Index

Symbols

* (asterisks), 172

/ (backslash), 39, 94

$ (dollar sign), 56, 567

. (dot), 210

- (dash), 94

Numbers

1xx, HTTP (Hypertext Transfer Protocol), 228

2xx, HTTP (Hypertext Transfer Protocol), 228

3DES (Triple DES), 419

3xx, HTTP (Hypertext Transfer Protocol), 228

4 As, 595

4xx, HTTP (Hypertext Transfer Protocol), 228

5xx, HTTP (Hypertext Transfer Protocol), 228

802.11 standard, authentication, 258

802.11 wireless frames, 255–256

802.11 wireless LAN, 255–256

802.3 Ethernet LAN, 255

802.3 wireless association, 256

A

A, DNS (Domain Name System), 214

A (Availability Impact), 476

A4 threat model, 595

AAA (Authentication, Authorization, and Accounting), 385–387

accounting logs, 388–390

authentication, 386–388

RADIUS (Remote Authentication Dial-in User Service), 388

TACACS+ (Terminal Access Controller Access-Control System Plus), 388

AAA servers, 279–280

AAAA, DNS (Domain Name System), 214

ABAC (attribute-based access control), 385

AC (Attack Complexity), 475

acceptable use policy (AUP), 382

access attacks, 314

social engineering attacks, 317–318

types of, 315–316

access control

AAA (Authentication, Authorization, and Accounting), 385–387

access control models, 385

access control lists. See ACLs (access control lists)

access control models, 385

accessing network resources, 56–57

Account Lockout Policy, 62

accounting and auditing, AAA servers, 279

accounting logs, AAA (Authentication, Authorization, and Accounting), 388–390

ACK, 195

ACLs (access control lists), 508–509

communications security, 384

features of, 273–274

traffic control, 272–273

actions on objectives, Cyber Kill Chain, 587

active mode, wireless devices, 258

address classes, IPv4, 155–156

address formatting, IPv6, 162

address notation, IPv4, 148–149

address resolution, IPv6, 167

Address Resolution Protocol (ARP), 127, 179

ARP tables, on networking devices, 181–182

functions, 179–180

IP (Internet Protocol)

destination on remote networks, 178

destination on same network, 176–177

issues

ARP broadcasts, 182–183

ARP spoofing, 183

MAC (Media Access Control)

destination on remote networks, 178

destination on same network, 176–177

removing entries from ARP tables, 181

vulnerabilities, 354–355

address spoofing attacks, 343, 348–349

addresses

compressing, IPv6, 162–163

network addresses, IPv4, 151–152

addressing

IPv4

address notation, 148–149

host address structure, 149–150

network addresses, 151–152

subnet masks, 151–152

subnetting broadcast domains, 152–153

network protocols, 131–132

administration of Linux

file system types, 92–94

hard links and symbolic links, 96–97

hardening devices, 88–89

monitoring service logs, 89–91

roles and file permissions, 94–96

service configuration files, 84–88

administrative shares, 56

Administrator Command Prompt, Windows, 41–42

administrators, running as administrator (Windows), 41–42

ADSs (Alternate Data Streams), 29–31

Advanced Encryption Standard (AES), 419–420

Advanced Malware Protection (AMP), 271

Advanced Packaging Tool (APT), 99–101

advantages

IDSs (intrusion detection systems), 268–269

IPSs (intrusion protection systems), 268–269

adware, 310

AES (Advanced Encryption Standard), 419–420

agent-based antivirus, 460

agent-based patch management, 488–489

agentless antivirus protection, 460

agentless scanning, patch management, 489–490

aggregation, SIEM (security information and event management), 339

AIS (Automated Indicator Sharing), 301, 393

alert data, 514

alert evaluation, 550–551, 552

deterministic analysis, 552–553

probabilistic analysis, 552–553

alert generation, 544–546

alerts

evaluating, 550–551, 552

deterministic analysis, 552–553

probabilistic analysis, 552–553

sources of alerts

alert generation, 544–546

analysis tools, 544

detection tools for collecting alert data, 543–544

rules, 546–547

Security Onion, 542

Snort rule structure, 547–550

allocating ports, TCP (Transmission Control Protocol), 196–198

Alternate Data Streams (ADSs), 29–31

amateurs, 4

AMD, IPv4, 151

AMP (Advanced Malware Protection), 271, 461, 462–463

ESA (Email Security Appliance), 272

amplification and reflection attacks, 346–347

analysis

digital forensics, 572

NIST incident response life cycle, 606

analysis centers, 600

analysis tools, sources of alerts, 544

AND, 152

anomaly detection, 472

anomaly-based HIDS, 465

antimalware programs, 63, 459

antimalware protection

endpoint security, 457–458

endpoint threats, 456–457

host-based malware protection, 459

antivirus/antimalware software, 459–461

host-based firewalls, 460

host-based security sites, 460–461

antivirus/antimalware software, 459–461

APs, 262

client to AP association process, 258–260

Apache access log, 522

Apache HTTP Server access logs, 522–523

API calls, investigating, 567–568

App history tab, Task Manager, 49

application gateway firewalls, 265

application layer, OSI (Open Systems Interconnection) model, 131

application logs, Event Viewer, 519

application security

attack surfaces, 466–467

blacklisting, 467–468

system-based sandboxing, 469

whitelisting, 467–468

applications, 36–37

identifying with transport layer protocols, 185

installing on Linux hosts, 100–101

PKI (public key infrastructure), 447

apt-get command, Linux, 78

apt-get update command, Linux, 102

apt-get upgrade command, Linux, 102

architecture, Windows

file systems, 28–29

HAL (hardware and abstraction layer), 27–28

kernel, 28

user mode, 28

ARP. See Address Resolution Protocol (ARP)

