2019 FRSecure CISSP Mentor Program: Class Nine

2019 CISSP MENTOR
PROGRAM
May 13, 2019
-----------
Class 9 – May 13, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO

Another beautiful weekend in Minnesota! Makes it
harder to study?
• Check-in.
• How many have read Chapter 1 - 6?
• Questions?
CISSP® MENTOR PROGRAM – SESSION NINE
1
WELCOME BACK!
Back to the grind I suppose…
Only 99 slides tonight. We’ll fly through Chapter 7 tonight and
make good progress into Chapter 8.
We’ve made it through some of the toughest parts already.

Another beautiful weekend in Minnesota! Makes it
harder to study?
• Check-in.
• How many have read Chapter 1 - 6?
• Questions?
2
WELCOME BACK!
Back to the grind I suppose…
Only 100 slides tonight. We’ll fly through Chapter 7 tonight and
make good progress into Chapter 8.
We’ve made it through some of the toughest parts already.
Other Updates:
REMINDER: We’ve seen a little more chatter in Slack...
• If you need anything, email us at
cisspmentor@frsecure.com.
• If you’re still here, you’re doing great!

1. What technique would raise the False Accept Rate
(FAR) and Lower the False Reject Rate (FRR) in a
fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time
3
QUIZ…
Questions, questions, questions…

1. What technique would raise the False Accept Rate
(FAR) and Lower the False Reject Rate (FRR) in a
fingerprint scanning system?
A. Decrease the amount of minutiae that is
verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time
4
QUIZ…

2. A policy that states a user must have a business
requirement to view data before attempting to do so is
an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
5
QUIZ…

2. A policy that states a user must have a business
requirement to view data before attempting to do so is
an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
6
QUIZ…

3. Server A trusts server B. Server B trusts Server C.
Server A therefore trusts server C. What term describes
this trust relationship?
A. Domain trust
B. Forest trust
C. Nontransitive trust
D. Transitive trust
7
QUIZ…

3. Server A trusts server B. Server B trusts Server C.
Server A therefore trusts server C. What term describes
this trust relationship?
A. Domain trust
B. Forest trust
C. Nontransitive trust
D. Transitive trust
8
QUIZ…

4. What protocol provides a common open protocol for
interfacing and querying directory service information
provided by network operating systems, using port 389
via TCP or UDP?
A. CHAP
B. LDAP
C. PAP
D. RADIUS
9
QUIZ…

4. What protocol provides a common open protocol for
interfacing and querying directory service information
provided by network operating systems, using port 389
via TCP or UDP?
A. CHAP
B. LDAP
C. PAP
D. RADIUS
10
QUIZ…

5. Within Kerberos, which part is the single point of
failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key
11
QUIZ…

5. Within Kerberos, which part is the single point of
failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key
12
QUIZ…

6. A type II biometric is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR)
13
QUIZ…

6. A type II biometric is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR)
14
QUIZ…

15
LET’S DO THIS!
And here we go again…

(Designing, Performing, and Analyzing
Security Testing)
• Assessing Access Control
• Software Testing Methods
16
WHAT ARE WE GOING TO COVER?
Agenda – Domain 6: Security Assessment and Testing
Only two objectives?! Piece of cake.
Starting on page 329 this evening

Unique Terms and Definitions
• Dynamic Testing – Tests code while executing it
• Fuzzing – A type of black box testing that submits random,
malformed data as inputs into software programs to determine if
they will crash
• Penetration Testing – Authorized attempt to break into an
organization’s physical or electronic perimeter (and sometimes
both)
• Static Testing – Tests code passively: the code is not running.
• Synthetic Transactions – Also called synthetic monitoring:
involves building scripts or tools that simulate activities normally
performed in an application
17
LECTURE

Assessment and testing are critical.
• Accurately assess real-world security.
• How do you know where to start, unless you’ve
assessed where you are?
• Overall security assessments – including various
controls & testing methods.
• Testing software; static and dynamic
18
LECTURE

