Enterprise Security Fundamentals

 Course Syllabus
Module 1 Module 2
Understanding the cybersecurity Red Team: Penetration, lateral
landscape movement, escalation, and exfiltration

 The current cybersecurity landscape  Red Team versus Blue Team

 The evolution of attacks  Red Team kill chain
 Understanding “Assume Compromise”  Beachhead
 Examples of compromises  Lateral movement
 Evolution of Attacks  Privileged escalation
 Execution of attacker’s mission
 Demonstration of Pass the hash
attack
 Demonstration of Golden Ticket
Attack
Module 3 Module 4
Blue Team: Detection, investigation, Beyond the breach
response, and mitigation Developing a Baseline Security
Posture
 Gathering baseline data
 Detecting Intrusion  Information Classification
 Alerting  Change Tracking
 Investigation  Monitoring
 Planning a Response  Reporting
 The Blue Team kill chain  Organizational preparations
 Restricting privilege escalation  Processes
 Demonstration of Device Guard  CIA Triad
 Demonstration of Credential Guard  Developing a strategic roadmap
 OMS/Azure Security Center  Microsoft Security Response Center
 On-premises network security Exploitability Index
 Restrict lateral movement
 Demonstrations of LAPS
 Attack detection
 Outcome / Goals
After completing this course, you Red team kill chain, including:
will be able to:
 Reconnaissance
 Describe the current cybersecurity  Beachhead
landscape  Persistence
 Explain the Assume Compromise  Lateral movement
approach to security  Elevation
 Red team versus Blue team  Exfiltration
exercises Blue team kill chain, including
 Organizational preparation, security
processes, and responses  Gathering baseline data
 Detection
 Alerting
 Investigation
 Response
 Execution

 Audience
In addition to their professional experience, students who take this training should
already have the following technical knowledge:

1. Basic experience with Windows Server administration, maintenance, and

troubleshooting.
2. Basic experience and understanding of Windows networking technologies, to
include Windows Firewall network setting, and cloud services concepts.
3. Introductory level knowledge of Active Directory, including functions of a domain
control, sign on services, and an understanding of group policy.

 Course Pre-requisites
Learners who take this training can meet the prerequisites by obtaining equivalent
knowledge and skills through practical experience as a Security Administrator,
System Administrator, or a Network Administrator.

 Course Content
This course is designed to get you started as quickly as possible. There are a variety
of self-paced learning activities.

 Scored Questions are located at the end of each module to check your general
understanding of the key concepts.
 Videos and Demonstrations are located throughout the course to explain the
concepts and provide system walk-throughs.
 Final Exam: The Final Exam questions are scored and check your understanding
of the key concepts in the course. The Final Exam plus the scored questions at
the end of each module will count for 100% of your course grade.

 Grading
To obtain a Verified Certificate for this course you need an overall total grade of at
least 70%.
Module 1 : Understanding the cybersecurity landscape
a. Current Cybersecurity Landscape

Overview
The current cybersecurity landscape is complex. Attackers develop new and
ingenious methods of compromising systems on a daily basis. Intrusion tools,
originally developed by the intelligence agencies of nation states, have been leaked,
reverse engineered, and then made available to anyone clever enough to know
where to look for them. New credential breaches are published on breach notification
services, such as haveIbeenpwned.com, every few days. Exploit frameworks are
updated to leverage newly discovered vulnerabilities.

Every month a new set of vulnerabilities is patched by vendors. Security

researchers continue to find vulnerabilities in applications, products, and operating
systems. Often vendors are able to release updates before knowledge of those
vulnerabilities makes it to the public. While vendors are usually diligent in releasing
updates to address vulnerabilities, information security personnel don’t always get
around to installing those updates in a timely manner.

In the current cybersecurity landscape, attackers are finding it simpler to

monetize their activities, either by deploying ransomware that encrypts a target’s
data and system and demanding payment for a solution, or by deploying coin mining
software that generates cryptocurrency using the resources of the target
organization’s infrastructure. Making a profit by compromising a target’s
infrastructure is becoming easier. This is likely to lead to a more, rather than less,
aggressive cybersecurity landscape.

The current cybersecurity landscape is vast and likely impossible for any one
individual to comprehend in its entirety. There are, however, several aspects of that
landscape to which those interested in the fundamentals of enterprise security
should pay attention. These include, but are not limited to:

 Technology lag  Monetization of malware

 Application development security  Automation of Detection
 Skill gap  Internet of Things
 Asymmetry of attack and defense  Transition to the cloud
 Increasing availability and  Increasing regulation
sophistication of attack tools
 Ransomware, In March 2018 a survey of 1200 IT security practitioners and
decision makers across 17 countries was performed by the CyberEdge group and
basically the subject of the survey was recovery from ransomware. And the
interesting thing about this survey and the same group performed a survey
previously is that they looked at how many of these 1200 IT security practitioners
and decision-makers and that was across 1200 organizations suffered ransomware
infections.

So here is the first thing o know about ransomware, of those 1200 people
surveyed across 1200 organizations 55% of them suffered some form of
ransomware infection in 2017. So more than half of organizations surveyed had a
ransomware infection in 2017, in 2016 it was 61% So of the surveyed organizations,
yes there had been a slight drop-off in the number that it suffered ransomware
infections and I kind of talk about one of the reasons I think that might be the case
back in the coin mining attack video. But I also think that organizations are becoming
a lot better, at responding to ransomware, so that might be one reason why we're
seeing less successful attacks.

But if we think it's 55% of 1200 that's 660 organizations of 1200 suffered
ransomware infections. Now here's some interesting stats that these researchers
found, of the organizations that were impacted so of that 660 organizations, 63% of
them chose not to pay the ransom. They chose not to interact with the people that
had gone and infected them with ransomware of that 63% ,53% managed to actually
recover files using their own tools. That might be basically restoring from backup
which is probably most common way to do it. But if you go out and look on the
internet, you will be able to find publicly available ransomware decrypter application.

So for the most common strains of ransomware there are applications that go
and decrypt the encrypted files. Now 10% reported that they lost files permanently,
what we can see by the number of people the chose not to pay is is it actually having
a good strategy to deal with ransomware that is having an effective backup strategy
is a very big predictor of whether or not an organization is actually going to pay or
even needs to pay. So one of the things we know about ransomware is that
organizations know what ransomware is know that it's a threat and have actually
taken preventative measures to deal with it.

Obviously not all effectively but even with a fairly good backup and recovery
strategy sometimes there's some files that you know you lose but the other really
interesting thing about this survey was that it turned out that of the 37% who actually
chose to pay the ransom.

Less than half were able to recover their files using the tools provided by the
attackers. So what this tells us is that paying the ransom certainly does not
guarantee victims get access to their files, you have almost got a 50-50 chance if
you pay that you're actually going to get your files back.

So that's an even better argument as to why you should have an effective

backup and recovery strategy so that you can deal with ransomware should your
organization suffer an infection and as we saw roughly just above half of
respondents in the survey did actually suffer ransomware. So your probability that
you're going to have ransomware in your organization pretty good, but you also likely
to be able to successfully recover from such an infection, if you've got an effective
backup and recovery strategy.

Technology lag
When considering the cybersecurity landscape, it’s important to note that the
versions of products that organizations have deployed exist on a spectrum, with a
small number of organizations running the latest versions, most organizations
running older but still supported versions, and a substantial number of organizations
running information systems that are no longer supported by the vendor.

While the latest operating systems and applications still have vulnerabilities,
organizations can substantially improve their security posture by ensuring that they
are running the most recent versions of operating systems and applications and by
keeping those products current with released updates. It’s also important to note that
many vendors are less diligent about addressing security vulnerabilities that are
discovered in older versions of their products. A vulnerability that may be addressed
in the current edition of a product may not be addressed in previous versions of the
product.

It’s usually the organizations running outdated or unsupported products that

you hear about when a large cybersecurity incident occurs. For example, the 2017
WannaCry ransomware attack disproportionally impacted organizations that had
servers running the Windows Server 2003 operating system where the ports that are
used for SMB storage protocol were exposed to the internet.

The WannaCry incident is reflective of a substantive part of the cybersecurity

landscape in that it demonstrated that not only are a large number of organizations
running outdated or unsupported information systems, but that the security
configuration of the networks that host those systems fell far below best practice.

Application development security

The adoption of secure application development practices is another
important part of the cybersecurity landscape. Many application developers create
applications that are subject to attacks including cross-site scripting (XSS) and SQL
injection, even though these attack vectors have been known about and understood
for many years. As applications move from being locally installed on computers and
devices to running as web applications in the cloud, it is important for organizations
to ensure that secure application development practices are followed.

Skill gap
It’s regularly reported that the field of information security doesn’t have
enough trained personnel to meet industry needs. The recent Global Information and
Security Workforce Study by the Center for Cyber Safety and Education projected a
global shortfall of 1.8 million information security workers by 2022. Organizations
cannot begin to protect themselves from the various threats that exist, if they aren’t
able to hire the personnel to manage and secure their information systems.

As you will be reminded throughout this course, information security is an

ongoing process. It’s not enough to have a consultant come in, deploy, and configure
software and hardware, and then your organization’s information systems are secure
going forward. Instead, the process of securing information systems is ongoing. For
most organizations this means having IT staff that are trained in information security
processes. Until the skill gap is closed, the cybersecurity landscape will be littered
with organizations who are unable to substantively improve their security posture
because they don’t have access to the personnel that would enable them to do so
and existing personnel are overworked due to a shortage of filled headcount.
 Availability and sophistication of attack tools
An adage within the cybersecurity industry is that tools that are only available
to the elite hacking teams of nation state intelligence agencies today will be available
to teenage script kiddies within five years. “Script Kiddie” is a derisive term to
describe an individual who uses sophisticated scripts and applications developed by
experts to attack information systems while having no real understanding of the
underlying functionality of those tools. Put another way, a “script kiddie” is a “point
and click” hacker.

Attack tools are increasingly sophisticated. These automated exploit tools are
relatively straightforward to procure and take little in the way of expertise to use.
Whereas in the past access to basic tools required gaining access to select
communities on hidden bulletin boards or Internet Relay Chat (IRC) channels, today
it doesn’t take an enthusiastic amateur more than a few minutes with the results of
the right search engine queries to get started. Should they need to learn more about
the tools they have acquired, there are hundreds of hours of video tutorials available
on the web to assist them.

While sophisticated attack tools are available often for free, there is a paucity
of similar tools available for defenders. While the process of launching a basic or
even moderately complex attack against an organization’s information systems may
be as simple as a mouse click, the defender’s process of securing the configuration
of those information systems is manual, complex, lengthy, ongoing and requires a
good deal of expertise.

Asymmetry of attack and defense

Within the cybersecurity landscape there is an asymmetry between attacker
and defender. Asymmetric in that the resources required for an organization to be
reasonably assured that they are protected from the vast majority of intrusions vastly
exceed the resources required for a competent attacker to perform a successful
intrusion.

One key understanding of the cybersecurity landscape is that the vast

majority of attackers are unsophisticated and are using automated vulnerability
scanners and exploit tools. Put another way, most attackers by volume are likely
“script kiddies” rather than professional hackers. As the vulnerabilities those
automated tools attempt to exploit are often already addressed by vendor updates, if
an organization is diligent and applies consistent effort to its security posture, it will
be able to protect its information systems against the common attacker.
 Put another way, if you take an ongoing and systematic approach to securing
your organization’s information systems, it’s reasonably unlikely that “script kiddies”
will be able to compromise your system. A diligent well-resourced defender is likely
to be protected against all but the most highly resourced and persistent attacker.

While there is an asymmetry in terms of the effort required to properly secure

information systems, it is possible to reach a stage where your organization’s
systems security posture is such that those systems are impervious to all but the
most skilled and well-resourced attackers. With time and effort, you can protect
yourself against the amateurs, who randomly attack organizations to see if they can
get access. With greater time, effort, resources, and skill you’ll be able to protect
your organization’s information systems against more competent attackers that
deliberately target your organization.

