So, You Want to Be a Cyber Security Professional?

I’m summarizing the CompTIA certification because it is one of the more widely recognized certifications amongst employers.

To learn more about the certification I recommend searching the official CompTIA website, because I’m just going to jump into the study material, right meow!

Overview of Security

When it comes to IT security a balancing act takes place between security and convenience. These two aspects inversely correlate with each other, meaning when one favors more security, then convenience is sacrificed and vice versa. Furthermore, that convenience relates to the ease of access regarding a company’s data and/or network.

These security measures can be generally split into two categories: Information Security and Information Systems Security.

Information Security

This refers to the security of the data being held within a system, not the systems themselves. For example, bank balances or a list of client emails.

More formally,

It is the act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption and destruction.

Information Systems Security

This refers to the security of devices (systems) that hold the data, or…

The act of protecting the systems that hold and process our critical data.

Basics & Fundamentals

The following paragraphs will cover the basic topics that comprise good security as well as other fundamental areas of knowledge to be an effective professional.

In order to lay the foundation for good InfoSec practices, one must know some important concepts. These are a couple of acronyms which are pretty easy to memorize.

CIA Triad

Imagine that you want to protect your Data & Information with an imaginary triangle. Obviously, this triangle will be comprised of three sides, those being:

  1. Confidentiality — information has not been disclosed to unauthorized people; like using a key to unlock a safe or using encryption to secure emails
  2. Integrity — information has not been modified or altered without proper authorization; for example, making sure that no one can change your bank balance; using hashes
  3. Availability — information is able to be stored, accessed, or protected at all times; data is useless if it is not available

AAA of Security

Authentication

The first ‘A’ refers to authentication. With this we’re making sure that a person’s identity is established with proof and confirmed by a system. Basically, logging into an account with a username and password is an example of this. But authentication can be beefed-up by incorporating more practices, which include:

  • Something you know — password, username, SSN, birthday
  • Something you are — biometrics like retina scan, fingerprint
  • Something you have — driver’s license, key
  • Something you do — speech recognition, signature analysis
  • Somewhere you are — geographic location, zip code, area code

As you might imagine, it would be cumbersome to implement all of the above practices for authentication. The number of practices implemented should be relative to the importance/sensitivity of the data being protected. However, this provides a good demonstration of the constant conflict between Security and Convenience, as described earlier.

Authorization

Occurs when a user is given access to a certain piece of data or certain areas of a building, like when having a badge to access a special department.

Accounting

Refers to the tracking of data, computer usage, and network resources. Also, this allows for non-repudiation, which occurs when you have proof that someone has taken an action. Log files help ensure good accounting practices.

Security Threats

This covers the avenues of attack that an attacker can take. They include:

  • Malware — short-hand term for malicious software; virus, trojans, worms, etc…
  • Unauthorized Access — occurs when access to computer resources and data occurs without the consent of the owner; like sneaking past a security guard.
  • System Failure — occurs when a computer crashes or an individual application fails; have you ever experienced the b.s.o.d. or blue screen of death?
  • Social Engineering — act of manipulating users into revealing confidential information or performing other detrimental actions; for example phishing or wearing a disguise to access a server room

Mitigating Threats

To be most effective at staving off attacks, it is best practice to implement the following three controls in combination. These controls include:

  • Physical Controls — alarm systems, locks, surveillance cameras, identification cards, and security guards
  • Technical Controls — smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication
  • Administrative Controls, a.k.a. Managerial Controls — policies, procedures, security awareness training, contingency planning, and disaster recovery plans; this type of control can be further divided into two more categories which include: procedural controls and legal/regulatory controls; user training is often considered to be the most cost-effective security control to use

Hackers

Hackers are generally categorized by their ethics and skill level. To describe a hacker’s ethics we have four descriptive terms:

  • White Hats, a.k.a. ethical hackers — non-malicious hackers who attempt to break into a company’s system at their request
  • Black Hats — malicious hackers who break into computer systems and networks without authorization or permission; these types do the data stealing and ransoming, etc…
  • Gray Hats — these types have more vague or ambiguous ethics; they don’t have an affiliation to a company and attempt to break into a company’s network but risk the law by doing so; they hack for “bragging rights” and they don’t necessarily have any malicious intentions
  • Blue Hats — hackers who attempt to hack a network with permission of the company but not employed by the company, like with regards to bug bounties

To describe a hacker’s skill level we just say a white hat hacker, for example, to refer to a moderately skilled hacker. However, to describe a highly skilled hacker we would say an elite white hat hacker. Elites are typically characterized as

hackers that can find and exploit vulnerabilities before anyone else does. 1 in 10,000 are elite.

On the lower end of the skill level spectrum we have Script Kiddies. They are the opposite of elite and have limited skills. They are typically only capable of running other people’s exploits and tools, because they are not savvy enough to create their own.

Threat actors

These are the meanies that conduct malicious attacks. There are four general categories and they’ll be listed below in order from least dangerous to most dangerous.

Script kiddies — as we saw above, this group of threat actors is not very skilled; furthermore, script kiddies typically don’t operate ethically, which is why they are their own category of threat actors; most of these types don’t even know about the tools they use; a.k.a. baby hackers and the least dangerous, but dangerous nonetheless!

Hacktivists — hackers who are driven by a cause like social change, political agendas, or terrorism; like the hacker group Anonymous

Organized Crime — hackers who are part of a crime group that is well-funded and highly sophisticated; these types use ransomware the most

Advanced Persistent Threats (APTs) — highly trained and funded groups of hackers (often by nation-states) with covert and open-source intelligence at their disposal

Threat Intelligence and Sources

Threat intelligence refers to the information you have on an attack or potential threat, and the sources of that information. These aspects are very important to factor because they help us gauge the reliability of the intelligence and source, and therefore our response to the attack or potential threat. We can think of threat intelligence as having various properties. Those properties include:

  • Timeliness — property of an intelligence source that ensures it is up-to-date; basically the time at which we hear of an attack will influence what the security team’s response is; the sooner, the better
  • Relevancy — property of an intelligence source that ensures it matches the use cases intended; this is where we ask “what affects me and my organization?”
  • Accuracy — property of an intelligence source that ensures it produces effective results; eliminating as many false positives as possible
  • Confidence levels — property of an intelligence source that ensures it produces qualified statements about reliability; several standardized scales help gauge this, the admiralty scale is an example of one

So, not only are there several properties of intelligence, but also a few types of sources of intelligence. They include:

  • Proprietary — threat intelligence is commonly provided as a commercial service, where access is subject to a subscription fee, like antivirus software
  • Closed-Source — data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized; for example FireEye
  • Open-Source — data that is available to use without subscription, which may include threat feeds similar to the commercial providers and may contain reputation lists and malware signature databases

A list of open-source data includes:

  • US-CERT — a feed of current activity and news; threat feed
  • UK’s NCSC — similar to US-CERT
  • AT&T Security — formerly OTX
  • MISP — malware information sharing project
  • VirusTotal — great place to upload any file of which you’re suspicious
  • Spamhaus — focuses on Spam and other email attacks
  • SANS ISC Suspicious Domains — a feed of domains that are suspected to be malicious

Lastly, we have Open-Source Intelligence (a.k.a. OSINT), and this refers to methods of obtaining information about a person or organization through public records, websites, and social media. This would include Google searches and Facebook searches.

Furthermore, there’s one more distinction we need to make regarding threat intelligence. That is explicit vs. implicit knowledge. Explicit knowledge refers to the knowledge gained from harvesting one of the above mentioned data sources. Implicit knowledge refers to knowledge gained from experience or working within a niche domain, and even intuition.

Threat Hunting

This cyber security technique aims at detecting threats that have not been discovered by normal security monitoring. This is a proactive approach, as opposed to the typical reactive approach commonly taken. It’s important to realize that this is not like pentesting because it only involves using data that is already available. As a result, threat hunting has the advantage of being less disruptive to business operations than pentesting.

In the threat hunting process, we Establish a Hypothesis. The hypothesis is derived from threat modeling and is based on potential events with higher likelihood and higher impact. When we consider our hypothesis, we ask the questions:

  • who might want to attack us?
  • how might they attack us?

In addition we’ll Profile Threat Actors and Activities, which involves the creation of a scenario that shows how a prospective attacker might attempt an intrusion and what their objectives might be.

Threat hunting relies on the usage of the tools developed for regular security monitoring and incident response. This will involve looking at the file logs, system process information, file system registry changes, etc… These items are typically viewed within a SIEM (Security Information & Event Management system), which is like a dashboard of charts. Furthermore, the network traffic, executable process list, and other infected hosts are analyzed. Then we’ll attempt to identify how the hypothesized malicious process was executed.
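To make the process concrete, here is an added example (not part of the original article) that tests one hunting hypothesis, "an Office document launched a script interpreter", against process data that is already collected. The event fields, host names, PIDs and process lists are constructed assumptions, not the export format of any particular SIEM.

```python
# Constructed process-creation events, shaped like rows a SIEM might export.
# Every host, PID and command line here is invented for the example.
EVENTS = [
    {"host": "ws-014", "pid": 4100, "ppid": 812,  "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"host": "ws-014", "pid": 5220, "ppid": 4100, "image": "winword.exe",    "cmd": "winword.exe invoice.docm"},
    {"host": "ws-014", "pid": 5388, "ppid": 5220, "image": "powershell.exe", "cmd": "powershell.exe -File update.ps1"},
    {"host": "ws-014", "pid": 5390, "ppid": 4100, "image": "powershell.exe", "cmd": "powershell.exe Get-Date"},
    {"host": "ws-022", "pid": 3010, "ppid": 700,  "image": "excel.exe",      "cmd": "excel.exe q3.xlsx"},
    {"host": "ws-022", "pid": 3050, "ppid": 3010, "image": "splwow64.exe",   "cmd": "splwow64.exe 8192"},
    {"host": "ws-031", "pid": 2000, "ppid": 600,  "image": "outlook.exe",    "cmd": "outlook.exe"},
    {"host": "ws-031", "pid": 2100, "ppid": 2000, "image": "cmd.exe",        "cmd": "cmd.exe /c open.js"},
    {"host": "ws-031", "pid": 2200, "ppid": 2100, "image": "wscript.exe",    "cmd": "wscript.exe open.js"},
]

# Hypothesis inputs (assumed lists; tune them to your own environment).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def lineage(event, index):
    """Return image names from the event up to its oldest known ancestor."""
    chain, seen = [], set()
    while event and (event["host"], event["pid"]) not in seen:
        seen.add((event["host"], event["pid"]))   # guard against loops in bad data
        chain.append(event["image"])
        event = index.get((event["host"], event["ppid"]))
    return chain


def hunt(events):
    """Flag script interpreters that have an Office application as an ancestor."""
    # Key on (host, pid): PIDs are only unique per host.
    index = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if e["image"] not in INTERPRETERS:
            continue
        chain = lineage(e, index)
        if any(image in OFFICE for image in chain[1:]):
            hits.append({"host": e["host"], "pid": e["pid"],
                         "chain": " <- ".join(chain), "cmd": e["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["host"], hit["pid"], hit["chain"])
```

Walking the whole ancestor chain rather than only the direct parent is what catches the `ws-031` case, where `cmd.exe` sits between the mail client and the script host.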

While threat hunting has the benefit of being less disruptive than pentesting, it does consume a lot of resources and time to conduct. However, it can yield several benefits, such as:

  • improve detection capabilities, for example by being able to add new scripting
  • integrate intelligence, which has the effect of making intelligence more actionable
  • reduce attack surface
  • block attack vectors
  • identify critical assets, as in what is the data being targeted by attackers

Overall, the main result is that a company’s targets are harder for adversaries to access.

Attack Frameworks

These are models of thinking developed by those trying to protect their assets, and they aid in the Threat Hunting process. They provide a framework by which to basically conduct a thought experiment in order to anticipate the steps and stages a malicious hacker might take to conduct an intrusion and exfiltrate data.

There are three frameworks commonly used. They can be used separately, but it has been found that when all three are combined, then anticipation of attacks can be more efficient or accurate.

The three frameworks include Kill Chain Analysis, MITRE ATT&CK framework, and the Diamond Model of Intrusion Analysis. Below each will be summarized.

Kill Chain (Intrusion Analysis)

Lockheed Martin developed this model and it describes the stages by which a threat actor progresses a network intrusion. This is the oldest of the frameworks used. It is often criticized for being too linear, instead of iterative. It is further criticized for focusing on just perimeter security → an outside-in approach to a network intrusion, which can overlook the need to have internal security measures in the event of a perimeter security breach.

Regardless of the shortcomings, it is still a useful framework to mentally map out how an intrusion would take place. The stages are as follows:

  • Reconnaissance — the attacker determines what methods to use to complete the phases of attack; they try to be sneaky and they’ll typically start with passive scanning before progressing to more active scanning practices; basically they’re looking for vulnerabilities.
  • Weaponization — the attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system; an attacker will develop this in a lab first.
  • Delivery — the attacker identifies a vector by which to transmit the weaponization code to the target environment; for example, dropping an inconspicuous USB flash drive for someone to find in a company parking lot.
  • Exploitation — the weaponized code is executed on the target system by this mechanism
  • Installation — this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system; this is typically downloaded from the exploitation code
  • Command & Control (C2) — the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack; remote access equals control
  • Actions on Objectives — this is where the attacker carries out what they initially intended to do; each step before this was just to set up getting to this point; the attacker typically uses the access they have achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

One benefit of going through this lengthy thought process is that it can be used to define a defensive course-of-action matrix to counter progress at each stage of the attack. A security professional can use this to anticipate what an attacker might do. For example, what breadcrumbs to look for at each step, what programs/software the attacker might use, how attackers might defend themselves, what might be the attacker’s motives, etc…
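As an added illustration (not from the original article), the sketch below builds such a course-of-action matrix and reports the stages where no control detects or denies the attacker. The six action columns are the ones named in Lockheed Martin's kill chain paper; the control inventory is constructed for a hypothetical organisation.

```python
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
# Defensive actions as named in Lockheed Martin's paper (not listed on this page).
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive", "destroy"]

# Constructed control inventory: (stage, action, control).
CONTROLS = [
    ("Reconnaissance", "detect", "web analytics"),
    ("Reconnaissance", "deny", "firewall ACL"),
    ("Delivery", "detect", "mail gateway alerts"),
    ("Delivery", "deny", "attachment filtering"),
    ("Exploitation", "detect", "host IDS"),
    ("Exploitation", "deny", "patching"),
    ("Installation", "detect", "host IDS"),
    ("Command & Control", "detect", "network IDS"),
    ("Command & Control", "deny", "egress firewall ACL"),
    ("Command & Control", "deceive", "DNS redirect"),
    ("Actions on Objectives", "detect", "audit logs"),
]


def build_matrix(controls):
    """Place each control in its (stage, action) cell; reject unknown labels."""
    matrix = {s: {a: [] for a in ACTIONS} for s in STAGES}
    for stage, action, control in controls:
        if stage not in matrix or action not in matrix[stage]:
            raise ValueError(f"unknown cell: {stage!r} / {action!r}")
        matrix[stage][action].append(control)
    return matrix


def coverage_gaps(matrix, required=("detect", "deny")):
    """List (stage, action) cells where a required action has no control."""
    return [(s, a) for s in STAGES for a in required if not matrix[s][a]]


def render(matrix):
    """Plain-text matrix, one row per stage, empty cells shown as '-'."""
    rows = [" | ".join(["stage".ljust(21)] + ACTIONS)]
    for s in STAGES:
        cells = [", ".join(matrix[s][a]) or "-" for a in ACTIONS]
        rows.append(" | ".join([s.ljust(21)] + cells))
    return "\n".join(rows)


if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    print("gaps:", coverage_gaps(m))
```

The gap list is the useful output: each entry is a stage an intrusion could pass through without being seen or stopped.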

MITRE ATT&CK framework

This is a knowledge base maintained by the MITRE Corporation. It lists and explains specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org). This is quite a neat tool and the website is very efficiently organized for easy navigation.

It provides a framework with which to address multiple lines of attack, and so it is more of a matrix type of model. The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain.

Diamond Model of Intrusion Analysis

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

Furthermore, there’s a list of meta-features to be considered in tandem with the model. So, by applying this framework, an example thought process would go as follows:

Essentially, map out each past incident, or hypothetical incident, to the diamond model above and determine the flow of the attack. After applying this framework, a security professional will create a tuple containing an array of information gleaned from this process for storage and further analysis.
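The tuple idea can be shown in code. This added example (not from the original article) stores each incident as a Diamond Model event and then pivots on shared infrastructure or victim to link events into activity groups. All event values are constructed, and `GROUP-A (placeholder)` is a made-up adversary label; phase, timestamp and result are three of the model's meta-features.

```python
from typing import NamedTuple, Optional


class DiamondEvent(NamedTuple):
    event_id: str
    adversary: Optional[str]   # core feature, often unknown at first
    capability: str            # core feature
    infrastructure: str        # core feature
    victim: str                # core feature
    phase: str                 # meta-feature: kill chain stage
    timestamp: str             # meta-feature: ISO 8601, UTC
    result: str                # meta-feature


# Constructed incidents; every value below is invented for the example.
EVENTS = [
    DiamondEvent("E1", None, "macro dropper", "mail.example.net",
                 "finance-ws-014", "Delivery", "2024-03-01T09:12Z", "success"),
    DiamondEvent("E2", None, "remote access tool", "c2.example.org",
                 "finance-ws-014", "Command & Control", "2024-03-01T09:20Z", "success"),
    DiamondEvent("E3", "GROUP-A (placeholder)", "remote access tool", "c2.example.org",
                 "hr-ws-003", "Command & Control", "2024-02-11T14:02Z", "success"),
    DiamondEvent("E4", None, "port scanner", "198.51.100.7",
                 "dmz-web-01", "Reconnaissance", "2024-03-02T01:00Z", "failure"),
]


def activity_groups(events, pivot_on=("infrastructure", "victim")):
    """Link events that share any pivot feature (union-find), oldest event first."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    first_seen = {}
    for e in events:
        for feature in pivot_on:
            key = (feature, getattr(e, feature))
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id
    groups = {}
    for e in sorted(events, key=lambda ev: ev.timestamp):
        groups.setdefault(find(e.event_id), []).append(e)
    return list(groups.values())


def summarize(group):
    """Candidate adversaries are hypotheses to investigate, not attribution."""
    return {"events": [e.event_id for e in group],
            "phases": [e.phase for e in group],
            "candidate_adversaries": sorted({e.adversary for e in group if e.adversary})}
```

Pivoting on the victim alone can over-link events on a host that several unrelated actors have touched, so treat each group as a lead to verify.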

That’s all folks!

Thanks for reading!
