INDEX

A

acceptable use policy (AUP), 514–515

acceptance testing, 224

access control lists (ACLs), 7, 70–71, 175, 397

access controls, 468–469

access points, 122

account management, 517

running as root, 518

accounting data, 383

accuracy of intelligence data, 13

active defense, 210

active tap, 438

Address Resolution Protocol (ARP), 413

Advanced Encryption Standard (AES), 246

advanced persistent threats (APTs), 22, 382

adversary capability, 48

air gaps, 194

Aircrack-ng, 110, 111

alert fatigue, 33–34

Amazon Lambda, 151–152

Amazon Simple Storage Service (S3), 157

Amazon Web Services, 149

American Fuzzy Lop (AFL), 103, 104

American Registry for Internet Numbers (ARIN), 7

Amin, Rohan, 40

anomalous activity, 425–426

anomaly analysis, 263

anti-tamper techniques, 251

Apache Lucene, 289

API, 220–221

automating API calls, 356–358

insecure, 154–156

integration, 354–358

RESTful APIs, 354–356

API Security Project, 154

application logs, 428

application programming interface. See API

approved scanning vendors (ASVs), 59

APT28, 422

Arachni, 91

artifacts, 420

assemblers, 102

assembly language, 102

asset inventory, 61–62, 195

asset management, 195–196

improper, 156

asset reporting format (ARF), 69

asset tagging, 195–196

assumption of breach, 329

asymmetric cryptography, 208, 209

asynchronous attacks, 249

atomic execution, 249

ATT&CK framework, 35–38, 331–332

attack patterns, 14–15

attack types, 163

asynchronous attacks, 249

authentication attacks, 169–173

buffer overflow attacks, 166–169

credential stuffing, 170

cross-site scripting (XSS) attacks, 165–166

cyclic redundancy check (CRC) attacks, 169

directory traversal attacks, 166, 167

downgrade attacks, 177

eXtensible Markup Language (XML) attack, 164–165

heap-based attacks, 168

impersonation, 170–171

injection attacks, 164–166

integer attacks, 168–169

jailbreaking, 169

man-in-the-middle, 171–172

Pass-the-Hash (PtH) attacks, 334

password spraying, 170

privilege escalation, 169

remote code execution (RCE), 128, 164

rooting, 169

rootkits, 173

server-side request forgery (SSRF) attacks, 165

session hijacking, 173

SQL injection, 165

stack-based attacks, 168

XML bombs, 164–165

XML External Entity (XXE) attacks, 164, 165

attack vectors, 48, 339

attestation, 244–245

attestation identity keys (AIKs), 241

attribute-based access control (ABAC), 202

audits, 521

authentication, 197, 231–232

attacks, 169–173

logs, 286

multifactor authentication (MFA), 198–199

single-factor authentication, 198

two-factor authentication (2FA), 198–199

authorization, 197

authorization creep, 198

automation concepts

API integration, 354–358

automated malware signature creation, 358–360

data enrichment, 351

machine learning, 361

overview, 345–346

scripting, 351–353

software engineering, 365–366

threat feed combination, 360–361

workflow orchestration, 346–351

automation protocols and standards, 362–365

availability analysis, 287

AWS CloudFormation, 152, 153

B

bandwidth, utilization, 410

Bangladesh Bank, 140

barcodes, 196

bare-metal hypervisors, 190–191

baselining, 263

BASS, 359

beaconing, 410–411

behavioral analysis, 262–263

behavior-based detection, 267

Betz, Christopher, 38

Bianco, David, 46

bias, 13

big data analytics, 259

Billion Laughs attack, 164–165

blacklisting, 306, 416

boot device select (BDS), 244

Booz Allen Hamilton, 157

buffer overflow attacks, 166–169

bug bounty programs, 21

Burp Suite, 88, 89

bus encryption, 246–247

business impact analysis (BIA), 479–480

business process interruption, 82

C

Caltagirone, Sergio, 3, 38, 39

CAN bus, 133–134

capacity, 65

capacity consumption, 414–416

cell phones. See mobile devices

Cellebrite, 453

Center for Internet Security (CIS), 61, 195

controls, 512–513

OVAL database, 363

CERT Coordination Center, 21, 169

certificate authorities (CAs), 209–210, 312

certificate management, 209–210

certificate revocation lists (CRLs), 210

change advisory board (CAB), 197

change control board (CCB), 404

change management, 196–197

changes, unauthorized, 419–420

Check Point Software Technologies, 136

ciphertext, 206

Cisco

Common Service Platform Collector (CSPC), 177

Talos, 44–45

classification, 206

classification level, 202

classified data, 10–11

clearance level, 202

client/server systems, 217

cloning, 132, 133

Cloppert, Michael, 40

cloud access security broker (CASB), 205

Cloud Computing Security Requirements Guide (CCSRG), 158

cloud deployment models, 149–150

cloud infrastructure, vs. on-premises solutions, 186

cloud infrastructure assessment, 115

Pacu, 117

Prowler, 116–117

Scout Suite, 115–116

cloud service models, 143–144

Infrastructure as a Service (IaaS), 144, 148–149

Platform as a Service (PaaS), 144, 146–148

Security as a Service (SECaaS), 146

shared responsibility model, 144

Software as a Service (SaaS), 144–146

cloud-connected protection, 268

clustering analysis, 335–336

CMOS RAM, 243

Cobalt Group, 37

Cobra Gold, 389

code coverage, 228

code review, 101

codes of conduct, 514

coding best practices

authentication, 231–232

data protection, 232–234

input validation, 229–230

output encoding, 230–231

overview, 229

parameterized queries, 234

session management, 231

See also software development lifecycle (SDLC)