The unfortunate reality is that even when organizations have highly skilled
personnel, those personnel are rarely given the necessary amount of time and
resources to ensure that the organization’s information systems are configured in the
most secure manner possible. The existing problem of asymmetry between attacker
and defender is made worse by organizations not giving their defenders the
resources they need to do their job.

Monetization of Malware

A big change in the recent cybersecurity landscape is coin mining software.

Coin minding software is software that mines cryptocurrency, such as Monero,
Bitcoin, or Ethereum. This is a big change because in the past it was difficult for an
attacker to monetize an intrusion. Coin mining software makes monetizing intrusions
straightforward. An attacker who successfully deploys coin mining software on a
target organization’s information system just has to sit back and wait for the
cryptocurrency to start rolling in.

In the past amateurs may have been motivated to learn how to attack
information systems by a variety of factors including curiosity. With the current mania
around cryptocurrencies and the promise that it may be possible to earn such
currency by running freely available exploit tools, it’s not unreasonable to assume
that amateurs will be even more motivated to attack information systems in the hope
of generating income.
Video

Coin Mining Attacks, as of early 2018 information security professionals are

seeing far more Coin Mining Attacks than any other type of attack that's going on in
people's infrastructure. There is a belief that Coin Mining Attacks may overtake other
common attack types such as ransomware. So why an earth is Coin Mining Attacks
become so prevalent? Well, as we will discuss in another video on ransomware. We
have ransomware when someone's infected you've only got a certain probability that
they're actually going to turn around and actually pay you off to decrypt their files.
With a Coin Mining Attack, as soon as the malware becomes active as soon as it
starts mining coins, the potential for the attacker to get monetary value out of the
attack basically goes up to become a certainty. The longer the attack goes
undetected the more financial reboot there is.

So, where as an attacker with ransomware had to basically accomplish the

same goals as much occur with a coin mining attack that is get the malware onto the
systems in the first place. The advantage of a Coin Mining Attack is it's basically
monetized from the moment it starts running. Now, of course there are many
different cryptocurrencies and that means that it's not just like mining the most
popular cryptocurrency which of course, you would have heard of which is Bitcoin.
And your chances of actually getting a coin when mining Bitcoin, a lot more difficult
but some of the less popular cryptocurrencies there's a lot more bang for the buck
with the malware. There's always new cryptocurrencies and as new cryptocurrencies
come on, there's a bit of a bubble at the moment.
 Now, perhaps should the cryptocurrency bubble deflate we might say, a return
back to ransomware. The other thing about Coin Mining Attacks is that they might be
especially tempting for an insider to consider. Especially an IT staff member who
knows how to run software on internal systems and would be able to hide the
presence of a coin miner. Now, clever Coin Mining software turns itself off, when
there's actual activity on the computer so, several Coin Mining malware will sit there
on a workstation and we'll use the processor when nobody's using the computer. But
the moment someone starts using the computer it basically turns itself off. That way
the operator of the computer doesn't get the impact of that malware. They're not
noticing because their computer isn't running slow for them because the moment
they start doing something their computer operates at normal speed. It's when
they're away from their computer or they're not using it to perform a task that the
Coin Mining malware starts to act.

So, in summary Coin Mining Attacks have become prevalent because they're
perhaps the most easy to monetize of all of these sort of attacks we've talked about.
To an extent attacking has been a field that's been in search of a business model
and to an extent at first ransomware and now Coin Mining Attacks may get that there
is a financial payoff for someone to actually deploy this type of malware on your
infrastructure.

Automation of detection
One aspect of the cybersecurity landscape that has become brighter for
defenders is that it has become easier to detect attacks that would have otherwise
only been apparent through expert analysis of information system’s event log
telemetry. While some attackers are overt and do little to hide their presence on the
network, competent attackers often spend quite some time performing
reconnaissance once they have established a beachhead on the organization’s
network. These attackers leave only subtle traces of their presence that you might
not be alerted to unless you have sophisticated intrusion detection systems that can
recognize signs of the intruder’s activities. If an organization can detect attackers
while the attackers are still performing reconnaissance, they can reduce the amount
of damage done.
 In the past Security Information and Event Management (SIEM) systems
would analyze information and detect suspicious activities based on heuristics
developed by the vendor. While these systems are effective in discovering
suspicious activity, they are only able to detect suspicious activity if the vendor
recognizes the characteristics of that suspicious activity. To recognize new types of
suspicious activity, the SIEM system must be updated with new signatures that allow
it to recognize the characteristics of that activity.

Cloud-based services, such as Azure Security Center, Azure Advanced Threat

Protection, and Windows Defender Advanced Threat Protection, provide
organizations with more effective threat detection functionality than traditional
methods, such as manual telemetry analysis. These cloud-based services have
access to Microsoft’s Security Graph. Microsoft’s Security Graph centralizes the
security information and telemetry that Microsoft collects across all its sources. This
includes telemetry related to attacker activity across all of Microsoft’s customers, as
well as information from Microsoft’s own ongoing security research efforts.

Through machine learning analysis of this vast trove of data, Microsoft can
recognize the subtle characteristics of attacker activities. Once the characteristics of
a specific attack are recognized through analysis of this immense data set, similar
activity will be detected should it occur on customer networks.

The cybersecurity landscape has also changed now that defenders

increasingly have access to tools like Azure Security Center that can highlight and, in
some cases, remediate security configuration problems on monitored information
systems. In the past information security professionals would have to work through
configuration checklists when hardening servers, clients, and other equipment.
Today services such as Azure Security Center can provide recommendations as to
what configuration changes should be made to on-premises and cloud hosted
workloads to make them more secure. Security configuration recommendations
provided by these services can also be updated as new threats emerge. This helps
ensure that an organization’s security posture remains up-to-date.

Defenders also have access to breach and attack simulation tools. Rather
than relying on experienced penetration testers to perform red team exercises to
locate known vulnerabilities in an organization’s information systems configuration,
breach and attack simulation tools simulate an attack and locate known
vulnerabilities. While such tools won’t find every possible vulnerability, they are likely
to detect the vulnerabilities most often exploited by attackers. If defenders remediate
all vulnerabilities found by such tools, their engagement with penetration testers
performing red team exercises is likely to be more valuable. Using such tools before
engaging a red team will certainly reduce the likelihood of expensive penetration
testers discover a list of obvious configuration vulnerabilities that should have been
found by even the most cursory of examinations. When an organization engages
penetration testers, the hope is that they’ll discover something that the organization’s
information security staff couldn’t have seen, not something that they knew about but
didn’t get around to addressing.

Internet of Things
Another big change in the cybersecurity landscape over the past decade has
been the rise of the Internet of Things (IoT). The IoT. is the network of physical
objects, devices, televisions, refrigerators, home climate systems, cars, and other
items, that are increasingly embedded with electronics, software, sensors and
network connectivity that enables these objects to collect and exchange data. While
consumer operating systems, such as Windows 10, OS X, iOS and Android have
increased security features with every release and update, the operating systems of
Internet of Things devices rarely receive long term security update support from their
vendors.

The IoT presents an ongoing challenge on the cybersecurity landscape in that

these devices are likely to remain insecure. This is because even when vendors do
provide updates, unless those updates are installed automatically, few owners of
these devices will bother to apply those updates. While people will apply software
updates to their computers and phones when reminded, most are less diligent when
it comes to applying software updates to their refrigerator, washing machine, or
television.

How does this impact the cybersecurity landscape? Botnets, comprised of IoT
devices have already been used to perform distributed denial of service attacks.
While the processing capability of IoT devices is much less significant than that of
desktop computers or servers, it’s likely only a matter of time before an enterprising
attacker works out how to get rich using a botnet of refrigerators to mine
cryptocurrency.

Transition to the cloud

The cybersecurity landscape has been substantially altered by organizations
moving on-premise workloads to the cloud. Important to note though is that moving
infrastructure, applications, and data to the cloud doesn’t mean that the responsibility
for information security shifts from organizational personnel to the cloud provider.

As has been amply demonstrated by developers leaving cloud storage

containers globally accessible, the security of a deployment in the cloud is as only as
good as it is configured by the cloud tenant to be. Just as with on-premise
information system security, the settings to secure workloads are present, but they
must actually be configured by the information technology professionals responsible
for those workloads.
 For example, a cloud storage container used by a major US newspaper to
host website code allowed read access to anyone in the world. Attackers used this
access to inject coin mining code into the web pages delivered by the newspaper to
its readers. Each time a reader visited the newspaper website, some cycles of their
computer’s CPU worked on generating cryptocurrency for the attackers who had
modified the contents of the cloud storage container.

Increasing regulation
A final aspect of the cybersecurity landscape that is worthy of attention isn’t
strictly technology related, but instead relates to regulation and legislation. For many
years the information technology industry was left to its own devices when it came to
how much energy they put into protecting information systems infrastructure.
Unfortunately, the industry hasn’t been successful enough in containing such
breaches. The public and eventually politicians have noticed that breaches continue
to occur even as all of us move more of our lives and sensitive information online.

This has led an increasing number of jurisdictions to introduce legislation and

regulation mandating the security controls that should be present over certain types
of data hosted in organizational information systems. The cybersecurity landscape
has changed in that IT security staff need today not only to be conversant with the
security controls available for the technologies they are responsible for managing,
but also with the rules and regulations that apply to the organization’s information
systems and responsibilities that must be upheld in the event that an intruder
successfully breaches the organization’s systems.

“Keeping up with trends in Information Security”

Keeping up with trends in Information Security. So one of the things that

would be in your role as someone who is working where cyber security is trying to
keep up with the latest trends, that means that you have got to become as watch one
of my friends at Microsoft once said is a Pull Learner. A Pull learner seeks out
information rather than having information pushed at them. If you are interested in
cybersecurity that means that you can't be in a situation where you're waiting to have
the trained delivered to you, it means that you've got to keep an idea on the ever-
present now to understand what is actually going on. In terms of the way that I've
done it personally I constantly follow new people, interesting people and people that
are providing me with good information on Twitter.

So Twitter turns out to be one of those platforms where there's a lot of

cybersecurity people and they are providing a lot of very useful information. You've
got to curate your feed and you've got to make sure that your feed is representative
of what you need to know but that is a good place to start, there are also good sites
around that you can check out. Sometimes you will be pushed to them by the people
that are on Twitter that are cybersecurity experts and you should be able to once
you've been following people long enough to work out that you know there are a
couple of people that perhaps have an overinflated opinion of their abilities and you
learn very quickly to move those people out of your Twitter feed and you figure out
who is the actual useful people to follow and they will direct you to websites that are
very useful often they have their own websites one that I can't recommend enough
for people in the Windows domain environment field is adsecurity.org.

This is a person that is an extreme expert and actually works with a lot of tools
that show you how to exploit Active Directory but also how to secure Active Directory.
Also once you get an idea of those people, they will direct you to conference
sessions that might be online that allow you to view them talking at length instead of
in the sort of the confined space of a tweet. The other thing is try and read good
books and by that I'm not just talking about books that go on about what the current
threats are? there's books like the Cuckoo's egg or Shane Harris at War that talk
about the current world, the Cuckoo's egg talks about an older historical case. The
Shane Harris at War provides information about sort of the military cyber security
complex as it exists today. So there's people out there that are publishing and that
will again give you a good feel for what's going on in the industry at a higher level
and also consider attending some of the better conferences, listening to people
speak.

b. Assume Compromise Philosophy

Overview
In the best of all worlds our organization’s information systems are in a
pristine state when we start implementing security controls. In this model, intrusions
are something that exist as a future possibility rather than something that may have
happened before you started thinking about how to secure your organization’s
information systems.
 The assume compromise philosophy takes the position that an organization
should build and maintain its security posture based on the idea that the
organization’s information systems have already been compromised. Another part of
the assume compromise philosophy is that the organization should assume that
preventative technologies such as firewalls, anti-virus, and intrusion detection
systems (IDS) will fail. Under the assume compromise philosophy, information
security teams focus instead on detecting and responding to suspicious activity
rather than simply preventing intrusion. Detection of suspicious activity can be
assisted by leveraging cloud-based analytics services that constantly monitor
information systems telemetry for anomalies.

