Saturday, April 29, 2017
Defining Adversaries as Threats
Several aspects are important when studying and attempting to understand adversarial behavior. First, be careful in assuming you understand their objective. False flag or 5th column activities can muddy what appears to be a straightforward attack. Threat objectives are ultimately one of the hardest topics on which to achieve clarity. Understanding adversaries also includes knowledge of their capabilities. I would refer the reader back again to Fig. 14.1: DoD Cyber Adversary Tiers. Understanding that not all threats are equal, and that not all threat actors have similar skills, resources or abilities, will help enable a more nuanced study and observation of this aspect of cyber security research. Contextualizing adversaries into whatever modalities you prefer (DoD tiers) or common labels (hacktivist, organized crime, nation-state, etc.) will add more precision and fidelity than the overloaded, often inaccurate “hacker” label.
False flags is a term from spycraft for when one actor plants or leaves indicators and evidence that associate them with a different organization or country. This could be as simple as wearing a uniform of another country, or as complex as mimicking the TTPs, language, and stylistic details of another cyber actor. Similarly, the 5th column is a hidden element within an organization or country that covertly works to subvert the objectives of the host. This is akin to an organization or a group of insider threats.
In addition to understanding capabilities, adversary Tactics, Techniques, and Procedures can be studied to better understand how they operate, what their intentions are, and perhaps even attribute them to a specific organization. This line of inquiry often requires considerable information to be collected from the various IT systems throughout the adversary campaign. Models such as the Cyber Kill Chain, conceptualized by Lockheed Martin, can be used to collect information (some of which will be outside the victim network, and very hard to get), and the rest (inside) might be tampered with or unavailable. Alternative approaches would include lurking on various criminal and semi-criminal message boards, websites, and darknet forums. Open source information is often provided to the public free of charge by commercial organizations and other researchers. Often the raw information is missing, but the information can be a reasonable starting point. Organizations with an appropriate risk tolerance can actually set up a Honeypot or Honeynet. This can be a very hard system to set up and integrate, but it can be an invaluable source of information. The key challenge is to ensure that the honeypot is of sufficient quality and realism so that sophisticated threats do not realize that they are not on a real system. However, you also do not want to allow any vital resources to be compromised or, worse, your systems to be used to compromise some other organization. Similarly, the integration of the honeynet into your operations network can be a technical challenge. For more details on Honeypots refer to Chapter 13, Instrumentation.
Research Methods for Cyber Security
Fundamental Cyber Security Work
As with every scientific field, there is research that is performed that is an inflection point for future research. Below is a list of seminal papers that will give you a solid foundation for cybersecurity research. This list includes research that had impacts that changed the way the field thought about topics. This list is not meant to be a list of just good research or interesting topics. A brief explanation of why the paper is seminal is provided per reference.
Friday, April 28, 2017
Live Phishing Education Slides
This template (or one like it created by you and your team!) can be used when auto-directing users after a live phishing campaign, as well as for normal instruction.
You’ve Been Hacked!
But it’s OK...and it was only a quiz (the real test is from an attacker). (Click the arrows for more info!) What Just Happened, and Why? Did you know: real attackers are making these same attempts all the time against our network?
We’d rather help ourselves become stronger before the attackers can help themselves to our patients’ data. No matter how many advanced technical hurdles internet security puts in place, the best defense is always an alert member of the team (you!).
Classroom is theory—treating that first patient wasn’t. It’s better to practice when it’s safe.
Social Engineering 101(0101)
Computers are black and white, on or off; humans aren’t, so unfortunately we present a better target to attackers:
RSA (security company) hacked in 2011 via email
HBGary (security company) hacked 2011 via reused passwords, email
Google/Adobe—hacked, operation Aurora 2010
So It’s OK That You Were Exploited (This Time)
If people who work for computer technology companies—some of which specialize in security—fall for attacks, it’s to be expected that you would fall for similar attacks as well.
We get better with practice; this is an opportunity for that practice.
No Blame, No Shame, Just...
You work for a healthcare organization where listening and trusting people is a priority! That’s good!
...but social engineering plays on your good nature and trust by building rapport (“I love our patients, too!”), making a request (“Password, please!”), and often faking urgency (“The CEO/CIO/CNO all want this done now!”).
A Few Strategies for Next Time
If you aren’t expecting an email from someone (even if you know them), don’t click the links or open the attachment.
If you think it might be work-related, reply to the person and ask for more specifics.
If a website is asking for personal information (like your password), and you don’t recognize the site, call the IT helpdesk.
Because There Will Be a Next Time
If the site looks correct, make sure that it is a secure site (https:// in the URL bar, look for the lock).
If Something Feels Funny
You just logged in, and you went immediately back to the login page.
The site doesn’t use HTTPS but requests a password.
You received an email from someone you don’t know or about a package you didn’t send.
A document that claims to have payroll information in it.
A greeting card as an attachment.
If Something Looks Funny
You open an attachment and you get a weird error, or the document doesn’t contain what it said it would.
You are prompted to turn on macros or install a driver update, or a new version of Flash player.
The website looks like ours, but the website address (URL) in the address bar looks different.
You find a USB thumb drive or a CD/DVD lying around.
If Something Sounds Funny
You get a call from “IT” and they ask for your username and password, or say they are working on a problem you have not reported.
A call from a new vendor who wants to know who our current vendor for xyz is (so they can call back and pose as being from that company).
A request from the “fire marshal” to look at the extension cords under your computer desk (should be with facilities).
Feels, Looks, or Sounds Funny—Call the IS Helpdesk
If it is something normal, they can help you.
If it is not, they’ll escalate the issue so we can take swift, appropriate action and warn other users.
What If I Already Clicked the Link, or Opened the Attachment?
No blame, no shame, but please—CALL NOW!
The sooner your IT team knows, the sooner they can help you and prevent the issue from going farther.
What If I Didn’t Click the Link or Attachment?
If you think it looks suspicious, better safe than sorry.
Your IT team still needs to know about the possible threat to our patients’ protected health information (PHI).
Other users might not be as discerning.
The attacker might come back with something better next time.
Your IT Team Is Here for You!
Would you like a one-on-one session to talk about any of this information?
Do you lead a team who could benefit from this material?
If so, please contact the helpdesk at x1111 and let us know!
Phishing Program Rules
Some explanation and rules of the phishing program will help your users get excited and involved in the rewards program.
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
The IT team would like to present a new contest called “Something Smells Phishy!”
We’ll be putting on our hacker hats and trying to get you to fall for our security tests. While we won’t be trying to gather your credit card details, there are currently real hackers out in the world trying to get every bit of information they can.
They are the real bad guys and the whole point behind this campaign. Expect to see more training and key points to remember:
Don’t click links in emails.
Don’t open attachments that you aren’t expecting.
Never give your username/password to anyone.
If it smells phishy REPORT IT!
All of this is a training exercise and the more you learn, the safer we all are and the more chances you have to win some awesome prizes! Each time you report a legitimate phishing attempt (either from us or a real attacker) your name gets entered into the phish bowl for the following prizes!
Things that should be reported:
Suspicious emails trying to get your information (usernames, passwords, what software we use, banking info, etc).
Suspicious emails with attachments that you didn’t expect.
People attempting to access your computer that you haven’t authorized.
Bruce Schneier books
He is the author of over 12 books, including such early books as 1996’s Applied Cryptography: Protocols, Algorithms and Source Code in C (https://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/1119096723). He wrote a few other books on cryptography (including a couple with Niels Ferguson), but Schneier also began to follow his long-time interest in the larger reasons why computer security was not being improved. The result was a series of books, each exploring the non-technical reasons (trust, economics, sociology, and so on) for the continued weakness. They are filled with easy-to-understand theory and elucidated by example stories. Here are my favorite general-interest Schneier books:
■■ Secrets and Lies: Digital Security in a Networked World (https://www.amazon.com/Secrets-Lies-Digital-Security-Networked/dp/0471453803)
■■ Beyond Fear: Thinking Sensibly About Security in an Uncertain World (https://www.amazon.com/Beyond-Fear-Thinking-Sensibly-Uncertain/dp/0387026207)
■■ Liars and Outliers: Enabling the Trust that Society Needs to Thrive (https://www.amazon.com/Liars-Outliers-Enabling-Society-Thrive/dp/1118143302/)
■■ Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (https://www.amazon.com/Data-Goliath-Battles-Collect-Control/dp/039335217X/)
Thursday, April 27, 2017
SLAAC
Perimeter Security Concerns.
Addressing. IPv6 is more flexible in its approach to dynamic addressing. Instead of solely relying on DHCP, an IPv6 device can address itself through stateless address autoconfiguration (SLAAC). The host uses a unique identifier (typically its own Media Access Control (MAC) address) in addition to the Neighbor Discovery (ND) protocol to complete the automatic addressing. Since there is no authentication requirement, the GSD must prevent external devices from attempting to act as an internal router during the addressing process.
The significant increase in available addresses in any particular IPv6 network makes it infeasible to discover devices and network topology using traditional port scanning methodologies. By using the Multicast Listener Discovery (MLD) protocol, an attacker can send a probe to the link-local multicast address (ff02::1) and listen for responses. The GSD must block this capability at the perimeter to prevent external devices from attempting to discover internal hosts and topologies.
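The SLAAC interface identifier described above is derived mechanically from the MAC, so an address on the wire reveals the hardware address behind it. The Python below (an added example, not part of the quoted text) builds the modified EUI-64 address a SLAAC host would self-assign and recovers the MAC from an observed address, which is the check an inventory or perimeter audit would run; the MAC and prefixes are constructed values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe in the middle
    iid[0] ^= 0x02                                           # flip the universal/local bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Address a SLAAC host would self-assign from a /64 prefix plus its MAC."""
    net = ipaddress.IPv6Network(prefix)
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_slaac(addr: str):
    """Recover the MAC from an EUI-64 shaped address; None if the IID is not EUI-64."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None                  # privacy/opaque IIDs (RFC 4941, RFC 7217) land here
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def addresses_leaking_mac(addrs):
    """Audit helper: map each observed address to the MAC it exposes, if any."""
    found = {}
    for addr in addrs:
        mac = mac_from_slaac(addr)
        if mac is not None:
            found[addr] = mac
    return found


if __name__ == "__main__":
    # constructed sample: one EUI-64 host, one host using an opaque identifier
    sample = ["2001:db8:1:2:21a:2bff:fe3c:4d5e", "2001:db8:1:2:9c1f:7e2a:44b0:1"]
    print(addresses_leaking_mac(sample))
```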
interface resets—Repeated resets of the connection, resulting in lower-quality utilization; caused by an interface misconfiguration.
LACP
The IEEE 802.3ad standard supports Link Aggregation Control Protocol (LACP). Unlike some of the older vendor-proprietary solutions, LACP supports automatic configuration and prevents an individual link from becoming a single point of failure. Specifically, with LACP, if a link fails, that link’s traffic is forwarded over a different link.
You can configure port channels on a Nexus switch statically, or dynamically via the Link Aggregation Control Protocol (LACP), which can bundle multiple links into a single port channel as well as help to detect link failures. LACP is a non-proprietary IEEE 802.1AX port channel negotiation standard. After enabling it globally on the device, you can then enable LACP for each channel by setting the channel mode for each interface to either active or passive. When a port is configured for passive mode, it will respond to the LACP packets it receives, but it won’t initiate an LACP negotiation. When a port is configured for active mode, the port initiates negotiations with other ports by sending LACP packets.
split horizon
Distance-vector routing protocols typically use one of two approaches for preventing routing loops:
Split horizon: The split horizon feature prevents a route learned on one interface from being advertised back out of that same interface.
Poison reverse: The poison reverse feature causes a route received on one interface to be advertised back out of that same interface with a metric considered to be infinite.
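To make the two loop-prevention rules concrete, the Python below (an added example, not from the quoted text) simulates two distance-vector routers after a link failure and counts the exchange rounds needed to converge with no protection, with split horizon, and with poison reverse; router names, interface names and the RIP-style infinity of 16 are constructed.

```python
INFINITY = 16  # RIP-style "unreachable" metric (constructed example values throughout)


def build_advertisement(table, out_iface, mode):
    """Routes to send out of out_iface from table {dest: (metric, learned_iface)}.
    learned_iface is None for directly connected routes.
    mode is "none", "split-horizon" or "poison-reverse"."""
    adv = {}
    for dest, (metric, learned_iface) in table.items():
        if learned_iface is not None and learned_iface == out_iface:
            if mode == "split-horizon":
                continue                 # never send a route back where it came from
            if mode == "poison-reverse":
                adv[dest] = INFINITY     # send it back, but marked unreachable
                continue
        adv[dest] = metric
    return adv


def receive(table, adv, in_iface):
    """Bellman-Ford update from an advertisement heard on in_iface; True if changed."""
    changed = False
    for dest, metric in adv.items():
        new_metric = min(metric + 1, INFINITY)
        cur_metric, cur_iface = table.get(dest, (INFINITY, None))
        # A route from the current next hop is always accepted, even if it got worse;
        # a route from anywhere else is accepted only if it is strictly better.
        if cur_iface == in_iface or new_metric < cur_metric:
            if (new_metric, in_iface) != (cur_metric, cur_iface):
                table[dest] = (new_metric, in_iface)
                changed = True
    return changed


def simulate_link_failure(mode, max_rounds=50):
    """Routers A and B share link "ab". A's LAN toward network N has just failed,
    while B still holds the route it learned from A. Returns
    (rounds until no table changes, A's final metric, B's final metric)."""
    a = {"N": (INFINITY, None)}   # directly connected route, now unreachable
    b = {"N": (2, "ab")}          # stale route learned from A
    for rnd in range(1, max_rounds + 1):
        adv_a = build_advertisement(a, "ab", mode)   # both sides advertise first...
        adv_b = build_advertisement(b, "ab", mode)
        changed = receive(a, adv_b, "ab")             # ...then both sides update
        changed = receive(b, adv_a, "ab") or changed
        if not changed:
            return rnd, a["N"][0], b["N"][0]
    return max_rounds, a["N"][0], b["N"][0]


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, simulate_link_failure(mode))
```

Without protection the two routers count up toward 16 one hop per round; either rule settles the stale route in the first exchange.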
ARP Cache Poisoning
ARP cache poisoning is usually a part of a man-in-the-middle attack. The ARP cache contains IP address to MAC address mappings that a device has learned through the ARP process. One of the ways this cache can be poisoned is by pinging a device with a spoofed IP address. In this way, an attacker can force the victim to insert an incorrect IP address to MAC address mapping into its ARP cache. If the attacker can accomplish this with two computers having a conversation, they can effectively be placed in the middle of the transmission. After the ARP cache is poisoned on both machines, they will be sending data packets to the attacker, all the while thinking they are sending them to the other member of the conversation.
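The poisoning described above leaves a visible trace: an IP's MAC binding changes, and one MAC ends up answering for both ends of the conversation. The Python below (an added example, not from the quoted text) scans tcpdump-style ARP lines the way arpwatch does and reports both signals; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# tcpdump-style ARP lines, constructed for this example (not a real capture)
SAMPLE_ARP_LOG = """\
10:00:01 reply 10.0.0.1 is-at 00:11:22:33:44:01
10:00:02 reply 10.0.0.50 is-at 00:11:22:33:44:50
10:00:05 request who-has 10.0.0.1 tell 10.0.0.50
10:00:09 reply 10.0.0.1 is-at de:ad:be:ef:00:99
10:00:09 reply 10.0.0.50 is-at de:ad:be:ef:00:99
""".splitlines()

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def detect_arp_poisoning(lines):
    """Track IP-to-MAC bindings seen in ARP replies and return two findings:
    flips: (timestamp, ip, old_mac, new_mac) whenever an IP's binding changes, and
    multi_ip: {mac: sorted ips} for any MAC that answered for more than one IP."""
    bindings = {}
    ips_per_mac = defaultdict(set)
    flips = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue  # requests and non-ARP noise carry no binding
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        old = bindings.get(ip)
        if old is not None and old != mac:
            flips.append((ts, ip, old, mac))
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
    # A MAC serving several IPs is a lead, not proof: proxy-ARP routers and
    # VRRP/HSRP gateways do this legitimately, so verify against inventory.
    multi_ip = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return flips, multi_ip


if __name__ == "__main__":
    flips, multi_ip = detect_arp_poisoning(SAMPLE_ARP_LOG)
    for ts, ip, old, new in flips:
        print(f"{ts} binding change for {ip}: {old} -> {new}")
    for mac, ips in multi_ip.items():
        print(f"{mac} answers for {', '.join(ips)}")
```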