Cole, August, 250

Command and Control (C2), 43, 334, 410

commodity malware, 27

Common Access Cards (CACs), 74

Common Vulnerabilities and Exposures (CVE), 69, 132

Common Vulnerability Scoring System (CVSS), 69

communications, 371–372

external, 372–373

internal, 372

irregular peer-to-peer communication, 411–412

response coordination with relevant entities, 373–378

of risk factors, 487

unexpected outbound communication, 427

communications channels security, 135

community clouds, 150

compensating controls, 80, 490, 520–521

compliance, 521–522

components, insecure, 176

Computer Emergency Readiness Team (CERT), 398

Computer Fraud and Abuse Act (1986), 168

Computer Incident Response Center Luxembourg (CIRCL), 46

confidence levels, 13

configuration, weak or default configurations, 177

connected vehicles, 133

CAN bus, 133–134

containerization, 191

content delivery networks (CDNs), 335

continuous integration and continuous delivery (CI/CD), 152

continuous delivery, 366

continuous deployment, 366

continuous integration, 365–366

continuous monitoring, 518–519

contractors, 376–377

control types, 519–521

copyright. See intellectual property

corporate confidential information, 383

corporate governance, 81–82

corporate security policy, 60

corrective controls, 520

counterfeit products, 494

credential stuffing, 170

credentials, 197

critical assets, vulnerabilities, 62

critical security controls (CIS Controls), 61, 195

cron service, 351–352

cross-site scripting (XSS) attacks, 165–166

cryptography, 207

asymmetric, 208, 209

symmetric, 207, 209

tools, 449

cryptoprocessors, 247

cryptosystems, 207

Cuckoo Sandbox, 46

Cyber Observable eXpression (CybOX), 35

cyclic redundancy check (CRC) attacks, 169

D

data

aggregation, 258–260

analysis, 260–262

classification, 60–61, 464–465

confidentiality, 465

correlation, 395

deidentification, 469–470

enrichment, 351

integrity, 393

legal requirements for, 462–463

masking, 469

minimization, 466

in motion, 233

ownership, 464, 515–516

protection, 232–234

purpose limitation, 466–467

at rest, 233

retention, 467–468, 516

sharing while preserving privacy, 469–470

sovereignty, 466

tokenization, 470

types of data, 462

in use, 233–234

data encryption keys (DEKs), 246

data exposure

excessive, 154–155

sensitive, 175–176

data loss prevention (DLP), 146, 317–318, 422, 473

data flows, 473

data inventories, 473

endpoint DLP (EDLP), 475

hybrid DLP, 475–476

implementation, testing, and tuning, 474

network DLP (NDLP), 474

Datagram Transport Layer Security (DTLS), 122

dd utility, 450

decompilers, 103

decomposition, 265–267

Defense Information Systems Agency (DISA), 73–74, 362

defense-in-depth, 519

degaussing, 400

degrading functionality, 82

deidentification, 469–470

Delphi technique, 485

dereferencing, 174

Desktop as a Service (DaaS), 191

detection and monitoring

behavior-based detection, 267

signature-based detection, 267

detective controls, 520

deterrent controls, 520

DevOps, 225–226, 365

DevSecOps, 225–226, 365

Diamond Model of Intrusion Analysis, 38–40, 51

digital certificates, 209–210

digital forensics, 433

acquisition utilities, 449–454

analysis, 436–437

building a forensic kit, 447–449

chain of custody, 435, 448

controlling the crime scene, 434

data acquisition, 435–436

endpoints, 442–445

file carving, 453–454

forensic duplicators, 450

forensic suites, 453

hashing utilities, 452

hubs, 439

live forensics, 443

log viewers, 444–445

mobile devices, 445

network tap, 438–439

OS and process analysis, 443–445

password crackers, 450–452

phases of an investigation, 434–438

principles of investigation, 433

procedures, 446–449

reporting, 437–438

seizure, 434–435

servers, 443

switches, 439

tcpdump, 440–441

virtualization and the cloud, 445–446

Wireshark/TShark, 439–440, 441

digital rights management (DRM), 471–472

digital signatures, 296–297

directory traversal attacks, 166, 167

disassemblers, 103

disposal, secure, 401

DMARC, 293–294

DNS, 7–8

analysis, 269–270

DNS harvesting, 7

DNS poisoning, 7

DNS spoofing, 7

DNS tunneling, 334

domain generation algorithms (DGAs), 270–271, 335

Domain Name System. See DNS

DomainKeys Identified Mail (DKIM), 292

DOM-based XSS attacks, 166

downgrade attacks, 177

downtime, 391–392

driver execution environment (DXE), 244

drones, 134–136

due diligence, 492–493

