Securing IT Infrastructure

CSC401 – CySA
UNIT 1
UNIT – 1

 Understanding Cyber Security leadership Concepts

 Explaining Threat Actor Concepts
Understanding Cyber Security
leadership Concepts
Objectives
 Review policies and governance.
 Explore risk management principles.
 Understand different types of controls.
 Review attack surface management.
 Explore patch and configuration management.
 Review the importance of maintenance windows
 Understand threat actor concepts.
 Explore advanced persistent threats.
 Review tactics, techniques, and procedure (TTP) concepts.
 Understand the importance of identifying active threats.
 Review open-source intelligence and information-sharing concepts.
 Review different types of threat-hunting activities.
 Understand the importance of Indicators of Compromise (IoC).
 Review decoy methods.
 Policy and Governance Topics
• The Role of Governance • Security Operations
• Leadership • Well-defined processes
• Strategy • Service Level Objectives (SLO)
• Policy Development
• The Importance of Policy
• Establish Priorities
• Enforceable Rules
• Form basis of an Audit
Role of Governance
 Technology Management is Key: Spending money on technology alone is ineffective;
proper management and integration are essential to realize its benefits.
 Planning and Management: Success with technology depends on proper planning and
management, regardless of the brand or features.
 Leadership's Role: Leadership teams craft effective responses by adjusting policies and
processes to meet organizational objectives.
 Governance, Risk, and Compliance (GRC) Teams: GRC teams are commonly established
to guide the organization’s direction and manage risks.
 Governance Teams: Responsible for creating and maintaining policies that direct
technical teams and define organizational expectations, especially in cybersecurity.
 Policies as Roadmaps: Policies and procedures serve as roadmaps for technical teams,
ensuring alignment with organizational goals.
 Cybersecurity Service-Level Objectives (SLOs): Leadership must meet cybersecurity SLOs,
such as Mean Time to Detect (MTTD), Mean Time to Recover (MTTR), and time to patch, to
ensure network security
Risk Management Principles
Risk management program works to identify risks and determine
how to minimize their likelihood or impact.

Risk Responses
• Avoid
• Accept
• Mitigate
• Transfer

Example: You drive on road.

Avoid: No Travel
Accept: Need of travel is more than the risk (going office)
Mitigate: Wear seat belt, helmet for safety
Transfer: Insurance
Threat Modelling
 Threat modelling is designed to identify the principal risks and tactics,
techniques and procedures (TTPs) that a system may be subject to by
evaluating the system both from an attacker’s point of view and from the
defender’s point of view.

 Identifying Specifics
 Threat Actors
 TTPs
 Threat Considerations
 Different threat groups target different organizations
 Prioritize identified threat groups
 Build defenses based on threat group
Security Control Category
 Control Categories
 Technical – Implemented through technology. Automated measures.
 Operational – Procedures and practices that are primary carried out by people.
 Managerial – Provide oversight and governance over organization’s security
processes and policies.
 Protecting assets with a mix of control from each category.
Security Control Functional Types
 Preventative Controls: Aim to stop an attack before it happens.
 Detective Controls: Identify and log an attack while it's happening.
 Corrective Controls: Mitigate or repair the damage after an attack has
occurred.
 Compensating Controls: Provide alternative methods of protection when
primary controls aren't available or sufficient.
 Responsive Controls: Help manage and respond to security incidents to prevent
them from escalating.

