Welcome Back

to the CISSP
Bootcamp
Your instructor:

Michael J Shannon
CISSP #42221 / #524169,
CCNP-Security, PCNSE7,
AWS Certified Security – Specialty, • Class will begin at
GIAC GSEC, OpenFAIR, and 10:00 A.M. Central
ITIL 4 Managing Professional Standard Time (CST)
• Management access should be limited to secure protocol
alternatives, as in SSH instead of Telnet
• SSH2 is preferable to SSH1 whenever possible
• SSH2 uses symmetric encryption for the bulk data encryption
and asymmetric algorithms in their key management processes
• SSH2 uses DH for key exchange
• Router(config)#hostname CISSP-R1
• CISSP-R1(config)#ip domain-name
example.com
• CISSP-R1(config)#crypto key
generate rsa general-keys
modulus 2048
• The name for the keys will be:
CISSP-R1.example.com
• % The key modulus size is 2048
bits
• % Generating 2048 bit RSA keys,
keys will be non-exportable…
[OK](elapsed time was 0 seconds)
*Apr 9 19:01:50.517: %SSH-5-
ENABLED: SSH 1.99 has been enabled
• CISSP-R1(config)#username admin
secret S3curity3plus5
• CISSP-R1(config)#line vty 0 15
• CISSP-R1(config-line)#login
local
• CISSP-R1(config-line)#transport
input ssh
• SMTP is not natively secure, so it needs an extra security
layer: Secure/Multipurpose Internet Mail Exchanger
• S/MIME v3 has become the standard for email
message security
• Digital signatures are the most common S/MIME service
providing authentication, data integrity, and non-
repudiation
Message Unique Unique Signing
body sender recipient operation
captured information information performed
retrieved retrieved

+ -
Digital Encryption Encryption Message
signature operation message replaces sent
appended performed original
message
• Essentially the File Transfer Protocol over TLS
• Also called FTP over TLS and FTP Secure
• Typically used server-to-server
• Uses AES, RSA/DSA, and X509v3 certificates
• Explicit FTPS
• Selected parts or components for communication are
encrypted

• Implicit FTPS
• All communications are encrypted
• IETF-designed version of FTP that provides secure
data access and transfer over an SSH2 channel
• It is a function of the SSH Protocol and is also called
SSH File Transfer Protocol
• Both the commands and data are encrypted
• Platform-independent
• Slower than SCP
• DNSSEC (DNS Security Extensions) protects users
from DNS attacks and forces systems to detect DNS
attacks
• It adds a layer of trust on top of DNS by providing
authentication while the root DNS name servers
help verify domains
• To facilitate signature validation, DNSSEC adds a few new DNS
record types:
• RRSIG – contains a cryptographic signature
• DNSKEY – contains a public signing key
• DS – contains the hash of a DNSKEY record
• NSEC and NSEC3 – for explicit denial-of-existence of a DNS record
• CDNSKEY and CDS – for a child zone requesting updates to DS
record(s) in the parent zone
VoIP security
• Secure Real-Time Transport Protocol (SRTP) extends
the RTP protocol by providing enhanced security
techniques
• Provides encryption, integrity, and authentication
verification of data and messages transported by RTP
• Released in 2004 by Cisco Systems and Ericsson
• Uses AES as its default encryption cipher in
Segmented Integer Counter Mode and f8-mode to
allow the AES block cipher to be used as a stream
cipher for the RTP data stream
• LDAP was based on X.500 but is a lighter, cross-platform, and
standards-based solution
• LDAP servers are easy to install, maintain, and optimize, but they are
without solid security of the queries, updates, and valuable
information in the LDAP directory
• LDAPS (TCP 636) is LDAP over SSL/TLS
• SASL (Simple Authentication and Security Layer) BIND also offers
authentication services using mechanisms like Kerberos, or a client
certificate sent with TLS
• SNMPv3 can be configured in three modes:
• noAuthNoPriv – no cryptographic hash or
encryption (passwords)
• AuthNoPriv – cryptographic HMAC (SHA1 or SHA2)
to secure authentication credentials and provide
integrity, but no data encryption
• AuthPriv – HMAC for integrity and secure
authentication credentials, and encryption (AES) of
data
• QUIC is a "newish" transport protocol that was originally designed by
Jim Roskind at Google
• It reduces latency compared to using TCP
• Since TCP is implemented in operating system kernels, and middlebox
firmware, making significant changes to TCP is next to impossible
• QUIC is built on top of UDP – it has no such limitations

• QUIC is like TCP+TLS+HTTP/2 implemented over UDP and provides for

• dramatically reduced connection establishment time
• improved congestion control
• multiplexing without head of line blocking, and
• connection migration
• If a web site accepts an HTTP connection and redirects it to
HTTPS, users may initially access the non-encrypted version of the
site before being redirected
• This creates a vulnerability to man-in-the-middle attacks, as the
redirect can be exploited to direct users to a malicious site
instead of the secure version of the original site
• HTTP Strict-Transport-Security (HSTS) allows a TLS web site to
instruct browsers that it should only be accessed using HTTPS,
instead of using HTTP
• The web server employs the HTTP Strict-Transport-Security
header
• Software-defined networking (SDN) virtualizes
network functionality by separating the control
and data planes and implementing the
network intelligence in software – typically
hypervisor or proprietary server solutions
• Micro-segmentation is a method of creating
zones in data centers and cloud environments
to insulate workloads from one another and
secure them independently
 Applications

Control plane
SDN controller

SDN Datapath

Data plane Switches

CDPI

Pool of application servers

• Software Defined Wide Area Network is an SDN
approach that raises network traffic management
away from the hardware and premises to next-
generation software in the cloud for superior agility,
control, and visibility
• Incorporates a centralized control function with user-
defined application and routing policies to deliver
highly secure, robust, application-aware network traffic
management
 VNet VNet
VNet VNet