dynamic analysis, 102, 228–229

dynamic code analysis, 395

dynamic ports, 79, 323

dynamic random-access memory (DRAM), 124

E

EEPROM, 220, 243

eFuse, 242–243

Elastic Compute Cloud (EC2), 149

Elasticsearch-Logstash-Kibana (ELK), 259

electronic control units (ECUs), 133

electronically erasable programmable ROM, 220, 243

e-mail analysis, 291

digital signatures and encryption, 296–297

Domain-based Message Authentication, Reporting, and Conformance (DMARC), 293–294

DomainKeys Identified Mail (DKIM), 292

embedded links, 297

forwarding, 296

headers, 294–295

impersonation, 170–171, 297

malicious payload, 292

phishing, 296

Sender Policy Framework (SPF), 293

e-mail harvesting, 8–9

embedded links, 297

embedded systems, 131, 219–220

EnCase, 453

encryption, 206–207, 274, 400, 469

Advanced Encryption Standard (AES), 246

asymmetric cryptography, 208, 209

bus encryption, 246–247

data encryption keys (DEKs), 246

digital signatures, 208

digital signatures and, 296–297

full-disk encryption, 245

self-encrypting drives (SEDs), 245–246

symmetric cryptography, 207, 209

where data can be encrypted, 250

endorsement key (EK), 241

endpoint detection and response (EDR), 318–319, 490

endpoint DLP (EDLP), 475

endpoints

digital forensics and, 442–445

security, 263–269

vulnerabilities, 62

entropy, 335

enumeration, 105–106

hping, 106–107

nmap, 105, 106

nslookup, 108

passive vs. active, 107–108

responder, 108–109

ephemeral ports, 79, 323

error handling, 173–174

ethics, 514

event logs, 280–281

Executable and Linkable Format (ELF), 265–266

exfiltration, 334–335, 421–422

exploit marketplace, emergence of, 21

eXtensible Markup Language. See XML (eXtensible Markup Language)

eXtensible Markup Language (XML) attack, 164–165

external parties, 376–377

F

F2T2EA, 40

Fancy Bear, 422

Faraday bags, 445

Federal Bureau of Investigation (FBI), InfraGard Portal, 46

Federal Information Security Management Act (FISMA), 69, 522

Federal Trade Commission, Financial Privacy Rule, 380

federated identity, 199–200

FedRAMP, 521

field-programmable gate arrays (FPGAs), 132

file carving, 453–454

File Checksum Integrity Verifier (FCIV), 452

file systems, 420

filters, 273–274

FIN7, 37, 38

fingerprinting, 264–265

FireEye, 19, 137

Firefox, 171–172

firewalls, 71, 308–311

firewall logs, 282–284

misconfigured firewall rules, 121

next-generation firewalls (NGFs), 263

operating system firewalls, 312–314

web application firewalls (WAFs), 312

firmware, 220, 243

attestation, 244–245

measured boot, 244–245

trusted firmware updates, 245

Unified Extensible Firmware Interface (UEFI), 244

flow analysis, 271–272

NetFlow analysis, 272–273

forensic acquisition, 435–436

forensic duplicators, 450

forensic kit, 447–449

forensic suites, 453

forensics. See digital forensics

FPGAs, 132

frames, 439

frameworks, 35

CIS controls, 512–513

Diamond Model of Intrusion Analysis, 38–40

Framework for Improving Critical Infrastructure Cybersecurity, 505–506

ISO/IEC 27000 series, 508–511

kill chain, 40–43

MITRE ATT&CK, 35–38, 331–332

NIST frameworks, 502–508

overview, 501–502

Risk Management Framework (RMF), 503–505

SP 800-53, 506–508

types of, 502

FTK, 453

FTK Imager, 419, 450, 453

full-disk encryption, 245

Function as a Service (FaaS), 151–152

function level authorization, broken, 155

functional policy, 60

functions, use of insecure functions, 178

fuzzing, 103–104

G

General Data Protection Regulation (GDPR), 175, 380, 463, 466

geoblocking, 472

geofencing, 196

geospatial intelligence (GEOINT), 4

Ghost Fleet (Singer and Cole), 250

Google, 5–6

cached pages, 6

operators, 5

Safe Browsing, 44

VirusTotal, 45

Gramm-Leach-Bliley Act (GLBA), 380, 522

grouping, 336

groups, 303–305

H

“Hack the Pentagon” challenge, 21

hacktivists, 23

hardening networks, 78–80

hardware description language (HDL), 132

hardware root of trust, 239–240

hardware security, drones, 135

hardware security module (HSM) service, 156, 242

hash value, 264

Hashcat, 111–115, 452

hashing, 264–265

hashing utilities, 452

Health Insurance Portability and Accountability Act (HIPAA), 59, 65, 380, 463, 522

heap, 168

heap-based attacks, 168

Heartbleed Bug, 124, 167

heuristic analysis, 20, 262–263

high entropy domains, 335

high value assets (HVAs), 380

HIPAA. See Health Insurance Portability and Accountability Act (HIPAA)

