Detection, Protection and Response – Single Platform – behaviour analytics, vulnerability scanning, threat intelligence, Siem, asset discovery, AntiVirus, Patching
Data Breach Infographics
- VERIS – http://vcdb.org/explore.html
- Data Breach – http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- VERIS framework http://vcdb.org/explore.html
Cyber Security Research Reports
- Cisco 2017 – 2017-Annual-Cybersecurity-Report
- Verizon 2017 – rp_DBIR_2017_Report_en_xg
- Verizon Data Breach rp_DBIR_2016_Report_en_xg
- Deloitte Privacy Index – https://www2.deloitte.com/au/en/pages/risk/articles/deloitte-australian-privacy-index-2017.html?_lrsc=0cb1c85c-d3c0-4c10-a0e9-74653b66fca5&trk=elevate_li
Security operations and analytics platform architecture (SOAPA)
Security information and event management (SIEM) systems have been around for a dozen years or so. During that timeframe, SIEMs evolved from perimeter security event correlation tools, to GRC platforms, to security analytics systems. Early vendors like eSecurity, GuardedNet, Intellitactics, and NetForensics, are distant memories; today’s SIEM market is now dominated by a few leaders: LogRhythm, McAfee (aka: Nitro Security), HP (aka: ArcSight), IBM (aka: QRadar), and Splunk.
Of course, there is a community of innovative upstarts that believe that SIEM is a legacy technology. They proclaim that log management and event correlation can’t keep up with the pace of cybersecurity today, thus you need new technologies like artificial intelligence, machine learning algorithms, and neural networks to consume, process, and analyze security data in real-time.
As an industry analyst, I should be waving my arms around madly, proclaiming that “SIEM is dead,” since that’s what those in my profession tend to do. Sorry, but I don’t think SIEM is dead at all. Instead, enterprise security operations and analytics requirements are forcing rapid consolidation into something new that ESG calls a security operations and analytics platform architecture (SOAPA).
Within SOAPA, SIEM -like functionality still plays a starring role, often aggregating analytics data into a common repository. But unlike the past, SIEM is one of several security tools within SOAPA, and these technologies must be designed for asynchronous cooperation so security analysts can quickly pivot across tools to find data and take action as they need to in real-time.
SOAPA is a dynamic architecture, meaning that new data sources and control planes will be added incrementally overtime. I do believe, however, that today’s SOAPA is built with SIEMs (or similar log management and search products/services) and:
- Endpoint detection/response tools (EDR). Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior so EDR (i.e. CarbonBlack, Countertack, CrowdStrike, Guidance Software, etc.) is an essential component of SOAPA.
- Incident response platforms (IRPs). Aside from collecting, processing, and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to the rise of IRPs like Hexadite, Phantom, Resilient Systems (IBM), ServiceNow, and Swimlane.
- Network security analytics. SIEM’s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors like Arbor Networks, Blue Coat/Symantec, Cisco (Lancope), RSA, etc.
- UBA/machine learning algorithms. While these tools have received an inordinate degree of industry hype, there’s little doubt that machine learning will be baked into security analytics henceforth, thus vendors like Bay Dynamics, Caspeda (Splunk), Exabeam, Niara, Sqrrl, and Varonis should be included in SOAPA.
- Vulnerability scanners and security asset managers. Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (i.e., Qualys, Rapid7, Tanium), and other tools that monitor the state of systems and network configurations (i.e., RedSeal, Skybox, Verodin, etc.).
- Anti-malware sandboxes. This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis, and Trend Micro are definitely part of SOAPA.
- Threat intelligence. Enterprise organizations want to compare internal network anomalies with malicious “in-the-wild” activities so SOAPA extends to threat intelligence sources and platforms (i.e., BrightPoint [ServiceNow], FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient, etc.).
Aside from the technologies themselves, here are a few other thoughts on SOAPA:
- Beyond data exchange between security tools, the next big innovation will be central SOAPA command-and-control for analytics and management (i.e., configuration management, policy management, etc.) of the security infrastructure.
- The market is already moving in SOAPA’s direction. Witness IBM’s acquisition of Resilient Systems for IRP, Splunk’s purchase of Caspida for UBA, and Elastic Search’s acquisition of Prelert.