Assessing Access Control
• First, determine scope!
• What are we testing?
• Why are we testing it?
• Testing with narrow(er) scope include penetration tests
(“pentests”), vulnerability assessments, and security audits.
• Broad scope assessments often include narrow scope testing.
19
LECTURE

Penetration Testing
• Lots of different types of penetration tests, depending on the what
and why (and a little how).
• Network (Internet)
• Network (internal or DMZ)
• War dialing
• Wireless
• Physical (attempt to gain entrance into a facility or room)
• Simulate client-side attacks, server-side attacks, Web application
attacks, etc.
20
LECTURE

Penetration Testing - Black Hats and White Hats
• Black hat attackers are malicious hackers, sometimes called
crackers.
• “Black” derives from villains in fiction: Darth Vader wore all black
• Lack ethics, sometimes violate laws, and break into computer systems with
malicious intent, and may violate the confidentiality, integrity, or availability of
organization’s systems and data
• White hat hackers are the “good guys”
• Professional penetration testers who break into systems with permission
• Malware researches who research malicious code to provide better
understanding and ethically disclose vulnerabilities to vendors, etc.
• Also known as ethical hackers; they follow a code of ethics and obey laws
21
LECTURE

• Black hat attackers are malicious hackers, sometimes called
crackers.
• “Black” derives from villains in fiction: Darth Vader wore all black
• Lack ethics, sometimes violate laws, and break into computer systems with
malicious intent, and may violate the confidentiality, integrity, or availability of
organization’s systems and data
• White hat hackers are the “good guys”
• Professional penetration testers who break into systems with permission
• Malware researches who research malicious code to provide better
understanding and ethically disclose vulnerabilities to vendors, etc.
• Also known as ethical hackers; they follow a code of ethics and obey laws
22
LECTURE

• Gray hat hackers fall somewhere between black and white hats
• Exploits a security weakness in a computer system or product in order to
bring the weakness to the attention of the owners
• Unlike a black hat, a gray hat acts without malicious intent
• The goal of a gray hat is to improve system and network security
23
LECTURE

• Gray hat hackers fall somewhere between black and white hats
• Exploits a security weakness in a computer system or product in order to
bring the weakness to the attention of the owners
• Unlike a black hat, a gray hat acts without malicious intent
• The goal of a gray hat is to improve system and network security
24
LECTURE

Penetration Testing
• War dialing uses modem to dial a series of phone numbers,
looking for an answering modem carrier tone (the penetration
tester then attempts to access the answering system); the name
derives from the 1983 movie WarGames
• Social engineering uses the human mind to bypass security
controls
• May be used in combination with many types of attacks, especially client-
side attacks or physical tests
• An example of a social engineering attack combined with a client-side attack
is emailing malware with a Subject line of “Category 5 Hurricane is about to
hit Florida!”
• A physical social engineering attack (used to tailgate an authorized user into
a building)
25
LECTURE

Penetration Testing
• War dialing uses modem to dial a series of phone numbers,
looking for an answering modem carrier tone (the penetration
tester then attempts to access the answering system); the name
derives from the 1983 movie WarGames
• Social engineering uses the human mind to bypass security
controls
• May be used in combination with many types of attacks, especially client-
side attacks or physical tests
• An example of a social engineering attack combined with a client-side attack
is emailing malware with a Subject line of “Category 5 Hurricane is about to
hit Florida!”
• A physical social engineering attack (used to tailgate an authorized user into
a building)
26
LECTURE

Penetration Testing
• A zero-knowledge (also called black box) test is “blind”; the
penetration tester begins with no external or trusted information,
and begins the attack with public information only
• A full-knowledge test (also called crystal-box) provides internal
information to the penetration tester, including network diagrams,
policies and procedures, and sometimes reports from previous
penetration testers
• Partial-knowledge tests are in between zero and full knowledge:
the penetration tester receives some limited trusted information
• Most penetration tests have a scope that includes a limitation on
the time spent conducting the test
27
LECTURE

Penetration Testing Tools and Methodology
• Penetration testing tools:
• Open source Metasploit (http://www.metasploit.org)
• Closed source Core Impact (http://www.coresecurity.com)
and Immunity Canvas (http://www.immunitysec.com)
• Top 125 Network Security Tools (http://sectools.org/)
• Custom tools
28
LECTURE