arp -a command, 181

ARP broadcasts, 182–183

ARP cache poisoning, 355–357

ARP Reply, 355

ARP Request, 354

ARP spoofing, 183

ARP tables, on networking devices, 181–182

asset management, 377, 486

assets, 297, 376

identifying, 376–377

association, client and AP association, 260

asterisk (*), 172

asymmetric encryption algorithms, 416, 417, 421–423

authentication, 425–426

confidentiality, 423–424

integrity, 426–428

ATP (Advanced Packaging Tool), 99–101

attachment-based attacks, 366

attack attribution, digital forensics, 575–576

Attack Complexity (AC), 475

attack indicators, 300

attack surfaces, 297, 466–467

Attack Vector (AV), 475

attack vectors, NIST incident response life cycle, 605

attacker identification, NIST incident response life cycle, 608–609

attacks, 301–302

address spoofing attacks, 343, 348–349

amplification and reflection attacks, 346–347

attachment-based attacks, 366

buffer overflow attacks, 322–323

categories of attacks, 304–305

compromised-key attacks, 305

data modification attacks, 304

DDoS attacks, 320, 345–346

Dyn, 5

examples, 321–322

DDoS attacks, 343, 347–348

DHCP spoofing attacks, 359

DHCP starvation attacks, 362

DNS amplification and reflection attacks, 357

DNS attacks, 357–358

DNS cache poisoning attacks, 357

DNS resource utilization attacks, 357

DNS tunneling, 358–359

domain shadowing, 365

DoS (denial-of-service) attacks, 305, 319–322, 343, 345–346

eavesdropping attacks, 304

email spoofing, 366

evasion methods, 323–324

homoglyphs, 367

HTTP 302 cushioning attack, 364–365

ICMP attacks, 343–345

ICMP flood attacks, 344

IP address spoofing attacks, 304

malware, 305–306

adware, 310

common behaviors, 310–311

phishing, 310

ransomware, 309

rootkits, 310

scareware, 310

spyware, 310

Trojan horses, 306–307

viruses, 306

worms, 307–308

man-in-the-middle attacks, 305, 315, 317, 343

network attacks. See network attacks

open mil, 366

pass-the-hash, 315

password attacks, 315

password-based attacks, 304–305

PHI (protected health information), 6

PII (personally identifiable information, 6

port redirection, 315, 316–317

session hijacking, 343

TCP (Transmission Control Protocol), 352

Smurf attacks, 346

sniffer attacks, 305

social engineering attacks, 317–318

phishing, 318–319

spam email, 366

spoofing attacks, 315

TCP reset attacks, 352

TCP SYN flood attacks, 351–352

trust exploitation, 315–316

UDP (User Datagram Protocol), 353

UDP flood attack, 353

web-based attacks, 362–363

defending against, 364

attribute-based access control (ABAC), 385

AUP (acceptable use policy), 382

authentication

802.11 standard, 258

AAA (Authentication, Authorization, and Accounting), 386–388

AAA servers, 279

asymmetric encryption algorithms, 425–426

client and AP authentication, 260

origin authentication, 402

peer authentication, 446

PKI (public key infrastructure), 444–446

authoritative servers, DNS (Domain Name System), 211

authorities, 474

authorities system, PKI (public key infrastructure), 439–441

authorization, AAA servers, 279

Automated Indicator Sharing (AIS), 301, 393

AV (Attack Vector), 475

availability

downtime, 11

versus security, SOC (Security Operations Centers), 11

Availability Impact (A), 476

AVC (Application Visibility and Control), 529

AV-TEST, 461

B

backslash (/), 39, 94

baiting, 318

Base metric group, CVSS (Common Vulnerability Scoring System), 475–476

Impact metrics, 476

Basic Input-Output System (BIOS), 31–32

BCD (Boot Configuration Database), 32–33

behavior-based malware, 459

behaviors, malware, 310–311

best effort process, IPv4, 145

best evidence, 573

BGP (Border Gateway Protocol), 244

binary, converting to dotted decimal, 148

binary addresses, 151

BIOS (Basic Input-Output System), 31–32

bitcoin, 309

bits, encapsulation, 136

black hat hackers, 299

blacklisting, 467–468

blind spoofing, 348

block ciphers, 418

blogs, security blogs and podcasts, 392

Boot Configuration Database (BCD), 32–33

boot processes for Windows, 31–33

Boot tab, system configuration, 34

Bootmgr.exe, 32–33

BOOTP (bootstrap protocol), 126

Border Gateway Protocol (BGP), 244

border routers, NAT (Network Address Translation), 218

botmasters, 321

botnets, 5, 321

bots, 321, 347

bridges, 244–245

Bring Your Own Device (BYOD) policies, 382–383

Bro, 515, 543–544

broadcast, communication protocols, 130

brute-force method, 407

buffer overflow attacks, 322–323

bus, LAN topologies, 285

business continuity planning, incident response, 603

business policies, 381

BYOD (Bring Your Own Device) policies, 382–383

C

C (Confidentiality Impact), 476

C2 (command and control), Cyber Kill Chain, 586–587

CA (certificate authority), 438

Caesar substitution cipher, 404

calculators (CVSS), 476–477

CAM (content addressable memory), 245

CapME, 543

CareerBuilder.com, 13

careers

finding jobs, 14

first jobs, 14

cat command, Linux, 79

categories of attacks, 304–305

CCNA Cyber Ops certification, 12

cd command, Linux, 79

CDFS (Compact Disc File System), Linux, 92

centralized AAA, 388

CERT (Computer Emergency Response Team), 391, 600

certificate authority (CA), 438

certificate database, 439

certificate enrollment, PKI (public key infrastructure), 444–446

certificate requests, submitting, 445

certificate revocation list (CRL), 446

certificate store, 439

certificates

classes of, 440

PKI (public key infrastructure), 439

retrieving, 444

certifications, 493

CCNA Cyber Ops, 12

CompTIA Cybersecurity Analyst (CSA+), 12

GIAC (Global Information Assurance Certification), 12

(ISC)² Information security, 12

chain of custody, digital forensics, 574

channel settings, 257

characteristics, IPv4, 144–147

best effort process, 145

connectionless, 144–145

media independent, 146–147

checking IP configuration on Windows PCs, 149

chkrootkit command, Linux, 106–109

chmod command, Linux, 78

chosen-ciphertext method, 407

chosen-plaintext method, 407

chown command, Linux, 78

CIA (Confidentiality, Integrity, Availability), 384

cipher suites, 448

ciphers, 403–407

block ciphers, 418

polyalphabetic ciphers, 406–407

rail fence ciphers, 405

Rivest ciphers (RC), 420–421

stream ciphers, 418

substitution ciphers, 404

transposition ciphers, 405–406

ciphertext method, 407

Cisco 2960-X Series switches, 245

Cisco Advanced Malware Protection (AMP), 271, 462–463

Cisco Application Visibility and Control (AVC), 529

Cisco Cloud Email Security, 271–272

Cisco Cloud Web Security (CWS), 271

Cisco Cognitive Threat Analytics, 517–518

Cisco content filtering devices, 531

Cisco Cybersecurity Reports, 392

Cisco Cybersecurity Scholarship, 14

Cisco devices, logging from, 531–532

Cisco Email Security Appliance (ESA), 271–272

Cisco Meraki Systems Manager, 487

Cisco SSL Appliance, 449

Cisco Stealthwatch, 338

Cisco syslog message formats, 532

Cisco Talos, 392–393

Cisco Talos Security Intelligence and Research Group, 271

Cisco Web Security Appliance (WSA), 271

Cisco wireless router WRP500, 261

Class A, IPv4, 155

Class B, IPv4, 155

Class C, IPv4, 155

Class D, IPv4, 155

classes of certificates, 440

classful addressing, IPv4, 156

classifications

of alerts, 551–552

Trojan horses, 307

CLF (common log format), 522

CLI (command line interface), 41, 44–46

Linux, 74, 77

client error 4xx, 363

client to AP association process, wireless network operations, 258–260

clients, 119

Linux, 83–84

uploading files to servers, 84

client-server communications, 119

Linux, 82

clients, 83–84

services and ports, 83

Cloud Email Security, 271–272

Cloud Web Security (CWS), 271

cmdlets, 45

CnC (command and control), Cyber Kill Chain, 586–587

Code Red worm, 308, 309

code signing, digital signatures, 430, 432–435

Cognitive Threat Analytics, 517–518

collapsed core, LAN topologies, 287

collision fragments, 140

command accounting, 389

command and control (CnC), Cyber Kill Chain, 586–587

command injection, 367

command line interface. See CLI (command line interface)

command line-based text editors, 80

commands

apt-get command, Linux, 78

apt-get update command, Linux, 102

apt-get upgrade command, Linux, 102

arp -a command, 181

cat command, Linux, 79

cd command, Linux, 79

chkrootkit command, Linux, 106–109

chmod command, Linux, 78

chown command, 78

cp command, Linux, 79

dd command, Linux, 78

grep command, Linux, 78, 79, 110

ifconfig command, Linux, 78

ipconfig command, 54–55

ipconfig/displaydns command, 214

iwconfig command, Linux, 78

kill command, Linux, 103

Linux, 77–79

ls command, Linux, 77, 79, 94, 110

man command, Linux, 77, 79

man ls command, Linux, 77

mkdir command, Linux, 79

mount command, Linux, 93–94

for MS-DOS, 21–23

mv command, Linux, 78, 79

net accounts, 48

net command, 47–48

net session, 48

net share, 48

net start, 48

net stop, 48

net use, 48

net view, 48

netstat -abno command, 58–59

netstat command, 55, 58–59

nslookup command, 55

passwd command, Linux, 79

ping command, 53–54, 55, 168, 343–344

piping commands, Linux, 110

PowerShell, 45

ps command, Linux, 78, 103

pwd command, Linux, 78

rm command, Linux, 79

shutdown, Linux, 78

su command, Linux, 78

sudo command, Linux, 78

top command, Linux, 103–105

common log format (CLF), 522

common security architectures, 288–289

Common Vulnerabilities and Exposures (CVE), 391, 393, 479

Common Vulnerability Scoring System. See CVSS (Common Vulnerability Scoring System)

communication processes, tracing paths, 121–122

communication protocols, 123

broadcast, 130

encapsulation, 132–137

formatting, 128

multicast, 129

reference models, 130

OSI (Open Systems Interconnection) model, 131

TCP/IP model, 131–132

size, 128

three addresses, 131–132

timing, 129

unicast, 129

communications, securing, 400–402

with cryptology, 402–403

communications security, 384

Compact Disc File System (CDFS), Linux, 92

companies, ransomed companies, 3

company policies, 381

comparing

attack tools and technical knowledge, 302

host-based IPS versus network-based IPS, 269

IDS and IPS, 268

OSI (Open Systems Interconnection) model versus TCP/IP model, 130

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), 194

competitive advantage, loss of competitive advantage, 6

compliance regulations, 383, 480

FISMA (Federal Information Security Management Act of 2002), 481–482

GLBA (Gramm-Leach-Bliley Act), 482

HIPAA (Health Insurance Portability and Accountability Act), 482

PCI DSS (Payment Card Industry Data Security Standard), 480–481

SOX (Sarbanes-Oxley Act of 2002), 482

compressing addresses, IPv6, 162–163

compromised-key attacks, 305

CompTIA Cybersecurity Analyst (CSA+) certification, 12

Computer Emergency Response Team (CERT), 391, 600

computer programming, Python programming, 13

Computer Security Incident Response Team. See CSIRT (Computer Security Incident Response Team)

confidentiality

asymmetric encryption algorithms, 423–424

encryption, 416

Confidentiality Impact (C), 476

configuration files, Linux, 80–81

configuration management, 487–488

Windows administration

accessing network resources, 56–57

CLI and PowerShell

local users and domains

net command, 47–48

networking, 51–55

Resource Monitor, 49, 50–51

Run as Administrator

Task Manager, 49–50

Windows Server, 56–57

WMI (Windows Management Instrumentation), 46–47

configuration options, Windows, 33–36

configuring

network adapters, 51

networking properties, 51

Nginx web server, Linux, 85–86

NTP, Linux, 86

Snort configuration file, 86–88

Windows, 41

CONNECT, HTTP (Hypertext Transfer Protocol), 227

connection accounting, 389

connection establishment, TCP (Transmission Control Protocol), 199

connection events, NGIPS (NextGen IPS), 535

connection termination, TCP (Transmission Control Protocol), 200–201

connectionless, IPv4, 144–145

connectivity to local LAN, testing, with ping, 169–170

connectivity to remote hosts, testing, with ping, 170–171

connectivity verification

ICMP packet format, 175–176

ICMPv4 messages, 164–166

ICMPv6 RS and RA messages, 166–168

ping

testing connectivity to local LAN, 169–170

testing connectivity to remote hosts, 170–171

testing local stacks, 168–169

traceroute, testing paths, 172–175

containment, eradication, and recovery (NIST incident response life cycle), 607–609

containment strategies, NIST incident response life cycle, 607–608

content addressable memory (CAM), 245

content filter logs, 530–531

content filtering devices, 531

control bits, TCP (Transmission Control Protocol), 350

converting, binary to dotted-decimal, 148

corporate espionage, 6

correlation, SIEM (security information and event management), 338

corroborating evidence, 573

cost, incident data collection and retention, 611

cp command, Linux, 79

CPU tab, Resource Monitor, 51

CRC (cyclic redundancy check), 141

CRL (certificate revocation list), 446

Cron, 90

cross-certified CA topologies, 441–442

cross-site scripting (XSS), 368

cryptanalysis, 403, 406–407

cryptanalysts, 407

cryptography, 384, 403

ciphers, 403–407

confidentiality. See confidentiality

encrypting, network transactions, 447–448

encryption, and security monitoring, 448–449

hash functions, 409–410, 411, 411–412

HMAC (hash message authentication code), 413–416

MD5 (Message Digest 5), 412

SHA-1 (Secure Hash Algorithm 1), 412–413

SHA-2 (Secure Hash Algorithm 2), 413

keys, 408

PKI (public key infrastructure). See PKI (public key infrastructure)