historical analysis, 261–262

honeynets, 194–195, 210

honeypots, 194–195, 210

host scanning, 63

host-based IDSs (HIDSs), 284

host-based IPSs (HIPSs), 317

host-based security systems (HBSSs), 71

hping, 106–107

HSM. See hardware security module (HSM) service

HTTP Strict Transport Security (HSTS), 176

hubs, 439

human intelligence (HUMINT), 4

human resources (HR), 374–375

Hutchins, Eric, 40

HVAC systems, 136–137

hybrid clouds, 150

hybrid DLP, 475–476

hypervisors, 190–191

I

identification, 197

identity and access management (IAM), 145, 197–204

identity federation, 199–200

identity providers (IDPs), 200

IEC, 58

impact, 48

impact analysis, 286–287

impact interpretation maps, 486

impersonation, 170–171, 297

incident response, 50–51, 371, 387–388

change control process, 404

containment, 396–398

data correlation, 395

data integrity, 393

detection and analysis, 390–396

documentation, 390

downtime, 391–392

economic impacts, 394

eradication and recovery, 399–403

and forensic kit, 449

indicators of compromise (IOC), 405

isolation, 397–398

lessons-learned report, 403–404

monitoring, 405

patching, 401–402

preparation, 388–390

ransomware, 393–394

reconstruction, 401

recovery time, 392–393

removal, 398

response coordination with relevant entities, 373–378

restoration of permissions, 402–403

restoration of services, 403

reverse engineering, 395–396

sanitization, 400

scope of impact, 391

secure disposal, 401

segmentation, 397

severity level classification, 391

summary report, 405

system process criticality, 394–395

testing, 389–390

training, 388–389

updates to response plan, 404

verification of logging, 403

vulnerability mitigation, 399–400

See also communications

incidents, defined, 20

indexing, 468

indicator SDO, 15

indicators

defined, 14

lifecycle, 14

OpenIOC, 19

Structured Threat Information Expression (STIX), 14–17

Trusted Automated Exchange of Indicator Information (TAXII), 18–19

indicators of compromise (IOC), 46–47, 398, 405

industrial control systems (ICSs), 136–137

Information Security Management Systems (ISMS), 58

information sharing and analysis centers (ISACs), 27–28, 398

information sharing and analysis communities, 27–28

Information Sharing and Analysis Organizations (ISAOs), 28

Infrastructure as a Service (IaaS), 144, 148–149

Infrastructure as Code (IaC), 152–153

infrastructure management

asset management, 195–196

cloud vs. on-premises solutions, 186

containerization, 191

honeypots and honeynets, 194–195

network architecture, 186–190

network segmentation, 192–194

virtualization, 190–191

infrastructure vulnerability scanners, 92

Nessus, 92–97

OpenVAS, 76, 77, 78, 97–98

QualysGuard, 99–100

injection attacks, 164–166

injection flaws, 155–156

input validation, 230

insider threat actors, 24–25

insider trading, 383

Insomnia, 356

integer attacks, 168–169

integrated intelligence, 339–340

integration testing, 224

intellectual property, 381–382

US copyright law, 463

intelligence cycle, 25–27

intelligence disciplines, 4

intelligence sources

characteristics of, 12–13

general information, 4

open source intelligence (OSINT), 4–10

proprietary/closed source intelligence, 10–12

internal networks, 10

internal trends, 261

International Electrotechnical Commission. See IEC

International Organization for Standardization. See ISO

Internet Assigned Numbers Authority (IANA), 414

Internet Control Message Protocol (ICMP), 274–275, 413

Internet Corporation for Assigned Names and Numbers (ICANN), 7

WHOIS, 8

Internet of Things (IoT)

medical devices, 130

Mirai botnet, 130

overview, 129–130

Internet Protocol Security (IPSec), 122

Internet registries

overview, 6

regional Internet registries (RIRs), 6–7

intrusion detection systems (IDSs), 71

host-based, 284

network-based, 284

See also intrusion detection/prevention systems

intrusion detection/prevention systems, 284

rules, 314

Snort, 284–285, 315

Suricata, 285, 316–317

Zeek, 285, 315–316

intrusion prevention systems (IPSs), 71

host-based, 317

See also intrusion detection/prevention systems

intrusion sets, 15

IoT. See Internet of Things

ISO, 58

ISO/IEC 27000 series, 508–511, 521

ISO/IEC 27001 Standard, 58–59, 509–510

ISO/IEC 27005 Standard, 510–511

isolation, 397–398

IT Asset Management (ITAM), 195

J

jailbreaking, 169

jidoka, 345–346

job sites, 8–9

John the Ripper, 451

JSON (JavaScript Object Notation), 14

jump boxes, 192–193

jump servers, 192–193

Jumper, John, 40

K

key management, improper, 156–157

Kibana Query Language (KQL), 289

Knight Capital Group, 139

L

languages, generations of, 266–267

Lapse+, 101

lateral movement, 411

law enforcement agencies (LEAs), 377

Layer 2 Tunneling Protocol (L2TP), 122

leadership, 377–378

least privilege, 302

legacy and proprietary systems, 82

legal counsel, 374

lessons-learned report, 403–404

levels of war, 34

Levy, Elias, 168

likelihood, 48

linear congruential generators, 270

Link-Local Multicast Name Resolution (LLMNR), 108

Linux Memory Grabber, 419

live forensics, 443

See also digital forensics

live-fire exercise (LFX), 495–496

locally developed analytics solutions, 259

Lockheed Martin Cyber Kill Chain, 40–41

log aggregation, 222

log managers, 258

log review, 275, 428

authentication logs, 286

event logs, 280–281

firewall logs, 282–284

packet captures, 276–279

proxy logs, 284

syslog, 281–282

system logs, 279–282

web application firewall logs, 283

log viewers, 444–445

logging, 205–206

and cloud solutions, 158

insufficient, 156, 176–177

verification of, 403

Long, Johnny, 5

M

machine language, 102, 266

machine learning, 361

malicious payload, 292

malicious processes, 417–418

malware, 264, 275

automated malware signature creation, 358–360

cloud-connected protection, 268

commodity malware, 27

decomposition, 265–267

detect and block, 267

fileless, 267–268

fingerprinting/hashing, 264–265

polymorphic, 322, 339

rootkits, 173

sandboxing, 268, 322

SDO, 16

signatures, 321–322, 358–360

See also TTPs (tactics, techniques, and procedures)