• Penetration testing tools:
• Open source Metasploit (http://www.metasploit.org)
• Closed source Core Impact (http://www.coresecurity.com)
and Immunity Canvas (http://www.immunitysec.com)
• Top 125 Network Security Tools (http://sectools.org/)
• Custom tools
29
LECTURE

• Penetration testers use the following methodology:
• Planning
• Reconnaissance
• Scanning (also called enumeration)
• Vulnerability assessment
• Exploitation
• Reporting
• Black hat hackers typically follow a similar methodology
• Black hats will also cover their tracks (erase logs and other signs
of intrusion), and frequently violate system integrity by installing
back doors (in order to maintain access)
30
LECTURE

• Penetration testers use the following methodology:
• Planning
• Reconnaissance
• Scanning (also called enumeration)
• Vulnerability assessment
• Exploitation
• Reporting
• Black hat hackers typically follow a similar methodology
• Black hats will also cover their tracks (erase logs and other signs
of intrusion), and frequently violate system integrity by installing
back doors (in order to maintain access)
31
LECTURE

Assuring Confidentiality, Data Integrity, and System
Integrity
• Penetration testers must ensure the confidentiality of any
sensitive data that is accessed during the test
• Testers will often request that a dummy file containing no
regulated or sensitive data (sometimes called a flag) be placed in
the same area of the system as the credit card data, and
protected with the same permissions
• If the tester can read and/or write to that file, then they prove they
could have done the same to the credit card data
• Penetration testers must be sure to ensure the system integrity
and data integrity of their client’s systems
• The risk of encountering signs of a previous or current successful
malicious attack (discuss this before starting a test)
32
LECTURE

Vulnerability Testing
• Vulnerability scanning (also called vulnerability testing) scans a
network or system for a list of predefined vulnerabilities such as
system misconfiguration, outdated software, or a lack of patching
• Nessus (http://www.nessus.org), OpenVAS
(http://www.openvas.org), Qualys, and Rapid 7/Nexpose
• Missing patches and configuration errors
• Common Vulnerability Scoring System (CVSS) -
https://nvd.nist.gov/cvss.cfm
33
LECTURE

Vulnerability Testing
• Vulnerability scanning (also called vulnerability testing) scans a
network or system for a list of predefined vulnerabilities such as
system misconfiguration, outdated software, or a lack of patching
• Nessus (http://www.nessus.org), OpenVAS
(http://www.openvas.org), Qualys, and Rapid 7/Nexpose
• Missing patches and configuration errors
• Common Vulnerability Scoring System (CVSS) -
https://nvd.nist.gov/cvss.cfm
34
LECTURE

Security Assessments
• A holistic approach to assessing the effectiveness of
access control
• Broad scope
• Security assessments view many controls across
multiple domains, and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real world-effectiveness of administrative
controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits
35
LECTURE

• Key words… “assessing the effectiveness”
• Where there are gaps in control (weakness/vulnerability), what
are the applicable threats?
• Vulnerabilities + Threats = Likelihoods & Impacts = RISK
• FRSecure specializes in assessments – FISA™ and
FISASCORE®
36
LECTURE

• Remember our definition of information security?
• Administrative Controls – policies, procedures,
training & awareness, etc.
• Physical Controls – the things we can touch; locks,
cameras, etc.
• Technical Controls – the effectiveness of the
technology we employ to protect assets.
37
LECTURE

• FRSecure specializes in assessments – FISA™ is at our core.
38
LECTURE

Internal and 3rd-Party Audits
• Internal audit
• Structured audits – external audience, validate compliance,
etc.
• Unstructured audits – internal audience, improve security,
etc.
• 3rd-Party audits
• Experts (hopefully)
• Adds credibility
• Teach
39
LECTURE

Log Reviews - Security Audit Logs
• Reviewing security audit logs within an IT system is one of the
easiest ways to verify that access control mechanisms are
performing adequately
• Reviewing audit logs is primarily a detective control
• Remember; we cannot prevent all bad things from happening, so
we must be able to detect and respond. – NOT risk elimination,
but risk management.
40
LECTURE