NOTE: No single security control can protect everything on its own. Each control is
like a link in a chain, and together, they form a strong defense. Each type of
control (like prevention, detection, or correction) can be seen as its own chain,
with multiple controls working together to ensure protection.
Managing Attack Surface
 Threat Models seek to identify which threat actors are likely to attempt to
exploit the system. The goal of the threat model is to help determine how to
improve a system’s security posture, and part of this exercise often includes
attack surface management and hardening.
 Attack Surface describes the level of exposure
 Identifying attack surface helps define the weak spots in the
environment
 People and processes
 Software and devices
 An attack surface describes all potential pathways a threat actor could use
to gain unauthorized access or control. Each piece of software, service,
and
every enabled protocol on an endpoint offers a unique opportunity for
attack. Removing or disabling as many of these as possible can significantly
reduce the number of (potentially) exploitable pathways into a system.
Evaluating Attack Surface
 Passive Discovery - Methods used to identify systems, services, and
protocols indirectly.
 Edge Discovery - Edge is instead composed of every device with Internet
connectivity.
 Penetration Testing - Simulating an attack on an organization’s network to
identify vulnerabilities and weaknesses.
 Adversary Emulation - Replicates the tactics, techniques, and procedures
(TTPs) of a specific known threat actor. The goal is to closely mimic how a
particular attacker or group operates, based on real-world intelligence.
Reducing Attack Surface
 Asset inventory
 Access control
 Patching and updating
 Network segmentation
 Removing unnecessary components
 Employee training
Software Patching & Host Protection
 Patch Management: Ensures systems have the latest security updates to protect
against vulnerabilities, with a plan for timely application and a backup strategy
for disruptions.
 Patch Scope: Applies to various systems, software, and devices; can be
manual, automated, or a mix of both, with automation often needing some
manual intervention.
 Effective Patch Strategy: Requires software configured based on system risks
and a test environment to check patches before full deployment.
 Patch Testing: Tests patches on isolated systems to ensure they don't cause
issues like crashes or instability.
 Centralized Configuration Management: Ensures consistency by defining
settings once and applying them across multiple systems, crucial for both
modern and traditional IT environments.
 Maintenance Windows: Designated times for preventive maintenance and
noncritical patch deployment, following change management policies.
 Maintenance Types: Reactive (in response to issues) and proactive (to prevent
future problems or safely perform work).
Exploring Threat Intelligence & Threat
Hunting Concepts
Types of Threat Actor
 Nation-State
 Organized Crime
 Hacktivist
 Insider Threat
 Script Kiddie
 Supply Chain Access
APT (Advanced Persistent Threat)

 Threat Actors  Targets

 Nation State  Large organizations
 Organized Crime  Government
 Tools
 Command and Control
 Rootkits
 Custom Crafted Tools
TTP (Tactics, Techniques & Procedures)

 Tactic – Motive
 Technique – Ways to achieve Motive
 Procedure - Method/steps executed
MITRE Framework
 OSINT
 Open-source intelligence (OSINT) refers to publicly available information and associated
tools for aggregating and searching it.
 OSINT Includes
 Publicly Available Information – Public Repo, DNS Info, etc
 Social Media – User’s personal information.
 Website
 MetaData – Pictures, Document etc
 Defensive OSINT
 Defensive OSINT is a type of intelligence gathering that focuses on identifying threats before
they occur. It also helps create a strategy to minimize the impact of an attack before it occurs.
 Govt. Bulletins
 CERT
 CSIRT
 Deep/Dark Web
 Internal Sources
Threat Intelligence Data
 Threat intelligence data refers to information collected, analyzed, and
contextualized to identify and assess potential security threats. Data can
come from various sources, including open-source, human, and technical
intelligence.
 Two broad types
 Strategic: Provides a high-level view of the threat landscape, including
emerging trends, tactics, and techniques threat actor use
 Operational: Provides more granular details about specific threats, such
as indicators of compromise, malware analysis, and network forensics.
 Depends on three important attributes timeliness, relevancy, and accuracy
 Companies provides commercial service offering, where access to
updates and research is subject to a subscription fee
 Confidence Level : Metric helps rank or score threat intelligence to help
isolate highly applicable or highly likely threat intelligence
Threat Intelligence Sources
(Proprietary/Closed-Source)
 Closed-source data is derived from the provider’s own research and
analysis efforts, such as data from honeynets that they operate, plus
information mined from its customers’ systems, suitably anonymized.
 Most of the commercial feed (sometimes referred to as a paid feed)
providers also market their own platform for processing and disseminating
threat intelligence.
Threat Intelligence Sharing