- Now that McAfee is independent of Intel, look for it to invest in its enterprise security manager (i.e., Nitro). McAfee will also accelerate SOAPA technology integration with its own tools and ecosystem partners, and acquisitions aimed at filling architectural gaps.
- Given the central role that SIEM still plays in SOAPA, someone (CA? Palo Alto? Symantec? Trend Micro?) will buy LogRhythm.
- Each of the technology elements described above could be delivered on-premises or via SaaS options. SOAPA must be flexible to accommodate these options.
- SOAPA must be built for immense scale – especially as organizations increase their use of cloud computing and IoT. It’s likely cloud analytics or storage will become part of the architecture.
- A few vendors may be able to deliver their own proprietary SOAPA solutions but enterprise customers will likely eschew single vendor solutions while anchoring their SOAPAs with lead vendors and ecosystem partners. Small enterprises and SMBs could buy from a single product or SaaS vendor however.
Cyber Security Frameworks
- Intel Tara
- APRA 234 Assessment
- Prudential Practice Guide (CPG234)
- ISO 27001
- Australian Privacy Principles
- ENISA Cloud Computing Risk Assessment – http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
- Jericho Forum Self Assessment Scheme – https://www.opengroup.org/jericho/self-assessment.htm
- Carnegie Mellon OCTAVE Risk Assessment – http://www.cert.org/octave/
- Microsoft STRIDE Threat Model – http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
- Factor Analysis of Information Risk (FAIR) – http://fairwiki.riskmanagementinsight.com/
- Common Assurance Maturity Model – http://common-assurance.com/
- BITS Shared Assessments – http://www.sharedassessments.org/
List of Cyber Threats
- Malicious software
- Unauthrized access
- Denial of Service
- Data Leak
- Unauthrozed use of services
- Government and competitor cyber espionage
- 3rd Party attack
- Physical Security
- Human Error
- misdelivery of sensitive information to the wrong person by email or fax;
- mistakenly making information publicly available on a web server or website;
- losing or inadequately disposing of data, including paper records;
- losing an unencrypted laptop, cellphone or storage device such as a USB key.
- Insider Threat
- Misuse of privileges by rogue employee or other insiders,
- Payment card skimmers, a skimming device is implanted in a device that reads magnetic stripe data from a payment card. Examples include ATMs, gas pumps, and POS (Point of Sale) terminals.
- Cyber Risk and Business Impact Analysis
RTLO (right to left override) technique for file extension spoofing
- Open Windows Character Map Tool (Start, Run, Charmap)
- Go to Unicode 202E: Right-To-Left Override
- Click Select and then Copy
- Edit a file name and just before the . Paste here. (Example, notepad.exe notepad[202E].exe
- Then type in the file extension your require.
- User Resource Hacker to change the ICON (http://www.angusj.com/resourcehacker/)
Self Extracting and Executing archive SFX
- Email encrypted self extracting SFX file that is a .SCR VbScript with file name that looks like a PDF using 202E which then executes DLL to download payload and executes in users admin area.
Essentially, the file’s actual name can be something like “Awesome Song uploaded by [U+202e]3pm.SCR”. The special character forces Windows to display the end of the file’s name in reverse, so the file’s name will appear as “Awesome Song uploaded by RCS.mp3”. However, it’s not an MP3 file – it’s an SCR file and it will be executed if you double-click it. (See below for more types of dangerous file extensions.)
Method 1: Universal
This method works regardless of any of your language settings, but is the most cumbersome to type.
- Press and hold down the
- Press the
+(plus) key on the numeric keypad.
- Type the hexidecimal unicode value.
- Release the
Alas, this appears to require a registry setting. It was already set on my computer, but some readers report that this method didn’t work for them, and this is probably why. If you don’t know what the registry is, please don’t try this. Under
HKEY_Current_User/Control Panel/Input Method, set EnableHexNumpad to “1”. If you have to add it, set the type to be
Method 2: Input-language Specific
This method depends on the specific input language you are using.
- Press and hold down the
0(zero) and the decimal unicode value on the numeric keypad.
- Release the
You can see which input language you are using (and which are installed) by:
- Start Menu
- Control Panel
- Regional and Language Options
- Languages tab
- Detail button
The entries in the Unicode character information section are using the Windows Latin 1 input language.
