CompTIA CASP+ CAS-004 – Chapter 06 – Utilizing Security Assessments and Incident Response

1. Chapter Introduction

In this chapter, we’re going to be looking at utilizing security assessments as well as discussing incident response policies and procedures. In any situation that you are going to be applying security, one of the first steps is going to be performing security assessments. In this chapter, we’ll be discussing those security assessments and the importance of them, as well as different procedures like sandboxing, memory dumping, runtime, Dugging reconnaissance, et cetera.

We’ll also be looking at the different security assessment tools and types of security assessments that exist. And then finally we’ll be looking at incident response and recovery. It’s impossible to have a network that is completely free from security incidents, and so it’s just as important as protecting yourself against them. It’s just as important to understand how to react to them and how to train users to react to them and how to identify that process and those procedures that are involved, as well as constantly review them.

2. Topic A: Security Assessments

In this first topic, though, we’ll be looking at the concept of security assessments, which are just a set of procedures that you’re going to use to give an accurate assessment, hopefully, of the security that you have on your network. There will be a number of different methods and types.

3. Importance of Security Assessments

So before you can secure a network, an organization really needs to determine exactly where these security weaknesses exist. And really, the only way to do that is to make an honest assessment of the current state of the network. There are a multitude of types of weaknesses that can exist in the network. There are also multiple methods of assessment that can be used. And so we’re going to essentially take a look at trying to ferret out those types of weaknesses. And there are some things that can’t be discovered by tools, and so we need to understand how those should be addressed as well.

4. Malware Sandboxing

So a number of different methods can be used to identify security weaknesses. Some do involve determining network shortcomings, but others focus on insecure, web server applications, application configurations on desktops, ETCA. Let’s start here with malware sandboxing. This is an assessment method that attempts to detect malware code code by running it on a computer and doing so in order to analyze it for behavior and traits that indicate malware.

One of the main goals of malware sandboxing is to spot zero day malware. And that’s malware that has not yet been identified by commercial antimalware systems. And there’s not at that point, a cure. The whole concept of zero day is that it’s just come out. You haven’t had any particular number of days to address this type of malware, to understand how to detect it, and to understand how to fix it. One of the examples of commercial malware sandboxing tool is Kaku. That’s an open source automated malware analysis system.

There are cloudbased systems as well. Secure, alerts, elastic sandbox is one of those. And with that particular product, you’ve got customers, partners, vendors, as well as the malware experts at that company that upload suspicious executables to that sandbox using an online platform or API. And then within the sandbox, the behavior of the code is studied. And that includes network communications, it includes metadata in the network, traffic, changes to the host and runtime. But it’s very effective because using all the available, all the available information for analytics, it’s processing code, and it’s determining if that code under investigation is, in fact, malicious. Now, that’s just one example of how malware sandboxing works, but it’s very useful. And so vendors and customers can use that type of environment to test malware, and they can benefit from the results of that analysis. All right, so in quick summary, malware sandboxing can be used to analyze and identify malware that hasn’t yet been identified by your major commercial antimalware vendors.

5. Memory Dumping

A lot of penetration. Testing tools will perform an operation called a core dump or a memory dump. Applications store their information in memory and that information can include all manner of sensitive data passwords, usernames encryption keys, et cetera. And so hackers will often use memory reading tools to analyze the entire memory content that’s used by a particular application. So any vulnerability testing should take that into consideration and should really utilize the same tools to identify issues in the memory of an application.

There are several examples of memory reading tools as well. Memdump is a free tool that runs on Windows, Linux, Solaris. It essentially creates a bit by bit copy of the volatile memory on a system. KNT Tools is a memory acquisition and analysis tool that’s used with Windows systems that captures physical memory, stores it on a removable drive or sends it over a network so that it can be archived on a separate machine.

And then Fat Kit is a very popular memory forensics tool. It automates the process of extracting interesting data from volatile memory and helps the analysts to try to visualize the objects it finds. That really gives us some understanding as to what the application was able to find. So these tools are very useful because they are identifying that information that is accessible to an attacker who might be executing a memory dump.

