Sec+ 007: Security Assessments Techniques

Hello Cyvally readers, let's spice things up a little today, shall we? Today's post covers security assessment, and I will introduce you to some hands-on practicals (labs). Links to these labs are provided after the review questions in this post.

I understand that many of my readers are entry-level professionals and might find the labs a bit challenging. If you run into difficulties, don't hesitate to reach out in the comments section of this post or through my social media direct messages; I'll be more than happy to guide you. I strongly encourage you to complete all the content on the CyberSecBase page and review the previous posts on the Sec+ page. This will help you understand the scope of vulnerability assessment and get a feel for the labs. Yes, this may be challenging, but trust me, it will be fun too. You won't just gain theoretical knowledge of vulnerability assessment but practical skills as well, and I believe this will renew your passion for cybersecurity. I would love to know how engaging you find these practicals, so please remember to share your comments; your feedback will help me decide whether to add more hands-on activities in the future. THANK YOU

To assess anything, you compare it to a standard to determine how well it aligns. For security, that standard is your organization's security policy, which should itself comply with external regulations. Threat hunting, penetration testing, and vulnerability assessment are three important kinds of security assessment. Threat hunting identifies hidden risks, penetration testing simulates actual attacks, and vulnerability assessments use scanners to compare system configurations to the baseline.

In this post, you will learn about threat hunting, vulnerability scanning, and syslog/SIEM/SOAR technologies.

Basic Terms

IOCs (Indicators of Compromise): these are pieces of evidence that point to a network or system that has been infected or compromised by a threat actor. IP addresses, domain names, file hashes, URLs, registry keys, and suspicious activity patterns are a few examples.

TTP (Tactics, Techniques, and Procedures): the methods, strategies, and actions that threat actors use to achieve their objectives during a cyber attack.

Threat hunting

Threat hunting is an assessment that looks for TTPs in a system or network, guided by threat intelligence. It entails looking for cyber threats that have evaded the organization's defenses. Using threat intelligence and IOCs, threat hunters can work out the actions an attacker would have to take and the traces those actions leave behind. The following techniques are used in threat hunting:

Intelligence Fusion: Threat hunting uses a threat's capabilities, motives, and resources as the foundation for understanding threats in the environment. With the intelligence fusion approach, TTP and IoC threat data feeds are pushed into security information and event management (SIEM) and threat analytics platforms, keeping their analytics current.

Threat Feeds: Threat feeds are information about adversaries collected from both internal and external sources. Threat details gathered internally, such as findings from incident response, help in recognizing threats within your environment. Standards such as Structured Threat Information eXpression (STIX) are used to exchange threat information with external sources.

Advisories and Bulletins: Threat hunting requires clear objectives and sufficient resources, and is often driven by hypotheses about potential threats. Security advisories that identify new TTPs or vulnerabilities are a good starting point for a hunt. External threat feeds come from respected sources such as security vendors and industry associations.

Maneuver: Both defenders and threat actors employ deceptive and counterattacking tactics to gain an advantage. For a sophisticated adversary, maneuver is the way they move through the network. Threat hunting strengthens defenses against this lateral movement by monitoring and analyzing the network infrastructure in order to detect and counter it.
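As an added example of the IOC-driven hunting described above (this is illustrative code written for this post, not a tool from the post or from any vendor), the script below takes a small, constructed threat feed of IP addresses, domains and a file hash, runs it over constructed proxy and endpoint log lines in key=value form, and pivots from the matches to the internal hosts that need a closer look. The feed values, log lines and field names (`src`, `dst`, `host`, `sha256`) are all assumptions made for the example; the hash is simply the SHA-256 of the word "test".

```python
"""IOC matching over log lines: added example for this post, not a tool from
the post or from any vendor. All indicator values and log lines below are
constructed sample data (the hash is simply SHA-256 of the word "test")."""
import re

# Constructed threat feed, in the shape a hunter would have after loading a
# STIX bundle or CSV export: one set of indicators per indicator type.
IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example", "cdn.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed key=value log lines, mimicking a web proxy and an endpoint agent.
SAMPLE_LOGS = """\
ts=2024-05-01T10:02:11Z src=10.0.0.12 dst=93.184.216.34 host=www.example.com action=allow
ts=2024-05-01T10:02:15Z src=10.0.0.12 dst=203.0.113.45 host=download.update-check.example action=allow
ts=2024-05-01T10:03:40Z src=10.0.0.31 dst=10.0.0.5 host=intranet.local action=allow
ts=2024-05-01T10:05:02Z src=10.0.0.12 proc=svchost.exe sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 action=exec
ts=2024-05-01T10:07:19Z src=10.0.0.44 dst=198.51.100.7 host=api.vendor.example action=block
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse a key=value log line into a dict (empty dict if nothing matches)."""
    return dict(KV_RE.findall(line))


def domain_matches(host, ioc_domain):
    """True when host is the IOC domain itself or any subdomain of it."""
    host, ioc_domain = host.lower().rstrip("."), ioc_domain.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)


def hunt(lines, iocs):
    """Return one hit per (line, indicator) pair: which field matched which IOC."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_kv(line)
        if not rec:
            continue
        # Network indicators: either end of the connection may be on the list.
        for field in ("src", "dst"):
            if rec.get(field) in iocs["ipv4"]:
                hits.append({"line": lineno, "src": rec.get("src"), "type": "ipv4",
                             "field": field, "ioc": rec[field]})
        host = rec.get("host")
        if host:
            for d in iocs["domain"]:
                if domain_matches(host, d):
                    hits.append({"line": lineno, "src": rec.get("src"), "type": "domain",
                                 "field": "host", "ioc": d})
        # File indicators: normalize case before comparing hashes.
        digest = rec.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append({"line": lineno, "src": rec.get("src"), "type": "sha256",
                         "field": "sha256", "ioc": digest})
    return hits


def hosts_to_investigate(hits):
    """Pivot from indicator hits to the internal hosts that produced them."""
    return sorted({h["src"] for h in hits if h["src"]})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS.splitlines(), IOCS)
    for h in found:
        print(f"line {h['line']}: {h['field']}={h['ioc']} matched {h['type']} IOC (src {h['src']})")
    print("hosts to investigate:", hosts_to_investigate(found))
```

Two details matter in practice: domain indicators are matched against subdomains too (a feed entry for `update-check.example` should also catch `download.update-check.example`), and hashes are lowercased before comparison, because different agents emit different cases. On the sample data the script finds four hits and two internal hosts worth following up.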

Vulnerability Scans

Vulnerability scanning examines the services running on systems for known software vulnerabilities, using signatures and scripts. Scanners such as Tenable Nessus or OpenVAS check network hosts for vulnerabilities and compare the results to templates and lists of known vulnerabilities. They group the findings, rate their impact, and offer remediation advice. The following concepts contribute to the accuracy, thoroughness, and effectiveness of a vulnerability scan:

False positives: A false positive is something that a scanner incorrectly identifies as a vulnerability. Investigating each one takes time and effort, but ignoring scan results entirely may lead to more serious issues.

False negatives: These are real vulnerabilities that a scan fails to detect. They can be reduced by performing additional scans regularly and by using scanners from more than one vendor.

Log reviews: Reviewing relevant system and network logs improves the validation of vulnerability reports. Log reviews may also reveal security events, policy violations, and other unusual circumstances that call for further investigation.

Credentialed vs. non-credentialed: A vulnerability scan can run with or without credentials. Non-credentialed scans give an outsider's view of the exposed services and their possible vulnerabilities, but lack in-depth information. Credentialed scans require login information and offer more thorough, accurate risk information: they involve extra steps, but they expose configuration errors and show what a potential insider attack could reach.

Intrusive vs. non-intrusive: These are two further types of vulnerability scan. Non-intrusive scans identify vulnerabilities by analyzing intercepted network traffic or through other passive reconnaissance methods, without directly engaging the target. They have no effect on the network but might not catch every vulnerability. Intrusive scans actively probe target devices, which increases the likelihood of system disruption; they may try to exploit vulnerabilities to prove they exist, which can cause outages.

Application: Applications that process data and act as user interfaces are frequent targets for attackers. A vulnerability scan measures an application's resistance to attack.

Web application: Web applications provide convenience but also increase the risk of unauthorized access. Vulnerability scans assess the security of web applications; most web application vulnerabilities are due to improper input validation.

Network: Users and computing systems are connected through the network, which facilitates data exchange. Vulnerability scanners use the network to reach connected systems, and scans typically cover the whole network in order to map and enumerate the systems on it.

Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS): CVE is a catalogue of known software vulnerabilities, with an ID, a description, and references for each entry. Vulnerability scanners that identify software versions and their related vulnerabilities are built on this foundation. CVSS rates the severity of a vulnerability on a scale from 0 to 10, taking into account, among other factors, the complexity of exploitation, whether user interaction is needed, and what privileges are required. Together, CVE and CVSS give useful insight into the risks associated with specific software.

Configuration review: Incorrect configurations make systems more vulnerable and may even bypass security controls. Verifying configurations is an important part of vulnerability assessment, and routine automated configuration reviews are advised. Standards such as Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE), both part of NIST's National Vulnerability Database (NVD), provide resources for measuring and validating configurations.

Syslog/Security information and event management (SIEM)

Security controls generate large volumes of log data and alerts about events that may pose a risk. SIEM technologies aggregate this data from many sources and analyze security alerts from network hardware and applications in real time. Syslog, a logging protocol used on Linux and other Unix-like systems as well as on network devices, collects logs and forwards them to a central server, which improves security by segregating problem reports from the other logs on the originating host. The following concepts are essential:

Review reports: Alerts and reports are the two main outputs of a SIEM. Both are produced when predetermined conditions, defined in the system's rules, are met. The reports can then be examined to establish whether an incident actually occurred or whether it was a false alarm.

Packet capture: Network sensors and NetFlow sources collect information that allows full frame inspection and compiled statistics on bandwidth and protocol utilization. Packet captures let analysts monitor different network segments, replay traffic, and investigate incidents. The disadvantage is that they need a lot of storage, and the sensors need careful placement and retention-period decisions to be useful.

Data inputs: SIEM systems collect a variety of data inputs from multiple systems. A SIEM focuses on locating the critical information needed to support particular decisions. What makes a SIEM effective is specifying the desired outputs and then tracking down the required inputs from firewalls, network devices, and important servers. As the SIEM matures, unused data sources are eliminated and new sources are incorporated, and security specialists fine-tune it to address the issues and risks unique to their environment.

User behavior analysis: A User and Entity Behavior Analytics (UEBA) system detects undesired activity by comparing it against a baseline. It monitors user account activity across platforms and cloud services, including embedded hardware, machine accounts, and other services, and relies heavily on AI and machine learning. SIEMs apply rules to the data to identify incidents that match known patterns.
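The core of the baseline comparison a UEBA system performs can be shown without any machine learning. The added example below (written for this post, not code from the post or from any UEBA product) builds a per-account baseline from a constructed 14-day history of daily login counts and source countries, then flags a review day on three grounds: login volume far above the account's own norm, a country the account has never logged in from, and an account with no baseline at all. The account names, counts and countries are assumptions made for the example.

```python
"""Baseline comparison, the core of UEBA: added example for this post, not
code from the post or from any UEBA product. The accounts, counts and
countries below are constructed sample data."""
from statistics import mean, pstdev

# Constructed 14-day baseline: daily successful-login counts per account,
# and the set of source countries seen during that period.
BASELINE_COUNTS = {
    "alice": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4],
    "svc-backup": [1] * 14,
}
BASELINE_COUNTRIES = {"alice": {"US"}, "svc-backup": {"US"}}

# Constructed observations for the day under review: (login count, countries seen).
TODAY = {
    "alice": (40, {"US"}),
    "svc-backup": (1, {"US", "RO"}),
    "bob": (2, {"US"}),
}


def zscore(value, history):
    """How many standard deviations value sits from the history mean.
    A constant baseline has zero spread, so any change to it is treated as infinite."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def flag_anomalies(today, baseline_counts, baseline_countries, threshold=3.0):
    """Return (account, reason) pairs for behaviour that deviates from the baseline."""
    findings = []
    for account, (count, countries) in today.items():
        if account not in baseline_counts:
            # Nothing to compare against: new or dormant accounts are worth a look on their own.
            findings.append((account, "no baseline for this account"))
            continue
        z = zscore(count, baseline_counts[account])
        if z > threshold:
            findings.append((account, f"login volume {count} is {z:.1f} standard deviations above normal"))
        unseen = countries - baseline_countries.get(account, set())
        if unseen:
            findings.append((account, f"logins from never-seen countries {sorted(unseen)}"))
    return findings


if __name__ == "__main__":
    for account, reason in flag_anomalies(TODAY, BASELINE_COUNTS, BASELINE_COUNTRIES):
        print(f"{account:12s} {reason}")
```

The two comparisons are deliberately different in kind: the volume check is statistical and tolerates normal variation (the threshold of three standard deviations is a choice, not a standard), while the country check is a set difference, because for a service account that has only ever logged in from one place, a single login from somewhere new is the signal. Real UEBA products learn many more such features, but they all reduce to "build a baseline per entity, then score today against it".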

Sentiment analysis: Sentiment analysis is used to track brand-related events on social media, such as identifying dissatisfied customers. In security, it assists in gathering threat intelligence to anticipate and identify potential internal or external threats before they develop into attacks. The method looks for patterns in data that reflect human emotions, viewpoints, or attitudes.

Security monitoring: Security monitoring gathers and analyzes data in order to spot unauthorized changes or suspicious activity in connected systems and networks. It requires setting up alert triggers based on predetermined behaviors. SIEM devices first focused on data collection, then moved on to event data management; the current stage is security orchestration, automation, and response (SOAR), which automates security procedures end to end. Given the complexity of modern IT systems, businesses, attacks, and behavioral patterns, security monitoring would be impossible without automated solutions like SIEM and SOAR.

Log aggregation: Integrating logs from several systems lets data in different formats coexist. This gives a more complete picture of the system's state than any single data source could. Log aggregation transforms the various sources into a common format that can be searched and used for particular purposes, which makes the data more reliable and easier to search. It also normalizes time zones so that events from every source fall on a single timeline.

Log collectors: A log collector is a network device or service that acquires log and/or status information from other systems. Its purpose is to gather data from many independent sources and feed it into a single destination, such as a SIEM. The source formats may differ, but the collector maps their various fields into one coherent data stream.
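The following added example (written for this post, not code from the post or from any SIEM vendor) shows the normalization step that log aggregation and log collectors perform. It recognizes three constructed inputs that a collector commonly sees, a classic BSD-style syslog line (RFC 3164, which carries no year and no time zone), a modern RFC 5424 syslog line with an explicit offset, and a JSON event from a cloud source, maps them to one common record shape, converts every timestamp to UTC and sorts them into a single timeline. The host names, messages and the assumed time zone of the BSD-style sender are all constructed for the example.

```python
"""Log aggregation: parsing three log formats into one UTC timeline.
Added example for this post, not a tool from the post or from any SIEM
vendor. All log lines below are constructed sample data."""
import json
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Classic BSD syslog (RFC 3164): "<PRI>Mon dd hh:mm:ss host app[pid]: msg". No year, no time zone.
BSD_RE = re.compile(
    r"^(?:<(\d+)>)?([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$")
# Modern syslog (RFC 5424): "<PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG".
RFC5424_RE = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")

# Constructed sample lines from three different sources plus one line nobody can parse.
SAMPLE = [
    "<38>May  1 10:02:11 fw01 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 4422 ssh2",
    "<34>1 2024-05-01T12:02:13+02:00 app01 myapp 42 - - User login failed for bob",
    '{"time": "2024-05-01T10:02:09Z", "host": "web01", "app": "nginx", "message": "403 for /admin from 203.0.113.9"}',
    "this line has no recognizable structure",
]


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity); e.g. 34 -> (4 auth, 2 critical)."""
    return pri // 8, pri % 8


def parse_iso(ts):
    """Parse an RFC 3339 timestamp, accepting a trailing 'Z', and return it in UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_bsd(line, year, tz):
    """RFC 3164 lines lack year and zone, so the collector must supply both."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri, mon, day, hh, mm, ss, host, app, _pid, msg = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    rec = {"ts": local.astimezone(timezone.utc), "host": host, "app": app, "msg": msg, "format": "rfc3164"}
    if pri is not None:
        rec["facility"], rec["severity"] = decode_pri(int(pri))
    return rec


def parse_rfc5424(line):
    m = RFC5424_RE.match(line)
    if not m:
        return None
    pri, ts, host, app, _procid, _msgid, _sd, msg = m.groups()
    rec = {"ts": parse_iso(ts), "host": host, "app": app, "msg": msg, "format": "rfc5424"}
    rec["facility"], rec["severity"] = decode_pri(int(pri))
    return rec


def parse_json(line):
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    if not isinstance(obj, dict) or "time" not in obj:
        return None
    return {"ts": parse_iso(obj["time"]), "host": obj.get("host", "?"),
            "app": obj.get("app", "?"), "msg": obj.get("message", ""), "format": "json"}


def normalize(lines, bsd_year=2024, bsd_utc_offset_hours=0):
    """Parse each line with whichever format matches and return
    (events sorted into one UTC timeline, lines that no parser accepted)."""
    bsd_tz = timezone(timedelta(hours=bsd_utc_offset_hours))
    events, unparsed = [], []
    for line in lines:
        rec = parse_bsd(line, bsd_year, bsd_tz) or parse_rfc5424(line) or parse_json(line)
        if rec is None:
            unparsed.append(line)      # never silently drop input: it still goes to the SIEM
        else:
            events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


if __name__ == "__main__":
    # Assume the firewall sending BSD-style lines has its clock set to UTC-5.
    events, unparsed = normalize(SAMPLE, bsd_utc_offset_hours=-5)
    for e in events:
        print(f"{e['ts'].isoformat()} {e['host']:6s} {e['app']:6s} {e['msg']}")
    print("unparsed:", unparsed)
```

The time-zone point from the log aggregation paragraph shows up directly: with the firewall assumed to be at UTC-5, its 10:02:11 line lands at 15:02:11 UTC and sorts last, whereas if the collector assumed UTC it would sort between the other two events, and an analyst reading the timeline would draw the wrong conclusion about which happened first. Unparsed lines are kept rather than dropped, because a collector that discards what it cannot understand is a blind spot, not a filter.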

Security Orchestration, Automation, and Response (SOAR)

The goal of security orchestration, automation, and response (SOAR) is to address the problem of alert volume outpacing analysts' capacity to respond. SOAR first scans the organization's repository of security and threat information, analyzes it using machine learning and deep learning techniques, and then acts on that data. SOAR systems gather data and alerts in one place and carry out automated responses to address the threats.

Security is always excessive until it’s not enough.

Robbie Sinclair

Review Questions

1. As part of your company's comprehensive vulnerability scanning policy, you decide to perform a passive vulnerability scan on one of your company's subnetworks. Which statement is true of this scan?

2. Which tool is used to perform a vulnerability test?

3. Which of the following is an advantage of using a Security Information and Event Management (SIEM) system?

4. A company is considering implementing a system that uses artificial intelligence to detect and respond to security threats in real-time. What type of system is this?

Links to the Labs

  1. Vulnerability Management
  2. Nessus Tool
  3. OpenVAS Tool