 Crucial for cyber defense teams

 Threat intelligence sharing goals
 Identifying indicators of compromise
 Tracking threat actor groups
 Documenting findings
 Discussing strategies
 Distributing knowledge
Threat Hunting Concepts

 "Assume breach" mentality

 Analyze routine activities and network traffic
 Use skills and experience to identify potential threats (in its dwell time) as well as Security
gaps.
 Indicators of Compromise (past)
 Indicators of Attack (present)
 Search for threat actors based on established TTPs
 IoC
 Suggest that a security incident may have occurred
 Sources of IoC
 System and applications logs
 Network monitoring software
 Endpoint protection tools
 Security Information and Event Management (SIEM) platforms
 IoC points to a specific event, pattern, or sequence of events that may indicate
trouble. After identifying an IoC, security analysts must validate it to more
confidently determine if it is a false positive, warrants monitoring, or requires a full
incident response.
 Indicators of compromise (IOCs) can be identified using digital forensics
techniques, which analyze digital artifacts left behind on a compromised system or
network. These artifacts include log files, memory dumps, network traffic, and file
system information.
Decoy Methods and Concepts

 Active Defense
 Using offensive actions to outmaneuver an adversary to make an attack harder
to execute.
 An active approach to cyber defense seeks to increase the likelihood that
hackers will make a mistake and expose their existence or methods of attack.

 Honeypots
 Redirect malicious traffic away (decoys)
 Intentionally made vulnerable system, corporate look-a-like, which attacker
upon targeting reveals their presence.
UNIT - 2

 Explaining Important System and Network Architecture Concepts

 Understanding Process Improvement in Security Operations.
Objectives
 Review system and network architecture concepts.
 Explore important operating system concepts.
 Review Cloud deployment models.
 Review identity and access management concepts.
 Review data protection tools and techniques.
 Explore security operations automation concepts.
 Understand automation technologies.
 Explore the relationship between security information and event management
(SIEM) and security orchestration, automation, and response (SOAR) products.
 Learn about the importance of processes and consistency in security
operations.
System Hardening
 System hardening enhances the security of an operating system,
application, device, or service by reducing its attack surface. Hardening
involves enabling or disabling specific features and restricting access to
sensitive areas of the system, such as protected operating system files,
windows registry, configuration files, and logs.
 Hardening includes
 Disabling unnecessary services
 Limiting user privileges
 Patching the operating system
Windows Registry & File System
 The Windows registry is a database for storing operating system, device,
and software application configuration information.
 HKEY_LOCAL_MACHINE (HKLM) database governs system-wide settings.
 The HKEY_USERS database includes settings that apply to individual user
profiles, such as desktop personalization.
 HKEY_CURRENT_USER is a subset of HKEY_USERS with the settings for a
logged-in user.
 The registry database is stored in binary files called hives.
 A hive comprises a single file (with no extension), a .LOG file (containing a
transaction log), and a .SAV file (a copy of the key as it was at the end of
setup).
Windows Registry & File System
Windows registry files are stored in C:\Windows\System32\Config
Configuration File Format Standards

 Windows have Registry, Linux doesn’t.

 BUT, Linux have Configuration files, containing all settings and preferences.
 Generally, all config files are present in /etc files, but they are also present
in /usr, /opt, /var.
 Common configuration files –
 Initialization File (INI) – Uses key-value pairs associated using “=“
 eXtensible Markup Language (XML) – Uses tag formatting similar to HTML.
 Yet Another Markup Language (XML) – YAML File use “:” and careful
indendation.
 JavaScript Object Notation (JSON) – Similar to YAML with the addition of {} and []
brackets to group settings.
Virtualization,
Containers & Emulation
(Hypervisors)