When you design a security posture with assume compromise in mind, you
restrict an attacker’s ability to move laterally between information systems and to
restrict their ability to escalate privileges within those systems. These goals can be
done by implementing technologies such as Just Enough Administration (JEA) and
Just in Time (JIT) administration, segmenting networks, deploying code integrity
policies as well as enforcing good administrative practices as restricting
administrative sessions so that they can only be initiated from specially configured
privileged access workstations.

Compromise examples

Few attackers compromise an organization without having an objective

beyond proving that the organization can be compromised. Attackers target
organizations because they wish to accomplish one or more goals. When an
organization is compromised, the attackers often do one of the following:

 Exfiltrate data
 Deploy ransomware
 Enroll systems in a botnet
 Deploy coin mining software
 Data exfiltration

The attackers extract sensitive data from the organization. This data may
have been stolen for a variety of reasons, from the theft of commercially sensitive
information to exposing organizational secrets to damage the organization’s
reputation. Some of the most famous attacks have involved data exfiltration, such as
gaining access to a substantial number of customer credit card numbers.

Ransomware
 In ransomware attacks, the attackers encrypt the organization’s data and
render the organization’s information systems non-functional. The attackers do this in
the hope that the organization will pay a ransom, usually in the form of a
cryptocurrency. Once the target organization pays the ransom, the attackers will
provide the organization with an unlock key. After inputting this key, the data will be
decrypted and the information systems previously rendered non-functional will be
returned to full functionality.

Botnets

Botnets are collections of computers that can be configured to perform a

specific task, such as performing a distributed denial of service attacks. Botnets can
be monetized in several ways, including extorting money through the performance of
distributed denial of service attacks or used to relay spam (unsolicited commercial
email).

Coin mining attacks

As of early 2018, coin mining attacks are becoming increasingly prevalent due
to their lucrative nature. Coin mining malware deployed in attacks is sophisticated
enough only to use some, not all, of the host systems resources, meaning it isn’t
always obvious when a system is infected. Coin mining attacks have also been
perpetrated by insiders who use their organization’s infrastructure to generate illicit
income.

“Information Security Myths”

Here is several myths about information security, that are especially prevalent
amongst decision-makers that aren't experienced information security professionals.
In many cases decision makers make decisions based on these myths, rather than
the reality of the cybersecurity landscape And these myths, I'm going to cover are
they're not limited to, now attackers need to be quite sophisticated Our organization
would never be a target, well all the attackers exist outside the firewall and our
systems were already secure. So let's talk a little bit about these.
 The first myth, attackers need to be sophisticated. Well one prevalent myth is
that attackers need to be highly skilled individuals, the reality is unskilled individuals
have access to tools where the complex attack chains are coded into the tools, and
all an unskilled individual has to do is point the tool at a specific target and click
attack or whatever is built into the tool. Now these tools continue to evolve greatly
enhancing the capacity of the attacker that uses them, even if the attacker
themselves has only the vaguest grasp on the process the tools employ.

Now, while it's true that successfully compromising a competently secured

information to systems infrastructure does require a high amount of skill and effort
the vast majority of the world's information systems infrastructure has not been
competently secured. The history of information security is full of instances where a
relatively unskilled attacker has managed to compromise a target because they've
had access to excellent automated tools and the targets information systems weren't
competently secured. So the next myth, Our organization isn't a target. Now decision
makers at some organizations assume that because they've got no obvious digital
assets such as commercial secrets but attackers are going to ignore them and select
higher value targets.

Now the rise of ransom-ware in coin mining malware ensures that attackers
can extract value from even the most prosaic of the organizations. In the case of
ransomware it may be a direct payment to allow for the recovery of files, in the case
of coin mining malware running the software on even simple hardware given enough
time can lead to a good financial info. Put it another way everybody's kind of a target
now, the malware is a lot easier to monetize.
 The next myth is that our attackers are outside the firewall and it's a big
information security myth these are the people that want to attack the organization all
external to the organization or as the reality is is a small percentage of people within
an organization are willing to attack the organization, paid by stealing confidential
data or by damaging information systems especially if it's unlikely that they will be
detected there are many cases where people who have been fired from an
organization but haven't had their access terminated have used this access to come
back later on and attack the information.

Now this coin mining malware becomes more prevalent, it's also more likely
that some insiders will use their knowledge's and their privileges on the
organization's information systems. To covertly deploy and run coin mining malware
as a way of you know making some money on the side. The final information security
myth that I want to discuss is the one that our systems are already secure, Now just
because systems are kept up to date with patches and a firewall is in place does not
mean your organization is secure.

You've got to understand that security is an ongoing process and your

organization's security posture needs to be continuously reassessed, Just because
the most recent Red Team penetration test against your organization's systems was
unsuccessful doesn't mean that your organization has a security posture that is
impenetrable to intrusion. Now complacency is a big danger in the information
security industry and the moment and organization assumes that it's attained an
impenetrable security posture is a moment that attackers successfully breached the
network barriers.

c. Cost of a breach

Overview
The cost of a breach is always an estimate. Even after a breach occurs, the
actual cost of the breach may never be accurately determined. On top of the
disruption to the businesses processes, it is difficult to assess the value of
intangibles such as reputational damage, the cost of rehabilitating compromised
systems, the cost of investigating the breach itself and the cost of any fines or
penalties that may need to be paid to the relevant authority.

Some of the factors that contribute to the cost of a breach include, but are not limited
to:

 Breach investigation
 Systems rehabilitation
 Reputational damage
 Destruction of assets
 Compliance costs

Proportional Security
The idea of proportional security is fairly straightforward think of it this way,
don't buy a $20,000 safe if you're only protecting a $1,000 diamond ring. Make sure
that your security spend is proportional to the assets that you are protecting. So one
of the things that can happen very quickly in any security industry is that you can let
your paranoia get the better of you and especially when you've got people coming in
trying to sell your products they will sell you it's like buying insurance, they will sell
you perhaps a policy that you would never need in a million years.

So with proportional security understand the value of the assets that you're
protecting also what you need to have is you need to have a threat model that is
understand that you shouldn't be spending a disproportionate amount on an unlikely
threat while spending little money on obvious things for example don't put in an
extraordinarily expensive external firewall but forget to properly configure your file
system permissions. So that anybody who's inside the organization is able to access
any data that they want.

In fact if we look at some of the most famous hacks and we look at for
example the Manning hack or the Snowden affair, we will see that we had privileged
insiders who are able to get access to things that they weren't or shouldn't have had
access to because the security posture was very much focused on the external
rather than the internal and you can be absolutely sure that these days that security
posture has been improved at those organizations. The other thing that you need to
realize is that perfect is the enemy of good. Often you'll see discussions within the
information security community when someone's talking about using a particular
technique to protect an information system, someone will instantly bring up Oh well
you can get around that, if you blah.

Understand that you're not going to be able to protect against everything, but
what you can do you can make it substantially harder for the average attacker to
compromise your organization. You are never going to build an impenetrable barrier,
but what you can do is you can make it so hard that the average attacker unless
they're really really really after you, is going to take their bat and ball and go home
and look for another target to compromise.

So it's not that you need to have impenetrable security I am at just being so
difficult to attack that everybody goes and chooses an easier target because the
internet and the world is full of much easier targets to hit .

Breach investigation
After the attacker has been successfully ejected from the organization’s
information systems, an organization should perform a thorough investigation to
determine as much as it can about the particulars of the breach. Performing this
investigation will cost the organization as it takes personnel away from their day to
day work tasks. It may also be necessary to bring in outside expertise so that the full
extent of the compromise can be ascertained, which will again cost money and time.

The benefit of these costs will be that the organization has a clear picture of
how the breach occurred, how long the intruder was present within the organization’s
information systems, and the steps that can be taken to ensure that attackers will not
be successful leveraging similar techniques in the future.

Systems rehabilitation
Once the attacker has been successfully ejected from the organization’s
information systems, it’s then necessary to ensure that those systems are
rehabilitated. Not only is it necessary to remediate the vulnerabilities that allowed the
attacker to compromise the system, it is also necessary to ensure that any
modifications that the attacker may have made to the system are located and
removed. Rehabilitating a system isn’t just a matter of reverting to the last backup as
it may be that the attacker compromised the system some time ago. Reverting to the
last backup won’t remove the tools that the attacker placed on the system to retain
persistence if those tools have been included in the system backups for some time.
In many cases the only way to ensure that a system is rehabilitated is to deploy it
again from the beginning and then address the vulnerabilities that allowed the
attacker to gain access.

Reputational damage
Sometimes the biggest cost of a successful breach is to reputation.
Reputational damage doesn’t just occur when sensitive internal documents are
leaked to the media. For example, consider an ecommerce site that suffers a breach
where customer payment information is compromised. Customers of the site may be
wary of using the site again in the future, especially if they’ve had to cancel an
existing credit card as a result of the breach. When customers lose faith in an
organization’s ability to protect their information, they are less likely to interact with
that organization.

Destruction of assets
Some attackers plant malware that is designed to destroy the systems of the
target organization. Some malware works by reconfiguring hardware to work beyond
its safe specification. For example, overclocking a processor until it overheats and
fails. Other malware erases data on target systems or renders them inoperable. In
some cases, the malware is deployed deliberately, destroying sensitive systems
either to inflict financial damage or as a way of forcing the target organization’s
information systems to become inoperative.

Compliance costs
Another change in the cybersecurity landscape in recent years has been how
regulation has encroached on the industry. Depending on the type of breach that
occurs and the type of industry the target organization is in there may be fines that
must be paid to specific authorities as well as investigations and reports that must be
generated, all of which cost money and other organizational resources. In some
cases, an organization that suffers a breach may be subject to ongoing reporting
requirements for a period of several years. In some jurisdictions this can include
paying for periodic external audits to ensure that the organization has correctly
implemented the necessary security controls to minimize the chance of a similar
breach occurring in future.

EXAM
13/15 – 25th August 2019
Module 2 : Red Team: Penetration, lateral movement, escalation,
and exfiltration
a. Red Team versus Blue Team

Overview
Red team versus blue team exercises involve the simulation of an attack
against an organization’s information system. The red team simulates and, in some
cases, performs proof of concept steps taken in the attack against the organization’s
IT systems. The blue team simulates the response to that attack. This adversarial
approach not only allows for the identification of security vulnerabilities in the way
that the organization’s IT systems are configured, but also allows members of the
organization’s information systems staff to learn how to detect and respond to
attacks.

Red Team
At a high level the red team plays the role of an attacker against the
organization. Red teams can consist of people inside the organization, an external
penetration testing team, or a mix of both.

A red team exercise often involves a proof of concept demonstration that the
vulnerabilities that they have found are practically, rather than theoretically,
exploitable. For example, proving domain dominance by creating accounts that are
members of the Domain Admins group in an Active Directory environment. Or
showing control of an individual machine by creating an account with local
administrative privileges on a standalone system. When defining the objectives of
the exercise, it is important to clearly define as to what counts as a red team victory
rather than allowing ambiguity about whether vulnerabilities exist when performing
the post-mortem exercise.

Blue Team
The blue team play the role of your existing information security and IT
administration staff. The aim of red team versus blue team exercises is both to
determine if vulnerabilities are present in the existing security configuration as well
as to train organizational staff how to detect and respond to attacks against
organizational IT infrastructure. You’ll learn more about the role of a blue team and
how to construct an effective blue team in the next module.
As a part of your ongoing security preparations, you should rotate members of staff
between red and blue teams when conducting subsequent exercises. This allows
your staff to learn, develop, and appreciate both the attacker and defender mindsets.