cryptology, 402–403

CSIRT (Computer Security Incident Response Team), 599

types of, 599–600

Cuckoo Sandbox, 469

CVE (Common Vulnerabilities and Exposures), 391, 393, 479

CVSS (Common Vulnerability Scoring System), 473–474

metric groups, 474–475

Base metric group, 475–476

processes, 476–478

reports, 478–479

CWS (Cloud Web Security), 271

Cyber Kill Chain, 582–583

actions on objectives, 587

command and control (CnC), 586–587

delivery, 585

Diamond Model and, 590–591

exploitation, 585–586

installation, 586

reconnaissance, 583–584

weaponization, 584–585

cyber security analysts

dashboards and visualizations, 570

workflow management, 570

cyber threat indicators, 300–301

cyberattacks, 4

economic impact of cyberattacks, 5

cybercriminals, 300

CyberOPS, output of mount, 93–94

cybersecurity analysts, 118

Cybersecurity Awareness Month, 301

cybersecurity tasks, 300

cyberthreat intelligence (CTI), 394

cyberwarfare, 6–7

cyclic redundancy check (CRC), 141

D

DAC (discretionary access control), 385

DAD (Duplicate Address Detection), 167, 168

IPv6, 168

dash (-), 94

dashboards, 570

$DATA, 29

data, segmenting (transport layer protocols), 185

data archiving, 557–558

data collection, digital forensics, 572

data confidentiality, 402

data encapsulation, Ethernet, 140

Data Encryption Standard (DES), 418–419

Data field, Ethernet frames, 141

data integrity, 402

digital forensics, 574–575

data layer, encapsulation, 135

data link layer, OSI (Open Systems Interconnection) model, 131

data loss prevention, 532

data modification attacks, 304

data non-repudiation, 402

data normalization, 556–557

data platforms

data archiving, 557–558

data normalization, 556–557

data reduction, 554–556

ELSA (Enterprise Log Search and Archive), 554

data protection, 6

data reduction, 554–556

data retention, 611

data streams, 29

data transfer, TCP (Transmission Control Protocol), 201–204

datagrams, UDP (User Datagram Protocol), 196

data-sending Trojan horses, 307

DCs (domain controllers), 44

dd command, Linux, 78

DDNS (dynamic DNS), 214–215

DDoS (distributed DoS) attacks, 320, 343, 345–346, 347–348

Dyn, 5

examples, 321–322

debuggers, 304

de-encapsulating, packets, 240

default gateways, 159–160

host forwarding decision, 157–158

defending against, web-based attacks, 364

defense-in-depth, 376

identifying

assets, 376–377

threats, 378–379

vulnerabilities, 377–378

security artichoke, 380

security onion, 379

DELETE, HTTP (Hypertext Transfer Protocol), 227

delivery, Cyber Kill Chain, 585

demilitarized zone (DMZ), firewalls, 288–289

Deming cycle, 491

denial-of-service (DoS) attacks, 305

deploying

IDSs (intrusion detection systems), 269

IPSs (intrusion protection systems), 269

DES (Data Encryption Standard), 418–419

destination (SPAN) port, 334

Destination MAC Address field, Ethernet frames, 141

destination MAC addresses, switches, 247

destination on remote networks

IP (Internet Protocol), address resolution protocol, 178

MAC (Media Access Control), address resolution protocol, 178

destination on same network, MAC (Media Access Control), 176–177

destination port, TCP (Transmission Control Protocol), 188

Destination Unreachable, ICMPv4 messages, 165–166

destructive Trojan horses, 307

Details tab, Task Manager, 50

detection, NIST incident response life cycle, 606

detection and analysis, NIST incident response life cycle, 605–607

deterministic analysis, alert evaluation, 552–553

device hardening, Linux, 88–89

devices

network components, 282

wireless devices, 261–262

DH (Diffie-Hellman), 422, 428–429, 432

DHCP (Dynamic Host Configuration Protocol), 126, 206–208

DHCPv4 message format, 208–209

vulnerabilities, 359–362

DHCP spoofing attacks, 359

DHCP starvation attack, 362

DHCPACK, 206–207

DHCPDISCOVER, 206–207

DHCPNAK, 206–207

DHCPREQUEST, 206–207

DHCPv4 message format, 208–209

DHS (U.S Department of Homeland Security), 301

Diamond Model, 588–589

Cyber Kill Chain and, 590–591

pivoting across, 589

Diffie-Hellman (DH), 422, 428–429, 432

digital certificates, 430

digital signatures, 435–437

digital fingerprints, 410

digital forensics, 571

attack attribution, 575–576

chain of custody, 574

data integrity, 574–575

evidence, 573

evidence collection order, 573–574

preservation, 574–575

processes, 572

Digital Signature Algorithm (DSA), 422, 431

Digital Signature Standard (DSS), 422, 431

DSA (Digital Signature Algorithm), 431

ECDSA (Elliptic Curve Digital Signature Algorithm), 431

RSA (Rivest-Shamir-Adleman Algorithm), 431

digital signatures, 430–432

code signing, 432–435

for digital certificates, 435–437

directly connected interfaces, 243

directly connected routes, 242

directory commands, Linux, 79

disadvantages

IDSs (intrusion detection systems), 268–269

IPS (intrusion protection systems), 268–269

discovery and response, VERIS, 595

discretionary access control (DAC), 385

Disk Operating System (DOS), Windows, 21–23

Disk tab, Resource Monitor, 51

displaying

PIDs, 59

web pages, 137

distributed DoS (DDoS) attacks. See DDoS attacks

distributed firewalls, 464

DLP (data loss prevention), 532

DMZ (demilitarized zone), firewalls, 288–289

DNS (Domain Name System), 126, 209–210

DNS message format, 213–214

domain hierarchy, 210–211

dynamic DNS (DDNS), 214–215

exfiltration, 504

load balancing, 513

lookup processes, 211–213

security monitoring, 504

testing, 55

WHOIS, 215–216

DNS amplification and reflection attacks, 357

DNS attacks, 357–358

DNS cache poisoning attacks, 357

DNS message format, 213–214

DNS resource utilization attacks, 357

DNS tunneling, 358–359

DNS Zone, 211

dollar sign ($), 56, 567

domain controllers (DCs), 44

domain generation algorithms, 358

domain hierarchy, DNS (Domain Name System), 210–211

Domain Name System. See DNS (Domain Name System)

domain shadowing, 358, 365

domains, Windows, 42–44

DoS (denial-of-service) attacks, 305, 319–322, 343, 345–346

buffer overflow attacks, 322–323

DOS (Disk Operating System), Windows, 21–23

DoS Trojan horses, 307

dot (.), 210

dotted-decimal notation, 148

converting from binary, 148

double IP flux, 358

downtime, availability, 11

dropped frames, Ethernet, 140

DSA (Digital Signature Algorithm), 422, 431

DSS (Digital Signature Standard), 422, 431

DSA (Digital Signature Algorithm), 431

ECDSA (Elliptic Curve Digital Signature Algorithm), 431

RSA (Rivest-Shamir-Adleman Algorithm), 431

Duplicate Address Detection (DAD), 167, 168

IPv6, 168

Dyn, 5

dynamic DNS (DDNS), 214–215

Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)

dynamic routing protocol, 243–244

E

eavesdropping attack, 304

ECDSA (Elliptic Curve Digital Signature Algorithm), 431

Echo Request, 343–344

economic impact of cyberattacks, 5

edge routers, 379

editing text files in nano (Linux, 81

education, 12

certifications, 12

.efi files, 32

EFI System Partition), 32

egress traffic, 334

EIGamal, 423

EIGRP (Enhanced Interior Gateway Routing Protocol), 127

Elasticsearch, 339

electronic banking, threats, 377

electronic medical records (EMR), 6

elements of SOC (Security Operations Centers), 7

enterprise and managed security, 10

people, 8

processes, 8–9

technologies, 9–10

ELK (Elasticsearch, Logstash, Kibana), 339

Elliptic Curve Digital Signature Algorithm (ECDSA), 431

elliptical curve techniques, 423

ELSA (Enterprise Log Search and Archive), 544, 554, 564

data normalization, 557

queries, 565–567

email, 222–223

IMAP (Internet Message Access Protocol), 224–225

POP3 (Post Office Protocol version 3), 223–224

SMTP (Simple Mail Transfer Protocol), 223

email protocols, security monitoring, 507

Email Security Appliance (ESA), 271–272

email spoofing, 366

email viruses, 306

employee policies, 381

EMR (electronic medical records), 6

encapsulating packets, 240

encapsulation, 134

bits, 136

communication protocols, 132–137

data layer, 135

Ethernet, 136

IP (Internet Protocol), 135

IPv4, 142–143

TCP (Transmission Control Protocol), 135

encrypting network transactions, 447–448

encryption, 323, 510

asymmetric encryption algorithms, 416, 417, 421–423

authentication, 425–426

confidentiality, 423–424

integrity, 426–428

Diffie-Hellman (DH), 428–429

keys, 408

security monitoring and, 448–449

symmetric encryption, 417–418

symmetric encryption algorithms, 416–417, 418–421

wireless devices, 257

encryption tools, 304

end device logs

Apache HTTP Server access logs, 522–523

host logs, 518–520

IIS access log, 523–524

server logs, 521–522

SIEM (security information and event management), log collection, 525–526

syslog, 520–521

end devices, 237–238

endpoint events, NGIPS (NextGen IPS), 536

endpoint protection

antimalware protection

endpoint security, 457–458

endpoint threats, 456–457

host-based malware protection, 459–460

application security

attack surfaces, 466–467

blacklisting, 467–468

system-based sandboxing, 469

whitelisting, 467–468

host-based intrusion protection

HIDS operation, 465–466

HIDS products, 466

host-based firewalls, 463–464

host-based intrusion detection, 464–465

host-based malware protection

AMP (Advanced Malware Protection (AMP), 462–463

network-based malware protection, 461–462

endpoint security, 457–458

endpoint threats, 456–457

endpoint vulnerability assessment

network anomaly detection, 472

network profiling, 470–471

network vulnerability testing, 473

server profiling, 471

endpoints, 456

Enhanced Interior Gateway Routing Protocol (EIGRP), 127

enterprise patch management, 488–489

techniques for, 488–490

enterprise security, SOC (Security Operations Centers), 10

enterprise services

domain shadowing, 365

email, 366–367

HTTP (Hypertext Transfer Protocol), 362–364

HTTP 302 cushioning attack, 364–365

HTTPS (HTTP Secure), 362–364

iFrame (inline frames), 364

web-exposed databases. See web-exposed databases

entries from ARP tables, removing, 181

environmental metric group, CVSS (Common Vulnerability Scoring System), 475

eradication, NIST incident response life cycle, 609

error messages, role of protocols, 125

ESA (Email Security Appliance), 271–272, 461, 530–531

ESP (EFI System Partition), 32

Ethernet, 127, 137, 139–140

default gateways, 159–160

host forwarding decision, 157–158

encapsulation, 136

frames, 140–141

IPv4

addressing. See addressing

characteristics, 144–147

encapsulation, 142–143

packet headers, 147–148

types of addresses, 155–157

IPv6. See IPv6

MAC address format, 141–142

Ethernet II frames, 140–141

Ethernet properties, Windows 10, 53

EtherType field, Ethernet frames, 141

ethical hacking, 302

evaluating

alerts, 550–551, 552

deterministic analysis, 552–553

probabilistic analysis, 552–553

sources of alerts

alert generation, 544–546

analysis tools, 544

detection tools for collecting alert data, 543–544

rules, 546–547

Security Onion, 542

Snort rule structure, 547–550

evasion methods, 323–324

event handling, Sguil, 563

Event Table fields, Sguil, 560

Event Viewer, 59–60

host logs, 519

IIS access log, 523

evidence

digital forensics, 573

NIST incident response life cycle, 608

evidence collection order, digital forensics, 573–574

examination, digital forensics, 572

EXEC accounting, 389

exFAT (Extended FAT), 29

exfiltration, DNS (Domain Name System), 504

experience, gaining, 13–14

exploitation, Cyber Kill Chain, 585–586

exploits, 297, 298

EXT (Extended File System), 29

ext2 (second extended file system), Linux, 92

ext3 (third extended file system), Linux, 92

ext4 (fourth extended file system), Linux, 92

Extended FAT (exFAT), 29

Extended File System (EXT), 29

extended star, LAN topologies, 285

F

fast flux, 357–358

FAT (File Allocation Table), 28–29

FAT16, 28–29

FAT32, 28–29

FCS (Frame Check Sequence) field, Ethernet frames, 141

features of

ACLs (access control lists), 273–274

wireless communications, 254–256

Federal Information Processing Standard (FIPS), 432

Federal Information Security Management Act of 2002 (FISMA), 481–482

fields, Ethernet II frames, 140–141

File Allocation Table (FAT), 28–29

File Area, 30–31

file commands, Linux, 79

file details, investigating, 568–569

file permissions, 94–96

file sharing, SMB (Server Message Block), 220–221

file systems

Linux, 92–94

Windows, 28–29

File Transfer Protocol (FTP). See FTP (File Transfer Protocol), 83, 126

file transfer services

FTP (File Transfer Protocol), 219–220

TFTP (Trivial File Transfer Protocol), 220

FIN (Finish), 195, 200

financial gain, threat actors, 4

FIPS (Federal Information Processing Standard), 432

FirePOWER, 535

firewalls, 262–263, 288, 379

application gateway firewalls, 265

distributed firewalls, 464

host-based firewalls, 265, 460, 463–464

hybrid firewalls, 265

next-generation firewalls, 266

packet filtering firewalls, 264, 265–266

SOC (Security Operations Centers), Linux, 75

stateful firewalls, 264, 266

transparent firewalls, 265

Windows, 64

ZPFs (zone-based policy firewalls), 289

firmware rootkits, 106

FIRST (Forum of Incident Response and Security Teams), 391, 474

first jobs, 14

FISMA (Federal Information Security Management Act of 2002), 481–482

flow control, TCP (Transmission Control Protocol), 202–204, 351

flow deduplication, 338

flow stitching, 338

FlowViewer, NetFlow, 528

forensic analysis, SIEM (security information and event management), 338

forensic tools, 303

forking, Linux, 102–104

forks, Linux, 102–104

format and structure, role of protocols, 124

formatting

NTFS (New Technology File System), 31

partitions, 31

protocols, 128

Forum of Incident Response and Security Teams (FIRST), 391, 474

fourth extended file system (ext4), Linux, 92

FQDN (fully qualified domain name), DNS (Domain Name System), 211

Frame Check Sequence field, Ethernet frames, 141

frames, 128

Ethernet, 140–141

FTP (File Transfer Protocol), 83, 126, 219–220

FTP Trojan horses, 307

full packet captures, 516–517

functions, address resolution protocol (ARP), 179–180

fuzzers, 303

G

gamers, typical session for gamers, 120

General tab, system configuration, 33–34

Generic Routing Encapsulation (GRE), 281

GET, HTTP (Hypertext Transfer Protocol), 227

GIAC (Global Information Assurance Certification), 12

glassdoor.com, 13

GLBA (Gramm-Leach-Bliley Act), 482

Global Cybersecurity Scholarship, 14

Global Information Assurance Certification (GIAC), 12

global politics, 4

global threat intelligence, ESA (Email Security Appliance), 272

gnome terminal, Linux, 77

Gnome window manager, 98

GNU nano text editor, 80

Gramm-Leach-Bliley Act (GLBA), 482

graphical user interface (GUI), Windows, 24–26

gratuitous ARP, 354

gray hat hackers, 299

GRE (Generic Routing Encapsulation), 281

grep command, Linux, 78, 79, 110

group permissions (r--), 95

Guest account, 43

GUI (graphical user interface)

