulnerabilities in a computer system or its security policy and controls in order to fulfil their motives Motives behind information security attacks ‘© Disrupting business continuity Propagating religious or political beliefs ° ‘© Stealing information and manipulating data © Achieving a state's military objectives, © Creating fear and chaos by disrupting critical © Damaging the reputation of the target infrastructures © Taking revenge ° ‘Causing financial loss to the target Demanding ransomClassification of Attacks Passive attacks do not tamper withthe data and involve intercepting and monitoring network traffic and dataflow on the target network Examples include sniffing and eavesdropping Active attacks tamper withthe data in transit or disrupt the communication or services between the systems ‘0 bypass or break into secured systems Examples include DoS, Mar-in-the-Middle, session hijacking, and SQL injection Close-in attacks are performed when the attackers in close physial proximity with the target system or network inorder to gather, modify or dlsrupt access to information Examples include social engineering suchas eavesdropping, shoulder surfing, and dumpster diving Insider attack involve using privileged access to violate rules or intentionally cause a threat tothe organization’ information oF information systems Examples include theft of physical devices and planting keyloggers, backdoors, and malware Distribution attacks occur when attackers tamper with hardware or software prior to installation [Attackers tamper withthe hardware or software atts source orn transit,Information Warfare {@ The term information warfare or InfoWar refers to the use of information and communication technologies (ICT) to gain competitive advantages over an opponent Defensive Information Warfare { Ottensive taformationWarare_} Refers to all strategies and actions designed Refers to information warfare that involves to defend against attacks on ICT assets attacks against the ICT assets of an opponent ao — a @ mam oe oe =Cyber Kill Chain Methodology (© The cyber kil chain methodology is 2 component of intlligence-driven defense forthe identification and prevention of malicious intrusion activities 1@ It provides greater insight into attack phases, which helps security professionals to understand the adversary's tactics, techniques, and procedures beforehand Create a deverable Expot a vloerbitty ‘Create a command and contol malicious payload using by executing code on ‘channel to communieate 2nd anevpiot anda backdoor the wt’ stem pass data back ana forth Weaponization Exploitation Command and Control a Actions on Objectives Gather ana on the target ‘Send weaponzes bund 0 the Insta maware on Perform ations eve to probe for wesk points ‘tim using eral. USB, the target sytem mended objecves/enaeTactics, Techniques, and Procedures (TTPs) ‘The term Tactic, Techniques, and Procedures (TTPs) refers tothe patterns of activities and methods associated with specific threat actors or groups of threat actors ae (© “Tactics” are the guidelines that | “Techniques” are the technical \© "Procedures" are organizational describe the way an attacker ‘methods used by an attacker approaches that threat actors performs the attack from to achieve intermediate results follow to launch an attack beginning to the end during the attack {© The number of actions usually This guideline consists of the Sihaco tcl ques indie differs depending on the various tactis fr information soplatation eeting vn and objectives ofthe procedure and gathering to perform initial enced threat ator group exploitation, privilege escalation, ntl cheortits sccartha the and lateral movement, and to target infrastructure, covering deploy measures for persistent the tracks of data exftraton, access to the system and other and others purposesAdversary Behavioral Identification CEH {© Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks on or to penetrate an organization's network It gives the security professionals insight into upcoming threats and exploits Adversary Behaviors Internal Reconnaissance Bh vs otconmancuieitrace | | ve ot ons tunstig | HTTP User Agent Use of Web Shell UnspcedPrny Actes | | [J commandandonolserer | | [J] ostsiangIndicators of Compromise (IoCs) & Indicators of Compromise (IoCs) are the clues, artifacts, and pieces of forensic data found on the network ‘or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure 1oCs are not intelligence, although they do act as a good source of information regarding the threats that serve as data points in the intelligence process Security professionals need to perform continuous monitoring of loCs to effectively and efficiently detect ‘and respond to evolving cyber threatsCategories of Indicators of Compromise ‘© Understanding loCs helps security professionals to quickly detect the threats against the organization and protect the organization from evolving threats For this purpose, loCs are divided into four categories: Email Indicators Network Indicators Host-Based Indicators Behavioral Indicators © Emallindicators are used © Networkindicators are © ‘Host-based indicators are Behavioral indicators of tosend malicious data to useful for command and found by performing an compromise are used to the target organization or | control, malware delivery, | analysis ofthe infected ‘identify specific behavior individual Identifying the operating | system within the lated to malicious activities system, and other tasks ‘organizational network Examples include the 7 er Examples of behavioral sender’s email address, Examples include URLs, Examplesinclude filenames, | indicators include document email subject, and domain names, and IP file hashes, registry keys, ‘executing PowerShell script, attachments or links addresses DLs, and mutex ‘and remote command executionModule FlowWhat is Hacking? |@ Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system's resources © Itinvolves modifying system or application features to achieve a goal outside of the creator's original purpose 1@ Hacking can be used to steal and redistribute intellectual property, leading to business == loss IWWho is a Hacker? 