Method 3: Code-page Specific
This method depends on the specific code page you have installed.
- Press and hold down the
- Type the decimal codepage value on the numeric keypad. Do not type any leading zeros.
- Release the
You can see which code page you have by typing
chcpat a command prompt. Check the grid for your code page from the list of known code pages to see what characters you can enter this way.
The entries in the Unicode character information section are using code page 437.
Method 4: Application-specific
Applications can support their own methods. These are not standardized.
Several Microsoft applications, including WordPad and Microsoft Word:
press Alt-X after typing some hex digits. You see the digits as you type them, and they’re replaced by the Unicode equivalent. Pressing Alt-X again converts it back to numbers.
Method 5: Unicode IME
Microsoft has a Unicode Input Method ?Editor? that works the same way my UnicodeInput pop-up does, but with
LeftAlt Shift as the trigger key.
Michael Kaplan, a Microsoft i18n guru, has the details on how the Unicode IME works. Some notes to fill in some details that he assumes:
- Go into Control Panel -> Regional Settings, on the languages tab, enable support for East Asian languages. This takes 230 MB of disk space and a restart.
- Go back into Control Panel -> Regional Settings, on the languages tab, press the Details button.
Chinese (Taiwan)(Others would probably work too) and choose
Chinese (Traditional) - Unicode.
- You will now have an extra do-hickey in the taskbar showing which language you’re in.
LeftAlt Shiftto switch into the IME (taskbar shows
- Type the hex digits of the Unicode character. As soon as you type the last one, it is sent to the application.
LeftAlt Shiftto switch out of the IME (taskbar shows your original language code).
- Fonts – you must have a font that contains the character. It seems obvious, but Windows can’t display characters it doesn’t know about. Often, you will need to select the font yourself, since only a few applications are smart enough to switch fonts automatically.
- WordPad – works, but you have to have it set to a font that contains the character. Method 4 ([hex][AltX]) seems to switch to an appropriate font automatically.
- Notepad – generally doesn’t work since its font doesn’t support many characters.
- Internet Explorer – in the URL bar, the universal method doesn’t work if it has A-F, since it opens the menu (i.e. Alt-F opens the File menu).
- Mozilla Firebird – works correctly (if you have a font that supports it). Note that if you type it on a page that is is using a charset that doesn’t support it, it will not be transmitted to the website correctly.
- The Alt+NumPad entry in Microsoft’s Global Windows Glossary
- Windows XP docs that inexcusably don’t mention the universal variation.
- Discussion on GeorgeHernandez.com (search for “2005-04-24”) – discussion of the various problems with someone who did some real work to figure out what works and doesn’t. He also has a Unicode shortcuts page that summarizes his findings (quite similar to this page, but with more detail).
- Wikipedia article Unicode_input with some Mac and Linux tips.
- Use Generation 1 in Hyper-V
- Install VM Guest Tools
- sudo su
- apt-get update && apt-cache search kali-linux-full
- apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
- apt-get autoremove
- install nexpose -https://community.rapid7.com/community/nexpose/blog/2014/06/11/kali-for-ya
- install metasploit –
- Install Nesus Home – https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code
- Install BurpSuit
- Install ExploitPack – http://exploitpack.com/download.html
- Install OpenVAS https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
- Install Visual Trace Route – https://www.thefanclub.co.za/how-to/how-install-open-visual-traceroute-ubuntu
- Arpscanning – https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/
- HPING3 – https://www.blackmoreops.com/2015/04/21/denial-of-service-attack-dos-using-hping3-with-spoofed-ip-in-kali-linux/
- DDOS – https://www.blackmoreops.com/2015/10/21/free-dos-attack-tools/
- DDOS Tools – http://null-byte.wonderhowto.com/how-to/hack-like-pro-denial-service-dos-tools-techniques-0165699/
- DDOS Tools – http://picateshackz.com/2016/02/ddos-attack-using-goldeneye-in-kali-sana.html
- Install HTTPRINT – http://www.net-square.com/httprint.html
- proxychain use socks5 only
- update dns to opendns and in nertherlands
- Disable webrtc
- Use OpenVPN
- use duckduckgo.com for searching
- spoof mac address