Security engineering based on gracenolan notes, part 4

From the Oscakampala open source cyber security branch.

Welcome. Today we are going to continue with the gracenolan notes. Please do some further deep-diving into web application pen-testing, as there are many technical details to understand and practical workouts. I am writing according to the notes.

Mitigations:

Mitigations are strategies or techniques employed to reduce or prevent the impact of security threats such as cyber-attacks. They include:

  1. Patching: Patching involves fixing known vulnerabilities or weaknesses in software systems by updating them with the latest security patches. This helps to prevent attackers from exploiting known vulnerabilities.

  2. Data Execution Prevention (DEP): DEP is a security feature that prevents the execution of code from data pages in memory, which helps to prevent certain types of attacks, such as buffer overflows.

  3. Address Space Layout Randomization (ASLR): ASLR is a security technique that randomly arranges the memory layout of an application, making it harder for attackers to locate and exploit specific areas of memory, such as those used in buffer overflow attacks.

  4. Principle of least privilege: The principle of least privilege is a security concept that advocates for limiting access to resources and privileges only to the extent necessary for users or applications to perform their functions. This reduces the potential for attackers to gain elevated privileges and carry out malicious actions.

  5. Code signing: Code signing involves digitally signing software or firmware components to verify their authenticity and integrity. This helps to prevent unauthorized code from running on a system and reduces the risk of malicious code execution.

  6. Compiler security features: Some compilers include security features that can detect and prevent buffer overflow vulnerabilities during the compilation process, such as stack canaries or bounds checking.

  7. Encryption: Encryption involves encoding data or software/firmware components to prevent unauthorized access or modification. This can be used to protect sensitive data or prevent tampering with critical system components.

  8. Mandatory Access Controls (MACs): MACs are security mechanisms that control access to resources based on a set of predefined rules or policies. This ensures that only authorized users or processes can access or modify specific resources, such as files, directories, or network services.

  9. Access Control Lists (ACLs): ACLs are a type of MAC that define a list of permissions associated with a particular resource, such as a file or directory. These permissions determine who can access or modify the resource, and what actions they are allowed to perform.

  10. Operating systems with Mandatory Access Controls, such as SELinux (Security-Enhanced Linux), are designed to provide an additional layer of security by enforcing strict access control policies and preventing unauthorized access or modification of critical system resources.

  11. "Insecure by exception" refers to the practice of allowing users to perform certain actions or access certain resources based on exceptions to established security policies. This can lead to security vulnerabilities and compromise the overall security of a system. Instead, it is recommended to establish and enforce strict security policies and only make exceptions when necessary.

  12. Finally, it is important not to blame the user for security issues. Instead, security should be designed to be user-friendly and easy to use, while still providing effective protection against threats. By building technology that people can trust, we can create a more secure and resilient digital ecosystem.

These mitigations can be used in combination to provide layers of protection against various types of attacks.

Cryptography, Authentication, Identity:

Encryption, encoding, hashing, obfuscation, and signing are all techniques used in cryptography to protect data, but they are used for different purposes and provide different levels of security:

  • Encryption: This is the process of converting plaintext into ciphertext using an encryption algorithm and a secret key. The ciphertext can only be decrypted back to the original plaintext using the same secret key. Encryption is used to protect data in transit or at rest.

  • Encoding: This is the process of converting data from one format to another format. Encoding does not provide any security or protection and can often be reversed easily.

  • Hashing: This is the process of converting any input (plaintext or ciphertext) into a fixed-length string of characters, called a hash. Hashing is a one-way process, meaning that it is difficult (ideally impossible) to derive the original input from the hash. Hashing is often used to store passwords securely.

  • Obfuscation: This is the process of making data or code more difficult to understand or read. Obfuscation does not provide any security or protection and can often be reversed with enough effort.

  • Signing: This is the process of attaching a digital signature to a message or document to prove the authenticity and integrity of the message or document. A digital signature is generated using a private key and can only be verified using the corresponding public key. Signing is often used to ensure the integrity and authenticity of digital documents.

Various attack models, such as the chosen-plaintext attack, refer to different methods that an attacker can use to try to compromise the security of a cryptographic system. For example, a chosen-plaintext attack involves an attacker being able to choose the plaintext input to an encryption algorithm and observing the resulting ciphertext output. This can be used to try to derive the secret key or other sensitive information.

As for encryption standards and implementations, some commonly used ones include:

  • RSA (asymmetric encryption)

  • AES (symmetric encryption)

  • ECC (elliptic curve cryptography, including ed25519)

  • Chacha/Salsa (symmetric encryption)

Asymmetric encryption, such as RSA and ECC, involves using a public key and a private key to encrypt and decrypt data. Asymmetric encryption is slower than symmetric encryption, but it is more secure and is often used to establish a trusted connection or transfer a shared secret key.

Symmetric encryption, such as AES and Chacha/Salsa, uses a single shared secret key to encrypt and decrypt data. Symmetric encryption is faster than asymmetric encryption, but it requires the secure sharing of the secret key. Many cryptographic protocols use a combination of both asymmetric and symmetric encryption, such as using asymmetric encryption to establish a secure connection and then using symmetric encryption for the actual data transfer.

Perfect forward secrecy (PFS) is a property of some cryptographic protocols that ensures that even if an attacker can compromise the secret key used for symmetric encryption, they cannot use that key to decrypt past communications. This is achieved by using a different symmetric key for each communication session. PFS is used in some secure messaging applications, such as Signal.

Cryptography, Authentication, and Identity are all important concepts in computer security. A brief overview of each follows.

Cryptography:

Encryption vs Encoding vs Hashing vs Obfuscation vs Signing: Encryption, encoding, hashing, obfuscation, and signing are all different techniques used in cryptography to achieve different security goals. Encryption is the process of converting plain text into cipher text using a key, making it unreadable by unauthorized parties. Encoding, on the other hand, is the process of converting data into a particular format that is usable by systems, but it doesn't provide any security. Hashing is the process of transforming data into a fixed-length string that is unique to the input data. Obfuscation is the process of making code or data difficult to understand or read. Signing is the process of attaching a digital signature to a message, which can verify the authenticity of the message and the sender.

Asymmetric vs symmetric: Asymmetric encryption is slow but good for establishing a trusted connection, while symmetric encryption is faster and uses a shared key. Many protocols use asymmetric encryption to transfer a symmetric key, which is then used for the actual data encryption. Perfect forward secrecy is a concept where even if the symmetric key is compromised, it cannot be used to decrypt previously encrypted data.

Ciphers:

Block vs stream ciphers: Block ciphers encrypt data in fixed-size blocks, while stream ciphers encrypt data one bit or byte at a time.

Block cipher modes of operation: Block ciphers can be used in various modes of operation to achieve different security goals, such as confidentiality, integrity, and authenticity. Some popular modes of operation include ECB, CBC, OFB, and CTR.

AES-GCM: AES-GCM is a block cipher mode of operation that combines the AES block cipher with the Galois/Counter Mode (GCM) of operation for authenticated encryption with associated data (AEAD).

Integrity and authenticity primitives:

Hashing functions, MACs, and HMACs are all primitives used for data integrity and authenticity.

Hashing functions: Hashing functions are used to create a fixed-length "fingerprint" of data. Common hashing functions include MD5, SHA-1, and BLAKE.

MACs and HMACs: MACs (Message Authentication Codes) and HMACs (Keyed-hash Message Authentication Codes) are used to verify the integrity and authenticity of data. They use a shared secret key to create a "tag" that is attached to the data, which can be verified by the receiver.
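The difference between encoding, a plain hash and a keyed HMAC described above, as an added example that is not part of the original notes. The key and the two messages are constructed sample values, and the scenario assumes someone who can alter data in transit but does not hold the shared key.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values for this example (not from the notes).
SHARED_KEY = secrets.token_bytes(32)   # known only to sender and receiver
ORIGINAL = b"pay 100 to alice"
ALTERED = b"pay 900 to mallory"


def encode(data: bytes) -> bytes:
    """Encoding: a format change that anyone can reverse; no key involved."""
    return base64.b64encode(data)


def decode(data: bytes) -> bytes:
    """Reverse the encoding; possible for anyone who sees the data."""
    return base64.b64decode(data)


def fingerprint(data: bytes) -> str:
    """Hashing: fixed-length digest that anyone can recompute from the data."""
    return hashlib.sha256(data).hexdigest()


def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC: a tag that can only be produced with the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, data), tag)


def accept_with_hash(message: bytes, digest: str) -> bool:
    """Receiver check when only a plain hash travels with the message."""
    return hmac.compare_digest(fingerprint(message), digest)


def tampering_outcomes() -> dict:
    """What the receiver concludes for genuine and altered messages."""
    sent_digest = fingerprint(ORIGINAL)
    sent_tag = make_tag(SHARED_KEY, ORIGINAL)
    wrong_key = secrets.token_bytes(32)  # stands in for "does not know the key"
    return {
        # Untouched traffic verifies under both schemes.
        "genuine_hash": accept_with_hash(ORIGINAL, sent_digest),
        "genuine_hmac": verify_tag(SHARED_KEY, ORIGINAL, sent_tag),
        # A plain hash catches accidental change (stale digest) ...
        "altered_stale_hash": accept_with_hash(ALTERED, sent_digest),
        # ... but not deliberate change, because the digest needs no key
        # and can be recomputed alongside the altered message.
        "altered_recomputed_hash": accept_with_hash(ALTERED, fingerprint(ALTERED)),
        # The HMAC fails whether the old tag is reused or a new tag is
        # computed under a different key.
        "altered_old_tag": verify_tag(SHARED_KEY, ALTERED, sent_tag),
        "altered_wrong_key_tag": verify_tag(
            SHARED_KEY, ALTERED, make_tag(wrong_key, ALTERED)
        ),
    }


if __name__ == "__main__":
    print("encoded:", encode(ORIGINAL), "-> decoded:", decode(encode(ORIGINAL)))
    print("sha256 :", fingerprint(ORIGINAL))
    for name, accepted in tampering_outcomes().items():
        print(f"{name:26} accepted={accepted}")
```

A bare hash protects integrity only when the digest itself arrives over a channel the attacker cannot modify; the HMAC removes that requirement by binding the tag to the shared key.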

Entropy:

PRNGs, entropy buffer draining, and methods of filling entropy buffers are all concepts related to generating random data in a computer system.

PRNGs: PRNGs (Pseudo Random Number Generators) are used to generate random data in computer systems. They are deterministic algorithms that use a seed value to generate random-looking data.

Entropy buffer draining: Entropy buffer draining is the process of using up the random data available in the system's entropy pool. This can cause problems with cryptographic operations that require random data.

Methods of filling entropy buffer: There are several methods for filling the entropy buffer, including mouse movements, keyboard timings, network timings, and hardware events.

Authentication:

Certificates, TPMs, OAuth, Auth Cookies, Sessions, SAMLv2, OpenID, Kerberos, Biometrics, Password Management, U2F/FIDO, and multi-factor auth methods are all different concepts related to authentication.

Malware & Reversing:

Malware is a type of software that is designed to harm or exploit computer systems, often for financial gain. Malware can come in many forms, such as viruses, worms, Trojans, spyware, ransomware, and more. Here are some key topics related to malware:

Interesting malware:

  • Conficker: A worm that spread rapidly in 2008 and infected millions of computers around the world, exploiting a vulnerability in Windows operating systems.

  • Morris worm: One of the first worms to gain widespread attention, created by a graduate student in 1988 to demonstrate the potential risks of networked computers.

  • Zeus malware: A Trojan horse that targets online banking systems, stealing login credentials and financial information from infected machines.

  • Stuxnet: A highly sophisticated worm that targeted industrial control systems, believed to be created by a nation-state to damage Iranian nuclear facilities.

  • WannaCry: A ransomware attack that spread globally in 2017, using a vulnerability in Windows operating systems to encrypt data on infected machines.

  • CookieMiner: A malware that targets macOS systems to steal sensitive information from cryptocurrency exchanges and users.

  • Sunburst: A supply chain attack that affected many organizations, including U.S. government agencies, by compromising the SolarWinds software.

Malware features:

  • Remote code execution: Techniques for getting malicious code to run on a target system.

  • Domain-flux and Fast-Flux: Techniques for changing the IP addresses of C2 servers to evade detection and takedowns.

  • Covert C2 channels: Techniques for hiding the communication between malware and C2 servers, such as using legitimate network protocols or hiding data in images.

  • Evasion techniques: Techniques for avoiding detection and analysis by security software or researchers, such as checking for the presence of sandboxes or VMs.

  • Process hollowing: A technique for creating a new process in a suspended state and then replacing its memory with malicious code, to evade detection by antivirus software.

  • Mutexes: A technique for preventing multiple instances of malware from running on the same system.

  • Multi-vector and polymorphic attacks: Techniques for using multiple attack vectors and changing the appearance of the malware to evade detection and analysis.

  • RAT (remote access trojan) features: Capabilities for remote control of infected machines, such as keylogging, screen capture, and file transfer.

Decompiling/reversing:

  • Obfuscation of code and unique strings: Techniques for hiding the true purpose and behavior of malware, such as using random variable names or encrypting strings.

  • IDA Pro, Ghidra: Reverse engineering tools for analyzing malware code and behavior.

Static and dynamic analysis are two approaches used to analyze software or code for security vulnerabilities and potential threats.

Static analysis involves examining the code without executing it, to identify security flaws or other issues that may be present. This is done by examining the source code, byte code, or machine code of the program. This approach can be automated and is often used to scan large codebases for common vulnerabilities, such as buffer overflows or SQL injection.

Dynamic analysis, on the other hand, involves running the software in a controlled environment to observe its behavior and identify any issues that may arise during runtime. This approach involves executing the code and observing its interactions with the operating system, network, and other resources. This approach can be useful for detecting issues that may not be apparent during static analysis, such as runtime errors, memory leaks, or other issues related to program execution.

VirusTotal, Reverse.it, and Hybrid Analysis are all online services that provide both static and dynamic analysis of software and code. These services allow users to submit files or URLs for analysis and provide reports on any potential security threats or issues that may be present. They also use machine learning and other advanced techniques to identify potential threats and vulnerabilities in code.

Exploits:

Social engineering attacks aim to trick people into performing certain actions that can harm the security of the system or the data stored within it. Common social engineering attacks include phishing, spear phishing, baiting, and tailgating.

Physical attacks target the physical security of the system or data and often involve gaining physical access to the system or device. Such attacks can be mitigated by using disk encryption, trusted platform modules, and other security mechanisms.

Network attacks involve finding vulnerabilities in networked systems and exploiting them to gain unauthorized access. Attackers use tools like Nmap, Metasploit, and Shodan to scan networks, search for vulnerabilities, and launch attacks.

Exploit kits and drive-by download attacks are typically used to distribute malware to unsuspecting victims through infected websites or emails.

Remote control attacks involve taking control of a remote system, typically through a vulnerability or exploit. These attacks can lead to remote code execution and privilege escalation.

Spoofing attacks involve impersonating a legitimate entity to gain unauthorized access or launch attacks. Spoofing can be done for email, IP addresses, MAC addresses, and biometric data.

Tools like Metasploit, ExploitDB, Shodan, and Hak5 are used by security researchers and attackers alike to find and exploit vulnerabilities. It's important to note that using such tools for unauthorized purposes is illegal and can lead to severe legal consequences.

Attack Structure:

  1. Reconnaissance: The attacker gathers information about the target, often through open-source intelligence (OSINT) methods like Google Dorking or using tools like Shodan to identify vulnerable systems.

  2. Resource development: The attacker builds the infrastructure and tools needed for the attack, which may include creating malware or obtaining access to compromised systems.

  3. Initial access: The attacker gains access to the target network or system, often through methods like phishing or exploiting public-facing applications.

  4. Execution: The attacker runs code on the compromised system, often through shells or interpreters like PowerShell or Python.

  5. Persistence: The attacker establishes a foothold in the compromised system by creating backdoors and modifying startup scripts.

  6. Privilege escalation: The attacker elevates their access privileges on the compromised system, often through methods like token or key theft.

  7. Defense evasion: The attacker attempts to evade detection and defensive measures, such as disabling logging or reverting virtual machines.

  8. Credential access: The attacker gains access to login credentials, often through methods like brute-forcing or keylogging.

  9. Discovery: The attacker explores the target system and network, looking for other vulnerable systems or sensitive information.

  10. Lateral movement: The attacker moves laterally through the network, compromising additional systems and accounts.

  11. Collection: The attacker steals valuable information or data, often through methods like capturing audio or video, database dumps, or intercepting network traffic.

  12. Exfiltration: The attacker removes stolen data from the target network, often through covert channels like DNS exfiltration or cloud backup services.

  13. Command and control: The attacker maintains communication with the compromised systems, often through encrypted channels or removable media.

  14. Impact: The attacker achieves their objectives, which may include data theft, data destruction, or disruption of services.

Threat Modeling:

The Threat Matrix is a tool used to map out and visualize the different types of threats facing an organization. It is often used as part of a risk assessment process to identify and prioritize the most critical risks. The matrix typically includes different threat categories along one axis (such as natural disasters, human error, cyber attacks, etc.) and the potential impacts along the other axis (such as financial losses, reputational damage, legal/regulatory penalties, etc.).

Trust boundaries refer to the points in a system where different levels of trust exist, and where security controls are typically implemented to protect the system. For example, a trust boundary might exist between an organization's internal network and the public Internet, or between different parts of an application that handle sensitive data and those that do not.

Security controls are measures put in place to protect systems, data, and other assets from threats. These can include technical controls such as firewalls, intrusion detection systems, and encryption, as well as administrative controls such as policies, procedures, and employee training.

The STRIDE framework is a tool for identifying and categorizing potential threats to software systems. The six threat categories in the framework are Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks. It is organized into different categories of tactics, such as initial access, execution, persistence, and exfiltration, and includes specific techniques associated with each tactic.

Lilly Ryan's "Defense Against the Dark Arts" talk is a presentation on information security that uses examples from the Harry Potter series to explain concepts such as threat modeling, incident response, and risk management. It is a creative and engaging way to introduce people to these important security concepts.

Detection:

  1. IDS: An Intrusion Detection System is a security system that detects unauthorized access to a network or computer system. It can be signature-based or behavior-based and uses rules to identify potential security threats.

  2. SIEM: Security Information and Event Management is a technology that provides real-time analysis of security alerts generated by network hardware and applications. It collects and correlates data from multiple sources, allowing for the detection of complex security incidents.

  3. IOC: Indicator of Compromise is a piece of forensic data that suggests that a system has been hacked or compromised. It may include information such as IP addresses, file names, or other artifacts.

  4. Honeypots: A honeypot is a decoy system set up to attract and detect hackers. It can be a server or a network of servers designed to mimic a legitimate system, gather information about attacks and analyze them.

  5. Firewall rules: Firewall rules are used to block or allow traffic based on specific criteria. For example, they can be set up to detect brute-force attacks or port scanning.

  6. Anomaly / Behavior-based detection: This is a technique used to detect security threats by monitoring network traffic for patterns that are not typical. It involves developing a baseline of normal network behavior and then identifying deviations from this baseline.

  7. Tools for detection: There are various tools used in threat detection such as Splunk, ArcSight, Qradar, Darktrace, Tcpdump, Wireshark, and Zeek.

  8. Things to know about attackers: Attackers can use various techniques to evade detection, such as spoofing packets or creating a lot of noise. It can be challenging to correlate IP addresses with physical locations.

  9. Logs to look at: Several types of logs can be useful for detecting security threats, including DNS queries, HTTP headers, traffic volume, traffic patterns, and execution logs.

  10. A curated list of awesome threat detection resources: This is a list of various resources related to threat detection, such as blogs, tools, and frameworks.
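A detection rule of the kind items 5 and 9 describe, as an added example that is not part of the original notes: it flags a source that touches many distinct ports on one host within a short window. The log format, addresses (documentation ranges) and thresholds are constructed assumptions, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log; the line format is an assumption of this example.
SAMPLE_LOG = """
2024-05-01T10:00:00Z ALLOW TCP 198.51.100.20:40001 -> 10.0.0.5:443
2024-05-01T10:00:01Z DENY TCP 203.0.113.7:51000 -> 10.0.0.5:21
2024-05-01T10:00:02Z ALLOW TCP 203.0.113.7:51001 -> 10.0.0.5:22
2024-05-01T10:00:02Z DENY TCP 203.0.113.7:51002 -> 10.0.0.5:23
2024-05-01T10:00:03Z ALLOW TCP 198.51.100.20:40002 -> 10.0.0.5:443
2024-05-01T10:00:04Z DENY TCP 203.0.113.7:51003 -> 10.0.0.5:25
2024-05-01T10:00:05Z ALLOW TCP 203.0.113.7:51004 -> 10.0.0.5:80
2024-05-01T10:00:06Z ALLOW TCP 203.0.113.7:51005 -> 10.0.0.5:443
malformed line that the parser must skip
2024-05-01T10:05:00Z ALLOW TCP 192.0.2.50:42000 -> 10.0.0.5:22
2024-05-01T10:20:00Z ALLOW TCP 192.0.2.50:42001 -> 10.0.0.5:80
2024-05-01T10:35:00Z ALLOW TCP 192.0.2.50:42002 -> 10.0.0.5:443
2024-05-01T10:50:00Z ALLOW TCP 192.0.2.50:42003 -> 10.0.0.5:8080
2024-05-01T11:05:00Z ALLOW TCP 192.0.2.50:42004 -> 10.0.0.5:5432
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(line):
    """Return (timestamp, action, src, dst, dport) or None for unknown lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["action"], m["src"], m["dst"], int(m["dport"])


def detect_port_scans(lines, min_ports=5, window=timedelta(seconds=10)):
    """Map (src, dst) to the ports seen when the threshold was first crossed.

    Allowed and denied attempts both count: a sweep shows up as many
    distinct destination ports regardless of how each one was answered.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
    alerts = {}
    for line in lines:
        record = parse(line)
        if record is None:
            continue              # tolerate noise instead of crashing
        ts, _action, src, dst, dport = record
        seen = recent[(src, dst)]
        seen.append((ts, dport))
        # Drop events that have aged out of the sliding window.
        while ts - seen[0][0] > window:
            seen.popleft()
        ports = {port for _, port in seen}
        if len(ports) >= min_ports and (src, dst) not in alerts:
            alerts[(src, dst)] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan: {src} -> {dst} ports={ports}")
```

The client that repeats port 443 and the host that reaches five services over an hour stay below the rule, which is the baseline-versus-deviation idea from item 6 applied with a fixed window.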

Digital Forensics:

Digital forensics is the process of collecting, preserving, analyzing, and presenting electronic data in a way that is admissible in a court of law. It is often used to investigate computer-related crimes or to recover data that has been lost or deleted.

  • Evidence volatility: different types of evidence (network, memory, disk) have different levels of volatility, which affects how they are collected and analyzed.

  • Network forensics: analyzing network traffic, including DNS logs, NetFlow, and sampling rates.

  • Disk forensics: analyzing data stored on disk, including disk imaging, filesystems, logs, and data recovery.

  • Memory forensics: analyzing data stored in memory, including memory acquisition, memory structures, and tools like Volatility and WinDbg.

  • Mobile forensics: analyzing data stored on mobile devices, including differences between mobile and computer forensics, and specific considerations for Android vs. iPhone.

  • Anti-forensics: techniques used by malware to try to hide, such as timestomping.

  • Chain of custody: documentation and procedures used to maintain the integrity of the evidence, including handover notes.

These concepts and tools are used by digital forensics investigators to collect and analyze electronic evidence in a way that is accurate, reliable, and legally admissible.

Incident Management:

Incident management is the process of responding to and resolving information security or privacy incidents when they occur. It involves a coordinated effort to detect, investigate, contain, and recover from the incident while minimizing damage to the organization.

Some key concepts and best practices in incident management include:

  • Understanding the difference between privacy incidents (breaches of personal information) and information security incidents (breaches of company systems or data).

  • Knowing when to involve legal, users, managers, and directors in the incident response process.

  • Running through different scenarios to understand how an incident might unfold, from start to finish.

  • Delegating roles and responsibilities and establishing clear lines of communication between team members.

  • Identifying the type of alert triggering the incident and understanding how to find the root cause of the issue.

  • Understanding the stages of an attack (such as the cyber-kill chain) and the difference between symptoms and causes.

  • Building a timeline of events to identify the scope and impact of the incident.

  • Assuming good intent and working collaboratively with people to resolve the issue.

  • Developing response models such as SANS' PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned) or Google's IMAG (Incident Management At Google) to guide the response effort.

Overall, incident management is an essential part of any organization's information security and privacy program. It involves a coordinated effort to detect, respond to, and recover from incidents while minimizing damage to the organization and protecting its assets.

Coding & Algorithms:

  • The basics: This covers fundamental concepts such as conditions, loops, dictionaries, lists, arrays, string and array operations, and pseudo code.

  • Data structures: This section delves into more complex data structures such as dictionaries/hash tables, arrays, stacks, SQL/tables, and Big tables.

  • Sorting: Quicksort and merge sort are common algorithms used to sort data.

  • Searching: This section covers binary and linear search algorithms.

  • Big O: This refers to the time and space complexity of algorithms.

  • Regular expressions: A powerful tool for pattern matching in strings.

  • Recursion: A technique where a function calls itself to solve a problem.

  • Python: A popular programming language with features such as list comprehensions, generators, slicing, regular expressions, and dynamic types. The section also compares Python to other programming languages and emphasizes the importance of understanding common functions.

Security Themed Coding Challenges:

These security-themed coding challenges provide a great opportunity for developers to practice their skills in text parsing and manipulation, basic data structures, and simple logic flows while also learning about various aspects of security engineering.

One of the challenges involves implementing a cipher that converts text to emoji or some other format, which can help developers understand how encryption works and how to implement basic ciphers. Another challenge involves parsing arbitrary logs to extract specific details such as domains, executable names, and timestamps, which can help developers understand how to handle and manipulate large amounts of data.

  • Web scraping is another challenge where developers need to write a script to extract information from a website. This can be useful for gathering data for research or analysis purposes. Port scanning is also a common task in security engineering, and writing a port scanner or detecting port scanning can help developers understand how networks and ports work.

  • The challenge of building an ssh botnet can help developers understand how botnets work and how to build and deploy one. Password brute-forcing is another challenge where developers need to generate credentials and store successful logins, which can help them learn about password security and common password vulnerabilities.

  • Another challenge is to write a mini forensics tool to collect identifying information from PDF metadata, which can help developers understand how to extract and analyze metadata from various types of files. Recovering deleted items is another challenge where developers need to find out where deleted items are stored and write a script to pull them from local databases.

  • Finally, the challenge of creating a program that looks for malware signatures in binaries and code samples can help developers understand how to detect and analyze malware and look at Yara rules for examples.
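One way to approach the log-parsing challenge mentioned above (extracting domains, executable names and timestamps), as an added example that is not part of the original notes. The mixed-format log lines are constructed, and the timestamp formats and executable extensions handled are assumptions of this sketch.

```python
import re

# Constructed log lines in three different formats (proxy, process, DNS).
SAMPLE = r"""
2024-05-01T10:00:01Z proxy GET http://updates.example.com/pkg.json 200
2024-05-01 10:00:07 sysmon ProcessCreate Image=C:\Windows\System32\cmd.exe Parent=C:\Users\demo\AppData\Local\Temp\Invoice.EXE
2024-05-01T10:00:09+02:00 dns query=cdn.files.example.net type=A
2024-05-01T10:00:11Z proxy CONNECT updates.example.com:443 200
2024-05-01T10:00:12Z edr blocked launch of setup.exe from removable media
free-text line without a timestamp mentioning ignored.example.org
"""

# ISO-8601 style timestamps with "T" or space, optional "Z" or UTC offset.
TIMESTAMP_RE = re.compile(
    r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})?"
)
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat")
EXECUTABLE_RE = re.compile(r"[\w.-]+\.(?:exe|dll|ps1|bat)\b", re.IGNORECASE)
# Host names: dot-separated labels ending in an alphabetic TLD. The two
# lookbehinds reject tokens that are path components (after "\" or a single
# "/") while still accepting the host that follows "//" in a URL.
DOMAIN_RE = re.compile(
    r"(?<![\w\\.-])(?<![^/]/)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b",
    re.IGNORECASE,
)


def extract_artifacts(log_text):
    """Collect timestamps, domains and executable names from mixed logs."""
    timestamps, domains, executables = [], set(), set()
    for line in log_text.splitlines():
        stamp = TIMESTAMP_RE.search(line)
        if stamp is None:
            continue  # lines that cannot be placed on a timeline are skipped
        timestamps.append(stamp.group())
        rest = line[stamp.end():]
        for match in EXECUTABLE_RE.finditer(rest):
            executables.add(match.group().lower())
        for match in DOMAIN_RE.finditer(rest):
            host = match.group().lower()
            # "setup.exe" has the same shape as a host name; keep it out
            # of the domain list by checking the executable suffixes.
            if not host.endswith(EXEC_SUFFIXES):
                domains.add(host)
    return {
        "timestamps": timestamps,
        "domains": sorted(domains),
        "executables": sorted(executables),
    }


if __name__ == "__main__":
    for kind, values in extract_artifacts(SAMPLE).items():
        print(kind, values)
```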

Developers are encouraged to put their work-in-progress scripts on GitHub and link them to their resume/CV, even if they are not perfect or complete, as this can demonstrate their skills and interest in security engineering.


@WarrenMu (github)