Module 08 - Network Security Assessment Techniques and Tools_fax_ocred.pdf
Uploaded by barrejamesteacher
EC-Council
Module 08: Network Security Assessment Techniques and Tools
Certified Cybersecurity Technician, Exam 212-82

Module Objectives

Network security assessment plays a vital role in safeguarding the networks, devices, and data pertaining to an organization. To protect these assets from evolving cyberattacks, organizations require an understanding of the current technical security posture of their network. Network security assessment helps organizations identify existing security flaws and possible security threats and risks to their IT assets, and it helps improve the integrity and resilience of both internal and external networks.

At the end of this module, you will be able to do the following:
- Understand threat hunting concepts
- Understand cyber threat intelligence and the various feeds and sources of threat intelligence
- Understand vulnerability assessment and the various types of vulnerability assessment
- Explain ethical hacking concepts
- Understand penetration testing and its benefits
- Understand the importance of asset management and configuration management

Module 08 Page 1013 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module Flow
- Discuss Threat Hunting
- Discuss Various Threat Intelligence Feeds and Sources
- Discuss Vulnerability Assessment
- Discuss Ethical Hacking Concepts
- Understand Fundamentals of Penetration Testing and its Benefits
- Understand the Fundamentals of Configuration Management and Asset Management

Discuss Threat Hunting

Threat hunting helps in counteracting cyber threats through a systematic process and in detecting the most recent and sophisticated threats that have affected the organization's network. It is important for organizations to employ a threat hunting process to prevent malicious actors from penetrating the network and remaining covertly within it. This section discusses the threat hunting process, the threat hunting maturity model, and threat hunting tools.

Module 08 Page 1014

Threat Hunting

Threat hunting is a proactive and iterative approach of searching networks, devices, endpoints, and datasets to identify and isolate the cyber threats that have entered a network by evading the current security systems.
Threat hunting is performed by a threat hunter or security analyst through thorough research on existing indicators of compromise and advanced persistent threats across networks and devices. Security analysts track down attack attempts using threat hunting software or tools and eliminate hidden threats before they cause any damage to the assets.

Steps of Threat Hunting

The threat hunting process involves the following steps:
- Hypothesis: Make assumptions using TTPs
- Collect and process: Collect and analyze data using threat intelligence
- Trigger: Based on the hypothesis, threat-detection tools trigger an anomaly
- Investigation: Investigate malicious files/activities to eliminate the identified threats
- Response: Generate a report for future detection

Figure 8.1: Steps involved in the threat hunting process

Module 08 Page 1015

Step 1: Hypothesis
The hypothesis is an idea or assumption regarding threats existing in the environment and ways to discover them. It includes the attacker's TTPs. Threat hunters use threat intelligence, together with all the available resources such as system and network logs and network flow data, to identify threats.

Step 2: Collect and process the data
To investigate the threats, hunters must collect and process accurate data and threat intelligence; this process requires a plan. Security information and event management (SIEM) software can help in tracking historical events and activities in the network. Threat hunters analyze the collected data using threat intelligence to identify malicious activities.

Step 3: Trigger
Based on the hunter's hypothesis, the threat detection tools may trigger an anomaly in the system or network, following which the investigation process begins.
Step 4: Investigation
After finding the exact location of the anomaly, the threat hunters use threat detection tools such as endpoint detection and response (EDR) to diagnose the malicious behaviors in the network or system. The hunter can eliminate the identified threats only after a thorough investigation of the malicious files/activities.

Step 5: Response/resolution
If the hypothesis is confirmed, the malicious system is identified and isolated. The above steps can help in eliminating the malware and restoring the files. The identified information is labeled as a new mitigation technique/indicator of compromise and is added to the list for identifying similar threats in the future. Subsequently, analysts create a new rule for the threat, update the firewall/IPS, and make configuration changes accordingly.

Module 08 Page 1016

Types of Threat Hunting

The threat hunting process begins with the analyst determining what they need to hunt. A series of planned and organized hunts can gather appropriate data, which can be used further to detect cyber threats effectively. There are different types of threat hunting methods, which help in discovering threats in advance:

- Data-driven Hunting: Generating a hypothesis from observations is the initial step in hunting activities. It is a simple process of searching for what analysts can hunt from existing data. Organizations check DNS data and proxy logs for hunting.
- Intel-driven Hunting: Threat intelligence data or feeds are potential sources to hunt for threats in advance. Enterprises should have different levels of trust in both intelligence feeds and utilities.
- Entity-driven Hunting: Irrespective of the size of the network and administrative teams, enterprises are required to prioritize hunting operations to enhance the success rate. Attackers often target high-value assets such as servers, privileged accounts, and domain controllers. Entity-driven hunting helps in initiating hunts over critical assets with high risk and protects network resources and other intellectual property.
- TTP-driven Hunting: To prevent attacks before they damage assets, organizations must understand or be aware of the tactics, techniques, and procedures (TTPs) and tools attackers employ to compromise networks or systems. It is also important to note where an attack has been initiated and how attackers achieve further goals. These techniques are also a part of threat hunting, through which a conceptual representation of tackling imminent issues is created.

Module 08 Page 1017

- Hybrid Hunting: Hybrid hunting can be a combination of any of the above-mentioned hunting types that yields a productive output. For instance, a hunting process initiated based on intel about an attack can reveal what type of TTP an attacker can use and the type of assets an attacker can target, resulting in a combination of intel-, TTP-, and entity-driven hunting, which is a form of hybrid threat hunting.

Characteristics of Threat Hunting

Threat hunting is not confined to large enterprise networks. Even small and medium organizations implement it by applying the following characteristics.

- Prescient hunting: The prescient approach identifies all imminent threats, instead of simply relying on the alerts generated by security monitoring tools. Threat hunters presciently identify intruders before alerts are generated.
- Trusting the hypothesis: Rather than relying solely on the alerts generated by automated threat detectors, threat hunters analyze all the data, conduct an investigation based on the hypothesis, and create a new rule based on their findings.
- Following traces: It is a process of analyzing the compromised systems and the traces left by attackers in a network. A threat hunter follows these traces and proceeds with their investigation, irrespective of its depth.
- Creating new methods: Threat hunters need not follow existing rules; they can stay ahead of attackers by creating new rules. Threat hunters can use their creativity and adopt relevant methods to attain their ultimate goal.

Module 08 Page 1018

Threat Hunting Maturity Model (HMM)

The threat hunting maturity model (HMM) is defined by the quality and quantity of information collected from the organization's network. Providing more information to analysts will help in the investigation launched to find existing threats.
The HMM is described in the following levels, from level 0 to level 4, based on the quantity of information collected.

Figure 8.2: Threat hunting maturity model
- Level 0 (Initial): Primarily depends on automated monitoring systems and alerts; low data collection
- Level 1 (Minimal): Follows the latest threat reports; moderate- to high-level routine data collection
- Level 2 (Procedural): Adopts data analysis procedures created by others; high- to very high-level routine data collection
- Level 3 (Innovative): Creates custom data analysis procedures; high- to very high-level routine data collection
- Level 4 (Leading): Automates existing data analysis procedures; high- to very high-level routine data collection

Level 0: Initial
This is the initial level in the HMM. In this level, analysts rely on automated monitoring and alerting tools such as SIEM, intrusion detection systems (IDSes), and antimalware solutions to detect malicious activities across the organization's network. They may integrate threat intelligence indicators and signature update feeds and could even build their own indicators or signatures; all these are directly loaded into monitoring and alerting systems to detect threats. In this level, enterprises do not gather much data from IT resources; therefore, the efficiency of identifying threats in advance is limited.

Module 08 Page 1019

Level 1: Minimal
In the minimal level of HMM, organizations use threat intelligence to search for anomalies in the network, follow the latest threat reports gathered from open and closed sources, and use open-source tools for analysis. They rely on routine IT data collection and threat intelligence data.
Level 2: Procedural
In the procedural level of HMM, organizations adopt data analysis procedures created by other entities and use them in analysis with minimal changes. In this level, organizations may not be able to create their own procedures every time, although they could collect a large amount of information from their network and start a threat hunting program.

Level 3: Innovative
In the innovative level of HMM, the organization recruits a group of security analysts with knowledge of existing data analysis programs. The analysts are tasked with discovering malicious activities. Rather than depending on procedures created by others, organizations create and apply their own procedures in this level, and the data collection is higher than in the previous levels.

Level 4: Leading
The leading level of HMM is the same as the innovative level, but a key difference is that the leading level allows automation. At this level, organizations automate the data collection, detection, and analysis procedures. This helps analysts save time, as the automation permits them to focus on enhancing existing procedures and creating new procedures instead of spending time on routine processes.

Module 08 Page 1020

Threat Hunting Considerations

To perform threat hunting, the analyst requires a large amount of data from multiple sources that contain historical information, security logs and feeds, etc. Threat hunters should consider the following measures to gather information and hunt threats effectively.

- Intelligence fusion: Manual threat hunting can be performed by investigating log and network data from different sources, which can be a tedious task. Intelligence fusion is an approach to integrate security with threat intelligence and other cyber intelligence sources to increase the capability of detecting, managing, and mitigating evolving threats. It is a prescient approach to deal with potential cyber threats by identifying their impact in advance.
- Threat feeds: Threat feeds or threat intelligence feeds are real-time feeds collected from real-time attacks. These feeds include indicators of compromise (IoCs), indicators of attack (IoAs), potential threats, vulnerabilities, and existing risks. The information that can be acquired from a threat feed includes IP addresses, malicious URLs, phishing URLs, malware signatures, bot information, and ransomware indicators.
- Advisories and bulletins: Security advisories and bulletins are informative blogs or news from vendors or security specialists that provide information about the latest security threats and attacks. Security bulletins publish the latest attacks and cyber threats for all customers by documenting the threats and attack vectors with their effects and mitigation techniques.
Advisories, although they come from the same team, do not post about the attacks; rather, they address and provide advice on the security changes required for the software being used by the customers.

Module 08 Page 1021

- Maneuver: An attacker can expect threat hunting programs and attempt to evade the detection methods by implementing countermeasures against the threat hunter. A maneuver is a technique used in cyber warfare that is based on knowledge of some recent attacks and the nature of those attacks. The maneuver is among the techniques and procedures used to retaliate and protect IT resources, as it is initiated to give one actor a competitive advantage over another actor.

Module 08 Page 1022

Threat Hunting Tools

Threat hunting tools proactively monitor a network or system for imminent threats and provide alerts of abnormal behaviors and solutions to tackle threats in advance. The tools are integrated with all the necessary resources to hunt threats effectively.

MVISION EDR
Source: https://www.mcafee.com
MVISION EDR is an AI-based threat investigation tool that helps security analysts in quickly prioritizing threats and minimizing potential disruption.
The tool reduces the time to detect and respond to threats. It facilitates high-quality and actionable threat detection across the workspace without noise.

Module 08 Page 1023

Figure 8.3: Screenshot of MVISION EDR (process attributes and process activity views)

Some additional threat hunting tools are listed below:
- Cognito Recall (https://www.vectra.ai)
- Infocyte (https://www.infocyte.com)
- Exabeam (https://www.exabeam.com)
- ValueMentor (https://valuementor.com)
- FlowTraq (https://www.flowtraq.com)

Module 08 Page 1024

Discuss Various Threat Intelligence Feeds and Sources

Building a strong defense system for an organization requires strong and reliable threat intelligence. However, what is more important is that the intelligence acquired provides information about the latest and trending threats that are active in cyberspace. To obtain such reliable intelligence, organizations use different intelligence sources and feeds that provide the essential information about the threats. These threat intelligence feeds are the building element of a strong and powerful defense system. This section discusses the various feeds and sources of threat intelligence.
Module 08 Page 1025

Cyber Threat Intelligence (CTI)

Cyber threat intelligence helps the organization identify and mitigate various business risks by converting unknown threats into known threats, and it helps in implementing various advanced and proactive defense strategies for preparedness, prevention, and response actions against various cyberattacks.

According to the Oxford dictionary, a threat is defined as "[t]he possibility of a malicious attempt to damage or disrupt a computer network or system." A threat is a potential occurrence of an undesired event that can eventually damage and interrupt the operational and functional activities of an organization. A threat can affect the integrity and availability of an organization. The impact of threats is very high, and it can affect the existence of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some other action.

Threat intelligence, usually known as CTI, is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks. It is the process of recognizing or discovering any "unknown threats" that an organization can face so that necessary defense mechanisms can be applied to avoid such occurrences.
It involves collecting, researching, and analyzing trends and technical developments in the field of cyber threats (i.e., cybercrime, hacktivism, espionage, etc.). Any knowledge about threats that results in planning and decision-making in an organization to handle them is threat intelligence. The main aim of CTI is to make the organization aware of existing or emerging threats and prepare it to develop a proactive cyber security posture in advance, before these threats could exploit it. This process, in which unknown threats are converted into possibly known ones, helps in anticipating an attack before it happens and ultimately results in a better and more secure system in the organization. Thus, threat intelligence is useful in achieving secure data sharing and transactions among organizations globally.

Module 08 Page 1026

The threat intelligence process can be used to identify the risk factors that are responsible for malware attacks, SQL injection, web application attacks, data leaks, phishing, denial-of-service attacks, etc. Such risks, after being filtered out, can be put on a checklist and handled appropriately. Threat intelligence is beneficial for an organization to handle cyber threats with effective planning and execution along with thorough analysis of the threat; it also strengthens the organization's defense system, creates awareness about the impending risks, and aids in responding to such risks.

Module 08 Page 1027
Types of Threat Intelligence

Summary of the four types, from high-level to low-level:
- Strategic: High-level information on changing risks; consumed by high-level executives and management
- Tactical: Information on attackers' tactics, techniques, and procedures (TTPs); consumed by IT service and SOC managers and administrators
- Operational: Information on a specific incoming attack; consumed by security managers and network defenders
- Technical: Information on specific indicators of compromise; consumed by SOC staff and IR teams

Threat intelligence is contextual information that describes threats and guides organizations in taking various business decisions. It is extracted from a huge collection of sources and information. It provides operational insight by looking outside the organization and issuing alerts on evolving threats to the organization. For better management of the information collected from different sources, it is important to subdivide threat intelligence into different types. This subdivision is performed based on the consumers and goals of the intelligence. Based on its consumption, threat intelligence is divided into four types: strategic, tactical, operational, and technical threat intelligence. These four types differ in terms of data collection, data analysis, and intelligence consumption.

Strategic Threat Intelligence
Strategic threat intelligence provides high-level information regarding cyber security posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions. This information is consumed by high-level executives and management of the organization such as IT management and the CISO.
It helps the management in identifying current cyber risks, unknown future risks, threat groups, and attribution of breaches. The intelligence obtained provides a risk-based view that mainly focuses on high-level concepts of risks and their probability. It mainly focuses on long-term issues and provides real-time alerts of threats on the organization's critical assets such as IT infrastructure, employees, customers, and applications. This intelligence is used by the management to take strategic business decisions and to analyze the effect of such decisions. Based on the analysis, the management can allocate sufficient budget and staff to protect critical IT assets and business processes. This intelligence is collected from sources such as OSINT, CTI vendors, and ISAOs/ISACs.

Module 08 Page 1028

Tactical Threat Intelligence
Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to TTPs used by threat actors (attackers) to perform attacks. Tactical threat intelligence is consumed by cyber security professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects. It helps the cyber security professionals understand how the adversaries are expected to perform the attack on the organization, identify the information leakage from the organization, and understand the technical capabilities and goals of the attackers along with the attack vectors. Using tactical threat intelligence, security personnel develop detection and mitigation strategies beforehand by updating security products with identified indicators, patching vulnerable systems, etc.
The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, human intelligence, etc.

Operational Threat Intelligence
Operational threat intelligence provides information about specific threats against the organization. It provides contextual information about security events and incidents that helps defenders disclose potential risks, gain greater insight into attacker methodologies, identify past malicious activities, and perform investigations on malicious activity more efficiently. It is consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams. It helps organizations understand the possible threat actors and their intention, capability, and opportunity to attack, the vulnerable IT assets, and the impact of the attack if it is successful. In many cases, only government organizations can collect this type of intelligence, which also helps IR and forensic teams in deploying security assets with the aim of identifying and stopping upcoming attacks, improving the capability of detecting attacks at an early stage, and reducing their damage to IT assets. Operational threat intelligence is generally collected from sources such as humans, social media and chat rooms, and also from real-world activities and events that result in cyberattacks.

Technical Threat Intelligence
Technical threat intelligence provides information about an attacker's resources that are used to perform the attack; this includes command and control channels, tools, etc. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific IoC. It provides rapid distribution and response to threats. For example, a malware used to perform an attack is tactical threat intelligence, whereas the details related to the specific implementation of the malware come under technical threat intelligence.
Other examples of technical threat intelligence include specific IP addresses and domains used by malicious endpoints, phishing email headers, hash checksums of malware, etc. Technical threat intelligence is consumed by SOC staff and IR teams. The indicators of technical threat intelligence are collected from active campaigns, attacks that are performed on other organizations, or data feeds provided by external third parties.

Module 08 Page 1029

Layers of Threat Intelligence

An intelligence provider can be an open-source community, a movement, a private body, or a commercial body that provides threat intelligence as sources, threat intelligence feeds (TI feeds), platforms, and professional services. Threat intelligence providers are categorized based on the way they deliver or organize threat-related content. A threat intelligence provider is a body that provides a few or all four layers of threat intelligence. Threat intelligence is provided by commercial providers, government institutes, and independent research bodies.

Figure 8.4: Layers of threat intelligence (providers; sources, feeds, platforms, and professional services)

Module 08 Page 1030
Threat Intelligence Feeds

Threat intelligence feeds (TI feeds) are continuous streams of packaged data related to potential or current threats to the organization. They feature a packaged collection of data taken from different sources related to potential or current threats to an organization. Most feeds concentrate on domains, malicious IP addresses, or botnet activity. They comprise actionable information and are implemented along with technical controls to prevent cyberattacks. TI feeds are used by network defenders for the following purposes:

- Coupling of TI feeds to security tools (e.g., some firewalls block bad IP addresses after accepting feeds)
- Use of TI feeds to generate alerts (e.g., SIEM and user and entity behavior analytics (UEBA) tools correlate TI feed data with internal security events to generate alerts)
- Manual review to investigate threats if they seem relevant to the security posture

It is recommended that organizations know their feed requirements before obtaining TI feeds. To determine their requirements, they should assess themselves based on the following factors:

- Network infrastructure: What does the network infrastructure look like?
- Current security posture: What are the unique risks to the organization?
- Finance: What budget and resources are available for implementing threat intelligence?
- The ability to manage threat intelligence.
- Is the above information sufficient for building a strong strategy for the organization?

Sources of TI Feeds

Important TI feeds are obtained from the following sources.

- Publicly available feeds

These feeds are easily available on the Internet (open source, social listing, OSINT, etc.). Freely available TI feeds include the following:

  o SHODAN
  o ThreatConnect
  o VirusTotal
  o AlienVault Open Threat Exchange (OTX)
  o Zeus Tracker
  o The dark web

- Commercial providers

An organization needs to purchase these feeds (e.g., from government and commercial vendors). The following are some commercial TI feed providers:

  o Microsoft Cyber Trust Blog
  o SecureWorks Blog
  o Kaspersky Blog
  o IBM X-Force Exchange
  o FireEye
  o Recorded Future
Example: Free and Open-source TI Feed Providers

- threatfeeds.io

Source: https://threatfeeds.io

threatfeeds.io is a free and open-source threat intelligence provider that lists popular free and open-source TI feeds and sources. It also lists links for direct downloads and live summaries of the threat intelligence feeds.

Figure 8.5: Screenshot of threatfeeds.io

Some additional free and open-source TI feed providers are listed below:

- IPSpamlist (http://www.ipspamlist.com)
- Darklist (http://darklist.de)
- SSL BL (https://sslbl.abuse.ch)
- Botvrij.eu - ips (https://www.botvrij.eu)
- Monitor Malicious Executable Urls (https://www.urlvir.com)
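The two uses of TI feeds described above (correlating feed indicators such as malicious IP addresses, domains and malware hashes with internal security events to raise alerts, and coupling high-confidence IPs to a firewall blocklist) as an added Python example; it is not part of the EC-Council module or any vendor's product, and the feed layout, log lines and indicator values are all constructed for the example.

```python
"""Correlate a TI feed with internal security events (added example, not
EC-Council's or any vendor's code). Feed rows, log lines and indicator
values are constructed sample data."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Constructed feed, CSV layout: indicator,type,confidence,source
SAMPLE_FEED = """\
# indicator,type,confidence,source
198.51.100.23,ip,90,sample-feed
203.0.113.7,ip,40,sample-feed
bad-update.example,domain,85,sample-feed
0123456789abcdef0123456789abcdef,md5,95,sample-feed
999.1.1.1,ip,99,sample-feed
"""

# Constructed internal events in firewall, DNS resolver and EDR styles
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-05-01T10:00:02Z dns client=10.0.0.9 query=bad-update.example rcode=NOERROR",
    "2024-05-01T10:00:03Z fw src=10.0.0.5 dst=192.0.2.10 dport=80 action=allow",
    "2024-05-01T10:00:04Z edr host=ws12 file=setup.exe md5=0123456789ABCDEF0123456789abcdef",
    "2024-05-01T10:00:05Z fw src=10.0.0.7 dst=203.0.113.7 dport=22 action=deny",
]

@dataclass(frozen=True)
class Indicator:
    value: str       # normalised (lower-case) indicator value
    kind: str        # "ip", "domain" or "md5"
    confidence: int  # 0-100, as supplied by the feed
    source: str

@dataclass(frozen=True)
class Alert:
    log_line: str
    indicator: Indicator

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def parse_feed(text: str) -> Dict[str, Indicator]:
    """Parse feed rows keyed by normalised value; malformed rows (bad IP or
    hash, unknown type, non-numeric confidence) are skipped, not fatal."""
    feed: Dict[str, Indicator] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or row[0].startswith("#"):
            continue
        value, kind, conf, source = (f.strip() for f in row)
        value = value.lower()
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
        elif kind == "md5":
            if not _MD5.fullmatch(value):
                continue
        elif kind != "domain":
            continue
        if conf.isdigit():
            feed[value] = Indicator(value, kind, int(conf), source)
    return feed

def _candidates(line: str) -> Iterator[str]:
    """Yield tokens that could match the feed: IPv4 addresses, MD5 hashes,
    and hostnames plus every parent domain (a feed entry for example.net
    also matches cdn.example.net)."""
    yield from _IPV4.findall(line)
    for digest in _MD5.findall(line):
        yield digest.lower()
    for host in _HOST.findall(line):
        labels = host.lower().split(".")
        for i in range(len(labels) - 1):
            yield ".".join(labels[i:])

def correlate(feed: Dict[str, Indicator], logs: Iterable[str],
              min_confidence: int = 50) -> List[Alert]:
    """One alert per (log line, indicator) pair at or above the confidence
    threshold; lower-confidence hits are dropped to limit noise."""
    alerts: List[Alert] = []
    for line in logs:
        seen = set()
        for cand in _candidates(line):
            ind = feed.get(cand)
            if ind is None or ind.confidence < min_confidence or cand in seen:
                continue
            seen.add(cand)
            alerts.append(Alert(line, ind))
    return alerts

def build_blocklist(feed: Dict[str, Indicator], min_confidence: int = 80) -> List[str]:
    """High-confidence IP indicators for a firewall deny list (the
    'coupling of TI feeds to security tools' use the module mentions)."""
    return sorted(i.value for i in feed.values()
                  if i.kind == "ip" and i.confidence >= min_confidence)
```

With the sample data, the default threshold yields three alerts (IP, domain, hash) and a one-entry blocklist; the low-confidence IP hit and the malformed feed row are dropped.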
Example: Government TI Feed Providers

- Automated Indicator Sharing (AIS)

Source: https://www.dhs.gov

The free Automated Indicator Sharing (AIS) capability, provided by the US Department of Homeland Security (DHS), allows the exchange of cyber threat indicators between the federal government and the private sector at machine speed. Here, threat indicators are pieces of information such as malicious IP addresses, the sender addresses of phishing emails, etc.
Figure 8.6: Screenshot of Automated Indicator Sharing (AIS)

Some additional government TI feed providers are listed below:

- The Department of Defense Cyber Crime Center (DC3) (https://www.dc3.mil)
- US Computer Emergency Response Team (US-CERT) (https://us-cert.cisa.gov)
- European Union Agency for Network and Information Security (ENISA) (https://www.enisa.europa.eu)
- Federal Bureau of Investigation (FBI) Cyber Crime (https://www.fbi.gov)
- STOP. THINK. CONNECT. (https://www.stopthinkconnect.org)
Threat Intelligence Sources

Intelligence sources are important resources in designing an efficient intelligence system. Threat intelligence sources provide a large amount of information that intelligence analysts use to identify potential and evolving threats, allowing an organization to make strategic decisions in time. Some of the sources of intelligence collection are described below:

- Open-Source Intelligence (OSINT)

OSINT is information gathered from publicly available sources and analyzed to obtain a rich, useful form of intelligence. In OSINT, data collection uses various kinds of sources according to the requirements of the subject. OSINT is primarily used for national security, law enforcement, and collecting the intelligence required for business or strategic decision-making. The information is collected from non-sensitive sources and is analyzed to create an actionable form of intelligence.
Various sources that can be used to obtain such intelligence include:

  o Media: newspapers, magazines, brochures, television, and radio
  o Internet: information publicly accessible through the World Wide Web, such as social media websites, blogs, groups, forums, or job sites
  o Public Government Data: press conferences, speeches, government reports and releases, official declarations, and telephone directories
  o Corporate/Academic Publications: handouts, conferences, seminars, white papers, journals, and academic papers
  o Commercial Surveys: company-driven surveys for business-related tracking and market research and database analysis
  o Literature: books, research papers, business documents, newsletters, and preprints

- Human Intelligence (HUMINT)

Human intelligence is information collected by means of interpersonal communication. It can provide information such as observations or findings during a site visit, or events involving travelers, prisoners of war, and refugees. It can provide the data needed to form the necessary intelligence on the subject. The source of this form of intelligence can be another human subject who is interrogated or, in the case of friendly or cooperative spies, interviewed to collect the sensitive information to which they had access. Human intelligence is also a useful source of strong counterintelligence value. Examples of human intelligence sources are as follows:

  o Foreign defense personnel and advisors
  o Accredited diplomats
  o NGOs
  o Prisoners of war (POWs)
  o Refugees
  o Traveler interviews or debriefings

- Signals Intelligence (SIGINT)

Signals intelligence involves the gathering of information by intercepting signals.
These communication intercepts can be direct between two people or transmitted indirectly using electronic media. Signals intelligence requires various analytical methods, which may include cryptanalysis, translation, authentication, etc. This intelligence provides useful information about the adversary and helps in creating countermeasures against the adversary's advancements. Signals intelligence comprises:

  o Communication Intelligence (COMINT): It involves the gathering of information about messages or voice communications extracted from the interception of foreign communications. It reveals information about the sender, the receiver, their locations, the time and duration of the transmission, the frequencies of communication, and so forth.
  o Electronic Intelligence (ELINT): It includes information extracted using electronic sensors, and it is mainly focused on non-communication signals intelligence. The purpose is to obtain the location of the target, which could be a radar or lidar.
  o Foreign Instrumentation Signals Intelligence (FISINT): This form of intelligence is gathered from the interception of non-human communication systems emitting some sort of signals or radiation. These systems may be in their testing phase or under operational deployment in aerospace, on the surface, or under the surface. These signals may include telemetry data of weapons, data from reconnaissance devices, remotely controlled equipment, and control signals for remote devices.

- Technical Intelligence (TECHINT)

Technical intelligence is information collected from an adversary's equipment or captured enemy material (CEM). This form of information is gathered to achieve a technological advantage over the adversary.
This helps prevent technological surprise by the adversary and helps the analyst assess the adversary's scientific and technical capabilities. It also provides a quick assessment of the performance and vulnerability of the enemy's equipment, providing a critical advantage to the analysts. TECHINT enables the analyst to design countermeasures that will neutralize the adversary's attacks. Some examples of technical intelligence sources are given below:

  o Foreign equipment
  o Foreign weapon systems
  o Satellites
  o Technical research papers
  o Foreign media
  o Human contacts

- Social Media Intelligence (SOCMINT)

Social media intelligence is information collected from social networking sites and other types of social media sources. The analyst can collect SOCMINT from both open and closed social networks. SOCMINT is also a part of OSINT. Social networks provide detailed knowledge about an organization, employee profiles, contacts, activity threads, potential partners, websites, and upcoming news about the adversary. Some of the social media intelligence sources are as follows:

  o Facebook
  o LinkedIn
  o Twitter
  o WhatsApp
  o Instagram
  o Telegram

- Cyber Counterintelligence (CCI)

Cyber counterintelligence (CCI) is used as a security mechanism to protect the organization against the adversary's intelligence operations. CCI can also sometimes be effective in providing crucial information about the adversary. Cyber counterintelligence is information collected from proactively established security infrastructure or by employing various threat manipulation techniques to lure and trap threats.
CCI is basically classified into two types:

  o Defensive CCI: Defensive CCI is used to identify and counter threats or intrusions before they take place.
  o Offensive CCI: Offensive CCI deals with interactions with the adversaries for direct collection of threat information.

Some of the CCI sources are as follows:

  o Honeypots
  o Passive DNS monitors
  o Online web trackers
  o Sock puppets (fake profiling) on online forums
  o Publishing false reports

- Indicators of Compromise (IoCs)

Indicators of compromise (IoCs) are the artifacts of network security incidents. IoC information is collected from network security threats and breaches and from the alerts generated by the security infrastructure, which will likely indicate an intrusion. IoCs represent security threats and breaches, such as malware MD5 hashes, DNS attacks, virus signatures, botnet URLs or domains, and malicious IP addresses, which may indicate intrusion activity in the organization's network. IoCs are often considered technical or tactical intelligence data and usually represent known threats. Some of the IoC sources are provided below:

  o Commercial sources
  o Industrial sources
  o Free IoC-specific sources
  o Online security-related sources
  o Social media
  o News feeds
  o IoC buckets

- Industry Association and Vertical Communities

Vertical communities are the hierarchical chain of organizations that share resources and data within their business sector. Vertical communities are considered one of the threat intelligence sources where the information is collected from various threat intelligence sharing communities. It is a many-to-many interaction between organizations to share data, and the data that is shared is highly valuable and specific.
Some attack groups target specific industries working in similar fields of interest. Such industries often become potential targets if any industry with a similar field of work suffers an attack. To overcome this vulnerability, industries with a similar field of work build an association to coordinate and carry out resource and information exchange among themselves. Such industrial associations generate information with higher accuracy compared to regular commercial feeds. Some of the vertical community sources are as follows:

  o Financial Services Information Sharing and Analysis Center (FS-ISAC)
  o MISP (Malware Information Sharing Platform)
  o Information Technology - Information Sharing and Analysis Center (IT-ISAC)
  o MineMeld
  o DarkReading.com
  o Krebsonsecurity.com
  o spamhaus.org
  o virustotal.com
  o AT&T Alien Labs

- Commercial Sources

Commercial sources are considered one of the threat intelligence sources where the information is collected from commercial entities and security vendors that provide threat information to various organizations. Commercial sources of intelligence are those providers who make feeds and other forms of intelligence data commercially available to organizations. These feeds may include white papers, threat databases, legally available industrial data, use cases, or reports. These providers exhibit deep insights into their areas of intelligence and have fewer false positives. Though the information they provide may not be completely relevant to the organization, it is a bit expensive. Some of the commercial sources are as follows:

  o Kaspersky Threat Intelligence
  o McAfee
  o Avast
  o FortiGuard
  o SecureWorks
  o Cisco

- Government and Law Enforcement Sources

Government and law enforcement departments facilitate functions that may require data sharing with organizations. Threat intelligence is one of the information types that is promptly shared with the agencies, so these are considered one of the sources for threat intelligence gathering. The information collected from government and law enforcement sources may be limited due to confidentiality and ongoing inquiries. Some of the government and law enforcement sources include the following:

  o US Computer Emergency Response Team (US-CERT)
  o European Union Agency for Network and Information Security (ENISA)
  o FBI Cyber Crime
  o StopThinkConnect
  o CERIAS Blog
Deep and Dark Web Searching

The surface web is the surface layer of online cyberspace that allows the user to find web pages and content using normal web browsers. Search engines use crawlers, which are programmed bots, to access and download web pages. The surface web can be accessed by browsers like Google Chrome, Mozilla Firefox, and Opera.

The deep web is a layer of online cyberspace that consists of web pages and content that are hidden and unindexed. Content on the deep web cannot be located using a traditional web browser and search engines. The size of the deep web is incalculable, and it expands to almost the entire World Wide Web. The deep web does not allow the crawling process of basic search engines. It consists of official government or federal databases and other information linking to various organizations. The analyst can look for untraced threat information on the deep web. The deep web can be accessed by using search engines like DeeperWeb, Surfwax, InfoMine, and The WWW Virtual Library. It can be used for both legal and illegal activities.

The dark web or darknet is a deeper layer of online cyberspace; it is the subset of the deep web that enables anyone to navigate anonymously without being traced. The dark web can be accessed only through specialized tools or darknet browsers. Threat actors primarily use the dark web to perform illegal activities and cybercrimes. The dark web can be accessed by using DeeperWeb, TOR Browser, and so forth. Threat analysts can browse this space to look for data and information related to attacker resources and other vulnerability scopes.
Figure 8.7: Deep and dark web (surface web: accessible by search engines; deep web: not accessible by search engines; dark web: anonymous)

Deep and Dark Web Searching Tools

- Tor Browser

Source: https://www.torproject.org

Tor Browser is used to access the deep and dark web, where it acts like a default VPN for the user and bounces the network IP address through several servers before interacting with the web. This browser is used to access the hidden content, unindexed websites, and encrypted databases present in the deep web.
Figure 8.8: Tor Browser

Some of the additional deep and dark web searching tools are as follows:

- ExoneraTor (https://metrics.torproject.org)
- Freenet (https://freenetproject.org)
- GNUnet (https://gnunet.org)
- I2P (https://geti2p.net)
- OneSwarm (http://www.oneswarm.org)
AI and Predictive Analysis for Threat Hunting

Mere threat feeds or IT data obtained from different security solutions do not provide complete threat intelligence to proactively hunt threats. Attackers use diverse and distributed mechanisms to evade existing security boundaries. To overcome such incidents, cyber threat intelligence and security intelligence should be combined, analyzed, and processed, which can help in initiating appropriate strategies to identify threats and other security-related issues. By integrating threat intelligence from both sources, security specialists can analyze the attacker's TTPs and the risk-associated assets and reduce further attack surfaces. The AI-based correction of cyber threat intelligence, security intelligence, and predictive analysis can help organizations identify threats across every attack surface within their network.

- Artificial intelligence (AI) and machine learning (ML): AI and ML not only have uses in security operations centers (SOCs) to improve the detection and prevention of threats, but also enhance opportunities to respond to security incidents quickly. AI creates systems with human-like capabilities. ML, a subset of AI, supports security infrastructure by detecting behavioral patterns and mapping real-time attack surfaces through algorithms evolved from earlier statistical analysis and datasets. Using AI and ML for threat hunting can reduce the mean time required for hunting, analyzing, and responding to threats.

- AI-backed predictive analysis: AI-backed predictive analysis is an idea that is implemented proactively, instead of waiting for an attack to be launched. Using AI-based threat intelligence, security teams can analyze the signs of previous attacks, examine existing attack tools, and identify breach postures. By performing predictive analysis through AI-backed intelligence, reactive measures can be taken in advance, enabling security teams to be ahead of attackers. AI and ML with risk-sensing capabilities predict risks or threats ahead of time, which can be difficult for humans and rule-based security systems.
Threat Intelligence Frameworks
▪ MISP—Open Source Threat Intelligence Platform
Source: https://www.misp-project.org
MISP is an open-source threat intelligence platform for sharing, storing, and correlating IoCs of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information. MISP is used today in multiple organizations not only to store, share, and collaborate on cyber security indicators and malware analysis, but also to use the IoCs and information to detect and prevent attacks or threats against ICT infrastructures, organizations, or people.
[Figure: MISP event view. Event ID 10683; UUID 5ac8cee2-2a78-4237-88a0-d0b802de0b81; Org CIRCL; Owner org CIRCL; Email [email protected]; Tags: circl:osint-feed, estimative-language:likelihood-probability="roughly-even-chance", estimative-language:confidence-in-analytic-judgment; Date 2018-04-07; Threat Level Medium; Analysis Completed; Distribution All communities; Info: OSINT - Cisco IOS CVE-2018-0171 attack; Published Yes; #Attributes 14; Last change 2018/04/17 05:16:30; Extended by Event (10701): Constituency affected with CVE-2018-0171; Sightings 0 (0).]
Figure 8.9: Screenshot of MISP—open-source threat intelligence platform
Listed below are some of the additional threat intelligence frameworks:
▪ TC Identify (https://threatconnect.com)
▪ Yeti (https://yeti-platform.github.io)
▪ ThreatStream (https://www.anomali.com)
▪ IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com)
▪ IntelMQ (https://www.enisa.europa.eu)
Standards and Formats for Sharing Threat Intelligence
▪ Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables
▪ Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange CTI
▪ Trusted Automated Exchange of Intelligence Information (TAXII™) is an application-layer protocol for the communication of CTI in a simple and scalable manner

Standards and Formats for Sharing Threat Intelligence
The use of common standards and formats is necessary for an effective exchange of intelligence. Using standard data formats for the exchange of threat indicators enhances interoperability and supports the timely dissemination of intelligence. Unstructured formats such as text documents and email messages are mainly suitable for representing high-level threat intelligence reports intended for executives and cyber security professionals rather than machines. Using standard data formats for the automatic configuration of security controls such as firewalls and IDS/IPS also reduces the need for human intervention. It is also important that organizations participate in the development of standards for threat information sharing. Discussed below are some of the important standards and formats used in sharing threat intelligence:
▪ CybOX
Source: https://cyboxproject.github.io
CybOX allows organizations to share indicators and detections for incoming computer network attacks in a standard format. The Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables.
It is not targeted at a single cyber security use case but is intended to be flexible enough to offer a common solution for all cyber security use cases requiring the ability to deal with cyber observables. It is also intended to be flexible enough to allow both the high-fidelity description of instances of cyber observables that have been measured in an operational context, as well as more abstract patterns for potential observables that may be targets for observation and analysis a priori. CybOX is targeted to support a wide range of relevant cyber security domains including:
○ Threat intelligence
○ Malware characterization
○ Security operations
○ SIEM/Logging
○ Incident response
○ Indicator sharing
○ Digital forensics
CybOX existed as a separate language only alongside STIX 1.x; from STIX 2.0 onward, cyber observables are defined inside STIX itself (as Cyber Observable Objects), so current feeds carry them within STIX rather than as standalone CybOX documents.
▪ STIX
Source: http://stixproject.github.io
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). It enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more. The site above documents STIX 1.x; the current STIX 2.x and TAXII 2.x specifications are maintained by the OASIS CTI Technical Committee (https://oasis-open.github.io/cti-documentation/).
Figure 8.10: STIX relationship example
▪ TAXII
Source: https://taxiiproject.github.io
Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS.
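To make the STIX and TAXII description above concrete, here is an added example (not EC-Council code and not from the STIX or TAXII projects) of both ends of an exchange: a producer builds a STIX 2.1 bundle with two indicators linked to a malware family, the objects are wrapped the way a TAXII 2.1 server returns them, and a consumer turns the STIX patterns into a block list it could load into a firewall or SIEM. The indicator values (RFC 5737 documentation addresses, a made-up hash, the malware name "ExampleLoader") are constructed for the example. It uses only the Python standard library.

```python
"""Added example: STIX 2.1 bundle construction, TAXII 2.1 envelope, IOC extraction."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample data, not real threat intelligence.
SAMPLE_C2_IPS = ["198.51.100.7", "203.0.113.9"]
SAMPLE_SHA256 = "3f2a" * 16  # 64 hex characters, placeholder only

# Properties STIX 2.1 requires on every Indicator SDO.
REQUIRED_INDICATOR = ("type", "spec_version", "id", "created", "modified",
                      "pattern", "pattern_type", "valid_from")

# One comparison expression inside a STIX pattern: object_path = 'value'.
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def stix_timestamp(dt):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def make_indicator(name, pattern, ts):
    return {"type": "indicator", "spec_version": "2.1", "id": new_id("indicator"),
            "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}


def make_malware(name, ts):
    return {"type": "malware", "spec_version": "2.1", "id": new_id("malware"),
            "created": ts, "modified": ts, "name": name, "is_family": True}


def make_relationship(source_ref, target_ref, relationship_type, ts):
    return {"type": "relationship", "spec_version": "2.1", "id": new_id("relationship"),
            "created": ts, "modified": ts, "relationship_type": relationship_type,
            "source_ref": source_ref, "target_ref": target_ref}


def build_sample_bundle():
    """Producer side: two indicators that 'indicate' one malware family, in a bundle."""
    ts = stix_timestamp(datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc))
    malware = make_malware("ExampleLoader", ts)  # constructed name
    ip_pattern = "[" + " OR ".join(f"ipv4-addr:value = '{ip}'" for ip in SAMPLE_C2_IPS) + "]"
    hash_pattern = f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"
    ind_ip = make_indicator("ExampleLoader C2 addresses", ip_pattern, ts)
    ind_hash = make_indicator("ExampleLoader dropper", hash_pattern, ts)
    rels = [make_relationship(i["id"], malware["id"], "indicates", ts) for i in (ind_ip, ind_hash)]
    return {"type": "bundle", "id": new_id("bundle"), "objects": [malware, ind_ip, ind_hash, *rels]}


def to_taxii_envelope(bundle, more=False):
    """TAXII 2.1 returns objects in an envelope ({more, objects}); TAXII 2.0 returned a bundle."""
    return {"more": more, "objects": bundle["objects"]}


def validate_indicator(obj):
    """Return the required Indicator properties that are missing (empty list = valid shape)."""
    return [p for p in REQUIRED_INDICATOR if p not in obj]


def extract_iocs(container):
    """Consumer side: pull every atomic value out of the STIX patterns, grouped by object path.
    Works on a bundle or a TAXII envelope, since both carry an 'objects' list."""
    iocs = {}
    for obj in container.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if validate_indicator(obj):
            continue  # skip malformed objects rather than trusting partial data
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(path, set()).add(value)
    return iocs


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))
    for path, values in extract_iocs(to_taxii_envelope(bundle)).items():
        print(path, sorted(values))
```

The extraction deliberately walks only `indicator` objects whose `pattern_type` is `stix` and skips any object missing a required property: a feed you pull automatically into enforcement should be validated before it changes firewall state, which is also why a real consumer keeps the indicator's `valid_from`/`valid_until` window and the producer's identity rather than just the raw values.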
It enables organizations to share CTI by defining an API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX. TAXII defines two primary services to support a variety of common sharing models:
○ Collection: A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers. TAXII Clients and Servers exchange information in a request-response model.
○ Channel: Maintained by a TAXII Server, a Channel allows producers to push data to many consumers and consumers to receive data from many producers. TAXII Clients exchange information with other TAXII Clients in a publish-subscribe model.
In practice, Collections are what you will find deployed: the TAXII 2.0 specification reserved Channels for a future version without fully defining them, and TAXII 2.1 dropped them, so current servers expose Discovery, API Roots, and Collections.
[Figure: Collections (Producer TAXII Client, Request/Response, TAXII Server, Consumer TAXII Client) and Channels (Producer TAXII Client, Publish, TAXII Server, Subscribe, Consumer TAXII Client).]
Figure 8.11: TAXII

Module Flow
▪ Discuss Threat Hunting
▪ Discuss Various Threat Intelligence Feeds and Sources
▪ Discuss Vulnerability Assessment
▪ Discuss Ethical Hacking Concepts
▪ Understand Fundamentals of Penetration Testing and its Benefits
▪ Understand the Fundamentals of Configuration Management and Asset Management

Discuss Vulnerability Assessment
Vulnerability assessment plays a major role in providing security to any organization's resources and infrastructure from various internal and external threats. This section describes vulnerability research, vulnerability assessment, types of vulnerability assessment, vulnerability scoring systems, vulnerability assessment tools, the vulnerability management lifecycle, and vulnerability exploitation.

Vulnerability Research
▪ The process of analyzing protocols, services, and configurations to discover vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse
▪ Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote)
▪ An administrator needs vulnerability research: to gather information concerning security trends, threats, attack surfaces, attack vectors and techniques; to gather information to aid in the prevention of security issues; to discover weaknesses in the OS and applications, and alert the network administrator before a network attack; to know how to recover from a network attack

Vulnerability Research
Vulnerability research is the process of analyzing protocols, services, and configurations to discover the vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse.
An administrator needs vulnerability research:
▪ To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques
▪ To find weaknesses in the OS and applications and alert the network administrator before a network attack
▪ To understand information that helps prevent security problems
▪ To know how to recover from a network attack
A security professional needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of attackers through vulnerability research, which includes:
▪ Discovering the system design faults and weaknesses that might allow attackers to compromise a system
▪ Staying updated about new products and technologies and reading news related to current exploits
▪ Checking underground hacking websites (deep and dark websites) for newly discovered vulnerabilities and exploits
▪ Checking newly released alerts regarding relevant innovations and product improvements for security systems
Security experts and vulnerability scanners classify vulnerabilities by:
▪ Severity level (low, medium, or high)
▪ Exploit range (local or remote)
Security professionals need to conduct intense research with the help of information acquired in the footprinting and scanning phases to find vulnerabilities.

Resources for Vulnerability Research
[Slide: logos of the vulnerability research resources listed below.]

Resources for Vulnerability Research
The following are some of the online websites used to perform vulnerability research:
▪ Microsoft Vulnerability Research (MSVR) (https://www.microsoft.com)
▪ Dark Reading (https://www.darkreading.com)
▪ SecurityTracker (https://securitytracker.com)
▪ Trend Micro (https://www.trendmicro.com)
▪ Security Magazine (https://www.securitymagazine.com)
▪ PenTest Magazine (https://pentestmag.com)
▪ SC Magazine (https://www.scmagazine.com)
▪ Exploit Database (https://www.exploit-db.com)
▪ SecurityFocus (https://www.securityfocus.com)
▪ Help Net Security (https://www.helpnetsecurity.com)
▪ HackerStorm (http://www.hackerstorm.co.uk)
▪ Computerworld (https://www.computerworld.com)
Sources like these change or go dormant over time (SecurityFocus, for example, stopped publishing new content), so confirm that a source is still maintained before relying on it; for the authoritative record of a given vulnerability, use the CVE list and NVD entries described later in this section together with the vendor's own advisory.

What is Vulnerability Assessment?
▪ Vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation
▪ It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels
▪ A vulnerability assessment may be used to: identify weaknesses that could be exploited; predict the effectiveness of additional security measures in protecting information resources from attacks

What is Vulnerability Assessment?
A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels.
It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.
A vulnerability assessment may be used to:
▪ Identify weaknesses that could be exploited
▪ Predict the effectiveness of additional security measures in protecting information resources from attack
Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities resulting from vendor negligence, system or network administration activities, or day-to-day activities. Vulnerability-scanning software checks the computer against the Common Vulnerabilities and Exposures (CVE) index and the security bulletins provided by the software vendor.

Limitations of Vulnerability Assessment
The following are some of the limitations of vulnerability assessments:
▪ Vulnerability-scanning software only reports the vulnerabilities it can detect at a given point in time; a clean scan says nothing about vulnerabilities disclosed afterwards
▪ Vulnerability-scanning software must be updated when new vulnerabilities are discovered or when improvements are made to the software being used
▪ Software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it
▪ Vulnerability assessment does not measure the strength of security controls
▪ Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to it missing serious vulnerabilities
▪ Human judgment is needed to analyze the data after scanning and to identify false positives and false negatives
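The matching step that the paragraph above describes ("scans the computer against the CVE index") is mechanical enough to show in code, and doing so also makes two of the listed limitations visible: a finding is only as good as the version ranges in the feed, and a stale feed silently misses newer entries. The following is an added example (not EC-Council code and not how any particular scanner is implemented) that checks a software inventory against a feed in the shape NVD uses for applicability (CPE 2.3 criteria plus versionStart/versionEnd bounds). The feed, the vendor/product names, and the IDs are constructed for the example; the IDs are deliberately not valid CVE identifiers. A real scanner would load the NVD JSON feed instead of SAMPLE_FEED.

```python
"""Added example: match an inventory against an NVD-style CVE feed."""
import re

# Constructed sample feed (fictional products, placeholder IDs). Real entries come from NVD.
SAMPLE_FEED = [
    {"id": "CVE-EXAMPLE-0001", "baseScore": 9.8, "cpeMatch": [
        {"criteria": "cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"}]},
    {"id": "CVE-EXAMPLE-0002", "baseScore": 5.3, "cpeMatch": [
        {"criteria": "cpe:2.3:a:examplecorp:agent:1.0.5:*:*:*:*:*:*:*"}]},
    {"id": "CVE-EXAMPLE-0003", "baseScore": 7.5, "cpeMatch": [
        {"criteria": "cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "1.9.9"}]},
]


def version_key(version):
    """Split a version into comparable parts; numeric runs compare as integers so 2.10 > 2.9.
    Non-numeric tokens (rc1, beta) sort after numbers; this is a simplification of real
    vendor versioning schemes, which scanners handle per ecosystem."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.\-]", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. Missing trailing components count as zero, so 2.4 == 2.4.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(0, 0)] * (n - len(ka))
    kb += [(0, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version, m):
    """Apply the NVD range bounds present on a cpeMatch entry (any subset may be present)."""
    if "versionStartIncluding" in m and compare_versions(version, m["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in m and compare_versions(version, m["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in m and compare_versions(version, m["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in m and compare_versions(version, m["versionEndExcluding"]) >= 0:
        return False
    return True


def match_entry(m, vendor, product, version):
    """CPE 2.3 criteria fields: cpe:2.3:part:vendor:product:version:update:edition:lang:
    sw_edition:target_sw:target_hw:other. An explicit version means an exact match; a
    wildcard version means the range bounds decide."""
    f = m["criteria"].split(":")
    if len(f) != 13 or f[3] != vendor or f[4] != product:
        return False
    if f[5] != "*":
        return f[5] == version
    return in_range(version, m)


def scan_inventory(inventory, feed=SAMPLE_FEED):
    """Return (id, baseScore, 'vendor:product:version') findings, highest score first."""
    findings = []
    for vendor, product, version in inventory:
        for vuln in feed:
            if any(match_entry(m, vendor, product, version) for m in vuln["cpeMatch"]):
                findings.append((vuln["id"], vuln["baseScore"], f"{vendor}:{product}:{version}"))
    findings.sort(key=lambda item: -item[1])
    return findings


if __name__ == "__main__":
    # Constructed inventory, as an agent or authenticated scan would enumerate it.
    inventory = [("examplecorp", "webapp", "2.3.0"), ("examplecorp", "webapp", "2.4.1"),
                 ("examplecorp", "agent", "1.0.5"), ("examplecorp", "webapp", "1.9.9")]
    for finding in scan_inventory(inventory):
        print(finding)
```

Note that `webapp 2.4.1` produces no finding only because the feed says the fix landed in 2.4.1; if the feed is days old, or the vendor's versioning does not fit the simple dotted comparison used here, the scanner is wrong in a way that looks like a clean result, which is exactly the false-negative limitation listed above.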
Information Obtained from the Vulnerability Scanning
▪ OS version running on computers or devices
▪ Open ports and running services
▪ Application and services configuration errors
▪ Application and services vulnerabilities
▪ Accounts with weak passwords
▪ Missing patches and hotfixes

Information Obtained from the Vulnerability Scanning
Vulnerability scanners are capable of identifying the following information:
▪ The OS version running on computers or devices
▪ IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
▪ Applications installed on computers
▪ Accounts with weak passwords
▪ Files and folders with weak permissions
▪ Default services and applications that might have to be uninstalled
▪ Errors in the security configuration of common applications
▪ Computers exposed to known or publicly reported vulnerabilities
▪ EOL/EOS software information
▪ Missing patches and hotfixes
▪ Weak network configurations and misconfigured or risky ports
▪ Help to verify the inventory of all devices on the network
Vulnerability Scanning Approaches
Two approaches to network vulnerability scanning:
▪ Active Scanning: the attacker interacts directly with the target network to find vulnerabilities; also known as intrusive scanning. Example: an attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities
▪ Passive Scanning: the attacker tries to find vulnerabilities without directly interacting with the target network; also known as non-intrusive scanning. Example: an attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown

Vulnerability Scanning Approaches
There are two approaches to network vulnerability scanning:
Active Scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning simulates an attack on the target network to uncover vulnerabilities that could be exploited. Because it sends traffic to the target, it is detectable and can disrupt fragile services, which is why it is also known as intrusive scanning. Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.
Passive Scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not confirm that they are exploitable, since nothing is ever sent to the target. This type of scanning is also known as non-intrusive scanning. Example: An attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown.
Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS. Vulnerability scanning enables an attacker to identify network vulnerabilities, open ports and running services, application and services configuration errors, and application and service vulnerabilities.

Vulnerability Scoring Systems and Databases
▪ Common Vulnerability Scoring System (CVSS) (https://www.first.org, https://nvd.nist.gov): an open framework for communicating the characteristics and impacts of IT vulnerabilities; its quantitative model ensures repeatable, accurate measurement while enabling users to view the underlying vulnerability characteristics used to generate the scores. CVSS v3.0 ratings: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0. CVSS v2.0 ratings: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10
▪ Common Vulnerabilities and Exposures (CVE) (https://cve.mitre.org): a publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures
[Slide screenshots: the NVD CVSS calculator for CVE-2017-0144 (reproduced as Figure 8.12) and CVE List search results listing CVE-2019-9565, CVE-2019-7097, and CVE-2019-6452 (reproduced as Figure 8.13).]
Vulnerability Scoring Systems and Databases (Cont'd)
▪ National Vulnerability Database (NVD) (https://nvd.nist.gov): a U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP); these data enable the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics
[Slide screenshot: NVD vulnerability detail page for CVE-2019-6452 showing the CVSS v3 and v2 severity metrics (attack vector, attack complexity, privileges required, user interaction, confidentiality/integrity/availability impact, impact and exploitability scores).]
▪ Common Weakness Enumeration (CWE) (https://cwe.mitre.org): a category system for software vulnerabilities and weaknesses. It is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. It has over 600 categories of weaknesses, which enable CWE to be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts

Vulnerability Scoring Systems and Databases
Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers.
Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems.
Following are some of the vulnerability scoring systems and databases:
▪ Common Vulnerability Scoring System (CVSS)
▪ Common Vulnerabilities and Exposures (CVE)
▪ National Vulnerability Database (NVD)
▪ Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)
Source: https://www.first.org, https://nvd.nist.gov
CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The system's quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities. CVSS helps capture the principal characteristics of a vulnerability and produce a numerical score to reflect its severity.
This numerical score can thereafter be translated into a qualitative representation (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes. A CVSS assessment consists of three metric groups:
▪ Base Metrics: represent the intrinsic qualities of a vulnerability that are constant over time and across user environments
▪ Temporal Metrics: represent characteristics that change during the lifetime of the vulnerability, such as the availability of exploit code or of a fix
▪ Environmental Metrics: represent characteristics that depend on a particular environment or implementation
Each metric group yields a score from 0 to 10, with 10 being the most severe. The individual metric values are recorded in a vector string, a compact block of text (for example, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), from which the numerical scores are calculated. The CVSS calculator ranks the security vulnerabilities and provides the user with information on the overall severity related to the vulnerability. Keep in mind that CVSS measures severity, not risk: the base score does not say whether the vulnerable component is reachable in your environment or whether an exploit exists, so prioritization should combine it with the temporal and environmental metrics and with exposure data from your asset inventory.

Table 8.1: CVSS v3.0 ratings
Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

Table 8.2: CVSS v2.0 ratings
Severity    Base Score Range
Low         0.0-3.9
Medium      4.0-6.9
High        7.0-10

The same ratings apply to CVSS v3.1, which refined the v3.0 formulas and wording without changing the metrics; CVSS v4.0 (2023) uses a different metric set and is not covered here.

Common Vulnerability Scoring System Calculator Version 3: CVE-2017-0144
This page shows the components of the CVSS score for the example and allows you to refine the CVSS base score. Please read the CVSS standards guide to fully understand how to score CVSS vulnerabilities and to interpret CVSS scores. The scores are computed in sequence such that the Base Score is used to calculate the Temporal Score and the Temporal Score is used to calculate the Environmental Score.
[Figure: NVD CVSS v3 calculator for CVE-2017-0144. Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; Base Score 8.1; Impact Subscore 5.9; Exploitability Subscore 2.2; Temporal Score NA; Environmental Score NA; Overall CVSS Score 8.1. Base metric selectors: Attack Vector (AV) Network/Adjacent Network/Local/Physical; Attack Complexity (AC) Low/High; Privileges Required (PR) None/Low/High; User Interaction (UI) None/Required; Scope (S) Unchanged/Changed; Confidentiality, Integrity and Availability Impact (C/I/A) None/Low/High. All base metrics are required to generate a base score.]
Figure 8.12: Common Vulnerability Scoring System Calculator Version 3

Common Vulnerabilities and Exposures (CVE)
Source: https://cve.mitre.org
CVE® is a publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. The use of CVE Identifiers, or "CVE IDs," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when discussing or sharing information about a unique software or firmware vulnerability. CVE provides a baseline for tool evaluation and enables data exchange for cybersecurity automation. CVE IDs provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization's needs. The CVE program's website has since moved to https://www.cve.org.
In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.
What CVE is:
▪ One identifier for one vulnerability or exposure
▪ One standardized description for each vulnerability or exposure
▪ A dictionary rather than a database
▪ A method for disparate databases and tools to "speak" the same language
▪ The way to interoperability and better security coverage
▪ A basis for evaluation among services, tools, and databases
▪ Free for the public to download and use
▪ Industry-endorsed via the CVE Numbering Authorities, CVE Board, and the numerous products and services that include CVE
[Figure: CVE List search results (Total CVE Entries: 118175; 414 CVE entries match the search). Name and Description:
CVE-2019-9565: Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 allows remote attackers to steal NTLM hashes or perform SMB relay attacks upon a direct launch of the product, or upon an indirect launch via an integration such as Chrome, Firefox, Word, Outlook, etc. This occurs because the product attempts to access a share with the PLUG-INS subdomain name; an attacker may be able to use Active Directory Domain Services to register that name.
CVE-2019-7097: Adobe Dreamweaver versions 19.0 and earlier have an insecure protocol implementation vulnerability. Successful exploitation could lead to sensitive data disclosure if smb request is subject to a relay attack.
CVE-2019-6452: Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password.]
Figure 8.13: Common Vulnerabilities and Exposures (CVE)
National Vulnerability Database (NVD)
Source: https://nvd.nist.gov
The NVD is the U.S. government repository of standards-based vulnerability management data. It uses the Security Content Automation Protocol (SCAP). Such data enable the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. The NVD performs an analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with the analysis of CVEs by aggregating data points from the description, the references supplied, and any supplemental data that are publicly available. This analysis results in the association of impact metrics (Common Vulnerability Scoring System, CVSS), vulnerability types (Common Weakness Enumeration, CWE), and applicability statements (Common Platform Enumeration, CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing; it relies on vendors, third-party security researchers, and vulnerability coordinators to provide the information that is used to assign these attributes.
[Figure: NIST Information Technology Laboratory, National Vulnerability Database, vulnerability detail page.]