Virtual v-CPE Office

WAN NVA 365

Enterprise
Enterprise SD-WAN
SD-WAN
controller/
orchestrator
CPE
CPE CPE CPE CPE

SD-WAN branch HQ SD-WAN branch

• VXLAN solutions from a variety of vendors decouple the physical
hardware from the network map in order to support
virtualization
• This uncoupling allows the data center network to be deployed
programmatically
• It allows both Layer 2 and Layer 3 transport between VMs and
bare-metal servers
• Has a much larger scale than traditional VLANs
 CORE

Spine 1 Spine 2 Spine 3 Spine 4

Leaf 1 Leaf 2 Leaf 3 Leaf 4 Leaf 5 Leaf 6 Leaf 7 Leaf 8 Leaf 9 Leaf 10 Leaf 11 Leaf 12 Leaf 96

10G
10G
40G
Ethernet- Ethernet- Ethernet- Ethernet- 40G
connected connected connected connected
end system end system end system end system 100G
IP-connected IP-connected IP-connected 25G
IP-connected
end system end system end system 50G
end system
• Switch port security as a base configuration on all layer 2 devices
• Hard code access and trunk ports
• Mitigate MAC flooding attacks
• Enable PortFast and auto-recovery
• Loop prevention and flood guard techniques

• Deploy VLANs and PVLANs to enforce a Layer 2 trust model and

compartmentalization
• DHCP snooping, DAI, IP SourceGuard
• Protect any dynamic trunking protocol, like VTP
• IEEE 802.1X PNAC and 802.11AE MACsec are critical features
• MACsec uses AES-GCM-128/256 with GMAC – this is an AEAD
• WLCs have a "session level" access control for
management protocols and MFP features
• All interactive management traffic to the controller
will be done through HTTPS/SSH (encrypted)

• Control Plane Policing and CPU ACLs control

the control plane and which devices can talk
to the main controller processor
• Network IDS/IPS solutions
• SIEM and log event correlation
• Locate rogue radios and access points
• Network Address Translation
• Infrastructure Access Control Lists (ACLs)
• Unicast and Multicast Reverse Path Forwarding
• Integrated and modular L2-7 next-generation firewall and intrusion
prevention services (IDS/IPS)
• VPN gateways for TLS and IPsec
• URL filtering and caching
• Integration with various cloud security services (web, email, DLP, anti-
malware)
• Coordinate with Managed Security Service Providers (MSSP)
• A firewall is a metaphor representing
software and/or hardware controls
that can limit the damage
spreading from one subnet, VLAN,
zone, or domain to another
• It is typically deployed as a barrier
(zone interface point) between an
internal (trusted) network and an
external (untrusted) network Authorized
traffic passes
Unauthorized
• They are integrated systems of traffic is
threat defense functioning at layers rejected
2-7 and can be categorized Inbound traffic
as network or application firewalls
Internet
Layer 5-7 policies
Also called DPI and AVC

Authentication proxies
Interactive and transparent

Identity services
For ABAC engines and IdM
Integrated IDS/IPS
Modular and cloud-based IPS

Content security
With data loss prevention (DLP)

Advanced malware
protection
Cloud-based solutions
URL filtering
To enforce AUPs

Botnet filtering
DNS-based Anti-DDoS protection

Cloud correlation and

participation
Sec-as-a-service (MSSP) integration
• An appliance (physical or virtual), server plugin, or filter that
applies a set of rules to an HTTP or HTTPS conversation
• Typically, these rules cover common web attacks, such as cross-
site scripting (XSS) and SQL injection
• Typically deployed as dynamically configured WebACLs and
Anti-DDoS engines with other threat management services
• The AWS WAF can be deployed on an elastic application load
balancer, CDN distribution, or API gateway
 Intrusion detection system Intrusion prevention system
Firewall Firewall
Internet Internet

Attacker Attacker IPS

IDS Switch

Alert

Management station Corporate network Corporate network

• Inline IPS or monitor (passive mode)
• In-band vs. OOB
• Signature-based
• Anomaly-based
• Heuristic/behavioral-based (ML)
• Cloud-based (NGIPS)
• Alerts and alarms
• Verbose dumps
• TCP resets
• Drop packets or addresses
• Blocking (shun) on firewalls and routers
• SNMP traps
• Logging to Syslog and SIEM systems
• Flows to NetFlow collectors
 True positive False positive
True (accurate) + positive (action False (error) + positive (action taken)
taken)

True negative False negative

True (accurate) + negative (action False (error) + negative (action not
not taken) taken
• Honeypots and honeynets are isolated systems, sites, and services with data that
appear to be valuable to an attacker
• Entice potential malicious users to connect (internal or external)
• Track and log all traffic to and from the honeypot
• Run IDS services and other next-generation cloud-based analysis
• Perform active defense procedures

Internet DMZ servers

Outside DMZ VLAN 172.16.1.11

Honeynet Inside Intranet VLAN Data centre

VLAN Corporate VLAN servers
10.0.1.0/24 10.10.10.5
DECEPTION

ATTRIBUTION

COUNTERATTACK
• Deception is the first and most common phase of
active defense used by many organizations
• Fake telemetry involves augmenting existing enterprise
tools to offer critical threat intelligence for early breach
detection and high-fidelity alerting
• Making tools available on honeypots and honeynets for
attackers to use in order to attribute and attack back
• DNS sinkhole (or black hole DNS) is used to spoof DNS
servers to prevent resolving hostnames of specified URLs
• This can be accomplished by configuring the DNS forwarder to
return a false IP address to a specific URL

• It can be used against attackers to slow them down in a

honeynet deployment and then possibly perform active
defense attribution techniques
• Can also be used to prevent access to malicious URLs at
an enterprise level for internal users
 Malicious site server

