Professional Documents
Culture Documents
Summary 22
Summary 22
The Danger
War Stories
Threat actors can hijack banking sessions and other personal information by using
“evil twin” hotspots. Threat actors can target companies, as in the example where
opening a pdf on the company computer can install ransomware. Entire nations can be
targeted. This occurred in the Stuxnet malware attack.
Threat Actors
Threat actors include, but are not limited to, amateurs, hacktivists, organized
crime groups, state sponsored, and terrorist groups. The amateur may have little to
no skill and often use information found on the internet to launch attacks.
Hacktivists are hackers who protest against a variety of political and social
ideas. Much of the hacking activity is motivated by financial gain. Nation states
are interested in using cyberspace for industrial espionage. Theft of intellectual
property can give a country a significant advantage in international trade. As the
Internet of Things (IoT) expands, webcams, routers, and other devices in our homes
are also under attack.
Threat Impact
It is estimated that businesses will lose over $5 trillion annually by 2024 due to
cyberattacks. Personally identifiable information (PII), protected health
information (PHI), and personal security information (PSI) are forms of protected
information that are often stolen. A company can lose its competitive advantage
when this information is stolen, including trade secrets. Also, customers lose
trust in the company’s ability to protect their data. Governments have also been
victims of hacking.
Major elements of the SOC include people, processes, and technologies. Job roles
are rapidly evolving and include tiers based on expertise and experience. These
roles include a Tier 1 Alert Analyst, a Tier 2 Incident Responder, a Tier 3 Threat
hunter, and an SOC Manager. A Tier 1 Analyst will monitor incidents, open tickets,
and perform basic threat mitigation.
SEIM systems are used for collecting and filtering data, detecting and classifying
threats, and analyzing and investigating threats. SEIM and SOAR are often paired
together. SOAR is similar to SIEM. SOAR goes a step further by integrating threat
intelligence and automating incident investigation and response workflows based on
playbooks developed by the security team. Key Performance Indicators (KPI) are
devised to measure different aspects of SOC performance. Common metrics include
Dwell Time, Meant Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to
Contain (MTTC), and Time to Control.
There must be a balance between security and availability of the networks. Security
cannot be so strong that it interferes with employees or business functions.
Becoming a Defender
Windows History
The first computers required a Disk Operating System (DOS) to create and manage
files. Microsoft developed MS-DOS as a command line interface (CLI) to access the
disk drive and load the operating system files. Early versions of Windows consisted
of a Graphical User Interface (GUI) that ran over MS-DOS. However, modern Windows
versions are in direct control of the computer and its hardware and support
multiple user processes. This is much different than the single process, single
user MS-DOS. Since 1993, there have been more than 20 releases of Windows that are
based on the NT operating system. Users use a Windows GUI to work with data files
and software. The GUI has a main area that is known as the Desktop and a Task Bar
situated below the desktop. The Task Bar includes the Start menu, quick launch
icons, and a notification area. Windows has many vulnerabilities. Recommendations
to secure the Windows OS include use of virus or malware protection, use of strong
passwords, use of firewall, and limited use of the administrator account, among
others.
A computer works by storing instructions in RAM until the CPU processes them. Each
process in a 32-bit Windows computer supports a virtual address space that enables
addressing up to 4 gigabytes. Each process in a 64-bit Windows computer supports a
virtual address space of up to 8 terabytes. Windows stores all of the information
about hardware, applications, users, and system settings in a large database known
as the registry. The registry is a hierarchical database where the highest level is
known as a hive, below that there are keys, followed by subkeys. There are five
registry hives that contain data regarding the configuration and operation of
Windows. There are hundreds of keys and subkeys.
Windows Security
Malware can open communication ports to communicate and spread. The Windows netstat
command displays all open communication ports on a computer and can also display
the software processes that are associated with the ports. This enables unknown
potentially malicious software to be identified and shutdown. Windows Event Viewer
provides access to numerous logged events regarding the operation of a computer.
Windows logs Windows events and applications and services events. Logged event
severity levels range through the information, warning, error, or critical levels.
It is very import to keep Windows up to date to guard against new security threats.
Software patches, updates, and service packs address security vulnerabilities as
they are discovered. Windows should be configured to automatically download and
install updates as they become available. Windows can be configured to only install
and restart a computer at specified times of day.