01 02 ‘An intelligent individual with For some hackers, hacking is a excellent computer skills who hobby to see how many can create and explore computers or networks they computer software and can compromise hardware rily Jaa oo CEH 03 ‘Some hackers’ intentions can either be to gain knowledge (r to probe and do illegal things ‘Some hack with malicious intent such as to steal business data, credit card information, social security numbers, ‘email passwords, and other sensitive dataHacker Classes CEH @ @Q Black Hats White Hats Individuals with extraordinary Individuals who use their computing sks they resort to professed hacking skis for malisous or destructive ‘efensive purposes and ae also acts and ae also known known as security analysts secrackers They have permision from the system owner eG eo Script Kiddies CyberTerrorists ‘An unskled hacker who Individuals with wide range of compromises a system by skills who are motivated by running Script, t00s, nd religous or poltial beliefs to software that were developed create fear through the large- Dy real hackers Scale diseupton of computer networks @Q Gray Hats Individuals who work both ‘offensively and defensively at various times oQ State-Sponsored Hackers Individuals employed by the government to penetrate and {ain top secret information {rom and do damage tothe information systems of other governments Suicide Hackers Inaivcuals who aim to bring ‘down the rtial infrastructure for “ause” and are not worried about facing al terms ‘or any othe kindof punishment Hacktivist Individuals who promote 2 political agenda by hacking, especially by defacing or disabling websitesHacking Phase: Reconnaissance ‘© Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack | This information could be the future point of return, noted for ease of entry for an attack, when more about the target is known on a broad scale ‘@ The reconnaissance target range may include the target organization's clients, employees, operations, network, and systems Reconnaissance Types Passive Reconnaissance Active Reconnaissance © Passive reconnaissance involves acquiring © Active reconnaissance involves directly information without directly interacting interacting with the target by any means with the target © For example, telephone calls to the target's © For example, searching public records or help desk or technical department news releasesHacking Phase: Scanning Scanning refers to the pre-attack phase when the attacker scans the network for specific information based on information gathered during reconnaissance Scanning can include the use of dialers, port scanners, network mappers, ping tools, and vulnerability scanners Attackers extract information such as live machines, port, port status, OS details, device type, and system uptime to launch attackHacking Phase: Gaining Access ¢ Gaining access refers to the point where the The attacker can escalate privileges to obtain Bp tees tae se cents complete control of the system. In this process, or applications on the target computer or BA the target's connected intermediate systems network are also compromised a | Examples include password cracking, buffer overflows, denial of service, and session hijacking —EeE———————e OE By The attacker can gain access at the operating mn £4 system, application, or network levels LiHacking Phase: Maintaining Access CEH Maintaining access refers to the phase when the attacker tries to retain their ownership of the system ‘Attackers may prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits, or trojans, Attackers can upload, download, or manipulate data, applications, and configurations on the owned system ‘Attackers use the compromised system to launch further attacksHacking Phase: Clearing Tracks Clearing tracks refers to the activities carried out by an attacker to hide malicious acts & ‘The attacker's intentions include ‘obtaining continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution The attacker overwrites the server, system, and application logs to avoid suspicion & Attackers always cover their tracks to hide their identityModule Flow @ information security @ qeerninichata Overview Concepts @ _ Information Security @ _tsermation Security LEQ eyWhat is Ethical Hacking? {© Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities ‘and ensure system security © It focuses on simulating the techniques used by attackers to verify the existence of exploitable ‘vulnerabilities in a system's security | Ethical hackers perform security assessments for an organization with the permission of concerned authoritiesWhy Ethical Hacking is Necessary To beat a hacker, you need to think like one! Ethical hacking is necessary as it allows for counter attacks against malicious hackers through anticipating the methods used to break into the system Reasons why organizations recruit ethical hackers ‘To prevent hackers from gaining access to the To provide adequate preventive measures in order to ‘organization’ information ystems avoid security breaches ‘To help safeguard customer data ‘To uncover vulnerabilities in systems and explore their potential as a security risk posture, including policies, network protection infrastructure, and end-user practices ‘To enhance security awareness at all levels in a business ‘To analyze and strengthen an organization's security |Why Ethical Hacking is Necessary (Cont'd) Ethical Hackers Try to Answer the Following Questions What can an intruder see on the target system? (Reconnaissance and Scanning phases) ‘What can an intruder do with that information? (Gaining Access and Maintaining Access phases) Does anyone at the target organization notice the intruders’ attempts or