CySA Unit 1 2
CySA Unit 1 2
CSC401 – CySA
UNIT 1
UNIT – 1
Risk Responses
• Avoid
• Accept
• Mitigate
• Transfer
Identifying Specifics
Threat Actors
TTPs
Threat Considerations
Different threat groups target different organizations
Prioritize identified threat groups
Build defenses based on threat group
Security Control Category
Control Categories
Technical – Implemented through technology. Automated measures.
Operational – Procedures and practices that are primary carried out by people.
Managerial – Provide oversight and governance over organization’s security
processes and policies.
Protecting assets with a mix of control from each category.
Security Control Functional Types
Preventative Controls: Aim to stop an attack before it happens.
Detective Controls: Identify and log an attack while it's happening.
Corrective Controls: Mitigate or repair the damage after an attack has
occurred.
Compensating Controls: Provide alternative methods of protection when
primary controls aren't available or sufficient.
Responsive Controls: Help manage and respond to security incidents to prevent
them from escalating.
NOTE: No single security control can protect everything on its own. Each control is
like a link in a chain, and together, they form a strong defense. Each type of
control (like prevention, detection, or correction) can be seen as its own chain,
with multiple controls working together to ensure protection.
Managing Attack Surface
Threat Models seek to identify which threat actors are likely to attempt to
exploit the system. The goal of the threat model is to help determine how to
improve a system’s security posture, and part of this exercise often includes
attack surface management and hardening.
Attack Surface describes the level of exposure
Identifying attack surface helps define the weak spots in the
environment
People and processes
Software and devices
An attack surface describes all potential pathways a threat actor could use
to gain unauthorized access or control. Each piece of software, service,
and
every enabled protocol on an endpoint offers a unique opportunity for
attack. Removing or disabling as many of these as possible can significantly
reduce the number of (potentially) exploitable pathways into a system.
Evaluating Attack Surface
Passive Discovery - Methods used to identify systems, services, and
protocols indirectly.
Edge Discovery - Edge is instead composed of every device with Internet
connectivity.
Penetration Testing - Simulating an attack on an organization’s network to
identify vulnerabilities and weaknesses.
Adversary Emulation - Replicates the tactics, techniques, and procedures
(TTPs) of a specific known threat actor. The goal is to closely mimic how a
particular attacker or group operates, based on real-world intelligence.
Reducing Attack Surface
Asset inventory
Access control
Patching and updating
Network segmentation
Removing unnecessary components
Employee training
Software Patching & Host Protection
Patch Management: Ensures systems have the latest security updates to protect
against vulnerabilities, with a plan for timely application and a backup strategy
for disruptions.
Patch Scope: Applies to various systems, software, and devices; can be
manual, automated, or a mix of both, with automation often needing some
manual intervention.
Effective Patch Strategy: Requires software configured based on system risks
and a test environment to check patches before full deployment.
Patch Testing: Tests patches on isolated systems to ensure they don't cause
issues like crashes or instability.
Centralized Configuration Management: Ensures consistency by defining
settings once and applying them across multiple systems, crucial for both
modern and traditional IT environments.
Maintenance Windows: Designated times for preventive maintenance and
noncritical patch deployment, following change management policies.
Maintenance Types: Reactive (in response to issues) and proactive (to prevent
future problems or safely perform work).
Exploring Threat Intelligence & Threat
Hunting Concepts
Types of Threat Actor
Nation-State
Organized Crime
Hacktivist
Insider Threat
Script Kiddie
Supply Chain Access
APT (Advanced Persistent Threat)
Tactic – Motive
Technique – Ways to achieve Motive
Procedure - Method/steps executed
MITRE Framework
OSINT
Open-source intelligence (OSINT) refers to publicly available information and associated
tools for aggregating and searching it.
OSINT Includes
Publicly Available Information – Public Repo, DNS Info, etc
Social Media – User’s personal information.
Website
MetaData – Pictures, Document etc
Defensive OSINT
Defensive OSINT is a type of intelligence gathering that focuses on identifying threats before
they occur. It also helps create a strategy to minimize the impact of an attack before it occurs.
Govt. Bulletins
CERT
CSIRT
Deep/Dark Web
Internal Sources
Threat Intelligence Data
Threat intelligence data refers to information collected, analyzed, and
contextualized to identify and assess potential security threats. Data can
come from various sources, including open-source, human, and technical
intelligence.
Two broad types
Strategic: Provides a high-level view of the threat landscape, including
emerging trends, tactics, and techniques threat actor use
Operational: Provides more granular details about specific threats, such
as indicators of compromise, malware analysis, and network forensics.
Depends on three important attributes timeliness, relevancy, and accuracy
Companies provides commercial service offering, where access to
updates and research is subject to a subscription fee
Confidence Level : Metric helps rank or score threat intelligence to help
isolate highly applicable or highly likely threat intelligence
Threat Intelligence Sources
(Proprietary/Closed-Source)
Closed-source data is derived from the provider’s own research and
analysis efforts, such as data from honeynets that they operate, plus
information mined from its customers’ systems, suitably anonymized.
Most of the commercial feed (sometimes referred to as a paid feed)
providers also market their own platform for processing and disseminating
threat intelligence.
Threat Intelligence Sharing
Active Defense
Using offensive actions to outmaneuver an adversary to make an attack harder
to execute.
An active approach to cyber defense seeks to increase the likelihood that
hackers will make a mistake and expose their existence or methods of attack.
Honeypots
Redirect malicious traffic away (decoys)
Intentionally made vulnerable system, corporate look-a-like, which attacker
upon targeting reveals their presence.
UNIT - 2
Virtualization involves creating multiple virtual machines that run full operating systems on a
single physical host using a hypervisor.
Containerization creates lightweight containers that share the host OS kernel but are isolated
at the application level, allowing for efficient resource use and consistent deployment.
Emulation simulates a different hardware or software environment entirely, enabling software
to run on platforms it wasn't originally designed for, often at the cost of significant performance
overhead.
Containers & Virtual Machines
Federation
Access one account via credentials from account
OpenID
Users participate in an OpenID system
Transitive Trust
If A trusts B, and B trusts C, then A trusts C.
Cloud Access Security Broker
Extended functionality
Additional features
Customize the software
Match the infrastructure being managed
Some additions are free or feature-limited
Many require additional licensing