Just another IT Blog

  • Frameworks of Ethical Hacking

    A Cyber Security Notes #04

    According to EC-Council, the Ethical Hacking Framework consists of 5 phases:

    • Reconnaissance (Information Gathering): This initial phase involves gathering as much information as possible about the target system or network. Ethical hackers use techniques like open-source intelligence (OSINT), scanning public data, and footprinting to understand the target’s infrastructure and potential vulnerabilities. Example Activities: WHOIS lookups, DNS enumeration, social engineering, and scanning for IP addresses.
    • Scanning and Enumeration: In this phase, ethical hackers actively probe the target to identify live hosts, open ports, services running, and system configurations. This phase maps the attack surface and identifies vulnerabilities. Example Activities: Network scanning using tools like Nmap, vulnerability scanning with Nessus, and enumerating user accounts or shared resources.
    • Exploitation (Gaining Access): Ethical hackers attempt to exploit identified vulnerabilities to gain access to the target system. This phase simulates what a malicious attacker might do, but within ethical and authorized boundaries. Example Activities: Exploiting web application flaws, bypassing authentication mechanisms, or using Metasploit to test vulnerabilities.
    • Maintaining Access (Post-Exploitation): Once access is gained, this phase tests whether the attacker can retain access and move laterally within the system without detection. Ethical hackers evaluate privilege escalation and persistence techniques. Example Activities: Creating backdoors, testing privilege escalation paths, or mapping sensitive data access.
    • Covering Tracks: The final phase involves erasing evidence of the hacking activities to avoid detection. Example Activities: Clearing logs, deleting files, and other methods to obscure the hacker’s presence and actions within the system.

    There are also other frameworks in ethical hacking that we should learn, such as the Cyber Kill Chain, MITRE ATT&CK, and the Diamond Model of Intrusion Analysis.

    There are 7 steps in the Cyber Kill Chain:

    • Reconnaissance: Attackers gather information about the target, such as system configurations, employee details, or network vulnerabilities, to plan their attack. Example: Scanning for open ports or harvesting email addresses.
    • Weaponization: Attackers create a weaponized payload, combining an exploit with a backdoor, designed to exploit vulnerabilities in the target system. Example: Crafting a malicious email attachment with malware.
    • Delivery: The weaponized payload is delivered to the target via email, USB drives, phishing websites, or other methods. Example: Sending a phishing email with a malicious attachment.
    • Exploitation: The payload exploits vulnerabilities in the target system to execute the attacker’s code. Example: A victim opening the malicious attachment, triggering the malware.
    • Installation: The attacker installs malware, such as a backdoor or remote access tool (RAT), on the target system to establish a foothold. Example: Installing a trojan to maintain access to the system.
    • Command and Control (CnC): The attacker establishes a communication channel with the compromised system to control it remotely. Example: Using a CnC server to issue commands to infected devices.

    Meanwhile, the MITRE ATT&CK® framework is a more comprehensive knowledge base that categorizes the tactics and techniques employed by adversaries during cyberattacks. It outlines 14 distinct tactics, each representing a specific objective that attackers aim to achieve:

    • Reconnaissance: The adversary is trying to gather information they can use to plan future operations.
    • Resource Development: The adversary is trying to establish resources they can use to support operations.
    • Initial Access: The adversary is trying to get into your network.
    • Execution: The adversary is trying to run malicious code.
    • Persistence: The adversary is trying to maintain their foothold.
    • Privilege Escalation: The adversary is trying to gain higher-level permissions.
    • Defense Evasion: The adversary is trying to avoid being detected.
    • Credential Access: The adversary is trying to steal account names and passwords.
    • Discovery: The adversary is trying to figure out your environment.
    • Lateral Movement: The adversary is trying to move through your environment.
    • Collection: The adversary is trying to gather data of interest to their goal.
    • Command and Control: The adversary is trying to communicate with compromised systems to control them.
    • Exfiltration: The adversary is trying to steal data.
    • Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.
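    The 14 tactics are most useful to a defender as a checklist: which of them does the monitoring actually observe, and in what order did they appear in a given incident? The following Python is an added example, not code from the blog or from MITRE. The rule names, tactic tags and alert timestamps are constructed for illustration; the tactic names are the ones listed above.

```python
"""Map detection rules and alerts onto the 14 ATT&CK tactics.
Added example, not from the blog or from MITRE; rule names, tactic tags and
alerts below are constructed for illustration."""

# The 14 tactics in the order the framework presents them.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed detection rules, each tagged with the tactic(s) it observes.
RULES = {
    "phishing_attachment_opened": ["Initial Access", "Execution"],
    "new_scheduled_task":         ["Persistence", "Privilege Escalation"],
    "lsass_memory_read":          ["Credential Access"],
    "smb_admin_share_login":      ["Lateral Movement"],
    "beacon_to_rare_domain":      ["Command and Control"],
    "large_outbound_transfer":    ["Exfiltration"],
}

# Constructed alerts from one incident: (ISO timestamp, rule that fired).
ALERTS = [
    ("2024-05-02T09:02:11", "phishing_attachment_opened"),
    ("2024-05-02T09:05:40", "beacon_to_rare_domain"),
    ("2024-05-02T09:20:03", "new_scheduled_task"),
    ("2024-05-02T10:11:55", "lsass_memory_read"),
    ("2024-05-02T10:30:12", "smb_admin_share_login"),
    ("2024-05-02T11:45:00", "large_outbound_transfer"),
]


def validate_rules(rules):
    """Reject a rule tagged with a tactic name that is not in ATT&CK (a typo would hide a gap)."""
    for name, tactics in rules.items():
        for t in tactics:
            if t not in TACTICS:
                raise ValueError(f"rule {name!r} uses unknown tactic {t!r}")


def coverage(rules):
    """Tactic -> sorted list of rule names that cover it, for all 14 tactics."""
    validate_rules(rules)
    cov = {t: [] for t in TACTICS}
    for name, tactics in rules.items():
        for t in tactics:
            cov[t].append(name)
    return {t: sorted(names) for t, names in cov.items()}


def gaps(rules):
    """Tactics with no detection rule at all, in framework order."""
    return [t for t, names in coverage(rules).items() if not names]


def tactic_timeline(alerts, rules):
    """Order the tactics observed in an incident by the time each was first seen.

    alerts: iterable of (timestamp, rule_name) in any order. Ties (one alert
    tagged with two tactics) are broken by framework order.
    """
    validate_rules(rules)
    first_seen = {}
    for ts, rule in alerts:
        if rule not in rules:
            raise ValueError(f"alert references unknown rule {rule!r}")
        for t in rules[rule]:
            if t not in first_seen or ts < first_seen[t]:
                first_seen[t] = ts
    return sorted(first_seen, key=lambda t: (first_seen[t], TACTICS.index(t)))


if __name__ == "__main__":
    print("Tactics with no detection rule:", gaps(RULES))
    print("Incident timeline by tactic:")
    for step, tactic in enumerate(tactic_timeline(ALERTS, RULES), start=1):
        print(f"  {step}. {tactic}")
```

    The gap list is the actionable output: in the constructed rule set, nothing observes Reconnaissance, Resource Development, Defense Evasion, Discovery, Collection or Impact, so an intrusion that moves through those tactics would only be seen when it touches one of the covered ones.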

    Last but not least, the Diamond Model of Intrusion Analysis is a framework designed to help cybersecurity professionals analyze and understand intrusions systematically. It provides a structured way to dissect and map out cyberattacks by identifying the relationships between key elements of an intrusion. This model is widely used in threat intelligence and incident response. The model is built around four interrelated elements, forming the vertices of a diamond:

    • Adversary: Refers to the attacker or threat actor responsible for executing the intrusion. This could range from an individual hacker to an organized group or even a state-sponsored entity. Example: A hacking group, an individual attacker, an insider employee attempting to steal proprietary company data.
    • Capability: Represents the tools, techniques, or methods the adversary uses to carry out the attack. These can include automated software, custom-developed malware, or exploit kits. Example: Phishing emails with malicious links to gain initial access, Exploit kits targeting vulnerabilities in unpatched software, Keylogging tools to capture sensitive login credentials.
    • Infrastructure: Denotes the physical or virtual resources used by the adversary to deliver their capabilities and maintain control over compromised systems. This includes networks, domains, and servers. Example: Command-and-control (CnC) servers, Botnets used to launch coordinated attacks, Domains hosting fake login pages for phishing campaigns, Public cloud services misused to store or transmit stolen data.
    • Victim: Refers to the entity targeted by the adversary, which can be an individual, organization, or even a specific system. Victims are chosen based on the adversary’s objectives. Example: A healthcare organization targeted to steal patient records, An employee in the finance department targeted for wire fraud schemes, Industrial control systems targeted in critical infrastructure for sabotage.

    By breaking down an attack using these four elements, the Diamond Model provides a clear view of the relationships between attackers, their tools, their infrastructure, and their targets, enabling more effective analysis and defense strategies.
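    The practical value of the four vertices is pivoting: fix one vertex (say, a piece of infrastructure) and collect every event that shares it, which is how an analyst links an unattributed event to a known adversary or reconstructs the sequence of events against one victim. The Python below is an added example, not code from the blog or from the model's authors; every event, adversary label, address and domain in it is constructed (TEST-NET addresses and `.example` names).

```python
"""Diamond Model events and pivoting between vertices.
Added example, not from the blog or the model's authors; every event
below is constructed, with TEST-NET addresses and .example domains."""
from collections import defaultdict
from dataclasses import dataclass

VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four diamond vertices plus when it happened."""
    timestamp: str
    adversary: str
    capability: str
    infrastructure: str
    victim: str


# Constructed events. The third is not yet attributed to any group.
EVENTS = [
    DiamondEvent("2024-03-01", "Group-A", "phishing email with credential-harvesting link",
                 "203.0.113.45", "finance@corp.example"),
    DiamondEvent("2024-03-04", "Group-A", "remote access tool",
                 "203.0.113.45", "finance@corp.example"),
    DiamondEvent("2024-03-09", "unattributed", "keylogger",
                 "203.0.113.45", "hr@corp.example"),
    DiamondEvent("2024-03-11", "Group-B", "exploit kit",
                 "198.51.100.9", "clinic.example"),
]


def pivot(events, vertex, value):
    """All events sharing one vertex value (e.g. every event that used one C2 server), oldest first."""
    if vertex not in VERTICES:
        raise ValueError(f"unknown vertex {vertex!r}")
    return sorted((e for e in events if getattr(e, vertex) == value),
                  key=lambda e: e.timestamp)


def shared_infrastructure(events):
    """Infrastructure -> set of adversary labels that used it, keeping only shared entries.

    A shared entry is an attribution lead, not proof: an 'unattributed' event on
    infrastructure a known group uses may belong to that group, or the
    infrastructure may simply be rented by several actors.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e.infrastructure].add(e.adversary)
    return {infra: labels for infra, labels in seen.items() if len(labels) > 1}


def activity_thread(events, victim):
    """Chronological (timestamp, capability, infrastructure) sequence against one victim."""
    return [(e.timestamp, e.capability, e.infrastructure)
            for e in pivot(events, "victim", victim)]


if __name__ == "__main__":
    for infra, labels in shared_infrastructure(EVENTS).items():
        print(f"{infra} used by: {sorted(labels)}")
    for step in activity_thread(EVENTS, "finance@corp.example"):
        print("finance@corp.example:", step)
```

    In the constructed data the pivot on `203.0.113.45` ties the unattributed keylogger event to the same infrastructure Group-A used two weeks earlier; the model surfaces that relationship, and the analyst decides what it means.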

  • More About Ethical Hacker

    A Cyber Security Notes #03

    Why do organizations need ethical hackers?

    • Identify Vulnerabilities Proactively: Ethical hackers simulate potential attacks to uncover security gaps before malicious actors can exploit them, ensuring vulnerabilities are addressed promptly.
    • Protect Sensitive Data: Organizations handle vast amounts of confidential data, such as customer information, financial records, and intellectual property. Ethical hackers help secure this data from breaches and unauthorized access.
    • Mitigate Insider Threats: Ethical hackers can assess internal systems and processes to identify potential insider threats, whether intentional or accidental.
    • Stay Ahead of Cybercriminals: With cyber threats constantly evolving, ethical hackers help organizations stay updated on the latest hacking techniques and ensure defenses are equally advanced.
    • Support Incident Response Planning: Ethical hackers contribute to developing and testing incident response strategies, enabling organizations to respond effectively in case of a breach.
    • Ensure Compliance: Many industries have strict regulations regarding data security (e.g., GDPR, HIPAA, PCI DSS). Ethical hackers help organizations meet these compliance standards by identifying and resolving potential gaps.
    • Prevent Financial Losses: Cyberattacks can result in significant monetary losses through theft, ransom demands, or operational downtime. Ethical hackers minimize these risks by fortifying defenses.

    In essence, ethical hackers act as a critical line of defense, ensuring organizations can operate securely in an increasingly digital world.

    Some rules for ethical hackers:

    • Obtain Proper Authorization: Ethical hackers must have explicit permission from the organization or individual before conducting any tests or activities on their systems. Example: Before conducting a penetration test, an ethical hacker signs a formal agreement with the company outlining permissions to test their systems and networks.
    • Define and Respect the Scope: They must clearly define the scope of their work and avoid testing areas or systems outside the agreed-upon boundaries. Example: If a company allows testing only on its public-facing website, the ethical hacker avoids probing internal servers or unrelated systems outside the agreed scope.
    • Maintain Confidentiality: Ethical hackers are obligated to keep all information they access secure and confidential, ensuring sensitive data is not leaked or misused. Example: After discovering customer data stored in the company’s database during testing, the ethical hacker ensures this information is not disclosed to anyone outside the authorized stakeholders.
    • Avoid Causing Harm: While testing vulnerabilities, ethical hackers must ensure their actions do not disrupt business operations or cause damage to systems, data, or networks. Example: While testing for vulnerabilities in a company’s web application, the ethical hacker uses non-invasive tools and methods to identify weak points, such as outdated software or insecure configurations, without altering or disrupting the functionality of the live application.
    • Report Findings Responsibly: They must document and report all identified vulnerabilities to the organization in a detailed and constructive manner, providing recommendations for remediation. Example: An ethical hacker prepares a detailed report listing the identified vulnerabilities, their potential impact, and step-by-step recommendations to fix them, then shares it only with the designated security team.
    • Follow Legal and Ethical Standards: Ethical hackers must operate within the legal framework of the region they are working in and adhere to professional codes of conduct. Example: An ethical hacker operating in a country with strict data protection laws ensures compliance with regulations like GDPR when handling sensitive user data during testing.
    • Avoid Personal Gain: They should not exploit the vulnerabilities they discover for personal or financial benefit, directly or indirectly. Example: After identifying a critical vulnerability, the ethical hacker responsibly informs the company instead of exploiting the flaw to gain unauthorized access or sell the information to others.

  • Hacking, Ethical Hacking, and Hackers

    A Cyber Security Notes #02

    Hacking: Hacking is a set of activities that exploit system vulnerabilities and/or bypass security controls to gain unauthorized or improper access to systems, applications, databases, or other resources. It includes altering system or application functionality to steal, misappropriate, or distribute intellectual property, potentially resulting in significant business losses.

    Hacker: A hacker is an individual skilled in computer systems, networks, or software who uses their knowledge to identify and exploit vulnerabilities. For some hackers, hacking serves as a hobby, driven by curiosity and a desire to test how many computers or networks they can infiltrate. Their primary goal is often to gain knowledge or explore systems without necessarily intending harm. However, other hackers engage in illegal activities, motivated by malicious intent. These individuals exploit their skills to steal sensitive information, such as business data, credit card details, social security numbers, and email credentials.

    Ethical hacking is the authorized practice of hacking an organization's systems in order to enhance their security. Ethical hackers, often called white hat hackers, are authorized professionals who mimic the tactics of malicious hackers to test and strengthen defenses. Ethical hacking plays a crucial role in strengthening cybersecurity, helping organizations protect sensitive data, and reducing the risk of breaches.

    Hacker Categories:

    • Script Kiddies
      • Hackers with limited technical skills who rely on pre-written tools, scripts, or software created by others to exploit systems.
      • Their primary motivation is often to gain attention or cause minor disruptions without fully understanding the underlying technology.
      • Target: Small websites
      • Activities: Deface, simple attacks, DDoS
    • Black Hat Hackers
      • Malicious hackers who exploit vulnerabilities to gain unauthorized access, steal data, or cause harm.
      • Their activities are illegal and typically motivated by financial gain, revenge, or other personal objectives.
      • Target: Financial institutions, governments, individuals, enterprises
      • Activities: Malware, phishing, ransomware, data breach
    • Gray Hat Hackers
      • Hackers who operate between ethical and unethical practices.
      • They may access systems without permission but without malicious intent, often to expose vulnerabilities publicly or demand improvements.
      • Target: From individuals to enterprises
      • Activities: Vulnerability findings without permission
    • White Hat Hackers
      • Ethical hackers who use their skills to improve security by identifying and fixing vulnerabilities.
      • They work within legal boundaries, often employed by organizations for penetration testing and cybersecurity defense.
      • Target: Enterprises, Government
      • Activities: Vulnerability assessments, Penetration testing
    • Hacktivists
      • Hackers who target systems or networks to promote political, social, or ideological agendas.
      • Target: Mainly governments, and also enterprises, political groups, or communities
      • Activities: Defacement, DDoS, Data Leaks to draw attention to their cause
    • Cyber Terrorists
      • Hackers who use their skills to conduct attacks aimed at causing widespread fear, disruption, or harm for their ideological or political reasons.
      • Target: Critical infrastructure, governments, or large organizations
      • Activities: Spreading messages and/or propaganda; disabling critical infrastructure
    • Industrial Spies
      • Hackers hired by corporations or individuals to infiltrate competitors’ systems and steal trade secrets, proprietary data, or intellectual property for economic advantage.
      • Target: Individuals, enterprises (competitors)
      • Activities: Spying, data theft, unauthorized access
    • State-Sponsored Hackers
      • Hackers funded or supported by governments to carry out espionage, sabotage, or cyber warfare activities.
      • Target: Other nations’ infrastructure, military systems, or sensitive information
      • Activities: Infrastructure sabotage, data theft, unauthorized access
    • Blue Hat Hackers
      • Independent security experts or external hackers invited by organizations to test their systems for vulnerabilities.
      • Unlike white hat hackers, they are not part of the organization’s internal team but help strengthen security through their assessments.
      • Target: Enterprises, Government
      • Activities: Vulnerability assessments, Penetration testing, IT Auditing
    • Red Hat Hackers
      • Vigilante hackers who aim to stop black hat hackers.
      • Instead of reporting malicious actors to authorities, they often counter-attack and disable the black hats’ systems, sometimes using aggressive or destructive methods.
      • Target: Black Hat Hackers
      • Activities: Counter-attacking Black Hats, Tracking Cybercriminals, Destroying Malicious Infrastructure
    • Green Hat Hackers
      • Novice hackers eager to learn and grow in the hacking community.
      • They lack experience but are highly motivated to acquire new skills and knowledge, often experimenting with ethical hacking under mentorship.
      • Target: Small websites, and/or small systems
      • Activities: Learning through experiment, practicing ethical hacking, testing theories and techniques

  • Information Security Concepts

    A Cyber Security Notes #01

    Information security involves safeguarding information and information systems that process, store, and transmit data, ensuring protection against unauthorized access, disclosure, modification, and destruction. It is defined as a state where information and infrastructure are secure, minimizing the risks of theft, tampering, or disruption to information and services to an acceptable level. The main principles of information security are confidentiality, integrity, availability, authenticity, and non-repudiation.

    • Confidentiality
      • Ensures that information is accessible only to authorized individuals and entities, protecting sensitive data from unauthorized disclosure or access.
      • Example: A bank encrypts its customers’ financial data so that even if the database is breached, the information cannot be accessed by unauthorized individuals.
    • Integrity
      • Guarantees that information remains accurate, complete, and unaltered, safeguarding against unauthorized modifications, whether accidental or deliberate.
      • Example: A hospital uses checksums to ensure patient medical records are not altered without detection, preserving the accuracy and reliability of the data.
    • Availability
      • Ensures that information and resources are accessible to authorized users whenever needed, maintaining system uptime and reliability.
      • Example: A company uses Distributed Denial of Service (DDoS) protection mechanisms, such as a web application firewall (WAF) and traffic monitoring tools, to prevent malicious actors from overwhelming its systems and to ensure that legitimate users can access the services without disruption.
    • Authenticity
      • Confirms the genuineness of information and the identity of users or systems, ensuring that the data comes from a trusted source.
      • Example: When accessing an online service, a user must log in using a two-factor authentication (2FA) process to verify their identity, ensuring the system knows it’s the legitimate user.
    • Non-repudiation
      • Provides assurance that a party cannot deny the authenticity of their actions, such as sending a message or approving a transaction, often achieved through mechanisms like digital signatures.
      • Example: An employee digitally signs a contract using a private key, providing proof of authorship that cannot later be denied or disputed.
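    The integrity and authenticity examples above (a hospital's checksums, a signed contract) are easy to run through in code, and doing so shows why the principles are distinct. The Python below is an added example, not the blog's code; the patient record and the key are constructed. It uses only the standard library: a SHA-256 checksum detects that a record changed, but anyone can recompute it, so it says nothing about who wrote the record; an HMAC under a secret key adds authenticity, because a party without the key cannot produce a valid tag. Non-repudiation is deliberately not shown here: an HMAC key is shared, so either holder could have produced the tag, and the contract example needs a digital signature under a private key, which the standard library does not provide.

```python
"""Integrity and authenticity checks on a record, standard library only.
Added example, not from the blog; the patient record and key are constructed.
Checksum = integrity (detects change). HMAC = integrity + authenticity
(change and forgery without the key are both detected)."""
import hashlib
import hmac
import json

# Constructed patient record and a constructed key for the hospital's own use.
RECORD = {"patient_id": "P-1001", "blood_type": "O+", "allergies": ["penicillin"]}
HOSPITAL_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(record):
    """Serialize deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record):
    """Integrity only: anyone can recompute this, so it catches change, not forgery."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_checksum(record, digest):
    return hmac.compare_digest(checksum(record), digest)


def tag(record, key):
    """Authenticity: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record, key, expected):
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(tag(record, key), expected)


def tamper(record, **changes):
    """Return a modified copy of the record (the change an attacker might make)."""
    return {**record, **changes}


if __name__ == "__main__":
    stored_digest = checksum(RECORD)
    stored_tag = tag(RECORD, HOSPITAL_KEY)

    altered = tamper(RECORD, blood_type="AB-")
    print("checksum still valid after alteration?", verify_checksum(altered, stored_digest))
    # An attacker who can also overwrite the stored checksum defeats it...
    print("checksum valid if attacker recomputes it?", verify_checksum(altered, checksum(altered)))
    # ...but cannot produce a tag that verifies under the hospital's key.
    forged_tag = tag(altered, b"attacker-guess")
    print("forged tag accepted?", verify_tag(altered, HOSPITAL_KEY, forged_tag))
    print("original tag still valid for original record?", verify_tag(RECORD, HOSPITAL_KEY, stored_tag))
```

    The second print is the point of the example: a checksum stored next to the data protects against accidental corruption but not against an attacker who can write both; keyed authentication is what turns "the data changed" into "the data was not changed by anyone holding the key".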

  • My first post! A short introduction of my IT Journey

    I have written in several blogs of my own in the past, but unfortunately, they were not well-maintained. I encountered difficulties like procrastination, managing time and bills, and a shortage of fresh ideas. However, this blog will be my platform to share experiences, knowledge, ideas, and anything else related to Information Technology (IT).

    I have been familiar with IT for over 25 years, starting in junior high school in 1999 in Malang, Indonesia. During that period, computers used floppy disks to run games. It was during this time that I became a PC gamer, playing classics like Mortal Kombat, Street Fighter, FIFA, Lotus (car race), Prince of Persia, Asterix, and many others. My use of the PC extended beyond gaming: I also learned to operate office programs like WordStar and Lotus 1-2-3 (there was no MS Word or MS Excel at that time), and I learned Windows 95 alongside DOS as the operating system.

    Floppy disks as removable storage at that time 🙂

    Well, that’s all for the intro. Stay tuned for more cool stuff in the next posts. Catch you later!