malware information sharing platforms (MISPs), 46

malware-as-a-service, 27

managed security service providers (MSSPs), 146

mandatory access control (MAC), 202–203

Mandiant, 19

man-in-the-middle attacks, 171–172

manual review, 203–204

mass assignment, 155

maximum tolerable downtime (MTD), 392

maximum transmission units (MTUs), 275

McAfee 2019 Cloud Adoption and Risk Report, 145

MD5, 452

measured boot, 244–245

measurement and signature intelligence (MASINT), 4

Media Access Control (MAC), 412–413

medical devices, 130

memorandum of understanding (MOU), 81

memory contents, 418–419

memory overflows, 428

mergers and acquisitions, 383

messaging platforms, 128–129

meta-analysis, 91

microprobing, 251

microservices architectures, 221, 222

Microsoft SDL fuzzers, 104

Miller, Charlie, 134

MiniFuzz File Fuzzer, 104

Mirai botnet, 130

MITM. See man-in-the-middle attacks

MITRE Corporation

MITRE ATT&CK, 35–38, 331–332

MITRE ATT&CK Navigator, 36, 37, 333

ML. See machine learning

mobile apps, 219

mobile devices, 123

app vulnerabilities, 127–128

device vulnerabilities, 124–125

forensics, 445

network vulnerabilities, 124

operating system vulnerabilities, 125–126

Modbus, 139

monitoring, 205–206

and cloud solutions, 158

continuous, 518–519

insufficient, 156, 176–177

post-incident, 405

Morris, Robert Tappan, 168

Morris Worm, 168

MOU. See memorandum of understanding (MOU)

moving target defense (MTD), 210

multifactor authentication (MFA), 198–199, 232

N

National Infrastructure Security Coordination Centre (NISCC), 11

National Institute of Justice, 433

National Institute of Standards and Technology (NIST), 48, 67, 502

Framework for Improving Critical Infrastructure Cybersecurity, 505–506

National Vulnerability Database (NVD), 51

Risk Management Framework (RMF), 503–505

SP 800-53, 506–508

SP 800-137, 518

National Security Agency (NSA), 73–74

National Vulnerability Database (NVD), 67, 73

nation-state threat actors, 23

Nessus, 92–97, 337–338

Nessus Attack Scripting Language (NASL), 69, 70, 95

NetBIOS Name Service (NBT-NS), 108

NetFlow analysis, 272–273, 410

Network Access Control (NAC), 122, 319–320, 412

network architecture, 186–187

physical network, 187–188

serverless architecture, 190

software-defined networking (SDN), 188

virtual private cloud network, 188–189

virtual private networks (VPNs), 189

network behavior anomaly analysis, 262

network DLP (NDLP), 474

Network Mapper, 63

network mapping, 63

network segmentation, 192–194

network tap, 438–439

network-based IDSs (NIDSs), 284

new accounts, introduction of, 426

next-generation firewalls (NGFs), 263

Nikto, 89–91

nmap, 105, 106

noncritical assets, vulnerabilities, 62

nondisclosure agreements (NDAs), 465

nonpersistent XSS attacks, 165–166

nonvolatile RAM (NVRAM), 241

normalization of data, 206, 468

nslookup, 108

Number Resource Organization (NRO), 7

O

Obama, Barack, 505

object level authorization, broken, 154

object reference, insecure, 174

observed data, 16

oclHashcat, 111–115, 452

OinkMaster, 315

See also Snort

on-premises infrastructure, vs. cloud, 186

open source intelligence (OSINT), 4–10

Open Source Vulnerability Database (OSVDB), 73

Open Web Application Security Project (OWASP), 127, 154

logging best practices, 176–177

top ten web application security risk list, 218

OpenID, 200–201

OpenIOC, 19

OpenSCAP, 363–365

See also Security Content Automation Protocol (SCAP)

OpenVAS, 76, 77, 78, 97–98

operating system firewalls, 312–314

Operation Aurora, 382

Operation ShadowHammer, 217

operational technology (OT) network, 137

operational threat intelligence, 34

orchestration playbooks, 348–351

organizational governance, 81–82

organized crime, 24

OS fingerprinting, 63

OSINT. See open source intelligence (OSINT)

Outlook Web Access (OWA) page, fake, 422

output encoding, 230–231

OVAL database, 363

overwriting, 400

OWASP. See Open Web Application Security Project (OWASP)

OWASP Zed Attack Proxy (ZAP), 88, 89

owners, 196, 197

P

package analysis, 412

packet analysis, 273–275, 439–440

Pacu, 117

parameterized queries, 234

passive reconnaissance, 5

passive tap, 438

Pass-the-Hash (PtH) attacks, 334

Passware Kit Forensic, 450–451

password crackers, 450–452

password spraying, 170

passwords

and industrial control systems (ICSs), 137

and IoT, 129–130

policies, 515

weak, 122

PASTA, 49–50

patching, 77, 401–402

and IoT, 129

missing patches, 121

pattern recognition, 206

Payment Card Industry Data Security Standard (PCI DSS), 59, 65, 380–381, 463, 522

payment card information, 380–381

PCI DSS. See Payment Card Industry Data Security Standard (PCI DSS)