4. Linux Overview
Linux Basics
Linux is a fast, reliable, and small open-source operating system. It requires few
hardware resources to run and is highly customizable. It is designed to be used on
networks. The Linux kernel is distributed by different organizations with different
tools and software packages. A customized version of Linux that is called Security
Onion contains software and tools that are designed for use in network security
monitoring by cybersecurity analysts. Kali Linux is another customized Linux
distribution that has numerous tools that are designed for network security
penetration testing.
In Linux, the user communicates with the operating system through a GUI or a
command-line interface (CLI), or shell. If a GUI is running, the shell is accessed
through at terminal application such as xterm or gnome terminal. Linux commands are
programs that perform a specific task. The man command, followed by a specific
command, provides documentation for that command. It is important to know at least
basic Linux commands, file and directory commands, and commands for working with
text files. In Linux everything is treated is if it were a file, including the
memory, disks, monitor, and directories.
Servers are computers that have software installed that enables them to provide
services to client computers across the network. Some services provide access to
external resources such as files, email, and web pages, to clients upon request.
Other services run internally and perform tasks such as log management, memory
management, or disk scanning. To enable a computer to provide multiple services,
ports are used. A port is a reserved network resource that “listens” for requests
by clients. While the port number that is used by a service can be configured, most
services listen on default “well-known” ports. Client software applications are
designed to communicate with specific types of servers. Web browsers are designed
to communicate with web servers by using the HTTP protocol on port 80. FTP clients
communicate with FTP servers to transfer files.
In Linux, servers are managed by using configuration files. Various settings can be
modified and saved in configuration files. When a service is started, it looks at
its configuration file(s) to know how it should run. There is no rule for the way
configuration files are written. Configuration file formatting depends on the
creator of the server software. Linux devices should be secured by using proven
methods to protect the device and administrative access. This is known as hardening
devices. One way to harden a device is to maintain passwords, configure enhanced
login features, and implement secure remote login with SSH. It is also very
important to keep the operating system up to date. Other ways to harden a device
are to force periodic password changes, enforce strong passwords, and to prevent
reuse of passwords. Finally, Linux clients and servers use logfiles to record the
operation of the system and important events. A number of different logfiles are
maintained including application logs, event logs, service logs, and system logs.
Server logs record activities that are conducted by remote users who access system
services. It is important to know the location of different logs in the Linux file
system so that they can be accessed and monitored for problems.
Linux supports a number of different file systems that vary by speed, flexibility,
security, size, structure, logic, and more. Some of the file systems that are
supported by Linux are ext2, ext3, ext4, NFS, and CDFS. File systems are mounted on
partitions and accessed through mounting points, or directories. Windows drive
letters are examples of mounting points. The mount command can be used to display
details of the file systems that are currently mounted on a Linux computer. The
root file system is represented by the “/” symbol. It contains all of the files in
the computer by default. Linux uses file permissions to control who is permitted to
have different types of access to files and directories. Permissions include read
(r), write (w), and execute (x). Files and directories have permissions that are
assigned for users, groups, and others. The permissions for files and folders are
displayed with the ls -l command. This command also displays the links for a file.
Hard links create another file with a different name that is linked to the same
place in the file system. The owner of the file and the group for the file are also
displayed along with the date and time of the last modification to the file. File
permissions are powerful features of the Linux file system and can’t be violated.
Only the root user can override file permissions. Because of the power of the root
user, root access should be carefully controlled. Hard links are created with the
ln command. Changes to one of the hard-linked files are also made to the original
file. Symbolic links, or symlinks, are similar to hard links in that a change to
the linked file is reflected in the original file. Symbolic links have several
advantages over hard links.
The X Windows, or X11, system is a basic software framework that includes functions
for creating, controlling, and configuring a windows GUI in a point-and-click
interface. Different vendors use the X Windows system to create different windows
manager GUIs for Linux. Examples of windows managers are Gnome and KDE. The Ubuntu
Linux distribution uses Gnome 3 by default. The Gnome 3 desktop consists of the
Apps Menu, Ubuntu Dock, Top Bar, Calendar and System Message tray, the Activities
area, and the Status Menu.