Log Reviews - Security Audit Logs
• According to NIST Special Publication 800-92
(http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf),
the following log types should be collected:
• Network Security Software/Hardware:
• Antivirus logs
• IDS/IPS logs
• Remote Access Software (such as VPN logs)
• Web proxy
• Vulnerability management
• Authentication servers
• Routers and firewalls
41
LECTURE

Security Audit Logs – Centralized Logging
• Assists in log retention (sufficient for legal/regulatory
compliance and investigation)
• Assists in log protection (integrity & availability) –
attackers delete logs, destroying evidence.
• SIEM
• Log protection
• Log aggregation
• Log correlation
• Dashboard reporting
42
LECTURE
SIEM isn’t plug and play.

Software Testing Methods
• Static testing tests the code passively: the code is not running. This
includes walkthroughs, syntax checking, and code reviews.
• Dynamic testing tests the code while executing it.
• White box software testing gives the tester access to program source
code, data structures, variables, etc.
• Black box testing gives the tester no internal details: the software is
treated as a black box that receives inputs.
• Traceability Matrix (sometimes called a Requirements Traceability
Matrix, or RTM) can be used to map customer’s requirements to the
software testing plan: it “traces” the “requirements,” and ensures that
they are being met.
• Fuzzing (also called fuzz testing) is a type of black box testing that
enters random, malformed data as inputs into software programs to
determine if they will crash.
• Combinatorial software testing is a black-box testing method that
seeks to identify and test all unique combinations of software inputs.
43
LECTURE

• Static testing tests the code passively: the code is not running.
This includes walkthroughs, syntax checking, and code reviews.
• analysis of computer software that is performed without actually
executing programs
• In most cases the analysis is performed on some version of the
source code, and in the other cases, some form of the object
code
• List of tools for static code analysis
(https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analy
sis)
44
LECTURE

• Static testing tests the code passively: the code is not running.
This includes walkthroughs, syntax checking, and code reviews.
• analysis of computer software that is performed without actually
executing programs
• In most cases the analysis is performed on some version of the
source code, and in the other cases, some form of the object
code
• List of tools for static code analysis
(https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analy
sis)
45
LECTURE

• Traceability Matrix (or
Requirements Traceability
Matrix or RTM)
• Map customer
requirements to the
software testing plan.
46
LECTURE

Software Testing Levels
• Synthetic Transactions (aka synthetic monitoring):
• Scripts and/or tools to simulate “normal” activities.
• Establish baselines and performance metrics
(usually)
47
LECTURE

• Unit Testing: Low-level tests of software components, such as
functions, procedures or objects
• Installation Testing: Testing software as it is installed and first
operated
• Integration Testing: Testing multiple software components as they
are combined into a working system. Subsets may be tested, or
Big Bang integration testing tests all integrated software
components
• Regression Testing: Testing software after updates,
modifications, or patches
• Acceptance Testing: testing to ensure the software meets the
customer’s operational requirements. When this testing is done
directly by the customer, it is called User Acceptance Testing.
48
LECTURE

Fuzzing
• Black box testing that enters random, malformed data as inputs
into software programs to determine if they will crash.
• Typical causes are boundary checking issues, leading to possible
buffer overflows
• Typically automated, repeatedly presenting random input strings
as command line switches, environment variables, and program
inputs attack
• List of good fuzzers; http://sectools.org/tag/fuzzers/.
• Burp Suite https://portswigger.net/burp/
49
LECTURE

Fuzzing
• Black box testing that enters random, malformed data as inputs
into software programs to determine if they will crash.
• Typical causes are boundary checking issues, leading to possible
buffer overflows
• Typically automated, repeatedly presenting random input strings
as command line switches, environment variables, and program
inputs attack
• List of good fuzzers; http://sectools.org/tag/fuzzers/.
• Burp Suite https://portswigger.net/burp/
50
LECTURE

Other Software Testing Terms
• Misuse Case Testing - derived from and is the inverse of use
case testing; describes the process of executing a malicious act
against a system, while use case can be used to describe any
action taken by the system
• Test Coverage Analysis
• Interface Testing – testing of all interfaces exposed by the
application.
• Combinatorial software testing - a black-box testing method that
seeks to identify and test all unique combinations of software
inputs.
51
LECTURE

And now we’re done…
52
LECTURE

Or are we?!
53
LECTURE

Or are we?!
54
LECTURE
Let’s get a jump start on Domain 7: Security Operations.