Peach Fuzzer, 104

peer-to-peer communication, irregular, 411–412

Pendergast, Andrew, 38

perfect forward secrecy (PFS), 176

permissions, 301–302

groups, 303–305

least privilege, 302

users, 302–303

validating, 402–403

persistent memory, 241

persistent XSS attacks, 165

personal health information (PHI), 380

personally identifiable information (PII), 16, 378–379

Phantom Cyber. See Splunk Phantom

phishing, 9, 296

PhotoRec, 453–454

physical access control, 132–133

physical destruction, 400

physical network architecture, 187–188

physical segmentation, 192

plaintext, 206–207

Platform as a Service (PaaS), 144, 146–148

platform configuration registers (PCRs), 241

playbooks, 348–351

policies and procedures

acceptable use policy (AUP), 514–515

account management, 517

continuous monitoring, 518–519

data ownership, 515–516

data retention, 516

ethics and codes of conduct, 514

overview, 513–514

password policy, 515

work product retention, 516–517

polymorphic malware, 322, 339

port scanning, 63

See also vulnerability scanning

ports, 79, 80

common protocol over a nonstandard port, 414

dynamic, 79, 323

ephemeral, 79, 323

registered, 323

security, 323

well-known, 79, 323

Postman, 356

PowerShell, 259

scripting, 353

predictive analytics, 206, 261

pre-EFI initialization (PEI), 244

Pretty Good Privacy (PGP), 297

preventative controls, 520

privacy, vs. security, 461–462

private cloud solutions, 150

privilege escalation, 169, 334, 421

privilege management, 198

privileges, unauthorized, 421

process automation systems (PASs), 139–140

Process for Attack Simulation and Threat Analysis. See PASTA

processor security extensions, 249

programmable logic controllers (PLCs), 137

protected health information (PHI), 59

protocol analysis, 274–275

Prowler, 116–117

proxy logs, 284

PsExec, 411

public cloud solutions, 149

Public Key Infrastructure (PKI), 74

public relations, 375

See also communications

Pulled Pork, 315

See also Snort

Pyramid of Pain, 46–47

Python, 259

scripting, 352–353

Q

Qualys, 83

QualysGuard, 99–100

query writing, 289–291

queue wedge condition, 132

Quick Response (QR) codes, 196

R

race condition, 174–175

radio frequency identification (RFID), 132, 196

ransomware, 393–394

rate limiting, 155

real user monitoring (RUM), 205

real-time operating system (RTOS), 131

Reaver, 112

reconnaissance, passive, 5

reconstruction, 401

recovery time, 392–393

recovery time objective (RTO), 393

reflected XSS, 165–166

Regex Fuzzer, 104

regional Internet registries (RIRs), 6–7

registered ports, 323

registry changes, 423

regulatory compliance, 522

regulatory environments, 58

Health Insurance Portability and Accountability Act (HIPAA), 59

ISO/IEC 27001 Standard, 58–59

Payment Card Industry Data Security Standard (PCI DSS), 59

regulatory requirements for scanning, 65

relevancy of intelligence data, 12–13

remediation plan, 518–519

remote code execution (RCE), 128, 164

Remote Desktop Protocol (RDP), 191, 334

remote terminal units (RTUs), 137

replay, 132–133

reports, 16

representational state transfer (REST), 221, 290, 354–356

requestors, 196

research. See threat research

research of threats, 43

resource starvation, 227

resource-monitoring tools, 287

responder, 108–109

REST. See representational state transfer (REST)

RESTful APIs, 354–356

reverse engineering, 102–103, 395–396

review boards, 196, 197

revocation authority (RA), 210

Rhino Security Labs, 117

rich execution environments (REEs), 247, 248

Rich Site Summary (RSS) feeds, 67

risk acceptance, 80

risk appetite, 64–65

risk assessment

asking the right questions, 482

avoiding group biases, 487

Delphi technique, 485

engineering tradeoffs, 490

magnitude, 486

overview, 481

prioritization, 488

probability, 484–485

quantitative vs. qualitative risk, 483–484

risk calculation, 483–487

risk identification, 482–483

security controls, 488–489

of supply chain, 491–494

training exercises, 494–497

risk factors, communication of, 487

risk management, 52

Risk Management Framework (RMF), 503–505

risk mitigation, 488

risk register, 483

Roesch, Martin, 284

rogue devices, 412–413

role-based access control (RBAC), 201–202

root, running as, 518

rooting, 169

rootkits, 173

Roth, Florian, 358

Rowhammer attack, 125

RSA, SecurID, 391

RTOS, 131

runtime (RT), 244

S

Safe Browsing, 44

SAML. See Security Assertion Markup Language (SAML)

SAML assertions, 223

sandboxing, 268, 322

sanitization, 400

SANS Internet Storm Center, 21

Sarbanes-Oxley Act (SOX), 522

SCADA devices, 138–139

scan sweeps, 413

scanning. See vulnerability scanning

scheduled tasks, unauthorized, 423–425

Scout Suite, 115–116

scripting

command line interface (CLI), 351–352

PowerShell, 353

Python, 352–353

Secure Shell (SSH) protocol, 352

SDLC. See software development lifecycle (SDLC)

secure boot, 244

secure enclaves, 247

secure processing, 247

atomic execution, 249

processor security extensions, 249

trusted execution environment (TEE), 247–248

Secure Shell (SSH) protocol, 352, 411

Secure Sockets Layer (SSL), 274

Secure/Multipurpose Internet Mail Extensions (S/MIME), 297

security

misconfiguration, 155

vs. privacy, 461–462

vs. usability, 79

Security as a Service (SECaaS), 146

Security Assertion Markup Language (SAML), 199, 222–223

Security Content Automation Protocol (SCAP), 69–70, 362–363

See also OpenSCAP

security data analytics, 257–258

data aggregation and correlation, 258–260

historical analysis, 261–262

trend analysis, 260–261

security engineering, 53

security frameworks. See frameworks

security information and event management (SIEM) systems, 259, 288–289

and data correlation, 395

security operation centers (SOCs), 66

security orchestration, automation, and response (SOAR) platforms, 346–348

security phase (SEC), 244

Security Technical Implementation Guides (STIGs), 73–74, 362

seeds, 270

segmentation, 397

self-encrypting drives (SEDs), 245–246

Sender Policy Framework (SPF), 293

sensitive personal information. See personally identifiable information (PII)