Linux hosts

Linux GUI, 99–100

X Window System, 98–99

Windows, 24–26

H

hackers, 298–299

hacking operating systems, 304

hacktivists, 300

hactivists, 4

HAL (hardware and abstraction layer), Windows, 27–28

handlers, 321

hard drives (HDs), 28–29

partitions, 30–31

hard links, Linux, 96

hardening, devices, Linux, 88–89

hardware abstraction layer (HAL), 27–28

hash functions, 409–410, 411, 411–412

HMAC (hash message authentication code), 413–416

MD5 (Message Digest 5), 412

SHA-1 (Secure Hash Algorithm 1), 412–413

SHA-2 (Secure Hash Algorithm 2), 413

hash message authentication code (HMAC), 413–416

hashes, creating, 410

HDs (hard drives), 28–29

headers

TCP (Transmission Control Protocol), 194–195

UDP (User Datagram Protocol), 196

Health Insurance Portability and Accountability Act (HIPAA), 6, 482, 571

help, PowerShell, 45–46

heuristics-based malware, 459

hexadecimal, 141

hextets, 162

HFS+ (Hierarchical File System Plus), 29

Linux, 93

Hiberfil.sys file, 32–33

hibernation, Windows, 36

HIDS (host-based intrusion detection system), 464–465, 518–519, 568

HIDS operation, 465–466

HIDS products, 466

hierarchical CA topologies, 441–442

hierarchical design model, 286–287

Hierarchical File System Plus (HFS+), Linux, 29, 93

hijacked people, 2

HIPAA (Health Insurance Portability and Accountability Act), 6, 482, 571

HIPDS (host-based intrusion detection and prevention systems), 464

HIPS (host-based IPS), 270

history of Windows

DOS (Disk Operating System), 21–23

GUI (graphical user interface), 24–26

versions, 23–24

HKEY_CLASSES_ROOT (HKCR), 39

HKEY_CURREN_USER (HKCU), 39

HKEY_CURRENT_CONFIG (HKCC), 39

HKEY_CURRENT_USER, 33

HKEY_LOCAL_MACHINE, 33

HKEY_LOCAL_MACHINE (HKLM), 39

HKEY_USERS (HKU), 39

HMAC (hash message authentication code), 413–416

homoglyphs, 367

hop limits, IPv6, 172–175

host address structure, IPv4, 149–150

host confirmation, ICMPv4 messages, 164–165

host default gateways, 159

host events, NGIPS (NextGen IPS), 536

host forwarding, default gateways, 157–158

host IP binary address, 151

host logs, 518–520

host-based firewalls, 265, 460, 463–464

host-based intrusion detection, 464–465

host-based intrusion protection

HIDS operation, 465–466

HIDS products, 466

host-based firewalls, 463–464

host-based intrusion detection, 464–465

host-based intrusion detection system. See HIDS (host-based intrusion detection system)

host-based IPS, 269, 270

host-based malware protection, 459

AMP (Advanced Malware Protection (AMP), 462–463

antivirus/antimalware software, 459–461

host-based firewalls, 460

host-based security sites, 460–461

network-based malware protection, 461–462

host-based security sites, 460–461

HTTP (Hypertext Transfer Protocol), 83, 127, 136, 225–226, 362–364

HTTPS (HTTP Secure), 228

security monitoring, 505

status codes, 228–229

HTTP 302 cushioning attack, 364–365

HTTP Secure (HTTPS), 228

HTTP URL, 227

HTTPS (HTTP Secure), 228, 362–364

security monitoring, 505–506

hub and spoke, WAN topologies, 285

hubs, 244–245

human attack surfaces, 467

human resources, incident response, 603

hybrid, WAN topologies, 285

hybrid firewalls, 265

Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)

I

I (Integrity Impact), 476

ICANN, WHOIS, 215–216

ICMP (Internet Control Message Protocol), 127

ICMPv4 messages, 164–166

mitigating abuse, 508

packet format, 175–176

rules for R1 traffic, 509

security monitoring, 507–508

ICMP attacks, 343–345

ICMP Echo messages, 164

ICMP flood attack, 344

ICMPv4 messages, 164–166

ICMPv6 (Internet Control Message Protocol version 6), 161

ICMPv6 RS and RA messages, 166–168

identification and authentication policies, 382

identifying

applications, transport layer protocols, 185

assets, defense-in-depth, 376–377

threats, defense-in-depth, 378–379

vulnerabilities, defense-in-depth, 377–378

IDS sensors, 268

IDSs (intrusion detection systems), 267, 363

advantages/disadvantages, 268–269

SOC (Security Operations Centers), Linux, 75

IETF (Internet Engineering Task Force), 161

ifconfig command, Linux, 78

iFrame (inline frames), 364, 505

IIS access log, 522, 523–524

IKE (Internet Key Exchange), 422

IM (instant messaging), 511

IMAP (Internet Message Access Protocol), 126, 224–225

security monitoring, 507

impact assessment, VERIS, 595

Impact metrics, Base metric group, 476

incident analysis, 606

incident data collection and retention, 610–611

incident description, VERIS, 595–597

incident handling

CERT (Computer Emergency Response Team), 600

CSIRT (Computer Security Incident Response Team), 599

types of addresses, 599–600

NIST 800-61r2. See NIST 800-61r2

reporting requirements and information sharing, 612

incident handling procedures, 382

incident notification, NIST incident response life cycle, 607

incident response capabilities, NIST 800-61r2, 594–601

incident response life cycle, NIST, 603–604

containment, eradication, and recovery, 607–609

detection and analysis, 605–607

post-incident activities, 609–610

preparation, 604–605

incident response models

Cyber Kill Chain, 582–583

actions on objectives, 587

command and control (CnC), 586–587

delivery, 585

and Diamond Model, 590–591

exploitation, 585–586

installation, 586

reconnaissance, 583–584

weaponization, 584–585

Diamond Model, 588–589

Cyber Kill Chain and, 590–591

pivoting across, 589

VERIS, 592

creating records, 592–594

schema elements. See schema elements

VCDB (VERIS Community Database), 598

incident response stakeholders, NIST 800-61r2, 602–603

incident tracking, VERIS, 598

Indeed.com, 13

indicators, 606

indirect evidence, 573

individual conversations, tracking, with transport layer protocols, 184–185

individuals, hijacked people, 2

INET_ATON() function, 560

information assurance, incident response, 603

information sharing, NIST 800-61r2, 612

information sources, network intelligence communities, 390–392

Information Systems Security (InfoSysSec), 391

informational 1xx, 363

INFOSYSSEC (Information Systems Security), 391

ingress traffic, 334

initial sequence number (ISN), 201

installation, Cyber Kill Chain, 586

installing applications on Linux hosts, 100–101

instant messaging (IM), 511

integrity, asymmetric encryption algorithms, 426–428

Integrity Impact (I), 476

Interface drivers, 127

intermediary network devices, 238

internal CSIRTs, 600

internal LAN elements, 458

internal routers, 379

International Information Systems Security Certification Consortium (ISC)², 391

Internet, 119

Internet Control Message. See ICMP (Internet Control Message)

Internet Engineering Task Force (IETF), 161

Internet Exchange Point (IXP), 122

Internet Key Exchange (IKE), 422

Internet Message Access Protocol (IMAP), 126

Internet of Things (IoT), 4–5

Internet Protocol Flow Information Export (IPFIX), 517

Internet Protocol. See IP (Internet Protocol)

Internet Relay Chat (IRC), 586–587

Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527), 443

internships, 14

interoperability of different PKI vendors, 442–443

intrusion detection systems. See IDSs (intrusion detection systems)

intrusion events, 588–589

Diamond Model. See Diamond Model

NGIPS (NextGen IPS), 535–536

investigating

file details, 568–569

processes or API calls, 567–568

IoT (Internet of Things), 4–5

IP (Internet Protocol), 127, 137, 186

address resolution protocol

destination on remote networks, 178

destination on same network, 176–177

encapsulation, 135

IP address spoofing attack, 304

IP addresses, querying, in ELSA, 566

IP configuration, checking on Windows PCs, 149

IP packets, 142–143

IP services

ARP cache poisoning, 355–357

ARP vulnerabilities, 354–355

DNS attacks, 357–358

vulnerabilities

ARP (Address Resolution Protocol), 354–355

ARP cache poisoning, 355–357

DHCP (Dynamic Host Configuration Protocol), 359–362

DNS attacks, 357–358

DNS tunneling, 358–359

IP vulnerabilities, 340, 343

address spoofing attacks, 348–349

amplification and reflection attacks, 346–347

DDoS (distributed DoS) attacks, 345–346, 347–348

DoS (denial-of-service) attacks, 345–346

ICMP attacks, 343–345

IPv4 packet headers, 340–342

IPv6 packet headers, 342–343

ipconfig command, 54–55

ipconfig/displaydns command, 214

IPFIX (Internet Protocol Flow Information Export), 517

iPhone IPv4 address, 150

IPS (intrusion protection systems), 267

advantages/disadvantages, 268–269

host-based IPS, 269, 270

network-based IPS, 269, 270

IPS sensors, 269

IPsec VPN, 281–282

iptables, 464

IPv4

addresses, 160

addressing

address notation, 148–149

host address structure, 149–150

network addresses, 151–152

subnet masks, 151–152

subnetting broadcast domains, 152–153

characteristics, 144–147

best effort process, 145

connectionless, 144–145

media independent, 146–147

classful addressing, 156

encapsulation, 142–143

packet headers, 147–148, 340–342

properties, Windows 10, 52

routing protocols, 244

routing tables, 160

testing connectivity to local LAN, 170

TTL (Time to Live), 172–175

types of addresses

address classes, 155–156

reserved private addresses, 156–157

IPv6, 160–161

address formatting, 162

compressing addresses, 162–163

hop limits, 172–175

packet headers, 342–343

prefix length, 163

routing protocols, 244

size and representation, 161

IRC (Internet Relay Chat), 586–587

(ISC)² Information security certifications, 12

(ISC)² International Information Systems Security Certification Consortium, 391

ISMS (Information Security Management System), 491

ISO-27001, 491–493

NIST Cybersecurity Framework, 493–495

security management systems, 491

ISN (initial sequence number), 201

ISO-27001, 491–493

IT support, incident response, 603

iwconfig command, Linux, 78

IXP (Internet Exchange Point), 122

J

jobs

finding, 14

first jobs, 14

K

Kali Linux, 76

KDE window manager, 99

kernel, 27

kernel mode, Windows, 28

Kernel Mode Code Signing (KMCS), 33

key length, 408

key size, 408

keyed-hash message authentication code (HMAC), 413

keyloggers, 40

keys, 408

PKI (public key infrastructure). See PKI (public key infrastructure)

private keys, 425–426

public keys, 423–424

keyspace, 408–409

KHMAC (key-hashed message authentication code), 413

Kibana, 124

kill command, Linux, 103

KMCS (Kernel Mode Code Signing), 33

known-plaintext method, 407

L

labeling messages, 133–134

labs

creating user accounts, 57

monitoring and managing system resources in Windows, 58

using Windows PowerShell, 57

Windows Task Manager, 58

LAN switches, 244–245, 246

LAN topologies, 285–286

LANs, internal LAN elements, 458

Layer 3 switches, 253

LBM (load balancing manager), 513

lease origination, DHCPv4, 207

lease renewal, DHCPv4, 207

legal department, incident response, 603

lesson-based hardening, post-incident activities, 609–610

lightweight APs (LWAPs), 262

links

hard links, Linux, 96

soft links, Linux, 96–97

Linux, 73

administration

file system types, 92–94

hard links and symbolic links, 96–97

hardening devices, 88–89

monitoring service logs, 89–91

roles and file permissions, 94–96

service configuration files, 84–88

CLI (command line interface), 74

client-server communications, 82

clients, 83–84

services and ports, 83

commands, 77–79

file and directory commands, 79

forking, 102–104

hard links, 96

paths, 77

penetration testing tools, 76

shell, 77

SOC (Security Operations Centers), 74–75

text editors, 79–80

text files, 79–80, 81

tools, 76

value of, 74

Linux CLI, 77

Linux GUI, 99–100

Linux hosts

GUI (graphical user interface)