Or are we?!
55
LECTURE
Let’s get a jump start on Domain 7: Security Operations.

Domain #7: Security Operations (a lot of them…)
• Administrative Security
• Forensics
• Incident Response Management
• Operational Preventive and Detective Controls
• Asset Management
• …
56
LECTURE
The next domain…

Domain #7: Security Operations (a lot of them…)
• Continuity of Operations
• BCP and DRP Overview and Process
• Developing a BCP/DRP
• Backups and Availability
• DRP Testing, Training and Awareness
• Continued BCP/DRP Maintenance
• Specific BCP/DRP Frameworks
57
LECTURE
The next domain…

• Business Continuity Plan (BCP)—a long-term plan to ensure the
continuity of business operations
• Collusion—An agreement between two or more individuals to
subvert the security of a system
• Continuity of Operations Plan (COOP)—a plan to maintain
operations during a disaster.
• Disaster—any disruptive event that interrupts normal system
operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover
from a disruptive event
58
LECTURE
Domain #7: Security Operations

• Mean Time Between Failures (MTBF)—quantifies how long a
new or repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to
recover a failed system
• Mirroring—Complete duplication of data to another disk, used by
some levels of RAID.
• Redundant Array of Inexpensive Disks (RAID)—A method of
using multiple disk drives to achieve greater data reliability,
greater speed, or both
• Striping—Spreading data writes across multiple disks to achieve
performance gains, used by some levels of RAID
59
LECTURE

Administrative Security
• Administrative Security provides the means to control people's
operational access to data
Least Privilege or Minimum Necessary Access
• Dictates that persons have no more than the access that is
strictly required for the performance of their duties
• May also be referred to as the principle of minimum necessary
access
• Discretionary Access Control (DAC) – most often applicable
60
LECTURE

Need to know
• Mandatory Access Control (MAC)
• Access determination is based upon clearance levels of subjects
and classification levels of objects
• An extension to the principle of least privilege in MAC
environments is the concept of compartmentalization:
• A method for enforcing need to know goes beyond the reliance
upon clearance level and necessitates simply that someone
requires access to information.
61
LECTURE

Separation of Duties
• Prescribes that multiple people are required to complete critical
or sensitive transactions
• Goal of separation of duties is to ensure that in order for
someone to be able to abuse their access to sensitive data or
transactions; they must convince another party to act in concert
• Collusion is the term used for the two parties conspiring to
undermine the security of the transaction
62
LECTURE

Rotation of Duties/Job Rotation
• Also known as job rotation or rotation of responsibilities
• Provides a means to help mitigate the risk associated with any
one individual having too many privileges
• Requires that critical functions or responsibilities are not
continuously performed by the same single person without
interruption
• “hit by a bus” or “win the lottery” scenario
Exam Warning: Though job or responsibility rotation is an important control,
this, like many other controls, is often compared against the cost of
implementing the control. Many organizations will opt for not implementing
rotation of duties because of the cost associated with implementation. For the
exam, be certain to appreciate that cost is always a consideration, and can
trump the implementation of some controls.
63
LECTURE

Mandatory Leave/Forced Vacation
• Also known as forced vacation
• Can identify areas where depth of coverage is lacking
• Can also help discover fraudulent or suspicious behavior
• Knowledge that mandatory leave is a possibility might deter
some individuals from engaging in the fraudulent behavior in the
first place
64
LECTURE

Non-Disclosure Agreement (NDA)
• A work-related contractual agreement that ensures that, prior to
being given access to sensitive information or data, an individual
or organization appreciates their legal responsibility to maintain
the confidentiality of sensitive information.
• Often signed by job candidates before they are hired, as well as
consultants or contractors
• Largely a directive control
65
LECTURE

