CompTIA+CySA++(CS0-003)+Study+Guide.pdf

Full Transcript


CompTIA CySA+ (CS0-003) (Study Notes)
https://www.DionTraining.com

CompTIA CySA+ (CS0-003) Foundation Notes

Introduction
CompTIA CySA+ is an intermediate level certification for IT professionals
This certification focuses on your ability to:
  o Capture, monitor, and respond to network traffic findings
  o Understand software and application security, automation, threat hunting, and IT regulatory compliance
This certification is designed for:
  o IT or Cybersecurity professionals who already have Network+, Security+, or equivalent
  o Those with 3-4 years of hands-on experience
  o Those with hands-on experience in Cybersecurity
This course is designed to serve as a full textbook replacement
CompTIA CySA+ consists of 4 domains or areas of knowledge:
  o 33% Security Operations
  o 30% Vulnerability Management
  o 20% Incident Response Management
  o 17% Reporting and Communication
  o Questions from each domain and objective are given in random order
The certification exam consists of:
  o Multiple-choice questions
  o Performance-based questions (PBQs)
  o 75 to 85 questions
In order to pass the CySA+ certification exam, you have to score at least 750 points out of 900 possible points
To be able to take the exam, you will have to pay an exam fee by buying an exam voucher
  o You can purchase the exam voucher at store.comptia.org, buying it directly from the CompTIA store
  o The voucher costs somewhere around $400 for the Cybersecurity Analyst+ exam
  o Save 10% off your exam voucher by buying it at DionTraining.com/vouchers
  o Vouchers last anywhere from 11 to 12 months after purchase
4 tips for success in this course:
  o Closed captions are available
  o Control the speed
  o Join our FB group (facebook.com/groups/diontraining)
  o Download and print the study guide
Exam Tips
  o There will be no trick questions
  o Pay close attention to the words in bold, italics, or all uppercase
  o Answer the questions based on CompTIA CySA+ knowledge
    ▪ When in doubt, choose the answer that is correct for the highest number of situations
  o Try not to fight the exam or the test questions
  o Do not memorize the terms
  o You are expected to know the proper syntax and how to use the Nmap tool
    ▪ Know the tool name
    ▪ Know the purpose of the tool
    ▪ Know the output it gives during an assessment or a penetration test
You are covered by our 100% Pass Guarantee
  o All the risk is on us as it should be. You have nothing to lose here.
  o This course includes videos, a study guide, quizzes, hands-on labs, and practice exams
    ▪ You have to score at least an 80% to pass and mark it as complete
    ▪ At the end of the course, you will find our practice exams
      • Understand why the answers are right or wrong
      • Explanations are provided for every single question
      • Please don't try to simply memorize the questions, but take time to understand the why behind them
    ▪ As you go through the course, make sure that you have watched the videos, taken the quizzes, done the labs, and finished the practice exams.
    ▪ If you think you've done everything and it still doesn't show 100%, please email us at [email protected]
  o Once you have the course completion letter, you are eligible for our 60-Day 100% Pass Guarantee
  o Always remember:
    ▪ If you have any questions throughout the course, about the content, or about a concept that you just don't understand, you can always reach us at [email protected] and we'll be more than glad to assist

Identify Security Control Types
Objective 2.5: Explain concepts related to vulnerability response, handling and management

Cybersecurity Roles and Responsibilities
  o Core Cybersecurity Roles
    ▪ Cybersecurity Specialist / Technician is the one who will do the hands-on configuration of a system and do things under the direction of a cybersecurity
    ▪ Cyber Crime Analyst / Investigator is the one who works a lot in the digital forensics realm
    ▪ Incident Analyst / Responder is the one who focuses on responding to a data breach or other type of cyberattack that happens across your organization
    ▪ Cybersecurity Analyst is a large, overall encompassing term for a lot of the other areas, as well as a senior position inside most organizations
    ▪ Penetration Tester is somebody who breaks into somebody's systems with their permission to identify their vulnerabilities
    ▪ Cybersecurity Manager / Administrator is the one responsible for observing all of the operations occurring across the network and managing the infrastructure that facilitates those operations
    ▪ Cybersecurity Engineer is focused on building tools and techniques and designing the entire system at a big, large level for the organization
    ▪ Chief Information Security Officer (CISO) is a senior-level executive who oversees an organization's information, cyber, and technology security
  o Cybersecurity Analyst
    ▪ A senior position within an organization's security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it
    ▪ Any device that processes or uses our information is covered by the role of a cybersecurity analyst
    ▪ Cybersecurity teams contain junior and senior analysts
    ▪ Analysts are expected to have years of experience working within IT and IT security
    ▪ Functions of a cybersecurity analyst:
      • Implementing and configuring security controls
      • Working in a SOC or CSIRT
      • Auditing security processes and procedures
      • Conducting risk assessments, vulnerability assessments, and penetration tests
      • Maintaining up-to-date threat intelligence
    ▪ Problem Solving

Security Operations Center (SOC)
  o Security Operations Center (SOC)
    ▪ A location where security professionals monitor and protect critical information assets in an organization
      • This is like a security monitoring center
      • This is where junior analysts, overseen by senior analysts, are trying to find what's known as indicators of compromise
    ▪ SOCs usually exist for larger corporations, government agencies, and health care organizations
    ▪ Things that a SOC needs in order for it to be successful:
      • Have the authority to operate
      • Have motivated and skilled professionals
      • Incorporate processes into a single center
      • Be equipped to perform incident response
      • Protect itself and the organization at large
      • Be able to separate the signal from the noise
      • Collaborate with other SOCs for data sharing
    ▪ The SOC should be the single point of contact for security, monitoring, and incident response

Security Control Categories
  o We just need a basic understanding of the different security control categories
  o Security Control
    ▪ Mitigates vulnerabilities and risk to ensure the confidentiality, integrity, availability, nonrepudiation, and authentication of data
    ▪ Security controls should be selected and deployed in a structured manner using a risk management framework
  o NIST Special Publication 800-53 Revision 5
    ▪ This document is called Security and Privacy Controls for Federal Information Systems and Organizations
    ▪ For the exam, you're not expected to actually read this document and learn everything inside of it. But as a cybersecurity professional, you will use this document a lot when you're selecting controls.
    ▪ This document has 18 families of controls to make it easier to find controls. Examples of families are:
      • Access Control (AC)
      • Accountability (AA)
      • Incident Response (IR)
      • Risk Management (RA)
  o ISO 27001
    ▪ An international standard and a proprietary framework
  o Earlier versions of NIST SP 800-53 used classes of controls (technical, operational, and managerial)
    ▪ Technical (Logical) Controls
      • A category of security control that is implemented as a system (hardware, software, or firmware)
    ▪ Operational Controls
      • A category of security control that is implemented primarily by people rather than systems
    ▪ Managerial Controls
      • A category of security control that provides oversight of the information system
  o Newer versions of NIST SP 800-53 do not use classes of controls anymore, but these are still used by the CySA+ exam objectives, so they are included here
  o Exam Tips
    ▪ You don't need to read the entire 800-53 document, but it is a good thing to use as an on-the-job resource
    ▪ You don't need to memorize the different family designations, but you should be familiar with the basic concepts that are presented inside the 800-53 document
  o Security Controls Functional Types
    ▪ Preventative Control
      • A control that acts to eliminate or reduce the likelihood that an attack can succeed
    ▪ Detective Control
      • A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion
    ▪ Corrective Control
      • A control that acts to eliminate or reduce the impact of an intrusion event
  o No single security control is invulnerable, so the efficiency of a control is instead measured by how long it delays an attack
  o In addition to preventative, detective, and corrective controls, there are other control types to take note of:
    ▪ Physical Control
      • A type of security control that acts against in-person intrusion attempts
    ▪ Deterrent Control
      • A type of security control that discourages intrusion attempts
    ▪ Compensating Control
      • A type of security control that acts as a substitute for a principal control
      • Not the top line, but gives you some protection
    ▪ Responsive Control
      • A system that actively monitors for potential vulnerabilities or attacks, and then takes action to mitigate them before they can cause damage
  o Firewall
    ▪ A system that monitors all incoming and outgoing network traffic and blocks traffic that is not allowed
  o Intrusion Prevention System (IPS)
    ▪ Devices that can monitor network traffic for patterns that indicate an intrusion is occurring, such as repeated failed logon attempts

Selecting Security Controls
  o How do you select the security controls you want to use?
    ▪ Make use of Confidentiality, Integrity, and Availability (CIA) to have proper coverage over each of those areas to make sure you're creating security for your system
      • None of these technologies can provide CIA alone, but combined they uphold the three tenets of security
  o How do you decide which security control you're actually going to apply?
    ▪ It depends on the risk
  o How can I mitigate this risk?
    ▪ Use Confidentiality, Integrity, and Availability (CIA): ask which part or parts you have controls for and how you can add controls for what you are missing, so that you cover all of them or mitigate what can't be covered.

Threat Intelligence
Objective 1.4: Compare and contrast threat-intelligence and threat-hunting concepts.

Security and Threat Intelligence
  o Security Intelligence
    ▪ The process where data is generated and is then collected, processed, analyzed, and disseminated to provide insights into the security status of information systems
  o Cyber Threat Intelligence
    ▪ Investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape
    ▪ 2 forms of cyber threat intelligence
      • Narrative Reports
      • Data Feeds
    ▪ You don't use narrative reports or data feeds... you use both!
  o Most security companies like McAfee, FireEye, Red Canary, and numerous others produce threat intelligence reports

Intelligence Cycle
  o Security intelligence is a process
  o Requirements (Planning & Direction)
    ▪ Sets out the goals for the intelligence gathering effort
    ▪ What do we want to measure and collect?
  o Collection (& Processing)
    ▪ Implemented by software tools to gather data which is then processed for later analysis
    ▪ The processing part is where we will convert all the data into a standard format
  o Analysis
    ▪ Performed against the given use cases from the planning phase and may utilize automated analysis, AI, and machine learning
    ▪ Sort into three categories
      • Known good
      • Known bad
      • Not sure
  o Dissemination
    ▪ Publishes information produced by analysts to consumers who need to act on the insights developed
      • Strategic
      • Operational
      • Tactical
  o Feedback
    ▪ Aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs
      • Lessons learned
      • Measurable success
      • Evolving threat issues

Intelligence Sources
  o Factors Used to Evaluate Sources
    ▪ Timeliness
      • Ensures an intelligence source is up-to-date
    ▪ Relevancy
      • Ensures an intelligence source matches its intended use case
    ▪ Accuracy
      • Ensures an intelligence source produces effective results
    ▪ Confidence Level
      • Ensures an intelligence source produces qualified statements about reliability
  o Example of a scale: the MISP Project codifies the use of the admiralty scale for grading data and estimative language
    ▪ Looks at the reliability of the data and the quality of the information content
    ▪ https://www.misp-project.org/
  o There are three general sources of information
    ▪ Proprietary
      • Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee
    ▪ Closed-Source
      • Data derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized
    ▪ Open-Source
      • Data that's available without subscription, which may include threat feeds, reputation lists, and malware signature databases
      • Different sources of open-source intelligence
        o US-CERT
        o UK's NCSC
        o AT&T Security (OTX)
        o MISP
        o VirusTotal
        o Spamhaus
        o SANS ISC Suspicious Domains
  o Threat feeds
    ▪ A form of explicit knowledge, but implicit knowledge from experienced practitioners is also useful
  o Open-Source Intelligence (OSINT)
    ▪ A method of obtaining information about a person or organization through public records, websites, and social media

Information Sharing and Analysis Centers (ISACs)
  o Information Sharing and Analysis Center (ISAC)
    ▪ A not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members
  o Cyber Security Information Sharing Partnership (CISP)
    ▪ Similar to an ISAC, but set up within the UK
  o ISACs exist in many areas including:
    ▪ Critical Infrastructure
      • Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these
      • ICS, SCADA, and embedded system threats are a main focus within critical infrastructure
    ▪ Government
      • Serves non-federal governments in the US, such as state, local, tribal and territorial governments
    ▪ Healthcare
      • Serves healthcare providers that are targets of criminals seeking blackmail and ransom opportunities by compromising patient data records or interfering with medical devices
    ▪ Financial
      • Serves the financial sector to prevent fraud and extortion of both the consumer and financial institutions
    ▪ Aviation
      • Serves the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems

Threat Intelligence Sharing
  o Risk Management
    ▪ Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact
  o Incident Response
    ▪ An organized approach to addressing and managing the aftermath of a security breach or cyberattack
  o Vulnerability Management
    ▪ The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities
  o Detection and Monitoring
    ▪ The practice of observing activity to identify anomalous patterns for further analysis

Classifying Threats
Objectives:
  1.3 - Given a scenario, use appropriate tools or techniques to determine malicious activity.
  1.4 - Compare and contrast threat-intelligence and threat-hunting concepts.
  2.3 - Given a scenario, analyze data to prioritize vulnerabilities.
  3.1 - Explain concepts related to attack methodology frameworks.

Threat Classification
  o Known Threats
    ▪ A threat that can be identified using basic signature or pattern matching
  o Malware
    ▪ Any software intentionally designed to cause damage to a computer, server, client, or computer network
  o Documented Exploits
    ▪ A piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data
  o Unknown Threats
    ▪ A threat that cannot be identified using basic signature or pattern matching
  o Zero-day Exploit
    ▪ An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong
  o Obfuscated Malware Code
    ▪ Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware
  o Behavior-based Detection
    ▪ A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior
  o Recycled Threats
    ▪ Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning
  o Known Unknowns
    ▪ A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection
  o Unknown Unknowns
    ▪ A classification of malware that contains completely new attack vectors and exploits

Threat Actors
  o Threat Actors
    ▪ Those who wish to harm networks or steal secure data
  o Hacker vs. Cracker in the media
    ▪ Crackers were hackers with malicious intent
    ▪ Hacker was the term for a computer enthusiast, but now the media portrays hackers as having malicious intent as well
  o Hat-based categories
    ▪ Black Hat Hacker: an unauthorized hacker (a criminal)
    ▪ White Hat Hacker: an ethical or authorized hacker
    ▪ Gray Hat Hacker: a semi-authorized hacker who sometimes acts as a good actor and sometimes as a bad one
  o Basic activities that hackers perform
    ▪ Social Media Profiling
    ▪ Social Engineering
    ▪ Network Scanning
    ▪ Fingerprinting
    ▪ Service Discovery
    ▪ Packet Capture
  o 8 main types of threat actors
    ▪ Script Kiddie
      • Uses other people's tools to conduct their attacks as they do not have the skills to make their own tools
      • Script kiddies often don't understand what they're doing
    ▪ Insider Threat
      • People who have authorized access to an organization's network, policies, procedures, and business practices
      • To prevent an insider threat, organizations need to have policies and enforcement technologies such as:
        o Data Loss Prevention
        o Internal Defenses
        o SIEM Search
      • 2 different types of insider threats
        o Intentional
          ▪ An actor who deliberately seeks to cause harm
        o Unintentional
          ▪ An actor who causes harm because of carelessness
      • A solid cybersecurity strategy to counter insider threats includes:
        o Employee Education and Training
        o Access Controls
        o Incident Response Plans
        o Regular Monitoring
    ▪ Competitor
      • A rogue business attempting to conduct cyber espionage against an organization
    ▪ Organized Crime
      • Focused on hacking and computer fraud to achieve financial gains
    ▪ Hacktivist
      • A politically-motivated hacker who targets governments or individuals to advance their political ideologies
    ▪ Nation-State
      • A group of attackers with exceptional capability, funding, and organization with an intent to hack a network or system
      • Conducts highly covert hacks over long periods of time
      • Not all APTs are nation-states, but almost all nation-states are going to be considered an APT
      • They're going to be inside of a victimized network for six to nine months
      • Many nation-states try to present themselves as a threat actor inside of the other groups, so they can maintain plausible deniability
      • A nation-state actor refers to a government or government-affiliated group that conducts cyber attacks
    ▪ Advanced Persistent Threat (APT)
      • An attacker that establishes a long-term presence on a network in order to gather sensitive information
      • The main goal of an APT is to harvest sensitive data, intellectual property, and other sensitive information
    ▪ Supply Chain Threats
  o Key difference between Nation-state and APT threat actors
    ▪ A nation-state is affiliated with a government
    ▪ An APT is a generic type of cyber attack that establishes a long-term presence

Malware
  o Commodity Malware
    ▪ Malicious software applications that are widely available for sale or easily obtainable and usable
    ▪ Targeted or custom malware is developed and deployed with a target in mind
    ▪ Identifying whether the malware is commodity or targeted can help determine the severity of an incident
  o Zero-day Vulnerability
    ▪ A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it
    ▪ Zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it
    ▪ Most adversaries will only use a zero-day vulnerability for high value attacks
  o Advanced Persistent Threat (APT)
    ▪ An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware
    ▪ APTs are considered a known unknown threat
  o Command and Control (C2)
    ▪ An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
  o APTs often target financial institutions, healthcare companies, and governments to get large PII data sets
  o Persistence
    ▪ The ability of a threat actor to maintain covert access to a target host or network

Threat Research
  o Reputation Data
    ▪ Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains
  o Indicator of Compromise (IoC)
    ▪ A residual sign that an asset or network has been successfully attacked or is continuing to be attacked
    ▪ Other Indicators of Compromise
      • Unauthorized software and files
      • Suspicious emails
      • Suspicious registry and file system changes
      • Unknown port and protocol usage
      • Excessive bandwidth usage
      • Rogue hardware
      • Service disruption and defacement
      • Suspicious or unauthorized account usage
    ▪ An IoC is evidence that an attack was successful
    ▪ Indicator of Attack (IoA)
      • A term used for evidence of an intrusion attempt that is in progress
  o Behavioral Threat Research
    ▪ A term that refers to the correlation of IoCs into attack patterns
    ▪ Tactics, Techniques, and Procedures (TTP)
      • Behavior patterns that were used in historical cyberattacks and adversary actions
        o DDoS
        o Viruses or Worms
        o Network Reconnaissance
        o APTs
        o Data Exfiltration
    ▪ Port Hopping
      • An APT's C2 application might use any port to communicate and may jump between different ports
    ▪ Fast Flux DNS
      • A technique that rapidly changes the IP address associated with a domain
    ▪ Data Exfiltration
      • The unauthorized transfer of data from a computer or other device

Attack Frameworks
  o 3 different attack frameworks
    ▪ Lockheed Martin Kill Chain
    ▪ MITRE ATT&CK Framework
    ▪ Diamond Model of Intrusion Analysis
  o Lockheed Martin Kill Chain
    ▪ Describes the stages by which a threat actor progresses a network intrusion
    ▪ Steps
      • Reconnaissance
        o The attacker determines what methods to use to complete the phases of the attack
      • Weaponization
        o The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
      • Delivery
        o The attacker identifies a vector by which to transmit the weaponized code to the target environment
      • Exploitation
        o The weaponized code is executed on the target system
      • Installation
        o This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
      • Command & Control (C2)
        o The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
      • Actions on Objectives
        o The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
    ▪ Kill Chain Analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage
  o MITRE ATT&CK Framework
    ▪ A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
    ▪ The pre-ATT&CK tactics matrix is an additional matrix that aligns to the reconnaissance and weaponization phases of the kill chain
  o Diamond Model of Intrusion Analysis
    ▪ A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
    (Figure: Basic view of the Diamond Model)
    (Figure: Details of how the Diamond Model can be used)
    (Figure: View of a tuple)
    (Figure: View of how the three models can be used individually or combined)

Indicator Management
  o Structured Threat Information eXpression (STIX)
    ▪ A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework
    ▪ STIX is expressed in JavaScript Object Notation (JSON) format that consists of attribute: value pairs
    ▪ STIX is built from high-level STIX domain objects (SDO) that contain multiple attributes and values
      • Observed Data
      • Indicator
      • Attack Pattern
      • Campaign and Threat Actors
      • Course of Action (COA)
    ▪ Exam Tip: STIX v1 used an XML-based format, but the exam only covers STIX v2
  o Trusted Automated eXchange of Indicator Information (TAXII)
    ▪ A protocol for supplying codified information to automate incident detection and analysis
    ▪ Subscribers obtain updates to the data for their analysis tools using TAXII
  o OpenIOC
    ▪ A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis
  o Malware Information Sharing Project (MISP)
    ▪ MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII
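The reputation data and indicators of compromise described under Threat Research are only useful once they are matched against what the SOC actually logs. The following is an added example, not code from the study notes or from Dion Training: a small Python matcher that applies a constructed reputation list (IP address ranges as CIDR blocks and DNS domains) to constructed firewall and DNS resolver log lines, and groups the hits by internal host for triage. The log format, field names, addresses (RFC 5737 documentation ranges) and domain names are all assumptions made for the example. It also goes slightly beyond the notes by handling the subdomain case: a listed domain matches its subdomains, but only on whole labels, so a lookalike such as notbadexample.test is not a hit for badexample.test.

```python
"""Match constructed log lines against reputation data (IP ranges and DNS domains).

Added example, not part of the study notes. Every indicator and log line here is
constructed: RFC 5737 documentation addresses and reserved .test/.invalid names.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed reputation list: CIDR ranges and domains (a listed domain also covers its subdomains).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BAD_DOMAINS = {"c2.badexample.test", "fastflux.invalid"}

# Constructed sample log: firewall connection events ("fw") and DNS resolver queries ("dns").
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw src=10.0.0.5 dst=198.51.100.44 dport=443 action=allow
2024-05-01T10:00:02Z dns client=10.0.0.5 query=www.c2.badexample.test type=A
2024-05-01T10:00:03Z fw src=10.0.0.9 dst=192.0.2.10 dport=80 action=allow
2024-05-01T10:00:04Z dns client=10.0.0.9 query=mail.internal.corp type=A
2024-05-01T10:00:05Z fw src=10.0.0.12 dst=203.0.113.7 dport=8443 action=allow
2024-05-01T10:00:06Z dns client=10.0.0.12 query=notbadexample.test type=A
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str     # internal host that produced the event
    observed: str   # the IP address or domain seen in the log
    indicator: str  # the reputation entry it matched


def parse_line(line):
    """Split a log line into (timestamp, event kind, {key: value})."""
    ts, kind, rest = line.split(" ", 2)
    return ts, kind, dict(KV_RE.findall(rest))


def ip_indicator(ip_text):
    """Return the CIDR entry that contains ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in BAD_NETWORKS:
        if ip in net:
            return str(net)
    return None


def domain_indicator(name):
    """Return the listed domain equal to name or a parent of it, or None.

    Matching walks whole labels from the right, so 'notbadexample.test'
    does not match 'badexample.test' the way a plain suffix check would.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None


def find_hits(log_text):
    """Scan every line; firewall lines are checked by destination IP, DNS lines by query name."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, fields = parse_line(line)
        if kind == "fw":
            ind = ip_indicator(fields["dst"])
            if ind:
                hits.append(Hit(ts, fields["src"], fields["dst"], ind))
        elif kind == "dns":
            ind = domain_indicator(fields["query"])
            if ind:
                hits.append(Hit(ts, fields["client"], fields["query"], ind))
    return hits


def hosts_of_concern(hits):
    """Group matched indicators by internal host, the unit an analyst triages."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h.source, set()).add(h.indicator)
    return by_host


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} host={h.source} observed={h.observed} matched={h.indicator}")
    print(hosts_of_concern(found))
```

On the constructed log this reports three hits: two for 10.0.0.5 (a connection into the listed /24 and a query under c2.badexample.test) and one for 10.0.0.12 (the listed single address). Because the notes warn that reputation data is never fully reliable, a hit is a reason to look at the host, not proof of compromise on its own.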
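To make the STIX description above concrete, here is an added example that is not part of the study notes and is not an OASIS or library API: a constructed STIX 2.1 bundle in the attribute: value JSON form the notes describe, containing an Indicator, an Attack Pattern, a Threat Actor and a Course of Action from the SDO list plus the relationship objects (SROs) that link them, together with helper functions of ours that validate the common properties every object must carry, pull out the detection patterns, and walk the relationships around a given object. The UUIDs, names, timestamps and the 203.0.113.7 address in the pattern are all constructed values.

```python
"""Parse a small STIX 2.1 bundle and walk the relationships between its objects.

Added example, not from the study notes or OASIS. The bundle is constructed for
illustration; the helpers are ours, not a STIX library API.
"""
import json
import re
from collections import defaultdict

# Every STIX object id is "<type>--<UUID>"; these common properties are required on SDOs and SROs.
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")

# Constructed bundle: one indicator, attack pattern, threat actor and course of action, plus 3 SROs.
STIX_BUNDLE_JSON = """{
 "type": "bundle", "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
 "objects": [
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--8e2e2d2b-17d4-4dbf-b06b-6d2a7d8f9c10",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
   "name": "Constructed C2 address", "indicator_types": ["malicious-activity"],
   "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix", "valid_from": "2024-05-01T00:00:00Z"},
  {"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3b1a0d36-5c0e-4c4e-8f0b-1f4b5b8f0a11",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "name": "Application layer C2 channel"},
  {"type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--c4f2a2e1-3a7d-4f9c-9b0a-2d6e1c8f7a22",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "name": "Constructed Actor"},
  {"type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--9a7b6c5d-4e3f-4a1b-8c9d-0e1f2a3b4c33",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "name": "Block egress to the listed address"},
  {"type": "relationship", "spec_version": "2.1", "id": "relationship--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c44",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "relationship_type": "indicates",
   "source_ref": "indicator--8e2e2d2b-17d4-4dbf-b06b-6d2a7d8f9c10", "target_ref": "attack-pattern--3b1a0d36-5c0e-4c4e-8f0b-1f4b5b8f0a11"},
  {"type": "relationship", "spec_version": "2.1", "id": "relationship--2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d55",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "relationship_type": "uses",
   "source_ref": "threat-actor--c4f2a2e1-3a7d-4f9c-9b0a-2d6e1c8f7a22", "target_ref": "attack-pattern--3b1a0d36-5c0e-4c4e-8f0b-1f4b5b8f0a11"},
  {"type": "relationship", "spec_version": "2.1", "id": "relationship--3c4d5e6f-7a8b-4c9d-0e1f-2a3b4c5d6e66",
   "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "relationship_type": "mitigates",
   "source_ref": "course-of-action--9a7b6c5d-4e3f-4a1b-8c9d-0e1f2a3b4c33", "target_ref": "attack-pattern--3b1a0d36-5c0e-4c4e-8f0b-1f4b5b8f0a11"}
 ]
}"""


def load_bundle(text):
    """Parse the JSON and make sure the outer object is a bundle."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or "objects" not in bundle:
        raise ValueError("not a STIX bundle")
    return bundle


def validate_object(obj):
    """Return a list of problems with the common properties an SDO/SRO must carry."""
    problems = [f"missing {p}" for p in COMMON_REQUIRED if p not in obj]
    m = ID_RE.match(obj.get("id", ""))
    if not m:
        problems.append("id is not <type>--<uuid>")
    elif m.group(1) != obj.get("type"):
        problems.append("id prefix does not match type")
    return problems


def index_by_id(bundle):
    return {o["id"]: o for o in bundle["objects"]}


def objects_of_type(bundle, stix_type):
    return [o for o in bundle["objects"] if o["type"] == stix_type]


def neighbours(bundle, object_id):
    """Map relationship type to the names of objects linked to object_id; incoming links get '(reverse)'."""
    ids = index_by_id(bundle)
    links = defaultdict(list)
    for r in objects_of_type(bundle, "relationship"):
        if r["source_ref"] == object_id:
            links[r["relationship_type"]].append(ids[r["target_ref"]]["name"])
        elif r["target_ref"] == object_id:
            links[r["relationship_type"] + "(reverse)"].append(ids[r["source_ref"]]["name"])
    return dict(links)


def detection_patterns(bundle):
    """Collect (pattern_type, pattern) from every indicator; this is what detection tooling consumes."""
    return [(i["pattern_type"], i["pattern"]) for i in objects_of_type(bundle, "indicator")]


def summarize(bundle):
    """Count objects per STIX type."""
    counts = defaultdict(int)
    for o in bundle["objects"]:
        counts[o["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    b = load_bundle(STIX_BUNDLE_JSON)
    print(summarize(b))
    print(detection_patterns(b))
    print(neighbours(b, "attack-pattern--3b1a0d36-5c0e-4c4e-8f0b-1f4b5b8f0a11"))
```

Starting from the attack pattern, the walk shows the three directions an analyst cares about: which indicator points at it, which actor uses it, and which course of action mitigates it. A TAXII feed delivers bundles of exactly this shape, so the same helpers apply to subscribed data once it has been fetched.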
(Study Notes) Threat Hunting Objectives: 1.3 - Given a scenario, use appropriate tools or techniques to determine malicious activity. 1.4 - Compare and contrast threat-intelligence and threat-hunting concepts. 2.5 - Explain concepts related to vulnerability response, handling, and management. Threat Modeling o Things to consider when determining what level of risk exists ▪ How can the attack be performed? ▪ What is the potential impact to the confidentiality, integrity, and availability of the data? ▪ How likely is the risk to occur? ▪ What mitigations are in place? o Threat Modeling ▪ the process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system ▪ You need to consider both the defender’s point of view and the attacker’s point of view ▪ Threat modeling can be used against corporate networks in general at a large scale 36 https://www.DionTraining.com CompTIA CySA+ (CS0-003) (Study Notes) o Main Areas to consider ▪ Adversary Capability a formal classification of the resources and expertise available to a threat actor Types of capabilities o Acquired and augmented o Developed o Advanced o Integrated ▪ Attack Surface the point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor Areas to consider when modeling your attack surfaces o The holistic network o Websites or cloud-services o Custom software applications ▪ Attack Vector a specific path by which a threat actor gains unauthorized access to a system Types of Attack Vectors o Cyber o Human o Physical 37 https://www.DionTraining.com CompTIA CySA+ (CS0-003) (Study Notes) o Additional considerations ▪ Likelihood is the chance of a threat being realized which is usually expressed as a percentage ▪ Impact is the cost of a security incident or disaster scenario which is usually expressed in cost (dollars) Threat Hunting o Threat Hunting ▪ A 
cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring ▪ It is potentially less disruptive than penetration testing o Steps ▪ Hypothesis derived from the threat modeling and is based on potential events with higher likelihood and higher impact ▪ Profiling Threat Actors and Activities Involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be o Threat hunting relies on the use of the tools developed for regular security monitoring and incident response o You need to assume that these existing rules have failed when you are threat hunting o Example of a process for threat hunting ▪ Analyze network traffic ▪ Analyze the executable process list 38 https://www.DionTraining.com CompTIA CySA+ (CS0-003) (Study Notes) ▪ Analyze other infected hosts ▪ Identify how the malicious process was executed o Threat hunting consumes a lot of resources and time to conduct, but can yield a lot of benefits, like: ▪ Improve detection capabilities ▪ Integrate intelligence ▪ Reduce attack surface ▪ Block attack vectors ▪ Identify critical assets Open-Source Intelligence (OSINT) o Open-Source Intelligence (OSINT) ▪ Publicly available information plus the tools used to aggregate and search it o OSINT can allow an attacker to develop any number of strategies for compromising a target ▪ Publicly Available Information ▪ Social Media ▪ Dating Sites ▪ HTML Code ▪ Metadata Google Hacking o Google Hacking ▪ Open-source intelligence techniques that uses Google search operators to locate vulnerable web servers and applications 39 https://www.DionTraining.com CompTIA CySA+ (CS0-003) (Study Notes) o Methods ▪ Quotes “ ” Use double quotes to specify an exact phrase and make a search more precise ▪ NOT Use the minus sign in front of a word or quoted phrase to exclude results that contain that string ▪ AND/OR Use these logical operators to require both search terms 
(AND) or to require either search term (OR)
    ▪ Scope
        Different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor
    ▪ URL Modifier
        Modifiers that can be added to the results page URL to affect the results, such as &pws=0, &filter=0, and &tbs=li:1
  o The Google Hacking Database (GHDB) provides a database of search strings optimized for locating vulnerable websites and services
  o Shodan (shodan.io)
    ▪ A search engine optimized for identifying vulnerable Internet-attached devices

Profiling Techniques
  o Email Harvesting
    ▪ An Open-Source Intelligence (OSINT) technique used to gather email addresses for a domain
  o Once a list has been created, it can be used in social engineering attempts
    ▪ Pipl.com
    ▪ Peekyou.com
    ▪ Echosec.net
  o The Harvester (theHarvester)
    ▪ A command line tool used by penetration testers to collect email addresses, subdomains, and host names for a target domain from public sources

Harvesting Techniques
  o whois
    ▪ A public listing of all registered domains and their registered administrators
  o DNS Zone Transfer
    ▪ A method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack
    ▪ If your DNS service is misconfigured, a DNS zone transfer could be allowed to any requester, handing an attacker every record in the zone
  o DNS Harvesting
    ▪ Using Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on
  o Website Harvesting
    ▪ A technique used to copy the source code of website files to analyze for information and vulnerabilities

AbuseIPDB
  o AbuseIPDB
    ▪ A community-driven database that keeps track of IP addresses reported for abusive behavior
  o Benefits for organizations
    ▪ It enables the organization to take a proactive approach to its cybersecurity
    ▪ The database is constantly being updated with new information from a global community of users
    ▪ The organization
can also use AbuseIPDB to check the IP addresses in its logs for any suspicious activity
    ▪ Individuals can also benefit by using this database
  o The information in AbuseIPDB is not considered to be 100% reliable
    ▪ It’s important that you combine AbuseIPDB with other security measures rather than blocking on its reports alone

Deep Web and Dark Web
  o The deep web and the dark web are both parts of the Internet that are not easily accessible through traditional search engines
  o Deep Web
    ▪ Portion of the Internet not indexed by search engines, which includes private databases, subscription-based websites, and other content that is not publicly accessible
        Medical and Scientific Research
        University Libraries
        Government Databases
    ▪ The deep web can contain sensitive information that is not meant to be searchable by the general public
    ▪ Can be used as a source of information to gather intelligence on potential threats
  o Dark Web
    ▪ Refers to a specific part of the deep web that's used for illegal activities, such as the buying and selling of drugs, weapons, and stolen personal information, such as credit card data
    ▪ The dark web is considered a criminal haven and a high-risk area where hacking and illicit activities occur
    ▪ Accessing the dark web without proper knowledge and precautions can put the user at risk of encountering illegal activities, malware, or being targeted by cyber criminals
    ▪ Can be used to monitor for stolen data or information related to the organization
    ▪ Can also be used to track the activities of known or suspected cybercriminal groups, to identify any patterns or trends in their methods and techniques
    ▪ Can also track the prices and availability of tools and services commonly used in cyber attacks
    ▪ Monitors for stolen data and tracks the
activities of cybercriminals

Bug Bounty
  o Bug Bounty
    ▪ A way for companies to crowdsource security testing of their software, services, and applications to identify and address potential security issues
  o Ways to participate
    ▪ You can participate in your own company by finding and reporting problems in your own systems
    ▪ You can use bug bounties to show your skills and gain recognition in the cybersecurity community
  o You should approach testing in a responsible and ethical manner, avoiding harm or disruption to systems, applications, or services
    ▪ Obtain the necessary permissions (legal agreements like NDAs) and use a robust system for tracking, triaging, and remediating vulnerabilities
    ▪ Register with the company's program ahead of time and stay within its published scope, otherwise you could be treated as a malicious hacker

Network Forensics
Objective 1.3: Given a scenario, use appropriate tools or techniques to determine malicious activity.

Network Forensics Tools
  o Network traffic must be captured and its data frames decoded before it can be analyzed
  o Switched Port Analyzer (SPAN)
    ▪ Allows for the copying of ingress and/or egress communications from one or more switch ports to another
  o Packet Sniffer
    ▪ A piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device
  o A network sniffer should be placed inside a firewall or close to an important server
  o tcpdump
    ▪ A data-network packet analyzer computer program that runs under a command line interface
    ▪ It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
  o Wireshark
    ▪ A free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education

Flow Analysis
  o Full Packet
Capture (FPC)
    ▪ Captures the entire packet, including the header and the payload, for all traffic entering and leaving a network
  o Flow Collector
    ▪ A means of recording metadata and statistics about network traffic rather than recording each frame
  o Flow analysis tools provide network traffic statistics sampled by a collector
    ▪ NetFlow
        A Cisco-developed means of reporting network flow information to a structured database
        Gathers:
          Network protocol interface
          Version and type of IP
          Source and destination IP
          Source and destination port
          IP type of service
        NetFlow provides metadata, while packet captures provide a complete record of what occurred
    ▪ Zeek (Bro)
        A hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest
        Zeek performs normalization on the data
        Stores data as tab-delimited or JavaScript Object Notation (JSON) formatted text files
    ▪ Multi Router Traffic Grapher (MRTG)
        A tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP)

IP and DNS Analysis
  o Malware used to be configured to contact a specific static IP or DNS name hard-coded in its code
  o Known-bad IP Addresses
    ▪ An IP address or range of addresses that appears on one or more block lists
    ▪ Reputation-based risk intelligence is used to create IP/URL block lists
    ▪ Attackers now use domain generation algorithms to overcome block lists
  o Domain Generation Algorithm (DGA)
    ▪ A method used by malware to evade block lists by dynamically generating domain names for C2 networks
    ▪ 5 steps attackers use
        Attacker sets up one or more dynamic DNS (DDNS) services
        Malware code implements a DGA to create a list of new domain names
        A parallel DGA is used to create name records on the DDNS service
        The malware tries a selection of the domains it has created to connect to C2
        C&C server
communicates with a new seed for the DGA to prevent being blocked
    ▪ Fast Flux Network
        A method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records, often used alongside domain generation algorithms
    ▪ If you get a high rate of NXDOMAIN errors when resolving DNS, it could be an indicator of a DGA, since the malware tries many candidate domains and most of them were never registered
  o Secure Recursive DNS Resolver
    ▪ Occurs when one trusted DNS server communicates with several other trusted DNS servers to hunt down an IP address and returns it to the client

URL Analysis
  o URL Analysis
    ▪ An activity that is performed to identify whether a link is already flagged on an existing reputation list and, if not, to identify what malicious script or activity might be coded within it
    ▪ Use tools for
        Resolving percent encoding
        Assessing redirection of the URL
        Showing source code for scripts in the URL
  o HTTP Method
    ▪ A set of request methods to indicate the desired action to be performed for a given resource
    ▪ A request contains a method, a resource, a version number, the header, and the body of the request
    ▪ HTTP Methods
        GET
          The principal method used with HTTP; used to retrieve a resource
        POST
          Used to send data to the server for processing by the requested resource
        PUT
          Creates or replaces the requested resource
        DELETE
          Used to remove the requested resource
        HEAD
          Retrieves the headers for a resource only and ignores the body
  o Characters
    ▪ Data submitted via a URL is delimited by the ‘?’ character
    ▪ Query parameters are usually formatted as one or more name=value pairs with ampersands (&) delimiting each pair
    ▪ A ‘#’ is used to indicate a fragment or anchor ID and is not processed by the webserver
    ▪ Example: http://diontraining.com/upload.php?post=%3Cscript%3E%27http%3A%2F%2Fabc123.com%2Frat%2Ejs
  o HTTP Response Codes
    ▪ The header value returned by a server when a client
requests a URL
    ▪ Common HTTP Response Codes
        200
          Indicates a successful GET or POST request (OK)
        201
          Indicates that a PUT request has succeeded in creating a resource
        3xx
          Any code in this range indicates that a redirect has been issued by the server
        4xx
          Any code in this range indicates an error in the client request
        400
          Indicates that a request could not be parsed by the server
        401
          Indicates that a request did not supply authentication credentials
        403
          Indicates that a request did not have sufficient permissions
        404
          Indicates that a client requested a non-existent resource
        5xx
          Any code in this range indicates a server-side issue
        500
          Indicates a general error on the server side of the application
        502
          Indicates a bad gateway has occurred when the server is acting as a proxy
        503
          Indicates that overloading of the server is causing service unavailability
        504
          Indicates a gateway timeout, meaning an issue with the upstream server
  o Percent Encoding
    ▪ A mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding
    ▪ A URL can contain only unreserved and reserved characters from the ASCII set
    ▪ Unreserved Characters
        a-z A-Z 0-9 - .
_ ~
    ▪ Reserved Characters
        : / ? # [ ] @ ! $ & ' ( ) * + , ; =
    ▪ A URL cannot contain unsafe characters
        Null string termination, carriage return, line feed, end of file, tab, space, and \ < > { }
    ▪ Percent encoding allows a user-agent to submit any safe or unsafe character (or binary data) to the server within the URL
  o WARNING
    ▪ Percent encoding can be misused to obfuscate the nature of a URL (encoding unreserved characters) and submit malicious input as a script or binary or to perform directory traversal
    ▪ Some really tricky attackers may double-encode the URL by encoding the percent sign, too (%25 decodes to %, so a single decoding pass still leaves the payload hidden)
    ▪ Example: http://diontraining.com/upload.php?post=%3Cscript%3E%27http%3A%2F%2Fabc123.com%2Frat%2Ejs

Appliance Monitoring
Objectives:
1.1 - Explain the importance of system and network concepts in security operations.
1.3 - Given a scenario, use appropriate tools or techniques to determine malicious activity.
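The URL Analysis and Percent Encoding notes above describe resolving percent encoding, checking for redirection, and the double-encoding trick. The following Python script is an added example written for these notes; it is not code from the study guide or from any tool it names. It decodes a URL layer by layer, flags encoded unreserved characters, script tags, directory traversal and redirect parameters, and checks every host it finds against a reputation block list. The block list, the redirect parameter names, and the sample URLs (other than the guide's own upload.php example) are constructed assumptions for this example.

```python
"""Added example for the URL Analysis notes: decode and triage a URL.
Not from the study guide; block list, parameter names and samples are
constructed assumptions for the example."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed stand-in for a reputation feed such as AbuseIPDB or a URL block list.
KNOWN_BAD_HOSTS = {"abc123.com", "evil.example"}

# RFC 3986 unreserved characters never need encoding; if they arrive encoded,
# someone is hiding what the URL says (e.g. %2E for '.').
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")

# Query parameter names that commonly carry a redirect target (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "next", "return", "goto", "dest"}

EMBEDDED_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def decode_layers(url, max_rounds=5):
    """Resolve percent encoding until the text stops changing.

    Returns every layer seen: layers[0] is the raw URL and layers[-1] is
    fully decoded, so a double-encoded URL yields three layers."""
    layers = [url]
    while len(layers) <= max_rounds:
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def encoded_unreserved(s):
    """Return the unreserved characters that were needlessly percent-encoded."""
    found = []
    for hexpair in re.findall(r"%([0-9A-Fa-f]{2})", s):
        ch = chr(int(hexpair, 16))
        if ch in UNRESERVED:
            found.append(ch)
    return found


def analyze_url(url):
    """Return the fully decoded URL plus a sorted list of findings."""
    own_host = (urlsplit(url).hostname or "").lower()
    layers = decode_layers(url)
    decoded = layers[-1]
    findings = set()
    if own_host in KNOWN_BAD_HOSTS:
        findings.add("host_on_block_list")
    if len(layers) > 2:                       # needed more than one decode pass
        findings.add("double_encoded")
    if any(encoded_unreserved(layer) for layer in layers):
        findings.add("encoded_unreserved_chars")
    lowered = decoded.lower()
    if "<script" in lowered:
        findings.add("script_tag_in_url")
    if "../" in lowered or "..\\" in lowered:
        findings.add("directory_traversal")
    # Redirect-style parameters are judged on the decoded query string.
    for name, _value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if name.lower() in REDIRECT_PARAMS:
            findings.add(f"redirect_param:{name}")
    # Any other host mentioned anywhere in the decoded URL is a second destination.
    for host in EMBEDDED_HOST.findall(decoded):
        host = host.lower()
        if host != own_host:
            findings.add(f"external_host:{host}")
            if host in KNOWN_BAD_HOSTS:
                findings.add("embedded_host_on_block_list")
    return {"url": url, "decoded": decoded, "decode_rounds": len(layers) - 1,
            "findings": sorted(findings)}


# Constructed samples: the first is the guide's own illustration, the rest are made up here.
SAMPLES = [
    "http://diontraining.com/upload.php?post=%3Cscript%3E%27http%3A%2F%2Fabc123.com%2Frat%2Ejs",
    "http://diontraining.com/download.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "http://diontraining.com/login?next=https%3A%2F%2Fevil.example%2Fphish",
    "http://diontraining.com/search?q=cysa%20study%20guide",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze_url(sample)
        print(result["findings"] or "clean", "<-", result["decoded"])
```

Note that the guide's own example trips the obfuscation check because it encodes the dot in rat.js (%2E), an unreserved character that never needs encoding, and that the traversal sample is only recognised after the second decoding pass.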
Firewall Logs
  o Access Control List (ACL)
    ▪ A list of permitted and denied network connections based on IP addresses, ports, or applications in use
  o Firewall logs can provide you with four types of useful security data
    ▪ Connections that are permitted or denied
    ▪ Port and protocol usage in the network
    ▪ Bandwidth utilization with the duration and volume of usage
    ▪ An audit log of the address translations (NAT/PAT) that occurred
  o Firewall log formats are usually vendor specific
  o Most common tools
    ▪ iptables
        A Linux-based firewall that uses the syslog file format for its logs
    ▪ Windows Firewall
        A Windows-based firewall that uses the W3C Extended Log File Format
  o You should employ a log collection tool to gather the large volume of firewall logs for later analysis
  o Blinding Attack
    ▪ A condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
  o Log retention is determined by the number of events generated and available storage capacity

Firewall Configurations
  o Firewalls are an essential part of a layered defense strategy
  o Screened Subnet
    ▪ A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network like the Internet
  o ACLs are processed from top to bottom and the first matching rule wins, so the most specific rules belong at the top
  o Basic principles for configuring firewall ACLs
    ▪ Block incoming requests from internal or private, loopback, and multicast IP address ranges
    ▪ Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc.)
    ▪ Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only
  o Drop Versus Reject
    ▪ A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable to the requester
    ▪
Dropping traffic makes it harder for an adversary to identify port states accurately
  o Firewalking
    ▪ Reconnaissance technique to enumerate firewall configuration and attempt to probe hosts behind it
    ▪ Firewalking occurs when an attacker finds an open port on the firewall, then sends packets with a TTL of one past the firewall to find the hosts behind it
    ▪ Block outgoing ICMP status messages to prevent firewalking
  o Egress Filtering
    ▪ ACL rules that are applied to traffic leaving a network to prevent malware from communicating with Command-and-Control servers
  o Best practices for configuring egress filters
    ▪ Only allow whitelisted application ports and destination addresses
    ▪ Restrict DNS lookups to trusted and authorized DNS services
    ▪ Block access to known bad IP address ranges (block list)
    ▪ Block all Internet access from host subnets that don’t use it (e.g., ICS/SCADA)
  o While all these best practices will help, they cannot eliminate all malware C2, since many operate over social media and cloud-based HTTPS connections
  o Black Hole
    ▪ A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic
    ▪ Blackholing can be used to stop a DDoS attack at the routing layer by sending traffic to the null interface
    ▪ Blackholing consumes fewer resources than an ACL but can cause collateral damage for legitimate users
  o Dark Nets
    ▪ Unused physical network ports or unused IP address space within a local network, often used by attackers
    ▪ Redirect all dark nets to a black hole until they are needed for business operations
  o Sinkhole
    ▪ A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis
    ▪ Sinkholing is better than blackholing if you want to determine the cause of the DDoS attack

Proxy Logs
  o Forward Proxy
    ▪ A server that mediates the communications
between a client and another server, can filter or modify communications, and provides caching services to improve performance
  o Nontransparent Proxy
    ▪ A server that redirects requests and responses for clients configured with the proxy address and port
  o Transparent Proxy (Forced or Intercepting Proxy)
    ▪ A server that redirects requests and responses without the client being explicitly configured to use it
  o Analysis of proxy logs can reveal the exact nature of HTTP requests, including the websites that users visit and the contents of each request
  o Proxies that are set up to intercept or block traffic can record the rule that a request matched to determine an employee's intent
  o Reverse Proxy
    ▪ A type of proxy server that protects servers from direct contact with client requests
    ▪ Logs from a reverse proxy can be analyzed for indicators of attack or compromise, such as malicious code in HTTP request headers and URLs

Web Application Firewall Logs
  o Web Application Firewall (WAF)
    ▪ A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
    ▪ Web application firewalls are used to prevent web-based exploits and vulnerabilities like SQL injection, XML injection, and cross-site scripting (XSS) attacks
  o Many web application firewalls use JavaScript Object Notation (JSON) format to store their logs, which typically record
    ▪ Time of the event
    ▪ Severity of the event
    ▪ URL parameters
    ▪ HTTP method used
    ▪ Context for the rule

IDS and IPS Configuration
  o Intrusion Detection System (IDS)
    ▪ A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress
  o What is the difference between an IDS and IPS?
    ▪ An IPS is an IDS that can actively block an attack
  o Intrusion Prevention System (IPS)
    ▪ A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress and can actively block the attacks
  o Common IPSs
    ▪ Snort (snort.org)
        Open-source software available for Windows and selected Linux distributions that can operate in IDS or IPS mode
        Oinkcode
          A registration code that lets you download the latest Snort rule sets covering current threats
    ▪ Zeek (zeek.org)
        An open-source IDS for UNIX/Linux platforms that contains a scripting engine which can be used to act on significant events (notices) by generating an alert or implementing some sort of shunning mechanism
    ▪ Security Onion (securityonion.net)
        An open-source Linux-based platform for security monitoring, incident response, and threat hunting that bundles Snort, Suricata, Zeek, Wireshark, and NetworkMiner with log management and incident management tools

IDS and IPS Logs
  o A log entry is created every time a rule is matched in an IDS or IPS
  o IDS/IPS software provides many options for outputting log entries
    ▪ Snort output formats
        Unified output
        Syslog
        Comma Separated Values (CSV)
        Tcpdump (pcap)
        Input into a SIEM
  o Alerts should be monitored in real time to determine if an incident occurred
  o An IDS/IPS uses predefined rule signatures to match traffic that security experts have identified as malicious
    ▪ Analysts may create custom rules for their specific organizational needs
  o Snort Rule Format
    ▪ Action Protocol SourceIP SourcePort Direction DestinationIP DestinationPort (RuleOption; RuleOption;...)
    ▪ Action field is usually set to alert, but other options include log, pass (ignore), drop, and reject
    ▪ Source and destination addresses and ports are usually set to a keyword (any) or a variable ($EXTERNAL_NET or $HOME_NET) but can also be a static value
    ▪ Direction can be unidirectional (->) or bidirectional (<>)
    ▪ Example (the Snort community rule with sid 2273): alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP logon brute force attempt"; flow:to_server,established,no_stream; content:"LOGON"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-logon; sid:2273; rev:12;)
        This rule alerts when one internal IMAP server (port 143) receives more than 30 LOGON commands from external hosts within 30 seconds

Port Security Configuration
  o Port Security
    ▪ The blocking of unauthorized application service ports on hosts and firewalls, or the physical and remote access ports used to allow a host to communicate on the local network
  o Appliances such as switches, routers, and firewalls are subject to software vulnerabilities and patching shortfalls in the same way as servers
    ▪ Many network appliances are still running vulnerable, outdated, or unpatched versions of the Linux kernel
    ▪ Disable web administrative interfaces and use SSH instead for increased security
  o Best practices to secure network appliances
    ▪ Use ACLs to restrict access to designated host devices
    ▪ Monitor the number of designated interfaces
    ▪ Deny Internet access to remote management
  o If rogue devices are found on your network, enforce port security
  o Types of Port Security
    ▪ Physical Port Security
        Physical access to the switch ports and switch hardware should be restricted to authorized staff
    ▪ MAC Filtering
        Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it
    ▪ Network Access Control (NAC)
        A general term for the collected protocols, policies, and hardware that authenticate and
authorize access to a network at the device level

NAC Configuration
  o Network Access Control (NAC)
    ▪ Provides the means to authenticate users and evaluate device integrity before a network connection is permitted
  o 802.1X
    ▪ A standard for encapsulating EAP (Extensible Authentication Protocol) communications over a LAN or wireless LAN
    ▪ Provides port-based authentication
  o Port-based NAC
    ▪ A switch (or router) that performs some sort of authentication of the attached device before activating the port
    ▪ A broader NAC solution allows administrators to devise policies or profiles describing a minimum-security configuration that devices must meet before being granted network access
  o Key Features of a NAC solution
    ▪ Posture Assessment
        The process of assessing the endpoint for compliance with the health policy
    ▪ Remediation
        The process and procedures that occur if a device does not meet the minimum-security profile
    ▪ Pre- and Post-admission Control
        The point at which client devices are granted or denied access based on their compliance with a health policy
        An endpoint health policy is just one of the rule-based methods of granting or denying access
  o Other features that can be used
    ▪ Time-based
        Defines access periods for given hosts using a time-based ACL
    ▪ Location-based
        Evaluates the location of the endpoint requesting access using geolocation of its IP, GPS, or other mechanisms
    ▪ Role-based
        NAC method that re-evaluates a device's authorization when it is used to do something (also called adaptive NAC)
    ▪ Rule-based
        A complex admission policy that enforces a series of rules which are written as logical statements (IF.... AND.... OR)

Endpoint Monitoring
Objectives:
1.1 - Explain the importance of system and network concepts in security operations.
1.3 - Given a scenario, use appropriate tools or techniques to determine malicious activity.

Endpoint Analysis
  o Antivirus (AV)
    ▪ Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and others
  o Host-based IDS/IPS (HIDS/HIPS)
    ▪ A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint
  o Endpoint Protection Platform (EPP)
    ▪ A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption
  o Endpoint Detection and Response (EDR)
    ▪ A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats
  o User and Entity Behavior Analytics (UEBA)
    ▪ A system that can provide automated identification of suspicious activity by user accounts and computer hosts
    ▪ UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning (ML)
  o Many companies are now marketing advanced threat protection (ATP), advanced endpoint protection (AEP), and NextGen AV (NGAV), which are hybrids of EPP, EDR, and UEBA

Sandboxing
  o Sandboxing
    ▪ A computing environment isolated from a host system to guarantee that the environment runs in a controlled, secure fashion and that communication links between the sandbox and the host are usually completely prohibited
    ▪ Used to
        Determine if the file is malicious
        Determine effects on the system
        Identify dependencies
  o Sandboxing allows you to quickly test malware in multiple environments
  o Features of sandboxing tools
    ▪ Monitor system changes
    ▪ Execute known malware
    ▪ Identify process changes
    ▪ Monitor network activity
    ▪ Monitor system calls
    ▪ Create snapshots
    ▪ Record file
creation/deletion
    ▪ Dump the virtual machine’s memory
  o The sandbox host (virtual machine) should not be used for any other purpose except malware analysis
  o Common Sandbox Tools
    ▪ FLARE VM
        Allows you to run a Windows binary on the system and see what its status is and all the different changes the malware is making
    ▪ Cuckoo
        Allows you to automatically run different malware samples and see what they do inside of a Linux, Windows, or Mac environment
    ▪ Joe Sandbox
        Allows a security researcher or cybersecurity analyst to analyze and understand the behavior of malware samples in a safe and controlled environment
        Joe Sandbox emulates the environment of a real computer and allows malware samples to be run and analyzed in a safe and isolated environment
        One of the key features of Joe Sandbox is its ability to detect and analyze malware across multiple platforms, including Windows, Mac OS, Linux, and Android
        Joe Sandbox provides a user-friendly interface to easily view and analyze the data collected from these malware samples
        Another important feature of Joe Sandbox is the ability to automatically classify malware based on its behavior
  o For complex analysis, you may need to create a honeypot lab with multiple sandboxed machines and Internet access to study malware and its C2

Reverse Engineering
  o Reverse Engineering
    ▪ The process of analyzing the structure of hardware or software to reveal more about how it functions
  o A malware reverse engineer can sometimes attribute code to its author by learning the author's patterns
    ▪ Malware writers often obfuscate the code before it is assembled or compiled to prevent analysis
  o Disassembler
    ▪ A computer program that translates machine language into assembly language
    ▪ Machine Code
        The binary code executed by the processor, typically represented as 2 hex digits for each byte
    ▪ File Signature (or Magic Number)
        The first bytes of a binary file's header, which indicate its file type
        A Windows portable executable file (EXE, DLL, SYS, or DRV) always starts with the two bytes 4D 5A in hex, which is MZ in ASCII or TV in Base64 encoding
    ▪ Assembly Code
        The native processor instructions used to implement the program
  o Decompiler
    ▪ Software that translates a binary or low-level machine language code into higher-level code
    ▪ High-level Code
        Real or pseudocode in human-readable form that makes it easier to identify functions, variables, and programming logic used in the code
  o Reverse engineers attempt to identify malware by finding strings to use as a signature for rule-based detection
    ▪ Strings
        Any sequence of encoded characters that appears within the executable file
        If the malware contains a string with a function called InternetOpenUrl and another string that is a URL, you can reasonably guess that it probably attempts to download something from that web address
        The Strings tool will dump all strings with more than three characters in ASCII or Unicode encoding
  o Program Packer
    ▪ A method of compression in which an executable is mostly compressed and the part that isn’t compressed contains the code to decompress the executable
    ▪ A packed program is a type of self-extracting archive
  o REMEMBER: Just because a program is packed, that doesn’t mean it is malicious, since much proprietary software also uses packing to deter theft and piracy
  o Until it is unpacked, packed malware can mask string literals and effectively modify its signatures to avoid triggering signature-based scanners

Malware Exploitation
  o Exploit Technique
    ▪ Describes the specific method by which malware code infects a target host
  o Most modern malware uses fileless techniques to avoid detection by signature-based security software
  o How does an APT use modern malware to
operate?
    ▪ Dropper or downloader
    ▪ Maintain access
    ▪ Strengthen access
    ▪ Actions on objectives
    ▪ Concealment
  o Dropper
    ▪ Malware designed to install or run other types of malware embedded in a payload on an infected host
  o Downloader
    ▪ A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper
  o Shellcode
    ▪ Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
  o EXAM TIP
    ▪ Shellcode originally referred to malware code that would give the attacker a shell (command prompt) on the target system, but for the exam use the more generic definition provided previously
  o Code Injection
    ▪ Exploit technique that runs malicious code with the identification number of a legitimate process
    ▪ Other techniques
        Masquerading
        DLL Injection
        DLL Sideloading
        Process Hollowing
  o Droppers are likely to implement anti-forensics techniques to prevent detection and analysis
  o Living Off the Land
    ▪ Exploit techniques that use standard system tools and packages to perform intrusions
    ▪ Detection of an adversary is more difficult when they are executing malware code within standard tools and processes

Behavioral Analysis
  o Threat hunting and security monitoring must use behavioral-based techniques to identify infections
  o Sysinternals
    ▪ A suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues
    ▪ Process Explorer can filter out legitimate activity (known-good) to look for signs of anomalous behavior
    ▪ You must first understand what legitimate processes are used by a system to identify the suspicious ones
  o Legitimate processes
    ▪ System Idle (PID 0) and System (PID 4)
        Kernel-level processes; System is the parent of the first user-mode
process (Session Manager SubSystem – smss.exe)
    ▪ Client Server Runtime SubSystem (csrss.exe)
        Manages low-level Windows functions, and it is normal to see several of these running (as long as they are launched from %SystemRoot%\System32 and have no parent)
    ▪ WININIT (wininit.exe)
        Manages drivers and services and should only have a single instance running as a process
    ▪ Services.exe
        Hosts nonboot drivers and background services; there should only be one instance of services.exe, running as a child of wininit.exe, with other service processes showing as children of services.exe or svchost.exe
        Services will be started by the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts
    ▪ Local Security Authority SubSystem (lsass.exe)
        Handles authentication and authorization services for the system, and should have a single instance running as a child of wininit.exe
    ▪ WINLOGON (winlogon.exe)
        Manages access to the user desktop and should have only one instance for each user session, with the Desktop Window Manager (dwm.exe) as a child process in modern versions of Windows
    ▪ USERINIT (userinit.exe)
        Sets up the shell (typically explorer.exe) and then quits, so you should only see this process briefly after log-on
    ▪ Explorer (explorer.exe)
        This is the typical user shell, launched with the user's account privileges rather than SYSTEM's, and is likely to be the parent for all processes started by the logged-on user
  o What might make a process look suspicious?
    ▪ Any process name that you do not recognize
    ▪ Any process name that is similar to a legitimate system process (e.g., scvhost)
    ▪ Processes that appear without an icon, version information, description, or company name
    ▪ Processes that are unsigned, especially if they claim to be from a well-known company like Microsoft
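The legitimate-process rules above (single instances of wininit.exe, services.exe and lsass.exe, the expected parent of each, launch from System32, service accounts, look-alike names, and unsigned binaries claiming a well-known publisher) can be encoded as checks over a process snapshot. The following Python script is an added example written for these notes; it is not code from the study guide or from Sysinternals. The snapshot at the bottom is constructed by hand (it is not real Process Explorer output), and the expectation table, the field names, and the look-alike distance threshold are assumptions made for the example.

```python
"""Added example for the Behavioral Analysis notes: triage a Windows
process snapshot against the expectations listed above. Not from the
study guide; the snapshot, field names and thresholds are constructed
assumptions for the example."""
from collections import Counter

SYS = "NT AUTHORITY\\SYSTEM"
SERVICE_ACCOUNTS = {SYS, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
SYSTEM32 = r"c:\windows\system32"

# name -> (max instances or None, required parent or None, must run from System32)
EXPECTED = {
    "smss.exe":     (1,    "System",       True),
    "csrss.exe":    (None, None,           True),   # several instances are normal
    "wininit.exe":  (1,    None,           True),
    "services.exe": (1,    "wininit.exe",  True),
    "lsass.exe":    (1,    "wininit.exe",  True),
    "winlogon.exe": (None, None,           True),   # one per user session
    "svchost.exe":  (None, "services.exe", True),
    "explorer.exe": (None, None,           False),  # lives in %SystemRoot%
}
SERVICE_PROCS = {"services.exe", "lsass.exe", "svchost.exe"}


def edit_distance(a, b):
    """Levenshtein distance; used to catch look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes):
    """Return (pid, name, reason) tuples for every process that breaks a rule."""
    by_pid = {p["pid"]: p for p in processes}
    counts = Counter(p["name"].lower() for p in processes)
    findings = []
    for p in processes:
        name = p["name"].lower()
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        path_dir = p["path"].lower().rsplit("\\", 1)[0]

        def flag(why):
            findings.append((p["pid"], p["name"], why))

        if name in EXPECTED:
            max_count, want_parent, in_sys32 = EXPECTED[name]
            if max_count is not None and counts[name] > max_count:
                flag(f"{counts[name]} instances running, expected {max_count}")
            if want_parent and parent_name != want_parent.lower():
                flag(f"parent is {parent_name or 'none'}, expected {want_parent}")
            if in_sys32 and path_dir != SYSTEM32:
                flag(f"running from {path_dir}, expected {SYSTEM32}")
            if name in SERVICE_PROCS and p["user"] not in SERVICE_ACCOUNTS:
                flag(f"runs as {p['user']}, expected a service account")
        else:
            # Unknown name: is it a near miss of a core process name?
            for legit in EXPECTED:
                if 0 < edit_distance(name, legit) <= 2:
                    flag(f"name resembles {legit}")
                    break
        if not p["company"]:
            flag("no company name in version information")
        if not p["signed"] and "microsoft" in p["company"].lower():
            flag("unsigned binary claiming Microsoft as publisher")
    return findings


def flagged_pids(processes):
    """Sorted PIDs that need an analyst's attention."""
    return sorted({pid for pid, _name, _why in triage(processes)})


def proc(pid, ppid, name, path, user=SYS, company="Microsoft Corporation", signed=True):
    return {"pid": pid, "ppid": ppid, "name": name, "path": path,
            "user": user, "company": company, "signed": signed}


S32 = r"C:\Windows\System32"
# Constructed snapshot: a healthy boot chain plus three planted anomalies.
SNAPSHOT = [
    proc(4, 0, "System", S32 + r"\ntoskrnl.exe"),
    proc(392, 4, "smss.exe", S32 + r"\smss.exe"),
    proc(512, 0, "csrss.exe", S32 + r"\csrss.exe"),
    proc(600, 0, "wininit.exe", S32 + r"\wininit.exe"),
    proc(700, 600, "services.exe", S32 + r"\services.exe"),
    proc(712, 600, "lsass.exe", S32 + r"\lsass.exe"),
    proc(880, 700, "svchost.exe", S32 + r"\svchost.exe", user="NT AUTHORITY\\NETWORK SERVICE"),
    proc(1804, 1700, "explorer.exe", r"C:\Windows\explorer.exe", user="CORP\\alice"),
    # look-alike name, unsigned, claims Microsoft
    proc(2212, 1804, "scvhost.exe", r"C:\Users\alice\AppData\Local\Temp\scvhost.exe",
         user="CORP\\alice", signed=False),
    # real name but wrong parent, wrong path, wrong account, no company name
    proc(2300, 1804, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe",
         user="CORP\\alice", company="", signed=False),
    # second lsass.exe, unsigned
    proc(2410, 600, "lsass.exe", S32 + r"\lsass.exe", signed=False),
]

if __name__ == "__main__":
    for pid, name, why in triage(SNAPSHOT):
        print(f"PID {pid:>5} {name:<14} {why}")
```

Both lsass.exe instances are reported for the count violation because the snapshot alone cannot say which one is genuine; the unsigned-binary finding on the second one is what tells the analyst where to look first.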