Server Message Block (SMB), 411

serverless architecture, 150–151

Function as a Service (FaaS), 151–152

serverless network architecture, 190

servers, 443

vulnerabilities, 61–62

server-side request forgery (SSRF) attacks, 165

service discovery, 63

service interruption, 427–428

service level agreements, 81

service-oriented architecture (SOA)

microservices architectures, 221, 222

overview, 220–221

representational state transfer (REST), 221

Security Assertion Markup Language (SAML), 199, 222–223

Simple Object Access Protocol (SOAP), 221

session hijacking, 173

session IDs, 231

session management, 231

SHA-1, 452

shadow IT, 62

Signaling System No. 7 (SS7) protocols, 124

signals intelligence (SIGINT), 4

signature-based detection, 267

Simple Mail Transfer Protocol (SMTP), 293

Simple Object Access Protocol (SOAP), 221

Singer, P.W., 250

single sign-on (SSO), 199, 200

sinkholing, 321

SLAs. See service level agreements

smartphones. See mobile devices

“Smashing the Stack for Fun and Profit” (Levy), 168

Snort, 284–285

rules, 315

SOAP. See Simple Object Access Protocol (SOAP)

SOAs. See service-oriented architecture (SOA)

SoC, 131

social engineering, 9

social media, 9

social media profiling, 9

Society for Worldwide Interbank Financial Telecommunication (SWIFT) systems, 140

software, unauthorized, 416

software architectures

client/server, 217

distributed applications, 216–217

embedded systems, 219–220

firmware, 220

mobile apps, 219

overview, 215–217

standalone applications, 216

system on a chip (SoC), 131, 220, 240

two-tier architecture, 217

web applications, 218

Software as a Service (SaaS), 144–146, 318

software assessment, 100, 226

code reviews, 227–228

dynamic analysis, 102, 228–229

formal methods of verifying critical software, 229

fuzzing, 103–104

Lapse+, 101

reverse engineering, 102–103

security regression testing, 227

static analysis, 101, 228, 229

stress testing, 226–227

user acceptance testing, 226

software development lifecycle (SDLC), 47, 152

development, 224

implementation, 225

operation and maintenance, 225

overview, 223

requirements, 223–224

See also coding best practices

software engineering, 365–366

software-defined networking (SDN), 188, 278

source authenticity, 493–494

SP 800-53, 506–508

SP 800-137, 518

spatial trends, 261

Splunk, 259, 290

Splunk Phantom, 347–348

Splunk Search Processing Language (SPL), 289

SQL injection (SQLi) attacks, 165, 230, 234

SS7 protocols, 124

stack, 168

stack counting, 336

stack-based attacks, 168

stacking, 336

staff, internal, 375–376

stakeholders, 374

standards compliance, 521–522

static analysis, 101, 229

tools, 228

statistics, 260

steganography, 471–472

storage, unprotected, 157–158

storage keys, 241

storage root key (SRK), 241

strategic threat intelligence, 34

strcpy() function, 178

STRIDE, 49

as applied to PaaS, 147–148

Structured Query Language injection attacks, 165

Structured Threat Information Expression (STIX), 14, 35

attack pattern SDO, 14–15

campaign SDO, 15

course of action SDO, 15

identity SDO, 15

indicator SDO, 15

intrusion set SDO, 15

malware SDO, 16

observed data SDO, 16

relationship SRO, 17

report SDO, 16

sighting SRO, 17

STIX Domain Objects (SDOs), 14

STIX Relationship Objects (SROs), 14

threat actor SDO, 16

tool SDO, 16–17

vulnerability SDO, 17

supervisory control and data acquisition. See SCADA devices

supply chain risk assessment, 491–492

hardware source authenticity, 493–494

vendor due diligence, 492–493

Suricata, 285

rules, 316–317

Swagger Codegen, 356

switches, 439

symmetric cryptography, 207, 209

syslog, 281–282

system isolation, 193–194

system logs, 279–282

system on a chip (SoC), 131, 220, 240

system process criticality, 394–395

system testing, 224

systems assessment, 490–491

T

tabletop exercises (TTXs), 495

tactical threat intelligence, 34–35

Talos, 44–45

Target, 137

taxonomy, 468

TCP streams, 274

tcpdump, 440–441

technical constraints for scanning, 65

temporal trends, 261

Tenable, 83

See also Nessus

testing incident response, 389–390

testing software, 224

code reviews, 227–228

dynamic analysis, 102, 228–229

formal methods of verifying critical software, 229

security regression testing, 227

static analysis, 101, 228, 229

stress testing, 226–227

user acceptance testing, 226

threat actors, 16, 23–25

profiling, 331–332

threat classification

advanced persistent threats (APTs), 22

known vs. unknown threats, 20

overview, 20

preparation, 21

zero day, 20–21

threat data, 3

threat feed combination, 360–361

threat hunting

assumption of breach, 329

attack vectors, 48, 339

bundling critical assets, 337–338

delivering results, 336–340

documenting the process, 337

establishing a hypothesis, 330–331

improving detection capabilities, 340

integrated intelligence, 339–340

overview, 327–329

profiling threat actors and activities, 331–332

reducing attack surface area, 337–338

tactics, 332–336

threat intelligence

defined, 3

foundations of, 4

levels of, 34–35

threat intelligence sharing, 50–53

threat modeling methodologies, 47–50

threat research, 43

behavioral, 45–46