6. Runtime Debugging

An alternative to that is runtime debugging. This is a bit different because it’s the process of using a programmatic tool to not only identify syntactical errors in the code, but also to discover weaknesses that can lead to memory leaks and buffer overflows, which we know are fairly common types of attacks. So these tools operate by examining and monitoring the use of memory. So very similar, but looking for a little bit different. We have some examples here as well. Address sanitizer, which runs on Linux and Mac, written in CNC. Sharp, the Deleeaker program running on Windows. Also CNC Sharp, the languages that it can analyze. That’s what we’re talking about there.

Software Verify is a Windows program, and it can verify runtime information for a number of different programs. Net programs java, Python, Ruby, C and C Sharp. Essentially, memory dumping. Runtime Debugging, they can all help determine exactly what a hacker might learn if they were able to cause a memory dump or, excuse me, memory dumping is doing that. Runtime Debugging is slightly different because it would be the approach for how we find syntactical problems in the application code and that can be identified, that will show me what’s going to happen, or the possibility of a memory leak or potential buffer overflow.

7. Reconnaissance

A network attack is typically preceded by an information gathering phase called reconnaissance. We’re all familiar with the term reconnaissance. If we watch any sort of spy movies or read those types of books, we’re scoping out the area. We’re trying to look for a way in. Well, in computer networking, it is no different. When an attacker is trying to get into your network, they have to try to find some information out about the network, and that is called reconnaissance.

There are both technical tools as well as non technical approaches that can be used to identify targets and then piece together helpful information that may make a target easier to attack. So you can compare this stage of the hacking process to a bank robber casing a bank location before launching a robbery, the spies taking a look at how they’re going to get into a location or infiltrate certain data from another government.

Fill in your analogy. Again, we all kind of understand. But reconnaissance doesn’t have to be limited to just the attacker. It can certainly be performed by network security personnel as a form of security assessment.

8. Fingerprinting

One of the types of tools that we’ll use for network reconnaissance are fingerprinting tools. These are tools that are designed to scan a network, identify host on the network, identify services and applications that are available to that host. And so they help an attacker to weed through all the uninteresting items in the network and really zone in on what is particularly of interest host. So by fingerprinting or identifying the operating system of a host, it gives me a lot of advantages. By doing that, I’m able to identify exploits that may work on that host.

If I know you’re running IIS that runs on a Windows Server, and I know your version is the version that’s running on Windows Server 2012 R two, well, I’ve got a leg up in the game. I can then search out vulnerabilities or even recall vulnerabilities of those systems, and that’s a way in. And the same is true for other pieces of software, particular ports and services, et cetera. There’s two major types of fingerprinting. The first is active fingerprinting. These tools would transmit packets to remote host and then just analyze the replies.

So I’m looking for clues about the replying system. Port scanners are typically these active fingerprinting tools. So you do a port scan, you hit port 25 on a remote computer and then you can analyze the result of what’s coming back and you can identify some information about that system. Now, the other types of fingerprinting is passive. It is possible to simply capture packets from a network and then just take a look at them. Instead of sending packets on the network to a remote machine, I’m just doing some packet capture and analysis.

Network Minor is an example of that kind of tool whereby scanning and capturing traffic, you’re able in some cases to identify the operating system and see additional information about a particular host. And all of that is without actually communicating with that host. So network reconnaissance in general is very important and these fingerprinting tools can give us a lot of that information.

9. Code Review

Code review is another reconnaissance type. This is a systematic investigation of the code for security and functional problems. It can take a lot of different forms from simple peer review to formal code review. But there are two main types formal and lightweight. Formal is extremely thorough. We’re going line by line expectation. It’s usually performed, formed by multiple participants, usually includes multiple phases, and is typically a very time consuming type of code review. However, even though it’s time consuming, it is the most effective in trying to find defects in the code.

Then you have lightweight review. That’s a type of review that’s much more cursory than the formal review, hence the name. It’s usually just done as a normal part of the development process and it can have several different forms. So pair programming would be coders just working side by side and they’re checking one another’s work as they go.

Email review is code being emailed around to other individuals in the department for them to review when they get time to do that. Over the shoulder, probably self-explanatory coworkers reviewing the code while the author is showing them the code. And that gives the advantage of the author of the code being able to explain his or her reasoning behind certain decisions and then tool assisted.

And this is probably the most efficient method because it involves using automated tools. And automated tools have a tendency of being able to look and identify problems that the human eye potentially could not. Okay? Now code review is typically performed on in house applications, but it is possible that it’s warranted in other scenarios as well.