Fetches content from

malicious server

Routes traffic of malicious IDS sinkhole server

sites to sinkhole and IDS
for alerting
Makes query to DNS
server

Attacker sends
malicious e-mail

Internet
Organization computer gets
email with malicious site link Attacker
The de facto
standard
• The replacement for the temporary WPA (2004)
• Devices require testing and certification from Wi-Fi
Alliance (2006)
• Supports Personal (PSK) and Enterprise modes
• Uses Counter Mode Cipher Block Chaining
Message Authentication Code Protocol
 WPA2 Personal WPA2 Enterprise

• Shared secret key is a static key used • Centralized authentication server is

to add challenge and response during required
AP and client association
• AES used for encryption (replaced
• Manually configured on devices and WPA TKIP)
AP
• RADIUS used for authentication and
• Local access controls key distribution
• AES used for encryption (replaced • EAP-TLS/EAP-TTLS
WPA TKIP) • EAP-FAST
• PEAP
• Used with WPA2 as part of IEEE 802.11i standard
• Designed as the replacement for WEP and any interim
solution (TKIP) using AES
• Provides strong message encryption with CCM
• Uses 48-bit initialization vectors and 128/256-bit keys
• Provides authenticity and integrity checking with CBC-
MAC
 FAST
TITLS PEAP
MDS TLS …
802.1x EAP types … …
… … Flexible
feature/benefit Tunneled transport-level Protected transport-
Message digest 5 Transport-level security authentication via
security level security
secure tunneling

Client-side No
No Yes No No
certificate required (PAC)

Server-side Yes No
No Yes No
certificate required (PAC)

WEP key
No Yes Yes Yes Yes
management

Rogue AP detection No No No No Yes

Provider MS MS Funk MS Cisco

Authentication
One way Mutual Mutual Mutual Mutual
attributes

Deployment Difficult (due to client

Easy Moderate Moderate Moderate
difficulty certificate deployment)

Wi-Fi security Poor Very high High High High

• All WPA3 networks use the latest security methods, disallow outdated
legacy protocols, and require the use of Protected Management
Frames (PMF)
• PMF enhances privacy protections already in place for data frames with
mechanisms to improve the resiliency of mission-critical networks

• Authenticated encryption: GCMP-256

• Key derivation and confirmation: 384-bit HMAC with Secure Hash
Algorithm (HMAC-SHA384)
• Key establishment and authentication: ECDH and ECDSA (384-bit)
• Robust management frame protection: 256-bit Broadcast/Multicast
Integrity Protocol Galois Message Authentication Code (BIP-GMAC-
256)
• Natural password selection – lets users
choose passwords that are easier to
remember with SAE
• Ease of use – provides enhanced
protections with no change to the way
users connect to a network
• Forward secrecy – protects data traffic
even if a password is compromised
after the data was transmitted
Originally implemented as 802.11s

Password-based authentication

Password-authenticated key agreement

WPA3 replaces PSK with SAE

More secure initial key exchange

• Vulnerability in WPA3 discovered by the same researcher
who discovered the KRACK attack on WPA2
• Exploit of the Dragonfly handshake protocol of WPA3
• If successful, an attacker within the range of a victim's
network could recover the Wi-Fi password and infiltrate the
target network
• Is in fact a collective of 5 attacks: 1 DoS, 2 downgrade
attacks, and 2 side-channel information leaks
• LiFi is a mobile wireless technology that uses light instead of the RF
spectrum to transmit data
• Supported by a global consortium of companies driving a next
generation of wireless to integrate into the 5G core
• LiFi is simpler than wireless and uses direct modulation methods akin
to those used in low-cost infrared devices like remote control
components
• LED light bulbs have high intensities and therefore can achieve very
large data rates
Internet
LiFi-enabled
LED light
POE or PLC

Router & switch

Access Uplink
point
Downlink

Internet server

Transmitter Receiver
PAN Technology
• Zigbee components can connect and communicate
using the same IoT language
• Millions of Zigbee products are already deployed in
smart homes and commercial buildings
• The network topology is a self-forming and self-healing
mesh
• Ranges are up to 300+ meters (line of sight) and up to
75-100 meter indoors
• Supports AES-128 at Network Layer and the
Application Layer
• Used in hotels, airports, and other commercial scenarios to
gather credentials or registration profiles before users can
access a public Wi-Fi
• 5G is the next generation of global networking
• All 5G devices in a cell are linked to the Internet and telephone
network by radio waves through a local antenna in the cell
• The goal is to deliver bandwidths up to 10 Gbps by using higher-
frequency radio waves than current cellular networks

• Cell phone and other devices should be part of enterprise

mobility management
• Works with vendors, carriers, and end-users for policy adherence
• Mobility solutions, GPS, unnumbered IoT devices, and even electrical
grids and other power suppliers commonly rely on satellites for
operational continuity
• Uplinks and downlinks are often sent through open telecom network
security protocols that are effortlessly accessed by attackers
• Satellite ground stations are principally vulnerable to threat actors
• All military-grade satellite communications are subject to all
Commercial Solutions for Classified (CSfC) requirements, including
dual tunnel encryption and other packages
• Network security infrastructure authenticates
communications at every phase of data transmission that
gets sent to the earth-bound devices before it goes to the
satellite
• Trusted computing technology can ensure trustworthiness of
devices, device identity and security validity, using
cryptographic keys
• Geofencing and geotagging are facilitated by satellite
technology
• Relates back to edge computing
• A CDN is a highly-distributed platform of servers that reduces delays
in loading web page content
• It reduces the physical distance between the server and the users
around the world
• Without a CDN, origin servers would have to respond to every end
user request, resulting in substantial traffic to the origin and
subsequent load
• By responding to end user requests using modern edge computing
and elastic caching, the CDN offloads traffic from content servers to
metro edge locations
AWS CDN
• Amazon CloudFront is a fast CDN service
• It securely delivers data, videos, applications, and APIs
to customers at metro edge computing locations with
low latency, high transfer speeds, and within a
developer-friendly environment
• CloudFront is often integrated with AWS Redis
ElastiCache at global provider partner locations and
various service endpoints
• Functions seamlessly with Route 53, S3 object storage,
Elastic Load Balancing, EC2 instances, WAF, and AWS
Shield for DDoS protection
• High-level data center physical security is in place
• Uses TLSv1.1 and TLSv1.2 protocols for HTTPS connections
between CloudFront and the custom origin web server
• Cipher suites use the ECDHE protocol on all connections
• Private Content Feature controls who can download
content from CloudFront
• Origin Access Identities can control access to original copies
of objects
• The most important aspect of the written security policy from the
customer perspective is the Acceptable Use Policy (AUP)
• Endpoint security must begin with security awareness of the
employee and contractor responsibility
• An AUP is a document specifying constraints and practices that a
user must agree to for access to a corporate network or the Internet
• It is often divided into different sections based on various categories
of access
• There should always be an enforcement mechanism in place to
support the policy
Lock computers and laptop docking stations

