Session On OWASP

The document discusses cybersecurity skills and practices, including the cyber kill chain framework which outlines the typical stages of a cyber attack. It also discusses defense in depth, a multi-layered cybersecurity approach, and cyberwar involving politically motivated hacking for sabotage or espionage.

Uploaded by dineshobareja

CybersecurITy Assist Program (CAP)
Session 14

Topic: CyberSecurity Skills, Practices
April 13, 2019
Dinesh O Bareja
CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR

ABOUT ME
• Researcher Founder: IndiaWatch & Open Security Alliance
• Principal Advisor: Pyramid Cyber Security & Forensic Pvt Ltd; IceWarp Technologies Ltd; Cyber Peace Foundation; Red Team Hacker Academy
• Co-Founder: Indian Honeynet Project
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
Enterprise & Government Policy Development; Cyber Security Strategy, Design & Architecture; Specialist – GRC, SOC, ERM, COBIT, ISO, BCP/DR etc.
CAP Session 14: Cyber Security Skills & Practices
Cyber Kill Chain

• Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.
• The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.

The 7 steps of The Cyber Kill Chain
• Reconnaissance - e.g. harvest email accounts
• Weaponization - e.g. couple an exploit with a backdoor
• Delivery - e.g. deliver bundle via email or Web
• Exploitation - e.g. exploit a vulnerability to execute code
• Installation - e.g. install malware on target
• Command and Control - e.g. command channel for remote manipulation
• Actions on Objectives - e.g. access for intruder to accomplish goal

• A kill chain is used to describe the various stages of a cyber attack as it pertains to network security.
• The actual steps in a kill chain trace the typical stages of a cyber attack from early reconnaissance to completion, where the intrusion succeeds.
• Analysts use the chain to detect and prevent advanced persistent threats (APT).

Applying the Kill Chain
• Disruption of an attack at any stage breaks the chain of attack!
• Adversaries must completely progress through all phases for success;
• This puts the odds in our favor as we only need to block them at any given one for success.
• Every intrusion is a chance to understand more about our adversaries and use their persistence to our advantage.
• The kill chain model is designed in seven steps:
• Defender’s goal: understand the aggressor’s actions
• Understanding is Intelligence
• Intruder succeeds if, and only if, they can proceed through steps 1-6 and reach the final stage of the Cyber Kill Chain®.

The Best Offense is a Good Defense
The Lockheed Martin Intelligence Driven Defense®
• The intent: stop offensive maneuvers while maintaining a defensive posture.
• Every defensive stance or offensive maneuver launched is driven by human collection of information.
• Human interaction is the fuel for cyberthreats
• Events caused by a human must be resolved by a human
• Harness intelligence from adversary during the threat life cycle
• Use to minimize impact of an attack.
• That information is shared across domains to protect against future attempts
Kill Chain
Kill Chain Phase / Adversary Actions / Defender Actions

Reconnaissance (Identify the Targets)
  Adversary: In planning phase of attack; conduct research to understand objective-based targets.
  Defender: Uses tools to detect reconnaissance before or after attack (later on it is for forensics).

Weaponization (Prepare the Operation)
  Adversary: Prepare staging of the op – create malware, possibly using automation, then deliver payloads using a “weaponizer”.
  Defender: Build capability to detect weaponization; weaponizer artifacts are often the most durable & resilient defenses.

Delivery (Launch the Operation)
  Adversary: The adversaries convey the malware to the target. They have launched their operation.
  Defender: This is the first and most important opportunity for defenders to block the operation.

Exploitation (Gain Access to Victim)
  Adversary: Exploit a vulnerability to gain access, maybe a “zero day”.
  Defender: System hardening adds resiliency; need customized capabilities for stopping zero-day.

Installation
  Adversary: Install a persistent backdoor or implant to maintain access for an extended period of time.
  Defender: Endpoint detection and logging, using malware analysis as part of mitigation activity.

Command and Control
  Adversary: Malware opens a command channel to enable remote manipulation.
  Defender: Last best chance to block the op: block the C2 channel. No command means no impact.

Actions on Objectives
  Adversary: With access intruders accomplish their goal. What happens next depends on who is on the keyboard.
  Defender: Longer the access, greater the impact. Detect as quickly as possible; use forensic evidence for damage assessment.

• https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf
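The phase table above is, in practice, a skeleton for a detection view: each sensor's alerts land in one phase, and the defender only has to stop the adversary at one of them. The script below is an added example (not code from the slides or from Lockheed Martin's paper): it maps constructed alerts from assumed sensors to the seven phases and reports, per host, where the chain was broken and whether the intruder reached Actions on Objectives; the sensor names, event names and alert format are assumptions.

```python
"""Kill-chain phase tracking over constructed alerts (added example; not code
from the slides or Lockheed Martin). Sensor names, event names and the alert
format are assumptions; a real SOC maps its own detection content to phases."""
from dataclasses import dataclass

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Assumed (sensor, event) -> phase mapping. Weaponization happens off-network,
# so no sensor event maps to it.
PHASE_BY_EVENT = {
    ("web_log", "scanner_user_agent"): "Reconnaissance",
    ("mail_gateway", "malicious_attachment"): "Delivery",
    ("edr", "exploit_behaviour"): "Exploitation",
    ("edr", "persistence_created"): "Installation",
    ("proxy", "c2_beacon"): "Command and Control",
    ("dlp", "bulk_exfil"): "Actions on Objectives",
}

@dataclass(frozen=True)
class Alert:
    ts: int        # constructed timestamp, seconds
    sensor: str
    event: str
    host: str
    action: str    # "blocked" (control stopped it) or "allowed" (detect only)

def phase_of(alert):
    return PHASE_BY_EVENT.get((alert.sensor, alert.event))

def analyze_host(alerts, host):
    """Summarise one host's progress along the chain.
    broken_at: phase where a block occurred with no later phase seen afterwards.
    objective_reached: an Actions on Objectives event got through unblocked."""
    observed, broken_at, first_detected, objective = set(), None, None, False
    for a in sorted((x for x in alerts if x.host == host), key=lambda x: x.ts):
        phase = phase_of(a)
        if phase is None:
            continue  # unmapped event: triage separately, not a chain phase
        first_detected = first_detected or phase
        observed.add(phase)
        if a.action == "blocked":
            broken_at = broken_at or phase
        elif broken_at and PHASES.index(phase) > PHASES.index(broken_at):
            broken_at = None  # adversary got past the block: chain intact
        if phase == PHASES[-1] and a.action == "allowed":
            objective = True
    ordered = [p for p in PHASES if p in observed]
    return {"phases": ordered, "first_detected": first_detected,
            "furthest": ordered[-1] if ordered else None,
            "broken_at": broken_at, "objective_reached": objective}

def report(alerts):
    """Per-host summaries keyed by host name, for the whole alert stream."""
    return {h: analyze_host(alerts, h) for h in sorted({a.host for a in alerts})}

SAMPLE_ALERTS = [  # constructed alert stream
    Alert(100, "web_log", "scanner_user_agent", "www-1", "allowed"),  # recon only
    Alert(200, "mail_gateway", "malicious_attachment", "ws-01", "blocked"),
    Alert(210, "mail_gateway", "malicious_attachment", "ws-02", "allowed"),
    Alert(220, "edr", "exploit_behaviour", "ws-02", "allowed"),
    Alert(230, "edr", "persistence_created", "ws-02", "allowed"),
    Alert(240, "proxy", "c2_beacon", "ws-02", "blocked"),  # stopped at C2
    Alert(300, "mail_gateway", "malicious_attachment", "ws-03", "allowed"),
    Alert(310, "edr", "exploit_behaviour", "ws-03", "allowed"),
    Alert(320, "edr", "persistence_created", "ws-03", "allowed"),
    Alert(330, "proxy", "c2_beacon", "ws-03", "allowed"),
    Alert(400, "dlp", "bulk_exfil", "ws-03", "allowed"),  # chain completed
]

if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```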

Defense in Depth
• Multi-layered approach with intentional redundancies for Cybersecurity resilience using multiple coordinated security countermeasures for protection
• Based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier
• Components include AV, firewalls, anti-spyware programs, IDS, biometrics, SOC, SIEM, DLP, physical security, awareness and training

Figure: https://blog.knowbe4.com/hubfs/Defense_in_Depth.jpg

Figure: The Fan, illustrating technology and process defense in depth (architectural pictorial) – https://www.researchgate.net/profile/Dennis_Mccallam2/publication/278676540/figure/fig1/AS:669533329190925@1536640593667/The-Fan-illustrating-technology-and-process-defense-in-depth-architectural-pictorial.jpg

CyberWar

Cyberwar
• Threat Modeling
• Kill Chain, Defense in Depth
• Cyber Resiliency
• Cyberwar
• Data Sovereignty
• Data Localization
• Privacy
• Smart Stuff
What is… CYBER WAR
• Politically motivated hacking to conduct sabotage / espionage
• Use or targeting in a battlespace or warfare context of computers, online control systems and networks. It involves both offensive and defensive operations pertaining to the threat of cyberattacks, espionage and sabotage.
It’s all about data
• Steal IP
• Deletion of data / IP
• Spying on other governments (or companies)
• Destruction (industrial systems, maritime, aviation)
• Disruption (make data unavailable - DDoS attacks, critical infrastructure)
This is Not Cyberwar
• Defacements
• In fact it can be termed anti-national

History: First Recorded incident
• The Trans-Siberian Soviet Pipeline Sabotage – ca. 1982
• The pipeline used SCADA plans stolen from a Canadian firm by the KGB
• CIA was tipped off before the theft
• CIA had the company insert “The First” logic bomb into their software for sabotage
• The result was an explosion that was 1/3 the size of Hiroshima. It even showed up on NORAD’s nuclear missile launch warning system!
• Killed per estimate around 2,500 to 3,000 souls
• Caused black out for 90 days
• Power that was cut during the winter of 1982 led to mass electrical and power loss; cost countless civilian lives that could not be counted. (Cold War politics)
Who wages War
• Governments (United States & Israel – Stuxnet, China – F16)
• Nation States – China, Iran, N Korea, US etc
• Non-State actors
• Activist Groups
• Religious Groups
• Individuals - Foreign and domestic
• Spies and terror groups
• State and local governments
https://www.popularmechanics.com/military/aviation/g23303922/china-copycat-air-force/

History 1
• Kosova War – Date: May 7th 1999
• A NATO jet bombed the Chinese Embassy in Belgrade, because it was providing communications support for the Yugoslav Army
• 12 hrs. later – The Chinese Red Hacker Alliance formed, and retaliated with thousands of Cyber Attacks against US government and its websites.
• Estonia – May 2007
• The famous Bronze statue of a World War II-era Soviet soldier was removed from the park
• *Allegedly* a combo of Russian Government organizations and individuals took down the whole Estonian internet.
• Russian Government denies any involvement

History 2
• Stuxnet – June 2010
• Targeted Iranian nuclear weapons enrichment centrifuges in Natanz
• Took down 2/3rds of the program – set them back 7 years
• “Leaked” widely beyond intended targets on the net – From Siemens
• Authors still unknown at this time
• Computer believed to be used was the 1st quantum computer hack, coordinated between Israel and The United States.
• Trapwire – June 2010
• Global facial and tracking system – closed circuit cameras
• Maps users across Global ship to shore networks
• 1st program of its kind to use biometrics and facial recognition software to track users in mass – Used at Olympic Games twice
• Local and State (use Trapwire) – used by DHS in 18 major markets
• https://www.trapwire.com/

Hello India! Are We Ready

Hum to maan hi nahi saktey (we can’t believe this)
The leak of more than 22,000 pages exposes secrets about the combat capabilities of Scorpene-class vessels.

Indian history
• CERT-In created in 2004
• That year, there were 23 reported cyber security breaches.
• In 2011, there were 13,301. National Critical Information Infrastructure Protection Centre (NCIIPC) created
• Feb 2013 - Nuclear Power Corporation of India (NPCIL) stated that they were forced to block up to ten targeted attacks a day.
• Cyber attack reported 12 July 2012: email accounts of about 12,000 people breached, including those of officials from the MEA, MHA, DRDO, ITBP
• *470,000 shortfall of such experts despite the country's reputation of being an IT and software powerhouse
• 04 December 2010, Pakistan Cyber Army hacked the website of CBI (more than 3 months to recover)
• Plus our share of many other incidents – big and small
• March 2019 – BJP website defaced by Pakistanis (more than 2 weeks to recover)
• Indane Gas Leak was no gas but about thousands of user data (Aadhaar, etc) leaked and available online – they said all izz well, hamara leak nahi hua! (our data was not leaked)
If you take more than 1 day to restore a defaced website we can suspect that much more than a blackened face has happened

Hello India! Are We Ready
• Budget == secret bad word
• Capability == Fragmented
• Capacity == Lots of noise
• Organization == chaotic
• Future Plan == Future! It’s top secret
• Core Cybersecurity Strategy == knee jerks based on ignorance or pompousness
Connected Warrior
• Wearables
• Communication
• Quick & Accurate response
• Always connected
• Real time information
• Gesture controls

DATA SOVEREIGNTY & LOCALIZATION
• Data Localization calls for Sovereign Data to be stored on servers located within the country

Data Sovereignty
• Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.
• Many of the current concerns that surround data sovereignty relate to enforcing privacy regulations and preventing data that is stored in a foreign country from being subpoenaed by the host country’s government.
Data Localization
• On 08 April 2018, the Reserve Bank of India (RBI) issued a notification to mandate the storage of all end-to-end transaction data within India
• RBI requires unrestricted supervisory access to all the payment data and hence this mandate

Data Localization
Data Localization Laws in other countries
• China - China’s Cybersecurity Law not only seeks to control data within its territory but also control Chinese language and media external to its borders. Has blocked many U.S. based internet companies to assist local competitors to expand and so increasing China’s influence on the internet and data.
• Russia - In 2015, enacted the Federal Law No. 242-FZ which requires all the personal information of Russian citizens to be stored and processed on the servers located in the country.
• LinkedIn refused to co-operate with the new regulations and was blocked, WeChat in May 2017
• Kazakhstan Law No. 94-V on Personal Data and Protection 2013 mandated the need to store all the personal data by the owner or operator or a third party on databases located in the country.
• Canada does not have a federal data localization regulation but provinces such as British Columbia and Nova Scotia have laws which restrict data transfer outside the borders of the country. PIPEDA is used in a number of states to direct localization.
• Australia My Health Records Act, formerly called Personally Controlled Electronic Health Records Act, prohibits the transfer of personal health data outside the country.
• Turkey enforced law on Payment and Security Reconciliation Systems, Payment Services, and Electronic Money Institutions, against the payment service providers, requiring them to process all the data locally. PayPal has lost its license to do business in Turkey because it failed to comply with the policy.
https://cyberblogindia.in/reserve-bank-of-indias-data-localization-policy/

Data Localization
• Arguments against Data Localization are usually as follows
  • India cannot secure the data and the data will be at risk if stored here
  • Things will become expensive for consumers as the cost for storage will be high
  • There will be bad economic fallout as business will move out of India
  • Companies will have to invest in hardware / software and will not get world class maintenance
  • etc
• Arguments For Data Localization are the following
  • World class facilities exist in the country and more are coming up
  • It will open up the need for many more data centers and this translates into more jobs and facilities
  • Law enforcement agencies will be able to get quick access to data in case of any security incident (this takes months / years now)
  • All entities operating in India are answerable to Indian laws
  • Foreign companies are using / misusing Indian data
Threat Modeling
• Threat = a potential or adverse event that can compromise the assets of an enterprise
  • malicious like DoS attack
  • incident like device
• Procedure for optimizing network security by
  • Identifying objectives and vulnerabilities,
  • Then define countermeasures to prevent, or mitigate the effects of, threats to the system
  • Determine prioritization
  • Identify focus areas to apply most effort for system security
• Process consists of defining enterprise assets
  • Identifying what each application does with respect to these assets,
  • Creating a security profile for each application,
  • Identifying potential threats,
  • Prioritizing potential threats, and
  • Documenting adverse events and the actions taken in each case
• Not easy to carry out as it is expected to be dynamic and iterative .. this means
  • Variable, changes as IT infra grows
  • Add, remove, or upgrade applications
  • User requirements evolve



Microsoft
• The Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL)
• Software architects can identify and mitigate potential security issues at an early stage in the SDL
• At an early stage it is relatively easy and cost-effective to resolve, helping reduce costs
• Tool can be used easily by non-security experts, making threat modeling easier for developers
• Provides clear guidance on creating and analyzing threat models.
• The tool enables anyone to:
  • Communicate about the security design of their systems
  • Analyze those designs for potential security issues using a proven methodology
  • Suggest and manage mitigations for security issues
Microsoft
• Some tooling capabilities and innovations:
  • Automation: Guidance and feedback in drawing a model
  • STRIDE per Element: Guided analysis of threats and mitigations
  • Reporting: Security activities and testing in the verification phase
  • Unique Methodology: Enables users to better visualize and understand threats
  • Designed for Developers and Centered on Software: many approaches are centered on assets or attackers. Microsoft is centered on software, building on activities that software developers and architects are familiar with -- such as drawing pictures for their software architecture
  • Focused on Design Analysis: The term "threat modeling" can refer to either a requirements or a design analysis technique. Sometimes, it refers to a complex blend of the two. The Microsoft SDL approach to threat modeling is a focused design analysis technique
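"STRIDE per Element", named in the capabilities above, means deciding which of the six STRIDE categories apply to each kind of data flow diagram element (external entity, process, data flow, data store). The script below is an added example, not code from the Microsoft Threat Modeling Tool or from the slides: it enumerates STRIDE-per-element threats for a constructed web application DFD and ranks the flows that cross a trust boundary first. The element names, boundary labels and the rule that repudiation applies only to audit-log stores are assumptions.

```python
"""STRIDE-per-element enumeration over a small data flow diagram (added
example; not code from the Microsoft Threat Modeling Tool or the slides).
Element names, trust-boundary labels and the audit-log rule for repudiation
on data stores are assumptions."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element chart: categories that apply to each DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",   # R kept only for stores that hold audit/log data
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    boundary: str = ""          # trust boundary the element sits in
    endpoints: tuple = ()       # data flows only: (source, destination) names
    audit_log: bool = False     # data stores only: holds audit/log records

def categories_for(el):
    """STRIDE letters that the chart says apply to this element."""
    letters = APPLICABLE[el.kind]
    if el.kind == "data_store" and not el.audit_log:
        letters = letters.replace("R", "")
    return list(letters)

def crosses_boundary(el, by_name):
    """True for a data flow whose endpoints lie in different trust boundaries."""
    if el.kind != "data_flow":
        return False
    src, dst = (by_name[n].boundary for n in el.endpoints)
    return src != dst

def enumerate_threats(dfd):
    """One candidate threat per (element, applicable STRIDE category)."""
    by_name = {el.name: el for el in dfd}
    return [{"element": el.name, "kind": el.kind, "category": STRIDE[letter],
             "crosses_boundary": crosses_boundary(el, by_name)}
            for el in dfd for letter in categories_for(el)]

KIND_ORDER = {"data_flow": 0, "process": 1, "data_store": 2, "external_entity": 3}

def prioritized(dfd):
    """Boundary-crossing flows first, then processes, stores, external entities."""
    return sorted(enumerate_threats(dfd),
                  key=lambda t: (not t["crosses_boundary"], KIND_ORDER[t["kind"]]))

DFD = [  # constructed three-tier web application
    Element("Browser", "external_entity", "internet"),
    Element("Web App", "process", "dmz"),
    Element("Session Cache", "data_store", "dmz"),
    Element("Orders DB", "data_store", "internal", audit_log=True),
    Element("HTTP request", "data_flow", endpoints=("Browser", "Web App")),
    Element("Cache lookup", "data_flow", endpoints=("Web App", "Session Cache")),
    Element("SQL query", "data_flow", endpoints=("Web App", "Orders DB")),
]

if __name__ == "__main__":
    for t in prioritized(DFD):
        flag = "!" if t["crosses_boundary"] else " "
        print(f"{flag} {t['element']:<14} {t['kind']:<16} {t['category']}")
```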
Learning New Stuff

MITRE – a L’IL History
(Images: Mitre Center, Bedford; Mitre building in McLean, Virginia)
• MITRE maintains the Common Vulnerabilities and Exposures (CVE) system and the Common Weakness Enumeration (CWE) project.
• Since 1999, the Mitre Corporation functions as editor and primary CNA (CVE Numbering Authority) of the Common Vulnerabilities and Exposures
• CVE is now the industry standard for vulnerability and exposure names
• Was formed in 1958 to provide overall direction to the companies and workers involved in the U.S. Air Force SAGE project.
• In April 1959, a site was purchased in Bedford, Massachusetts, near Hanscom Air Force Base, to develop a new Mitre laboratory
• Developed and supported military Command, Control, Communications and Intelligence (C3I) projects and most DoD early warning communications projects and worked on a number of projects with ARPA, like
  • Airborne Warning and Control System (AWACS)
  • Advanced Research Projects Agency Network (ARPANET)
  • Joint Tactical Information Distribution System (JTIDS)
  • Joint Surveillance and Target Attack Radar System (JSTARS)


MITRE ATT&CK™
• ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE started this project in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. ATT&CK was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. FMX’s objective was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks.
• ATT&CK is an open knowledgebase available to any person or organization for use at no charge
• It is a library of adversary tactics and techniques based on real-world observations
• Can be used as a foundation for the development of specific threat models and methodologies
• Extensively used in the private sector, government, cybersecurity product development and services community
• MITRE’s Cyber Analytics Repository (CAR). MITRE launched CAR as a repository of analytics, which we take to mean a way of identifying or detecting an adversary technique. CAR also contained a data model for describing the observable behavior that can be used to detect those techniques, and a list of sensors to collect that data.

Cyber Resiliency / Privacy / Smart Stuff
a. Threat Modeling
b. Kill Chain, Defense in Depth
c. Cyber Resiliency
d. Cyberwar
e. Data Sovereignty
f. Data Localization
g. Privacy
h. Smart Stuff
Online
• Reading – Data Centers, DR Sites
• Review examples of risk tools (frameworks, registers, data classification etc)
• Read up on ISO31000, BIA, RTO/RPO
• Security architecture, threat modeling


Thank you – practice well
• This PPT will be uploaded to the CAP website and the download link will be shared on the WhatsApp group
• Please avoid sharing outside the group at this stage as we want to have your opinion first for any enhancements
• Please share your feedback

End Session 14
• Session 15 – Next Saturday April 20, 2019
• IT Operations
• Backup
• Device Configuration and hardening
• Patch Management
• BCP/DR
• Presented by CAP team
ABOUT ME
Information Security professional working hard to stay abreast of technology, risks, threats, opportunities and looks forward to the excitement of the future..

MY CONTACT INFORMATION
[email protected]
@bizsprite
linkedin.com/in/dineshbareja
+91.9769890505
dineshobareja
indiawatch.in
dineshbareja.com