Linux GUI, 99–100

X Window System, 98–99

installing applications, 100–101

malware, 105–106

patches, 102

piping commands, 110

processes, 102–104

rootkits, 106–109

LLC (Logical Link Control), 139, 140

load balancing, 512–513

load balancing manager (LBM), 513

local AAA authentication, 386–387

local exploits, 298

local host, host forwarding, 158

local loopbacks, pinging, 169

local ports, TCP (Transmission Control Protocol), 187–188

local route interfaces, 243

Local Security Authority Subsystem Service (LSASS), 520

Local Security Policy, 61–62

local stacks, testing with ping, 168–169

local TCP/IP stacks, testing, 169

local users, Windows, 42–44

log collection, SIEM (security information and event management), 525–526

log entries, 558

log file analysis, 89

log files, 558

alert data, 514

Cisco devices, 531–532

end device logs

Apache HTTP Server access logs, 522–523

host logs, 518–520

IIS access log, 523–524

server logs, 521–522

SIEM (security information and event management), 525–526

syslog, 520–521

full packet captures, 516–517

network logs

AVC (Application Visibility and Control), 529

content filter logs, 530–531

NetFlow, 527–529

tcpdump, 526–527

proxy logs, 532

session data, 515

statistical data, 517–518

transaction data, 515–516

web proxies, 532–534

log managers, SOC (Security Operations Centers), Linux, 75

logical AND operation, IPv4, 151

Logical Link Control (LLC), 139, 140

logical topology, networks, 284

logs, AAA (Authentication, Authorization, and Accounting), 388–390

Logstash, 124

LOIC (Low Orbit Ion Cannon), 353

lookup processes, DNS (Domain Name System), 211–213

loopback addresses, pinging, 54

loss of competitive advantage, 6

Low Orbit Ion Cannon (LOIC), 353

ls command, Linux, 77, 79, 94, 110

LSASS (Local Security Authority Subsystem Service), 520

lusrmgr.msc, 43

LWAPs (lightweight APs), 262

M

MAC (mandatory access control), 385

MAC (Media Access Control), 139, 140

address resolution protocol

destination on remote networks, 178

destination on same network, 176–177

Ethernet, 140

MAC address format, Ethernet, 141–142

MAC addresses, switches, 245–247

MACE (Modify, Access, Create, and Entry Modified), 29

MAC-to-IP address mapping, removing, 181

malicious iFrames, 364

malvertising, 309

malware, 63, 305–306

adware, 310

challenges of, 456–457

common behaviors, 310–311

Linux hosts, 105–106

phishing, 310

ransomware, 309

rootkits, 310

scareware, 310

spyware, 310

Trojan horses, 306–307

classifications, 307

viruses, 306

worms, 307–308

components of, 308–309

malware analysis tools, SOC (Security Operations Centers), Linux, 75

malware protection programs, 63

man command, Linux, 77, 79

man ls command, Linux, 77

managed security, SOC (Security Operations Centers), 10

managed security service provider (MSSP), 600

management, incident response, 603

management frames, 256

Management Information Base (MIB), 274

mandatory access control (MAC), 385

man-in-the-middle attacks, 305, 315, 317, 343

master boot record (MBR), 31–32

Linux, 93

Master File Table (MFT), 31

maximum transmission unit (MTU), 147

MBR (master boot record), 31–32

Linux, 93

MD5 (Message Digest 5), hash functions, 412

MDM (Mobile Device Management), 486–487

MDM (Mobile Device Management) software, 383

mechanisms, transport layer protocols, 186

media, network components, 283

Media Access Control (MAC). See MAC (Media Access Control)

media independent, IPv4, 146–147

media relations, incident response, 603

meet-in-the-middle method, 407

memory allocation, Windows, 38–39

Memory tab, Resource Monitor, 51

mesh, WAN topologies, 285

Message Digest 5 (MD5), 412

message multiplexing, 133

message segmentation, 133

messages

DNS message format, 213–214

encapsulation, 132–137

ICMPv4 messages, 164–166

ICMPv6 RS and RA messages, 166–168

labeling, 133–134

NA (Neighbor Advertisement) messages, 166

NS (Neighbor Solicitation) messages, 166

RA (Router Advertisement) messages, 166

receiving, 137

RS (Router Solicitation) messages, 166

meta-features, Diamond Model, 589

metric groups, CVSS (Common Vulnerability Scoring System), 474–475

Base metric group, 475–476

MFT (Master File Table), 31

MIB (Management Information Base), 274

Microsoft Windows, host logs, 519

Mime Types, 568

MITRE Corporation, 391

mkdir command, Linux, 79

Mobile Device Management (MDM), 486–487

Mobile Device Management (MDM) software, 383

models

access control models, 385

reference models. See reference models

monitoring

networks. See network monitoring

service logs, Linux, 89–91

monitoring systems, SOC (Security Operations Centers), 10

mount command, Linux, 93–94

mounting, 93

MPLS (Multiprotocol Label Switching), 281

Msconfig tool, 33

MS-DOS, 21–23

MS-ISAC (Multi-State Information Sharing & Analysis Center), 391

MSSP (managed security service provider), 600

MTU (maximum transmission unit), 147

multicast, communication protocols, 129

multilayer switching, 253–254

multiplexing, 133

Multiprotocol Label Switching (MPLS), 281

Multi-State Information Sharing & Analysis Center (MS-ISAC), 391

mv command, Linux, 78, 79

MX, DNS (Domain Name System), 214

MySQL log file, 326

N

NA (Neighbor Advertisement) messages, 166

NAC (Network Admission Control), 462

nano text editor, 80

NAT (Network Address Translation), 127, 157, 216–217, 509–510

FTP (File Transfer Protocol), 219–220

PAT (Port Address Translation), 218–219

routers, 217

SMB (Server Message Block), 220–221

TFTP (Trivial File Transfer Protocol), 220

NAT stitching, 338

NAT-enabled routers, 217

national CSIRTs, 600

national security, politics, 6–7

National Vulnerability Database (NVD), 480

nations, sophisticated malware, 3

NBA (Network Behavior Analysis), 517

NBAD (Network Behavior Anomaly Detection), 517

NDP (Neighbor Discovery Protocol), 166

Neighbor Advertisement (NA) messages, 166

Neighbor Discovery Protocol (NDP), 166

Neighbor Solicitation (NS) messages, 166

net accounts, 48

net command, 47–48

net session, 48

net share, 48

net start, 48

net stop, 48

net use, 48

net view, 48

NetFlow, 275–276, 335, 337–338, 510, 527–529

events, 536

netstat -abno command, 58–59

netstat command, 55, 58–59

network adapters, configuration management, 51

Network Address Translation (NAT). See NAT (Network Address Translation)

network addresses, IPv4, 151–152

Network Admission Control (NAC), 462

Network and Sharing Center, 51–52

network anomaly detection, 472

network attack surfaces, 467

network attacks, 311–312

access attacks, 314

types of, 315–316

DoS (denial-of-service) attacks, 319–322

network monitoring. See network monitoring

reconnaissance attacks, 312–314

Network Behavior Analysis (NBA), 517

Network Behavior Anomaly Detection (NBAD), 517

network communication, Ethernet. See Ethernet

network communication devices

network devices

bridges, 244–245

end devices, 237–238

hubs, 244–245

LAN switches, 244–245

multilayer switching, 253–254

router operations, 241–242

routers, 238–240

routing information, 242–244

STP (Spanning Tree Protocol), 248–252

switching operations, 245–247

VLANs (virtual LANs), 247–248

wireless communications. See wireless communications

network communications processes. See also communication protocols

client-server communications, 119

typical session for gamers, 120

typical session for students, 119–120

typical session for surgeons, 121

views of the network, 118–119

network components, 282–283

network devices

bridges, 244–245

end devices, 237–238

hubs, 244–245

LAN switches, 244–245

multilayer switching, 253–254

router operations, 241–242

routers, 238–240

routing information, 242–244

STP (Spanning Tree Protocol), 248–252

switching operations, 245–247

VLANs (virtual LANs), 247–248

network discovery events, NGIPS (NextGen IPS), 536

Network File System (NFS), Linux, 92

network intelligence communities, 390–392

network interface card (NIC), 276

network layer, OSI (Open Systems Interconnection) model, 131

network logs

AVC (Application Visibility and Control), 529

content filter logs, 530–531

NetFlow, 527–529

tcpdump, 526–527

network maintenance policies, 382

network mode, 257

network monitoring, 333

network security topology, 332–333

TAPs (Terminal Access Points), 333–334

tools, 335

network protocol analyzers, 335–339

traffic monitoring and SPAN, 334

network packet capture software, SOC (Security Operations Centers), Linux, 74

network penetration tests, 303

network profiling, 470–471

network protocol analyzers, 335–339

network protocol communication, 123

network protocol suites, 124–125

network protocols

Address Resolution Protocol. See Address Resolution Protocol (ARP)

communication processes

client-server communications, 119

tracing paths, 121–122

typical session for gamers, 120

typical session for students, 119–120

typical session for surgeons, 121

views of the network, 118–119

connectivity verification. See connectivity verification

encapsulation, 132–137

role of, 124–125

TCP/IP protocol suite, 126–128

transport layer protocols. See transport layer protocols

network representations, network topologies

common security architectures, 288–289

LAN topologies, 285–286

logical topology, 284

network components, 282–283

physical topology, 283–284

three-layer network design model, 286–287

WAN topologies, 285

network resources, accessing, 56–57

network scanning tools, 303

network security

attacks. See attacks

cyber threat indicators, 300–301

cybercriminals, 300

cybersecurity tasks, 300

evaluation methods, 323–324

hackers, 298–299

risk, 297–298

threat actor tools. See threat actor tools

threat actors, evolution of, 299–300

threats, 297–298

vulnerabilities, 297–298

network security data

data archiving, 557–558

data normalization, 556–557

data reduction, 554–556

ELSA (Enterprise Log Search and Archive), 554, 564

queries, 565–567

investigating

file details, 568–569

processes or API calls, 567–568

Sguil, 559–560

event handling, 563

pivoting from, 562–563

queries, 560–562

network security infrastructure

security devices

firewall types, 263–265

firewalls, 262–263

intrusion protection and detection devices, 267

next-generation firewalls, 266

packet filtering firewalls, 265–266

specialized security appliances, 271–272

stateful firewalls, 266

security services

AAA servers, 279–280

NetFlow, 275–276

NTP (Network Time Protocol), 277–279

packet tracers, 274

port mirroring, 276

SNMP (Simple Network Management Protocol), 274

syslog servers, 277

traffic control with ACLs, 272–273

VPNs (virtual private networks), 280–282

network security monitoring (NSM), 502

network security organizations, 390

network security topology, 332–333

network services

DHCP (Dynamic Host Configuration Protocol), 206–208

DHCPv4 message format, 208–209

DNS (Domain Name System), 209–210

DNS message format, 213–214

domain hierarchy, 210–211

dynamic DNS (DDNS), 214–215

lookup processes, 211–213

WHOIS, 215–216

email. See email

HTTP (Hypertext Transfer Protocol), 225–226, 227

HTTP URL, 227

HTTPS (HTTP Secure), 228

status codes, 228–229

NAT. See NAT (Network Address Translation)

Network tab, Resource Monitor, 51

network TAPs (Terminal Access Points), 333–334

Network Time Protocol (NTP), 277–279

security monitoring, 503

network topologies

common security architectures, 288–289

LAN topologies, 285–286

logical topology, 284

network components, 282–283

physical topology, 283–284

three-layer network design model, 286–287

WAN topologies, 285

network transactions, encrypting, 447–448

network vulnerability testing, 473

CVSS (Common Vulnerability Scoring System), 473–474

metric groups, 474–475

processes, 476–478

reports, 478–479

network-based IPS, 269, 270

network-based malware protection, 461–462

networking, 51–55

networking accounting, 389

networking devices, ARP tables, 181–182

networks, 153

stub networks, 217

views of, 118–119

New Technology File System. See NTFS (New Technology File System)

