Cybersecurity - Attack and Defense Strategies

Book description

Updated edition of the bestselling guide for planning attack and defense strategies based on the current threat landscape

Key Features

  • Updated for ransomware prevention, security posture management in multi-cloud, Microsoft Defender for Cloud, MITRE ATT&CK Framework, and more
  • Explore the latest tools for ethical hacking, pentesting, and Red/Blue teaming
  • Includes recent real-world examples to illustrate the best practices to improve security posture

Book Description

Cybersecurity – Attack and Defense Strategies, Third Edition will bring you up to speed with the key aspects of threat assessment and security hygiene, the current threat landscape and its challenges, and how to maintain a strong security posture.

In this carefully revised new edition, you will learn about the Zero Trust approach and the initial Incident Response process. You will gradually become familiar with Red Team tactics, where you will learn basic syntax for commonly used tools to perform the necessary operations. You will also learn how to apply newer Red Team techniques with powerful tools. Simultaneously, Blue Team tactics are introduced to help you defend your system from complex cyber-attacks. This book provides a clear, in-depth understanding of attack/defense methods as well as patterns to recognize irregular behavior within your organization. Finally, you will learn how to analyze your network and address malware, while becoming familiar with mitigation and threat detection techniques.

By the end of this cybersecurity book, you will have discovered the latest tools to enhance the security of your system, learned about the security controls you need, and understood how to carry out each step of the incident response process.

What you will learn

  • Learn to mitigate, recover from, and prevent future cybersecurity events
  • Understand security hygiene and the value of prioritizing protection of your workloads
  • Explore physical and virtual network segmentation, cloud network visibility, and Zero Trust considerations
  • Adopt new methods to gather cyber intelligence, identify risk, and demonstrate impact with Red/Blue Team strategies
  • Explore legendary tools such as Nmap and Metasploit to supercharge your Red Team
  • Discover identity security and how to perform policy enforcement
  • Integrate threat detection systems into your SIEM solutions
  • Discover the MITRE ATT&CK Framework and open-source tools to gather intelligence

Who this book is for

If you are an IT security professional who wants to venture deeper into cybersecurity domains, this book is for you. Cloud security administrators, IT pentesters, security consultants, and ethical hackers will also find this book useful. Basic understanding of operating systems, computer networking, and web applications will be helpful.

