1.7 Summarize the techniques used in security assessments

  • Threat Hunting
    • Intelligence Fusion
    • Threat Feeds
    • Advisories and Bulletins
    • Maneuver
  • Vulnerability Scans
    • False Positives
    • False Negatives
    • Log Reviews
    • Credentialed vs Non-Credentialed
    • Intrusive vs Non-Intrusive
    • Application
    • Web Application
    • Network
    • Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
    • Configuration Review
  • Syslog/Security Information and Event Management (SIEM)
    • Review Reports
    • Packet Capture
    • Data Inputs
    • User Behavior Analysis
    • Sentiment Analysis
    • Security Monitoring
    • Log Aggregation
    • Log Collectors
  • Security Orchestration, Automation, and Response (SOAR)

Threat Hunting

We will know learn how to effectively conduct a security assessment.  How can we identify potential threats?

  • Intelligence Fusion.  I previously mentioned that there are many sources of intelligence including private intelligence, open source intelligence, and feeds.

    We need to take all these sources and think about how reliable each one is.  Then we need to extract the specific information that is relevant to the organization we are conducting a security assessment for.  When we merge all this information, we call it an intelligence fusion.  Now we have an idea of the threats that we are looking for.

  • Threat Feeds.  We should also look at feeds of new threats that have the potential to impact our organization.

  • Advisories and Bulletins.  Advisories can be issued by vendors, manufacturers, or the government.  An advisory tells us about a potential threat that we need to be aware of.

Vulnerability Scans

A vulnerability scanner is a general term for a device that detects security flaws and weaknesses.  It may be software based or hardware based.

The scanner will have specific items that it looks for, which could include

  • Open ports

  • Weak passwords

  • Computers without malware scanners

  • Computers without required patches or updates

  • Switches without port security

A scanner may

  • Report the detected vulnerabilities to an administrator

  • Automatically repair or rectify the detected vulnerabilities

  • Quarantine or disable the affected device

Some parameters we need to think about

  • False Positives.  A False Positive is when our scanner labels a legitimate item as a threat.  If our scanner is too sensitive, we may have too many false positives.  Having too many false positives is bad because we must manually review each one to determine whether it is legitimate.

  • False Negatives.  A False Negative is when our scanner labels a threat item as a legitimate item.  If our scanner is not sensitive enough, we may have too many false negatives.  Having too many false negatives is bad because we will allow many threats to enter the organization.

  • Log Reviews.  Part of our scan should involve the review of logs.  The log review may be conducted automatically, especially when there are many longs with many lines.

  • Credentialed vs Non-Credentialed.  A credentialed scan is one where the scanner is given full administrator rights.  A credentialed scan shows us the vulnerabilities that are visible to somebody who has already gained access to the organization’s network (either legitimately or illegally).  We can use it to understand the threats that a rogue administrator or a hacker with stolen credentials can pose.

    We can run the scan with different sets of credentials, each with a different privilege level.  That will tell us whether some privilege levels are misconfigured or have access to resources that they shouldn’t.

    A non-credentialed scan is one where the scanner is not given any rights.  A non-credentialed scan shows us the vulnerabilities that are visible to somebody outside of the organization.

  • Intrusive vs Non-Intrusive.  A non-intrusive scan is one that only identifies the vulnerabilities, while an intrusive scan is one that tries to exploit them.  We may not want to run an intrusive scan on a live system because there is a risk that it would be damaged. 

    On the contrary, if we run a non-intrusive scan, we won’t know whether the vulnerability can actually be exploited or what damage will happen when it is exploited.

  • Application.  An application scan checks for vulnerabilities in a specific application.

  • Web Application.  A web application scan checks for vulnerabilities in a specific web application.  The scan may simulate attacks from remote users.

  • Network.  A network scan checks for vulnerabilities within a specific network.

  • Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS).  A group sponsored by MITRE and the US Department of Homeland Security created a database of vulnerabilities called Common Vulnerabilities and Exposures, or CVE.

Each time a vulnerability is discovered in a commercial device, it is listed in this database.  The scan can (and should) check for vulnerabilities that are present in this database.  These vulnerabilities are well researched and usually have patches.