NextGen IPS (NGIPS), 535–536

next-generation firewalls, 266

nfdump, 527

NFS (Network File System), Linux, 92

nftables, 464

Nginx web server configuration, Linux, 85–86

NGIPS (NextGen IPS), 535–536

NIC (network interface card), 276

NIDS (network-based IDS), 514

NIST 800-61r2, 599

incident response capabilities, 594–601

incident response life cycle, 603–604

containment, eradication, and recovery, 607–609

detection and analysis, 605–607

post-incident activities, 609–610

preparation, 604–605

incident response stakeholders, 602–603

objective assessments of incidents, 610–611

plans, 602

policies, 601–602

procedures, 602

reporting requirements and information sharing, 612

NIST Cybersecurity Framework, 493–495

non-blind spoofing, 348

non-discretionary access control, 385

non-repudiation, 402

normalization, 558

NS, DNS (Domain Name System), 214

NS (Neighbor Solicitation) messages, 166

nslookup command, 55

NSM (network security monitoring), 502

NTFS (New Technology File System), 29

ADSs (Alternate Data Streams), 29–31

formatting, 31

Ntoskrnl.exe, 33

NTP (Network Time Protocol), 277–279

security monitoring, 503

NTP configuration file, Linux, 86

numbered ACLs, 274

NVD (National Vulnerability Database), 480

O

ocatal values, for permissions, Linux, 95

OCSP (online certificate status protocol), 446

octets, 148

online certificate status protocol (OCSP), 446

open authentication, 258

open mail relay server, 366

open revolvers, 357

Open Shortest Path First (OSPF), 127

Open Systems Interconnection model (OSI) model, 130, 131

stateful firewalls, 266

versus TCP/IP model, 130

open web proxies, 533

OpenDNS, 533–534

operating system vulnerabilities, Windows, 26–27

operations

transport layer protocols

TCP connections, 199–201

TCP data transfer, 201–204

TCP port allocation, 196–198

UDP (User Datagram Protocol), 204–205

wireless network operations, 256–258

OPTIONS, HTTP (Hypertext Transfer Protocol), 227

origin authentication, 402

OS updates, Linux, 102

OSI (Open Systems Interconnection) model, 130, 131

stateful firewalls, 266

versus TCP/IP model, 130

OSPF (Open Shortest Path First), 127

OSSEC (Open Source HIDS SECurity), 466, 519, 544, 568

outbound message control, ESA (Email Security Appliance), 272

output of mount in the CyberOPS VM, 93–94

output of /var/log/syslog, 91

Overview tab, Resource Monitor, 51

P

P2P (peer-to-peer) networking, 511–512

package managers, 100–101

ATP (Advanced Packaging Tool), 99–101

packet analyzers, 276

packet crafting tools, 303

packet filtering firewall, 264, 265–266

packet format, ICMP (Internet Control Message Protocol), 175–176

packet forwarding, 241

routers, 239

packet headers, IPv4, 147–148

packet sniffers, 276, 303, 335–336

packet tracers, ACLs (access control lists), 274

packets

de-encapsulating, 240

encapsulating, 240

PADS, 563

parameters, wireless parameters, 257–258

Partition Boot Sector, 31

partitions, 30–31

formatting, 31

mounting, 93

passive mode, wireless devices, 258

passive network monitoring, patch management, 490

Passive Real-time Asset Detection System (PRADS), 562–563

pass-the-hash, 315

passwd command, Linux, 79

password attacks, 315

password crackers, 303

password guidelines, 62

password policies, 382

password-based attacks, 304–305

passwords, wireless devices, 258

PAT (Port Address Translation), 218–219, 509–510

patch management, 488–489

techniques for, 488–490

patches, 60

Linux, 102

path determination, routers, 239

paths

Linux, 77

testing with traceroute, 172–175

tracing, communication processes, 121–122

PCI DSS (Payment Card Industry Data Security Standard), 480–481

PDU (protocol data unit), 134

peer authentication, 446

peer-to-peer (P2P) networking, 511–512

penetration testing, 473

penetration testing tools, Linux, 76

pentesting, Linux, 76

people, SOC (Security Operations Centers), 8

permissions

octal values, Linux, 95

viewing for Linux files, 94

personally identifiable information (PII), 5–6

PGP (Pretty Good Privacy), 422

pharming, 318

PHI (protected health information), 6

phishing, 310, 318

social engineering attacks, 318–319

phreaking, 299

physical layer, OSI (Open Systems Interconnection) model, 131

physical security and facilities management, incident response, 603

physical topology, networks, 283–284

PIDs, displaying, 59

PII (personally identifiable information), 5–6

ping, testing

connectivity to local LAN, 169–170

connectivity to remote hosts, 170–171

local stacks, 168–169

ping command, 53–54, 55, 168, 343–344

Ping of Death, 322

pinging

local loopbacks, 169

loopback addresses, 54

piping commands, Linux, 110

pivoting, 323–324

across Diamond Model, 589

from Sguil, 562–563

PKCS (public key cryptography standards), 432

PKI (public key infrastructure), 438–439

applications, 447

authentication, 444–446

authorities system, 439–441

certificate enrollment, 444–446

interoperability of different PKI vendors, 442–443

public key cryptography

digital signatures, 430–432

digital signatures for code signing, 432–435

digital signatures for digital certificates, 435–437

public key management, 437–438

revocation, 444–446

trust system, 441–442

PKI certificates, 439

Plan-Do-Check-Act cycle, ISO-27001, 492–493

plans, NIST 800-61r2, 602

PLC (programmable logic controllers), 3

podcasts, security blogs and podcasts, 392

Point of Presence (PoP), 122

point-to-point, WAN topologies, 285

Point-to-Point Protocol (PPP), 127

policies

AUP (acceptable use policy), 382

business policies, 381

BYOD (Bring Your Own Device) policies, 382–383

company policies, 381

employee policies, 381

identification and authentication policies, 382

network maintenance policies, 382

NIST 800-61r2, 601–602

password policies, 382

remote access policy, 382

security policies, 381–382

policy-based HIDS, 466

politics, national security, 6–7

polyalphabetic ciphers, 406–407

PoP (Point of Presence), 122

POP3 (Post Office Protocol version 3), 126, 223–224

security monitoring, 507

Port Address Translation (PAT), 218–219, 509–510

port allocation, TCP (Transmission Control Protocol), 196–198

port mirroring, 276, 334

port redirection, 315, 316–317

port scanning, 205

ports

destination (SPAN) port, 334

Linux, 83

routed ports, 253

source (SPAN) port, 334

TCP (Transmission Control Protocol), 187–188

POST (power-on self-test), 31–32

HTTP (Hypertext Transfer Protocol), 227

Post Office Protocol version 3 (POP3), 126, 223–224

security monitoring, 507

post-incident activities, 609–610

power-on self-test (POST), 31–32

PowerShell, 44–46

commands, 45

help, 45–46

PowerShell functions, 45

PowerShell scripts, 45

PPP (Point-to-Point Protocol), 127

PR (Privileges Required), 475

PRADS (Passive Real-time Asset Detection System), 562–563

Preamble field, Ethernet frames, 141

precursors, 606

preferred uptime, 11

prefix length, IPv6, 163

preparation, incident response life cycle, NIST, 604–605

presentation layer, OSI (Open Systems Interconnection) model, 131

preservation, digital forensics, 574–575

pretexting, 318

Pretty Good Privacy (PGP), 422

principle of least privilege, 385

private IPv4 addresses, 156

NAT (Network Address Translation), 217

private keys, 425–426

privilege escalation, 385

Privileges Required (PR), 475

probabilistic analysis, alert evaluation, 552–553

probing, web servers, with telnet, 105–106

procedures, NIST 800-61r2, 602

processes, 36–37

CVSS (Common Vulnerability Scoring System), 476–478

digital forensics, 572

investigating, 567–568

Linux, 102–104

SOC (Security Operations Centers), 8–9

Windows, 36–38

Processes tab

Task Manager, 49

Windows Task Manager, 37

processor-sharing P2P networks, 511

profiling, 606

programmable logic controllers (PLC), 3

properties, of hash functions, 411

Properties dialog box, 52

prosecution, 611

protected health information (PHI), 6

protocol data unit (PDU), 134

protocol suites, 124–125

TCP/IP protocol suite, 126–128

protocol-level misinterpretation, 323

protocols, 123

address resolution protocol. See Address Resolution Protocol

BGP (Border Gateway Protocol), 244

BOOTP (bootstrap protocol), 126

communications protocols. See communications protocols

DHCP. See DHCP (Dynamic Host Configuration Protocol)

dynamic routing protocol, 243–244

EIRGRP (Enhanced Interior Gateway Routing Protocol), 127

Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)

ICMP. See ICMP (Internet Control Message Protocol)

IMAP. See IMAP (Internet Message Access Protocol)

IP. See IP (Internet Protocol)

network protocols. See network protocols

NTP. See NTP (Network Time Protocol)

POP3. See POP3 (Post Office Protocol version 3)

PPP (Point-to-Point Protocol), 127

RDP (Remote Desk Protocol), 56

SMTP (Simple Mail Transfer Protocol), 126, 223

SNMP (Simple Network Management Protocol), 274, 335

STP (Spanning Tree Protocol), 248–252

TCP. See TCP (Transmission Control Protocol)

TFTP (Trivial File Transfer Protocol), 127, 220

transport layer protocols. See transport layer protocols

UDP. See UDP (User Datagram Protocol)

for wireless communications, 254–256

proxy logs, 532

proxy servers, 532

proxy Trojan horses, 307

ps command, Linux, 78, 103

PSH, 195

public affairs, incident response, 603

public IPv4 addresses, 156

public key cryptography, digital signatures, 430–432

for code signing, 432–435

for digital certificates, 435–437

public key cryptography standards (PKCS), 432

public key infrastructure. See PKI (public key infrastructure)