Screen savers with strong passwords

Disable unused ports and peripherals

Enforce removable device AUP

Use MFA with biometrics if feasible

Implement a clean desk policy

Provide locking cabinets and closets

Remove/disconnect devices at end of day

Protect printers, fax, and multi-function

devices

No piggybacking/tailgating policy
• End users will have varying degrees of participation in
hardware, firmware, and software updates and
upgrades
• If fully automated, the user may only be able to
postpone (snooze) the process for a maximum amount
of time
• OS updates, WSUS, Silverlight, KACE, etc.
Security suites
• These are all-in-one, full-scale security packages that
offer a single, integrated solution
• There is only one vendor to get the upgrades and
updates from
• Depending on the security vendor, the suite may also
include a two-way firewall, parental control system, a
local spam filter, VPN to protect your data in transit,
online backup, and dedicated ransomware
protection
• Best practice is to install two products from different
vendors (e.g., Sophos + Malwarebytes)
 1. Attacker 2. Phishing email 3. Targeted users 4. Compromised system
Attacker sends email with Poorly trained and unaware Target system is Remote Access Trojan (RAT)
malware attachment to use users open the attachment exploited Is installed on the target system

7. Data 6. Internal network 5. Remote Access Trojan

Data is exfiltrated to the Data is stolen from RAT is used to gain access to
attacker in a stealthy manner the compromised additional systems on the
machines internal network
• Use rotating passwords that involve four random words separated by
"-" or "."
• For example, texmex-world-glove-listen

• Implement strong malware scanners and spam filters

• Never reply to spam or click any "unsubscribe" links, as this will only
confirm to the spammer that your email address is real
• Gain expertise in recognizing phishing emails
• Corporate and business email compromise (BEC) is on the rise
• Conduct awareness programs
• Use "two-tier" or multi-factor authentication when logging on to your
email and webmail, if available
• Before opening an attachment, make certain that you
know who it's from and that you are expecting it
• Consider a confirming SMS text or phone call
• Only send personal information over email when
necessary
• Use encrypted email where possible
• Avoid using email over free Wi-Fi
 Backdoors JavaScript exploits

PDF exploits Linux malware

Macros Data leakage and loss

• Evolved from early HIDS solutions
• A "lighter" software agent installed on the host system often
provides the basis for event monitoring and reporting
• EDR tools primarily focus on detecting and investigating suspicious
activities and are indicators of compromise (IoCs) on
hosts/endpoints
• EDR tools monitor endpoint and network events and send
information to a SEIM system or centralized database so further
analysis, investigation, and reporting can take place
• Filtering – reduces alert fatigue and lowers the possibility for real
threats to slip through unnoticed
• Advanced Threat Blocking – prevents threats the moment they
are detected and throughout the lifecycle of the attack
• Incident Response Capabilities - threat hunting and incident
response can help prevent full-blown data breaches (DLP)
• Multiple Threat Protection – cloud-based visibility into many
finding categories
Partner with an MSSP or CASP

Advanced anti-virus with ML and AI

Managed threat hunting (honey tokens)

Cloud-based threat intelligence and User

Behavioral Analytics (UBA)

IT hygiene
• Most NGIPS and anti-virus systems use heuristic and ML
mechanisms to achieve better results than traditional
signature-based and anomaly-based solutions
• Heuristic engine used by an anti-malware/IPS program might
include proactive rules and behavioral analytics to look for
• a program that tries to copy itself into other programs (in other
words, a classic computer virus), or
• a program that tries to remain resident in memory after it has
finished executing
Network Admission Control (NAC)
was an industry initiative
sponsored by Cisco
• Cisco NAC and similar technologies are officially
on the exam but have been replaced by newer
solutions, such as TrustSec and Zero Trust Security
• It was part of the Cisco Self-Defending Network
initiative and is the foundation for enabling NAC
on Layer 2 and Layer 3 networks
• Do not trust anything inside or outside the
perimeter without stringent authentication and
verification
• Helps secure access from users and their
devices, API calls, IoT, microservices, containers
(Dockers, Kubernetes,) and more
 WAP

Guest
server

Campus
network
NAC/EDR
server AD
federation

Identity
NAC/EDR services engine
server
 External
Internal
scanner
scanner

Client vulnerability
data findings Internet

User interface
Servers
User interface
Security vendor network Client network
• IP Security (IPsec) offers security services to traffic crossing untrusted
networks, like the Internet, between two or more trusted devices or
networks
• IPsec VPNs can also be used to protect management traffic as it
crosses an organization's intranet and between front-end and back-
end services
• IPsec is also popular when connecting to cloud service providers
using managed site-to-site and peer-to-site VPN solutions
• IPsec is native to the IPv6 stack through the AH and ESP extension
headers
• IPsec and SSL VPNs are both cryptography-based
VPNs
• In terms of deployment, there are two basic types of
VPNs: site-to-site VPNs and remote-access VPNs Cloud service provider
• Remote access can be full-tunnel or clientless

