Module 01 - Introduction to Ethical Hacking PDF
EC-COUNCIL
Summary
This document is a module on the introduction to ethical hacking. It explains information security concepts, hacking methodologies, and different hacker classes, along with the importance of security laws and standards. The document covers the different elements of information security, including confidentiality, integrity, availability, authenticity, and non-repudiation, as well as motives behind information security attacks.
Full Transcript
MODULE 01 INTRODUCTION TO ETHICAL HACKING
EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker, Introduction to Ethical Hacking

LEARNING OBJECTIVES
LO#01: Explain Information Security Concepts
LO#02: Explain Hacking Methodologies and Frameworks
LO#03: Explain Hacking Concepts and Different Hacker Classes
LO#04: Explain Ethical Hacking Concepts and Scope
LO#05: Summarize the Techniques used in Information Security Controls
LO#06: Explain the Importance of Applicable Security Laws and Standards

Learning Objectives
Attackers break into systems for various reasons and purposes. Therefore, it is important to understand how malicious hackers attack and exploit systems and the probable reasons behind these attacks. As Sun Tzu states in the Art of War, "If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat." System administrators and security professionals must guard their infrastructure against exploits by knowing the enemy—malicious hackers who seek to use the same infrastructure for illegal activities.

At the end of this module, you will be able to:
- Describe the elements of information security
- Explain information security attacks and information warfare
- Describe various hacking methodologies and frameworks
- Describe hacking concepts and hacker classes
- Explain ethical hacking concepts and scope
- Understand information security controls (information assurance, defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and artificial intelligence (AI)/machine learning (ML))
- Understand various information security acts and laws

Module 01 Page 3 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
LO#01: Explain Information Security Concepts

Information Security Overview
Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways. To provide an understanding of how to secure such critical information resources, this module starts with an overview of information security. This section introduces the elements of information security, classification of attacks, and information warfare.
Elements of Information Security
Information security is "the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable." It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

- Confidentiality
  Confidentiality is the assurance that the information is accessible only to those authorized to have access. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).

- Integrity
  Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose.
  Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).

- Availability
  Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.

- Authenticity
  Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.

- Non-Repudiation
  Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
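As an added illustration of the checksum point above (example code, not from the EC-Council module), the following Python computes a hash-based checksum over a data block and shows it catching a modification. It goes one step beyond the text by contrasting the plain checksum with a keyed MAC: anyone who can alter the block can also recompute a plain checksum, so on its own it protects against accidental change, while a MAC ties the check to a key. The record contents and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data block (not from the module).
RECORD = b"account=1234;balance=500.00"


def checksum(data: bytes) -> str:
    """Integrity control: a SHA-256 checksum of the data block."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    """True only if the block still hashes to the stored checksum."""
    return hmac.compare_digest(checksum(data), expected)


def authenticity_tag(data: bytes, key: bytes) -> str:
    """Keyed MAC (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison of the recomputed tag against the stored one."""
    return hmac.compare_digest(authenticity_tag(data, key), tag)


def demo() -> dict:
    """Run the checks against the original and a tampered copy of RECORD."""
    stored_checksum = checksum(RECORD)
    key = secrets.token_bytes(32)          # constructed secret for the example
    stored_tag = authenticity_tag(RECORD, key)

    tampered = RECORD.replace(b"500.00", b"900.00")

    # Someone who can change the block can also recompute a plain checksum,
    # so a forged checksum over tampered data verifies fine.
    forged_checksum = checksum(tampered)
    # Without the key, a forged tag over tampered data does not verify.
    forged_tag = authenticity_tag(tampered, b"guessed-wrong-key")

    return {
        "original_checksum_ok": verify_checksum(RECORD, stored_checksum),
        "tampered_checksum_ok": verify_checksum(tampered, stored_checksum),
        "forged_checksum_ok": verify_checksum(tampered, forged_checksum),
        "original_tag_ok": verify_tag(RECORD, key, stored_tag),
        "tampered_tag_ok": verify_tag(tampered, key, stored_tag),
        "forged_tag_ok": verify_tag(tampered, key, forged_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The checksum alone flags the tampered block when compared with the stored value, but `forged_checksum_ok` comes out true, which is why a stored checksum must be kept where the data writer cannot reach it, or replaced by a keyed tag as shown.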
Motives, Goals, and Objectives of Information Security Attacks
Attackers generally have motives (goals) and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization's business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker's state of mind, their reason for carrying out such an activity, as well as their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or security policy and controls.
Attacks = Motive (Goal) + Method + Vulnerability

Motives behind information security attacks:
- Disrupt business continuity
- Perform information theft
- Manipulate data
- Create fear and chaos by disrupting critical infrastructures
- Bring financial loss to the target
- Propagate religious or political beliefs
- Achieve a state's military objectives
- Damage the reputation of the target
- Take revenge
- Demand ransom

Classification of Attacks
According to IATF, security attacks are classified into five categories: passive, active, close-in, insider, and distribution.

- Passive Attacks
  Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data. Attackers perform reconnaissance on network activities using sniffers. These attacks are very difficult to detect as the attacker has no active interaction with the target system or network. Passive attacks allow attackers to capture the data or files being transmitted in the network without the consent of the user. For example, an attacker can obtain information such as unencrypted data in transit, clear-text credentials, or other sensitive information that is useful in performing active attacks.
  Examples of passive attacks:
  o Footprinting
  o Sniffing and eavesdropping
  o Network traffic analysis
  o Decryption of weakly encrypted traffic

- Active Attacks
  Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. Attackers launch attacks on the target system or network by sending traffic actively that can be detected. These attacks are performed on the target network to exploit the information in transit. They penetrate or infect the target's internal network and gain access to a remote system to compromise the internal network.
  Examples of active attacks:
  o Denial-of-service (DoS) attack
  o Bypassing protection mechanisms
  o Malware attacks (such as viruses, worms, ransomware)
  o Modification of information
  o Spoofing attacks
  o Replay attacks
  o Password-based attacks
  o Session hijacking
  o Man-in-the-Middle attack
  o DNS and ARP poisoning
  o Compromised-key attack
  o Firewall and IDS attack
  o Profiling
  o Arbitrary code execution
  o Privilege escalation
  o Cryptography attacks
  o SQL injection
  o XSS attacks
  o Directory traversal attacks
  o Exploitation of application and OS software

- Close-in Attacks
  Close-in attacks are performed when the attacker is in close physical proximity with the target system or network. The main goal of performing this type of attack is to gather or modify information or disrupt its access. For example, an attacker might shoulder surf user credentials. Attackers gain close proximity through surreptitious entry, open access, or both.
  Examples of close-in attacks:
  o Social engineering (eavesdropping, shoulder surfing, dumpster diving, and other methods)

- Insider Attacks
  Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. They misuse the organization's assets to directly affect the confidentiality, integrity, and availability of information systems. These attacks impact the organization's business operations, reputation, and profit. It is difficult to figure out an insider attack.
  Examples of insider attacks:
  o Eavesdropping and wiretapping
  o Theft of physical devices
  o Social engineering
  o Planting keyloggers, backdoors, or malware
  o Data theft and spoliation
  o Pod slurping

- Distribution Attacks
  Distribution attacks occur when attackers tamper with hardware or software prior to installation. Attackers tamper with the hardware or software at its source or when it is in transit. Examples of distribution attacks include backdoors created by software or hardware vendors at the time of manufacture. Attackers leverage these backdoors to gain unauthorized access to the target information, systems, or network.
  o Modification of software or hardware during production
  o Modification of software or hardware during distribution

Information Warfare
Source: https://iwar.org.uk
The term information warfare or InfoWar refers to the use of information and communication technologies (ICT) for competitive advantages over an opponent.
Examples of information warfare weapons include viruses, worms, Trojan horses, logic bombs, trap doors, nanomachines and microbes, electronic jamming, and penetration exploits and tools.

Martin Libicki divided information warfare into the following categories:
- Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
- Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
- Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
- Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
- Hacker warfare: According to Libicki, the purpose of this type of warfare can vary from the shutdown of systems, data errors, theft of information, theft of services, system monitoring, false messaging, and access to data. Hackers generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks.
- Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.
- Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).

Each form of information warfare mentioned above consists of both defensive and offensive strategies.
- Defensive Information Warfare: Involves all strategies and actions to defend against attacks on ICT assets.
- Offensive Information Warfare: Involves attacks against the ICT assets of an opponent.

[Figure 1.1: Block Diagram of Information Warfare. Defensive Warfare: Prevention, Deterrence, Alerts, Detection, Emergency Preparedness, Response. Offensive Warfare: Web Application Attacks, Web Server Attacks, Malware Attacks, MITM Attacks, System Hacking.]

LO#02: Explain Hacking Methodologies and Frameworks

Hacking Methodologies and Frameworks
Learning the hacking methodologies and frameworks helps ethical hackers understand the phases involved in hacking attempts along with the tactics, techniques, and procedures used by real hackers. This knowledge further helps them in strengthening the security infrastructure of their organization.
This section discusses various hacking methodologies such as the Certified Ethical Hacker (CEH) methodology, cyber kill chain methodology, MITRE ATT&CK framework, and Diamond Model of Intrusion Analysis.

[Figure: CEH Hacking Methodology (CHM). Phases: Footprinting, Scanning, Enumeration, System Hacking (Gaining Access: Cracking Passwords, Vulnerability Exploitation; Escalating Privileges; Executing Applications; Maintaining Access).]

[Figure 1.8: Defense in Depth (Defense-in-Depth Layers)]

What is Risk?
Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions. Alternatively, risk can also be:
- The probability of the occurrence of a threat or an event that will damage, cause loss to, or have other negative impacts on the organization, either from internal or external liabilities.
- The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.
- The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset.

The relation between Risk, Threats, Vulnerabilities, and Impact is as follows:

RISK = Threats x Vulnerabilities x Impact

The impact of an event on an information asset is the product of vulnerability in the asset and the asset's value to its stakeholders.
IT risk can be expanded to:

RISK = Threat x Vulnerability x Asset Value

In fact, the risk is the combination of the following two factors:
- The probability of the occurrence of an adverse event
- The consequence of the adverse event

Risk Level
Risk level is an assessment of the resulting impact on the network. Various methods exist to differentiate the risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix. Working out the frequency or probability of an incident happening (likelihood) and its possible consequences is necessary to analyze risks. This is referred to as the level of risk. Risk can be represented and calculated using the following formula:

Level of Risk = Consequence x Likelihood

Risks are categorized into different levels according to their estimated impact on the system. Primarily, there are four risk levels, which include extreme, high, medium, and low levels. Remember that control measures may decrease the level of a risk, but do not always entirely eliminate the risk.

Risk Level       | Consequence                | Action
-----------------|----------------------------|-----------------------------------------------------------------------------
Extreme or High  | Serious or imminent danger | Immediate measures are required to combat the risk. Identify and impose controls to reduce the risk to a reasonably low level.
Medium           | Moderate danger            | Immediate action is not required, but action should be implemented quickly. Implement controls as soon as possible to reduce the risk to a reasonably low level.
Low              | Negligible danger          | Take preventive steps to mitigate the effects of risk.
Table 1.1: Risk Levels

Risk Matrix
The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact.
It is the graphical representation of risk severity and the extent to which the controls can or will mitigate it. The risk matrix is one of the simplest processes to use for increased visibility of risk; it contributes to the management's decision-making capability. The risk matrix defines various levels of risk and categorizes them as the product of negative probability and negative severity. Although there are many standard risk matrices, individual organizations must create their own.

Likelihood (Probability)  | Insignificant | Minor  | Moderate | Major   | Severe
--------------------------|---------------|--------|----------|---------|--------
Very High (81-100%)       | Low           | Medium | High     | Extreme | Extreme
High (61-80%)             | Low           | Medium | High     | High    | Extreme
Equal (41-60%)            | Low           | Medium | Medium   | High    | High
Low (21-40%)              | Low           | Low    | Medium   | Medium  | High
Very Low (1-20%)          | Low           | Low    | Medium   | Medium  | High
Table 1.2: Risk Matrix

The above table is the graphical representation of a risk matrix, which is used to visualize and compare risks. It differentiates the two levels of risk and is a simple way of analyzing them.
- Likelihood: The chance of the risk occurring
- Consequence: The severity of a risk event that occurs

Note: This is an example of a risk matrix. Organizations must create individual risk matrices based on their business needs.
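To make the formula Level of Risk = Consequence x Likelihood concrete, here is an added Python example (not code from the EC-Council module) that encodes the example risk matrix (Table 1.2) and the actions of Table 1.1, rates a constructed risk register, and orders it for treatment. The risk names and probability estimates are made up for the example; the matrix cells are transcribed from the module's example matrix, which, as the note above says, an organization would replace with its own.

```python
# Consequence columns of the example matrix, least to most severe.
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# Likelihood bands: (name, lower bound in %, matrix row in CONSEQUENCES order).
# Cells transcribed from the module's example matrix (Table 1.2). Rows are
# ordered from most to least likely so the first band whose lower bound is
# met is the correct one.
LIKELIHOOD_BANDS = [
    ("Very High", 81, ["Low", "Medium", "High",   "Extreme", "Extreme"]),
    ("High",      61, ["Low", "Medium", "High",   "High",    "Extreme"]),
    ("Equal",     41, ["Low", "Medium", "Medium", "High",    "High"]),
    ("Low",       21, ["Low", "Low",    "Medium", "Medium",  "High"]),
    ("Very Low",   1, ["Low", "Low",    "Medium", "Medium",  "High"]),
]

# Severity order used to prioritise treatment (later = more urgent).
LEVEL_ORDER = ["Low", "Medium", "High", "Extreme"]

# Actions per risk level, from Table 1.1 (Extreme and High share one row).
URGENT = ("Immediate measures are required to combat the risk; identify and "
          "impose controls to reduce the risk to a reasonably low level")
ACTIONS = {
    "Extreme": URGENT,
    "High": URGENT,
    "Medium": ("Immediate action is not required, but action should be "
               "implemented quickly; implement controls as soon as possible "
               "to reduce the risk to a reasonably low level"),
    "Low": "Take preventive steps to mitigate the effects of risk",
}


def likelihood_band(probability_pct: float) -> str:
    """Map an estimated probability (1-100 %) to the matrix's likelihood band."""
    if not 1 <= probability_pct <= 100:
        raise ValueError("probability must be between 1 and 100 percent")
    for name, lower, _row in LIKELIHOOD_BANDS:
        if probability_pct >= lower:
            return name
    raise AssertionError("unreachable: bands cover 1-100 percent")


def risk_level(probability_pct: float, consequence: str) -> str:
    """Level of Risk = Consequence x Likelihood, read off the matrix."""
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence {consequence!r}")
    band = likelihood_band(probability_pct)
    row = next(r for name, _lower, r in LIKELIHOOD_BANDS if name == band)
    return row[CONSEQUENCES.index(consequence)]


def action_for(level: str) -> str:
    """Action required for a risk level (Table 1.1)."""
    return ACTIONS[level]


def prioritise(risks):
    """Rate (name, probability %, consequence) entries; most urgent first.

    sorted() is stable, so equally rated risks keep their register order.
    """
    rated = [(name, risk_level(p, c)) for name, p, c in risks]
    return sorted(rated, key=lambda t: LEVEL_ORDER.index(t[1]), reverse=True)


# Constructed sample risk register (made up for this example).
SAMPLE_RISKS = [
    ("Unpatched internet-facing web server", 70, "Severe"),
    ("Lost USB drive holding encrypted backups", 30, "Minor"),
    ("Misconfigured cloud storage bucket", 50, "Major"),
    ("Printer firmware out of date", 10, "Insignificant"),
]

if __name__ == "__main__":
    for name, level in prioritise(SAMPLE_RISKS):
        print(f"{level:8} {name}: {action_for(level)}")
```

Reading the matrix rather than multiplying two numbers keeps the rating faithful to whatever matrix the organization adopts; swapping in a different matrix only means editing `LIKELIHOOD_BANDS`, while the rating and prioritisation logic stay the same.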
Risk Management
Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program.

Risk Management Phases:
- Risk Identification: Identifies the sources, causes, consequences, and other details of the internal and external risks affecting the security of the organization
- Risk Assessment: Assesses the organization's risk and provides an estimate of the likelihood and impact of the risk
- Risk Treatment: Selects and implements appropriate controls for the identified risks
- Risk Tracking: Ensures appropriate controls are implemented to handle known risks and calculates the chances of a new risk occurring
- Risk Review: Evaluates the performance of the implemented risk management strategies

Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk. It has a prominent place throughout the security life cycle and is a continuous and ever-increasingly complex process. The types of risks vary from organization to organization, but the act of preparing a risk management plan is common to all organizations.

Risk Management Objectives
- Identify potential risks—this is the main objective of risk management
- Identify the impact of risks and help the organization develop better risk management strategies and plans
- Prioritize the risks, depending on the impact or severity of the risk, and use established risk management methods, tools, and techniques to assist in this task
- Understand and analyze the risks and report identified risk events
- Control the risk and mitigate its effect
- Create awareness among the security staff and develop strategies and plans for lasting risk management strategies
Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level utilizing a well-defined and actively employed security program. This process is applied in all stages of the organization, for example, to specific network locations in both strategic and operational contexts.

The four key steps commonly termed as risk management phases are:
- Risk Identification
- Risk Assessment
- Risk Treatment
- Risk Tracking and Review

Every organization should follow the above steps while performing the risk management process.

- Risk Identification
  The initial step of the risk management plan. Its main aim is to identify the risks—including the sources, causes, and consequences of the internal and external risks affecting the security of the organization before they cause harm. The risk identification process depends on the skill set of the people, and it differs from one organization to another.

- Risk Assessment
  This phase assesses the organization's risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing iterative process that assigns priorities for risk mitigation and implementation plans, which in turn help to determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks. The risk assessment determines the kind of risks present, their likelihood and severity, and the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard but are not able to control it immediately. A risk assessment is followed by a regular update of all information facilities.
- Risk Treatment
  Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. The risk treatment method addresses and treats the risks according to their severity level. Decisions made in this phase are based on the results of a risk assessment. The purpose of this step is to identify treatments for the risks that fall outside the department's risk tolerance and provide an understanding of the level of risk with controls and treatments. It identifies the priority order in which individual risks should be treated, monitored, and reviewed. The following information is needed before treating the risk:
  o The appropriate method of treatment
  o The people responsible for the treatment
  o The costs involved
  o The benefits of treatment
  o The likelihood of success
  o Ways to measure and assess the treatment

- Risk Tracking and Review
  An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. The tracking and review process should determine the measures and procedures adopted and ensure that the information gathered to perform the assessment was appropriate. The review phase evaluates the performance of the implemented risk management strategies. Performing regular inspections of policies and standards, as well as regularly reviewing them, helps to identify the opportunities for improvement. Further, the monitoring process ensures that there are appropriate controls in place for the organization's activities and that all procedures are understood and followed.
Cyber Threat Intelligence

[Slide: Types of Threat Intelligence, from high-level to low-level: Strategic, Tactical, Operational, Technical]

According to the Oxford dictionary, a threat is defined as “the possibility of a malicious attempt to damage or disrupt a computer network or system.” A threat is a potential occurrence of an undesired event that can eventually damage and interrupt the operational and functional activities of an organization. A threat can affect the integrity and availability factors of an organization. The impact of threats can be very great and may affect the state of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some action.
Cyber threat intelligence, usually known as CTI, is the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks. It is the process of recognizing or discovering any “unknown threats” that an organization may face so that necessary defense mechanisms can be applied to avoid such occurrences. It involves collecting, researching, and analyzing trends and technical developments in the field of cyber threats (including cybercrime, hacktivism, and espionage). Any knowledge about threats that results in an organization’s planning and decision-making to handle it is a piece of threat intelligence.

The main aim of CTI is to make the organization aware of existing or emerging threats and to prepare it to develop a proactive cybersecurity posture in advance of exploitation. This process, where unknown threats are converted into possibly known ones, helps to anticipate the attack before it can happen, and ultimately results in a better and more secure system. Thus, threat intelligence is useful in achieving secure data sharing and global transactions among organizations.

Threat intelligence processes can be used to identify the risk factors that are responsible for malware attacks, SQL injections, web application attacks, data leaks, phishing, denial-of-service attacks, and other attacks. Such risks, after being filtered out, can be put on a checklist and handled appropriately. Threat intelligence is beneficial for an organization to handle cyber threats with effective planning and execution.
Along with a thorough analysis of the threat, CTI also strengthens the organization’s defense system, creates awareness about impending risks, and aids in responding against such risks.

Types of Threat Intelligence

Threat intelligence is contextual information that describes threats and guides organizations in making various business decisions. It is extracted from a huge collection of sources and information. It provides operational insight by looking outside the organization and issuing alerts on evolving threats to the organization. For the better management of information that is collected from different sources, it is important to subdivide threat intelligence into different types. This subdivision is performed based on the consumers and goals of the intelligence. From the perspective of consumption, threat intelligence is divided into four different types, namely strategic, tactical, operational, and technical threat intelligence. These four types differ in terms of data collection, data analysis, and intelligence consumption.

• Strategic Threat Intelligence

Strategic threat intelligence provides high-level information regarding cybersecurity posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions. This information is consumed by the high-level executives and management of the organization, such as IT management and the CISO. It helps the management to identify current cyber risks, unknown future risks, threat groups, and attribution of breaches. The intelligence obtained provides a risk-based view that mainly focuses on high-level concepts of risks and their probability. It mainly deals with long-term issues and provides real-time alerts for threats to the organization’s critical assets, such as IT infrastructure, employees, customers, and applications. This intelligence is used by the management to make strategic business decisions and to analyze their effect.
Based on the analysis, the management can allocate sufficient budget and staff to protect critical IT assets and business processes. Strategic threat intelligence is generally in the form of a report that mainly focuses on high-level business strategies. Since the characteristic of strategic threat intelligence is preeminent, the data collection also relates to high-level sources and requires highly skilled professionals to extract information. This intelligence is collected from sources such as OSINT, CTI vendors, and ISAOs and ISACs. Strategic threat intelligence helps organizations identify any similar past incidents, their intentions, and any attributes that might identify the attacking adversaries, why the organization is within the scope of the attack, major attack trends, and how to reduce the risk level. Generally, strategic threat intelligence includes the following information:

o The financial impact of cyber activity
o Attribution for intrusions and data breaches
o Threat actors and attack trends
o The threat landscape for various industry sectors
o Statistical information on data breaches, data theft, and malware
o Geopolitical conflicts involving various cyberattacks
o Information on how adversary TTPs change over time
o Industry sectors that might be impacted by high-level business decisions

• Tactical Threat Intelligence

Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to the TTPs used by threat actors (attackers) to perform attacks.
Tactical threat intelligence is consumed by cybersecurity professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects. It helps the cybersecurity professionals understand how the adversaries are expected to perform their attack on the organization, identify the information leakage from the organization, and assess the technical capabilities and goals of the attackers along with the attack vectors. Using tactical threat intelligence, security personnel develop detection and mitigation strategies beforehand through procedures such as updating security products with identified indicators and patching vulnerable systems.

The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, and human intelligence, among other information. This intelligence is generally obtained by reading white or technical papers, communicating with other organizations, or purchasing intelligence from third parties. It includes highly technical information on topics such as malware, campaigns, techniques, and tools in the form of forensic reports. Tactical threat intelligence provides day-to-day operational support by helping analysts assess various security incidents related to events, investigations, and other activities. It also guides the high-level executives of the organizations in making strategic business decisions.

• Operational Threat Intelligence

Operational threat intelligence provides information about specific threats against the organization. It provides contextual information about security events and incidents that help defenders disclose potential risks, provide greater insight into attacker methodologies, identify past malicious activities, and perform investigations on malicious activity in a more efficient way.
It is consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams. It helps organizations to understand the possible threat actors and their intention, capability, and opportunity to attack vulnerable IT assets and the impact of a successful attack. In many cases, only government organizations can collect this type of intelligence. However, doing so helps IR and forensic teams to deploy security assets to identify and stop upcoming attacks, improve early-stage attack detection capability, and reduce an attack’s damage to IT assets.

Operational threat intelligence is generally collected from sources such as humans, social media, and chat rooms; it may also be collected from the real-world activities and events that result in cyberattacks. Operational threat intelligence is obtained by analyzing human behavior, threat groups, and by similar means. This information helps to predict future attacks and thus enhances incident response plans and mitigation strategies. Operational threat intelligence generally appears as a report that contains identified malicious activities, recommended courses of action, and warnings of emerging attacks.

• Technical Threat Intelligence

Technical threat intelligence provides information about resources an attacker uses to perform an attack; this includes command and control channels, tools, and other items. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific IoC. It provides rapid distribution and response to threats.
For example, a piece of malware used to perform an attack is tactical threat intelligence, whereas the details related to the specific implementation of the malware come under technical threat intelligence. Other examples of technical threat intelligence include the specific IP addresses and domains used by malicious endpoints, phishing email headers, and hash checksums of malware, among others. Technical threat intelligence is consumed by SOC staff and IR teams.

The indicators of technical threat intelligence are collected from active campaigns, attacks that are performed on other organizations, or data feeds provided by external third parties. These indicators are generally collected as part of investigations of attacks performed on various organizations. This information helps security professionals add the identified indicators to the defensive systems such as IDS and IPS, firewalls, and endpoint security systems, thereby enhancing the detection mechanisms used to identify the attacks at an early stage. It also helps them identify malicious traffic and IP addresses suspected of spreading malware and spam emails. This intelligence is directly fed into the security devices in digital format to block and identify inbound and outbound malicious traffic entering the organization’s network.
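As an added example that is not part of the EC-Council material, the following Python sketch walks the indicator-to-defensive-system path described above: a constructed indicator feed is parsed, expired indicators are dropped (technical intelligence has a short lifespan), the remaining IPs, domains and hashes are normalized and matched against constructed firewall, DNS and EDR log lines, and the IP indicators are emitted as a block list a perimeter device could load. The feed format, indicator values, labels and log lines are all made up for the example.

```python
"""Technical threat intelligence in practice: load an indicator feed, drop
expired indicators, match the rest against log events, and emit a block list.
Added example; the feed format, values and logs below are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed indicator feed (not a real vendor format): one JSON object per
# line, each with a type, a value and an expiry, because technical TI ages fast.
RAW_FEED = """
{"type": "ipv4", "value": "203.0.113.45", "valid_until": "2099-01-01T00:00:00Z", "label": "c2-server"}
{"type": "domain", "value": "Update-Check.Example.NET", "valid_until": "2099-01-01T00:00:00Z", "label": "phishing-landing"}
{"type": "sha256", "value": "ABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABAB", "valid_until": "2099-01-01T00:00:00Z", "label": "dropper"}
{"type": "ipv4", "value": "198.51.100.9", "valid_until": "2020-01-01T00:00:00Z", "label": "expired-scanner"}
"""

# Constructed log lines in three shapes: firewall, DNS resolver, EDR file event.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw allow src=10.0.0.7 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:04Z dns query client=10.0.0.7 qname=update-check.example.net.",
    "2024-05-01T10:00:09Z edr file_create host=ws-07 sha256=abababababababababababababababababababababababababababababababab",
    "2024-05-01T10:01:00Z fw allow src=10.0.0.8 dst=198.51.100.9 dport=22",
    "2024-05-01T10:02:00Z fw allow src=10.0.0.9 dst=192.0.2.10 dport=80",
]

# Fixed "now" for the example so that the expiry check is reproducible.
ANALYSIS_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def normalize(kind, value):
    """Canonical form so feed and log values compare equal: domains lower-cased
    without a trailing dot, hashes lower-cased, everything stripped."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "sha256":
        return value.lower()
    return value


def load_feed(raw, now=ANALYSIS_TIME):
    """Parse the feed and keep only indicators whose validity has not passed."""
    active = {}
    for line in raw.strip().splitlines():
        entry = json.loads(line)
        expiry = datetime.fromisoformat(entry["valid_until"].replace("Z", "+00:00"))
        if expiry <= now:
            continue  # stale technical indicators mostly produce false positives
        active[(entry["type"], normalize(entry["type"], entry["value"]))] = entry["label"]
    return active


def extract_observables(line):
    """Pull every IPv4 address, domain and SHA-256 out of a log line, normalized."""
    found = set()
    for ip in IPV4_RE.findall(line):
        found.add(("ipv4", normalize("ipv4", ip)))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", normalize("sha256", digest)))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain", normalize("domain", dom)))
    return found


def match_logs(indicators, logs):
    """Return (log line, label, indicator value) for every observable that hits."""
    hits = []
    for line in logs:
        for key in extract_observables(line):
            if key in indicators:
                hits.append((line, indicators[key], key[1]))
    return hits


def block_list(indicators):
    """Dissemination: the active IPv4 indicators as a sorted list for a firewall."""
    return sorted(value for (kind, value) in indicators if kind == "ipv4")


if __name__ == "__main__":
    active = load_feed(RAW_FEED)
    for line, label, value in match_logs(active, SAMPLE_LOGS):
        print(f"ALERT [{label}] {value} <- {line}")
    print("block list:", block_list(active))
```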
Threat Intelligence Lifecycle

The threat intelligence lifecycle is a continuous process of developing intelligence from raw data that supports organizations in developing defensive mechanisms to thwart emerging risks and threats. The higher-level executives of the organization provide continuous support to the intelligence team by evaluating and giving feedback at every stage. The threat intelligence lifecycle consists of five phases: planning and direction, collection, processing and exploitation, analysis and production, and dissemination and integration.

• Planning and Direction

In this phase, a proper plan is developed based on the strategic intelligence requirement, for example, what the requirements for developing the threat intelligence are, which intelligence information should be given priority, etc. This phase defines the entire intelligence program from data collection to delivery of the final intelligence product and acts as a basis for the complete intelligence process. It also includes identifying the requirements of data, the methods to be used to collect data, and establishing a collection plan.
The requirements are set in such a way that effective and genuine intelligence data can be gathered using a constant number of resources from various open sources of intelligence (OSINT). Along with the requirements, requests are sent to collect data from various internal and external sources. During this phase, an intelligence team is formed, and their key roles and responsibilities are also formulated. Also, the planning and requirements are set for the later stages of the cycle to provide proper support for its functioning.

• Collection

In this phase, the focus is on collecting the desired intelligence that is defined in phase one. The data can be collected in different ways through either technical or human means. The collection of the information can be performed directly or secretly based on the confidentiality of the information. The intelligence is collected through sources like human intelligence (HUMINT), imagery intelligence (IMINT), measurement and signature intelligence (MASINT), signals intelligence (SIGINT), open source intelligence (OSINT), IoCs, and other third parties. This includes collecting data from critical applications, network infrastructure, security infrastructure, etc. Once the collection process is done, the data is transferred for processing in the next stage.

• Processing and Exploitation

Until this phase, the data is not in a proper format; it is raw data. The data obtained from previous phases is processed for exploitation and transformed into useful information that can be understood by the consumers. The raw data is converted into meaningful information by highly trained professionals using sophisticated technology and tools.
This interpreted data is converted into a usable format that can be directly used in the data analysis phase. For the processing to be effective, it requires a proper understanding of the data collection plan, the requirements of the consumer, the analytical strategy, and the types of data that are being processed. Many automated tools are used to apply data processing functions such as structuring, decryption, language translation, parsing, data reduction, filtering, data correlation, and data aggregation.

• Analysis and Production

After processing the intelligence into a proper format, the intelligence is analyzed in this phase to obtain refined information. The analysis includes facts, findings, and forecasts, which enable the estimation and anticipation of attacks and results. The analysis should be objective, timely, accurate, and actionable. To extract timely and accurate information, analysts need to implement four types of reasoning techniques, which include deduction, induction, abduction, and the scientific method based on confidence. As the information is obtained from different sources, analysts try to combine these various sources into a single entity in this phase. The raw data is converted into information by applying various data analysis techniques such as qualitative and quantitative analyses, machine-based techniques, and statistical methods. When the analyzed information provides sufficient context for identifying a threat, it is elevated to intelligence. This phase identifies potential threats to the organization and further helps in developing appropriate countermeasures to respond to the identified threats.

• Dissemination and Integration

The analyzed information is then ready for integration and distribution to the intended consumers, which is done either by automated means or by manual methods.
Major threat information types that are generally used for dissemination include threat indicators, adversary TTPs, security alerts, threat intelligence reports, and tool configuration information for using tools to automate all the phases of threat intelligence. Different intelligence reports are generated to meet the requirements of the management and higher-level executives at strategic, operational, tactical, and technical levels. Strategic threat intelligence is consumed by high-level executives and management and focuses on high-level business strategies. Operational threat intelligence is consumed by cybersecurity professionals such as security managers and network defenders and mainly focuses on specific threats to the organization. Tactical threat intelligence is consumed by cybersecurity professionals such as IT service and SOC managers, administrators, and architects and focuses on adversaries’ TTPs. Technical threat intelligence is consumed by SOC staff and IR teams and includes information related to the identified IoCs.

The disseminated intelligence helps organizations in building defensive and mitigation strategies for the identified threats. Sharing threat intelligence internally and externally helps organizations gain situational awareness and also enhance the current security posture and risk management processes. This phase also provides feedback, giving more input to the information requirements and thereby repeating the threat intelligence lifecycle. The feedback is an assessment that describes whether the extracted intelligence meets the requirements of the intelligence consumer. This feedback helps in producing more accurate intelligence through relevant and timely assessments.
Threat Modeling

Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects it. The threat model consists of three major building blocks: understanding the adversary’s perspective, characterizing the security of the system, and determining threats. Every application should have a developed and documented threat model that should be revisited as the application evolves and development progresses.

Threat modeling helps to:

• Identify relevant threats to a particular application scenario
• Identify key vulnerabilities in an application’s design
• Improve security design

When using this approach, an administrator should keep the following in mind:

• Try not to be rigid about specific steps or implementations; instead, focus on the approach. If any step becomes impassable, go right to step 4 of the threat modeling process and identify the problem.
• Use scenarios to scope the modeling activity.
• Use existing design documents.
Use items like documented use cases or user stories, architectural diagrams, data flow diagrams, or other design documentation.
• Start with a whiteboard before capturing information in documents or getting lost in details. It may be helpful to use a digital camera with printing capabilities to document and distribute the information from the whiteboard.
• Use an iterative approach. Add more details and improve the threat model as design and development continue. This will help with becoming familiar with the modeling process and developing the threat model to better examine more possible scenarios.
• Obtain input about the host and network constraints from the system and network administrators. To better understand the end-to-end deployment diagram, obtain as much information as possible about host configurations, firewall policies, allowed protocols and ports, and other relevant details.

The threat modeling process involves five steps:

1. Identify Security Objectives

Security objectives are the goals and constraints related to the application’s confidentiality, integrity, and availability. Security-specific objectives guide the threat modeling efforts and help to determine how much effort needs to be put toward subsequent steps. To identify security objectives, administrators should ask the following questions:

o What data should be protected?
o Are there any compliance requirements?
o Are there specific quality-of-service requirements?
o Are there intangible assets to protect?

2. Application Overview

Identify the components, data flows, and trust boundaries. To draw the end-to-end deployment scenario, the administrator should use a whiteboard.
First, they should draw a rough diagram that explains the workings and structure of the application, its subsystems, and its deployment characteristics. The deployment diagram should contain the following:

o End-to-end deployment topology
o Logical layers
o Key components
o Key services
o Communication ports and protocols
o Identities
o External dependencies

Identify Roles

The administrator should identify people and the roles and actions they can perform within the application. For example, are there higher-privileged groups of users? Who can read data? Who can update data? Who can delete data?

Identify Key Usage Scenarios

The administrator should use the application’s use cases to determine its objective. Use cases explain how the application is used and misused.

Identify Technologies

The administrator should list the technologies and key features of the software, as well as the following technologies in use:

o Operating systems
o Web server software
o Database server software
o Technologies for presentation, business, and data access layers
o Development languages

Identifying these technologies helps to focus on technology-specific threats.

Identify Application Security Mechanisms

The administrator should identify some key points regarding the following:

o Input and data validation
o Authorization and authentication
o Sensitive data
o Configuration management
o Session management
o Parameter manipulation
o Cryptography
o Exception management
o Auditing and logging

These efforts aim to identify relevant details and to add details where required, or to identify areas that require more.

3.
Decompose the Application

In this step, the administrator breaks down the application to identify the trust boundaries, data flows, entry points, and exit points. Doing so makes it considerably easier to find more relevant and more detailed threats and vulnerabilities.

Identify Trust Boundaries

Identifying the application’s trust boundaries helps the administrator to focus on the relevant areas of the application. It indicates where trust levels change.

o Identify outer system boundaries
o Identify access control points or key places where access requires extra privileges or role membership
o Identify trust boundaries from a data flow perspective

Identify Data Flows

The administrator should list the application’s data input from entry to exit. This helps to understand how the application communicates with outside systems and clients and how the internal components interact. They should pay particular attention to the data flow across trust boundaries and the data validation at the trust boundary entry point. A good approach is to start at the highest level and then deconstruct the application by testing the data flow between different subsystems.

Identify Entry Points

The application’s entry points can also serve as entry points for attacks. All users interact with the application at these entry points. Other internal entry points uncovered by subcomponents over the layers of the application may be present only to support internal communication with other components. The administrator should identify these entry points to determine the methods an intruder could use to get in through them. They should focus on the entry points that allow access to critical functionalities and provide adequate defense for them.
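As an added illustration that is not part of the EC-Council material, the Python below carries out the decomposition step on a constructed three-tier web application: components carry a trust level, data flows connect them, and the code derives the trust-boundary crossings, entry points and exit points, then maps each crossing to the vulnerability categories from the application overview that a reviewer should examine there. Component names, trust values and the controls listed on each flow are assumptions made up for the example.

```python
"""Decomposing an application for threat modeling: find trust-boundary
crossings, entry and exit points, and the vulnerability categories to review.
Added example; the application model below is constructed, not a real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    trust: int  # 0 = anonymous internet client; higher means more trusted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    controls: frozenset = frozenset()  # controls enforced where the flow is received
    sensitive: bool = False            # carries credentials or other sensitive data


# Constructed model: browser -> web tier -> application tier -> database, plus a
# shared reporting database written to by other teams (a less-trusted source).
COMPONENTS = {c.name: c for c in [
    Component("browser", 0),
    Component("shared_reports_db", 1),
    Component("web", 2),
    Component("app", 3),
    Component("db", 4),
]}

FLOWS = [
    Flow("browser", "web", "login form",
         frozenset({"tls", "input validation", "authentication"}), sensitive=True),
    Flow("browser", "web", "search query", frozenset({"tls"})),
    Flow("web", "app", "search request", frozenset({"authentication"})),
    Flow("app", "db", "sql query", frozenset({"authentication", "input validation"})),
    Flow("shared_reports_db", "app", "report rows", frozenset(), sensitive=True),
    Flow("app", "browser", "search results page", frozenset({"tls"})),
]

# Vulnerability categories from the application-overview step, keyed to the
# control whose absence at a boundary crossing makes that category relevant.
MISSING_CONTROL_TO_CATEGORY = {
    "input validation": "Input and data validation",
    "authentication": "Authorization and authentication",
    "tls": "Cryptography",
}


def crosses_boundary(flow, components=COMPONENTS):
    """A flow crosses a trust boundary when its endpoints differ in trust level."""
    return components[flow.src].trust != components[flow.dst].trust


def entry_points(flows=FLOWS, components=COMPONENTS):
    """Entry points: crossings from a less-trusted into a more-trusted component."""
    return [f for f in flows if crosses_boundary(f, components)
            and components[f.src].trust < components[f.dst].trust]


def exit_points(flows=FLOWS, components=COMPONENTS):
    """Exit points: crossings that hand data to a less-trusted component."""
    return [f for f in flows if crosses_boundary(f, components)
            and components[f.src].trust > components[f.dst].trust]


def tainted_components(flows=FLOWS, components=COMPONENTS):
    """Components that directly receive unvalidated data across a boundary;
    data they emit at an exit point is treated as untrusted-origin output."""
    return {f.dst for f in entry_points(flows, components)
            if "input validation" not in f.controls}


def identify_threats(flows=FLOWS, components=COMPONENTS):
    """Map every boundary crossing to the vulnerability categories to review."""
    findings = []
    tainted = tainted_components(flows, components)
    for f in entry_points(flows, components):
        for control, category in MISSING_CONTROL_TO_CATEGORY.items():
            if control in f.controls:
                continue
            if control == "tls" and not f.sensitive:
                continue  # transport encryption is raised only for sensitive data
            findings.append((f"{f.src}->{f.dst}", f.data, category))
    for f in exit_points(flows, components):
        if f.src in tainted:
            findings.append((f"{f.src}->{f.dst}", f.data,
                             "Input and data validation (untrusted-origin output)"))
        if f.sensitive and "tls" not in f.controls:
            findings.append((f"{f.src}->{f.dst}", f.data, "Sensitive data"))
    return findings


if __name__ == "__main__":
    for edge, data, category in identify_threats():
        print(f"{edge:28} {data:20} -> review: {category}")
```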
Identify Exit Points

The administrator should also identify the points where the application transfers data to the client or external systems. They should prioritize the exit points at which the application writes data containing client input or data from untrusted sources, such as a shared database.

4. Identify Threats

The administrator should identify threats relevant to the control scenario and context using the information obtained in the application overview and decompose-the-application steps. They should bring members of the development and test teams together to identify potential threats. The team should start with a list of common threats grouped by their application vulnerability category. This step uses a question-driven approach to help identify threats.

5. Identify Vulnerabilities

A vulnerability is a weakness in an application (deployed in an information system) that allows attacker exploitation, thereby leading to security breaches. Security administrators should identify any weaknesses related to the threats found, using the vulnerability categories to identify vulnerabilities and fix them beforehand to keep intruders away.
Incident Management

Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and to prevent recurrence of the incident. It involves not only responding to incidents but also triggering alerts to prevent potential risks and threats. A security administrator must identify software that is open to attacks before someone takes advantage of the vulnerabilities. Incident management includes the following:

• Vulnerability analysis
• Artifact analysis
• Security awareness training
• Intrusion detection
• Public or technology monitoring

The incident management process is designed to:

• Improve service quality
• Resolve problems proactively
• Reduce the impact of incidents on an organization or its business
• Meet service availability requirements
• Increase staff efficiency and productivity
• Improve user and customer satisfaction
• Assist in handling future incidents

Conducting training sessions to spread awareness among users is an important part of incident management. Such sessions help end-users to recognize suspicious events or incidents easily and report an attacker’s behavior to the appropriate authority.

The following people perform incident management activities:

• Human resources personnel take steps to fire employees suspected of harmful computer activities.
• The legal counsel sets the rules and regulations in an organization.
  These rules can influence the internal security policies and practices of the organization in case an insider or an attacker uses the organization's system for harmful or malicious activities.
- The firewall manager keeps filters in place. These filters are frequently where denial-of-service attacks are made.
- An outsourced service provider repairs systems infected by viruses and malware.

Incident response is one of the functions performed in incident handling. In turn, incident handling is one of the services provided as part of incident management. The following diagram illustrates the relationship between incident response, incident handling, and incident management.

[Figure: block diagram of incident management, showing Vulnerability Handling, Incident Handling (including Reporting and Triage), Artifact Handling, Announcements, Alerts, and Other Incident Management Services as its components]

Figure 1.9: Block Diagram of Incident Management

Incident Handling and Response

Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack.

Steps involved in the IH&R process:

1. Preparation
2. Incident Recording and Assignment
3. Incident Triage
4. Notification
5. Containment
6. Evidence Gathering and Forensic Analysis
7. Eradication
8. Recovery
9. Post-Incident Activities
   - Incident Documentation
   - Incident Impact Assessment
   - Review and Revise Policies
   - Close the Investigation
   - Incident Disclosure

Incident Handling and Response

Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack. It is a set of procedures, actions, and measures taken against an unexpected event occurrence. It involves logging, recording, and resolving incidents that take place in the organization. It notes the incident, when it occurred, its impact, and its cause. It is the practice of managing the incident response processes, such as preparation, detection, containment, eradication, and recovery, to overcome the impact of an incident quickly and efficiently.

IH&R processes are important to provide a focused approach for restoring normal business operations as quickly as possible after an incident and with minimal impact on the business. The IH&R process involves defining user policies, developing protocols, building incident response teams, auditing organizational assets, planning incident response procedures, obtaining management approval, incident reporting, prioritization, and managing response. It also includes establishing proper communication between the individuals responding to an incident and guiding them to detect, analyze, contain, recover from, and prevent incidents.

Discussed below are the steps involved in the IH&R process:

- Step 1: Preparation

  The preparation phase includes performing an audit of resources and assets to determine the purpose of security and define the rules, policies, and procedures that drive the IH&R process. It also includes building and training an incident response team, defining incident readiness procedures, and gathering the required tools, as well as training employees to secure their systems and accounts.

- Step 2: Incident Recording and Assignment

  In this phase, the initial reporting and recording of the incident take place. This phase handles identifying an incident and defining p