Background Checks
• Also known as background investigations or preemployment
screening
• Majority of background investigations are performed as part of a
preemployment screening process
• The sensitivity of the position being filled or data to which the
individual will have access strongly determines the degree to
which this information is scrutinized and the depth to which the
investigation will report
• Ongoing, or postemployment, investigations seek to determine
whether the individual continues to be worthy of the trust required
of their position
• Background checks performed in advance of employment serve
as a preventive control while ongoing repeat background checks
constitute a detective control and possibly a deterrent.
66
LECTURE

Privilege Monitoring
• Heightened privileges require both greater scrutiny and more
thoughtful controls
• Some of the job functions that warrant greater scrutiny include:
account creation/modification/deletion, system reboots, data
backup, data restoration, source code access, audit log access,
security configuration capabilities, etc.
67
LECTURE

Digital Forensics
• Provides a formal approach to dealing with investigations and
evidence with special consideration of the legal aspects of the
process
• Forensics is closely related to incident response
• Main distinction between forensics and incident response is
that forensics is evidence-centric and typically more closely
associated with crimes, while incident response is more
dedicated to identifying, containing, and recovering from
security incidents
• The forensic process must preserve the “crime scene” and the
evidence in order to prevent unintentionally violating the integrity
of either the data or the data's environment
68
LECTURE

Digital Forensics
• Prevent unintentional modification of the system
• Antiforensics makes forensic investigation difficult or impossible
• One method is malware that is entirely memory-resident, and not
installed on the disk drive. If an investigator removes power from a
system with entirely memory-resident malware, all volatile memory
including RAM is lost, and evidence is destroyed.
• Valuable data is gathered during the live forensic capture
• The main source of forensic data typically comes from binary
images of secondary storage and portable storage devices such
as hard disk drives, USB flash drives, CDs, DVDs, and possibly
associated cellular phones and mp3 players
• A binary or bit stream image is used because an exact replica of
the original data is needed
• Normal backup software will only capture the active partitions of
a disk, and only that data which is marked as allocated
69
LECTURE

Digital Forensics
The four types of data that exist:
• Allocated space—portions of a disk partition which are marked as
actively containing data.
• Unallocated space—portions of a disk partition that do not
contain active data. This includes memory that has never been
allocated, and previously allocated memory that has been
marked unallocated. If a file is deleted, the portions of the disk
that held the deleted file are marked as unallocated and available
for use.
70
LECTURE

Digital Forensics
The four types of data that exist:
• Slack space—data is stored in specific size chunks known as
clusters. A cluster is the minimum size that can be allocated by a
file system. If a particular file, or final portion of a file, does not
require the use of the entire cluster then some extra space will
exist within the cluster. This leftover space is known as slack
space: it may contain old data, or can be used intentionally by
attackers to hide information.
• “Bad” blocks/clusters/sectors—hard disks routinely end up with
sectors that cannot be read due to some physical defect. The
sectors marked as bad will be ignored by the operating system
since no data could be read in those defective portions. Attackers
could intentionally mark sectors or clusters as being bad in order
to hide data within this portion of the disk.
71
LECTURE

Digital Forensics
• Numerous tools that can be used to create the binary backup
including free tools such as dd and windd as well as commercial
tools such as Ghost (when run with specific nondefault switches
enabled), AccessData's FTK, or Guidance Software's EnCase.
• The general phases of the forensic process are:
• the identification of potential evidence;
• the acquisition of that evidence;
• analysis of the evidence;
• production of a report
• Hashing algorithms are used to verify the integrity of binary
images
• When possible, the original media should not be used for
analysis
72
LECTURE

Live Forensics
• Forensics investigators have traditionally removed power from a
system, but the typical approach now is to gather volatile data.
Acquiring volatile data is called live forensics.
• The need for live forensics has grown tremendously due to non-
persistent tools that don’t write anything to disk
• One example from Metasploit…
73
LECTURE