Exercise structure
Initial exercises should be white boarded as a role-playing exercise. This
allows both the red and blue teams to develop a good understanding of the
parameters of the exercise. Without a strict understanding of the parameters of the
exercise, red team and blue team exercises can quickly spiral out of scope.

Later exercises should move beyond white boarding and role playing to
practical proof of concept. In these later phases the red team’s activities should
never place the information systems of the target organization at risk. A red team
shouldn’t need to deploy coin mining malware on a domain controller to demonstrate
that the domain controller is vulnerable to attack. There are other, less deleterious
ways of making this point, such as installing a harmless application on the server.
Installing a harmless application demonstrates the ability of the attacker to install
software on a sensitive server, which is all that the red team needs to accomplish,
without going to the point of having every domain controller running coin mining
software.

The overarching aim of the red team is to provide a proof of concept that the
target organization is vulnerable to a specific type of attack. The overarching aim of
the blue team is to be able to detect and respond to that attack in an effective
manner.

Management Approval
It is critical that management be kept informed of red team versus blue team
exercises, especially when those exercises move beyond role playing and
whiteboarding to taking actions that directly impact infrastructure. For example, it is
possible that infrastructure functionality might be disrupted by the exercise.
Management should approve of the exercise goals and be made aware of what
achieving those goals means in terms of modification to existing information
systems. Management should also be involved when engaging red teams that are
external to the organization in penetration testing exercises.

Internal versus external red teams

When initially working on your organization’s security configuration and
incident response strategies, you might choose to start with internal red and blue
teams. You could continue to run exercises pitting red team against blue team until a
point is reached where the security configuration of the organization is at a level
where it is beneficial to subject it to a professional penetration testing attempt. It’s
likely that until several red team versus blue team exercises have been run, there will
be obvious and potentially embarrassing holes in the existing security configuration.

A disadvantage of having members of the red team be exclusively from within

the organization is that they will bring some of the organization’s assumptions with
them. Outsiders bring their own assumptions, and systems that a member of the
organization from the Red Team might believe to be so secure that they are
unassailable may have faults that are obvious and exploitable for someone
approaching those systems from outside the organizational mindset.

As reputable professional penetration testers will have extensive experience

and knowledge, they are likely to find vulnerabilities that might not be apparent to
security engineers who haven’t explicitly specialized in organizational penetration.

As red team versus blue team exercises should be ongoing, many

organizations use internal teams for most exercises, punctuating with occasional
exercises where the red team is made up of professional penetration testers who
specialize in this type of exercise. This allows for the organization’s security
configuration to be periodically exposed to people that aren’t inculcated in the
organizational security culture.

LESSON REVIEW
b. The Attacker's Objective

Overview
When developing a red team versus blue team exercise it is important to
specify the red team’s objective. The objective is the overall aim of the exercise and
red teams may have more than one objective in an exercise. When organizations are
starting out with red team/blue team exercises, they should limit objectives so that
the exercise does not become overly complicated. Once the red team/blue team
exercises become more established, the outcome of exercises with more complex
and difficult objectives will become clearer. If both the red team and blue team are
inexperienced and the red team is pursuing a set of complex objectives, it will be
difficult to conclude whether the organizational infrastructure is indeed secure, or if
the red team wasn’t organized or capable enough to be able to exploit vulnerabilities.

Attackers, and red teams, can have more than one objective in an exercise.
When engaging red teams as penetration testers from outside the organization
ensure that the objectives are clearly stated before the exercise begins. A red
team/blue team exercise is different from a security audit, where an external group of
penetration testers examines an organization’s configuration and generates a report
detailing vulnerabilities and problems.
There are a set of common objectives that attackers pursue:

1. Persist presence
2. Steal data
3. Hackstortion
4. Ransomware
5. Coin miners
6. Destroy systems

We will define these common objectives below.

What is the Attackers Objective? what the objective of the attacker is really
depends on the attacker and sort of like asking how long's a pace of strength. First
thing is to try and understand you are dealing with amateurs that is people aren't
doing it because that's their profession or a team that actually does this for a living.
That is - is it a disinterested person that's doing a one-off attack or someone that's
actually trying to monetize their attack and is doing it professionally and the vast
majority of attackers are not doing it professionally. Now their initial objective might
be to just get in and see what's available, that is they reconnoitering your network,
they get persistent presence and then they figure-out what they're going to do from
there. Is this organization a good ransomware target and as we learned earlier when
we were discussing ransomware it could be that we know that organizations that
have an effective backup strategy make poor ransomware targets because they
were unlikely to py.

So maybe the attacker decides to disrupt the backup process or maybe not or
it might be that there's a whole lot of powerful CPUs and GPUs just sitting there in
the organization's data center that really aren't being taxed and you know, might
make a good little earner of cryptocurrency. If their objective is to steal data, well
most of the time when someone wants to steal data they actually know what the data
is it they want to steal and this type of attack is much more frequent with insiders that
is the insider knows what the data is that they want and then is going to go and steal
that data, it might be some sales information, it might be some confidential
information that they sell it to our competitor, but if you're outside the organization
and you don't know anything about the organization you're not going to have a really
good idea about the sort of data that they're hosting.

It is possible that they might just attack an organization, get in and then you
know needle in a high stack they find somethi g interesting but most attackers don't
have that sort of time. There's so many targets out there, unless you've got a really a
targeted attack, stealing data is something that you usually know what the data is
before you try and steal it. With Hackstortion attacks it's things like the person who
pulled the infidelity websites credentials and was using that as a threat against the
website and saying look you need to close down or we're going to basically spy your
customer data all over the internet, so they were trying to achieve a particular
objective and they were going to achieve that objective through threats. Another
example of Hackstortion was when attackers got access to unaired episodes of
Game of Thrones and threatened to release them unless they were paid a particular
fee and the way that the company dealt with it is they refused to go and pay the fee.

Then we've got ransomware and ransomware of course goes and encrypts
data, but we also know from when we had our earlier discussion on ransomware that
only 37 percent of organizations paid the ransom, of that 37 percent only half of that
37 percent actually gotaccess to the files in the end. But that In the past ransomware
has been lucrative enough that there are assumed to be several ransomware
billionaires in the world so, that could be the attackers objective because to a certain
extent there's never going to be every organization that gets its backup house in
order. But you would think aftersuffering several ransomware attacks that they'd
figure out how to recover from one without paying the ransom itself.

Persist presence
When an attacker can persist their presence on a target organization’s
information systems, it means that they have reliable remote access via a back door
to the target organization’s systems. This compromised system is also termed a
beachhead or foothold as it is the initial location through which the attacker gains
access to the target organization’s network.

Rather than executing the attack the moment that a foothold has been
reached, competent attackers often set up the digital equivalent of a base camp from
which they are able to reconnoitre the target organization’s infrastructure and
systems. Many attackers spend months examining a network to determine what
existing security and monitoring systems are in place before they begin to take the
actions that will achieve their objectives.

Once a beachhead is established and the attackers have an accurate picture

of the target organization’s infrastructure, the attacker can then upload and deploy
their exploit toolkit to a location on the target organization’s network. The attacker
can then use the tools in this toolkit to move laterally across the target organization’s
network, compromising further system and elevating privileges.

Steal data
One of the oldest types of attacks is the theft of data. In the case of the 2013
Target data breach, attackers were able to successfully exfiltrate credit card data
from the merchant and sell those credit card numbers on the dark web. Other well-
known breaches involving the stealing of data have involved the internal
communication of political parties that have later been publicly released as a method
of discrediting the authors of that communication.
 There are a variety of methods that can be used to steal data, from being able
to extract information from databases using SQL injection attacks, through to the
exfiltration of entire virtual machines when attackers gain control of virtualization
infrastructure, export production virtual machines, and then upload the exported
virtual machine files to the internet.

Hackstortion
Hackstortion is a term for the process that occurs when an attacker
compromises a target’s network and then requests payment for a specific action to
be taken. This action might be for the attackers to destroy sensitive data they
exfiltrated rather than exposing that data to the public. Another action might be to
return command and control target organization’s infrastructure to the original owner.
Hackstortion can include data theft, though specifically involves a financial demand
being placed on the organization, rather than having the data sold or released to the
public without such a demand being made. The red team might simulate an attack
where hackstortion is the objective pursued, either by exfiltrating data or taking
control of the target organization’s infrastructure as proof that the organization was
vulnerable to this approach.

One recent example of hackstortion occurred when a group of attackers

compromised the information systems of a popular television production company
and threatened to release digital copies of unaired episodes of popular shows to file
sharing sites unless an extortion payment was made. Another example of
hackstortion involved attackers who attacked dating sites, extracted personal data,
and then threatened to expose that personal data to the public unless payments
were made, or certain actions were taken.

Yet another form of hackstortion occurs when administrative accounts of cloud

service providers are compromised. When this occurs, the attacker threatens to
delete all infrastructure hosted in the account unless a ransom is paid within a
certain short period of time. This period usually being less time than it would take for
the attacked organization to recover administrative control through the cloud service
provider’s support mechanisms.

Ransomware
Ransomware, also known as cryptoware, encrypts files and sometimes entire
operating systems so that they are inaccessible unless a special decryption key is
provided. The attackers will provide a decryption key that can be used to recover the
encrypted systems for a fee, usually in a cryptocurrency like BitCoin. The red team’s
goal might be to install ransomware as a method of demonstrating that the
organization’s infrastructure was vulnerable to this attack.
 Ransomware is effective because many organizations do not have
comprehensive data backup and recovery strategies. Organizations are faced with
the choice of losing almost all their data or paying the ransomware fee to have the
data readily recoverable. Recent surveys indicate that approximately 60% of
organizations suffered some form of ransomware attack in 2016. Reports also
indicate that ransomware can be very lucrative to the attacker, which is one reason
why ransomware attacks have become more prevalent.

Coin Miners
Coin mining malware is software that is used to perform calculations
associated with crypto-currencies such as BitCoin. Rather than run coin mining
software on their own infrastructure, with its attendant costs in hardware and
electricity, coin mining attacks involve attackers running crypto currency mining
software on the infrastructure of the compromised organization. The red team’s goal
in an exercise might be to install coin mining malware, simulating this type of attack.

The payoff for the attacker is that they can generate crypto currency using the
compromised infrastructure, with the attacked organization providing CPU resources.
Another advantage of this type of attack is that unless an organization has a
comprehensive and effective monitoring solution, it’s possible for the coin miners to
run quietly in the background generating income for the attackers for some time
without the target organization becoming aware that anything is amiss.

Destroy Systems
The objective of some attackers is to destroy the infrastructure of the target
organization. This is possible because certain types of malware can execute code
that causes harm to storage, memory, CPU, and networking hardware devices. This
code functions by pushing these devices beyond their tolerances; for example,
causing memory or CPU to overheat and fail. This type of attack has also been used
by state actors against industrial equipment; for example, when Stuxnet was used to
attack centrifuges in Iranian nuclear facilities.

LESSON REVIEW

c. Red Team kill chain

Overview
Kill Chains are an idea originally taken from military strategy, which describe
the structure of an attack against an objective. The company Lockheed Martin
applied this idea to information security and it is now used as an industry standard
framework for describing the progression of attacks against information systems.
 The Red Team kill Chain, an example I'm not going to walk through a specific
case study but what I'm going to do here, is provide you with some examples with
the Red Team kill chain or actions mode occur at that level sometimes referring
incidents that have actually occurred. So in the text I provide you with probably a bit
more of a sterile example, so let's talk about the first part of the Red Team kill Chain
Reconnaissance.