Table of contents

  1. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Get in touch
  2. Security Posture
    1. Why security hygiene should be your number one priority
    2. The current threat landscape
      1. Supply chain attacks
      2. Ransomware
      3. The credentials – authentication and authorization
      4. Apps
      5. Data
    3. Cybersecurity challenges
      1. Old techniques and broader results
      2. The shift in the threat landscape
    4. Enhancing your security posture
      1. Zero Trust
      2. Cloud Security Posture Management
      3. Multi-cloud
    5. The Red and Blue Teams
      1. Assume breach
    6. Summary
    7. References
  3. Incident Response Process
    1. The incident response process
      1. Reasons to have an IR process in place
      2. Creating an incident response process
      3. Incident response team
      4. Incident life cycle
    2. Handling an incident
      1. Incident handling checklist
    3. Post-incident activity
      1. Real-world scenario 1
      2. Lessons learned from scenario 1
      3. Real-world scenario 2
      4. Lessons learned from scenario 2
    4. Considerations for incident response in the cloud
      1. Updating your IR process to include the cloud
      2. Appropriate toolset
      3. IR process from the Cloud Solution Provider (CSP) perspective
    5. Summary
    6. References
  4. What is a Cyber Strategy?
    1. How to build a cyber strategy
      1. 1 – Understand the business
      2. 2 – Understand the threats and risks
      3. 3 – Proper documentation
    2. Why do we need to build a cyber strategy?
    3. Best cyber attack strategies
      1. External testing strategies
      2. Internal testing strategies
      3. Blind testing strategy
      4. Targeted testing strategy
    4. Best cyber defense strategies
      1. Defense in depth
      2. Defense in breadth
    5. Benefits of having a proactive cybersecurity strategy
    6. Top cybersecurity strategies for businesses
      1. Training employees about security principles
      2. Protecting networks, information, and computers from viruses, malicious code, and spyware
      3. Having firewall security for all internet connections
      4. Using software updates
      5. Using backup copies
      6. Implementing physical restrictions
      7. Securing Wi-Fi networks
      8. Changing passwords
      9. Limiting access for employees
      10. Using unique user accounts
    7. Conclusion
    8. Further reading
  5. Understanding the Cybersecurity Kill Chain
    1. Understanding the Cyber Kill Chain
      1. Reconnaissance
        1. Footprinting
        2. Enumeration
        3. Scanning
      2. Weaponization
      3. Delivery
      4. Exploitation
        1. Privilege escalation
        2. Examples of attacks that used exploitation
      5. Installation
      6. Command and Control
      7. Actions on Objectives
        1. Data exfiltration
      8. Obfuscation
        1. Examples of attacks that used Obfuscation
    2. Security controls used to stop the Cyber Kill Chain
      1. Use of UEBA
      2. Security awareness
    3. Threat life cycle management
      1. Forensic data collection
      2. Discovery
      3. Qualification
      4. Investigation
      5. Neutralization
      6. Recovery
    4. Concerns about the Cybersecurity Kill Chain
    5. How the Cyber Kill Chain has evolved
    6. Tools used during the Cyber Kill Chain
      1. Metasploit
      2. Twint
      3. Nikto
      4. Kismet
      5. Sparta
      6. John the Ripper
      7. Hydra
      8. Aircrack-ng
      9. Airgeddon
      10. Deauther Board
      11. HoboCopy
      12. EvilOSX
    7. Comodo AEP via Dragon Platform
      1. Preparation phase
        1. Intrusion phase
        2. Active Breach phase
    8. Summary
    9. Further reading
    10. References
  6. Reconnaissance
    1. External reconnaissance
      1. Scanning a target’s social media
      2. Dumpster diving
      3. Social engineering
        1. Pretexting
        2. Diversion theft
        3. Water holing
        4. Baiting
        5. Quid pro quo
        6. Tailgating
        7. Phishing
        8. Spear phishing
        9. Phone phishing (vishing)
    2. Internal reconnaissance
    3. Tools used for reconnaissance
      1. External reconnaissance tools
        1. SAINT
        2. Seatbelt.exe
        3. Webshag
        4. FOCA
        5. PhoneInfoga
        6. theHarvester (email harvester)
        7. Open-source intelligence
        8. Keepnet Labs
      2. Internal reconnaissance tools
      3. Airgraph-ng
        1. Sniffing and scanning
        2. Prismdump
        3. tcpdump
        4. Nmap
        5. Wireshark
        6. Scanrand
        7. Masscan
        8. Cain and Abel
        9. Nessus
      4. Wardriving
      5. Hak5 Plunder Bug
        1. CATT
        2. Canary token links
    4. Passive vs. active reconnaissance
    5. How to combat reconnaissance
    6. How to prevent reconnaissance
    7. Summary
    8. References
  7. Compromising the System
    1. Analyzing current trends
      1. Extortion attacks
      2. Data manipulation attacks