 Virtualization involves creating multiple virtual machines that run full operating systems on a
single physical host using a hypervisor.
 Containerization creates lightweight containers that share the host OS kernel but are isolated
at the application level, allowing for efficient resource use and consistent deployment.
 Emulation simulates a different hardware or software environment entirely, enabling software
to run on platforms it wasn't originally designed for, often at the cost of significant performance
overhead.
 Containers & Virtual Machines

 Virtual Machines (VMs) include a full OS

with virtual hardware, providing strong
isolation but with higher resource usage
and slower startup times.
 Containers share the host OS kernel,
offering lightweight, faster, and more
efficient environments with less isolation.
VMs are ideal for running multiple OS
instances, while containers excel in
microservices and DevOps scenarios due
to their portability and efficiency.
 Understanding Cloud Deployment
Models
 Virtualization == Cloud
 Cloud is just someone else’s computer.
 Public Cloud: Services are delivered over the internet by third-party providers (e.g., AWS,
Google Cloud). Resources are shared among multiple users (tenants), making it cost-
effective and scalable.
 Private Cloud is designed, built, and managed in-house using organization-owned hardware
and software. Private clouds provide high levels of control over the infrastructure, but they
typically require more up-front capital and ongoing maintenance than a public cloud.
 Hybrid Cloud generally refers to the combination of resources in both a public and private
cloud. It is a type of cloud computing that combines on-premises infrastructure—or a
private cloud—with a public cloud. By doing this, organizations can benefit from the
scalability and cost-effectiveness of the public cloud while maintaining the security and
control of their private cloud.
Serverless Computing
 Serverless computing is a cloud computing model where the cloud provider
manages the infrastructure, allowing developers to focus solely on writing and
deploying code.
 The term "serverless" means that the server management is abstracted away from the
user—there are still servers involved, but developers do not need to worry about
provisioning, scaling, or managing them.
 Examples of Serverless Platforms:
 AWS Lambda
 Google Cloud Functions
 Azure Functions
 Serverless computing is ideal for applications with variable workloads, allowing
organizations to deploy applications quickly, scale effortlessly, and pay only for the
resources they consume.
Deperimeterization

• Deperimerization: shift away from "inside" and "outside" networks

• Trends Driving Deperimeterization
• Cloud
• Remote Work
• Mobile
• Outsourcing and Contracting
• Wireless Networks (Wi-Fi)
 Zero Trust
• Characteristics of Zero Trust
• Everything is considered "outside"
• Trust nothing, validate everything
• NIST SP 800-207 "Zero Trust Architecture”

• Components of a Zero Trust architecture

• Network and endpoint security
• Identity and access management (IAM)
• Policy-based enforcement
• Cloud security
• Network visibility
• Network segmentation
• Data protection
• Threat detection and prevention
Authentication Mechanism
• Authentication Factors
• Something You Know
• Something You Have
• Something You Are
• Why Use Multiple Factors?
• Improves identity assurance
• Increases difficulty in abusing credentials

 Multifactor Authentication (MFA)

 Two-Factor Authentication (2FA)
 2-Step Verification
 Passwordless Authentication
 Single sign-on (SSO)
Federated Trust Method

 Federation
 Access one account via credentials from account

 OpenID
 Users participate in an OpenID system

 Security Assertion Markup Language (SAML)

 Transitive Trust
 If A trusts B, and B trusts C, then A trusts C.
Cloud Access Security Broker

• Cloud Access Security Broker (CASB) functions

• Enable SSO and enforce access controls
• Scan for malware and rogue or noncompliant device access
• Monitor and audit user and resource activity
• Prevent access to unauthorized cloud services
Data Loss Prevention Concepts

• Data Loss Prevention (DLP) Components

• Policy Server
• Endpoint Agents
• Network Agents
• DLP Examples
• Blocking use of external media
• Print blocking
• Remote Desktop Protocol (RDP) blocking
• Clipboard privacy controls
• Data classification blocking
Different Data Types

 Personally Identifiable Information (PII)