Common Vulnerability Scoring System (CVSS), 47

indicators of compromise (IOC), 46–47

reputational, 44–45

threat working group (TWG), 482–483

time series, 260

timeliness of intelligence data, 12

time-of-check to time-of-use (TOCTOU), 174, 249

Titan Rain, 22

tokenization, 470

topology discovery, 63

total attack surface, 48

Traffic Light Protocol (TLP), 11–12

training exercises, 494–495

blue teams, 497

live-fire exercise (LFX), 495–496

red teams, 496

tabletop exercises, 495

white teams, 497

transient system load (TSL), 244

Transmission Control Protocol (TCP), 274, 413

Transport Layer Security (TLS), 122, 176, 274

trend analysis, 260–261

trust, 268

Trusted Automated Exchange of Indicator Information (TAXII), 18–19, 35

trusted execution environment (TEE), 247–248

Trusted Foundry Program, 250–251

Trusted Platform Module (TPM), 240–241

TShark, 439–440

TTPs (tactics, techniques, and procedures), 14, 35, 37–38

high-impact, 333–336

See also malware

two-tier architecture, 217

U

unexpected output, 426–427

Unified Extensible Firmware Interface (UEFI), 244

unit testing, 224

Universal Forensic Extraction Device (UFED), 453

untidy, 104

updates, missing, 121

UpGuard, 157

URL blacklisting, 44

US Army Intelligence and Security Command (INSCOM), 157

US copyright law, 463

US Department of Defense, 158

US National Geospatial-Intelligence Agency (NGA), 157

usability, vs. security, 79

user and entity behavior analytics (UEBA), 268–269

user authentication, broken, 154

User Datagram Protocol (UDP), 274, 413

users, 301, 302–303

V

Valasek, Chris, 134

versatile memory, 241

virtual desktop infrastructure (VDI), 191

virtual local area networks (VLANs), 192, 397

virtual private cloud network, 188–189

virtual private clouds (VPCs), 189

virtual private networks (VPNs), 122–123, 189

VirtualBox, 46

virtualization, 190–191

and the cloud, 445–446

VirusTotal, 45, 264–265, 271

VMware Workstation, 46

Von Clausewitz, Carl, 33, 34

VPN split tunnels, 189

vSphere Hypervisor, 446

vulnerabilities, 173

dereferencing, 174

improper error handling, 173–174

insecure components, 176

insecure object reference, 174

insufficient logging and monitoring, 176–177

race condition, 174–175

sensitive data exposure, 175–176

use of insecure functions, 178

weak or default configurations, 177

vulnerability identification

asset inventory, 61–62

corporate security policy, 60

data classification, 60–61

overview, 57–58

regulatory environments, 58–59

See also vulnerability scanning

vulnerability management, 51–52

business process interruption, 82

compensating controls, 80

degrading functionality, 82

generating reports, 71–72

hardening, 78–80

legacy and proprietary systems, 82

memorandum of understanding (MOU), 81

organizational governance, 81–82

patching, 77

prioritizing, 78

remediation, 76–81

risk acceptance, 80

service level agreements, 81

validation, 72–76

verification of mitigation, 81

See also specific components

vulnerability mitigation, 399–400

vulnerability scanning, 57–58, 64

active vs. passive scanning, 63–64

approved scanning vendors (ASVs), 59

false negatives, 76

false positives, 75–76

generating reports, 71–72

host scanning, 63

infrastructure vulnerability scanners, 92–100

inhibitors to remediation, 81–83

internal vs. external, 69

network mapping, 63

noncredentialed vs. credentialed, 67–68

ongoing scanning, 83

OS fingerprinting, 63

port scanning, 63

regulatory requirements, 65

remediation, 76–81

risks, 64–65

scope, 67

Security Content Automation Protocol (SCAP), 69–70

sensitivity levels, 66

server-based vs. agent-based, 68

special considerations, 70–71

technical constraints, 65

tool updates and plug-ins, 69

true negatives, 76

types of data, 69

validation, 72–76

vulnerability feeds, 66–67

war dialing, 63

web app vulnerability scanning, 64, 88–91

workflow, 65–66

vulnerability window, 177

W

war dialing, 63

watermarking, 471–472

web app vulnerability scanning, 64, 88

Arachni, 91

Burp Suite, 88, 89

Nikto, 89–91

OWASP Zed Attack Proxy (ZAP), 88, 89

See also vulnerability scanning

web application firewalls (WAFs), 312

web applications, 218

firewall logs, 283

web of trust, 209

web portal security, and drones, 136

web proxies, 311–312

well-known ports, 79, 323

WhatsApp, 128–129

whitelisting, 306–308, 416

WHOIS, 8

Wi-Fi, and drones, 135

Windows Defender Firewall, 313

Wired Equivalent Privacy (WEP) protocol, 122

wireless access points (WAPs), 122

wireless assessment, 109–110

Aircrack-ng, 110, 111

oclHashcat, 111–115

Reaver, 110–111, 112

Wireshark, 439–440, 441

work product retention, 516–517

workflow automation systems (WASs), 139–140

workflow orchestration, 346

playbooks, 348–351

security orchestration, automation, and response (SOAR) platforms, 346–348

X

XML (eXtensible Markup Language), 221

XML bombs, 164–165

XML External Entity (XXE) attacks, 164, 165

XSS attacks, 165–166

Y

Yara Rules Project, 322

YARA signatures, 321–322, 358–360

yarGen, 358–360

Z

ZAP, 88, 89

Zeek, 285

rules, 315–316

zero-day exploits, 21

zero-day vulnerability, 20–21

zero-trust environment, 268

zone transfers, 7