successes? (Reconnaissance and Covering Tracks phases) Are all components of the information system adequately protected, updated, and patched? How much time, effort, and money are required to obtain adequate protection? ‘Are the information security measures in compliance with legal and industry standards?Scope and Limitations of Ethical Hacking CEH Scope ‘© Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices Itis used to identify risks and highlight remedial actions. It also reduces ICT costs by resolving vulnerabilities Limitations @ Unless the businesses already know what they are looking for and why they are hiring an ‘outside vendor to hack systems in the first place, chances are there would not be much to gain from the experience ‘An ethical hacker can only help the organization to better understand its security system; itis up to the organization to place the right safeguards on the network Clete)Skills of an Ethical Hacker Technical Skills {In-depth knowledge of major operating environments such as Windows, Unix, Linux, and Macintosh In-depth knowledge of networking concepts, technologies, and related hardware and software ‘Acomputer expert adept at technical domains Knowledgeable about security areas and related issues “High technical” knowledge for launching sophisticated attacks 2 Non-Technical Skills © The ability to learn and adopt new technologies quickly © Strong work ethics and good problem solving and communication skills @ Committed to the organization's security policies © An awareness of local standards and lawsModule Flow e © tecring Concepts © _ nfermation security Laws and Standards amInformation Assurance (IA) c\EH © lArefers to the assurance that the integrity, availability, confidentiality, and authenticity of information and information systems is protected during the usage, processing, storage, and transmission of information {© Some of the processes that hep in achieving information sssurance include Developing local policy, process, and guidance @ cresting pins or identi resource requirements Designing network and user authentication strategies | @)_ Applying appropriate normaton assurance controls ‘dentitying network vulnerabilities and threats Performing certification and accreditation |dentitying problem and resource requirements Providing information assurance tDefense-in-Depth © Defense-in-depth is a security strategy in which several protection layers are placed throughout an information system Ithelps to prevent direct attacks against. the system and its data because a break in one layer only leads the attacker to the next layer at Defense-in-Depth Layers Defense-in-Depth LayersWhat is Risk? \@ Risk refers to the degree of uncertainty or expectation that an adverse event may cause damage to the system 1G Risks are categorized into different levels according to their estimated impact on the system (@ Arisk matrixis used to scale risk by considering the probability likelihood, and consequence or impact of the risk Nery Hh rovality eh reas No uren scons equtes a melee contro 80m 3 pose rotaity tovetice it to reason ow tel = =_ low Mesum Medium Hah Tate revere eps to mia the oz ties ea tow tow Mesum Meum HahRisk Management CEH {© Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program Risk Management Phases Risk Identification © '“tfies the sources, causes, consequences, and other details of the internal and external risks affecting the security of the organization ‘Assesses the organization's risk and provides an estimate of the likelihood and impact, Risk Assessment eee Risk Treatment Selects and implements appropriate controls forthe identified risks Ensures appropriate controls are implemented to handle known risks and calculates, Risk Tracking the chances ofa new risk occurring Risk Review Evaluates the performance of the implemented risk management strategiesCyber Threat Intelligence ‘Types of Threat Intelligence ? ‘© Cyber Threat intelligence (CT) is defined as Strategic Tactical the collection and analysis of information about threats and adversaries and the drawing of patterns that provide the ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyber-attacks \ © Hightevel information on Information on attacker changing sks Tes © Consumed by high-level ‘Consumed by Service Executives and ‘and SOC Managers, ‘Management ‘Administrators Longeterm Use Operational ( ‘Technical © Information on a spectc Infomation on spec incoming tack indoors of compromise © Consumed by Security Consumed by SOC Stat Managers and Netwerk andi oars Detenders Cyber threat intelligence helps the organization to identify and mitigate various business risks by converting unknown threats into known threats; it helps in implementing various ‘advanced and proactive defense strategies term/immediate UseThreat Modeling CEH ‘Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects the security of an application Threat Modeling Process Helps to determine how much effort needs to be put toward subsequent steps. Identify the components, data flows, and trust boundaries Helps to find more relevant and more detailed threats Identify threats relevant to the control scenario and context using the information obtained in steps 2 and 3 Identity weaknesses related to the threats found using vulnerability categoriesIncident Management CEH © Incident management isa set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident Incident Management Incident HandlingIncident Handling and Response ‘© Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting toa security incident or cyberattack Steps involved in the TH&R process: |e Preparation i) Incident Recording and Assignment le Incident Triage |e Notification | © containment | @ Evidence Gathering and Forensic Analysis @ Exadication © Recovery © Post-incident Activities © Incdent Documentation 1 Incident impact Assessment Review and Revise Policies Close the investigation Incident Disclosure