DPS B-Div Notes Overview

DPS ICA-1

Introduction to Cyber Security PDF Summary/Overview

The document provides a comprehensive overview of cyber security, covering its definition,
purpose, scope, principles, threats, and the importance of protecting digital assets in a
connected world.

Understanding Cyber Security Fundamentals


Cyber Security is essential for protecting digital assets from unauthorized access and attacks.
• Cyber Security protects computer systems, networks, applications, and data from digital
threats.
• It focuses on preventing unauthorized access, damage, disruption, and theft.
• Involves technologies, policies, procedures, and user education.
• Ensures confidentiality, integrity, and availability of information.

Importance and Purpose of Cyber Security


Cyber Security is crucial for safeguarding sensitive data and maintaining business continuity.
• Protects sensitive information such as personal, financial, and proprietary data.
• Prevents financial losses from fraud, ransomware, and theft.
• Ensures compliance with legal and regulatory requirements.
• Preserves customer trust and organizational reputation.

Comprehensive Scope of Cyber Security


Cyber Security encompasses various domains to provide holistic protection.
• Includes Network Security, Endpoint Security, Application Security, and Data Security.
• Covers Cloud Security, Identity and Access Management (IAM), and Operational
Security.
• Involves Disaster Recovery, Business Continuity, and User Awareness Training.

Key Security Truisms for Effective Strategies


Understanding security truisms helps in creating realistic security programs.
• Perfect security is unattainable; risk can only be minimized.
• Security is a continuous process requiring ongoing improvement.
• Humans are often the weakest link in security.
• Defense in depth is essential; no single control guarantees security.

Ethical Principles in Cyber Security


Cyber security professionals must adhere to ethical standards to maintain trust.
• Respect user privacy and confidentiality.
• Ensure honesty and transparency in security practices.
• Follow responsible disclosure protocols for vulnerabilities.
• Balance security measures with civil liberties.

Foundational Principles of Security


Core principles guide the design and implementation of security measures.
• Confidentiality ensures only authorized access to sensitive data.
• Integrity protects data from unauthorized modifications.
• Availability guarantees access to systems and data when needed.
• Authentication and authorization are critical for user access control.

The CIA Triad: Core Security Principles


The CIA Triad is fundamental to understanding security objectives.
• Confidentiality protects data from unauthorized disclosure.
• Integrity maintains data accuracy and completeness.
• Availability ensures systems are accessible when required.

Common Security Threats and Levels


Cyber security faces various threats that require layered defenses.
• Common threats include malware, phishing, insider threats, and APTs.
• Security levels encompass physical, network, application, data, and user security.

Identifying What Needs Protection


Cyber security aims to protect an organization’s entire digital ecosystem.
• Protects data, systems, networks, applications, identities, and processes.
• Critical infrastructure such as energy grids and healthcare systems is also
safeguarded.

Proactive and Reactive Security Approaches


Effective security involves both proactive and reactive strategies.
• Proactive measures include threat modeling, secure software development, and
vulnerability scanning.
• Reactive measures focus on incident response, forensic investigation, and recovery.

Understanding Cyber Activity and Threats


Cyber activity includes both legitimate and malicious actions in cyberspace.
• Malicious activities involve malware delivery, data exfiltration, and denial-of-service
attacks.
• Blended threats combine multiple techniques for greater impact.

Goals and Impact of Cyber Attacks


Cyber attacks aim to steal data, disrupt operations, and undermine trust.
• Common goals include data theft, financial fraud, and sabotage.
• The impact includes financial losses, operational disruption, and reputational damage.

The Critical Need for Cyber Security


Cyber security is vital due to increasing digital reliance and evolving threats.
• Rapid growth in cyber attacks and sensitive data online necessitates robust security.
• Compliance with data protection laws is mandatory for organizations.

Modern Cyber Security Strategies


Contemporary approaches integrate various security measures for effectiveness.
• Defense in depth and Zero Trust models are key strategies.
• Continuous monitoring and user training enhance security posture.

Insider Threats: Risks from Within


Insider threats pose significant risks due to authorized access.
• Types include malicious insiders, negligent insiders, and compromised accounts.
• Mitigation strategies involve strict access controls and continuous monitoring.

Types of Malware: Understanding Viruses


Viruses are a common type of malware that attach to legitimate files.
• They require user execution to spread and can perform various malicious actions.
• Types include file infector, macro, boot sector, and polymorphic viruses.

Types of Malware: Exploring Worms


Worms are self-replicating malware that spread without user intervention.
• They exploit vulnerabilities and can deliver harmful payloads.
• Types include internet worms, email worms, and network worms.

Types of Malware: The Trojan Horse


Trojans disguise themselves as legitimate software to trick users.
• They require user interaction for installation and can create backdoors.
• Types include Remote Access Trojans (RATs) and banking Trojans.

Types of Malware: Ransomware Threats


Ransomware encrypts files and demands payment for decryption.
• It has evolved into organized operations targeting various sectors.
• Examples include WannaCry and Ryuk.

Types of Malware: Understanding Spyware


Spyware covertly collects user information and sends it to attackers.
• It can track keystrokes and degrade system performance.
• Examples include Agent Tesla and DarkComet.

Types of Malware: The Role of Adware


Adware delivers advertisements and can track user behavior.
• It may hijack browsers and install other malware.
• Types include popup adware and browser hijackers.

Types of Malware: The Threat of Rootkits


Rootkits maintain privileged access while hiding their presence.
• They modify system files and are difficult to detect.
• Types include user-mode, kernel-mode, and firmware rootkits.

Types of Malware: Botnets Explained


Botnets are networks of compromised devices controlled by attackers.
• They are used for large-scale attacks and can consist of millions of devices.
• Types include centralized, decentralized, and IoT botnets.

Infrastructure Supporting Cyber-Attacks


Cyber-attack infrastructure includes systems set up for malicious activities.
• It enables attackers to automate and manage large-scale campaigns.
• Key components include Command-and-Control (C2) servers for communication.

Key Components of Cyber-Attack Infrastructure


The infrastructure supporting cyber-attacks consists of various components that facilitate the
execution and management of malicious activities.
• Malware Payload Repositories: Servers host malware files and delivery systems, often
using redundant servers for reliability; Emotet is an example that delivered banking
Trojans.
• Phishing Infrastructure: Comprises email servers and fake websites designed to steal
credentials, such as Office 365 phishing pages.
• Exploit Kits: Web-based tools that exploit browser vulnerabilities, like the Angler Exploit
Kit targeting Flash and Java.
• Bulletproof Hosting Services: Hosting providers that ignore abuse complaints, often
used for C2 servers and phishing sites, particularly in Eastern Europe.
• Domain Infrastructure: Involves domains for phishing and C2, utilizing fast-flux DNS and
Domain Generation Algorithms (DGAs) for resilience; Conficker worm is a notable
example.
• Proxy and VPN Networks: These networks obscure attacker locations and hide traffic,
with attackers sometimes using compromised devices as proxies.
• Botnets: Networks of infected machines used for various malicious activities, such as
the Mirai Botnet, which conducted massive DDoS attacks.
• Payment Systems: Involves cryptocurrency wallets for ransom payments and mixers for
laundering funds, with Bitcoin commonly used in ransomware demands.
• Monitoring and Analytics: Tools for tracking infection rates and managing
Ransomware-as-a-Service (RaaS) operations, providing dashboards for affiliates.
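The Domain Infrastructure bullet above mentions Domain Generation Algorithms (DGAs) as a resilience technique. From the defender's side, the practical question is how to pick DGA-style names out of DNS logs for review. The following script is an added example, not part of the original notes or of any product: it applies four cheap lexical heuristics (character entropy, vowel ratio, digit count, label length) to the registrable label of each domain and flags names that trigger most of them. The sample domains are constructed for this example, and the public-suffix handling is a deliberately naive assumption (a real deployment would consult the Public Suffix List).

```python
import math
from collections import Counter

# Constructed sample of domain names as they might appear in DNS query logs.
# None of these are real indicators; the random-looking ones were made up here.
SAMPLE_DOMAINS = [
    "mail.example.com",
    "cdn.example.org",
    "login.example.co.uk",
    "xk3jq9vz2lw0p.net",
    "qzpv8nlkmwyt7rc.info",
    "b7d2f9a1c4e6g8h0.com",
]

# Assumption for this toy: a short list of labels that act as second-level
# public suffixes (co.uk, com.au, ...). Production code should use the PSL.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Return the label just below the public suffix, e.g. 'example' for
    'login.example.co.uk' (naive suffix handling, see SECOND_LEVEL_SUFFIXES)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(domain: str) -> dict:
    """Score one domain against four lexical heuristics that algorithmically
    generated labels tend to trigger together, while dictionary-word
    labels rarely do."""
    label = registrable_label(domain)
    n = max(len(label), 1)  # guard against an empty label
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    entropy = shannon_entropy(label)
    checks = {
        "high_entropy": entropy >= 3.5,     # many distinct characters
        "few_vowels": vowels / n < 0.25,    # real words carry more vowels
        "digit_heavy": digits >= 2,
        "long_label": len(label) >= 12,
    }
    return {
        "label": label,
        "entropy": round(entropy, 2),
        "score": sum(checks.values()),
        "checks": checks,
    }


def suspicious_domains(domains, min_score: int = 3) -> list:
    """Domains whose heuristic score reaches `min_score`. These are review
    candidates for an analyst, not verdicts."""
    return [d for d in domains if dga_indicators(d)["score"] >= min_score]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        ind = dga_indicators(d)
        print(f"{d:24} label={ind['label']:18} H={ind['entropy']:.2f} score={ind['score']}")
    print("review:", suspicious_domains(SAMPLE_DOMAINS))
```

The thresholds are starting points to tune against your own resolver logs; short legitimate brand names with digits will score higher than dictionary words, which is why the output is a review list rather than an automatic block list.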

Lifecycle of Cyber-Attack Infrastructure


The lifecycle of cyber-attack infrastructure includes several stages from planning to retirement.
• Planning & Design: Involves selecting target types, choosing hosting and domains, and
defining operational goals.
• Acquisition & Setup: Registration of domains, renting servers, and setting up C2
frameworks are crucial steps.
• Weaponization: Development of malware payloads and testing of delivery methods are
essential for effective attacks.
• Delivery & Launch: Phishing emails and exploit kits are launched to distribute malware
to victims.
• Command-and-Control Operations: Infected systems connect back to C2 for remote
command issuance and additional payload downloads.
• Maintenance and Updates: Regular updates and domain rotations are necessary to
avoid detection and maintain operations.
• Monetization: Ransom demands and selling stolen data are key activities for financial
gain.
• Takedown/Retirement/Reuse: Infrastructure may be abandoned under pressure or
reused for new campaigns after detection.

Attacks & Vulnerabilities PDF Summary/Overview

The document provides an overview of reconnaissance in cybersecurity, detailing the goals,
techniques, and perspectives of both attackers and defenders during the information-gathering
phase of cyber attacks.

Goals of Reconnaissance from Attackers' Perspective


Reconnaissance is a critical phase for attackers to gather intelligence about a target to exploit
vulnerabilities effectively.
• Mapping the attack surface involves identifying exposed IPs, domains, and open ports.
• Discovering weaknesses includes looking for unpatched software and default
credentials.
• Understanding the technology stack helps attackers learn about the operating systems
and applications in use.
• Profiling human targets aids in crafting phishing attacks by gathering employee
information.
• Studying security measures allows attackers to detect defenses like firewalls and VPNs.
• Prioritizing targets helps attackers focus on the easiest and highest-value systems.
• Staying stealthy is crucial to avoid detection during the reconnaissance phase.
• Customizing the attack involves tailoring payloads to specific systems for better success
rates.
• Minimizing attack costs saves time and resources by targeting known vulnerabilities.

Goals of Reconnaissance from Defenders' Perspective


Defenders aim to detect and mitigate reconnaissance efforts to prevent potential attacks.
• Detecting recon attempts early involves identifying patterns like port scans and DNS
brute-force attacks.
• Preventing exposure requires hardening systems to reveal minimal data to potential
attackers.
• Misleading attackers can be achieved through deception techniques like honeypots.
• Reducing the attack surface involves closing unused ports and restricting information
leakage.
• Understanding attacker behavior helps defenders analyze reconnaissance patterns for
better threat intelligence.
• Monitoring external exposure includes watching public sources for data leaks.
• Enhancing awareness and training reduces the risk of human intel leaks.
• Improving threat modeling anticipates what attackers might look for in the organization.

Types of Reconnaissance Techniques


Reconnaissance techniques can be categorized into passive, active, and semi-passive methods
based on their interaction level with the target.
• Passive reconnaissance involves indirect data collection with very low detection risk,
using methods like Google Dorking and WHOIS lookups.
• Active reconnaissance includes direct interaction with the target, which carries a high
risk of detection through techniques like port scanning and OS fingerprinting.
• Semi-passive reconnaissance is a hybrid approach that interacts via third parties,
presenting a moderate risk of detection.

Passive Reconnaissance Techniques and Tools


Passive reconnaissance focuses on stealthy information gathering without direct interaction
with the target.
• WHOIS lookups reveal domain registrant information and DNS details.
• DNS enumeration collects subdomains and mail servers using tools like dnsenum and
dig.
• Google Dorking utilizes search operators to find hidden files and sensitive information.
• Certificate transparency logs help identify subdomains and wildcard certificates.
• Social media profiling gathers employee information from platforms like LinkedIn and
Twitter.
• GitHub and code repositories can expose sensitive data like API keys and internal URLs.
• Metadata analysis extracts information from documents to reveal user data and system
details.
• Leaked credentials searches utilize sources like Pastebin to find compromised accounts.
• Public cloud storage discovery identifies unsecured cloud buckets.

Active Reconnaissance Techniques and Risks


Active reconnaissance involves direct interaction with the target, which can lead to detection
and legal risks.
• Ping sweeps identify live hosts in a subnet using tools like Nmap and fping.
• Port scanning detects open TCP/UDP ports and running services with tools like Nmap and
Masscan.
• Service enumeration extracts banner data to learn about software versions.
• OS fingerprinting identifies the operating system based on packet responses.
• Protocol-specific enumeration interacts with services to gather internal details.
• Web server/application recon explores hidden files and detects misconfigurations.
• Vulnerability scanning automates the detection of known vulnerabilities in services.
• Risks include detection by IDS/IPS, behavioral analysis of logs, and potential legal
consequences for unauthorized scans.

Reconnaissance Process and Workflow


The reconnaissance process involves several phases to gather comprehensive information
about the target.
• Target identification begins with choosing a domain or organization for investigation.
• Footprinting collects open-source intelligence (OSINT) using tools like WHOIS and
Shodan.
• Infrastructure mapping involves DNS and port scans to understand the target's network.
• Service discovery determines open services using tools like Netcat and Nmap.
• OS/version detection employs active fingerprinting to identify the operating system.
• Vulnerability mapping matches discovered services with known CVEs for potential
exploits.
• Personnel recon identifies users for phishing attacks using tools like Hunter.io.
• Staging for attack involves crafting phishing or exploit payloads for execution.

Countermeasures to Reconnaissance


Defensive measures aim to limit exposure and detect reconnaissance activities effectively.
• Perimeter hardening includes disabling unused ports and restricting ICMP replies.
• Firewall rules should drop unexpected packets to prevent unauthorized access.
• IDS/IPS systems can detect scanning behavior and known user-agents.
• Web Application Firewalls (WAF) block reconnaissance attempts on web applications.
• Security headers should be configured to remove unnecessary information.
• Disabling banners prevents the disclosure of software version information.
• Deception technologies like honeypots can mislead attackers during reconnaissance.
• Monitoring paste sites helps track leaks related to domain-linked emails.
• Threat intelligence feeds can blacklist known scanners and bots.
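The countermeasures above include IDS/IPS detection of scanning behavior and firewall rules that drop unexpected packets. One concrete form of that detection is to read the firewall's deny log and alert on any source that touches many distinct destination ports within a short window. The script below is an added example written for these notes, not code from the original document or from any firewall product: the log format, the TEST-NET addresses, and the thresholds are all constructed assumptions, and the sample log is built inline so the script runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape of the constructed log below (an assumption, not the syntax of any
# particular firewall product).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> list:
    """Constructed firewall deny log using documentation (TEST-NET) addresses."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # one host sweeping 16 consecutive ports, one per second
    for i, port in enumerate(range(20, 36)):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:{TS_FMT}} DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dport={port}")
    # a client retrying a single closed port: many denies, but only one port
    for i in range(5):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts:{TS_FMT}} DENY src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=8443")
    # a slow probe: four ports spread over nine minutes, never many in one minute
    for i, port in enumerate((80, 443, 8000, 8080)):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts:{TS_FMT}} DENY src=198.51.100.9 dst=192.0.2.10 proto=TCP dport={port}")
    lines.append("malformed line that the parser must skip")
    return lines


def parse_line(line: str):
    """Return (timestamp, src, dport) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], int(m["dport"])


def detect_port_scans(lines, min_ports: int = 10, window_s: int = 60) -> dict:
    """Map each source that hit at least `min_ports` distinct destination ports
    inside some `window_s`-second window to the sorted list of ports it touched."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            ts, src, dport = ev
            per_src[src].append((ts, dport))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        # slide a window that ends at each event and count distinct ports in it
        for i, (t_end, _) in enumerate(events):
            t_start = t_end - timedelta(seconds=window_s)
            ports = {p for t, p in events[: i + 1] if t >= t_start}
            if len(ports) >= min_ports and len(ports) > len(alerts.get(src, ())):
                alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {len(ports)} ports ({ports[0]}-{ports[-1]})")
```

With the defaults only the fast sweep is reported; the retrying client generates more deny lines than the slow probe but never more than one port, and the slow probe only surfaces if the window is widened (for example ten minutes with a lower port threshold), which is the usual trade-off between catching slow scans and tolerating ordinary noise.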

Nascent Vulnerabilities Overview


Nascent vulnerabilities are newly discovered flaws that can be exploited before patches are
available.
• They include recently disclosed CVEs and zero-day vulnerabilities that are publicly
unknown.
• These vulnerabilities often arise from misconfigurations or updates in software and
networks.
• Discovery methods include security research, fuzzing, reverse engineering, bug bounty
programs, and post-breach forensics.

Common Vulnerabilities in Network Infrastructure


Network infrastructure vulnerabilities are critical targets for attackers due to their essential
roles.
• Default or weak credentials often remain unchanged, posing security risks.
• Unpatched firmware leaves devices vulnerable to known CVEs.
• SNMP misconfigurations can expose sensitive device configurations.
• Open management interfaces allow unauthorized remote access to devices.
• Improper ACLs can lead to unauthorized access through inadequate firewall rules.
• DHCP snooping bypasses can enable man-in-the-middle attacks.
• Routing protocol vulnerabilities can lead to traffic manipulation and hijacking.

Common Vulnerabilities in Web Applications


Web applications are frequently targeted due to their public accessibility and dynamic content.
• Input validation flaws can lead to injection attacks like SQLi and XSS.
• Broken access control allows unauthorized access to sensitive resources.
• Security misconfigurations expose applications to various risks, such as directory listing.
• Outdated components with known CVEs can be exploited by attackers.
• Insecure deserialization can lead to remote code execution vulnerabilities.
• Insecure direct object references (IDOR) expose private data through predictable URLs.
• Insufficient rate limiting can make APIs and logins vulnerable to brute-force attacks.

Common Vulnerabilities in Native Code


Native code vulnerabilities pose significant risks due to manual memory management and lack
of safety checks.
• Buffer overflows can lead to memory corruption and remote code execution.
• Use-after-free vulnerabilities allow access to freed memory, leading to potential
exploits.
• Integer overflows can bypass bounds checks, causing incorrect memory allocation.
• Format string vulnerabilities can expose sensitive memory data.
• Race conditions between the check of a condition and the later use of its result (time-of-check/time-of-use) can be exploited.
• DLL hijacking allows attackers to load malicious DLLs into vulnerable applications.
• Uninitialized memory access can lead to data leakage or application crashes.

Cyber Threat Hunting PDF Summary/Overview

The document provides a comprehensive overview of cyber threat hunting, including its
importance, processes, types, tools, metrics, and challenges in identifying and mitigating
advanced threats that evade traditional security measures.

Cyber Threat Hunting Overview


Cyber Threat Hunting is a proactive security practice aimed at identifying advanced threats that
evade traditional security measures.
• Involves skilled analysts searching for signs of malicious activity.
• Focuses on hypothesis-driven questions and data analysis.
• Aims to detect stealthy attackers before they cause damage.
• Emphasizes the importance of human intuition in threat detection.

Importance of Threat Hunting


Threat hunting is crucial for identifying advanced persistent threats (APTs) that automated tools
may miss.
• APTs often use techniques like living-off-the-land and fileless malware.
• Traditional security tools may not detect low-signal, high-impact activities.
• Human analysis adds intuition and pattern recognition to threat detection.

Types of Threat Hunting Approaches


There are three main types of threat hunting methodologies.
• Structured (Hypothesis-Driven): Based on threat intelligence or specific tactics.
• Unstructured (Exploratory): Data-driven analysis focusing on observed anomalies.
• Situational / IOC-Based: Hunting for known indicators of compromise.

Threat Hunting Lifecycle Stages


The threat hunting process consists of several key stages.
• Preparation: Understand normal behavior and gather threat intelligence.
• Hypothesis Creation: Formulate testable theories based on intelligence.
• Data Collection: Gather relevant logs and telemetry from various sources.
• Analysis & Hunting: Investigate findings and report confirmed threats.
• Response: Contain threats and take necessary actions.
• Feedback & Enrichment: Update detection rules and improve hunting strategies.

Data Sources for Effective Threat Hunting


Various data sources provide insights for effective threat hunting.
• SIEM Logs: Correlate login, process, and system activity.
• EDR Telemetry: Offers detailed endpoint behavior.
• DNS Logs: Help detect command and control activities.
• Firewall Logs: Monitor network behavior and lateral movement.
• Authentication Logs: Identify privilege escalation and login anomalies.

Tools Utilized in Threat Hunting


A range of tools supports the threat hunting process.
• SIEM: For log aggregation and search capabilities.
• EDR: Provides endpoint telemetry and hunting interfaces.
• ELK Stack: Custom log storage and visual hunting.
• YARA: Detects file-based threats using patterns.
• MITRE ATT&CK Navigator: Maps adversarial techniques for better hunting.

Key Metrics for Threat Hunting Success


Metrics are essential for evaluating the effectiveness of threat hunting programs.
• Time to Detect (TTD): Measures the speed of identifying threats.
• Number of Hypotheses Tested: Reflects the level of hunting activity.
• Confirmed Detections: Valid findings that lead to actionable responses.
• False Positives Rate: Indicates the quality of tuning in detection systems.

Frameworks Supporting Threat Hunting Practices


Frameworks like MITRE ATT&CK and THMM guide threat hunting efforts.
• MITRE ATT&CK: Maps attacker tactics, techniques, and procedures.
• Threat Hunting Maturity Model (THMM): Ranges from no hunting (Level 0) to real-time
behavioral hunts with AI support (Level 4).

Key Techniques and Strategies for Threat Hunting


Various techniques enhance the effectiveness of threat hunting.
• Living off the Land (LOTL) Detection: Identifies abuse of legitimate tools.
• Abnormal Behavior Detection: Looks for anomalies in user behavior.
• Beaconing Activity: Monitors for unusual DNS check-ins.
• Lateral Movement Patterns: Detects SMB connections between endpoints.
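The "Beaconing Activity" technique above (and the DNS Logs data source listed earlier) comes down to one measurable property: a compromised host checking in with its controller tends to query the same name at nearly constant intervals, whereas human-driven lookups are bursty. The script below is an added example for these notes, not code from the original document or any tool: it parses a constructed resolver log, groups queries by (client, name), and flags pairs whose inter-query intervals have a low coefficient of variation. The log format, the private addresses and the reserved `.test` domain are all constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Line shape of the constructed resolver log below (an assumption, not any
# product's real log format).
DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<qname>\S+) type=\w+$")


def build_sample_dns_log() -> list:
    """Constructed resolver log: one host checks in every five minutes with a
    little jitter, another browses at irregular times. Both hosts happen to
    average one query per 300 s, so rate alone cannot separate them."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    jitter = [0, 1, 2, 1, 0, 2, 1, 0, 1, 2, 0, 1]
    for i, j in enumerate(jitter):
        ts = base + timedelta(seconds=300 * i + j)
        lines.append(f"{ts:{TS_FMT}} client=10.0.0.5 query=sync.example-c2.test type=A")
    for off in (0, 7, 95, 130, 131, 400, 1800, 1805, 2400, 2401, 2402, 3300):
        ts = base + timedelta(seconds=off)
        lines.append(f"{ts:{TS_FMT}} client=10.0.0.9 query=www.example.com type=A")
    return lines


def parse_line(line: str):
    """Return (timestamp, client, qname) or None for a non-matching line."""
    m = DNS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["client"], m["qname"].lower()


def detect_beacons(lines, min_queries: int = 8, max_cv: float = 0.1) -> dict:
    """Return (client, qname) pairs whose query intervals are nearly constant.

    cv = standard deviation / mean of the gaps between consecutive queries;
    a machine-driven check-in keeps cv small even with some jitter."""
    seen = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            ts, client, qname = ev
            seen[(client, qname)].append(ts)
    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"queries": len(stamps), "mean_gap_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (client, qname), info in detect_beacons(build_sample_dns_log()).items():
        print(f"{client} -> {qname}: {info['queries']} queries, "
              f"every ~{info['mean_gap_s']} s (cv={info['cv']})")
```

Both constructed hosts average one query every 300 seconds, yet only the check-in host is reported, because its gaps barely vary while the browsing host's gaps range from one second to over twenty minutes. In practice `max_cv` needs loosening for implants that add deliberate jitter, and the candidate list should be joined with the DGA-style name checks and threat intelligence before anyone is paged.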

Challenges Faced in Threat Hunting


Threat hunting presents several challenges that need to be addressed.
• Data Overload: Managing excessive logs can be overwhelming.
• Skill Requirement: Requires deep knowledge of attacker behavior.
• False Positives: Not all anomalies indicate threats.
• Tool Complexity: EDRs and SIEMs require careful tuning for effectiveness.

Summary of Cyber Threat Hunting


Cyber Threat Hunting is a proactive approach to uncover hidden threats that automated tools
may miss.
• It aims to discover attacker presence and improve overall security posture.
• Utilizes structured or exploratory approaches with various tools and frameworks.
• The outcome includes enhanced detection capabilities and faster incident response.