• Operates in tunnel or transport modes

• Two main protocols are AH and ESP Untrusted network
RO/BO
• IPsec provides five essential security functions:
• confidentiality (3DES, AES-128/256) Headquarters
• data integrity (SHA1, SHA2/3)
• origin authentication using pre-shared keys Small office/
or RSA/ECDSA signatures
home office (SOHO)
• anti-replay protection, and
Mobile worker
• key management (IKEv1/2, DHKE, ECDHE)
 ESP
ESP AH
IPsec protocol +AH

Confidentiality DES 3DES AES

Data integrity MD5 SHA-1 SHA-2

Origin authentication PSK RSA ECDSA

Key management DH ECDH IKE IKEv2

SSL/TLS is the most ubiquitous certificate-based peer
authentication in use on the Internet (HTTPS)
Transport Layer Security (TLS) is standardized by IETF
TLS 1.3 is the most recent published version
It is also used with SMTP, LDAP, and POP3
The only mandatory cipher suite includes RSA for
authentication, AES for confidentiality, and SHA for integrity and
digital signatures
 TLS VPN tunnel

1 User makes a connection to TCP port 443

3
User software
verifies signature on
identity certificate, The server response contains server's public key 2
validating
authenticity of
public key
Shared-secret key, encrypted with public key
5 of the server, is sent to the server
4
User software
create a shared-
secret key Bulk encryption occurs using the shared-secret
key with a symmetric encryption algorithm 6
• Prevent downgrade attacks from web clients
• Use HTTP Strict Transport Security (HSTS)
• Use the most recent security suites (no RC4 or DES/3DES)
• Do not let vendor-installed code intercept traffic
• Verify encryption
• Perform OCSP stapling from browsers to enforce certificate
expirations
• Implement Certificate Pinning to trusted CAs
• Network or application load balancing
• Represents virtual network to the public
• Performs health checks on instances
• Produces flow logs
• Runs the TLS listener
• Can also have layer 3/4 and web application firewall
(WebACL)
 Need-to-know
• Originated in military and intelligence
operations and pertains to data
access and information flow
• Can be implemented using different
access control models although MAC
is the most secure
• Lattice models are effective
• Bell-LaPadula for confidentiality
• Biba or Clark-Wilson for integrity
Least privilege
• Subjects are only given access to the
objects they need and nothing else unless
they go through/pass a strict approval
process"
• Can be implemented using different
access control models although MAC is the
most secure
• Can use network operating system controls
or ABAC for different scenarios
• Processes where more than one entity is required to
complete a particular task
• Often involves dual operator principles as well SQL SQL
Backup
where two subjects are needed to modify a
particular object
• Automation and orchestration can help enforce
this principle
• Rotation of duties is also a related principle SQL SQL
Restore
• Example: forced (mandatory) vacations
• This principle involves avoiding direct client-to-server access
whenever feasible
• Uses various proxies for
• authentication (interactive or transparent)
• translation services (NAT)
• bastion (jump) hosts and CSP services
• web proxies for content and URL filtering, and
• using managed security service providers (MSSP) and cloud access security
brokers (CASB)
 Service-level
agreement
• Defines the precise responsibilities of
the service provider and sets customer
expectations
• Also clarifies the support system
(service desk) response to problems or
outages for an agreed level of service
• Should be used with new third-party
vendors or cloud providers (SaaS, IaaS,
PaaS) for 24-hour support
Organizational-level
agreement
• Documents the pertinent information
for regulating the relationship between
internal service recipients and an
internal IT area (service provider)
• Difference is what the service provider
is promising the customer (SLA) vs.
what the functional IT groups promise
each other (OLA)
• An OLA often corresponds to the
structure of an SLA, with a few specific
differences based on the enterprise
• The goal of configuration management is to
ensure that accurate and meaningful
information is readily available regarding the
configuration of applications and services
along with the configuration items (CI) that
support them
• Includes all relationships and dependencies
between the CIs
• Objects include hardware, software, networks,
sites, vendors, suppliers, and people
• CM is a governance and systems life cycle process for
ensuring consistency among all assets (configuration
items, or CIs) in an operational environment
• Classifies and tracks individual CIs
• Documents functional capabilities and interdependencies
• Verifies the effect a change to one configuration item has on
other systems
Directory Services tools

Diagrams and topologies

Inventory baselines

Naming and tagging schemas

• A configuration management system (CMS) is a set of data,
tools, utilities, and processes used to support configuration
management
• All information should be tagged and labeled with a
common unified schema, preferably using key-value pairs
• This data will populate a database system known as a
CMDB
• Relational databases have been used historically
• NoSQL/document databases are emerging as a common solution
• Could leverage a CSP service, such as AWS DynamoDB
• Change management is also called the "change control
practice"
• The goal is to maximize the amount of successful service
and product changes
• Should make certain that risks have been adequately
assessed, authorized, and managed with a change
schedule
• Operates with the configuration database to track all
possible dependencies and repercussions of changes
• Involves a change log or change database
 Standard
• Low-risk changes
• Pre-authorized and well-
documented
• Can be automated
• Service requests that don't
need additional authorization
• Example: changing directory
password
Normal
• Changes follow a specific
process for scheduling,
assessment, and
authorization
• They are lower risk, but they
do go through an approval
process
• Example: onboarding a new
phone or laptop; installing an
application
Emergency
• Changes that must be
implemented immediately
• Often a result of problem
management or after-action
reporting
• May involve escalation or an
emergency advisory board if
the amount of resources or
disruption is significant
1. Submitting 2. Approving 3. Documenting

