Unit - 05 - Cyber Notes

The document outlines various cybersecurity concepts including Endpoint Vulnerability Assessment, Network and Server Profiling, and the Common Vulnerability Scoring System (CVSS), detailing their definitions, processes, and tools used. It also discusses the Information Security Management Systems (ISMS) framework, Network Security Data, alert evaluation, the Cyber Kill Chain model, and the Diamond Model of Intrusion Analysis, emphasizing their roles in identifying and mitigating cyber threats. Each section provides a structured approach to understanding vulnerabilities, analyzing threats, and enhancing organizational security posture.

Endpoint Vulnerability Assessment

• Definition: Endpoint Vulnerability Assessment is the process of identifying weaknesses or flaws in devices (endpoints) that connect to a network. These endpoints may include computers, servers, mobile devices, workstations, and even IoT (Internet of Things) devices.
• Process:
  1. Discovery: Identifying all endpoints on the network.
  2. Scanning: Using vulnerability scanners (e.g., Nessus, OpenVAS) to find security flaws in operating systems, applications, and configurations.
  3. Analysis: Assessing the severity of each vulnerability based on the potential impact on the system and network.
  4. Remediation: Applying patches, updating software, and adjusting configurations to mitigate or eliminate vulnerabilities.
  5. Reporting: Documenting the findings and actions taken to secure the endpoints.
• Tools: Common tools include Tenable Nessus, Qualys, Rapid7 Nexpose, and OpenVAS.

Network and Server Profiling

• Definition: Network and Server Profiling is the practice of mapping out and analyzing the infrastructure of an organization's network and its servers. This allows you to detect vulnerabilities, misconfigurations, or performance issues before they are exploited.
• Key Activities:
  1. Network Topology Mapping: Understanding how devices are connected within the network, identifying key routers, switches, and other critical infrastructure.
  2. Port Scanning: Discovering open ports on network devices and servers to ensure they are necessary and secure (using tools like Nmap).
  3. Server Configuration Review: Analyzing server configurations, software versions, and patch levels to ensure they follow security best practices.
  4. Traffic Analysis: Monitoring network traffic for unusual patterns that could indicate an attack (e.g., using Wireshark or Splunk).
• Tools: Nmap (network scanning), Wireshark (traffic analysis), and Nessus (vulnerability scanning) are commonly used.

Common Vulnerability Scoring System (CVSS)

• Definition: CVSS is a standardized system for evaluating the severity of security vulnerabilities. It helps prioritize which vulnerabilities should be addressed first, based on their risk.
• Components:
  1. Base Score: Represents the intrinsic characteristics of the vulnerability (e.g., how easy it is to exploit). This is calculated using metrics like exploitability (e.g., remote vs. local access) and impact (e.g., loss of confidentiality, integrity, or availability).
  2. Temporal Score: Adjusts the base score over time, accounting for factors such as the availability of exploits or patches.
  3. Environmental Score: Customizes the score based on the specific environment in which the vulnerability exists (e.g., impact on a particular organization's assets).
• Scale: The score is typically between 0 and 10, where:
  - 0.0 to 3.9 = Low
  - 4.0 to 6.9 = Medium
  - 7.0 to 8.9 = High
  - 9.0 to 10.0 = Critical
• Use: CVSS scores help prioritize remediation efforts and allocate resources to the most critical vulnerabilities.

Information Security Management Systems (ISMS)

• Definition: An ISMS is a systematic approach to managing sensitive company information to keep it secure. It involves a set of policies, processes, and controls that address security risks.
• Key Components:
  1. Risk Assessment: Identifying and evaluating risks to the confidentiality, integrity, and availability of information.
  2. Controls: Implementing controls (technical, administrative, and physical) to mitigate identified risks.
  3. Policies: Establishing clear security policies and procedures.
  4. Monitoring: Continuously monitoring the effectiveness of security measures and conducting periodic reviews (e.g., internal audits).
  5. Improvement: Ensuring continuous improvement in the security posture through corrective actions.
• Frameworks: ISO/IEC 27001 is the most widely adopted framework for implementing an ISMS. Other frameworks include NIST and COBIT.
• Certification: Organizations can be certified against these standards (e.g., ISO/IEC 27001) to demonstrate their commitment to information security.

Network Security Data

• Definition: Network Security Data refers to the data generated from network devices and security tools that help in detecting and defending against network-based threats.
• Types:
  1. Traffic Data: Captures information about the data passing through the network, including source, destination, protocols, and payloads (e.g., using tools like Wireshark).
  2. Event Logs: Logs from firewalls, IDS/IPS, servers, and other devices that document network activity (e.g., using SIEM systems like Splunk, LogRhythm).
  3. Alerts: Security alerts generated by devices like intrusion detection systems (IDS), firewalls, and anti-malware systems when suspicious activity is detected.
• Use: This data helps security analysts to understand threats, identify intrusions, investigate incidents, and comply with regulations.

Evaluating Alerts

• Definition: Evaluating alerts involves analyzing security alerts generated by various tools to determine if they represent a real threat or a false alarm.
• Steps in Evaluation:
  1. Alert Triage: Sorting alerts based on severity and relevance.
  2. Contextual Analysis: Investigating the context of the alert, including the affected system, the source of the alert, and any recent network activity.
  3. False Positive Reduction: Identifying and filtering out non-threatening alerts to reduce noise and focus on actual threats.
  4. Incident Response: If the alert indicates a real threat, the security team initiates the incident response process to mitigate the issue.
• Tools: Security Information and Event Management (SIEM) platforms like Splunk, IBM QRadar, or ArcSight provide tools for managing and analyzing alerts.

Cyber Kill Chain

• Definition: The Cyber Kill Chain is a model that breaks down the stages of a cyber attack into specific phases. It helps defenders understand the tactics and techniques used by attackers, enabling them to interrupt attacks at various stages.
• Stages:
  1. Reconnaissance: The attacker gathers information about the target, such as open ports, employee details, etc.
  2. Weaponization: The attacker prepares malicious payloads (e.g., malware, exploits).
  3. Delivery: The attack is delivered to the target system, often via phishing emails, malicious downloads, or physical access.
  4. Exploitation: The attacker exploits a vulnerability in the target system to gain access.
  5. Installation: The attacker installs malware or establishes persistent access.
  6. Command and Control (C2): The attacker communicates with the compromised system to direct actions.
  7. Actions on Objectives: The attacker achieves their ultimate goals, such as data theft, system manipulation, or destruction.
• Purpose: By understanding these phases, defenders can deploy countermeasures to stop the attack at any stage, improving their chances of detection and mitigation.

Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis is a structured framework designed to aid in the analysis of cyber intrusions. By understanding and mapping out the relationships between key elements in an attack, the model helps defenders and analysts identify patterns, gain insights into attack strategies, and predict future threats. It was developed by Richard Bejtlich and is widely used by security professionals, particularly in incident response, threat intelligence, and forensics.

Key Elements of the Diamond Model:
The Diamond Model focuses on four core elements that are central to every intrusion:
1. Adversary:
   - Definition: The entity responsible for carrying out the attack. This could be a cybercriminal, hacktivist, nation-state actor, or other types of attackers.
   - Purpose: Understanding the adversary helps to identify the motivations, capabilities, and tactics used during the attack. For example, a nation-state actor might have more resources and advanced techniques compared to an opportunistic cybercriminal.
   - Key Questions: Who is conducting the attack? What is their objective (espionage, financial gain, disruption)? Are there any known links to groups or activities (e.g., APT groups)?
2. Capability:
   - Definition: The tools, techniques, and procedures (TTPs) that the adversary uses to carry out the attack. These include malware, exploits, social engineering, and other methods.
   - Purpose: The capability element is important for understanding how the adversary executes the attack and what vulnerabilities they exploit. It gives insight into the sophistication and effectiveness of the attack methods used.
   - Key Questions: What tools and techniques does the adversary use (e.g., phishing, zero-day exploits, malware)? How are these tools developed or sourced? Are these tools publicly available or custom-built by the adversary?
3. Infrastructure:
   - Definition: The physical or virtual infrastructure that the adversary uses to launch and control the attack. This includes command-and-control (C2) servers, compromised machines, remote servers, and other infrastructure that supports the attack.
   - Purpose: Infrastructure helps to identify how the adversary communicates with the compromised systems, delivers payloads, and executes commands. By mapping the infrastructure, defenders can track the adversary's activity and potentially disrupt their operations.
   - Key Questions: What infrastructure does the adversary control or rely on (e.g., C2 servers, proxy systems, compromised networks)? How does this infrastructure interact with the victim? Are there patterns or indicators that can help identify this infrastructure?
4. Victim:
   - Definition: The target of the attack, which could be an individual, organization, or system. The victim element focuses on the compromised systems, stolen data, or affected networks.
   - Purpose: Understanding the victim element helps to identify what the adversary is targeting, why they chose this target, and how the attack impacts the victim. It also enables defenders to understand the scope of the damage and the nature of the compromise.
   - Key Questions: Who is being targeted (specific individuals, organizations, sectors)? What information or resources are being targeted (e.g., intellectual property, personal data, network access)? What is the adversary's goal in targeting this victim?
The Diamond Model's Relationships:
The model highlights not only the elements but also the relationships between them. Each element is interconnected and can influence the other elements. Here's how:
• Adversary ↔ Capability: The adversary's goals and motivations drive the choice of tools and techniques. For example, an attacker motivated by espionage might use custom malware designed to exfiltrate data quietly.
• Capability ↔ Infrastructure: The capability of an adversary often dictates the infrastructure needed to carry out the attack. For example, advanced persistent threats (APTs) may need multiple C2 servers spread across different regions to avoid detection.
• Infrastructure ↔ Victim: The infrastructure used by the adversary is closely related to the victim. For example, the attacker might exploit vulnerabilities in the victim's firewall or use spear-phishing emails to gain access to specific systems within the target network.
• Adversary ↔ Victim: The adversary's choice of victim is influenced by their objectives (e.g., stealing intellectual property, disrupting operations) and the available capabilities.
Analysis Process in the Diamond Model:
The Diamond Model is typically used for intrusion analysis, where the goal is to investigate a specific cyber attack or series of attacks. Here's a step-by-step approach to using the Diamond Model for analysis:
1. Identify the Elements:
   - Start by gathering all available data related to the intrusion, such as logs, alerts, forensic evidence, and reports. You will map out the adversary, capability, infrastructure, and victim elements based on this data.
2. Map Relationships:
   - Once the elements are identified, begin analyzing how they interact. For example, determine how the adversary's capabilities (e.g., a specific malware type) interacted with the victim's network infrastructure (e.g., a compromised server).
3. Link Indicators:
   - During the analysis, you will generate indicators of compromise (IOCs), such as IP addresses, domain names, hashes, and other metadata related to the attack. These IOCs can be tied to the infrastructure and capability elements.
4. Look for Patterns:
   - By connecting multiple intrusions or attacks, the Diamond Model can help uncover patterns of behavior. For instance, an attacker using similar infrastructure or capabilities across multiple victims may indicate a repeatable attack methodology or an APT group's ongoing campaign.
5. Derive Insights:
   - Once the relationships are mapped and the attack context is clear, draw conclusions about the adversary's behavior, objectives, and potential future targets. This can help with proactive defense measures, such as updating defenses or blocking certain infrastructure.
Example: Using the Diamond Model for Intrusion Analysis
Let's walk through a simplified example using the Diamond Model:
Scenario: A financial institution is targeted by a cybercriminal who is trying to steal customer account details through a phishing attack.
1. Adversary: The attacker is a cybercriminal group motivated by financial gain. They have used phishing emails with malicious attachments to compromise employee accounts.
2. Capability: The cybercriminals used a well-known banking Trojan, "BankBot," that was delivered through the phishing email. The malware collects sensitive banking information when installed on the victim's machine.
3. Infrastructure: The attacker controls several compromised servers acting as C2 for the malware. These servers are located in countries with weak cybercrime laws, which makes them difficult to trace.
4. Victim: The victim in this case is the financial institution, which suffers a data breach when employees unwittingly download the malicious attachment. The breach leads to the exposure of customer account details.
Analysis: By mapping the relationships between these elements, the security team can identify potential new targets of the cybercriminals (other financial institutions), track the C2 infrastructure, and develop countermeasures to prevent further attacks, such as blocking malicious IP addresses or deploying advanced email filtering to block phishing attempts.
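Steps 3 to 5 of the analysis process (link indicators, look for patterns, derive insights) and the BankBot scenario above can be worked through in code. The following Python is an added example, not from the notes: it records each intrusion as the four Diamond vertices, pivots on the indicators tied to the capability and infrastructure vertices, and merges events that share infrastructure into activity groups. All event ids, victim names and indicators are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four Diamond Model vertices."""
    event_id: str
    adversary: str             # often "unknown" early in an investigation
    capabilities: frozenset    # malware families / TTPs
    infrastructure: frozenset  # C2 domains or IPs
    victim: str

# Constructed sample events modelled on the notes' BankBot scenario; every
# victim name and indicator below is made up for illustration.
EVENTS = [
    DiamondEvent("E1", "unknown", frozenset({"phishing", "BankBot"}),
                 frozenset({"c2-a.example", "c2-b.example"}), "Bank A"),
    DiamondEvent("E2", "unknown", frozenset({"phishing", "BankBot"}),
                 frozenset({"c2-b.example"}), "Bank B"),
    DiamondEvent("E3", "unknown", frozenset({"sqli"}),
                 frozenset({"203.0.113.9"}), "Retailer C"),
    DiamondEvent("E4", "unknown", frozenset({"BankBot"}),
                 frozenset({"c2-c.example"}), "Credit Union D"),
]

def shared(events, vertex):
    """Step 3: index one vertex's indicators; keep those seen in more than one event."""
    index = defaultdict(set)
    for e in events:
        for ioc in getattr(e, vertex):
            index[ioc].add(e.event_id)
    return {ioc: ids for ioc, ids in index.items() if len(ids) > 1}

def activity_groups(events):
    """Step 4: merge events sharing infrastructure (a strong link) into groups.
    Shared capability alone is not merged: commodity malware like a well-known
    banking Trojan is used by many unrelated actors, so it is a weak pivot."""
    parent = {e.event_id: e.event_id for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for ids in shared(events, "infrastructure").values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for e in events:
        groups[find(e.event_id)].add(e.event_id)
    return sorted(sorted(g) for g in groups.values())
```

Step 5 follows from the output: the group sharing a C2 domain points at a single campaign against banks, while the event that shares only the BankBot family stays a separate lead until infrastructure or adversary evidence links it.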
Benefits of the Diamond Model:
1. Holistic View: It offers a comprehensive view of the attack by considering the adversary, their capabilities, the infrastructure they use, and the victim. This helps in understanding not just the "how" but the "why" and "who" behind an attack.
2. Pattern Recognition: It helps identify recurring attack patterns, which is useful for detecting new threats or preventing similar attacks in the future.
3. Actionable Intelligence: By connecting attack elements, defenders can generate actionable intelligence that can be used for mitigating current threats and preventing future ones.
4. Flexibility: The Diamond Model can be applied to various types of cyber attacks, from simple malware infections to complex, multi-stage APT attacks.