So what are some examples of the way that Reconnaissance works, now one
clever one is using LinkedIn.You can use LinkedIn and other social media platforms
to determine a lot of information about an organization for example who works in the
company's IT department and then when you look at who works in the company's IT
department you have a look at their profile, you can learn more about the systems
and the applications that they work with. Obviously someone who is a windows
server expert and doesn't have any experience we say Linux or UNIX and you're
looking at the IT department of this organization and they all seem to have windows
certifications well you can start to make some assumptions about the type of
systems that are running at that organization. You can also, let's say that they've got
a Twitter account they don't have a look at who they follow what are they interested
in with regards to their job, for example are they following people that talk about ffice
365 are they following people that talk about another type of mail product. Who are
they following and what their technology interest and through that you can start to
build up a profile of the profile and then indirectly a profile of the organization's
information systems. Figure out, what you can figure out by looking at an external IT
presence, for example do I have a VPN gateway where is a mail system hosted is it
up in office 365 are they hosting mail on Prem. How is their DNS, external DNS
infrastructure configured try and figure out as much as you can by looking at those
things that are public about the organization this is what Reconnaissance about.

Now one of the other things, that you can dois if you know where to look you
can find out organizational credentials have been exposed in password data
breaches, for example you may remember a couple of years ago, there was a
breach of an infidelity . One of the very interesting things that came out of that was
that a lot of people on that infidelity website a site where you would assume people
were looking for a degree of anonymity was that they were actually using their
business email address or their government email address or even their military
email address. So what we know or what we can gather from this is the people
generally are not that good when it comes to the sanitation and care of their work
email credentials. The other thing we know is that people reuse password, so it's not
unreasonable to think that someone who is used a specific password for an infidelity
website might actually use that same password for their VPN credentials or thier
domain admin account or the email account. Okay, so the next stage of the Red
Team Kill Chain is Weaponization. Now weaponization is where you choose the tool
for the attack and the reality, the boring reality is that when most attackers are
looking to attack they're not sitting there and writing custom,attack tools to do it.
What they're probably doing 95% of the time is using stuff that's off-the-shelf in terms
of how off-the-shelf these attack tools are that is someone else has build them
they're using tools that already exists they're not going out and creating special tools.

And weaponization is about determining the most appropriate tool for what
can be determined about the infrastructure that's being attacked, for example if you
know that they run a particular distribution of Linux then you are going to tailor your
tool, when you're attacking to that particular distribution of Linux. If you know that
your an organization is using, Azure then you're going to be looking at tools that
helping you to compromise what they're running in Azure. Now in terms of delivery
phase of the Red Team kill Chain well it really does depend a lot on the target one
technique that's common when a Red Team has access to the premises that is I
know where the location of the business or the organization they're attacking this is
to basically just go out and scatter USB keys in places where the smokers at the
organization congregate.

So make it look like, someone has gone out for cigarette and they might have
dropped their USB key and of course what you do is that you then put malware on
the USB key. Because what you're hoping is that someone's trying to figure out
whose USB key it is and they plug it in and them they run the malware or it could be
that delivery occurs, using you know how I was talking before about exposed
credentials and breaches well think about what's going on now with office 365. Let's
say that someone lives there office 365 credentials as their sign up for the infidelity
website or the because people apparently do that well you might be able to do that
username and password and then sign in to office 365 and that might give you
access to for example the organizational SharePoint site which you could then use to
plant malware in a watering hole attack a watering hole attack, of course as you'll
remember from the text of the course is going to a site where people visit regularly
and of course people regularly visit SharePoint sites.

Now there are ways that you can protect against this if you're on office 365
administrator but it does involve you actually lighting up those security features, and
one of the very interesting things about office 365 security is how much of it actually
isn't implemented by most organizations. Okay, so the exploitation phase the Red
Team kill Chain that's getting the code to run well how do you do that well it was
certainly a lot easier with USB attacks where the USB auto-run was enabled. There's
other ways you basically go and hide the exploit code in a document that you want
someone to open and it again depends on the people that you're attacking. Attackers
have a lot of ways of getti g people to execute code, what they're trying to avoid is
having that trigger anti-malware defenses within the organization. So the next phase
of the kill chain is where the code has been executed and that means that the code
runs and then goes and does a whole lot of other things mostly what the attacker is
trying to do is trying to get persistence.
 They're trying to get more software down there so that they can properly
compromise the machine because just getting someone to run malware isn't going to
do anything what you want to do is get them to run malware and then the malware
goes and installs a remote-access backdoor to that person system and then you can
remote into that system and then you can start to move around the organization. So
often this initial code extends itself the initial code is small and then it will pull down
the tools from a location on the Internet. So the the compromise and then bang then
comes down all the tools that the attacker is going to re-used start moving through
the network, so,once installations occurred once persistence has been achieved.
Once see attacker has remote access to the network, we move on to the next phase
which is the Command and Control phase that's where the attacker has got
persistence and they're going out and they're trying to head for Domain dominance.

So, to give an example of this I've talked about a particular retailer, attack that
occurred several years ago, and if you know your history you'll be able to figure out
which retailer it is? Anyway the attacker in that case did something very interesting,
they've got persistence through getting some air conditioning vendor credentials, so
that's how they got onto the Internal network.Then they did their reconnaissance of
the network and they found out basically how that organization's IT infrastructure
worked and they did a lot of clever things for example, they worked at you know what
controller software was being used. What monitoring tools were being used but
perhaps what I thought was the most clever thing about this attack was, what they
did you say compromised the image deployment servers used to this organization?
So to give you a very high-level overview of the way that this worked, there's a way
of maintaining security what this organization did, was every night it would basically
what the operating system deployed on each cash register and drop a fresh image
there. So, the idea being ofcourse if one of the cash register is added out retail outlet
had become compromised in some way.

It didn't matter because every 24 hours, that cash register would be wiped
and a fresh assumingly secure operating system image would be dropped on the
cash register. What the attackers did was very clever. They basically modified the
image that was being dropped on the cash register and baked the malware in. So in
their command and control what they were able to do was basically here ensure that
every cash register in the nation, every 24 hours ended up with malware on there
that would be able to intercept credit card transactions that passed through the cash
register. So that also moves into the action on objective phase of the Red Team Kill
Chain and that's what the attack is there to do.

So they put the malware into the image they dropped it onto the cash
registers or made it, so that the image was dropped onto the cash registers every 24
hours and then they had all of that credit card data finaled back onto a location on
the internal network was a file server or something like that and every 24 hours that
accumulated credit card data from all of the cash registers around the nation was
uploaded to a server in Central Europe. The final part of that story is that they
weren't actually properly found out until the Secret Service started noticing
similarities in credit card numbers and where that been used. Now the other thing
that was interesting was the attackers had-- had their malware detected. But had--
had the detection signature modified so that it looked like another bit of software that
was already present on the network. So it was put away as a false positive. Anyway,
that's an example of the Red Team Kill Chain.

Reconnaissance
Sophisticated attackers don’t randomly attack organizations. Sophisticated
attackers spend a significant amount of time researching their target. An attacker will
use the reconnaissance phase to determine whether a target is worth attacking, the
objectives of an attack, and the characteristics of the target.

For example, an attacker might spend time examining LinkedIn to determine

which staff hold specific roles within an organization. Before they’ve taken any overt
action against the target organization, a sophisticated attacker may have a detailed
understanding of the structure of an organization’s information systems and security
teams. Using tools like LinkedIn, not only could an attacker determine who the senior
information systems staff are, but they’d also be able to deduce the likely nature of
those systems based on the experience of the staff in question. An organization
whose IT department is staffed by professionals that hold an extensive variety of
Microsoft certifications likely uses Microsoft products. An organization whose
database administrators who all have extensive prior experience working with a
specific database product such as MySQL are likely using that product to host their
production databases.

During the reconnaissance phase, attackers examine external services, such

as web applications provided to customers, web sites as well as email and DNS to
determine the characteristics of those services. For example, does an organization
host its email infrastructure in Office 365 or is it using an on-premises solution? The
answers to these questions will determine the attacker’s strategy as they progress
through the kill chain.

An internal red team is at an advantage because they already know which

information systems are in use at the organization. An exercise that an internal red
team might engage in is trying to ascertain, from external sources such as LinkedIn,
as well as other public information, such as DNS registration records and passive
monitoring, exactly how much information about the nature of the organization’s
information systems could be determined by a diligent investigator who only had
access to external sources of data.

Weaponization
Weaponization involves creating, or selecting existing, remote access
malware. This malware, when deployed, will allow the attacker to gain a foothold or
beachhead in the target organization. The selection of malware will be determined by
information gained during the reconnaissance phase and will target vulnerabilities
that are likely to exist within the target organization’s information systems
infrastructure. For example, the malware selected for attacking a website will be
substantially different if the organization’s website is hosted on IIS with a SQL Server
backend compared to a website hosted on Apache with a MySQL backend. The
better tailored the malware or exploit is to the target organization, the more likely it is
to succeed.

Delivery
The delivery phase involves having the target of the attack execute the
malware on the target organization’s information systems infrastructure. Some
attacks require user intervention for the remote code to execute; other attack types
can be performed remotely.

There are a variety of delivery methods that may be leveraged to meet the
objectives of the delivery phase that include, but are not limited to:

1. Phishing attacks
2. Crafted file attacks
3. Remote code execution
4. Watering hole attacks
5. Found USB stick attack
6. Exposed VPN credentials
7. Phishing attacks

A phishing attack uses a specially crafted email sent to users in the hope that
they will open the email. Depending on the sophistication of the attack, the user may
have to click on a link to trigger the next stage of the attack. There are several
varieties of phishing attack that require differing levels of user interaction. Simply
opening the email may, in some scenarios, trigger remote code execution. Clicking
on a link in the email may download remote code that executes directly on the
target’s system or may take the user to a website, which triggers remote code
execution.

Another common form of phishing attack involves phishing of credentials. In

this type of attack the target user is sent an email that looks legitimate, asking them
to navigate to a site where they need to sign in with their organizational credentials
to perform a task. For example, an email reminding the user that they must change
their email account password that directs them to a site that has been configured to
look the same as their normal webmail site. Unless the user is paying attention, it is
possible that they may enter their credentials, which end up being harvested for later
use by the attacker.
A. Crafted file attacks

In this type of attack a specially crafted file is emailed to a target user. This
file, when opened, executes malicious code that installs the attacker’s software on
the recipient’s computer. If the file is crafted well enough, or the configuration of the
user’s computer allows untrusted code to run, it’s possible that simply opening the
document will trigger the execution of the attacker’s code

B. Remote code execution

This type of attack involves sending specially crafted data to an information

system, such as an application or service running on a server. For example, sending
specially crafted traffic to computers running the obsolete SMB1 storage protocol
can allow attackers to execute code on those computers. Other types of remote code
execution vulnerabilities allow attackers to inject code into a remote system’s
memory and have the system execute that code.

C. Watering Hole attack

An attack where malware is planted on an insecure site that people at the

target organization are known to frequent. For example, people at a specific
organization may be patrons of a specific golf club. By compromising and planting
malware on the golf club’s website it’s possible that the malware hosted on the
website might be downloaded and installed on work computers when people within
the organization visit the website during office hours.

D. Found USB stick attack

In this type of attack, USB sticks are dropped casually on the ground outside
the front entrance of the building or in areas outside the building where employees
are known to frequent, such as the area used for cigarette breaks. Some of the
employees will plug these USB sticks into their work computer, which allows the
malware to be installed on that computer giving the attacker internal network access.

E. Exposed VPN credentials

Credential breach websites, such as Troy Hunt’s HaveIBeenPwned.com,

provide users with notifications when websites where they’ve created accounts suffer
data breaches, which indicate that the credentials of those accounts have been
compromised. Those that have investigated the properties of these data breaches
have found that many users of third party websites sign up to those websites using
work, rather than private, email accounts. As many users that have poor information
security practices are likely to use the same password for their work account as they
do for third-party websites, attackers that get access to breach data potentially have
access to the work credentials of the users that signed up for the breached sites. Of
the work credentials that are exposed when sites account databases are breached, it
is not unreasonable to assume some will work with organizational VPN systems. So,
it is possible that some attackers will gain access to an organization through a VPN
because a person within an organization signed up to an external website using their
organizational email address and password and those credentials were later
exposed.