6. Reporting 5. Implementing 4. Testing

The proposed change is analyzed and validated. If
necessary, the submitter may be required to
provide more information before it is approved or
escalate the change to a higher authority
The proposed change request should first be
delivered to the individual or group responsible for
change management in the organization
After approval, the change needs to be inputted
into a change log or configuration management
database (CMDB). This log or database must be
updated regularly as each change progresses
through the various phases
Before implementing the change, there may need
to be a formal testing and verification process. This
allows for modifications to be made if any issues
arise. There can also be a determination if any
other processes are affected by the change
After the change is tested and approved, it can be
deployed based on a schedule that has been
determined. The schedule needs to document the
projected phases of the change and define the
milestones for the change process
After the change has been implemented, a full
report should be submitted to management. If
there are any negative consequences to
implementing the change, this should trigger an
iterative move to an earlier phase of the lifecycle
A critical control
• Many organizations do not consider or continually
improve their patch management plan
• Vulnerability/exposure reviews and gap analysis are not
performed or done properly
• A configuration management database (CMDB) of all
configuration items (CIs) should be maintained
• Only certain personnel should have the authority to test,
apply, and determine the urgency of patching activities
• Agreements with any applicable vendors should also be
made to address any potential issues before patch
deployment
 Baseline and
harden

Maintenance Collect and

evaluate

Patch
management

Patch rollout Testing

Develop
rollback
plans
 Assess and classify
Perform assessment the risk based on
of existing controls analysis methods
and configurations and risk treatment

Develop inventory Conduct a gap Apply the tested

and patch analysis against the patch either manually
management plan inventory and or automated with
control lists rollback mechanism
in place
• Syslog is a standard and well-established system logging
protocol defined in RFC 5424
• It typically sends system informational or event messages to
a designated syslog server or SIEM system
• It is predominantly used to gather various device logs from
different systems in a centralized fashion for monitoring,
visibility, and analysis
• It traditionally uses UDP 514 or TCP 1468
Code Severity Description
0 Emergency System is unusable
1 Alert Action must be taken immediately
2 Critical Critical conditions
3 Error Error conditions
4 Warning Warning conditions
5 Notice Normal but significant condition
6 Information Informational messages
7 Debug Debug-level messages
 Workstations Workstations

Syslog server
Applications Devices

Syslog
messages

Servers Servers
SIEM
• The term SIEM is a combination of security information
management (SIM) and security event management
(SEM)
• Centralize the storage and analysis of logs and other
security-related documentation to perform near real-
time analysis
• Can send filtered data to mining, big query, and data
warehousing servers in a data center or at a cloud
service provider
• Allow security and network professionals to take
countermeasures, perform rapid defensive actions,
and handle incidents
Log collection and aggregation Automated real-time alerting

Log analysis User activity monitoring

Correlation and deduplication Time synchronization

Log forensics Reporting

SIEM
IT compliance File integrity monitoring

Application log monitoring System and device log monitoring

Object access auditing Log retention (WORM)

 Automation
IT automation involves generating a
single task to run automatically without
any human intervention
Automation could involve sending alerts
to a SIEM system, dynamically triggering
a serverless function at a cloud provider,
or adding a record to a database when
a batch job is run
Enterprises often automate both cloud-
based and on-premises tasks
Orchestration
Orchestration involves managing several
or many automated tasks or processes
As opposed to focusing on one task,
orchestration combines all the individual
tasks
Orchestration occurs with various
technologies, applications, containers,
datasets, middleware, systems, and more
• SOAR is an assortment of software services and
tools
• It allows organizations to simplify and aggregate
security operations in three core areas:
• Threat and vulnerability management
• Incident response
• Security operations automation
Security automation Can be defensive You should automate
involves performing detection, response, if the process is
security-related tasks and remediation, or routine, monotonous,
without the need for offensive vulnerability and time-intensive
human intervention assessment and
penetration testing
Define first!
• It should be quantified as a percentage of
probability and not just a vague list of "scary
things"
• The likelihood that a threat agent's actions will
result in a loss (frequency and magnitude)
• It can be a derived value from threat capability
of actors combined with the resistance of
existing security controls
• All assets and asset classes must first be valued, prioritized,
categorized, classified, and labeled accurately
• Recognize who has the role of Asset Manager (digital as well)
• Use all available tools and proven methodologies:
• Inventory systems and various logs (system, application, firewall, etc.)
• Simple Network Management Protocol (SNMP) traps
• NetFlow collection
• Security information and event management (SIEM) systems
• Next-Generation Intrusion Prevention System (NGIPS) alerts and logs
• Cloud-based visibility tools
• Machine learning and artificial intelligence data analysis
• Internal subject matter experts
• Risk register and lessons learned (LL) database
• Historical documentation
• Compliance experts
• External expert judgment
• Third-party consultants
• Cyber insurance providers
• Legal expertise
Automated Indicator Sharing (AIS) is a DHS
system for data sharing about cyber
observables with the goal to maximize the
near-real-time distribution of all relevant and
actionable cyber threat indicators among the
private sector and federal agencies for
network defense
Structured Threat Information eXpression
(STIX) is a structured language developed
by MITRE for a collaborative way to
represent cyber threat intelligence and
observable data

Trusted Automated exchange of Indicator Predictive analysis and threat maps are
Information (TAXII) is a free and open generated by AI-driven and ML analysis
transport mechanism that standardizes the
automated exchange of cyber threat tools, often working with cloud service
information. Push and pull messages are provider managed services or MSSPs
supported – supporting both subscription
feeds and on-demand queries. TAXII
leverages existing protocols when possible –
with native support for HTTP and HTTPS
• Any data or information concerning an individual or
organization that can be collected legally from free, public
sources
• Is usually information found on the Internet but can be
sourced from books or reports in a public library, articles in a
newspaper/magazine, statements in a press release, and
FOIA reports
• Can be gathered using tools like Maltego, sharing centers,
and code repositories, like GitHub, among others
 Vendor web sites Vulnerability feeds

Conferences Academic journals

Request for Comments (RFC) Local industry groups

Social media Threat feeds

Adversary tactics, techniques, and

OSINT tools
procedures (TTP)

