
Threat Intelligence Information
This is a guide on threat intelligence information.
Threat Intelligence Sources
Cybersecurity analysts, as well as threat intelligence tools, rely upon threat intelligence sources. Now, this comes in a few forms, one of which is from the open-source community. This means it's freely available to anyone over the Internet. And often when we talk about open-source threat intelligence sources, we refer to it as OSINT for open-source intelligence.
The other side of it is that we also have private or subscription-based threat intelligence sources. So, for example, this could be a commercial, paid threat feed that is used in conjunction with enterprise-class threat intelligence and threat hunting software. It could also be private in the sense of threat intelligence data that belongs to government agencies such as the U.S. Dept of Homeland Security.
Where possible, using a combination of OSINT and private or subscription-based types of threat intelligence sources is definitely recommended.
Let's take a peek at some common open-source IT security intelligence sources, starting with the Common Vulnerability Scoring System (CVSS). This is a scoring system used to rate how serious a vulnerability or threat is. And many tools use it internally to drive the visual dashboards that show the seriousness of the threats those tools detect.
The Center for Internet Security (CIS) is a website that is designed to provide cybersecurity analysts with best practices related to IT security via extensive lists of security controls and how they map to various security standards, which is similar to what we saw when we talked about the Cloud Controls Matrix (CCM),
except this isn’t specific only to cloud computing. CIS also provides security configuration baselines for specific IT products. These types of benchmarks can allow us to assess our current security posture when it comes to the configuration of deployed solutions.
The Open Web Application Security Project (OWASP) Top 10 stems from a worldwide nonprofit collection of experts that identify the ten most common web app vulnerabilities. And the OWASP Top 10 is published every few years. There are many tools you'll find out there, like web application firewalls, that can be configured to apply standard OWASP Top 10 protection to secure a web application.
And then we have Open Source Security Information Management, otherwise called OSSIM. This is really a SIEM system, a Security Information and Event Management system: a centralized logging and analytics tool that gives analysts an overall picture of the security posture for the data that is fed into it.
And often that will be a combination of things like logs of various types from apps, from websites, from operating systems, from security appliances, and it also supports correlation features to identify potential indicators of compromise. OSSIM solutions usually also have the ability to bring in data from intrusion detection sensors, and often have functionality, sometimes in the form of add-ins or plug-ins for your OSSIM tool, to discover and classify data, looking for sensitive data.
Let’s go into some of these things in a bit more detail, starting with CVSS. Pictured on the screen, we’ve got an example of the CVSS Calculator tool, which is freely available to anyone on the Internet using a web browser. Now, the formulas that are used to calculate these vulnerability scores can get very complex, and the resulting score of a given vulnerability will range from 0 up to 10, where 10 is the most serious type of vulnerability or threat and 0 is the least. Many tools use CVSS formulas to assess how serious potential threat indicators really are.
The OWASP Top 10 is published every few years. It comes from a worldwide nonprofit collection of experts that identify the 10 most common web application vulnerabilities, along with solutions for how to mitigate and minimize their impact.
[Video description begins] A screenshot of What's changed in the OWASP Top 10 for 2021 displays. It lists the topmost web app vulnerabilities for 2021 and compares it to the 2017 OWASP Top 10 list. [Video description ends]
You'll find a lot of security tools, especially those related to web application firewalls (WAFs), that can be configured to use rule sets that are based on the OWASP Top 10.
Then we have industry security awareness documentation. In our screenshot, this is from the SANS Institute. It’s the SANS 2023 Security Awareness Report. This would be the type of thing that a cybersecurity analyst would subscribe to and read to gain insights about current security trends and emerging threats.
A lot of threat intelligence tools that monitor and identify threats use specific threat intelligence data formats. One such format is Structured Threat Information Expression (STIX). Now, this format is used, for example by a centralized logging system, to detect anomalies and identify potential indicators of compromise, threat actors and exploits.
And then we have the Trusted Automated Exchange of Indicator/Intelligence Information, otherwise called TAXII. Now, TAXII is a little bit different from STIX, because STIX is actually a format for threat information, whereas TAXII is a method of transmitting or exchanging it, such as through threat feeds that feed into threat monitoring software.
So these are the types of data sources that cybersecurity analysts must keep up to date with. Keeping track of security trends and emerging threats isn't a one-time thing. This is constant. It is a continual journey for security professionals, and any security tools that we use to monitor for threats, whether on-premises or in the cloud, should be configured to retrieve and use the latest intelligence feeds that are available.
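As an added example (not from the course), this Python script shows the format/transport split in practice: it parses a constructed STIX 2.1 bundle of indicators (the kind a TAXII client would pull from a collection) and matches their patterns against constructed SIEM log records. The bundle contents, the log field names in FIELD_MAP and the record layout are assumptions.

```python
"""Matching STIX 2.1 indicators against log records (added example, not from
the course). STIX is the format; TAXII is the transport. This parses a small
STIX bundle (constructed inline; normally fetched from a TAXII collection) and
evaluates each indicator's pattern against sample log records. Only the
simplest pattern form is handled: one observation expression made of equality
comparisons joined by AND/OR (AND binds tighter than OR, as in STIX)."""
import json
import re

# Constructed bundle. Addresses come from the RFC 5737 documentation ranges and
# the domain from the reserved .example TLD; the UUIDs are made up.
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Known C2 address (constructed)",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Phishing infrastructure (constructed)",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-update.example' OR "
                    "url:value = 'http://198.51.100.7/invoice.html']",
         "valid_from": "2024-01-01T00:00:00Z"},
    ],
})

# Which fields of a log record each STIX object path is compared against.
# The field names are assumed; map them to whatever your SIEM uses.
FIELD_MAP = {
    "ipv4-addr:value": ("src_ip", "dst_ip"),
    "domain-name:value": ("query", "host"),
    "url:value": ("url",),
}

_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def parse_pattern(pattern):
    """Turn "[a:b = 'x' OR c:d = 'y' AND e:f = 'z']" into a list of OR-branches,
    each a list of (object path, value) terms that must all hold."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    branches = []
    for clause in re.split(r"\s+OR\s+", body[1:-1]):
        terms = []
        for term in re.split(r"\s+AND\s+", clause):
            m = _COMPARISON.fullmatch(term.strip())
            if not m:
                raise ValueError(f"unsupported comparison: {term!r}")
            terms.append((m.group(1), m.group(2).replace("\\'", "'")))
        branches.append(terms)
    return branches


def record_matches(record, branches):
    """True if the record satisfies every term of at least one OR-branch."""
    def holds(path, value):
        return any(str(record.get(f, "")).lower() == value.lower()
                   for f in FIELD_MAP.get(path, ()))
    return any(all(holds(p, v) for p, v in branch) for branch in branches)


def find_hits(bundle_json, records):
    """Return (indicator name, record) for each record matching an indicator.
    Indicators with pattern forms this parser does not handle are skipped."""
    compiled = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        try:
            compiled.append((obj["name"], parse_pattern(obj["pattern"])))
        except ValueError:
            continue
    return [(name, rec) for rec in records
            for name, branches in compiled if record_matches(rec, branches)]


# Constructed records as a SIEM might receive them from a firewall and a DNS server.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.15", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"src_ip": "10.0.0.22", "query": "www.example.org"},
    {"src_ip": "10.0.0.22", "query": "LOGIN-UPDATE.example"},
    {"src_ip": "10.0.0.8", "dst_ip": "192.0.2.10", "dst_port": 80},
]

if __name__ == "__main__":
    for name, rec in find_hits(STIX_BUNDLE_JSON, SAMPLE_RECORDS):
        print(f"HIT {name}: {rec}")
```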
Viewing Common Vulnerabilities and Exposures
CVEs. These are Common Vulnerabilities and Exposures. So this is yet another one of those absolutely valuable cybersecurity analyst resources. As it states on the site here at cve.org, this is a catalog of publicly disclosed cybersecurity vulnerabilities.
[Video description begins] The website www.cve.org is open on a web browser. The top is lined by a search bar to find CVE records and the top describes the CVE Program Mission. [Video description ends]
Now we can search by a specific CVE ID, which takes the format CVE-YYYY-NNNN.
Well, how would you know that ID? When you are performing threat hunting, when you're looking at security tool logs, or even in the result of a vulnerability scan, it might be disclosed that there was a problem: a vulnerability that might have been discovered, or that might be taking place on the network now, referenced by CVE. And then it’ll give you the ID. So if you need to, you can come here and search that up.
Although many tools now are good at showing you those details, or have a link to cve.org built in for you. Down below it states there are over 211,000 CVE records. So we can click on Search if we decide we want to search them. [Video description begins] The host clicks on the Search hyperlink below the program mission. A new tab opens. It has a section in the middle called Search CVE List displaying a search box with a Submit button below it. [Video description ends] So we can either search based on the CVE ID or on keywords.
For example, I’m going to search for apache struts. Now, this is one of the problems that led to the massive data breach years ago of Equifax financial information. But at any rate, even today, there are issues or problems with it. When you look at a CVE, we know it’s going to say CVE, it’s going to have the year, it’s going to have an assigned number; but then the description gives you some details about what the vulnerability is.
[Video description begins] The page now displays results of the search, with CVE names mentioned in the CVE-YYYY-NNNN format on the left and Descriptions mentioned on the right. [Video description ends]
And then, of course, even in just the brief description, it tells you what to do: update to the newest version of that component. Struts is used for server-side Java component development for web apps.
Even further back, let's say back to 2016, there’s a plugin for the REST API for Struts that allows remote attackers to execute arbitrary code via a crafted expression. Let's click on that to open up the details. When you open up the details about one of these CVEs, you'll have a number of references shown here.
There are even links here to other resources like the National Vulnerability Database (NVD). Let’s go ahead and click on that. That opens up in another browser tab.
This, of course, is sponsored by the National Institute of Standards and Technology (NIST). It's an American government website. So here we have the CVSS score, where 10 is considered to be the most serious. This has a score of 9.8. Yeah, that would be a critical issue. Down below it even gives the specific known software configurations that are vulnerable, with the specific versions of Struts.
So you can bet that attackers would be looking for this type of thing. If they scan a network and they detect a web server, the next thing to do is to look for whether some server side tools might be in use.
That’s why we don’t want to disclose too much information, even when errors occur in a web app. We don’t want attackers to know that we might be using a component like this. So under the Weakness Enumeration, this type of problem can result from Improper Input Validation.
Whenever data is supplied into an application, whether by a user interface or by some other piece of code, we must always, from a development standpoint, treat that as being hostile; assume it is hostile. You need to very carefully look at what's being submitted as data or in a request to make sure it's what you would expect given the nature of the app. Make sure there are no special characters in it, by making sure you have proper input sanitization rules in place and whatnot.
So there are plenty of links even here from other vendor sites related to this problem. And again, a cybersecurity analyst can only effectively use this knowledge if they are allocated the time in the first place to be able to go through these things periodically. [Video description begins] The host scrolls back to the middle of the page and points towards a table with hyperlinks listed on the left and resources listed on the right. [Video description ends] There must be at least a small portion of time dedicated to this, even though we're always busy when we do our jobs. This has to be considered a part of the job.
To take that a step further, why don’t we take a look at the network security scan results from using the OpenVAS security scanner tool. So this is a PDF report. In the table of contents, of course, we have Results per Host, broken down by port number usage like 53/udp for DNS. But once again, as we go through this security report, notice that we have references to things that we’ve talked about, like the CVSS threat severity score. So 5 is the halfway mark, 10 being the most serious.
This one’s related to DNS Cache Snooping. As I go further down, I have a reference here to deprecated TLSv1.0 and TLSv1.1 being used. We know we should be using at least TLSv1.2 as of this time. And as I go further down, the mitigation is to disable the deprecated protocols in favor of the newer version, which is kind of an obvious conclusion.
On the Windows side of things, say on Windows Server, this can be done in the registry. This can be done in config files on the Linux platform, let’s say if we’re using the NGINX or the Apache HTTP web server.
But also notice the references here under the Vulnerability Insight section, where you can learn more about the vulnerability. Notice the CVE references.
This stuff is referenced everywhere and that's why we're taking the time to carefully talk about the CVSS scoring system and common vulnerabilities and exposures (CVEs), because they are used by most security monitoring tools.
Using MITRE ATT&CK
Yet another important aspect of a cybersecurity analyst’s toolbox, so to speak, is the MITRE ATT&CK framework or knowledge base. Now, not only is it important to know how to access these resources, but of course how to use them.
How to apply what we learn from these cybersecurity frameworks and best practices solutions so that we can better secure our IT environments. So let's talk about the MITRE ATT&CK knowledge base.
[Video description begins] The MITRE ATT&CK knowledge base is open on a web browser. The URL reads https://attack.mitre.org [Video description ends]
So it states here it's a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. In a loose, conceptual way, that is similar to a honeypot.
You deploy a honeypot, which is an intentionally vulnerable host or collection of hosts, so that you can attract malicious activity and monitor it to learn how attackers actually exploit these vulnerabilities. While that's valuable, a lot of that work has already been done. That's part of what this knowledge base is about.
Down below, we have the ATT&CK Matrix for Enterprise, where there are 10 techniques that attackers will use to ultimately gain access to a system and do whatever their goal calls for. So from a brief overview standpoint, first let's take a look at some of these categories.
[Video description begins] The host scrolls down to reveal the ATT&CK matrix which is a series of attack techniques currently open in the side layout. The technique categories are displayed as columns headers lined one next to the other, with numerous techniques listed in the column for each category. [Video description ends]
There are 10 commonly used techniques for Reconnaissance. Attackers must know what is on a network, so by performing network scanning in some way beforehand, they can determine what is there that might be vulnerable. Then there's Resource Development. Then gaining Initial Access. Execution of some kind of attack. Persistence: making back doors so that there is a persistent way for the attacker to keep coming into the system.
Then Privilege Escalation, so that attackers have free rein over a host or a collection of hosts that they’ve compromised, instead of just basic user access. Then Defense Evasion: what can attackers do to basically cover their tracks? Gaining Credential Access through many techniques like man-in-the-middle attacks or brute-force attacks.
Discovery: discovering what is being used by an organization. This is closely related to the reconnaissance phase, but the difference here is that we are enumerating services that are out there on the network to take a look at what's being used. There's a scroll bar, so at the bottom, if I kind of scroll over to the right and then scroll back up to the top, we have Lateral Movement.
So once attackers gain access to or compromise one or more hosts, through those hosts they can initiate connections to other hosts on an internal network and keep piggybacking in that way for lateral movement throughout the network. Then the Collection of potentially sensitive data. Command and Control, such as infecting machines so that they periodically refer to an external source under the attacker's control to receive instructions on what they should be doing; think botnet. Then Exfiltration of data.
And then, of course, the Impact that this type of compromise, and there are many types, might have on an organization: Data Destruction, Data Manipulation, even the Defacement of a website, even a Disk Wipe if a ransom is not paid when we have a ransomware infection. Okay, so let's begin by going back to Reconnaissance and taking a peek at some of these detailed items, such as Gather Victim Network Information. What’s that about? [Video description begins] The Gather Victim Network Information tab opens. [Video description ends]
Well, this is a technique that falls under the Reconnaissance tactic, from an attacker’s perspective: things like IP ranges in use, DNS domain names, the network topology and what's being used on it. The more attackers know, the more they can focus their energy on breaking into stuff and stealing things.
So it could be Active Scanning on the network using a variety of tools; we’ll take a look at network scanning later on. Or trying to trick people, perhaps through some kind of email phishing campaign, into providing sensitive details, clicking a link or downloading a file attachment.
And what we really are interested in here is Detection. How do we detect that this might be happening and that it's a security problem, as opposed to normal activity? Well, it says this type of activity could have a high occurrence rate with a lot of false positives, so it can be hard to detect and take seriously.
But one of the things about threat hunting is that it isn’t just individual one-by-one log entries or suspicious items on the network; it's the correlation of related items. So it says down at the bottom here that detection efforts might then be focused on related stages of the adversary lifecycle, like Initial Access, especially within a reasonably short time frame. So that is something to think about.
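One way to turn that advice into a detection rule, as an added example (not from the course or MITRE): a Python correlation that treats a port-scan burst as low priority on its own and raises a high-priority alert only when a successful login from the same source follows within 30 minutes. The events, thresholds and field names are constructed assumptions rather than any particular SIEM's schema.

```python
"""Correlating Reconnaissance with Initial Access (added example, not from the
course or MITRE). ATT&CK notes that scanning alone is noisy and suggests
focusing on related lifecycle stages within a short time frame. This rule
records a low-priority note for a scan burst, and raises a high-priority alert
only when a successful login from the same source follows within a window.
Events are constructed; the field names are assumed, not any SIEM's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(minutes=5)          # span in which distinct ports are counted
SCAN_PORT_THRESHOLD = 20                    # this many distinct ports = scan behaviour
CORRELATION_WINDOW = timedelta(minutes=30)  # login must follow the scan within this


def detect_scans(events):
    """Return {src_ip: [timestamps at which scan behaviour was observed]} using a
    sliding window over firewall deny events, per source address."""
    denies = defaultdict(list)
    for e in events:
        if e["type"] == "fw_deny":
            denies[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["dst_port"]))
    scans = defaultdict(list)
    for src, hits in denies.items():
        hits.sort()
        ports_in_window = defaultdict(int)   # port -> how many hits inside the window
        start = 0
        for ts, port in hits:
            ports_in_window[port] += 1
            while ts - hits[start][0] > SCAN_WINDOW:   # slide the window forward
                old = hits[start][1]
                ports_in_window[old] -= 1
                if ports_in_window[old] == 0:
                    del ports_in_window[old]
                start += 1
            if len(ports_in_window) >= SCAN_PORT_THRESHOLD:
                scans[src].append(ts)
    return scans


def correlate(events):
    """Low-severity finding per scanning source; high-severity finding for each
    successful authentication that follows a scan from the same source."""
    scans = detect_scans(events)
    findings = [{"severity": "low", "src_ip": src,
                 "reason": f"{SCAN_PORT_THRESHOLD}+ distinct ports within {SCAN_WINDOW}"}
                for src in scans]
    for e in events:
        if e["type"] != "auth_success":
            continue
        login_ts = datetime.fromisoformat(e["ts"])
        if any(timedelta(0) <= login_ts - t <= CORRELATION_WINDOW
               for t in scans.get(e["src_ip"], [])):
            findings.append({"severity": "high", "src_ip": e["src_ip"], "user": e["user"],
                             "reason": "successful login shortly after reconnaissance "
                                       "from the same source"})
    return findings


def constructed_events():
    """Sample events: one scanning address, one noisy-but-harmless address,
    and three logins of which only one should correlate."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    ev = []
    # 25 distinct ports probed within 25 seconds from one external address.
    ev += [{"ts": (base + timedelta(seconds=i)).isoformat(), "type": "fw_deny",
            "src_ip": "198.51.100.23", "dst_port": 20 + i} for i in range(25)]
    # Five denies on a single port from another address: stays below the threshold.
    ev += [{"ts": (base + timedelta(seconds=i)).isoformat(), "type": "fw_deny",
            "src_ip": "203.0.113.9", "dst_port": 3389} for i in range(5)]
    ev += [
        # Login from the scanning address 12 minutes later: correlated, high severity.
        {"ts": (base + timedelta(minutes=12)).isoformat(), "type": "auth_success",
         "src_ip": "198.51.100.23", "user": "svc_backup"},
        # Ordinary login from an internal address: no scan on record, ignored.
        {"ts": (base + timedelta(minutes=13)).isoformat(), "type": "auth_success",
         "src_ip": "10.0.0.5", "user": "alice"},
        # Same scanning address two hours later: outside the correlation window.
        {"ts": (base + timedelta(hours=2)).isoformat(), "type": "auth_success",
         "src_ip": "198.51.100.23", "user": "svc_backup"},
    ]
    return ev


if __name__ == "__main__":
    for f in correlate(constructed_events()):
        print(f)
```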
Let’s go back. For example, let’s take a look at Persistence. So once an attacker discovers or finds a vulnerability and is able to compromise something, they’re usually interested in having a way to continue to come back in, ideally with elevated privileges. So whether that's through creating an account or taking advantage of flaws, even in end-user productivity tools like Office Application Startup.
Let’s click on that. [Video description begins] The Office Application Startup tab opens. [Video description ends] It says here that when an Office-based application or document, like a Microsoft Word document, is opened, there might be a template macro or some kind of add-in, placed there by the malicious actor, that gives access to that machine. Or at least plants some kind of an agent, a small piece of malware, that in the future could perhaps exfiltrate data or cause some kind of damage, like initiating a ransomware attack.
These days, luckily, because Microsoft Office VBA macro security issues are widely known, this isn’t as pervasive. But there are some procedural examples of how this has been done, and some of the mitigations would be to follow Microsoft’s Office macro security best practices, where usually macros, especially the ones that kick in when we fire up an app or a document, are disabled by default. You have to enable the content to run them.
But combined with social engineering, or tricking a user, such as attaching one of these infected files and telling the user in the email that the organization uses macros and they must click the Enable Content button, there are ways that this can still happen.
So how do we detect this? Because detection, how we respond and how quickly we respond are the key elements of a cybersecurity analyst's job. You might be able to detect this by viewing Windows application log entries, or by new files that have been created or downloaded that seem suspicious because they don't fit the normal file creation or download patterns on that host.
Or persistence techniques that make changes to the Windows Registry. When users are logged in, they should not have access to write to the Registry. Of course, just adding Windows users to an administrators group is always a problem that violates the principle of least privilege. So we want to make sure that when users sign in with their account, they only have the permissions they absolutely need to do their jobs and nothing more.
At any rate, this is an example of the MITRE ATT&CK knowledge base and how it can prove to be extremely valuable in helping secure an organization's use of IT services.
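As an added example (not from the course or MITRE), here is a Python detection rule over constructed Sysmon-style file-create and registry-set events that flags writes to Office startup locations and macro-security settings by processes other than Office itself. The flattened event layout, the SID and the user paths are assumptions; the folder names and Registry value names are the real Office locations.

```python
"""Spotting Office Application Startup persistence in endpoint telemetry
(added example, not from the course or MITRE). The course says this technique
shows up as new files in unusual places and as Registry changes. This rule
scans constructed Sysmon-style events (ID 11 file create, ID 13 registry value
set; the flattened field names are assumed) for writes to Office startup
locations and macro-security keys by processes other than Office itself."""
import re

# Locations where a planted template, add-in or macro setting would land.
SUSPICIOUS_PATHS = [
    (r"\\Microsoft\\Word\\STARTUP\\", "file placed in Word STARTUP folder"),
    (r"\\Microsoft\\Excel\\XLSTART\\", "file placed in Excel XLSTART folder"),
    (r"\\Microsoft\\Templates\\Normal\.dotm$", "Word default template rewritten"),
    (r"\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security\\VBAWarnings$",
     "macro warning level changed"),
    (r"\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security\\AccessVBOM$",
     "programmatic access to VBA projects enabled"),
    (r"\\Software\\Microsoft\\Office\\\w+\\Addins\\", "Office add-in registered"),
]
_RULES = [(re.compile(p, re.IGNORECASE), why) for p, why in SUSPICIOUS_PATHS]

# Processes expected to touch these locations during normal use.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
FILE_CREATE, REG_VALUE_SET = 11, 13   # Sysmon event IDs
VBAWARNINGS_ENABLE_ALL = 1            # the "enable all macros" setting


def process_name(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dword(details):
    """Sysmon renders registry data as e.g. 'DWORD (0x00000001)'; return the int."""
    m = re.search(r"0x([0-9a-f]+)", details or "", re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return (reason, event) when the event looks like startup persistence,
    else None. Office's own writes are tolerated, except setting VBAWarnings to
    'enable all': a macro already running inside Office can do that itself."""
    if event["event_id"] not in (FILE_CREATE, REG_VALUE_SET):
        return None
    target = event["target"]
    for rx, why in _RULES:
        if not rx.search(target):
            continue
        from_office = process_name(event["image"]) in OFFICE_IMAGES
        enables_all = (event["event_id"] == REG_VALUE_SET
                       and target.lower().endswith("vbawarnings")
                       and dword(event.get("details")) == VBAWARNINGS_ENABLE_ALL)
        if from_office and not enables_all:
            return None
        return why, event
    return None


def scan(events):
    return [hit for hit in map(evaluate, events) if hit]


# Constructed events; the SID and user paths are made up.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
HIVE = r"HKU\S-1-5-21-1000-2000-3000-1001"
SAMPLE_EVENTS = [
    {"event_id": FILE_CREATE, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\update.dotm"},
    {"event_id": FILE_CREATE, "image": WINWORD,    # Word saving its own template: benign
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"event_id": REG_VALUE_SET, "image": WINWORD,  # macros set to "enable all" from inside Word
     "target": HIVE + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"event_id": REG_VALUE_SET, "image": r"C:\Windows\System32\reg.exe",
     "target": HIVE + r"\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "details": "DWORD (0x00000001)"},
    {"event_id": 1, "image": WINWORD, "target": ""},   # process-create event: not in scope
    {"event_id": FILE_CREATE, "image": WINWORD,
     "target": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for why, ev in scan(SAMPLE_EVENTS):
        print(f"{why}: {process_name(ev['image'])} -> {ev['target']}")
```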
OWASP Top 10
We've mentioned that the Open Web Application Security Project, or OWASP, Top 10 is the listing of the 10 most common web application vulnerabilities. And this gets published every few years as the threat landscape changes. So it's designed to help secure web applications from common attacks.
And these 10 most common or serious web application security flaws are usually determined by extensive research and interviews over a previous time frame. Sometimes the OWASP Top 10 remains the same for a number of years running, but there are always some changes.
[Video description begins] The screen heading reads Open Web Application Security Project (OWASP) Top 10 2021. [Video description ends]
So let’s go through each of the 10 items, starting with item A01: Broken Access Control. Think of things like permissions that are not assigned properly for a web application, whether it’s for the web application HTTP service itself, perhaps having too many file system permissions, or for the user accounts that are used in conjunction with authentication to the web app.
So, a violation of the principle of least privilege, which really simply means we want to assign the permissions that are required and no more. Another possible way that this might manifest itself is through a cross-site request forgery, or CSRF.
A CSRF results from a user's station or web browser session being abused while that user has an authenticated session to a trusted web app. So the malicious actor can then initiate unwanted actions that appear to be coming from an authenticated user when really they are not.
Software developers will often use secret anti-CSRF tokens on the client side that help assure that the request is valid. Another thing to do is to set a session timeout value to a shorter time frame to force re-authentication. These of course won’t always solve all CSRF issues, but they help mitigate the problem.
Item A02 on the OWASP Top 10: Cryptographic Failures. An example might be a private key that gets compromised, when you talk about asymmetric encryption with a related public and private key. The public key is called that because it can be shared with anyone and there's no security risk. The private key is not the same. It needs to be secured; only the owner of the key should have access to it.
So if a user's smartphone, for example, is compromised and that private key is stored on that device in a file and it's not even password protected, that is an issue. Another example of a cryptographic failure is not encrypting data at rest when that data should be protected. Perhaps it's personally identifiable information.
There are many ways encryption can be applied: using the Windows Encrypting File System, or EFS, for example, which is tied to the logged-in user, or using BitLocker in the Windows operating system, which is not tied to a user but rather to the machine, for full disk encryption.
EFS can encrypt individual files and folders that the user chooses. In Linux, there are many options, including dm-crypt. And then there are always third-party encryption solutions, and sometimes the benefit of using them is additional features, including the ability to centrally configure data-at-rest
encryption settings that can be deployed to a multitude of devices from that central config. Another example of a cryptographic failure: what about encrypting data in transit as it's sent over the network? So use of HTTP, for example, instead of HTTPS. Or using cleartext transmissions for older protocols like Telnet or FTP.
Or connecting over the Internet to a remote private network without using IPsec or a VPN. Remember that IPsec can be used separately from a VPN for end-to-end network traffic encryption, but it is often used with a VPN as well.
A03: Injection. This means that the attacker is somehow feeding malicious input to a web app that for some reason accepts it. Usually that's because the web app isn't properly validating what the user is submitting, whether it's through a URL and its parameters or through a web-based form, or the developers are not properly sanitizing user input.
That means looking for special characters which would not be normal in, for example, a date of birth field. So common injection attack types would include XML injection, serialized object injection and database query injection. This is a pretty common one: SQL injection attacks are executed when an attacker feeds a query string to a database that doesn't properly check that query string, and so it ends up returning many more records than the developers intended.
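As an added example (not from the course), here is the flaw beside its fix in Python with the bundled sqlite3 module: a lookup that splices user input into SQL text, the parameterized version, and the allow-list input check the course recommends. The table and rows are constructed.

```python
"""Injection (A03): a string-built query beside its parameterized fix (added
example, not from the course). Uses Python's bundled sqlite3 with a
constructed in-memory table so it runs anywhere."""
import re
import sqlite3


def make_db():
    """Constructed sample data: three customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers (email, ssn) VALUES (?, ?)", [
        ("alice@example.com", "REDACTED-1"),
        ("bob@example.com", "REDACTED-2"),
        ("carol@example.com", "REDACTED-3"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """The flaw the course describes: the user's value becomes part of the SQL
    text, so the database cannot tell data from query syntax and a crafted
    value changes the WHERE clause instead of being compared by it."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the value is bound separately and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)).fetchall()


def looks_like_email(value):
    """Defense in depth: the allow-list validation the course calls for,
    applied before the query. A complement to parameterization, not a
    substitute for it."""
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value) is not None


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"       # the classic tautology: makes the WHERE clause always true
    print("vulnerable:", lookup_vulnerable(conn, crafted))      # all three rows
    print("parameterized:", lookup_safe(conn, crafted))          # no rows
    print("passes input validation:", looks_like_email(crafted))  # False
```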
A04: Insecure Design. Now, the secure design of an IT solution through every phase of the software development lifecycle, or SDLC, is difficult. It's more difficult than not doing it, and it takes more time, which means it's more expensive.
However, compare that cost with having a serious security flaw, especially in a widely used website or app; that can be very costly to address after the fact. It could also result in fines, depending on regulations that might not have been complied with.
Examples of insecure design would be things like error messages that disclose too much sensitive information from the server, like the specific web server stack being used and its version number. Or credentials that are stored in plaintext, such as in scripts or in code. All of these things are considered to be insecure design.
A05: Security Misconfiguration. This is a big one. Sticking with defaults like usernames and passwords, especially when it comes to network appliances or IoT devices. That's a problem. Same with default config settings, like the web server root directory, or having a web server stack that just uses HTTP, so it’s not using Transport Layer Security, or TLS.
An open Wi-Fi network where that shouldn’t be used. Or having user accounts that aren’t used but remain enabled. Again, all you’re doing there is increasing the attack surface unnecessarily. Or having services left running on a device or a host operating system where those services aren’t even required, like an FTP service or an SMTP service.
Item A06 in the OWASP Top 10 is Vulnerable and Outdated Components. Software developers will often use pre-existing components instead of recreating everything from scratch for a given solution. However, not having proper detailed knowledge of a component's functionality can lead to security flaws when using that component, as can using components that are not updated.
It's one thing to update the operating system and the web server stack, but what about all the individual smaller programming components used by the web app? Item A07: Identification and Authentication Failures. We know that authentication means proving one’s identity. And we know that authorization occurs after authentication, when permissions to access a given resource get exercised.
So one way to secure this type of situation is to use multifactor authentication, and again, with authorization, make sure you adhere to the principle of least privilege.
A08: Software and Data Integrity Failures. An example of this might be a developer who writes code that calls code elsewhere, so remote code, but there's no verification of where that code or request came from. One way that verification might be done is through digital signatures for network transmissions, which are created with the sender’s private key and verified on the other end with the related public key. And we know that application containers, like Docker containers, for example, are widely used.
We want to make sure that software developers or technicians do not just download container images from anywhere, from unverified sources, because they might contain malicious code that would then execute when that container is launched, for example on a Docker host. Then there's the concept of data that has not necessarily been vetted as trustworthy getting deserialized. Serializing and deserializing can occur over the network when it comes to object-oriented programming.
Item A09: Security Logging and Monitoring Failures. This is really a key point of the CySA+ certification: not only having as much knowledge as we can related to IT and networking, malware and threats, but having a solution in place that can monitor the logs of a multitude of devices in one place, for networks, devices, apps, intrusion detection sensors and whatnot.
Centralized log analysis and the prioritization of potential threats. Now, in order for that to be valuable, we also have to trust the integrity of the logged and monitored data, which means, of course, hardening all of the hosts involved with generating logs, and then analyzing those logs and generating alerts for potential indicators of compromise.
And item A10 is Server-Side Request Forgery, called SSRF. The way this works is that an attacker supplies a malicious URL to a vulnerable app. Now, normally attackers will perform network scans and then vulnerability scans and attempt to see if there are any weaknesses in any servers or web apps.
Once that's been identified, the attacker can focus and do things like supply maliciously crafted URLs to a web server. The server would then fetch the data from the user-supplied URL without proper validation.
What this means is that the attacker might indirectly be able to gain access to private internal network resources by going through the vulnerable web server, which accepted the malicious URL on the attacker's behalf. Software developers must make sure their code validates and sanitizes any user-supplied data.
Basically, user-supplied data must always be treated as hostile. In addition, technicians should ensure that a web application firewall (WAF) is always in place to protect web applications from common threats. And as always, monitoring individual hosts and networks for unusual port scans can reveal attackers looking for vulnerable servers for this type of attack.
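As an added example (not from the course), here is a Python pre-fetch check of the kind the SSRF item calls for: it allows only http/https, an allow-listed host suffix and no embedded credentials, and it requires every address the host resolves to be public, so the server cannot be pointed at loopback, private or link-local ranges. The allow-list, the fake name table and the injectable resolver are assumptions; the default resolver is the real socket.getaddrinfo.

```python
"""Server-side request forgery (A10) guard (added example, not from the course).
Validates a user-supplied URL before the server fetches it. The resolver is
injectable so the sample runs offline with a constructed name table."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOST_SUFFIXES = (".example.com",)   # constructed allow-list of fetch targets


def system_resolve(host):
    """Default resolver: all addresses the OS returns for the name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolve=system_resolve):
    """Return (ok, reason). Every rejection happens before any request is sent."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        return False, f"host not on allow-list: {host!r}"
    try:
        addrs = resolve(host)
    except OSError as exc:   # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        try:
            if not is_public_address(addr):
                return False, f"{host} resolves to non-public address {addr}"
        except ValueError:
            return False, f"unparsable address {addr!r}"
    return True, "ok"


# Constructed name table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "reports.example.com": ["8.8.8.8"],                       # public
    "intranet.example.com": ["10.0.0.5"],                     # private: an allow-listed
                                                              # name can still point inside
    "dual.example.com": ["8.8.4.4", "::ffff:192.168.1.1"],    # one public, one mapped private
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://reports.example.com/q?id=1", "https://intranet.example.com/",
              "https://dual.example.com/", "http://10.0.0.5/", "file:///etc/passwd",
              "https://user:pw@reports.example.com/"):
        print(u, "->", validate_fetch_url(u, fake_resolve))
```

Resolve once and connect to the address that passed the check (and re-run the check on every redirect); validating a name and then letting the HTTP client resolve it again leaves a window in which a changed DNS answer bypasses the test.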
Advanced Persistent Threat
An advanced persistent threat, or APT, consists of a compromised network, either an entire network or multiple networks. But it could also, of course, involve just a single host. Usually APT attacks begin with a single host.
The problem with this, and what makes it very serious, is that once the attacker is in, they could be in for a very long time, months or even years, without detection, which gives the attacker persistent access. In order to execute an APT, the threat actor needs to be highly skilled (very advanced skills) and focused.
And that's why it's often theorized that a lot of APTs stem from nation-state cyber espionage and cyber warfare. So just imagine a nation-state, or maybe organized crime, breaking into a specific computer network, maybe for a government agency, and lurking in there for years without detection.
So the normal strategy, from the attacker's perspective, is that in step 1 the network or the individual host gets compromised. Now, how does that happen? That could mean a lot of things. It could mean acquiring user credentials through deception or social engineering. It could mean exploiting unpatched systems.
It could mean tricking people with a phishing email into clicking a link or opening a file attachment. In step 2, once a host is compromised, the malicious actor will normally use lateral movement to scan the network looking for other high-value targets in an attempt to compromise them, perhaps by installing malware. Imagine a malicious actor doing this for a period of time undetected, to the point where they can infect numerous machines within an internal network with ransomware.
So in step 3, of course, the attacker might choose instead to exfiltrate valuable data, or deface or take over a website. There really are no limits to this type of activity. Other advanced persistent threat tactics would include attackers gaining elevated privileges or creating backdoors, like creating additional high-privileged user accounts that look benign but are really under the control of the attacker. This would allow attackers a continual way to get back into the system, even if the account that they originally compromised is removed or disabled.
So we know then that threat actors will always be performing network and host scans in order to determine who the most vulnerable targets are. But the nature of an APT is such that a compromised system might not get detected, because there’s nothing abnormal happening on it for an extended period of time. Maybe it’s under attacker control until a certain point in time, when a certain event occurs or when something valuable enough is available on that machine. So that makes it pretty hard to detect, since it’s not constant, predictable activity.
Malicious actors will often take advantage of zero-day exploits. These are exploits for vulnerabilities that are not yet known to the vendor, whether it be hardware or software. But attackers, a limited subset of them, have a way to exploit that vulnerability. So there's no patch available for it yet, because the vendor doesn't even know about it, as we've mentioned.
If not that, then maybe tricking a user into somehow infecting their computer with some form of malware. So what are the effects of this? What can happen if advanced persistent threats successfully compromise hosts on a network? Well, we know it could mean loss of intellectual property or personally identifiable information. It could mean loss of revenue. And indirectly, let's not forget about the costs associated with mitigating and dealing with APT incidents. Not to mention the inconveniences in the form of service disruptions, let's say for a web app, and even potentially legal actions or lawsuits and regulatory penalties.
So what can we, as cybersecurity analysts, do to mitigate APTs? Number one, and this is probably always the most important item: user awareness and training, so that users are aware of common social engineering techniques, like an email message that tries to trick the user into quickly clicking a link because their account is about to be locked out at some kind of online provider or website. Of course, there’s always endpoint malware scanning, firewalls on every single device in addition to at the network perimeter, applying patches to firmware and software, and intrusion detection systems to detect anomalous activity.
Now, speaking of that, usually an intrusion detection system will forward off its information to a centralized security analysis system so that you have continuous network and host monitoring. So you'd be able to determine, given that you have a baseline of normal activity, for instance, if there's excessive data transfers which might be causing network spikes for outbound traffic.
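The outbound-traffic baseline check just described, as an added example that is not part of the original course material: it takes per-host daily outbound volumes (constructed sample values, not real telemetry) of the kind a SIEM or flow collector would summarise, builds a mean and standard deviation per host from a 14-day window, and flags hosts whose current volume is both several standard deviations above their own baseline and materially larger than their usual volume. The host names and numbers are assumptions chosen for illustration.

```python
import statistics

# Constructed sample data (not from the course): daily outbound megabytes per host
# over a 14-day baseline window, as a SIEM or flow collector might summarise them.
BASELINE_MB = {
    "ws-01": [210, 230, 195, 250, 220, 205, 240, 215, 225, 235, 200, 245, 230, 210],
    "ws-02": [180, 175, 190, 170, 185, 195, 180, 178, 182, 188, 176, 184, 190, 172],
    "srv-backup": [5000, 5200, 5100, 5300, 4900, 5150, 5250,
                   5050, 5100, 5200, 5000, 5300, 5150, 5100],
}

# Constructed observations for the day under review. "ws-99" has no history.
TODAY_MB = {"ws-01": 1900, "ws-02": 240, "srv-backup": 5300, "ws-99": 50}


def build_baseline(history, min_days=7):
    """Return {host: (mean, stdev)} for every host with at least min_days of data."""
    baseline = {}
    for host, values in history.items():
        if len(values) < min_days:
            continue  # too little history to call anything "normal"
        baseline[host] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def flag_outliers(today, baseline, sigmas=3.0, min_ratio=2.0):
    """Flag hosts whose outbound volume is unusual for *that host*.

    A host is flagged only if today's volume is more than `sigmas` standard
    deviations above its own mean AND at least `min_ratio` times its mean; the
    second test stops very stable hosts from alerting on small absolute changes.
    Hosts without a baseline are returned separately so they are not ignored.
    """
    alerts, no_baseline = [], []
    for host, mb in today.items():
        if host not in baseline:
            no_baseline.append(host)
            continue
        mean, stdev = baseline[host]
        threshold = mean + sigmas * stdev
        if mb > threshold and mb >= min_ratio * mean:
            alerts.append({
                "host": host,
                "today_mb": mb,
                "baseline_mean_mb": round(mean, 1),
                "threshold_mb": round(threshold, 1),
            })
    return alerts, no_baseline


if __name__ == "__main__":
    found, unknown = flag_outliers(TODAY_MB, build_baseline(BASELINE_MB))
    for a in found:
        print("ALERT {host}: {today_mb} MB today vs mean {baseline_mean_mb} MB "
              "(threshold {threshold_mb} MB)".format(**a))
    for h in unknown:
        print("NO BASELINE for", h)
```

Two points the numbers illustrate: the backup server moves far more data than any workstation yet is not flagged, because it is judged against its own history; and the ratio guard keeps a very stable workstation from alerting on a modest increase that is statistically far from its mean but operationally uninteresting. Hosts with no baseline are reported rather than silently skipped, since a new host appearing in outbound flow data is itself worth a look.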
When it comes to cloud computing, mitigating threats, including APTs, is possible using a Cloud Access Security Broker, or CASB, solution. Its configured policies control which services organizational users are allowed to access and what permissions they can exercise.
There's also a Secure Access Service Edge, or SASE, solution. This is essentially one or more cloud-based security services, such as the ability to link different offices around the world through the cloud using secured connections rather than directly over the Internet, almost like a collection of site-to-site VPNs.
ISO/IEC Standards
ISO and IEC standards have been around for a very long time. Specifically, ISO was founded back in the 1940s and IEC was founded in 1906. But what are these standards? ISO is the International Organization for Standardization, which publishes international manufacturing and technology standards. The International Electrotechnical Commission, or IEC, also establishes standards, but these are focused on electrical and electronic testing and conformity, to make sure that there are worldwide standards in place.
Besides standardization, both of these bodies also address efficiency and safety. But what does this have to do with the cybersecurity analyst? Well, it's very important, especially when we talk about the ISO/IEC 27001 standard.
This is a standard designed for the protection of information; it focuses on information security. Many organizations strive to achieve this ISO certification because it clearly demonstrates that the organization's security posture is of the highest standard, ensuring safe and secure business operations. ISO certification can sometimes be required for business partnerships or to be awarded contracts, and being ISO certified definitely won't hurt client relationships or shareholder confidence.
The latest iteration of this is from the year 2022. So we still have the same kind of ISO 27001 standard, which applies to an information security management system, or ISMS, that's designed to prevent corruption, misuse, or loss of sensitive information. And we know that data privacy is a big deal these days, so this covers the loss of sensitive information through malware infections, data exfiltration or theft, vandalism, or unauthorized use.
Part of the ISO standard here focuses on how to deal with business continuity and risk management to minimize the impact of realized threats. And new in 2022 is how the ISO/IEC 27001 standard addresses cloud security controls; we'll talk about that a little more shortly. Now, when organizations strive to achieve this certification, what they first need to do is perform a gap analysis.
A gap analysis identifies the current security posture of the organization relative to the requirements set forth by this standard. So where are we now? Where do we want to be? In simplified terms, that's a gap analysis.
The 27001 standard has an Annex A, which is a list of security controls. We know that security controls are put in place to satisfy security objectives for things like asset use, where an asset doesn't have to be something tangible like equipment, such as laptops or manufacturing equipment, but could also be data.
It also covers cloud service use and remote work, which has become a very big thing, of course, due to the pandemic. Another form of security control is a non-disclosure agreement, such as might be signed by IT security auditors, because they would probably have access to sensitive information.
And then, of course, a very big one: security monitoring. A lot of the CySA+ exam is focused on interpreting the results of security logs or indicators of compromise. So this is a big thing, not just for the exam, but certainly for any cybersecurity expert to know. The details will vary depending on what's being monitored and on which tools are being used.
The next security control in Annex A is facilities security, or physical security. And there are many other ones as well, focused on things like strong authentication, encryption of data at rest as well as data in transit, data leak or data loss prevention, software developers adhering to secure coding best practices, and masking data such as on a screen.
Or when working with documentation: for example, when we've used a credit card to pay for something, the receipt usually masks out all but the last four digits of the credit card number. Centralized configuration management is another security control, as is the use of threat intelligence sources, which usually integrate with a lot of security monitoring tools, and using appropriate methods of deleting data once it has reached end of life.
So based on all of these, and this is not a complete list, we get a sense of why organizations go through the process of achieving their ISO certification.
Downloading and Analyzing CIS Documentation
As cybersecurity analysts, we must not only be aware of the wealth of security and best practice information that's out there, which is updated all of the time, but we also must use it.
So in this case, we're going to take a look at the Center for Internet Security, otherwise called CIS.
[Video description begins] The home page of CIS Center for Internet security website is open on a web browser. [Video description ends]
Here in my browser, I've navigated to cisecurity.org (note that there's only one s in there). From here we can scroll down and download a number of different valuable resources from this site, including CIS Controls, which also get mapped to a lot of compliance standards, such as ISO certification.
We also have CIS Benchmarks which, as it states here, are a series of configuration guidelines for popular products. This is the one we're primarily interested in, CIS Benchmarks. Let's take a look at this.
So I’m going to click the Download Latest link down below. And on the next page I’m going to go ahead and click Download Benchmarks. [Video description begins] The host clicks on the Download Latest button below CIS Benchmarks on the Home Page to open a new tab, and clicks on the Download Benchmarks button on the screen left. [Video description ends]
Here, we're being asked to specify a few details like our name, organization, the sector we work in, our role, and so on. [Video description begins] The host is on the download tab. The screen right has a section with columns requesting for the information mentioned by the host and a button to Get Free Benchmarks Now at the very bottom. [Video description ends] I'm going to go ahead and do this because I'm interested in getting this Benchmark documentation. Okay.
So when I open the link that was sent to me via email for downloading the Benchmarks, this is where it takes me. Now, we've got numerous Benchmarks here, such as, for example, for Linux, for Windows Desktop, whether we're talking about Windows 10, Windows 11, and these specific editions, Debian Linux, Ubuntu Linux, Amazon Linux, even Apple’s Mac OS, IBM AIX Linux. All the way down to things like Microsoft Windows Server, the Microsoft IIS Web Server.
And then databases like Microsoft SQL Server, the NGINX HTTP Web Server platform. And then for cloud computing, Benchmarks for working with Amazon Web Services, Google Cloud Computing Platform, Microsoft Azure. I think we get the picture. This is valuable stuff and of course it's being updated all of the time. [Video description begins] The page has the benchmark documentations for different versions of these environments listed on the left, and a Download PDF button on the right for each listing. [Video description ends]
So let's go back up, let's say to Microsoft IIS. IIS stands for Internet Information Services. That's the Microsoft web server that's included with the OS; it isn't installed by default, but it's included and can be installed. At any rate, I'm going to choose IIS 10 Benchmark v1.2.0 and click Download PDF.
Now this stuff is an absolute gold mine. So here it's opened the PDF directly in my web browser. As I go through the table of contents, notice some of the things it's focusing on. We can't possibly go through it all here right now, but there are things like ASP.NET Configuration Recommendations, if you're going to be running server-side code.
Things like setting the cookie HttpOnly attribute. HttpOnly means that HTTP requests are the only way a cookie on the client-side device can be accessed. In other words, it protects cookies, which can contain sensitive session information for authenticated websites, from being read by client-side scripts, including malicious ones; the cookie is only transmitted as part of HTTP requests. So that's what the HttpOnly attribute is about. But that's only one of many things to consider.
Then there are Logging Recommendations. We all know that logging is absolutely crucial for proper threat hunting and, ultimately, detection. And then of course there's ensuring that all versions of SSL are disabled, since they are prone to well-known vulnerabilities, and there are freely available tools that can exploit those. So we never use SSL; there is never a good reason to use SSL anymore.
Now be careful. We don't want to fall into the trap of thinking, well, when I configure my web server, it says SSL certificate. Really it should say PKI certificate. TLS and SSL are just network security protocol suites that can be used to secure network connections, and they do require a PKI certificate.
But don't use SSL; only use TLS, and ideally only the newer versions. Here, it talks about ensuring that TLS 1.2 is enabled and disabling previous versions because, as you guessed, they have known vulnerabilities. So, I'll search for HttpOnly, since we talked about that one. [Video description begins] The host switches to the part of the Benchmark document that is dedicated to the HttpOnly cookie attributes. [Video description ends]
Here, it gives us the details about the purpose of HttpOnly cookies and then how to actually configure them.
Because remember, we're looking at the Benchmark documentation for the Microsoft IIS Web Server. At any rate, this just gives us a sense of how incredibly valuable this type of documentation is.
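As an added example (not code from the CIS benchmark or from the course), here are two checks a practitioner could script around the two items just discussed: an audit of Set-Cookie response headers for the HttpOnly, Secure and SameSite attributes, and a server-side TLS context that refuses every protocol version below TLS 1.2. The response headers and cookie names are constructed for illustration, and the TLS part uses only the Python standard library's ssl module.

```python
import ssl

# Constructed HTTP response headers (not from the course or the benchmark), as a
# web application might return them right after a successful login.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "auth=tok; Path=/; Secure"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to
    True, valued attributes such as Path map to their string value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing hardening attributes]} for each Set-Cookie."""
    findings = {}
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = []
        if attrs.get("httponly") is not True:
            missing.append("HttpOnly")   # readable by client-side script
        if attrs.get("secure") is not True:
            missing.append("Secure")     # would be sent over plain HTTP
        if "samesite" not in attrs:
            missing.append("SameSite")   # no cross-site request restriction
        findings[name] = missing
    return findings


def hardened_server_context():
    """Server-side TLS context that refuses SSL 2/3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def rejected_versions(ctx):
    """Names of the protocol versions a context will refuse to negotiate."""
    known = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
             ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in known if v < ctx.minimum_version]


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not missing else "missing " + ", ".join(missing))
    print("refused protocol versions:", rejected_versions(hardened_server_context()))
```

The cookie audit is the kind of check that can run against a staging deployment after every configuration change, so a regression that drops HttpOnly from the session cookie is caught before release. Note that the context still has to be loaded with a certificate and key (the PKI certificate the video mentions) before it can serve connections; the example only shows the protocol-version policy.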
A portion of a cybersecurity analyst's time must be spent keeping up to date with changes in the security landscape. Time must be set aside for this, because applying the security measures we become aware of can only serve to harden IT services within the organization.
Using the Common Vulnerability Scoring System
We've made references to the Common Vulnerability Scoring System, otherwise called CVSS. But let's dig into that in a little more detail. Here in my web browser, I've navigated to the National Vulnerability Database run by NIST. This is a US government website. [Video description begins] The website has a navigator on the left and two large hyperlinked icons on the right. The icon on the extreme right links to Common Vulnerability Scoring System. [Video description ends]
The first thing we'll do here is click on the Common Vulnerability Scoring System link down below. Then I'll click OK. [Video description begins] A dialog box leading to another website with the Common Vulnerability Scoring System opens up, with OK and Cancel buttons on the bottom. [Video description ends]
I'm redirected to the CVSS site. [Video description begins] The browser is redirected to a new website sporting the Common Vulnerabilities Scoring System SIG. It has a navigator on the left with options such as Calculator, Specification Document, User Guide, Examples and more. The right pane displays details about the scoring system. [Video description ends] So what we're talking about here is having a numerical score that represents the seriousness or severity of a given IT vulnerability. If I click Examples in the left-hand navigator and scroll down to the User Guide, I can click that link to open a specific version of the User Guide.
There's also an important point here: CVSS scores are designed to convey how severe a vulnerability is, not the risk of it occurring in an IT environment. Part of how CVSS scores are determined is by looking at the CIA security triad: confidentiality, integrity, and availability.
So there's the confidentiality requirement, or CR. Remember that confidentiality is about sensitive data being discovered, classified as such, and protected, such as with encryption of data at rest.
Then the integrity requirement, or IR. Remember, integrity is all about making sure that the data we have hasn't been tampered with and is accurate. So systems where the data is stored directly would have a high rating for the integrity requirement, whereas network infrastructure equipment like routers or network switches would be rated medium: while they might be involved in data transfer, they don't actually store it.
Then we've got the availability requirement, or AR. This relates to things like service level objectives (SLOs) and service level agreements (SLAs), to make sure we know what the uptime requirements are for a given system. So it involves having redundancy and having the ability, based on the recovery time objective (RTO), to recover a failed system as quickly as possible.
If we click Calculator on the left, this is where, given that we input the appropriate values for a given security issue, it can generate a CVSS score. There's a lot that goes into it; we're just pointing out that this can be done. [Video description begins] The host scrolls down on the Calculator tab until a banner called Base Score becomes completely visible. It lists various vectors that the host mentions further, with options to choose from below each vector. [Video description ends]
So we specify details about the Attack Vector: is it Network, Adjacent, Local, or Physical? Is it a Low or High Complexity attack? Are Privileges Required in the first place to execute this attack? Is it related to data confidentiality, data integrity, or data or system availability?
Then there are things like the Remediation Level, which is used to determine what's called the Temporal Score, another component of the overall score.
[Video description begins] The host scrolls further down to reveal a banner called Temporal Score and points to it. It lists parameters such as Exploit Code Maturity, Remediation Level, and Report Confidence with options to choose from under each. [Video description ends] So is there a Temporary Fix for it, for example?
And then here we have what we've just talked about, things like the Confidentiality Requirement and the Integrity and Availability Requirements. [Video description begins] He scrolls further down to reveal the banner called Environmental Score. [Video description ends]
However, most cybersecurity professionals won't be creating these calculations unless they are security researchers or directly involved in this type of work. Instead, we refer to CVSS scores, usually indirectly, because a threat monitoring tool has detected something and notified us, perhaps with a link to the vulnerability and a CVSS score, so that we can focus on the most severe potential security problems.
We've been saying that a lot of these security tools use CVSS. As an example, the LanGuard Network Security Scanner tool determines its severity levels, according to the LanGuard documentation, from the Common Vulnerability Scoring System (CVSS) as calculated by the National Vulnerability Database of the United States. [Video description begins] The host navigates to new tabs on the web browser that display details about GFI LanGuard on the GFI LanGuard website. [Video description ends]
If we continue through the documentation for that network security scanning tool, scanning a network will result in any detected vulnerabilities being shown as high, medium, low, or potential. How are those calculated? They are based cumulatively on the CVSS scores of all the discovered vulnerabilities, where a high vulnerability has a score in the range of 8 through 10.
Of course, 10 is the highest per the CVSS security ratings, while a score greater than or equal to 1 and less than or equal to 4 means it's a low vulnerability. A lot of these security monitoring and threat hunting tools present dashboards so you can get an overall picture at a quick glance of something like the result of a security scan. But always remember that tools like this must be configured for periodic updates. As new vulnerabilities become publicly known, we want to make sure our scanning tools know about them so they can check that those vulnerabilities are not present on our network.
CVSS, then, is important because it gives cybersecurity analysts a way to easily prioritize the most severe vulnerabilities, and thus focus time, energy, and resources on protecting against them.
Organizational Security Policies
Now that we've discussed a number of security frameworks and data privacy standards, we can focus on IT security policies, because these are often influenced by those things. IT security policies apply to an organization and its use of technology, which of course supports business processes.
We know that the way an organization crafts its policies is partially influenced by laws, regulations, or contractual obligations, perhaps in order to be awarded a certain type of contract with a government agency. It's not only important that these be created correctly, but also that they be consistently enforced across the enterprise. We'll talk about how that can happen.
And of course, it's important that they get periodically reviewed. We know how quickly IT solutions change, and as a result, so do the threats to those solutions. In order for IT security policies to be created correctly so that they're effectively enforced, we need management or executive buy-in.
The best way to view IT security these days is that it's become a part of doing business; it's just one of the costs of doing business. It cannot be treated as an inconvenience or something that only applies sometimes.
So, security policies: what components make them up? One is revision history. We need a way to track when revisions were made and what was revised, and this is usually at the top of an official security policy document.
There needs to be an overview of what that specific policy document covers, because within an organization you will have many official security policies. There may be one for how USB thumb drives are used, a social media policy, a web browsing policy, or an email usage policy. So we have the purpose of the security policy, such as preventing data exfiltration through the use of social media on work devices or even outside of work devices. There also needs to be a scope.