public key management, 437–438

public keys, 423–424

PulledPork rule management utility, 550

PUT, HTTP (Hypertext Transfer Protocol), 227

pwd command, Linux, 78

Python programming, 13

Q

queries

ELSA (Enterprise Log Search and Archive), 565–567

Sguil, 560–562

Query Builder, Sguil, 560, 561

R

r-- (group permissions), 95

RA (Router Advertisement) messages, 166

radio frequencies (RF), 255

RADIUS (Remote Authentication Dial-in User Service), 205, 279–280

AAA (Authentication, Authorization, and Accounting), 388

ransomed companies, 3

ransomware, 309

RBAC (role-based access control), 385

RDP (Remote Desk Protocol), 56

reassembling segments, transport layer protocols, 185

receiving

messages, 137

web pages, 136–139

reconnaissance, Cyber Kill Chain, 583–584

reconnaissance attacks, 312–314

record types, DNS (Domain Name System), 214

records, VERIS, 592–594

recovery, NIST incident response life cycle, 609

recursion, DNS (Domain Name System), 211

recursive resolvers, DNS (Domain Name System), 211

redirection 3xx, 363

redundancy, STP (Spanning Tree Protocol), 248–249

reference models, 130

OSI (Open Systems Interconnection) model, 131

TCP/IP model, 131–132

REG_BINARY, 40

REG_DWORD, 40

REG_SZ, 40

Regional Internet Registries (RIRs), 160

registry, Windows, 38–40

registry keys, 40

regular expressions, 569

regulations. See compliance regulations

regulatory compliance, 383

remediation, NIST incident response life cycle, 609

remote access policy, 382

Remote Authentication Dial-in User Service (RADIUS), 205, 279–280

Remote Desk Protocol (RDP), 56

remote exploits, 298

remote hosts

host forwarding, 158

testing connectivity with ping, 170–171

remote ports, TCP (Transmission Control Protocol), 187–188

remote routes, 242

Remote SPAN (RSPAN), 334

remote-access Trojan horses, 307

removing

entries from ARP tables, 181

MAC-to-IP address mapping, 181

reporting

digital forensics, 572

SIEM (security information and event management), 339

reporting requirements, NIST 800-61r2, 612

reports, CVSS (Common Vulnerability Scoring System), 478–479

Request Tracker for Incident Response (RTIR), 545

reserved private addresses, IPv4, 156–157

resolvers, DNS (Domain Name System), 211

resource accounting, 390

resource exhaustion, 323

Resource Monitor, 49, 50–51

retrieving CA certificates, 444

retrospective security analysis (RSA), 552

revocation, PKI (public key infrastructure), 444–446

RF (radio frequencies), 255

ring, LAN topologies, 286

RIRs (Regional Internet Registries), 160

risk, 297–298

risk acceptance, 298

risk analysis, 473

risk assessment, 483

risk avoidance, 298, 484

risk limitation, 298

risk management, 298, 482–484

risk reduction, 484

risk retention, 484

risk sharing, 484

risk transfer, 298

Rivest, Ron, 412

Rivest ciphers (RC), 420–421

Rivest-Shamir-Adleman Algorithm (RSA), 431

rm command, Linux, 79

role of protocols, 124–125

transport layer protocols, 184–185

role-based access control (RBAC), 385

roles, Linux, 94–96

roles of, people at SOC, 8

root CA, 441

rootkit detectors, 303

rootkits, 310, 324

Linux hosts, 106–109

round-trip time (RTT), testing paths with traceroute, 172

routed ports, 253

Router Advertisement (RA) messages, 166

router operations, 241–242

Router Solicitation (RS) messages, 166

routers, 238–240

internal routers, 379

NAT (Network Address Translation), 217

packet forwarding, 241

routers sharing path information, role of protocols, 125

routing information, 242–244

routing protocol classification, 244

RR, DNS (Domain Name System), 211

RS (Router Solicitation) messages, 166

RSA (retrospective security analysis), 552

RSA encryption algorithms, 423

RSA Security Inc.432

RSPAN (Remote Span), 334

RST, 195

RTIR (Request Tracker for Incident Response), 545

RTT (round-trip time), testing paths with traceroute, 172

rule headers, Snort, 548

rule location, 548

rule options, Snort, 549

rules

alerts and, 546–547

for compressing IPv6 addresses, 163

Snort, 547–550

Run as Administrator, Windows, 41–42

runbook automation, 570

running applications on Linux hosts, 100–101

runt frames, 140

rw- (group permissions), 94

rwx (user permissions), 94

S

S (Scope), 475

salary information, 13

SANCP (Security Analyst Network Connection Profiler), 562, 563

sandboxing, 469

SANS (SysAdmin, Audit, Network, Security), 391

Sarbanes-Oxley Act of 2002 (SOX, 482

scareware, 310

schema elements, VERIS, 594

discovery and response, 595

impact assessment, 595

incident description, 595–597

incident tracking, 598

victim demographics, 597

Scope (S), 475

scoping, NIST incident response life cycle, 606–607

scores, CVSS (Common Vulnerability Scoring System), 478–479

script kiddies, 4, 299

SEAL (Software-Optimized Encryption Algorithm), 420

second extended file system (ext2), Linux, 92

second-level elements, VERIS, 594

secure communications, 401–402

Secure Hash Algorithm 1 (SHA-1), 412–413

Secure Hash Algorithm 2 (SHA-2), 413

secure network topology, 401

Secure Shell (SSH), 422

Secure Sockets Layer (SSL), 422

securing communications, 400–402

cryptology, 402–403

security

versus availability, SOC (Security Operations Centers), 11

common security architectures, 288–289

endpoint security, 457–458

Windows

Event Viewer, 59–60

Local Security Policy, 61–62

netstat command, 58–59

Windows Defender, 63–64

Windows Firewall, 64–65

Windows Update Management, 60–61

Security Analyst Network Connection Profiler (SANCP), 562, 563

security artichoke, 380

security blogs and podcasts, 392

security descriptors, 29

security device management

asset management, 486

configuration management, 487–488

enterprise patch management, 488–489

techniques for, 488–490

mobile device management (MDM), 486–487

risk management, 482–484

vulnerability management, 484–485

security devices

firewalls, 262–263

application gateway firewalls, 265

packet filtering firewall, 264

stateful firewalls, 264

IDSs (intrusion detection systems), 267

IPS (intrusion protection systems), 267

next-generation firewalls, 266

packet filtering firewall, 265–266

specialized security appliances, 271–272

stateful firewalls, 266

security information and event management. See SIEM (security information and event management)

security logs, Event Viewer, 519

security management systems, 491

security mode, 257

security monitoring

common protocols

DNS (Domain Name System), 504

HTTP (Hypertext Transfer Protocol), 505

HTTPS (HTTP Secure), 505–506

NTP (Network Time Protocol), 503

syslog, 502–503

email protocols, 507

encryption and, 448–449

ICMP (Internet Control Message Protocol), 507–508

log files. See log files

NextGen IPS (NGIPS), 535–536

Security Onion, 542, 543

analysis tools, 544

data archiving, 557–558

Sguil, 545

security onion, 379

Security Operations Centers. See SOC (Security Operations Centers)