So for example, let’s say you’re contracting with a third party company to develop a web application because you need to process credit cards. That’s pretty sensitive information. So considering the sensitive nature of the application, it wouldn’t typically be unusual for you to request your own code review to assess the security of the product. In a lot of cases we should be trying to use more than one tool in testing an application.

Okay? For example, you get an online banking application that has had its source code updated. It really should be going through both penetration testing with accounts of different privilege levels as well as a code review of the critical modules just to make sure that you don’t have any defects. So as thorough as we can be in this process, the less likely we’re going to have undetected vulnerabilities when the application is live.

10. Social Engineering

Let’s discuss social engineering, which is a fairly large topic and can be somewhat interesting. Unfortunately, the weakest link in most of our networks is going to be the human element and the fact that we have human beings that use our network on a day to day basis and are open to social engineering attacks. Social engineering is the essentially the process of attacking humans.

Attackers are going to use believable language, they’re going to leverage user gullibility, and they’re going to try to obtain sensitive information, whether it’s usernames and passwords or other confidential information. That’s what social engineering does. And there are a number of different threats that we need to understand. Fishing, farming, shoulder surfing, dumpster diving, pivoting, the use of social media, all of those. The problem with social engineering is that it is difficult to actually combat because it’s not as if in many cases you can put controls in place that will automatically protect you against social engineering attacks. Instead, the best defense is security awareness training. The training should be mandatory and we need to have the training occur on a regular basis because these social engineering techniques are constantly evolving. But you’re still dependent on the user. You’re still dependent on the user actually learning in the security awareness training and not thinking it’s silly and actually going through the steps to identify these types of attacks.

So the onus is on the employee, but we just need to put all, everything in place that should be in place and ensure that everybody’s gone through the training and somewhat try to monitor. There can be some attempts to social engineer users just to look at the results and then review that. That’s about all you could do to be proactive. Okay, so having said that, let’s go through these different kinds of attacks and just make sure that we understand what they are. The first one is generally familiar to most at this point. Fishing with a PH. This is a social engineering attack where attackers try to learn personal information.

 A lot of times it’s credit card information, financial data, usernames and passwords. Typically the recipient is sent the link to a particular site. That site is generally not the real site, it’s a fake website, but it looks exactly like or nearly like the site that they think they’re going to PayPal bank sites, credit card sites, and they’re being prompted to enter in their login credentials. If the user uses that link and enters in data, then the attackers will be able to capture any information that is entered. All right, and so phishing typically will leverage the email system, although sometimes Im and SMS text messaging can be used for phishing attempts and users are just usually there’s a fear element as well. So a user will be told that their account has been compromised or they’re told that their credit card has been disabled and in order to turn it back on, they need to follow this link and put in their username and password. And so the user is trying to be helpful and they follow these links and they don’t identify that it’s an actual phishing attempt.

A few things you can look at and maybe that should be part of the user awareness training is a lot of times there’s something that’s off on these pages. If you really study them, there’s typically a little bit of broken English or things that don’t look exactly right. Sometimes you look at the URL and if users would really focus on the URL, then they would realize that there are letters or numbers that are off. Maybe it’s an IP address that’s being used instead of a domain name. A pretty infamous one years ago was a phishing attempt that went out that was trying to collect PayPal user login credentials. And if you looked on the page that you went to, it was extremely similar until you got down into the disclaimer area at the bottom where they really weren’t using complete and correct English. So it became a little bit more obvious at that point.

Once I saw that, then I went up to the URL and looked, I had glanced at it earlier but hadn’t really noticed that instead of pal. com it was Paypa one which at a quick glance I think you can give me the benefit of the doubt. Exactly. Those two look very familiar. So difficult to defeat this user awareness training. Telling them never to respond to email address or telling them never to respond to emails, asking them for usernames and passwords, that’s hopefully enough. There are a couple of different variants of this. So there’s spearfishing, spear phishing. And just visualize that in your mind is a phishing attack carried out against a particular target.

And it’s done by learning that target’s habits and likes. These take longer to carry out because you have to gather more information about them in order for the spear fishing to be successful. So for regular fishing, think I’m baiting a hook, I’m just throwing it out there and whoever bites they’re going to come back. For spear fishing, I have a particular target.

