Basics of Certified Ethical Hacker | Sushant A

What is Information Security?

Information Security refers to protecting information and the information systems that use, store and transmit data from unauthorised access.

Information Security is the state of well-being of information and infrastructure in which the possibility of theft or tampering of data or information systems is kept low or tolerable.

Information Security Elements

Confidentiality: The data or information system is accessible only to authorised users; no one else can access that information or system.

Integrity: The data or information must not be changed by an unauthorised party; the data must remain the same as it was.

Availability: Systems are responsible for storing, processing and providing data to the user when he needs it. Data must be available to the user whenever he wants it.

Authenticity: Authenticity is a characteristic property of communication; without authenticity you cannot know who is accessing the data. It is a way of identifying the user, for example using biometrics or smart cards.

Non-Repudiation: It is a way to guarantee that the sender of a message cannot later deny to the receiver that he sent that message.

How Do Attacks Happen?

Attacks = Motive (Goals) + Methods + Vulnerability

Information Security Attacks

Active Attack: In this attack, the attacker communicates directly with the target and interacts with the data flow; these attacks are more detectable than other kinds of attacks.

Passive Attack: In this attack, the attacker does not communicate directly with the target; instead they monitor network traffic and analyse the data flow in the network.

Close-in Attack: In this attack, the attacker performs some kind of attack after getting physically close to the target, such as shoulder surfing.

Insider Attack: In this attack, the attacker is inside the organization and uses his privileges to harm the organization from within, for example by stealing devices or planting keyloggers.

Distribution Attack: In this attack, the attacker tampers with software or hardware while it is still in the build stage, before it reaches the end user.

Information Warfare

Information Warfare refers to the use of ICT (Information and Communication Technologies) to gain a competitive advantage over an opponent.

Types of Information Warfare:

Command and Control warfare: The impact the attacker has on a system or network after compromising that system.

Intelligence-based warfare: Consists of the design, protection and denial of systems that seek sufficient knowledge to dominate the battlespace.

Electronic Warfare: The use of radio-electronic and cryptographic techniques to degrade communication.

Economic Warfare: Affecting the economy of a business, an individual or a nation by blocking the flow of information.

Psychological Warfare: The use of techniques such as propaganda and terror to demoralize the opponent and so win the battle.

Hacker Warfare: The use of viruses, logic bombs, Trojan horses and sniffers to perform attacks.

Cyber Warfare: The use of information systems against the virtual personas of individuals or groups.

Certified Ethical Hacker Hacking Methodology

Footprinting: In this phase, we gather as much information as possible about the target.

Scanning: In this phase, we identify active hosts, open ports and unnecessary services enabled on the host.

Enumeration: In this phase, we make active connections with the target system to gather information such as network user lists, routing tables, security flaws, shares, users, groups, applications, and banners.

Vulnerability Analysis: In this phase, we recognize, measure and classify security flaws and vulnerabilities in computer systems, networks, and communication channels. Attackers perform vulnerability analysis to identify security loopholes in the target organization’s network.

System Hacking: In this phase, the hacker uses all the information found during footprinting, scanning, enumeration, and vulnerability analysis to hack the system.

  • Gaining Access: This is where the actual hacking happens; the hacker uses exploitation tools to exploit the vulnerabilities found.
  • Escalating Privileges: After gaining access to the computer system, the attacker tries to escalate his normal user privileges to administrator privileges.
  • Maintaining Access: In this phase, the attacker can download and upload files to the computer system, and tries to retain his ownership of it.
  • Clearing Logs: To remain undetected, the attacker deletes all evidence of the security compromise from the system.

Cyber kill chain methodology

Reconnaissance: Gather data on the target to probe for weak points

Weaponization: Create a deliverable malicious payload using an exploit and a backdoor.

Delivery: Send weaponized bundle to the victim using email, USB, …

Exploitation: Exploit vulnerability by executing code on the victim’s system.

Installation: Install malware on the target system.

Command and control: Create a command and control channel to communicate and pass data back and forth.

Actions on objectives: Perform actions to achieve intended objectives.

Tactics, Techniques and Procedures (TTP)

Tactics: The guidelines that describe the way an attacker performs the attack from beginning to end.

Techniques: The technical methods used by an attacker to achieve intermediate results during the attack.

Procedures: The organizational approaches that threat actors follow to launch an attack.

Adversary Behaviour Identification

  • Internal Reconnaissance
  • Use of PowerShell
  • Unspecified proxy Activities
  • Use of CLI
  • HTTP User Agent
  • Command and control server
  • Use of DNS tunnelling
  • Use of web shell
  • Data staging

Indicator of compromise (IoCs)

These are clues, artifacts, and pieces of forensic data found on an organization’s network or operating systems that indicate potentially malicious activity in the organization’s infrastructure.

Categories of Indicator of Compromise

  • Email Indicators
  • Network Indicators
  • Host-based Indicators
  • Behavioural Indicators

Some Indicators of Compromise

  1. Unusual outbound network traffic
  2. Unusual activity through a privileged user account
  3. Multiple login failures
  4. Large HTML responses
  5. Suspicious registry activity
  6. Unusual DNS requests
  7. Unusual patching of systems

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is mainly used for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.

Tactics in the ATT&CK for Enterprise

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defence Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and control
  • Exfiltration
  • Impact
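The indicators of compromise listed above (multiple login failures, unusual DNS requests, unusual outbound traffic), the DNS-tunnelling behaviour under adversary behaviour identification, and the ATT&CK tactics become concrete when written as detection logic. The following is an added example, not code from the original post: it runs three small detectors over constructed log lines (the log format, hosts and thresholds are assumptions) and tags each finding with the ATT&CK tactic it most plausibly maps to.

```python
import math
from collections import Counter

# Constructed sample log lines, invented for this example (not from any real system).
# Assumed format: "<kind> key=value key=value ...", one event per line.
SAMPLE_LOGS = """\
auth host=web01 user=alice src=10.0.0.5 result=FAIL
auth host=web01 user=alice src=10.0.0.5 result=FAIL
auth host=web01 user=alice src=10.0.0.5 result=FAIL
auth host=web01 user=alice src=10.0.0.5 result=FAIL
auth host=web01 user=alice src=10.0.0.5 result=FAIL
auth host=web01 user=alice src=10.0.0.5 result=OK
auth host=web01 user=bob src=10.0.0.7 result=FAIL
dns host=ws12 query=www.example.com
dns host=ws12 query=mail.example.com
dns host=ws12 query=ajk3n4k2j5h6g7f8d9s0a1q2w3e4r5t6y7u8i9o0p.tunnel.example.net
dns host=ws12 query=zx8c7v6b5n4m3l2k1j0h9g8f7d6s5a4p3o2i1u0y9t8r7e6w5q4.tunnel.example.net
net host=ws12 dst=203.0.113.9 bytes_out=120000000
net host=ws13 dst=203.0.113.10 bytes_out=4096
"""

def parse_logs(text):
    """Turn the log text into a list of (kind, fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, rest = line.strip().partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((kind, fields))
    return events

def shannon_entropy(s):
    """Bits of entropy per character; random-looking DNS labels score high."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())

def detect_login_failures(events, threshold=5):
    """IoC 'multiple login failures': one source repeatedly failing on one account."""
    fails = Counter()
    for kind, f in events:
        if kind == "auth" and f.get("result") == "FAIL":
            fails[(f["src"], f["user"])] += 1
    return [{"indicator": "multiple login failures", "tactic": "Credential Access",
             "src": src, "user": user, "failures": n}
            for (src, user), n in fails.items() if n >= threshold]

def detect_unusual_dns(events, max_label=30, min_entropy=3.5):
    """IoC 'unusual DNS requests': long, high-entropy leftmost labels are a
    common sign of DNS tunnelling being used as a command and control channel."""
    findings = []
    for kind, f in events:
        if kind != "dns":
            continue
        label = f["query"].split(".")[0]
        if len(label) > max_label and shannon_entropy(label) >= min_entropy:
            findings.append({"indicator": "unusual DNS request",
                             "tactic": "Command and Control",
                             "host": f["host"], "query": f["query"]})
    return findings

def detect_unusual_outbound(events, byte_threshold=50_000_000):
    """IoC 'unusual outbound network traffic': a host pushing far more data out
    than its peers (threshold is an assumed, per-environment value)."""
    return [{"indicator": "unusual outbound traffic", "tactic": "Exfiltration",
             "host": f["host"], "dst": f["dst"], "bytes_out": int(f["bytes_out"])}
            for kind, f in events
            if kind == "net" and int(f["bytes_out"]) >= byte_threshold]

def triage(text):
    """Run every detector and return all findings, each tagged with an ATT&CK
    tactic so an analyst can see which stage of the attack the clue belongs to."""
    events = parse_logs(text)
    return (detect_login_failures(events)
            + detect_unusual_dns(events)
            + detect_unusual_outbound(events))
```

Calling `triage(SAMPLE_LOGS)` returns four findings: alice’s five failures (Credential Access), the two long random-looking tunnel queries (Command and Control) and ws12’s large upload (Exfiltration); bob’s single failure and the ordinary queries are not reported.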

Diamond Model of Intrusion Analysis

The Diamond Model offers a framework for identifying the clusters of events that are correlated on any of the systems in the organization.

  • Adversary: an opponent, “who” was behind the attack
  • Victim: The target that has been exploited, or “where” the attack was performed
  • Capability: The attack strategies, or “how” the attack was performed
  • Infrastructure: “What” the adversary used to reach the victim

Who is a Hacker?

A hacker is a skilled individual with excellent computer skills who can break into a system without authorization to destroy or steal sensitive information or perform other malicious activity.

What is hacking?

Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized access to a system’s resources.

What is Risk?

Risk refers to the potential harm or loss resulting from threats exploiting vulnerabilities in an organization’s information systems, networks, or data.

What is vulnerability?

A vulnerability refers to a weakness, flaw, or gap in a system’s design, implementation, configuration, or operation that could potentially be exploited by attackers to compromise the system’s security.

What is Exploit?

An exploit refers to a piece of software, code, or technique that takes advantage of a specific vulnerability or weakness in a computer system, software application, network device, or any other digital asset.

What is Payload?

A payload refers to the part of malicious code or software that is designed to execute a specific action on a target system after an exploit or malware successfully compromises it.

What is Ethical Hacking?

Ethical hacking refers to the use of hacking tools, tricks and techniques to identify system vulnerabilities and ensure system security. Ethical hackers perform security assessments for an organization with the permission of its authorities.

Types of Hackers

  1. White Hat Hacker
  2. Black Hat Hacker
  3. Grey Hat Hacker
  4. Script kiddies
  5. Suicide Hackers
  6. Cyber Terrorists
  7. State sponsored Hackers
  8. Hacktivist

Why Ethical Hacking?

  • To prevent hackers from gaining access to information systems
  • To find system vulnerabilities
  • To analyse the strengths of the organization’s security
  • To safeguard customer data
  • To enhance security awareness
  • To find out who hacked the system, how he did it, and who is behind the attack

Scope of Ethical Hacking:

Ethical hacking has a broad scope in the field of cybersecurity. It involves authorized individuals, known as ethical hackers or penetration testers, using their hacking skills to identify vulnerabilities and weaknesses in computer systems, networks, and applications. The scope of ethical hacking includes:

1. Security Assessment: Ethical hackers assess the security posture of organizations by identifying vulnerabilities and potential risks.

2. Penetration Testing: They conduct controlled attacks to exploit vulnerabilities and help organizations understand their security weaknesses.

3. Security Consulting: Ethical hackers offer recommendations and solutions to improve an organization’s overall security.

4. Vulnerability Research: Ethical hackers contribute to finding and reporting security flaws to vendors, promoting software and system security.

5. Cyber Incident Response: They assist in investigating and mitigating security breaches and cyber incidents.

Limitations of Ethical Hacking:

While ethical hacking is valuable and essential for improving cybersecurity, it does have limitations:

1. Legal and Ethical Boundaries: Ethical hackers must operate within legal and ethical guidelines, respecting the boundaries defined by their clients and the law.

2. Scope Limitation: Ethical hacking is usually performed based on predefined scopes, which may not cover all potential vulnerabilities.

3. Time Constraints: Ethical hacking engagements are often time-limited, which may limit the depth of assessment.

4. False Sense of Security: Organizations may develop a false sense of security after an ethical hacking assessment, assuming all vulnerabilities are addressed.

5. Human Factor: Ethical hacking might not fully capture all aspects of human behaviour and social engineering risks.

6. Rapidly Evolving Threats: Ethical hackers may not always be up-to-date with the latest hacking techniques and emerging threats.

Information Assurance

Information Assurance (IA) refers to the assurance that the confidentiality, integrity, availability and authenticity of information and information systems are protected during the usage and transmission of information.

Adaptive Security Strategies

The adaptive security strategy states that continuous prediction, protection, detection and response actions must be taken to ensure computer network defence.

Prediction > Protection > Detection > Response

Defence-in-Depth

Defence-in-Depth is a security strategy in which several layers of protection are placed throughout the information system.

  • Policies, Procedures and Awareness
  • Physical
  • Perimeter
  • Internal Network
  • Host
  • Application
  • Data

Risk Management

Risk Management is the process of reducing and maintaining risk at an acceptable level by means of well-defined and actively employed security programs.

  • Risk Identification
  • Risk Assessment
  • Risk Treatment
  • Risk Tracking
  • Risk Review

Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) refers to the information collected, analysed, and disseminated about potential and existing cybersecurity threats that pose risks to organizations, systems, networks, or individuals. CTI helps organizations understand the threats they are facing and make informed decisions to protect their assets and mitigate risks effectively.

Strategic Threat Intelligence: This type of CTI focuses on high-level, long-term trends and risks in the cyber landscape. It helps organizations understand the overall threat landscape, including emerging threats, geopolitical influences, and the motivations of threat actors. Strategic CTI is vital for executives and decision-makers to allocate resources and plan security strategies.

Tactical Threat Intelligence: Tactical CTI provides actionable and timely information that assists security teams in identifying and responding to specific threats. It includes details about recent threat actor activities, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). This type of intelligence is useful for security analysts and incident response teams.

Operational Threat Intelligence: Operational CTI bridges the gap between strategic and tactical intelligence. It focuses on specific threat campaigns, threat actors, or attack groups. Operational intelligence helps organizations understand the specific threats they face and provides actionable information to improve their security posture.

Technical Threat Intelligence: Technical CTI is highly detailed and focuses on technical aspects of cyber threats. It includes information such as malware analysis, network traffic patterns, vulnerabilities, and specific exploit details. This intelligence is valuable for security teams managing technical aspects of an organization’s defences.

Threat Intelligence Lifecycle

The Threat Intelligence Lifecycle is a structured approach used by organizations to effectively gather, analyse, and act upon cyber threat intelligence. This process helps ensure that intelligence is utilized efficiently to strengthen an organization’s security posture and mitigate potential threats. The lifecycle typically consists of the following stages:

Planning and Direction:

  • This initial phase involves defining the objectives and scope of the threat intelligence program.
  • Identify the stakeholders, including those responsible for collecting, analysing, and acting on intelligence.
  • Set goals and establish a clear direction for the intelligence team.

Collection:

  • In this stage, data is gathered from various sources, such as internal logs, open-source intelligence (OSINT), closed-source intelligence (CSINT), human intelligence (HUMINT), and technical sources.
  • The data collected could include indicators of compromise (IOCs), threat actor profiles, malware samples, vulnerabilities, and other relevant information.

Processing:

  • Once the data is collected, it needs to be processed and validated for accuracy and relevance.
  • Data normalization and enrichment may occur to ensure consistency and improve its usability for analysis.

Analysis:

  • During this phase, the processed data is examined in-depth by security analysts and experts to identify patterns, trends, and potential threats.
  • Analysts may use various methods, such as data correlation, anomaly detection, and behavioural analysis.

Dissemination:

  • After analysis, the relevant and actionable intelligence is disseminated to the appropriate stakeholders.
  • This could include incident response teams, network administrators, executives, or other relevant personnel.

Integration:

  • The disseminated intelligence is integrated into existing security processes and systems.
  • It may be used to update intrusion detection/prevention systems, firewall rules, or other security measures.

Threat Modelling

Threat modelling is a proactive approach used in the field of cybersecurity to identify potential security risks and vulnerabilities in systems, applications, or processes. By understanding the threats and weaknesses, organizations can take appropriate measures to design, develop, and deploy more secure solutions.

Identify Security Objectives: Helps determine how much effort needs to be put toward the subsequent steps.

Application Overview: Identify the components, data flows, and trust boundaries.

Decompose the Application: Helps identify more relevant and more detailed threats.

Identify Threats: Identify the threats relevant to the control scenario and context, using the information obtained in steps 2 and 3.

Identify Vulnerabilities: Identify the weaknesses related to the threats found, using vulnerability categories.

Incident Management:

Incident management is a structured approach used by organizations to respond to and handle cybersecurity incidents effectively. A cybersecurity incident refers to any unauthorized or malicious activity that compromises the confidentiality, integrity, or availability of information systems, data, or services. Incident management aims to minimize the impact of such incidents and restore normal operations as quickly as possible.

Main Motives of Incident Management:

  • Vulnerability analysis
  • Artifacts analysis
  • Security awareness training
  • Intrusion Detection
  • Public or Technology monitoring

Incident Handling and Response

Incident handling and response is the process of taking organized and careful steps when reacting to a security incident.

  1. Preparation
  2. Incident Recording and assignment
  3. Incident triage
  4. Notification
  5. Containment
  6. Evidence Gathering and forensic Analysis
  7. Eradication
  8. Recovery
  9. Post-Incident activities

Role of AI and ML in Cyber Security

Artificial Intelligence (AI) and Machine Learning (ML) play crucial roles in enhancing cybersecurity practices. Their capabilities in analysing large datasets, detecting anomalies, and automating tasks have significantly improved cyber defence measures. Here are some key roles of AI and ML in cybersecurity:

Threat Detection and Prevention: AI and ML algorithms can analyse vast amounts of data from various sources in real-time, enabling them to detect and identify patterns associated with cyber threats. This includes identifying malware, zero-day attacks, phishing attempts, and other malicious activities.

Anomaly Detection: ML models can establish baseline behaviour for users, systems, and networks. When any deviation from the normal behaviour is detected, it can trigger alerts for potential security incidents, allowing for rapid response.

Behavioural Analysis: AI-powered systems can monitor and analyse user behaviour to identify suspicious activities or insider threats. This can help organizations spot unauthorized access attempts or unusual data transfer patterns.

Automated Incident Response: ML can facilitate automated incident response by rapidly identifying and mitigating threats, reducing the time taken to respond to and contain cyber incidents.

Security Analytics: AI-driven security analytics can provide more accurate and actionable insights from security logs and other data sources, helping security analysts focus on critical threats and investigate incidents efficiently.

Enhanced Endpoint Security: AI and ML technologies can enhance endpoint security by detecting and blocking sophisticated malware, advanced persistent threats (APTs), and fileless attacks.

Threat Hunting: ML algorithms can assist threat hunters in identifying potential threats that might have gone undetected by traditional security measures. This can aid in proactively identifying new attack vectors and vulnerabilities.

User Authentication: AI can help in implementing advanced user authentication methods, such as behavioural biometrics, to enhance security and prevent unauthorized access.

Security Patch Management: AI can analyse software vulnerabilities and prioritize the most critical ones, helping organizations efficiently manage their patching process to protect against potential exploits.

Phishing Detection: AI-powered systems can detect and block phishing emails by analysing content, sender reputation, and other characteristics.

Security Operations Optimization: By automating repetitive tasks and providing intelligent insights, AI and ML can optimize the efficiency of security operations centres (SOCs) and incident response teams.

Adaptive Security: ML algorithms can adapt and learn from emerging threats, making it possible to evolve cybersecurity measures continuously.

Applicable Security Laws and Standards

  • Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data and ensure the secure handling of payment card information. The standard was developed and is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was formed by major payment card brands, including Visa, Mastercard, American Express, Discover, and JCB.

The primary goal of PCI DSS is to prevent cardholder data breaches and fraud by establishing security requirements for businesses that handle, store, process, or transmit cardholder data. Compliance with PCI DSS is mandatory for all organizations that accept, process, or store payment card information. This includes merchants, service providers, financial institutions, and any other entity involved in payment card transactions.

  • ISO/IEC 27001:2013

ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to address the growing need for effective information security management in organizations worldwide.

  • Health Insurance Portability and Accountability Act (HIPAA)

HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal law that sets national standards to protect sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge. In the context of cybersecurity, HIPAA is important because it mandates that covered entities (CEs) and their business associates (BAs) implement certain security measures to protect PHI.

  • Sarbanes-Oxley Act (SOX)

SOX aims to improve the overall security and reliability of financial reporting, protect investors, and restore confidence in the financial markets. While it is primarily a financial regulation, it has significant implications for information security practices within organizations, particularly for those that are publicly traded and subject to SOX compliance requirements.

  • Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA) is a federal law that was enacted in 1998 to combat the theft of electronic media such as software, games, photography, videos, or music over the internet.

  • Federal Information Security Management Act (FISMA)

FISMA stands for Federal Information Security Management Act. It is a United States federal law that defines a framework of guidelines and security standards to protect government information and operations. FISMA was enacted as part of the E-Government Act of 2002 and is one of the most important regulations for federal data security standards and guidelines.

The goal of FISMA is to improve the security of federal information and systems by establishing a comprehensive framework for assessing, managing, and reporting on information security risks.

  • General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

  • Data Protection Act 2018 (DPA)

The Data Protection Act 2018 (DPA 2018) is a United Kingdom law that sets out the legal requirements for organizations that process personal data. The DPA 2018 is based on the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy.

The DPA 2018 applies to all organizations that process personal data, regardless of whether they are located in the UK or not. The DPA 2018 sets out a number of requirements for organizations that process personal data, including:

  • Purpose limitation. Organizations must only process personal data for the purposes for which it was collected.
  • Data minimization. Organizations must only collect the personal data that is necessary for the purposes for which it is being processed.
  • Accuracy. Organizations must ensure that personal data is accurate and up-to-date.
  • Storage limitation. Organizations must only store personal data for as long as is necessary for the purposes for which it is being processed.
  • Integrity and confidentiality. Organizations must take steps to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
  • Individual rights. Individuals have a number of rights under the DPA 2018, including the right to access their personal data, the right to rectification, the right to erasure, the right to restrict processing, the right to object to processing, the right to data portability, and the right to lodge a complaint with the Information Commissioner’s Office (ICO).

Cyber Laws in India

  • The Patents Act, 1999
  • Trade Marks Act, 1999
  • The Copyright Act, 1957
  • Information Technology Act

That’s all for now, we will meet soon…