security policies, 61, 381–382

BYOD (Bring Your Own Device) policies, 382–383

Local Security Policy, 61–62

regulatory and standard compliance, 383

security recommendations, for Windows, 26–27

security services

AAA servers, 279–280

NetFlow, 275–276

NTP (Network Time Protocol), 277–279

port mirroring, 276

SNMP (Simple Network Management Protocol), 274

syslog servers, 277

traffic control with ACLs, 272–273

VPNs (virtual private networks), 280–282

security software disabler Trojan horses, 307

security technologies

ACLs (access control lists), 508–509

encryption, 510

load balancing, 512–513

NAT (Network Address Translation), 509–510

P2P (peer-to-peer) networking, 511–512

PAT (Port Address Translation), 509–510

tunneling, 510

security tools, evolution of, 302–304

security wipes, 31

security-aware culture, 319

segment sequence numbers, 202

segmentation, 132–133

segmenting, data, transport layer protocols, 185

segments, reassembling, transport layer protocols, 185

self zone, 289

sending web pages, 136–139

server error 5xx, 363

server logs, 521–522

Server Message Block (SMB), 56

server profiling, 471

server-based AAA authentication, 387–388

servername, UNC (Universal Naming Convention), 56

servers, 119

service configuration files, Linux, 84–88

service logs, monitoring (Linux), 89–91

service packs, 60

service set identifier (SSID), 257

services

Linux, 83

network components, 283

Windows, 37–38

Services tab

system configuration, 34–35

Task Manager, 50

session data, 515

session hijacking, 343

TCP (Transmission Control Protocol), 352

session layer, OSI (Open Systems Interconnection) model, 131

Session Manager Subsystem (SMSS), 33

session setup and termination, role of protocols, 125

SET (Social Engineering Toolkit), 319

setup logs, Event Viewer, 519

SFD (Start Frame Delimiter) fields, Ethernet frames, 141

Sguil, 544, 545, 545, 547, 559–560

event handling, 563

pivoting from, 562–563

queries, 560–562

SHA-1 (Secure Hash Algorithm 1), 412–413

SHA-2 (Secure Hash Algorithm 2), 413

shared key authentication, 258, 260

sharename, UNC (Universal Naming Convention), 56

shares, 56

shell, Linux, 77

shutdown, Windows, 36

shutdown command, Linux, 78

SIEM (security information and event management), 335, 338–339

log collection, 525–526

SOC (Security Operations Centers), Linux, 75

signature validation error, 448

signature-based antimalware, 459

signatures, 267

digital signatures. See digital signatures

Simple Mail Transfer Protocol (SMTP), 126, 223

Simple Network Management Protocol (SNMP), 274, 335

single-root PKI topology, 441

size

IPv6, 161

protocols, 128

SMB (Server Message Block), 56, 220–221

smishing, 319

SMSS (Session Manager Subsystem), 33

SMTP (Simple Mail Transfer Protocol), 126, 223

security monitoring, 507

Smurf attacks, 346

sniffer attacks, 305

SNMP (Simple Network Management Protocol), 274, 335

Snort, 514, 543

rule structure, 547–550

Snort configuration file, 86–88

SOC (Security Operations Centers), 2, 5

elements of, 7

enterprise and managed security, 10

processes, 8–9

technologies, 9–10

Linux, 74–75

monitoring systems, 10

security versus availability, 11

SOC Manager, 8

social engineering attacks, 317–318

phishing, 318–319

Social Engineering Toolkit (SET), 319

socket pairs, transport layer protocols, 189

sockets, 189

soft links, Linux, 96–97

software attack surfaces, 467

Software-Optimized Encryption Algorithm (SEAL), 420

SolarWinds Patch Manager, 489

solid state drives (SSDs), 28–29

something for something (quid pro quo), 318

SOPs (standard operating procedures), 602

source (SPAN) port, 334

Source MAC address field, Ethernet frames, 141

source MAC addresses, switches, 246

source port, TCP (Transmission Control Protocol), 187

sources of alerts

alert generation, 544–546

analysis tools, 544

detection tools for collecting alert data, 543–544

rules, 546–547

Security Onion, 542

Snort, rule structure, 547–550

sources of career information, 13

SOX (Sarbanes-Oxley Act of 2002), 482

spam, 318

spam blocking, ESA (Email Security Appliance), 272

spam email, 366

SPAN (Switched Port Analyzer), 333

traffic monitoring, 334

SPAN sessions, 334

Spanning Tree Protocol (STP), 248–252

spear fishing, 318

specialized security appliances, 271–272

Splunk, 525

spoofing attacks, 315, 348–349

spyware, 310

SQL injections, 367–368

SQL Slammer worm, 308

Squid web proxy logs, 533

SSDs (solid state drives), 28–29

SSH (Secure Shell), 422

SSH File Transfer Protocol, 220

SSID (service set identifier), 257

SSL (Secure Sockets Layer), 422

SSSD (System Security Services Daemon), 90

standard compliance, 383

standard operating procedures (SOPs), 602

standards, threat intelligence communication standards, 394

star, LAN topologies, 285

Start Frame Delimiter (SFD) field, Ethernet frames, 141

startup, Windows, 33–36

Startup tab

system configuration, 35

Task Manager, 50

stateful communication, TCP (Transmission Control Protocol), 351

stateful firewalls, 264, 266

state-sponsored hacking, 300

statistical data, 517–518

status codes, HTTP (Hypertext Transfer Protocol), 228–229

Step 7 software, 3

STIX (Structured Threat Information Expression), 394

“Stop. Think. Connect.”, 301

STP (Spanning Tree Protocol), 248–252

stratum, NTP (Network Time Protocol), 278

stream ciphers, 418

Structured Threat Information Expression (STIX), 394

stub networks, 217

students, typical sessions for, 119–120

Stuxnet worm, 3, 6–7

su command, Linux, 78

submitting, certificate requests, 445

subnet, 153

subnet masks, IPv4, 151–152

subnets, 241

subnetting, 153

subnetting broadcast domains, IPv4, 152–153

substitution ciphers, 404

successful 2xx, 363

sudo command, Linux, 78

surgeons, typical session for, 121

Suricata, 544

SVI (switch virtual interface), 253–254

swap file system, Linux, 92

switch virtual interfaces (SVI), 253–254

Switched Port Analyzer (SPAN), 333

switches

LAN switches, 245

traffic sniffing, 276

switching operations, 245–247

symmetric encryption, 417–418

symmetric encryption algorithms, 416–417, 418–421

SYN, 195

SysAdmin, Audit, Network, Security (SANS) Institute, 391

Sysinternals RamMap, 38–39

syslog, 520–521

security monitoring, 502–503

syslog servers, 277

system accounting, 389

system calls, 567

System Files, 31

system logs, Event Viewer, 519

System Security Services Daemon (SSSD), 90

system-based sandboxing, 469

T

TACACS+ (Terminal Access Controller Access-Control System Plus), 279–280

AAA (Authentication, Authorization, and Accounting), 388

Tactics, Techniques, and Procedures (TTP), 575

tailgating, 318

Talos, 271

TAPs (Terminal Access Points), 333–334

Task Bar, Windows 10, 24

Task Manager, 49–50

Windows, 36–37

Processes tab, 37

TAXII (Trusted Automated Exchange of Indicator Information (TAXII), 394

TCP (Transmission Control Protocol), 127, 137

comparing to UDP (User Datagram Protocol), 194

connection establishment, 199

connection termination, 200–201

data transfer, 201–204

encapsulation, 135

flow control, 202–204, 351

headers, 194–195

local and remote ports, 187–188

segments, 350

stateful communication, 351

terminating connections, 352

transport layer protocols, 190–191

vulnerabilities, 350–351

attacks, 351–352

session hijacking, 352

window size, 203

TCP reset attack, 352

TCP SYN flood attacks, 351–352

TCP Wrapper, 464

tcpdump, 336–337, 526–527

TCP/IP model, 131–132

versus, OSI (Open Systems Interconnection) model, 130

TCP/IP protocol suite, 126–128

formatting, 128

techniques for patch management, 488–490

technologies, SOC (Security Operations Centers), 9–10

telnet, probing, web servers, 105–106

temporal metric group, CVSS (Common Vulnerability Scoring System), 475

temporary agencies, 14

terminal, Linux, 77

Terminal Access Controller Access-Control System Plus (TACACS+), 279–280

Terminal Access Points (TAPs), 333–334

terminating TCP connections, 352

testing

connectivity to local LAN with ping, 169–170

connectivity to remote hosts with ping, 170–171

DNS (Domain Name System), 55

local stacks, ping, 168–169

local TCP/IP stacks, 169

network vulnerability testing, 473

paths with traceroute, 172–175

penetration testing, 473

text editors, Linux, 79–80

text files, Linux, 79–80, 81

TFTP (Trivial File Transfer Protocol), 127, 220

third extended file system (ext3), Linux, 92

threads, Windows, 36–37

threat actor tools

attack tools, 301–302

security tools, evolution of, 302–304

threat actors, 297

amateurs, 4

evolution of, 299–300

financial gain, 4

global politics, 4

versus hackers, 298–299

hacktivists, 4

trade secrets, 4

threat incident escalation process, 9

threat intelligence

Cisco Cybersecurity Reports, 392

information sources, network intelligence communities, 390–392

security blogs and podcasts, 392

threat intelligence services

AIS (Automated Indicator Sharing), 393

Cisco Talos, 392–393

communication standards, 394

CVE (Common Vulnerabilities and Exposures), 393

FireEye, 393

threats, 297–298, 376

endpoint threats, 456–457

identifying, 378–379

three addresses, network protocols, 131–132

three-layer network design model, LAN topologies, 286–287

three-way handshake, TCP (Transmission Control Protocol), 199

ticketing systems, SOC (Security Operations Centers), Linux, 75

Tier 1 Alert Analyst, SOC (Security Operations Centers), 8

Tier 2 Incident Responder, SOC (Security Operations Centers), 8

Tier 3 Subject Matter Expert (SME)/Hunter, SOC (Security Operations Centers), 8

Time Exceeded messages, ICMPv4 messages, 166

Time to Live (TTL), IPv4, 172–175

time to live (TTL), 55

timestamps, 29

timing, protocols, 129

tools

attack tools, 301–302

Linux, 76

Msconfig tool, 33

for network monitoring, 335

network protocol analyzers, 335–339

security tools, 302–304

Tools tab, system configuration, 35–36

top command, Linux, 103–105

top-level elements, VERIS, 594

Tor network, 512

Torvalds, Linus, 73

traceroute, testing, paths, 172–175

traces, 118

tracing paths, communication processes, 121–122

tracking individual conversations, transport layer protocols, 184–185

trade secrets, threat actors, 4

traffic control with ACLs, 272–273

traffic fragmentation, 323

traffic insertion, 323

traffic mirroring, 333

traffic monitoring. See network monitoring

traffic sniffers, 276

traffic sniffing with switches, 276

traffic substitution, 323

transaction data, 515–516

Transmission Control Protocol. See TCP (Transmission Control Protocol)

transparent firewalls, 265

transport layer, OSI (Open Systems Interconnection) model, 131

transport layer protocols

mechanisms, 186

operations

TCP connections, 199–201

TCP data transfer, 201–204

TCP port allocation, 196–198

UDP (User Datagram Protocol), 204–205

role of, 184–185

socket pairs, 189

TCP (Transmission Control Protocol), 190–191

headers, 194–195

TCP local and remote ports, 187–188

tracking individual conversations, 184–185

UDP (User Datagram Protocol), 191–193

headers, 196

transport layer services, 186

transposition cipher, 405–406

Triple DES (3DES), 419

Trivial File Transfer Protocol (TFTP), 127, 220

Trojan horses, 306–307

classifications, 307

trust exploitation, 315–316

trust system, PKI (public key infrastructure), 441–442

Trusted Automated Exchange of Indicator Information (TAXII), 394

TTL (Time to Live), 166

IPv4, 172–175

TTL (time to live), 55

TTP (Tactics, Techniques, and Procedures), 575

tunneling, 323, 510

types of addresses, IPv4

address classes, 155–156

reserved private addresses, 156–157

U

Ubuntu GUI-based software updater, 102

Ubuntu Linux, 99

UDP (User Datagram Protocol), 127, 204–205

attacks, 353

comparing, to TCP (Transmission Control Protocol), 194

headers, 196

transport layer protocols, 191–193

vulnerabilities, 353

UDP flood attack, 353

UDP Unicorn, 353

UEFI (Unified Extensible Firmware Interface), 31–32

UI (User Interaction), 475

UNC (Universal Naming Convention), 56

unicast, communication protocols, 129

Unified Extensible Firmware Interface (UEFI), 31–32

Uniform Resource Identifier (URI), 523

Uniform Resource Locator (URL), 523

Unity, Ubuntu Linux, 99–100

Universal Naming Convention (UNC), 56

UNIX, 304

unreliable, 145

Update status, 61

URG, 195

URI (Uniform Resource Identifier), 523

URL (Uniform Resource Locator), 523

HTTP URL, 227

U.S. Computer Emergency Readiness Team), (US-CERT), 301

U.S. Department of Homeland Security (DHS), 301

USAJobs.gov, 13

US-CERT (U.S. Computer Emergency Readiness Team), 301

User Datagram Protocol. See UDP (User Datagram Protocol)

User Interaction (UI), 475

user mode, Windows, 28

user permissions (rwx), 94

user spaces, 38

users

administration of, 43

local users, 42–44

Users tab, Task Manager, 50

V

/var/log/auth.log, Linux, 90

/var/log/boot.log, Linux, 90

/var/log/cron, Linux, 90

/var/log/dmesg, Linux, 90

/var/log/kern.log, Linux, 90

/var/log/messages, Linux, 90

/var/log/mysqld.log, Linux, 326

/var/log/secure, Linux, 90

/var/log/syslog, output, 91

VCDB (VERIS Community Database), 598

vendor teams, 600

verifying Windows blacklisted applications, 469

VERIS (Vocabulary for Event Recording and Incident Sharing), 592

creating records, 592–594

schema elements, 594

discovery and response, 595

impact assessment, 595

incident description, 595–597

incident tracking, 598

victim demographics, 597

VCDB (VERIS Community Database), 598

VERIS Community Database (VCDB), 598

VeriSign certificates, 440

versions of Windows, 23–24

victim demographics, VERIS, 597

viewing, permissions, for Linux files, 94

Vigenère cipher, 407

virtual address space, 38

virtual addresses, 38

virtual LANs (VLANs), 247–248

virtual private networks (VPNs), 280–282

viruses, 306

vishing, 319

visual hacking, 318

visualizations, 570

VLANs (virtual LANs), 247–248

Vocabulary for Event Recording and Incident Sharing. See VERIS

VPNs (virtual private networks), 280–282

vulnerabilities, 297–298, 376

ARP (Address Resolution Protocol), 354–355

ARP cache poisoning, 355–357

email, 366–367

identifying, 377–378

IP services

DHCP (Dynamic Host Configuration Protocol), 359–362

DNS attacks, 357–358

DNS tunneling, 358–359

IP vulnerabilities, 340, 343

address spoofing attacks, 348–349

amplification and reflection attacks, 346–347

DDoS attacks, 345–346, 347–348

DoS (denial-of-service) attacks, 345–346

ICMP attacks, 343–345

IPv4 packet headers, 340–342

IPv6 packet headers, 342–343

Linux, 105

operating system vulnerabilities, Windows, 26–27

TCP (Transmission Control Protocol), 350–351

attacks, 351–352

session hijacking, 352

UDP (User Datagram Protocol), 353

vulnerability assessment, 473

vulnerability brokers, 299

vulnerability exploitation tools, 304

vulnerability management, 484–485

Vulnerability Management Life Cycle, 485

vulnerability scanners, 304

W

WAN topologies, 285

war dialing programs, 299

watering hole, 319

weaponization, Cyber Kill Chain, 584–585

web browsers, 83

web pages

displaying, 137

sending and receiving, 136–139

web proxies, 532–534

Web Security Appliance (WSA), 271

web servers, probing with telnet, 105–106

web-based attacks, 362–363

defending against, 364

web-exposed databases, 367

command injection, 367

cross-site scripting (XSS), 368

SQL injections, 367–368

whaling, 318

white hat hackers, 299

whitelisting, 467–468

WHOIS, DNS (Domain Name System), 215–216

window size, TCP (Transmission Control Protocol), 203

Windows

administration, configuration management

accessing network resources, 56–57

CLI and PowerShell, 44–46

local users and domains, 42–44

net command, 47–48

networking, 51–55

Resource Monitor, 49, 50–51

Run as Administrator, 41–42

Task Manager, 49–50

Windows Server, 56–57

WMI (Windows Management Instrumentation), 46–47

architecture

file systems, 28–29

HAL (hardware and abstraction layer), 27–28

kernel mode, 28

user mode, 28

boot process, 31–33

configuration options, 33–36

history of

DOS (Disk Operating System), 21–23

GUI (graphical user interface), 24–26

versions, 23–24

memory allocation, 38–39

operating system vulnerabilities, 26–27

processes, 36–38

Remote Desktop Connection, 56–57

services, 37–38

shutdown, 36

startup, 33–36

windows, WMI Control Properties window, 46–47

Windows 7, 24

Windows 8, 24

Windows 8.1, 24

Windows 10, 23, 24

Ethernet properties, 53

GUI (graphical user interface), 25

IPv4 properties, 53

Network and Sharing Center, 52

network connections, 52

Resource Monitor, 50

Task Manager, 49

Windows Defender, 63–64, 459

Windows Event Viewer, 59–60

Windows File Explorer, 25–26

Run as Administrator, 41–42

Windows Firewall, 64–65, 460, 464

Windows Home Server 2011, 24

Windows Management Instrumentation. See WMI

Windows NT, 23

Windows PCs, checking IP configuration, 149

Windows PowerShell. See PowerShell

Windows Registry, 38–40

Windows Registry Editor, 40

Windows security

Event Viewer, 59–60

Local Security Policy, 61–62

netstat command, 58–59

Windows Defender, 63–64

Windows Firewall, 64–65

Windows Update Management, 60–61

Windows Server, 56–57

Windows Server 2000, 57

Windows Server 2008 R2, 24

Windows Server 2012, 24

Windows Server 2012 R2, 24

Windows Server 2016, 24

Windows Services control panel, 37–38

Windows Task Manager, Processes tab, 37

Windows Update Management, 60–61

Windows XP, 23

windump, 337

Winload.exe, 32–33

Winresume.exe, 32–33

wireless communications

protocols and features, 254–256

wireless devices, 261–262

wireless network operations, 256–258

client to AP association process, 258–260

wireless devices, 261–262

wireless hacking tools, 303

Wireless LAN Controller (WLC), 262

wireless LANs (WLANs), 254–256

wireless network operations, 256–258

client to AP association process, 258–260

wireless parameters, 257–258

Wireshark, 139, 336, 516, 544

capture of web page requests, Linux, 75

WLANs (wireless LANs), 254–256

WLC (Wireless LAN Controller), 262

WMI (Windows Management Instrumentation), 41, 46–47

WMI Control Properties window, 46–47

workflow management, 570

worms, 307–308

components of, 308–309

WSA (Web Security Appliance), 271, 462, 531

X-Y

X Window System, Linux GUI, 98–99

X.509v3, 443, 447

Xbox One, IPv4 address, 150

XSS (cross-site scripting), 368

Z

Zero Days, 3

zero-day exploits, 60

zombies, 321

DDoS attack, 345–346

ZPFs (zone-based policy fireeszdwalls), 289