5. Network Protocols
Network Communications
Networks come in all sizes and can be found in homes, businesses, and other
organizations. The internet is the largest network in existence . All computers
that connect to a network are known as hosts or end devices. Much of the
interaction between hosts is client-server traffic. Hosts can operate as clients or
servers or both clients and servers in peer-to-peer networks. Servers are hosts
that use specialized software to enable them to respond to requests for different
types of data from clients. Clients are hosts that use software applications such
as web browsers, email clients, or file transfer applications to request data from
servers. When we use the internet, we use a combination of copper and fiber optic
cables or wireless and satellite communications to carry our data traffic.
Connections to the internet are through internet service providers that connect to
each other using global Tier 1 and Tier 2 ISPs that connect to each other through
Internet Exchange Points (IXP). Larger businesses may connect to Tier 2 ISPs
through a Point of Presence (POP). Tier 3 ISPs connect homes and businesses to the
internet. Traffic between a computer and an internet server can take many different
paths. Some paths can be very direct, but others may seem to go out of the way. In
addition, data that is sent between a computer and server may be sent on a
different path from that on which it is received.
Communications Protocols
Data communications requires more than just connections. Devices must know how to
communicate. For this devices use communications rules or protocols, just as face-
to-face communications between people use rules. Network protocols specify many
features of network communication such as message encoding, message formatting and
encapsulation, message size, message timing, and delivery options. Examples of
networking protocols include Hypertext Transfer Protocol (HTTP), Transmission
Control Protocol (TC), and Internet Protocol (IP). It is very important that a
cybersecurity analyst know the structure of protocol data and how protocols
function on the network. Protocols specify how messages are structured and the way
that networking devices share information about pathways to other networks. They
also specify how and when error and system messages are passed between devices. In
addition, protocols specify how data transfer sessions are setup and terminated.
The TCP/IP protocol suite is used by the internet and data networks in homes,
businesses, and other organizations. The TCP/IP suite is a family of protocols that
conform to freely available open-source standards that are endorsed by the
networking industry and approved by standards organizations. This enables devices
from different manufacturers to work together. The TCP/IP protocol suite has four
layers of protocols that work together when messages are sent and received. Common
protocols at the application layer of the suite are DNS, DHCP, POP3, and HTTPS,
among others. Transport layer protocols are TCP and UDP. Examples of internet layer
protocols are IPv4, IPv6, ICMP, and EIGRP. Messages are formatted to conform to
protocols standards. Protocol data is encapsulated by putting higher layer data
within lower layer data when the data is sent. The reverse process occurs when the
data is received. Protocol standards specify the size of messages and how the
messages are encoded to be sent over network connections as radio waves, pulses of
light, or electrical signals. The receiving host decodes the messages. Protocol
standards also specify the rate at which data is sent (flow control), the time that
a host waits to receive a response from the destination (response timeout), and the
way in which hosts determine when they can send data on a shared-media network
(access method). Unicast messages are sent to one destination host. Multicast
messages are sent to a group of hosts. Broadcasts are sent to all hosts in the same
area of the network. Layered communication models have a number of benefits. Models
assist in protocol and device design. They also increase competition between
manufacturers because devices must work together. Finally, models prevent changes
at one layer from impacting other layers and provide a common way to describe
network operation. Two models are the OSI and TCP/IP reference models. The OSI
model has seven layers. The different layers have different functions. The TCP/IP
model has four layers.
Data Encapsulation
Messages that consist of large amounts of data can not be sent across the network
as one massive stream of bits. This is because other people would need to wait for
the entire communication to complete before they could use the network, and if the
communication failed, the entire message would need to be sent again. Instead, data
is broken into a series of smaller pieces and sent over the network. This is called
segmentation. Segmentation is required by the TCP/IP protocol suite. Data is sent
as packets. Each packet is separately addressed and can take different paths
through a network to reach the destination. Segmentation increases the speed and
efficiency of data networks. Increased speed is gained because many data
conversations can happen at the same time on the network. This is called
multiplexing. Efficiency is gained because only data that is not received by a
destination needs to be re-sent. Messages are segmented to be sent, and must be
recombined when they are received. As data is passed down the protocol stack to be
sent, different information is added by each layer. This process is called
encapsulation. The form that data takes at different layer is called a protocol
data unit (PDU). During encapsulation, the PDUs are encapsulated within PDUs in the
next layer down the stack when the data is sent. The reverse process occurs when
the data is received. At the OSI application layer, the PDU is generally referred
to simply as data. The data is encapsulated into segments or datagrams at the
transport layer. The network layer PDU is called a packet, it encapsulates
segments. The data link layer encapsulates packets into frames. Finally, the
physical layer transmits bits across the network. The OSI transport, network, and
data link layers all use addressing. The transport layer uses protocol addresses in
the form of port numbers. The network layer uses IP addresses to identify hosts and
networks, Finally, the data link layer uses hardware addresses to identify which
hosts on the local network should handle frames. These addresses identify the
source of the data and the destination of the data. After the data is received, it
is de-encapsulated so that the data can be used by the client applications that
requested it.