Live Forensics - Metasploit
• Popular free and open source exploitation framework
• Metasploit framework allows for the modularization of the
underlying components of an attack, which allows for exploit
developers to focus on their core competency without having to
expend energy on distribution or even developing a delivery,
targeting, and payload mechanism for their exploit
• Provides reusable components to limit extra work
• A payload is what Metasploit does after successfully exploiting a
target
74
LECTURE

Live Forensics – Metasploit & Meterpreter
• One of the most powerful Metasploit payloads
• Can allow password hashes of a compromised computer being
dumped to an attacker's machine
• The password hashes can then be fed into a password cracker
• Or the password hashes might be capable of being used directly
in Metasploit's PSExec exploit module, which is an
implementation of functionality provided by Sysinternal's (now
owned by Microsoft) PSExec, but bolstered to support Pass the
Hash functionality.
Information on Microsoft's PSExec can be found at
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
Further details on Pass the Hash techniques can be found at
http://oss.coresecurity.com/projects/pshtoolkit.htm
75
LECTURE

• Dumping password hashes with Meterpreter.
• In addition to dumping password hashes, Meterpreter
provides features such as:
• command execution on the remote system
• uploading or downloading of files
• screen capture
• keystroke logging
• disabling the firewall
• disabling antivirus
• registry viewing and modification
• Meterpreter's capabilities are updated regularly
76
LECTURE

• Dumping password hashes with Meterpreter.
• In addition to dumping password hashes, Meterpreter
provides features such as:
• command execution on the remote system
• uploading or downloading of files
• screen capture
• keystroke logging
• disabling the firewall
• disabling antivirus
• registry viewing and modification
• Meterpreter's capabilities are updated regularly
77
LECTURE

• Dumping the registry with Meterpreter.
• Meterpreter was designed with detection evasion in
mind
• Meterpreter can provide almost all of the
functionalities listed above without creating a new file
on the victim system
• Runs entirely within the context of the exploited victim
process, and all information is stored in physical
memory rather than on the hard disk.
78
LECTURE

• Dumping the registry with Meterpreter.
• Meterpreter was designed with detection evasion in
mind
• Meterpreter can provide almost all of the
functionalities listed above without creating a new file
on the victim system
• Runs entirely within the context of the exploited victim
process, and all information is stored in physical
memory rather than on the hard disk.
79
LECTURE

• If the forensic investigator removed the power supply
from the compromised machine, destroying volatile
memory: there would be little to no information for the
investigator to analyze
80
LECTURE

Network Forensics
• The study of data in motion.
• Focus on gathering & preservation of
evidence for presentation in court.
• Email contents, online conversations, Web
activities, and file transfers.
81
LECTURE

Forensic Software Analysis
• De-constructing malware and other software.
• Most use a VM to detonate malware, also
reverse engineering is used.
Embedded Device Forensics
• IoT devices and handheld devices
• Specialized tools are required.
82
LECTURE

Electronic Discovery (eDISCOVERY)
• legal counsel gaining access to pertinent electronic
information during the pre-trial discovery phase of civil
legal proceedings
• seeks ESI, or electronically stored information
• ESI does not need to be conveniently accessible or
transferable
• Data Retention Policy (IMPORTANT)
• Legal/Regulatory reasons?
• Business reasons?
83
LECTURE

Incident Response Management
• Every organization faces information security incidents
• Regimented and tested methodology for identifying and
responding to incidents is critical
• Computer Security Incident Response Team (CSIRT) is a term
used for the group that is tasked with monitoring, identifying, and
responding to security incidents
• Overall goal of the incident response plan is to allow the
organization to control the cost and damage associated with
incidents, and to make the recovery of impacted systems quicker
84
LECTURE

Incident Response Management – Methodology
Different books and organizations may use different terms and
phases associated with incident response; this section will mirror
the terms associated with the examination.
Step 0 - Preparation
• Incidents are inventible.
• What is an event vs. an incident.
• Who does what, how will they do it, and when?
85
LECTURE