The Common Vulnerability Scoring System gives each vulnerability a score.  If we don’t have the time or money to fix every vulnerability right away, we can use the score to determine whether a vulnerability is a low, medium, or high risk.  Then we can manage them accordingly.

  • Configuration Review.  A configuration review is a process for reviewing the configuration on each device in the organization.  The review identifies whether the device is configured in accordance with best practices.

Syslog/Security Information and Event Management (SIEM)

SIEM stands for Security Information and Event Management.  It can be a dedicated appliance, or it can be a software application.  Many SIEM systems are cloud-based and share threat & intelligence data with multiple customers.

Most network devices generate and store security data.  For example, a router may detect traffic from an unauthorized location or a server may detect, and log failed login attempts.

An SIEM aggregates this security data from multiple locations including routers, switches, servers, IP Phones, network storage appliances, video recorders.  This is known as log collection.

The SIEM may convert the logs and data into a common format.  This is known as log aggregation.  The SIEM allows a security administrator to view all security events in one place (and in one format) instead of having to log in to multiple devices and extract logs.

The SIEM can also allow a network administrator to correlate events across multiple devices.  For example, if a hacker gains unauthorized access to a network through the router and then fails to log in a file server multiple times, both events can be correlated as coming from the same source IP address and occurring at the same time.

The SIEM can automatically send alerts to a network administrator either via SMS or e-mail.  The SIEM can be set to trigger alerts when specific events occur.

If network devices are in different time zones, the SIEM can automatically adjust the log times to the time zone of the security administrator.  The SIEM can also remove duplicate events from the log.

Some examples of logged data

  • Failed log in attempt on a server or router

  • Firewall refuses traffic from a specific IP address

  • IP address is engaged in port sniffing

Some features of the SIEM

  • Packet Capture.  The SIEM might be able to capture actual packets of data if the network has port mirroring or a packet sniffing device installed.

    Being able to analyse the contents of a packet is helpful because it allows us to see the source and destination of the data as well as the actual potentially malicious content. 

    It is more than just a log.  It is the equivalent of seeing security camera footage versus being alerted that an intrusion alarm went off.

  • User Behavior Analysis.  An advanced SIEM can use something called User and Entity Behavior Analytics to better detect threats through machine learning.  The analytics asks the following questions

    • Is the user behaving the way a typical user at this organization behaves?

    • Is the user behaving the way a typical user in this role behaves?

    • Is the user behaving the way this user typically behaves?

    • Is the user behaving the way that they did in the past or has something changed?

Some examples of abnormal behavior

  • User has accessed more files than usual today.

    • User is accessing files in directories that he normally does not access

    • User is accessing files in the marketing directory, but the user works in the accounting department.  Other users in the accounting department don’t normally access files in the marketing directory.

Once we see some abnormal behavior, we can investigate further to determine whether the behavior is legitimate or whether there is an attack.  Either way, we tell the SIEM the result so that it can learn better.

  • Sentiment Analysis.  Building on the user behavior analysis, the SIEM can also use sentiment analysis.  Sentiment analysis gathers data from multiple sources to understand human emotions and attitudes.

Security Orchestration, Automation, and Response (SOAR)

SOAR is an application that combines multiple types of threat response.  It includes an SIEM, a security incident response system, and security automation.

When the SIEM detects a threat, it automatically notifies an administrator and creates an incident.  It can also launch an automatic response; the type of response depends on the type of incident and its severity.  We can program the SOAR to respond the way that we want.

Some examples

  • The SIEM detects that a user has accessed too many shared files in a short time.  SOAR notifies an administrator or the user’s manager to investigate further.  SOAR takes no further action.

  • The SIEM detects that ransomware has infected a user’s computer through an e-mail.  SOAR automatically shuts down the user’s computer and isolates it from the network.  SOAR notifies an administrator of the issue and begins an in-depth scan of other devices on the network.  SOAR also takes a fingerprint of the ransomware and adds it to its threat database so that it can be blocked if it attempts to enter through another mechanism.