Ethernet
Ethernet and wireless LANs (WLANs) are the two most popular LAN technologies.
Ethernet operates at the physical and data link layers of the OSI model and are
defined in the IEEE 802.2 and 802.3 standards. Ethernet supports bandwidths from 10
Mbps to 100,000 Mbps. It is important to know the Ethernet frame fields. An
Ethernet MAC address is a 48-bit binary value expressed as 12 hexadecimal digits (4
bits per hexadecimal digit). The MAC address can be represented using dashes,
colons, or periods between the groups of digits.
IPv4
Network layer protocols allow end devices to exchange data across networks and the
internet. IP version 4 (IPv4) and IP version 6 (IPv6) are the principle network
layer communication protocols. To accomplish end-to-end communications across
network boundaries, network layer protocols perform four basic operations:
addressing end devices, encapsulation, routing, and de-encapsulation. IP
encapsulates the transport layer segment by adding an IP header which is used to
deliver the packet, which is examined by Layer 3 devices (i.e., routers and Layer 3
switches), to reach the destination host. IP is connectionless, best effort, and
media Independent. It is important to be familiar with the structure of the IP
packet.
IP Addressing Basics
Whether a packet is destined for a local host or a remote host is determined by the
source end device. In IPv4 networks, the source device uses its own subnet mask
along with its own IPv4 address and the destination IPv4 address to make this
determination. In an IPv6 network, the local router advertises the local network
address (prefix) to all devices on the network. The router that is connected to the
local network segment is referred to as the default gateway. It has a local IP
address in the same address range as other hosts on the local network. It can
accept data into the local network and forward data out of the local network. It
also routes traffic to other networks. A default route is the route or pathway your
computer will take when it tries to contact a remote network. On a Windows host,
the route print or netstat -r command can be used to display the host routing
table.
IPv6
7. Connectivity Verification
ICMP
The TCP/IP suite sends ICMP messages when IP packets encounter forwarding problems.
However, ICMP messages are not required and are often not allowed within a network
for security reasons. ICMPv4 is the messaging protocol for IPv4, while ICMPv6
provides these same services for IPv6 and includes additional functionality. ICMP
messages that are common to both ICMPv4 and ICMPv6 include host confirmation,
destination or service unreachable, time exceeded, and route redirection. ICMPv6
includes the additional four ICMPv6 messages for the Neighbor Discovery Protocol
(NDP). These messages are router solicitation (RS) and router advertisements (RA)
messages that are sent between IPv6 routers and IPv6 hosts, and neighbor
solicitation (NS) and neighbor advertisement (NA) messages that are sent between
IPv6 devices.
Ping is an IPv4 and IPv6 testing utility that uses ICMP echo request and echo reply
messages to test connectivity between hosts. Some of the types of connectivity
tests that are performed with ping include pinging the local loopback, pinging the
default gateway, and pinging a remote host. Traceroute (tracert) is a utility that
generates a list of the router hops that were successfully reached along a path.
This provides important verification and troubleshooting information. Traceroute
makes use of a function of the TTL field in IPv4 and the Hop Limit field in the
IPv6 Layer 3 headers, along with the ICMP Time Exceeded message. ICMP is
encapsulated directly into IP packets as the data payload. The ICMP data payload
contains special header data fields.
MAC and IP
There are two primary addresses that are assigned to a device on an Ethernet LAN;
the IP address, which is logically assigned, and the MAC address which is
physically assigned and is unique to the network interface. IP addresses are used
to identify the address of the original source device and the final destination
device. The destination IP address may be on the same IP network as the source or
may be on a remote network. Layer 2 or physical addresses, such as Ethernet MAC
addresses, have a different purpose. These addresses are used to deliver the data
link frame with the encapsulated IP packet from one NIC to another NIC on the same
network. If the destination IP address is on the same network, the destination MAC
address will be that of the destination device.