Exploitation
In this phase, the attacker’s malware code successfully triggers, leveraging
the targeted vulnerability. Depending on how well the attacker was able to ascertain
the properties of the target information systems, this may occur quickly or may take
several tries before the code successfully runs.

Installation
In the installation phase, the original malware code is leveraged to deploy an
access point, also known as a back door, through which the attacker can access the
compromised beachhead system. This usually occurs through the original malware
code downloading and running exploit tools remotely, which eventually provide the
attacker with a remote access point into the target organization’s network.

Command and Control

In the command and control phase, the attacker has achieved persistent
access to the target organization’s information systems. In reaching this phase the
attacker will likely have leveraged the following:

1. Lateral movement
2. Privilege escalation
3. Domain dominance

A. Lateral movement

It is highly likely that the first system that an attacker compromises isn’t the
one that allows the attacker to achieve their objective. Lateral movement is where an
attacker begins to compromise other systems on the network, increasing the number
of compromised systems as they move laterally towards accomplishing their goal.

An example of lateral movement might be where a member of the accounting

team responds to a phishing email and has malware installed on their computer. This
malware can extract the cached credentials of a member of the organization’s first
level support team as well as to provide the attackers with remote access to the
target organization’s network. The attacker is then able to use the credentials of the
first level support team to gain access to other systems. In doing so the attackers
eventually can capture the credentials of a member of the domain administration
team and they are able to leverage these credentials to gain domain dominance.
B. Privilege escalation

Privilege escalation is the process of an attacker leveraging a compromised

unprivileged account, such as that of a standard user or service, into control over an
account that is able to perform actions beyond those original privileges. In the
previous example the attacker was able to start with access to the computer of a
user with no administrative privileges. By running specially crafted software, they
were able to capture the credentials of a user that had greater network privileges.
Once they had access to these privileges, the were then able to eventually escalate
until they had full administrative permissions.

C. Domain dominance/Administrative privilege

A common goal of the command and control phase is to get administrative

privileges, also termed “root privileges,” on the target organization’s information
systems. For example, control of an organization’s domain controllers provides
domain dominance. Once an attacker has control of an organization’s domain
controllers, they most likely can perform any action that they desire on the network.
There are exceptions to this rule, but they require separation of administrative
privileges and the deployment of technologies such as Just in Time and Just Enough
Administration.

Actions on Objective
In this phase, the attacker, or red team in the exercise, carries out its
objective. As mentioned earlier, this could be to steal data, deploy ransomware,
deploy coin mining software, extort the organization, or destroy systems. The Actions
on Objective phase is the attacker’s endgame.

LESSON REVIEW

d. Document Vulnerabilities

Overview
A substantive difference between a properly functioning red team and
penetration by an attacker of nefarious intent is that as part of the penetration
process, the Red Team is documenting the vulnerabilities that they find in the
systems that they are attacking. This will allow the organization to remediate those
vulnerabilities after the exercise concludes so that the organization is no longer
vulnerable to that specific set of vulnerabilities.
 The red team should also ensure that any modifications that they make to the
organization’s information systems during the exercise can either be rolled back or
remediated by implementing a better security configuration. Overall success in the
exercise will mean that the red team will have to institute completely different steps
in their kill chain when the next red team versus blue team exercise occurs, because
the issues raised by the previous exercise will all have been addressed.

EXAM
EXAM
EXAM

Module 3 : Blue Team Detection, Investigation, Response, and

Mitigation
a. Blue team role

The blue team represents and is comprised of your organization’s existing

information security and IT administration staff. While part of the purpose of red team
exercises is to explore how an organization is vulnerable to digital infiltration by an
external attacker and to remediate those vulnerabilities, another important part of red
team exercises is to train organizational staff on how to detect, investigate, and
respond to attacks against the organization’s information systems.

Red team exercises function as a practical drill for an organization’s existing

information security and IT administration staff. They also function as a practical drill
for an organization’s existing security response policies and procedures. Just as a
disaster recovery drill tests the adequacy of an organization’s disaster recovery
policies and procedures, a red team exercise tests an organization’s security incident
response policies and procedures.

Blue team goals

When conducting a red team / blue team exercise, the blue team has several
overarching goals. These include:

 Stopping the red team from successfully achieving its goals. The best blue team
outcome is to block the red team from gaining a foothold in the target
organization. Depending on how this scenario plays out, it could be because the
organization’s existing security posture makes it extremely difficult to digitally
infiltrate. However, it is important to note with this outcome that just because the
organization wasn’t infiltrated this time doesn’t mean that vulnerabilities don’t exist
 in the organization’s security configuration or incident response policies, it just
means that the red team wasn’t able to successfully exploit them this time. One
response when this goal is achieved is for the organization to engage with a new
and separate organization to provide red team penetration testing services for the
next red team exercise. The new organization may have a red team approach that
exposes vulnerabilities that weren’t uncovered by the previous red team.

 Early detection and effective response to red team activities. When this outcome
occurs, the blue team quickly detects and responds to red team activities. While
the red team makes some progress towards its goals, the blue team has enough
information to detect and respond to their activities and to evict the red team from
the target organization’s information systems.

 Post-exercise report. This report should detail blue team successes and failures.
Independent of the outcome, this report will assist in improving the processes that
the internal teams follow when a real, rather than simulated, attack occurs. It also
gives members of the blue team a formal chance to reflect on what they did well
and what they could do better. For example, if a bottleneck occurred because
event logs from a system were not accessible to the investigators during the
exercise or the investigators missed critical evidence in the event logs, the report
would highlight this problem.
 Revise the incident response strategy. The outcome of red team exercises
shouldn’t only involve remediating hardware, software, and configuration
vulnerabilities in an organization’s security configuration, but procedural
vulnerabilities in the way that personnel respond to the attack simulation. The
incident response strategy provides organizations with a formal process for
responding to incidents. This goes beyond the phases of the blue team’s kill chain
and will include what responses at an organizational level, for example when it is
necessary to notify external stakeholders about a potential breach, are required.
Based on the results of the red team exercise, it may be necessary to adjust the
incident response strategy so that the organization is more effectively able to
respond to future incidents.

Red team gains complete dominance of the network. The worst outcome from
the perspective of the blue team and indicative that the current information systems
configuration and incident response policies need revision and remediation.

b. Blue team kill chain

Overview
In the information security lexicon, a kill chain describes the structure of an
attack against an objective. While usually used to describe the phases of a red
team’s operation, it’s also common in the information security literature for blue
teams to have their own kill chain. Rather than describing the structure of an attack
against an objective, the blue team kill chain describes the phases of detecting and
responding to an organizational attack. Although there are a variety of different kill
chain phases discussed in the information security literature, blue team kill chains
generally include the following phases:

1. Gather baseline data

2. Detect
3. Alert
4. Investigate
5. Plan a response
6. Execute

Gather baseline data

Having adequate amounts of baseline data allows you to understand what your
environment looks like when it is not under attack. It is difficult to know what is
unusual for your network unless you have a good idea what usual looks like. To
analogize, it’s easier to find needles in a haystack, if you have an extremely good
understanding of the characteristics of a haystack that has no needles present.

Gathering good baseline data means configuring effective logging, monitoring,

and auditing for your organization. When configuring how you will collect baseline
data, consider enabling all auditing and logging options. The more telemetry that you
have, the better picture you’ll be able to generate of what normality looks like in your
organization’s environment. If you haven’t configured all telemetry options, it is
possible that you won’t have a clear enough picture that will allow you to accurately
distinguish normal from abnormal activity. Collect telemetry over a sustained period
that represents your organization’s normal operations. Baseline data should also be
regenerated as changes are made to information systems on the network, so it
reflects the current operation of the network, rather than only representing the
organization’s information systems as they existed at a fixed point in the past.

Detect
Detecting an intruder is often a case of noticing abnormal activity on your
organization’s information systems. For example, one may notice that a server,
where for the last few months connections via remote desktop protocol (RDP) have
only been made during business hours is suddenly servicing RDP requests late at
night on weekends or where a computer is transmitting unusually large amounts of
data to hosts on the internet where previously the amount of traffic it transmitted was
negligible.

Detection can be difficult as competent intruders will attempt to leave minimal

trace of their activities in the telemetry logs of your organization’s information
systems. Rather than detecting abnormalities by manually examining event logs,
many organizations today rely upon Intrusion Detection Systems (IDS) and Security
Information and Event Management (SIEM) systems to identify suspicious anomalies
in the telemetry generated by information systems.

Alert
When does a series of unusual events correlated across multiple logs reach the
stage of being worthy of further investigation? Correlation with other events is
important. A series of failed attempts at remote RDP access by themselves are
suspicious, but don’t indicate a problem. A series of failed attempts at remote RDP
access, a successful remote logon via RDP, and then suspicious failures of the
lsass.exe service occurring in succession is worthy of investigation.

Alerting is the process of bringing suspicious anomalies in the telemetry

generated by information systems to the attention of the blue team. It is important
though that the members of the blue team tune their IDS and/or SIEM systems to
provide an appropriate level of alerting. If an alert system provides too many false
positives, that is it triggers too many alerts that aren’t associated with attacker or red
team activity, then the blue team may miss an alert that is associated with red team
activity through alert fatigue. For example, during a recent breach at a famous
retailer, alerts were generated by the retailer’s internal monitoring about the
attacker’s activity but were discounted at the time as false positives because the
internal systems generated so many alerts for innocuous activity that it wasn’t clear
to the security team whether any individual alert indicated a problem or misclassified
routine events.

Some IDS and/or SIEM systems will provide recommendations as to which

activity requires further investigation and may even suggest further ways to find
evidence to validate the hypothesis that an intruder is present within organizational
systems and that the organization is under attack.

Investigate
Once the blue team has verified the presence of an intruder on the network they
need to determine the degree to which the intruder has infiltrated the network. A
detailed and thorough investigation should determine which systems the intruder has
compromised, when those systems were compromised and how those systems were
compromised. These steps are important because the scope of many intrusions
often exceeds the initial assessment of the severity of the intrusion. Only by
understanding where, how, and when systems were compromised is it possible to
begin to effectively remediate vulnerabilities that led to the compromise and to
achieve the goal of ejecting the intruder from the organizational network.
 Plan a response
Organizations shouldn’t attempt to evict an intruder until they have a good
working understanding of the topology of the intrusion. Similarly, the method through
which an intruder is evicted, and vulnerabilities remediated should be planned rather
than executed in an ad hoc manner.

The red team most likely has fallback strategies. A well-planned response
counters attacker fallback strategy. A purely reactive response can turn into “whack a
mole” where the attacker has a counter move up their sleeve, including becoming
stealthier to make it seem as though they have been evicted to the network when
what they’ve done in reality is moved laterally to a new compromised host and
temporarily ceased activities while they wait out the blue team’s countermeasures.

From an organizational perspective while time is of the essence in terms of

evicting the intruder, in most real-world situations the intruder is only detected long
after they have infiltrated the network. This means that it’s unlikely that substantively
more harm will occur in the time it takes for the blue team to formulate an effective
response than would occur if the blue team responded in an immediate and ad hoc
manner.
Measured Response
The need for a measured response your organization should plan and then
execute a response but it shouldn't be doing is playing Whack-a-mole with the
intruder. Intruders have usually been present for a long time so have likely built in fail
safes that won't be the case in a red team exercise because obviously the red team
won't have been present for that long. But when you are thinking about a real
exercise the reality is that the intruders probably been there for some time before
you've detected them. So what you want to make sure is getting rid of the intruder
doesn't trigger something worse, it's sort of picking up a snake you've got to be very
careful in how you pick up a snake.