 Protected Health Information (PHI)
 Personal Identifiable Financial Information (PIFI)
 Cardholder data (CHD)
 Intellectual property (IP)
PKI

 Secure Sockets Layer (SSL) Inspection

• Inspecting encrypted HTTPS traffic
• Administrators cannot monitor encrypted traffic for threats
• HTTPS traffic can allow attackers to avoid detection
• Ensure employees comply with acceptable use policies
• Visibility to restricted content access or share/upload restricted
data
 Logging Concepts
• Log Ingestion
• Storing logs in a central location for simplified analysis
• Authentication servers
• Application servers
• Web servers
• Databases
• Logging Level
• DEBUG: used for debugging purposes
• INFO: used for informative messages
• WARNING: used to indicate a potential problem
• ERROR: used to indicate a serious problem
• CRITICAL: used to indicate a critical problem
 Logging Concepts (Syslog)
• Syslog uses eight logging levels
• 0 Emergency (emerg)
• 1 Alert (alert)
• 2 Critical (crit)
• 3 Error (error)
• 4 Warning (warn)
• 5 Notice (notice)
• 6 Informational (info)
• 7 Debug (debug)
Security Operation through
Automation
• Automation streamlines security operations
• Initiatives seek to make operations more
• Efficient
• Consistent
• Reliable
• Cost-effective
Security Operation through
Automation
• Two popular tools anchoring security automation
• Security Information and Event Management (SIEM)
• Automates the collection, analysis, and response to security-
related data
• Security Orchestration, Automation, and Response (SOAR)
• Automate the response to security threats
• Typically integrated with SIEM platforms
Identifying Tasks Suitable for Automation
1. Analyze workflows
• Identify repetitive or time-consuming tasks
2. Evaluate time-to-detection
• Tasks that contribute to delays in detection or response are good
candidates
3. Identify high-risk areas
• Identify areas at high risk of a cyber attack
4. Consider the frequency of tasks
• Tasks performed frequently are good candidates
5. Evaluate the benefits of automation
• Focus on increased accuracy, faster response times, and reduced
manual effort
Streamlining Operations
 Continuously monitor threat intelligence feeds
 Automatically detect new threats in real time
 Indicators of Compromise (IOCs)
 Reduce time to identify & respond to security incidents
 Orchestrating threat intelligence data for threat hunting
 Comprehensive view of the threat landscape
 Emerging threats
 Attack trends
Streamlining Operations cont.
 Aggregating threat intelligence data
 Support prioritization efforts
 Where to allocate resources
 Which security controls to implement
 Sharing threat intelligence data across different teams
 Improve collaboration
 Work together more effectively
 Orchestrating Threat Intelligence Data
 Data enrichment  Correlating data
• Combine and analyze data • Network logs
from disparate sources • Endpoint data
• Greater understanding of the • Threat intelligence feeds
threat landscape • Identify and prioritize issues
 Combine different threat feeds
• Complete picture of attackers
• Threat actors
• Tools
• Methods
Understand Single Pane of Glass
• Describes a unified view of a computer network or systems
• Allows teams to centrally monitor and control systems and services
• Identify and respond to threats quickly
• Focus on responding to threats
• Real-time visibility into security incidents
Explore Customization Features

• Application Programming Interface (API)

• Two or more applications communicate with each other
• The API Defines:
• The types of requests available
• How to make requests
• Data format requirements
• Conventions to follow (usage rules)
• Application Programming
Interface (API)
• Example: VirusTotal
• Integrate scanning and
analysis capability
directly into a security
tool
WebHooks
 Automated messages sent between applications
 Contain event information
 Time it occurred
 Data associated with the event
 Any other relevant information
 Trigger automated actions
 Send an email
 Update a database, etc.
Plugins & Apps

 Extended functionality
 Additional features
 Customize the software
 Match the infrastructure being managed
 Some additions are free or feature-limited
 Many require additional licensing