Emerging social media tools Word of mouth

 Common Vulnerabilities and
Exposures (CVE)
• A list of entities from MITRE.org
that represent publicly known
cybersecurity vulnerabilities
• Consists of an ID number,
description, and public
references
• Used by the National Vulnerability
Database (NVD)
Common Vulnerability Scoring
System (CVSS)
• Open standard for weighing the
severity of computer system
vulnerabilities
• Uses a uniform and consistent
scoring method ranging from 0
to 10, with 10 being the highest
severity
• Vulnerability scanning is the process of using tools to identify known
and unknown weaknesses in systems, applications, services, and
policies
• Vulnerability scanning is an easier and often more focused process
of looking for unpatched systems, misconfigurations, and open ports
• It is typically automated and done on a routine basis (weekly,
quarterly,) taking at most a few hours
• HTTP/S is the most common traffic by far, and web application
vulnerability scanners like Burp Suite and OWASP ZAP are popular
• Cross-site scripting; cross-site request forgery; SQL, LDAP, and command
injection; path traversal; insecure server configuration
• Devices that capture and analyze network
traffic between two or more systems
• Traffic can be filtered and decoded to visualize
what processes are occurring
• Can be used to find network bottlenecks,
troubleshoot, and analyze malware behavior
• Advanced analyzers also generate statistics for
trend analysis and network optimization
• Crackers can use them to gather information or
even clear-text usernames and passwords,
among other things
• Exploitation kits used by penetration testers and
crackers to find vulnerabilities and attack vectors

• Often specialize in certain components, like routers,

browsers, embedded devices, PowerShell, etc.

• Often open-source initiatives with broad cooperation

from white, gray, and black hat hackers

• Can be used to prioritize vulnerabilities

and threats in the enterprise
• RIG EK and RIG-v EK
• GrandSoft EK
• GreenFlash Sundown
• Carrying out a compliance audit is different from performing a
vulnerability scan, although there will often be some overlap
• A compliance audit decides if a system is configured in agreement
with a recognized governance policy
• Sometimes compliance involves auditing more sensitive data and
systems
• There are many diverse forms of financial and government
compliance requirements
• Typically, the compliance requirements are minimal baselines that
can be taken differently depending on the goals of the organization
• Compliance requirements must be in line with business goals to ensure
that risks are correctly recognized and alleviated
 • Internal vs. external
• In-house vs. third-party
• Vulnerability assessment
• Penetration testing
• Log reviews
• Synthetic transactions
May be for • Code review and testing
compliance or to
measure maturity • Misuse case testing
against a model like
CMM • Test coverage analysis
• Interface testing
• Account management
• Management review and
approval
• Key performance and risk
indicators
• Backup verification data
• Training and awareness
• Disaster recovery (DR) and
business continuity (BC)
Will involve vulnerability
assessments • A more elaborate test in which assessors simulate real-
world attacks to identify methods for evading the
security features of an application, system, or network
• Often involves launching real attacks on real systems
and data using attack tools and techniques
• Also be useful for determining the following:
• How well the system tolerates real-world style attack patterns
• The likely level of sophistication an attacker needs to
successfully compromise the system
• Additional countermeasures that could mitigate threats
against the system
• The defenders' abilities to detect attacks and respond
1: Rules of engagement
agreement 3: Privilege escalation 5: Persistence

2: Reconnaissance and 4: Lateral movement

initial engagement and pivoting
• Also called "Hunt Teams" 7. Revise
the hunt
• Threat hunting involves groups of cyber analytic
investigators aggressively seeking out 1. Gain and
6. Investigate
threats on a network or system and expand
follow up visibility
• They are often compliance or regulatory
auditors
• They attempt to quickly recognize Threat hunting
anomalies and discover historic patterns in 5. Execute lifecycle
data and Indicators of Compromise (IoCs) 2. Analyze
the hunt
to counter cybercriminals and mitigate
threats
• Can also be Red Team vs. Blue Team 4. Create
3. Form a
exercises the hunt
hypothesis
analytic
 Sets up
Dropper
• Involves creating an abstraction of a system Decrypt and execute
to identify risk and probable threats (private STAGE 1
next stage

cloud/sandboxing) Loader

STAGE 2 Decrypt and execute

• When cyberthreat modeling is applied to Loader next stage
systems being developed, it can lower
vulnerabilities and risk STAGE 3
Kernel
Framework
• With the widespread adoption of threat
intelligence technologies, most enterprises
are trying to adopt a threat-focused STAGE 4 STAGE 4 STAGE 4
approach to risk management User Kernel … Kernel
Framework Module 1 Module N
• Provides visibility, increased security
awareness and prioritization, and
understanding of posture STAGE 5
Payload
STAGE 5
Payload …
STAGE 5
Payload
Module 1 Module 2 Module N
• Reports should have as much information as necessary but not
a "data overload"
• May need to express in simpler terms or have different reports
for different target audiences
• Dashboards are very effective (R programming)
• Understand components of visual communications
• Avoid three-dimensional representation
• Use a palette of sequential colors
• Avoid pie charts for scatterplots, bars and bubble charts, histograms,
density plots, and boxplots
• Steps taken when a negative event disrupts normal operations
• Primary goal is to reduce the immediate impact
• Should have documented incident types/category definitions
based on risk assessments, risk registers, and business impact analysis
(BIA)
• Know roles and responsibilities of the first responders, including
reporting requirements and escalation processes
• Collect contact lists, public relations people, and legal teams
• Best practice is to have pre-performed exercises, drills, and
simulations
Preparation
• Involves all information gathering, missions, charters,
and project initiation tasks
• Get buy-in and funding from executive management
in order to know the scope of the response plan
• Establish incident response teams
• Determine the roles and responsibilities of internal
employees on incident response teams

