book

Cybersecurity – Attack and Defense Strategies - Third Edition

by Yuri Diogenes, Dr. Erdal Ozkaya

September 2022

Intermediate to advanced

570 pages

15h 59m

English

Packt Publishing

Read now

Unlock full access

Who this book is forWhat this book coversTo get the most out of this bookGet in touch
Why security hygiene should be your number one priorityThe current threat landscapeSupply chain attacksRansomwareThe credentials – authentication and authorizationAppsDataCybersecurity challengesOld techniques and broader resultsThe shift in the threat landscapeEnhancing your security postureZero TrustCloud Security Posture ManagementMulti-cloudThe Red and Blue TeamsAssume breachSummaryReferences
The incident response processReasons to have an IR process in placeCreating an incident response processIncident response teamIncident life cycleHandling an incidentIncident handling checklistPost-incident activityReal-world scenario 1Lessons learned from scenario 1Real-world scenario 2Lessons learned from scenario 2Considerations for incident response in the cloudUpdating your IR process to include the cloudAppropriate toolsetIR process from the Cloud Solution Provider (CSP) perspectiveSummaryReferences
How to build a cyber strategy1 – Understand the business 2 – Understand the threats and risks 3 – Proper documentationWhy do we need to build a cyber strategy?Best cyber attack strategiesExternal testing strategiesInternal testing strategiesBlind testing strategyTargeted testing strategyBest cyber defense strategiesDefense in depthDefense in breadthBenefits of having a proactive cybersecurity strategyTop cybersecurity strategies for businessesTraining employees about security principlesProtecting networks, information, and computers from viruses, malicious code, and spywareHaving firewall security for all internet connectionsUsing software updatesUsing backup copiesImplementing physical restrictionsSecuring Wi-Fi networksChanging passwordsLimiting access for employeesUsing unique user accountsConclusionFurther reading
Understanding the Cyber Kill ChainReconnaissanceFootprintingEnumerationScanningWeaponization Delivery Exploitation Privilege escalationExamples of attacks that used exploitation Installation Command and Control Actions on Objectives Data exfiltrationObfuscationExamples of attacks that used ObfuscationSecurity controls used to stop the Cyber Kill ChainUse of UEBA Security awarenessThreat life cycle managementForensic data collectionDiscoveryQualificationInvestigationNeutralizationRecoveryConcerns about the Cybersecurity Kill ChainHow the Cyber Kill Chain has evolvedTools used during the Cyber Kill ChainMetasploitTwintNiktoKismetSpartaJohn the RipperHydra Aircrack-ngAirgeddonDeauther BoardHoboCopyEvilOSXComodo AEP via Dragon PlatformPreparation phaseIntrusion phaseActive Breach phaseSummaryFurther readingReferences
External reconnaissanceScanning a target’s social mediaDumpster divingSocial engineeringPretextingDiversion theftWater holingBaitingQuid pro quoTailgatingPhishingSpear phishingPhone phishing (vishing)Internal reconnaissanceTools used for reconnaissanceExternal reconnaissance toolsSAINTSeatbelt.exeWebshagFOCAPhoneInfogatheHarvester (email harvester)Open-source intelligenceKeepnet LabsInternal reconnaissance toolsAirgraph-ng Sniffing and scanningPrismdumptcpdumpNmapWiresharkScanrandMasscan Cain and AbelNessusWardrivingHak5 Plunder Bug CATT Canary token links Passive vs. active reconnaissanceHow to combat reconnaissanceHow to prevent reconnaissanceSummaryReferences
Analyzing current trendsExtortion attacksData manipulation attacksCountering data manipulation attacksIoT device attacksHow to secure IoT devicesBackdoorsHow you can secure against backdoorsHacking everyday devicesHacking the cloudCloud hacking tools Cloud security recommendations PhishingExploiting a vulnerabilityZero-dayWhatsApp vulnerability (CVE-2019-3568)Chrome zero-day vulnerability (CVE-2019-5786)Windows 10 privilege escalationWindows privilege escalation vulnerability (CVE20191132)FuzzingSource code analysisTypes of zero-day exploitsPerforming the steps to compromise a systemDeploying payloadsCompromising operating systemsCompromising a remote systemCompromising web-based systemsMobile phone (iOS/Android) attacksExodusSensorIDiPhone hack by Cellebrite Man-in-the-diskSpearphone (loudspeaker data capture on Android) Tap ‘n Ghost iOS Implant Teardown Red and Blue Team tools for mobile devicesSnoopdroidAndroguardSummary Further readingReferences
Identity is the new perimeterCredentials and automationStrategies for compromising a user’s identityGaining access to the networkHarvesting credentialsHacking a user’s identityBrute forceSocial engineeringPass the hashIdentity theft through mobile devicesOther methods for hacking an identitySummaryReferences
InfiltrationNetwork mappingScan, close/block, and fixBlocking and slowing downDetecting Nmap scansUse of clever tricksPerforming lateral movementStage 1 – User compromised (user action)Malware installsBeacon, Command & Control (C&C)Stage 2 – Workstation admin access (user = admin)Vulnerability = admin Think like a hackerWhat is the graph?Avoiding alertsPort scansSysinternalsFile sharesWindows DCOMRemote DesktopRemote Desktop Services Vulnerability (CVE-2019-1181/1182)PowerShellPowerSploit Windows Management InstrumentationScheduled tasksToken stealingStolen credentialsRemovable mediaTainted shared contentRemote RegistryTeamViewer Application deploymentNetwork sniffingARP spoofingAppleScript and IPC (OS X)Breached host analysisCentral administrator consolesEmail pillagingActive DirectoryAdmin sharesPass the TicketPass-the-Hash (PtH)Credentials: Where are they stored?Password hashes Winlogon lsass.exe process Security Accounts Manager (SAM) database Domain Active Directory Database (NTDS.DIT) Credential Manager (CredMan) storePtH mitigation recommendations SummaryFurther readingReferences
InfiltrationHorizontal privilege escalationVertical privilege escalationHow privilege escalation worksCredential exploitationMisconfigurationsPrivileged vulnerabilities and exploitsSocial engineeringMalwareAvoiding alertsPerforming privilege escalationExploiting unpatched operating systemsAccess token manipulationExploiting accessibility featuresApplication shimmingBypassing user account controlPrivilege escalation and Container Escape Vulnerability (CVE-2022-0492) DLL injectionDLL search order hijackingDylib hijackingExploration of vulnerabilitiesLaunch daemonHands-on example of privilege escalation on a Windows targetDumping the SAM fileRooting AndroidUsing the /etc/passwd fileExtra window memory injectionHookingScheduled tasksNew servicesStartup itemsSudo cachingAdditional tools for privilege escalation 0xsp Mongoose v1.70xsp Mongoose RED for Windows Hot Potato Conclusion and lessons learnedSummaryReferences