Farming is similar to fishing but it involves polluting the contents of the computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site. Everything we do today uses DNS. Nobody, typically nobody is using an IP address to communicate with a remote computer. So it makes DNS a target for some of these attacks and in this case it’s corrupting those cache entries because if your client thinks it has the answer for a DNS question, then it’s never going to go out and request that answer from another server. So we need to caution users against using any links embedded in email messages really, even if it appears to have come from a legitimate entity. Always review the address bar. I mentioned that every time they access a site. So those are your couple of defenses. All right, let’s move on to the next one, shoulder surfing.

Shoulder surfing is when an attacker watches when a user enters login or confidential information. It’s pretty self explanatory. Users should be encouraged to always just be conscious of their surroundings and who might be observing their actions. If this is a bigger issue in organizations, then we might have some implementation of privacy screens to make sure that data entry can’t be recorded. But you can typically tell if somebody’s looking over your shoulder and trying to watch you on your computer, on your mobile device, those kinds of things. So that’s a user awareness as well. Identity theft. Everybody’s probably familiar with this. This occurs when somebody obtains personal information about you driver’s license number, bank account number, Social Security and then they take and leverage that information to assume the identity of the individual from whom the information was stolen. Now, once the identity is assumed, an attack can go in any direction.

Most cases, this is financial. Either we open financial accounts in the user’s name, or we make purchases. We gain access to existing valid accounts. Any manner of things can happen through identity theft, but typically, what is being sought is financial gain. Dumpster diving is another social engineering mechanism. Attackers examine the contents of physical garbage and recycling bins to try to obtain confidential information. This could include information about personnel. org charts, account login information, network diagrams, financial data, you name it. So we got to be careful throwing any of those away. An organization should really have policies for shredding documents that contain that type of information. Pivoting is the next technique we want to talk about, and that’s a technique that is used both by attackers as well as penetration testers to advance from the initially compromised host to other hosts on the same network. It allows the leveraging of Pen test tools installed on a compromised machine to then route traffic through other hosts on the subnets, and particularly or potentially allow access to those other subnets.

So, I mean, an example that you compromise a client, that would be step one. Step two, you could utilize a program like Metasploit, which is looking for exploits. Step three choose an exploit and then actually get IP addresses by scanning the network, get Mac addresses by scanning the IP addresses that you find, and then adding a route to compromise systems so that you can actually get those. We’re not going through those steps, but that would be sort of the process that’s involved with Pivoting. Open Source Intelligent OSINT is data collected from publicly available sources. In a lot of cases, the information that you can get from publicly available sources makes an attack possible.

This is what the attacker would do as a part of the reconnaissance. Okay? An attacker would look in a number of different places, because today there is a lot of information that’s online, and that information can be leveraged in an attack. Social media is one of those places. Organizations are increasingly using social media to reach out, connect with customers, the public in general. So this has advantages, of course, the use of Twitter, Facebook, LinkedIn, other social media, they can enhance customer engagement, they can help to build the brand, communicate information to the rest of the world, but they can also inadvertently expose proprietary information. So there are some dangers presented by social media one mobile apps on company devices.

We can’t completely blame social media for its use with mobile applications on company devices, but the availability and ease with which these apps can be downloaded and installed does present the danger of malware. And that’s an increasing danger. Unwarranted trust in social media is a problem. I mean, trade secrets, company plans, they may be innocently disclosed to a friend and it’s because I have this misplaced expectation of privacy. And it’s complicated even further by poorly misunderstood, frequently changing security and privacy settings of social media sites, not understanding who’s going to see the post and whatnot.

And so to be careful there, there’s malware in social media sites, lots of malicious code that can be lurking behind advertisements and third party applications. And hackers benefit from that kind of thing a lot because users are reposting links and they’re performing the distribution process for a hacker and often there’s just a lack of policies. Every organization should have a social media policy and it should expressly define the way in which users may use social media. In some organizations, you may even have a social media director or coordinator and training should be delivered to define exactly what users are allowed to say on behalf of the company.

That’s the best way to prevent information leaks through social media is to just adopt a social media policy that defines exactly what people can say and then hold employees to that policy. So all of these are attacks against the human element of the network or social engineering and can be best combated against by using user security awareness training.