        1. Countering data manipulation attacks
      3. IoT device attacks
        1. How to secure IoT devices
      4. Backdoors
        1. How you can secure against backdoors
      5. Hacking everyday devices
      6. Hacking the cloud
        1. Cloud hacking tools
        2. Cloud security recommendations
      7. Phishing
      8. Exploiting a vulnerability
      9. Zero-day
        1. WhatsApp vulnerability (CVE-2019-3568)
        2. Chrome zero-day vulnerability (CVE-2019-5786)
        3. Windows 10 privilege escalation
        4. Windows privilege escalation vulnerability (CVE-2019-1132)
        5. Fuzzing
        6. Source code analysis
        7. Types of zero-day exploits
    2. Performing the steps to compromise a system
      1. Deploying payloads
        1. Compromising operating systems
        2. Compromising a remote system
        3. Compromising web-based systems
    3. Mobile phone (iOS/Android) attacks
      1. Exodus
      2. SensorID
      3. iPhone hack by Cellebrite
      4. Man-in-the-disk
      5. Spearphone (loudspeaker data capture on Android)
      6. Tap ‘n Ghost
        1. iOS Implant Teardown
      7. Red and Blue Team tools for mobile devices
        1. Snoopdroid
        2. Androguard
    4. Summary
    5. Further reading
    6. References
  8. Chasing a User’s Identity
    1. Identity is the new perimeter
      1. Credentials and automation
    2. Strategies for compromising a user’s identity
      1. Gaining access to the network
      2. Harvesting credentials
      3. Hacking a user’s identity
      4. Brute force
      5. Social engineering
      6. Pass the hash
      7. Identity theft through mobile devices
      8. Other methods for hacking an identity
    3. Summary
    4. References
  9. Lateral Movement
    1. Infiltration
    2. Network mapping
      1. Scan, close/block, and fix
      2. Blocking and slowing down
      3. Detecting Nmap scans
      4. Use of clever tricks
    3. Performing lateral movement
      1. Stage 1 – User compromised (user action)
        1. Malware installs
        2. Beacon, Command & Control (C&C)
      2. Stage 2 – Workstation admin access (user = admin)
        1. Vulnerability = admin
      3. Think like a hacker
        1. What is the graph?
      4. Avoiding alerts
      5. Port scans
      6. Sysinternals
      7. File shares
      8. Windows DCOM
      9. Remote Desktop
        1. Remote Desktop Services Vulnerability (CVE-2019-1181/1182)
      10. PowerShell
        1. PowerSploit
      11. Windows Management Instrumentation
      12. Scheduled tasks
      13. Token stealing
      14. Stolen credentials
      15. Removable media
      16. Tainted shared content
      17. Remote Registry
      18. TeamViewer
      19. Application deployment
      20. Network sniffing
      21. ARP spoofing
      22. AppleScript and IPC (OS X)
      23. Breached host analysis
      24. Central administrator consoles
      25. Email pillaging
      26. Active Directory
      27. Admin shares
      28. Pass the Ticket
      29. Pass-the-Hash (PtH)
        1. Credentials: Where are they stored?
        2. Password hashes
      30. Winlogon
      31. lsass.exe process
        1. Security Accounts Manager (SAM) database
        2. Domain Active Directory Database (NTDS.DIT)
        3. Credential Manager (CredMan) store
        4. PtH mitigation recommendations
    4. Summary
    5. Further reading
    6. References
  10. Privilege Escalation
    1. Infiltration
      1. Horizontal privilege escalation
        1. Vertical privilege escalation
        2. How privilege escalation works
        3. Credential exploitation
        4. Misconfigurations
        5. Privileged vulnerabilities and exploits
        6. Social engineering
        7. Malware
      2. Avoiding alerts
      3. Performing privilege escalation
        1. Exploiting unpatched operating systems
        2. Access token manipulation
        3. Exploiting accessibility features
        4. Application shimming
        5. Bypassing user account control
        6. Privilege escalation and Container Escape Vulnerability (CVE-2022-0492)
        7. DLL injection
        8. DLL search order hijacking
        9. Dylib hijacking
        10. Exploration of vulnerabilities
        11. Launch daemon
        12. Hands-on example of privilege escalation on a Windows target
      4. Dumping the SAM file
      5. Rooting Android
      6. Using the /etc/passwd file
      7. Extra window memory injection
      8. Hooking
      9. Scheduled tasks
      10. New services
      11. Startup items
      12. Sudo caching
        1. Additional tools for privilege escalation
        2. 0xsp Mongoose v1.7
        3. 0xsp Mongoose RED for Windows
        4. Hot Potato
      13. Conclusion and lessons learned
    2. Summary
    3. References
  11. Security Policy
    1. Reviewing your security policy
      1. Shift left approach
    2. Educating the end user
      1. Social media security guidelines for users
      2. Security awareness training
    3. Policy enforcement
      1. Policies in the cloud
      2. Application whitelisting