ARP
When using IPv4 for network communication, ARP is used to map the logical IPv4
address with the Layer 2 MAC address. In order to build an Ethernet frame, the
destination MAC address must be known. When the destination IPv4 address is on the
same network as the source, the ARP process sends the IPv4 address to all hosts on
the network so that the host with the matching IPv4 address can reply with the
corresponding MAC address. The sending device now has all of the information that
is necessary to build the Layer 2 Ethernet frame. ARP provides two basic functions:
resolving IPv4 addresses to MAC addresses and maintaining a table of IPv4 to MAC
address mappings. The sending device will search its ARP table for a destination
IPv4 address and a corresponding MAC address. If the packet’s destination IPv4
address is on the same network as the source IPv4 address, the device will search
the ARP table for the destination IPv4 address. If it does not have an entry for
the IPv4 address in its ARP table, the sending device sends out an ARP request to
determine the destination MAC address. Only the device with the target IPv4 address
associated with the ARP request will respond with an ARP reply. The ARP reply is
encapsulated in an Ethernet frame using the following header information: the
destination MAC address of the requesting host, the source MAC address of the
replying host, and the type, which is a code that identifies the data as being for
the ARP process. ARP messages have a type field value of 0x806. If the destination
IPv4 address is on a different network than the source IPv4 address, the device
will search the ARP table for the IPv4 address of the default gateway. IPv6 uses a
similar process to ARP in IPv4. It is known as ICMPv6 Neighbor Discovery (ND). IPv6
uses neighbor solicitation and neighbor advertisement messages, similar to IPv4 ARP
requests and ARP replies.
ARP Issues
MAC and IP
There are two primary addresses that are assigned to a device on an Ethernet LAN;
the IP address, which is logically assigned, and the MAC address which is
physically assigned and is unique to the network interface. IP addresses are used
to identify the address of the original source device and the final destination
device. The destination IP address may be on the same IP network as the source or
may be on a remote network. Layer 2 or physical addresses, such as Ethernet MAC
addresses, have a different purpose. These addresses are used to deliver the data
link frame with the encapsulated IP packet from one NIC to another NIC on the same
network. If the destination IP address is on the same network, the destination MAC
address will be that of the destination device.
ARP
When using IPv4 for network communication, ARP is used to map the logical IPv4
address with the Layer 2 MAC address. In order to build an Ethernet frame, the
destination MAC address must be known. When the destination IPv4 address is on the
same network as the source, the ARP process sends the IPv4 address to all hosts on
the network so that the host with the matching IPv4 address can reply with the
corresponding MAC address. The sending device now has all of the information that
is necessary to build the Layer 2 Ethernet frame. ARP provides two basic functions:
resolving IPv4 addresses to MAC addresses and maintaining a table of IPv4 to MAC
address mappings. The sending device will search its ARP table for a destination
IPv4 address and a corresponding MAC address. If the packet’s destination IPv4
address is on the same network as the source IPv4 address, the device will search
the ARP table for the destination IPv4 address. If it does not have an entry for
the IPv4 address in its ARP table, the sending device sends out an ARP request to
determine the destination MAC address. Only the device with the target IPv4 address
associated with the ARP request will respond with an ARP reply. The ARP reply is
encapsulated in an Ethernet frame using the following header information: the
destination MAC address of the requesting host, the source MAC address of the
replying host, and the type, which is a code that identifies the data as being for
the ARP process. ARP messages have a type field value of 0x806. If the destination
IPv4 address is on a different network than the source IPv4 address, the device
will search the ARP table for the IPv4 address of the default gateway. IPv6 uses a
similar process to ARP in IPv4. It is known as ICMPv6 Neighbor Discovery (ND). IPv6
uses neighadcasts would probably have minimal impact on network performance. If a
large number of devices were to be powered up and all start accessing network
services at the same time, there could be some reduction in performance for a short
period of time. After the devices send out the initial ARP broadcasts and have
learned the necessary MAC addresses, any impact on the network will be minimized.
Since the ARP request is a broadcast there is are potential security risks imposed.
A threat actor can use ARP spoofing to perform an ARP poisoning attack by replying
to an ARP request for an IPv4 address belonging to another device, such as the
default gateway. The receiver of the ARP reply will add the wrong MAC address to
its ARP table and send these packets to the threat actor.