Infosec.Cysa+
Contents
Security Operations
Threat Hunting Concepts/Tools
Windows Event Logging with PowerShell Script
Process Improvement and Vulnerability Methods
Documentation, Adherence (ISO/IEC 27001), and Uniform Protocols
Streamlining Operations
Automation, Integration (consolidation), and Optimization (preplanning)
Threat Intelligence Cycle
- Planning and Direction
- Collection and Processing
- Analysis
- Report Production
- Dissemination/Feedback
Single Pane of Glass: The consolidation of information/controls into a single dashboard.
Assets:
- Identification
- Scoping Scan
- Asset Prioritization
- Scan Execution
- Detection
- Asset Management Integration
- Remediation Planning
- Continuous Monitoring
Management and Criticality: Cataloguing assets and identifying critical assets aid in creating a defensive plan. Tagging assets and managing them via a database allows for more security control.
Vulnerability Scanning
Scope establishes allowable actions
Some Vulnerability databases include:
- NIST National Vulnerability Database
- Common Platform Enumeration (CPE)
- Common Weakness Enumeration (CWE)
- Common Vulnerabilities and Exposures (CVE)
CVE: https://cve.mitre.org/cve/data_feeds.html
NIST: https://nvd.nist.gov/
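The asset-prioritization steps and the vulnerability databases above come together when a scan result is matched against an inventory. The following is an added example, not part of the original notes: it parses a constructed, simplified feed in the shape of an NVD JSON record (CVE id, CVSS v3.1 base score, CWE ids, CPE match criteria), matches the CPE criteria against a constructed asset inventory, and ranks findings by CVSS score weighted by asset criticality. The CVE ids, CPE strings and scores are placeholders, not real entries.

```python
import json

# Constructed asset inventory: CPE 2.3 identifier plus a criticality rating (1 = low, 5 = crown jewel).
INVENTORY = [
    {"asset": "web-01",   "cpe": "cpe:2.3:a:example:webapp:1.2:*:*:*:*:*:*:*",    "criticality": 5},
    {"asset": "build-02", "cpe": "cpe:2.3:a:example:buildtool:3.0:*:*:*:*:*:*:*", "criticality": 2},
    {"asset": "kiosk-03", "cpe": "cpe:2.3:o:example:kioskos:7:*:*:*:*:*:*:*",     "criticality": 1},
]

# Constructed feed in a simplified NVD JSON 2.0 layout. Placeholder CVE ids; not real vulnerabilities.
NVD_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"description": [{"value": "CWE-89"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:webapp:1.2:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "weaknesses": [{"description": [{"value": "CWE-22"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:buildtool:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "weaknesses": [{"description": [{"value": "CWE-287"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:example:kioskos:7:*:*:*:*:*:*:*"}]}]}]}},
]})


def cpe_matches(criteria, cpe):
    """Field-by-field CPE 2.3 comparison; '*' in the criteria matches any value."""
    c, a = criteria.split(":"), cpe.split(":")
    if len(c) != len(a):
        return False
    return all(cf in ("*", af) for cf, af in zip(c, a))


def parse_feed(feed_json):
    """Pull id, CVSS base score, CWE ids and vulnerable CPE criteria out of each record."""
    findings = []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = metrics[0]["cvssData"]["baseScore"] if metrics else 0.0
        cwes = [d["value"] for w in cve.get("weaknesses", []) for d in w.get("description", [])]
        criteria = [m["criteria"]
                    for cfg in cve.get("configurations", [])
                    for node in cfg.get("nodes", [])
                    for m in node.get("cpeMatch", []) if m.get("vulnerable")]
        findings.append({"id": cve["id"], "score": score, "cwes": cwes, "criteria": criteria})
    return findings


def prioritize(feed_json, inventory):
    """Match findings to assets and rank by CVSS score weighted by asset criticality."""
    rows = []
    for f in parse_feed(feed_json):
        for asset in inventory:
            if any(cpe_matches(c, asset["cpe"]) for c in f["criteria"]):
                rows.append({"asset": asset["asset"], "cve": f["id"], "cvss": f["score"],
                             "cwes": f["cwes"],
                             "priority": round(f["score"] * asset["criticality"], 1)})
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in prioritize(NVD_FEED, INVENTORY):
        print(row)
```

Note that ordering by CVSS alone would put kiosk-03 (7.5) ahead of build-02 (5.3); weighting by criticality flips them, which is the point of the asset-prioritization step before remediation planning.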
Internal, External, Credentialed, non-Credentialed, Active, and Passive Scans
External and Internal mirror respective perspectives of outside attackers and insiders.
Vulnerabilities commonly found by credentialed scans:
- URL Parameter Pollution
- weak configurations
- missing patches.
Vulnerabilities commonly found by non-credentialed (user-perspective) scans:
- Cross Site Scripting (XSS)
- SQL Injection
- Cross Site Request Forgery (CSRF)
Active/Passive Scans
Active: Creates noise because it sends packets to servers or Wi-Fi networks
- TCP SYN: Sends a SYN packet to a server and listens for a SYN-ACK to determine whether the port is open. If it cannot get through, an RST is sent and the scan moves on to the next port
Passive: Listens for surrounding or incoming packets instead of querying
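Because an active SYN scan is noisy, the same half-open pattern (many bare SYNs from one source to many ports, no completed handshake) is what a defender looks for. The following is an added example, not part of the original notes: it runs simple SYN-scan detection over a constructed, simplified packet log (timestamp, source, destination, destination port, TCP flags) and flags a source that left at least a threshold number of half-open connections. The addresses and log format are constructed.

```python
from collections import defaultdict

# Constructed log: "<ts> <src> <dst> <dport> <flags>", flags in tcpdump style (S, A, PA, R).
# 10.0.0.5 probes six ports with bare SYNs and tears each down with RST (half-open pattern);
# 10.0.0.7 completes real handshakes to 80 and 443.
PACKET_LOG = """\
1.00 10.0.0.5 192.168.1.10 21 S
1.01 10.0.0.5 192.168.1.10 21 R
1.02 10.0.0.5 192.168.1.10 22 S
1.03 10.0.0.5 192.168.1.10 22 R
1.04 10.0.0.5 192.168.1.10 25 S
1.06 10.0.0.5 192.168.1.10 80 S
1.07 10.0.0.5 192.168.1.10 80 R
1.08 10.0.0.5 192.168.1.10 443 S
1.09 10.0.0.5 192.168.1.10 443 R
1.10 10.0.0.5 192.168.1.10 3306 S
2.00 10.0.0.7 192.168.1.10 443 S
2.01 10.0.0.7 192.168.1.10 443 A
2.02 10.0.0.7 192.168.1.10 443 PA
2.50 10.0.0.7 192.168.1.10 80 S
2.51 10.0.0.7 192.168.1.10 80 A
"""


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def detect_syn_scans(log_text, min_ports=5):
    """Return {source: [(dst, port), ...]} for sources with >= min_ports half-open targets.

    A target counts as half-open when the source sent a bare SYN and never followed it
    with an ACK-bearing segment to the same dst:port (a SYN-ACK answered by RST, or
    nothing at all, both leave the handshake incomplete)."""
    syns = defaultdict(set)       # src -> targets that saw a bare SYN
    completed = defaultdict(set)  # src -> targets where the source later sent an ACK
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, flags = parse_line(line)
        if flags == "S":
            syns[src].add((dst, dport))
        elif "A" in flags:
            completed[src].add((dst, dport))
    alerts = {}
    for src, targets in syns.items():
        half_open = targets - completed[src]
        if len(half_open) >= min_ports:
            alerts[src] = sorted(half_open)
    return alerts


if __name__ == "__main__":
    for src, targets in detect_syn_scans(PACKET_LOG).items():
        print(f"possible SYN scan from {src}: {len(targets)} half-open ports")
```

The threshold and the lack of a time window keep the logic readable; a production rule would bucket by time so a slow scan spread over hours is still caught, and would whitelist known scanners such as the organization's own vulnerability scanner.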
Code Analysis: Static/Dynamic
Static, or source code analysis, analyzes code before compilation using Static Application Security Testing (SAST) tools. Run during the SDLC (Software Development Life Cycle).
Web App Vulnerability Scanning: Nikto can be used to analyze a published environment
Fuzzing: examining for defects/vulnerabilities
Interception Proxy: Sits man-in-the-middle between the browser and the application, capturing and modifying requests while crawling the application
Tools: Nmap, Zenmap, Nessus, OWASP ZAP, Metasploit
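The "Fuzzing" line above is the dynamic counterpart to static analysis: feed a program mutated inputs and watch for crashes. The following is an added example, not part of the original notes: a constructed toy record parser that trusts a length prefix, a minimal mutation fuzzer that finds the defect, and a hardened parser that the same fuzzer cannot crash. The parser format and the mutation strategy are assumptions made for the example.

```python
import random


def parse_record(data: bytes):
    """Constructed toy parser: one length byte, then that many payload bytes.
    Deliberately trusts the declared length; returns (length, last payload byte)."""
    length = data[0]
    payload = data[1:1 + length]
    return length, payload[length - 1]  # IndexError when payload is shorter than declared


def parse_record_safe(data: bytes):
    """Hardened version: validates the length field and rejects malformed input cleanly."""
    if len(data) < 1:
        raise ValueError("missing length byte")
    length = data[0]
    payload = data[1:1 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("truncated or empty record")
    return length, payload[length - 1]


def mutate(rng, data: bytes) -> bytes:
    """Apply one random mutation: overwrite a byte, cut the tail, or append a byte."""
    data = bytearray(data)
    op = rng.choice(("flip", "truncate", "append"))
    if op == "flip" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "truncate" and len(data) > 1:
        del data[rng.randrange(len(data)):]
    else:
        data.append(rng.randrange(256))
    return bytes(data)


def fuzz(target, seed_input: bytes, iterations=1000, seed=1):
    """Mutation fuzzer. ValueError counts as a clean rejection; any other exception is a
    crash and is reported with the input that triggered it. Returns None if no crash."""
    rng = random.Random(seed)
    corpus = [seed_input]
    for i in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
        except ValueError:
            continue  # rejected cleanly; not interesting
        except Exception as exc:
            return {"iteration": i, "input": candidate, "error": type(exc).__name__}
        corpus.append(candidate)  # inputs that parsed are kept as new seeds
    return None


if __name__ == "__main__":
    print("vulnerable parser:", fuzz(parse_record, b"\x03abc"))
    print("hardened parser:", fuzz(parse_record_safe, b"\x03abc"))
```

Real fuzzers (coverage-guided ones in particular) replace the random mutation with feedback from the program under test, but the loop is the same: mutate, execute, triage, keep what explores new behaviour.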