Otherwise you're going to get bitten. The first time that the intruder should know
that you're aware of them is when they've been ejected from the network because if
they're aware that you're aware of them. They're going to start putting in place
countermeasures and they're going to be a lot harder to clean out of your
infrastructure. Whereas if you get rid of them in one fell swoop because you've got a
measured response you've figured out the scope of their intrusion and you deal with
that all at once and it might you know even involve cutting yourself off for the internet
effective at a certain point in time. Just so you can clean them out, fix the problems
and then bring yourself back online.
 Execute
During the execution phase, the blue team enacts the response plan to evict the
intruder from the organization’s information systems and to remediate the
vulnerabilities in the security configuration that the intruder leveraged when
infiltrating the network. If completed successfully, the intruder will no longer be
present within the organization’s information systems and the process of performing
a more detailed post incident analysis can occur.

Blue Team Post Mortem!

Blue Team Post Mortem!

After the attack, the Blue team needs to do a couple of things. If got to ask
themselves why?

Where the vulnerabilities there we found by the red team present within the
infrastructure. This is difficult because its really coming to way the organization has
filed to workout how to improve or how to run and type security poster. Because
remember I've talked a couple of times about Infrastructure Security against a
competitor attacker. And what you're hoping in a red team exercise? Is such, the
attacker is either not going to get in the red team, not going to get in or if the red
team does get in its not because you haven't done something obvious. Its because
of some weird, obscure, ninja attacks have been done it's shown which you've
competently secured the infrastructure and they've to do something extraordinary to
get in.

So, find out and discover yourself why the vulnerabilities found by the red team
were actually present in your infrastructure. And hopefully something like well, you
know what it's because we're six months late with our update management. Figure
out during the process or after the process what could have been done during the
process that was better. People's stepping on one anothers choice was a
miscommunication. Does it need to be a better set of protocols written that allow
your organization when they discover that breaches occurred to respond to that
breach more effectively. The other thing to look at is to determine where the
organizations detection mechanisms are lacking. Remember that under the assume
breach philosophy you should focus on detection with the assumption in the
protective measures we're going to file. So, if the red team is successful its because
the organization didn't pick up the penetration earlier enough.
c. Restrict Privilege Escalation

Overview
Privilege escalation is the process by which an attacker acquires the ability to
perform a greater variety of tasks on the organization’s information systems from
those that they were able to perform when they gained an initial beachhead on the
network. An example of privilege escalation would be for the attacker to start with
access to the credentials of a standard user account and to use a variety of
techniques to end up with local administrator or greater privileges. The end goal of
privilege escalation is to acquire full administrative privileges. In an Active Directory
environment this would be the equivalent of the attacker gaining domain admin
privileges.

Restricting privilege escalation is about limiting the ways in which an attacker can
take a compromised unprivileged account. Methods of reducing the probability of
privilege escalation include:

1. Privileged access workstations

2. Just enough administration
3. Just in time administration
4. Restrictions on administrative accounts

Privileged access workstations

A privileged access workstation (PAW) is a computer that is only used to
perform administrative tasks. This computer has a locked down configuration
compared to computers used for day-to-day activities on the network. PAWs have
the following characteristics:

 Access is limited to staff that perform administrative tasks. PAWS are specially
locked down computers that should only be used for administrative tasks. PAWs
should be able to connect to sensitive servers on your organization’s network but
should be unable to browse the internet or perform non-administrative tasks,
such as responding to email. Administrative accounts used to manage sensitive
servers should be configured so that they can only be used on PAWs and not on
typical end user computers used for day-to-day organizational tasks.
 Restrictions on software that can run on the PAW. The software configuration of
the PAW is hardened so that only specifically authorized software can run on the
PAW. This means that malware that might be deployed on the PAW to capture
the credentials of an administrator or to elevate privileges will be unable to run
because it will not be on the list of applications of scripts that are specifically
authorized for the PAW. Windows Defender Device Guard and Windows
Defender Application Control are technologies that you should deploy on PAWs
to control code that can be executed on the computer.
 Protected by secure technologies. PAWs are configured with secure boot,
BitLocker and technologies including Credential Guard. This reduces the chance
that malware can take control of the computer during the boot process.
Credential Guard is a technology that protects credentials stored on the
computer by storing them in a special virtualized container that is only accessible
to authorized processes within the operating system. Credential Guard
minimizes the chance of successful pass-the-hash or pass-the-ticket attacks.

Privileged Access Workstations

Privileged Access Workstations. So, privileged access workstations as we

discussed in the course text, it's a special computer that is configured to only be
used for administrative duties. Now, why should you force this into your organization
you know a lot of organizations IT uses the same workstations as the standard user
they're still using the same SOE.

SOE, of course, being Standard Operating System environment. There are

reasons why you want to enforce the use of privileged access workstations in your
organization and why administrators at your organization shouldn't be using the
same SOE as everybody else. Okay, so the first thing about a dedicated privileged
access workstation that is separate, remember if you've got privileged access
workstation, it means that IT personnel actually have two computers. They've got
the computer that they do their day-to-day stuff on like interacting with the internet,
reading email, writing documents and so on. And then they've got a dedicated
administrative computer. But what using a dedicated Privileged Access Workstation
does is the first thing it does, is it actually putsan administrative user into a specific
security mindset, when they interact with sensitive systems.

If you know that you've got to go across to this particular computer and use
this particular computer only to interact with your sensitive systems. You instantly
have an understanding that you are performing secure tasks. And that can actually
adjust make a difference just thinking about security, makes you more secure in the
way that you interact with a system. The other reason or another reason for needing
Privileged Access Workstation is that it means that you can apply the most stringent
security policies without impacting day-to-day users. There's the old joke that the
more secure something becomes the more inconvenient it becomes. If you go and
have very secure policies that apply to every computer, the people in the accounting
department use, well you are going to get pushback because you've made it too
secure for them, but when it comes to the systems interact with the most sensitive
systems on your network.
 Yeah! turn it on make that system as secure as possible turn on code integrity
policies, so that only whitelisted applications can run. So that you can't discover and
install an application should you need it that there's a whole process that you need
to go through to modify the configuration of that system. You can also if you've got
dedicated privileged access workstations you can even put them on their own
VLAN, you can segment the network. So that your sensitive systems will only accept
communication on administrative protocols from those privileged access
workstations. So that someone can't log in to their laptop that they take home every
night and use that to Remote Desktop into your Domain Controllers. That the only
way that you can remote desktop into Domain Controllers is from a Privileged
Access Workstation.

Just enough administration

Just Enough Administration (JEA) allows organizations to create special
PowerShell endpoints that limit which PowerShell cmdlets, functions, parameters,
and values can be used during a connection to the endpoint. Rather than having to
use a specially configured administrator account to perform an administrative task,
just enough administration allows for a standard user account to leverage a special
virtual account when connected to the PowerShell endpoint. JEA minimizes the
chance of privilege escalation by allowing standard accounts to perform extremely
limited privileged tasks only when connected to specific PowerShell endpoints.

Just in time administration

Just in time administration is a technology where administrative privileges are
provided only for a limited amount of time. When not granted administrative
privileges, accounts only have standard user privileges. It is also possible to have
those limited time privileges only granted subject to approval by another person.
Just in time administration makes privilege escalation difficult because privileges are
time limited, subject to request and approval where necessary, and can be limited in
scope. Just in time administration can be combined with JEA.

Restrictions on administrative accounts

One way of limiting the possibility of privilege escalation is by restricting where
administrative accounts can be used. For example, only allow administrative
accounts for sensitive servers to be used on PAWs or those sensitive servers, do
not allow those accounts to be used to sign on to servers or workstations that aren’t
sensitive. You can also configure sensitive administrative accounts so that they can
only be used at certain times of the day.
 In highly secure environments, administrative accounts can be further limited
by implementing an Enhanced Security Administrative Environment (ESAE) forest.
In this model, the only accounts with administrative privileges in the production
forest are standard user accounts that are stored in the privileged forest.

The production forest has a one-way trust relationship with the privileged
forest. This means that accounts from the production forest cannot interact with the
privileged forest. An attacker that compromises an account in the production forest
cannot elevate privileges as that would require the ability to create or modify
accounts stored in the privileged forest, which is impossible because the privileged
forest does not trust the production forest.

d. Restrict Lateral Movement

Overview
Lateral movement occurs when an attacker who has compromised one
system is able to compromise another system on the network by using an existing
compromised system as a jump off point. For example, a standard user’s
workstation is compromised, and the attacker runs a tool to extract locally cached
credentials. One of these sets of cached credentials allows the attacker to gain
access to a file server. Once the attacker gains access to the file server, cached
credentials stored on that server give them access to a domain controller.

There are a variety of methods that you can use to restrict lateral movement.
Some of the techniques that can be used to guard against privilege escalation can
also be used to reduce the chances that an attacker can perform lateral movement.
Techniques that you can use to restrict lateral movement include but are not limited
to:

1. Code integrity policies

2. Network segmentation
3. No common accounts or passwords
4. Logon script sanitation
5. Apply software updates and patches

Code Integrity policies

Code Integrity (CI) policies allow you to restrict which applications and scripts
can run on a computer. There are a variety of methods that you can use to enforce
code in Windows environments including AppLocker policies on pre-Windows 10 and
pre-Windows Server 2016 systems or Windows Defender Application Guard and
Windows Defender Device Guard on Windows 10 and Windows Server 2016
systems configured with appropriate hardware. By restricting which code and scripts
can run, you can restrict the toolset attackers can make use of to perform lateral
movement.
 Code Integrity Policies

Why you should implement code integrity policies on servers. Code integrity
policies which in the old days would have been Applocker and Software restriction
policies and in these days Windows Defender device guard, perhaps the most
effective easy step that you can take to protect servers from untrusted code. The
way that they work is that, you say I will only allow code that I have specifically
trusted to run on this server and code includes scriptsas well as applications, if this
application is not explicitly trusted do not let it run. If you've got this sort of application
whitelisting implemented on your servers then your servers are instantly a lot more
secure than those servers that don't have it. You'll occasionally see discussions
within the information security community that are well you know don't use that
particular implementation because there's a theoretical workaround for it.

As I've mentioned elsewhere there are theoretical workarounds for a lot of

things but by implementing code integrity policies you are substantially improving the
security posture of your servers. So why am I talking about servers specifically well
you can also of course do code integrity policies on workstations, it's just at
workstations generally need to run a lot more and a higher variety of applications
than your servers need to, so the primary cost of code integrity policies is a time that
it comes to come up with your whitelist of applications in code that you want to allow
to run.

So obviously doing that for servers which need to run a much more limited
subset of code is a lot easier than doing it for workstations, in the best of whole
worlds you run code integrity policies everywhere, in reality running it on
workstations is a great deal of work, running it on servers is less work and the more
work something is the more it costs your organization's even though the technology
is basically built into Windows 10 and Windows Server 2016, but if you can restrict
the code that runs on your server you are really limiting what an attacker can do
should they actually get access to the server because I'll only be able to basically do
I won't be able to run their own tools because those tools won't be trusted.

Network segmentation
You can restrict lateral movement by segmenting critical workloads onto
separate networks and VLANS and then controlling which traffic can cross those
boundaries. Network segmentation allows you to limit which hosts can communicate
with sensitive servers.

For example, you might block traffic from workstations on your organization’s
internal network to servers except on the specific ports required by the workstations.
You could also configure segmentation through firewalls so that you allow a file
server to communicate with workstations on the ports required by file sharing, but not
allow communication between the file servers and workstations on any other port,
including those used for administrative activities such as the ports used by RDP,
PowerShell Remoting, or SSH. You can also segment the network so that sensitive
servers can only allow communication using administrative protocol from a select set
of computers that are locked down and configured as PAWs.

No common accounts or passwords

Organizations should avoid common local accounts being created on
systems. This not only includes disabling the built-in administrator account and
instead using a unique alternative, but also ensuring that a common account isn’t
added to multiple systems with the same credentials. For example, a standard
account created across all systems that have a specific application installed.

Organizations should avoid using a common password for separate accounts.