• Establish first responders and processes for

communication to relevant stakeholders
• Conduct IR exercises and drills based on budget
Detection
• Also referred to as "Identification"
• Separate an event from an incident or breach
immediately, using pre-defined metrics and experience
• Categorize and prioritize the incident based on an
established risk register or risk ledger
• When did it occur?
• How were you alerted?
• Who made the discovery?
• What is the scope of impact?
• Does it qualify for escalation or disaster recovery?
• Can you quickly identify the root cause?
Response
• Main goal is containment of the outbreak or malware
exploit
• Implement short-term processes, such as
disconnecting devices from the network
• Use firewalls, NG-IPS, ML algorithms, and other forensic
tools to maintain separation, containment, and
segregation
• Evaluate backups and snapshots for future recovery
Mitigation
• This step is also called "eradication" and is often
integrated with the previous phase,
Containment/Response, as opposed to being a
separate action
• Involves determining the root cause of the incident
and applying immediate remedies if available
• Involves removing all indicators of compromise and
any action, artifacts, remnants, or fingerprints
associated with the attack
Recovery
• The process of restoring negatively affected data,
applications, systems, and devices to an established
baseline performance level or, if possible, the original
state
• This often involves only remediation to a certain
operational point and not total recovery
• During this process, it is vital to establish that you are
not in danger of another incident or breach
• Will often involve business impact analysis (BIA) metrics
and indicators like RTO, RPO, and MTTR
Remediation
• This is more elaborate than recovery, as it involves a
remedy that puts the application or system into a state
before the incident occurred
• Remediation may take hours or weeks depending on
the fact that the incident may rise to the state of a
disaster or catastrophe and business continuity is
occurring
• Recovery and remediation are often combined into
the same phase or stage of incident response
Reporting
• Reports should be generated from physical, digital,
and/or audio notes taken throughout the entire
process
• Final reports should meet these requirements:
• Be concise and comprehensive
• Generate with different audiences in mind
• Use newer graphical representation with Python and R
programming tools
• Include recommendations to prevent future incidents
• Take problem management into consideration
Lessons learned
• Knowledge gained from the process of conducting
the program
• Sessions usually held at the response close-out
• To share and use knowledge derived from an
experience
• Endorse the recurrence of positive outcomes
• Prevent the recurrence of negative outcomes
• Try to avoid "blamestorming," although someone may
be ultimately held accountable if expected due care
and diligence were not performed
 Weaponization Exploitation Command
and control

Recon Delivery Installation Exfiltration

• Laws have been violated
• Organizational policies have been violated
• Systems have been attacked
• Data and identity have been breached
• Intellectual property has been exfiltrated
• Privileged insiders are suspected of crimes
• Next phase of incident response
• The focus of this certification is on cyber forensics
• Innovative technologies have emerged to lower the risks and costs
associated with big data, especially in litigation and internal
corporate/government investigations
• The e-discovery process includes four phases:
• identifying and collecting documents
• sorting through data by relevance
• creating production sets, and
• data management
 Collection of Analysis of the
evidence real evidence

Identification of Examination of the Reporting on the

the crime evidence data findings of the
analysis
Detecting the incident
• Once you have determined this is not an event but
rather an incident that needs forensics, you will need
to identify and classify
• Forensics may not occur until later in the incident
response lifecycle (remediation or reporting)
• The notification can come from
• personal complaint by phone or text
• monitoring system alarm or alert
• audit result
• IDS/IPS/EDR sensor alarm, or
• notification from trusted or anonymous source
 Order of volatility sets
the priority
1. CPU, cache, and register • Forensic toolkits (EnCase
content from Guidance) and write-
blockers
2. Routing table, ARP cache,
process table, and kernel Common utilities include:
statistics
Forensic toolkits (EnCase from Guidance) • Tcpdump and dd
3. Memory
• nbtstat and netstat
Write-blockers 4. Temporary file system/swap
space • nc (Netcat)

5. Data on hard disk • memcopy

6. Remotely logged data • tshark

7. Data on archival media • foremost

Maintain the chain of
custody
• Imaging technologies (create copies)
• Memory dumps from write blockers
• HDD bit-level copy, sector-by-sector
• Include deleted files, slack spaces, and
unallocated clusters
• Look for encrypted volumes and files

• Digital pictures and interviews

• Provide a history of the handling of the evidence to
maintain integrity, provide accountability, prohibit
tampering, and provide assurance through the entire
life cycle
 Chain of custody

Registered mail Date/Time Released by Received by Reason

Date Name/Agency/Organization Name/Agency/Organization

Time Signature Signature

Date Name/Agency/Organization Name/Agency/Organization

Time Signature Signature

Date Name/Agency/Organization Name/Agency/Organization

Time Signature Signature

Date Name/Agency/Organization Name/Agency/Organization

Time Signature Signature

Media management
• Should have a software inventory system for
configuration items and a category for components
removed for investigative and forensic purposes
• Collected media (all types) must be classified and
labelled
• Secure storage facilities with dual operators include
• locked rooms
• locked cabinets
• safes, and
• offsite storage facilities
 Where data
becomes information
• Examination involves finding the relevant data in order
to have the proper information to analyze in the next
step
• Use tested techniques for
• validation
• filtering (i.e., user SIDs)
• pattern matching
• tracing
• hidden data discovery, and
• data extraction
Building a solid
forensic case
• Operating on the relevant data, facts, and artifacts from
collection and examination phases
• May determine that more work should be done in earlier
steps
• If more information is needed, then iterate back to
collection and examination

• Answer the 'who, what, where, when, why, and how?'

• Infer motive, opportunity, means
• Is a combination of an art and science that can take
years to master
• Use expert judgment of others
Communicate results
effectively
• Track people hours and expenses in case software
• Provide electronic and physical documents of all
findings
• Meet with proper authorities and possibly prepare to
offer expert testimony
• Provide any needed clarification
• Identify overall impact on business and recommend
any countermeasures
• Who, what, when, and how – important for court and
other proceedings