Reviewing your security policyShift left approachEducating the end userSocial media security guidelines for usersSecurity awareness trainingPolicy enforcementPolicies in the cloudApplication whitelistingHardeningMonitoring for complianceAutomationsContinuously driving security posture enhancement via security policySummaryReferences
The defense-in-depth approachInfrastructure and servicesDocuments in transitEndpointsMicrosegmentationPhysical network segmentationDiscovering your network with a network mapping toolSecuring remote access to the networkSite-to-site VPNVirtual network segmentationZero trust networkPlanning zero trust network adoptionHybrid cloud network securityCloud network visibilitySummaryReferences
Detection capabilitiesIndicators of compromiseIntrusion detection systemsIntrusion prevention systemRule-based detectionAnomaly-based detectionBehavior analytics on-premisesDevice placementBehavior analytics in a hybrid cloudMicrosoft Defender for CloudAnalytics for PaaS workloadsSummaryReferences
Introduction to threat intelligenceOpen-source tools for threat intelligenceFree threat intelligence feedsUsing MITRE ATT&CK Microsoft threat intelligenceMicrosoft SentinelSummaryReferences
Scoping the issueKey artifactsInvestigating a compromised system on-premisesInvestigating a compromised system in a hybrid cloudIntegrating Defender for Cloud with your SIEM for investigationProactive investigation (threat hunting)Lessons learnedSummaryReferences
Disaster recovery planThe disaster recovery planning processForming a disaster recovery teamPerforming risk assessmentPrioritizing processes and operationsDetermining recovery strategiesCreating the disaster recovery planTesting the planObtaining approvalMaintaining the planChallengesLive recoveryContingency planningIT contingency planning processDevelopment of the contingency planning policyConducting business impact analysisIdentifying the preventive controlsDeveloping recovery strategiesPlan maintenanceRisk management toolsRiskNAVIT and Cyber Risk Management softwareBusiness continuity planBusiness continuity planningHow to develop a business continuity plan7 steps to creating an effective business continuity planBest practices for disaster recoveryOn-premisesOn the cloudHybridSummaryFurther readingReferences
Creating a vulnerability management strategyAsset inventoryInformation managementRisk assessmentScopeCollecting dataAnalysis of policies and proceduresVulnerability analysisThreat analysisAnalysis of acceptable risksVulnerability assessmentReporting and remediation trackingResponse planningElements of a vulnerability strategyDifferences between vulnerability management and vulnerability assessmentBest practices for vulnerability managementStrategies to improve vulnerability managementVulnerability management tools Asset inventory toolsPeregrine toolsLANDesk Management SuiteFoundstone’s Enterprise (McAfee)Information management toolsRisk assessment toolsVulnerability assessment toolsReporting and remediation tracking toolsResponse planning toolsIntruderPatch Manager PlusWindows Server Update Services (WSUS)Comodo Dragon platformInsightVMAzure Threat and Vulnerability ManagementImplementing vulnerability management with NessusOpenVASQualysAcunetixConclusionSummaryFurther reading References
Data correlationOperating system logsWindows logsLinux logsFirewall logsWeb server logsAmazon Web Services (AWS) logsAccessing AWS logs from Microsoft SentinelAzure Activity logsAccessing Azure Activity logs from Microsoft SentinelGoogle Cloud Platform LogsSummaryReferences