For example, audits of the security configurations of some organizations have found
that even though they create separate custom accounts to be used for services on
separate computers, those custom accounts are configured with a single common
password. A red team or attacker who can determine that password will have an
easier time performing lateral movement than an attacker or red team in an
environment where every password is complex and unique.

Local Administrator Password Solution (LAPS) can be used to ensure that the
passwords of the local administrator accounts on all computers in an Active Directory
environment have a unique password. This allows organizations to avoid the
common trap of having a standard local administrator account password across all
computers in the organization.

Logon script sanitation

Logon scripts can often include sensitive information, with some logon scripts
even including passwords in clear text. An attacker that gains access to a computer
may have access to any scripts that run on that computer as those scripts may be
accessible over the network using non-privileged credentials. Logon scripts should
not contain sensitive information such as account passwords. Where possible, logon
scripts should be replaced by group policy or configuration management tools such
as System Center Configuration Manager or Microsoft Intune.

Apply software update and patches

Attackers will use any technique available to perform lateral movement within
an organization. This includes exploiting vulnerabilities in operating systems and
applications that have been patched by the vendor but haven’t yet been patched by
the organization.
 While exploit code exists for some vulnerabilities before those vulnerabilities
are patched by vendors, exploit code is more commonly available for vulnerabilities
after those vulnerabilities are patched by the vendor. This is partly because security
researchers and attackers can reverse engineer a software update to determine
what vulnerability the software update addresses and are then able to build a tool to
exploit that vulnerability, rather than having to discover the vulnerability through their
own research.

Organizations should ensure that operating systems, applications, device

drivers and firmware have all appropriate software updates applied in a timely
manner as this will restrict attackers from using known exploits to perform lateral
movement.

d. Attack Detection

Overview
When information systems are properly configured, all attacks, even those
that are unsuccessful, leave some trace that they occurred. Clever attackers will
attempt to remove those traces once they have gained access to a system. If
telemetry monitoring is configured properly within an organization, monitoring
systems will alert the blue team to potential intrusion activity before the attackers
have a chance to remove that telemetry from the compromised systems.

Logging and monitoring

Unless there is a system to record events as they happen on a computer,
finding evidence about how and when something happened will be difficult.
Therefore, the collection of system event telemetry is important to detecting and
understanding how an attacker is infiltrating and compromising a system.

One way of securing event telemetry from deletion by an attacker who has
compromised a system is to move event telemetry off systems to a centralized
location as quickly as possible. Centralizing event logs provides the benefit of
placing many data sources in a single location where events can be correlated.
Attackers who compromise a system will also be unable to remove event log
evidence of their activities if those events are recorded on a separate system.

SIEM systems
SIEM systems perform analysis of event log data as it is generated. SIEM
systems can aggregate data from a variety of sources, correlate that data, and
generate events based on determinations made about that correlated data. SIEM
systems can be software that runs on Windows or Linux server operating systems
and are also available as hardware or virtual appliances. Some SIEM systems
provide compliance, retention, and forensic analysis functionality. They can be used
in conjunction with, or as a replacement for, other event log management systems in
an organization.

IDS
An IDS is a software application, hardware or virtual appliance, that monitors
an organization’s information systems for problematic activity or violations of policy.
There are multiple types of IDS including network intrusion detection systems (NIDS)
that monitor networks for suspicious activity or host-based intrusion detection
systems (HIDS) that monitor a specific system. Multiple IDS can report to a central
SIEM system. This central SIEM system would then provide centralized telemetry
storage, correlation, analysis, alerts, and security recommendations based on
telemetry data. An intrusion protection system (IPS) is a special type of IDS that
includes functionality that allows for an automated response to occur when an
intrusion is detected.

Attack detection and machine learning

Recognizing the characteristic evidence of an attack in hundreds of
thousands, if not millions, of event log entries spread across a multitude of different
event sources is like finding the proverbial needle in a haystack. An advantage of big
data and machine learning is that they are very good at finding patterns and
anomalies that may not have been apparent using older analysis techniques.

Big data and machine learning techniques allow the characteristic traces of
attacks that are present in an organization’s event logs to be recognized and
surfaced. This occurs because while the characteristics of a single attack may be
subtle, when the characteristics of thousands of attacks are analyzed across tens of
thousands of organizations, commonalities are more easily identified. Cloud services
ingest data constantly. This means that the identifying characteristics of a newly
recognized attack will become known to all customers almost immediately.

Microsoft attack detection products

Microsoft has several products that can be used to detect suspicious activity
on an organization’s information systems based on collection and analysis of
telemetry. These products can be used individually or together depending on the
organization’s need. Some of these products can run locally on an organization’s
network and other products use Microsoft’s cloud infrastructure for management and
analytic functionality.

Advanced Threat Analytics

Advanced Threat Analytics (ATA) is a solution that you can deploy in on-
premises environments to detect threats. ATA uses behavioral analytics to determine
what constitutes abnormal behavior on your organization’s network based on its
understanding of prior behavior of security entities. For example, noticing when an
account has suspicious sign-on activity that differs from normal sign-on activity, when
an account performs an enumeration of the membership of sensitive groups, or
when a computer appears to be participating in attacks, such as a golden ticket
attack.

For more information on Advanced Threat Analytics, consult the following

documentation:

https://www.microsoft.com/en-au/cloud-platform/advanced-threat-analytics

Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) has very similar functionality to ATA,
except all of the telemetry is funneled for analysis into the cloud rather than that
analysis being performed on-premises. Similar to ATA, Azure ATP uses behavioral
analytics to determine what constitutes abnormal behavior on your organization’s
network based on learning the prior behavior of security entities. Azure ATP can
ingest telemetry data from SIEM systems, Windows Event Forwarding, directly from
Windows Event Collector as well as RADIUS accounting from VPN endpoints.

For more information on Azure ATP, consult the following documentation:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp

Azure Security Center

Originally deployed as a tool to analyze and report on the security of

resources in Azure, Azure Security Center agents can be deployed to on-premises
servers. Azure Security Center can analyze event telemetry from servers running
both on-premises both bare metal or virtualized as well as servers running as IaaS
virtual machines, correlating events so that administrators are able to view the
timeline of a specific attack as well as steps that can be taken to mitigate that attack.

For more information on Azure Security Center, consult the following documentation:
https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection is a product for Windows 10

endpoints that provides the following functionality:

 Endpoint behavioral sensors. Monitors a Windows 10 computer’s telemetry,

including gathering data from event logs, running processes, registry, file, and
network communications data. This data is forwarded to the organization’s
Windows Defender ATP cloud instance.
 Cloud security analytics. Cloud security analytics takes the telemetry gathered at
the endpoint level and analyzes that data, providing threat detections and
recommended responses back to the organization. This analysis occurs against
information available to Microsoft across the Windows ecosystem as well as
cloud products such as Office 365 and Azure. For example, Microsoft may learn
about and resolve a specific threat from the telemetry of one set of Windows
Defender ATP customers. This insight allows Windows Defender ATP to make
recommendations when the same threat is detected in the endpoint telemetry of
another Windows Defender ATP customer.
 Threat intelligence. Windows Defender ATP doesn’t just rely on telemetry
collected with customer’s consent across the Microsoft ecosystem. Microsoft
also has security researchers and engages with partner organizations to identify
attacker tools and techniques and to raise alerts when evidence of these tools
and techniques surfaces in customer telemetry.

For more information on Windows Defender Advanced Threat Protection, consult the
following web page: https://docs.microsoft.com/en-us/windows/security/threat-
protection/windows-defender-atp/windows-defender-advanced-threat-protection

Office 365 ATP

Office 365 ATP is a service that you can add to an existing Office 365
subscription. Office 365 provides functionality around email messaging and files that
are used with an Office 365 subscription, such as those stored in a SharePoint
Online or Teams site. Office 365 ATP provides the following functionality:

1. Scan email attachments to find malware

2. Scan email messages and office documents to locate malicious web addresses
3. Locate spoof email messages
4. Determine when an attacker attempts to impersonate your users or
organization’s custom domains

Tools and Anomaly Detection

Microsoft Security Tools and Behavioral Anomaly Detection. So one of the

biggest changes that's occurred in information security is the real rapid development
of behavioral anomaly detection. This has become possible because of advances in
machine learning in fact with the most recent Windows 10 update we actually have
the ability to run a lot of machine learning stuff on a Windows 10 workstation as well
as on Server 2016. But also by the accessibility of the public cloud where a lot of
information can be stored.So Microsoft's got a thing called the Microsoft Security
Graph and the Microsoft Security Graph records all of the information that people
opt-in to about their security that is where certain anomalous behavior might be
detected in one particular endpoint and that customers opt-to into Microsoft security
graph.

Once that the characteristics of that anomalous behavior understood for that
one endpoint every other Microsoft customer benefits because suddenly those
characteristics are understood across all of the endpoints. So this is very big change.
In the old days with anti-virus signatures what would hate to happen was the anti-
virus vendor would need to be sent a copy of the virus or would need to see a copy
of the virus that have to building the signatures you'd have to update your signatures
and when you updated your signatures then you'd be able to sort of recognize the
virus. Well, this works a lot more quickly especially when all of this analysis and data
is basically this telemetry is going up into the cloud. So that as soon as it's identified
somewhere you're not waiting for you know, the weekly definition update, those
definitions are basically going down straight ahead.

So there's several products that we need to talk about. We've got Advanced
Threat Analytics or the very newly released Azure Advanced Threat Protection. In a
lot of ways these two products do very similar things. Advanced Threat Analytics you
see On-prem only version Azure Advanced Threat Protection is the cloud-based
version. So you'd choose ATA or Advanced Threat Protection and what they do is
that they do behavioral based detection and they also detect you know stuff like
normal viruses that would turn up that will be detected by Windows Defender, but
they also look at how users and how entities within Active Directory interact on a
regular basis with Active Directory. And then they flag anomalous behavior. So, if
you've got an account that has only ever been used for particular tasks and then
suddenly it's being raised to become a domain admin that would be flagged.

You've got Windows Defender Advanced Threat Protection, so there's a lot of

these products that have good Advanced Threat Protection in their name. So what
do Windows Defender ATP does?Is it basically normally with Windows Defender
each Windows Defender endpoint is an endpoint and to itself, which means that one
computer doesn't share information with another. The idea with Windows Defender
ATP is it all hooks into the cloud into that Microsoft security graph. So that you get
telemetry across all of your organizations. And things not just the detection of
malware but suspicious changes to registry files, suspicious activity in event logs that
will be flagged for you again because when all of this telemetry is going up into the
cloud and is being analyzed there.

It's easier to flag that rather than you know the way they do we do it in the old
days where we'd be going and searching through event logs for specific IDs that
we're alerting us to something. What happens here, is this telemetry just goes up into
the cloud and we get a load because it knows what to look for with event IDs with
changes to registries which changes to files and so on. There's a Azure security
Center. Azure Security Center primarily designed for if you are running all of your
workloads in Azure and it'll also find problems with Software as a Service
configuration, so if you're running websites within azure it will make
recommendations on for example putting firewalls in place in front of those websites,
application, gateways and so on. It will also flag problems that you might have with
your Virtual Machine configuration with your Azure SQL configuration.

You can also put an On-prem agent for servers with Azure Security Center but
to a certain extent you'd probably say if you are worrying about your On-prem
security and you wanted that data so that telemetry going up into Azure you'd be
probably thinking more with Azure Advanced Threat Protection which as I said is as
of March 2018 now generally available. Now analytics in the cloud is going to be the
way forward in terms of detection. Because it's a very very good way of picking up
anomalous activity. Just hoping that you can run a box On-prem and that-- that's
going to pick up all of the anomalous activity.

Well, it can only know what it's going to know and if you're hooking into
Microsoft security graph directly and again you opt in it's not like Microsoft's stealing
your data and asking you without information.then you've got the advantage of
everything that they know about security being able to be detected within your
environment.

EXAM
EXAM
EXAM