      3. Hardening
    4. Monitoring for compliance
      1. Automations
    5. Continuously driving security posture enhancement via security policy
    6. Summary
    7. References
  12. Network Security
    1. The defense-in-depth approach
      1. Infrastructure and services
      2. Documents in transit
      3. Endpoints
      4. Microsegmentation
    2. Physical network segmentation
      1. Discovering your network with a network mapping tool
    3. Securing remote access to the network
      1. Site-to-site VPN
    4. Virtual network segmentation
    5. Zero trust network
      1. Planning zero trust network adoption
    6. Hybrid cloud network security
      1. Cloud network visibility
    7. Summary
    8. References
  13. Active Sensors
    1. Detection capabilities
      1. Indicators of compromise
    2. Intrusion detection systems
    3. Intrusion prevention system
      1. Rule-based detection
      2. Anomaly-based detection
    4. Behavior analytics on-premises
      1. Device placement
    5. Behavior analytics in a hybrid cloud
      1. Microsoft Defender for Cloud
      2. Analytics for PaaS workloads
    6. Summary
    7. References
  14. Threat Intelligence
    1. Introduction to threat intelligence
    2. Open-source tools for threat intelligence
      1. Free threat intelligence feeds
      2. Using MITRE ATT&CK
    3. Microsoft threat intelligence
      1. Microsoft Sentinel
    4. Summary
    5. References
  15. Investigating an Incident
    1. Scoping the issue
      1. Key artifacts
    2. Investigating a compromised system on-premises
    3. Investigating a compromised system in a hybrid cloud
      1. Integrating Defender for Cloud with your SIEM for investigation
    4. Proactive investigation (threat hunting)
    5. Lessons learned
    6. Summary
    7. References
  16. Recovery Process
    1. Disaster recovery plan
      1. The disaster recovery planning process
        1. Forming a disaster recovery team
        2. Performing risk assessment
        3. Prioritizing processes and operations
        4. Determining recovery strategies
        5. Creating the disaster recovery plan
        6. Testing the plan
        7. Obtaining approval
        8. Maintaining the plan
      2. Challenges
    2. Live recovery
    3. Contingency planning
      1. IT contingency planning process
        1. Development of the contingency planning policy
        2. Conducting business impact analysis
        3. Identifying the preventive controls
        4. Developing recovery strategies
        5. Plan maintenance
      2. Risk management tools
        1. RiskNAV
        2. IT and Cyber Risk Management software
    4. Business continuity plan
      1. Business continuity planning
      2. How to develop a business continuity plan
      3. 7 steps to creating an effective business continuity plan
    5. Best practices for disaster recovery
      1. On-premises
      2. On the cloud
      3. Hybrid
    6. Summary
    7. Further reading
    8. References
  17. Vulnerability Management
    1. Creating a vulnerability management strategy
      1. Asset inventory
      2. Information management
      3. Risk assessment
        1. Scope
        2. Collecting data
        3. Analysis of policies and procedures
        4. Vulnerability analysis
        5. Threat analysis
        6. Analysis of acceptable risks
      4. Vulnerability assessment
      5. Reporting and remediation tracking
      6. Response planning
    2. Elements of a vulnerability strategy
    3. Differences between vulnerability management and vulnerability assessment
    4. Best practices for vulnerability management
      1. Strategies to improve vulnerability management
    5. Vulnerability management tools
      1. Asset inventory tools
        1. Peregrine tools
        2. LANDesk Management Suite
        3. Foundstone’s Enterprise (McAfee)
      2. Information management tools
      3. Risk assessment tools
      4. Vulnerability assessment tools
      5. Reporting and remediation tracking tools
      6. Response planning tools
      7. Intruder
      8. Patch Manager Plus
      9. Windows Server Update Services (WSUS)
      10. Comodo Dragon platform
      11. InsightVM
      12. Azure Threat and Vulnerability Management
      13. Implementing vulnerability management with Nessus
      14. OpenVAS
      15. Qualys
      16. Acunetix
    6. Conclusion
    7. Summary
    8. Further reading
    9. References
  18. Log Analysis
    1. Data correlation
    2. Operating system logs
      1. Windows logs
      2. Linux logs
    3. Firewall logs
    4. Web server logs
    5. Amazon Web Services (AWS) logs
      1. Accessing AWS logs from Microsoft Sentinel
    6. Azure Activity logs
      1. Accessing Azure Activity logs from Microsoft Sentinel
    7. Google Cloud Platform Logs
    8. Summary
    9. References
  19. Other Books You May Enjoy
  20. Index

Product information

  • Title: Cybersecurity - Attack and Defense Strategies
  • Author(s): Yuri Diogenes, Dr. Erdal Ozkaya
  • Release date: September 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781803248776