Different books and organizations may use different terms and
phases associated with incident response; this section will mirror
the terms associated with the examination.
Step 1 - Detection (what I can’t prevent, can I detect?)
• Events are analyzed in order to determine whether
these events might comprise a security incident
• Emphasis on detective controls
86
LECTURE

Step 2 - Containment (OK I’ve detected it, now what?)
• The point at which the incident response team
attempts to keep further damage from occurring
• Might include taking a system off the network,
isolating traffic, powering off the system, or other
items to control both the scope and severity of the
incident
• Typically where a binary (bit by bit) forensic backup is
made of systems involved in the incident
87
LECTURE

Step 3 - Eradication
• Involves the process of understanding the cause of
the incident so that the system can be reliably cleaned
and ultimately restored to operational status later in
the recovery phase
• The cause of the incident must be determined
BEFORE recovery
• Root cause analysis is key
88
LECTURE

Step 4 - Recovery
• Involves restoring the system or systems to
operational status
• Typically, the business unit responsible for the system
will dictate when the system will go back online
• Close monitoring of the system after it is returned to
production is necessary
89
LECTURE

Step 5 - Reporting
• Most likely to be neglected in immature incident
response programs
• If done right, this phase has the greatest potential to
effect a positive change in security posture
• Goal is to provide a final report on the incident, which
will be delivered to management
90
LECTURE

• NIST Special Publication 800-61r2: Computer Security
Incident Handling Guide (see:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NI
ST.SP.800-61r2.pdf
• 4 Step Lifecycle
• Preparation
• Detection & Analysis
• Containment, Eradication, and Recovery
• Post-incident Activity
91
LECTURE

• Exam lists a 7-step lifecycle; book calls for 8-step
(adding “Preparation):
• 1. Preparation
• 2. Detection (aka Identification)
• 3. Response (aka Containment)
• 4. Mitigation (aka Eradication)
• 5. Reporting
• 6. Recovery
• 7. Remediation
• 8. Lessons Learned (aka Post-incident Activity, Post Mortem,
or Reporting)
92
LECTURE

1. Preparation
• training, writing incident response policies and
procedures, providing tools such as laptops with
sniffing software, crossover cables, original OS media,
removable drives, etc.
• Everything that you do to prepare for an incident
• Policy and procedures
• Incident handling checklist and other forms for
tracking
• Classification
• Impact
93
LECTURE

NOTE to Brad. Show something…
94
LECTURE

95
LECTURE

96
LECTURE

2. Detection (aka Identification)
• What are all of the inputs into my incident response process?
• Events  Incidents
3. Response (aka Containment)
• Step-by-step, depending upon classification & severity
• Forensic response? Protection of evidence, while containing
damage
• Start root cause analysis
97
LECTURE

4. Mitigation (aka Eradication)
• Root cause analysis completed (mostly/hopefully)
• Get rid of the bad things
5. Reporting
• Actually not really a step (happens throughout)
• More formal here; include incident responders (technical and
non-technical)
98
LECTURE

6. Recovery
• Restore systems and operations
• Increase monitoring
7. Remediation – broader in context
8. Lessons Learned (aka Post-incident Activity, Post
Mortem, or Reporting) – there’s always lessons
99
LECTURE

We made it through Class 9!
For real. Much of this class was educational AND practical.
Please try to catch up in your reading.
• We left off on page 363 in the book.
• Wednesday (5/15) we’ll start again with “Operational
Preventive and Detective Controls”
• Come with questions!
Have a great evening, talk to you Wednesday!
100
LECTURE

We made it through Class 9!
For real. Much of this class was educational AND practical.
Please try to catch up in your reading.
• We left off on page 363 in the book.
• Wednesday (5/15) we’ll start again with “Operational
Preventive and Detective Controls”
• Come with questions!
Have a great evening, talk to you Wednesday!
101
LECTURE
Let’s do some more quiz questions!
After all, you’ll need to get used to it.

2019 FRSecure CISSP Mentor Program: Class Nine

More Related Content

What's hot

Similar to 2019 FRSecure CISSP Mentor Program: Class Nine

Recently uploaded

2019 FRSecure CISSP Mentor Program: Class Nine