Overview

"Cybersecurity - Attack and Defense Strategies, Third Edition" serves as a comprehensive guide to mastering the art of defending and securing network infrastructures against a wide array of cyber threats. Through practical examples and expert insight, you'll gain a deeper understanding of attack techniques, effective defense tactics, and strategies to strengthen your security posture.

What this Book will help me do

You will be able to recognize and mitigate cybersecurity risks using state-of-the-art tools like the MITRE ATT&CK Framework.
Gain an understanding of the Zero Trust approach to enhance load protection and prevent unauthorized access.
Learn Red Team and Blue Team strategies to anticipate potential threats and effectively counter cyber-attacks.
Discover how to perform detailed threat analysis and incident response to address security breaches effectively.
Familiarize yourself with modern defenses and practices such as network segmentation and security monitoring in cloud environments.

Author(s)

Yuri Diogenes and Dr. Erdal Ozkaya are seasoned cybersecurity experts with years of field experience and consulting. Their approach to cybersecurity is informed and practical, aiming to apply theoretical concepts directly to real-world scenarios. Known for their clear educational and practical writing style, their guidance is geared towards empowering readers to safeguard digital assets effectively.

Who is it for?

This book is targeted primarily at IT security professionals aiming to expand their expertise in advanced cybersecurity strategies. It is also highly relevant for cloud security administrators, pentesting professionals, and ethical hackers desiring to deepen their methodology. Beginners can also gain foundational insights into the cybersecurity domain with basic prior knowledge of networking and web technologies.