effective infosec career planning - yehg.nethax0r/r0lan/effective infosec career planning.pdf ·...
Effective InfoSec Career Planning
aka
Building InfoSec Professional Life
Purpose
This presentation is dedicated to those who want to build an Information Security professional career.
About me
• Currently working at one of the CERT teams
• One bit of YEHG (http://yehg.net)
• Holding Offensive Security (OSCP) + CTG (CED, CWSE) + some InfoSec certs...
• Doing vuln research & artifact analysis
• Often a participant in cyber drills, CTFs & wargame challenges.
Agenda
InfoSec Nowadays
InfoSec Trend
Security Analyst/Consultant
Incident Handling
Artifact Analysis
Computer Forensics
Security Engineering
Policy Maker
InfoSec Hall of Fame
Conclusion
Q & A
InfoSec Nowadays
InfoSec Trend
Policy Maker
Incident Handling
Cyber Forensic
Artifact Analysis
Security Analysis
Security Engineering
InfoSec Trend: Incident Handling
- SOC Operation Staff
- Incident Handling Engineer
- Incident Responder
Incident Handling
• The preparation, detection, management and resolution of incidents or events that may occur in the information system.
Incident Handling
• Key Responsibilities
– Detect & respond to security incidents
– Reduce losses
– Reduce downtime
– Identify the attack vector
– Provide focus & resources for the documentation, planning, and training of an incident response capability
Incident Handling
• Strong technical expertise in:
– Network protocols, including TCP/IP fundamentals
– Operating systems (Windows and UNIX)
– Scripting languages (such as Python, Perl, Bash, PowerShell or similar) in an incident handling environment
• Knowledge of banking systems, enterprise systems and infrastructure
• Knowledge of virtual environments (VMware)
• Knowledge of security products such as anti-virus, IDS, IPS, proxy, SIEM, log management tools etc.
• Knowledge of vulnerability management
• Knowledge of malware & hacking techniques, etc.
Incident Handling
• Six Step Approach
1. Preparation
2. Identification & Initial Response
3. Containment
4. Remediation
5. Recovery
6. Follow-up
Incident Handling
• Sample Case Study
– Worm Infection
Incident Handling
• Preparation
– Contact list of who will be involved in the crisis cell
– Make sure that analysis tools are up and available
– Make sure to have a network architecture map
– Perform a continuous security watch
Incident Handling
• Identification & Initial Response
• Detect the infection
– Information coming from several sources should be gathered & analyzed:
– Antivirus logs & IDS logs
– Suspicious connection attempts & traffic
– High number of locked accounts
– High load or system freezes
– High volumes of email sent
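The indicators on this slide can be turned into a first-pass triage script. The following is an added example, not code from the original presentation: it reads constructed log lines in an assumed "kind host=... key=value" format, counts antivirus hits, IDS scan alerts, account lockouts and outbound mail per host, and ranks hosts by how many indicators they trip. The thresholds and the mail-relay allow-list are assumptions to be tuned to the environment's normal baseline.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "kind host=... key=value" format.
SAMPLE_LOGS = """\
av host=ws-01 action=quarantine sig=W32/Worm.Generic
ids host=ws-01 sig=SMB-445-scan dst=10.0.0.5
ids host=ws-01 sig=SMB-445-scan dst=10.0.0.6
lockout host=ws-01 user=alice
lockout host=ws-01 user=bob
lockout host=ws-01 user=carol
smtp host=ws-01 count=850
smtp host=mail-01 count=9000
lockout host=ws-02 user=dave
"""

LINE_RE = re.compile(r"^(?P<kind>\w+)\s+host=(?P<host>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
COUNTERS = {"av": "av", "ids": "scans", "lockout": "lockouts"}  # event -> counter
THRESHOLDS = {"lockouts": 3, "scans": 2, "smtp": 500}  # assumed; tune to baseline
MAIL_RELAYS = {"mail-01"}  # hosts expected to send bulk mail (constructed)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("kind"), m.group("host"), dict(KV_RE.findall(m.group("rest")))


def collect(lines):
    """Aggregate raw indicator counters per host."""
    stats = defaultdict(lambda: {"av": 0, "scans": 0, "lockouts": 0, "smtp": 0})
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, host, fields = parsed
        if kind in COUNTERS:
            stats[host][COUNTERS[kind]] += 1
        elif kind == "smtp":
            stats[host]["smtp"] += int(fields.get("count", 0))
    return stats


def score_hosts(lines):
    """Return {host: [indicators]} for hosts that trip at least one threshold,
    most indicators first, so the crisis cell can prioritise triage."""
    findings = {}
    for host, s in collect(lines).items():
        hits = []
        if s["av"]:
            hits.append("av-detection")
        if s["scans"] >= THRESHOLDS["scans"]:
            hits.append("lateral-scan")
        if s["lockouts"] >= THRESHOLDS["lockouts"]:
            hits.append("account-lockouts")
        if s["smtp"] >= THRESHOLDS["smtp"] and host not in MAIL_RELAYS:
            hits.append("mail-burst")
        if hits:
            findings[host] = hits
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))
```

A single indicator (one lockout on ws-02, bulk mail from the known relay) does not surface a host; the point of correlating several sources is that the worm-infected ws-01 stands out on every one of them.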
Incident Handling
• Identification & Initial Response
• Identify the infection
– Analyze the symptoms to identify the worm, its propagation vectors and countermeasures.
– Leads can be found from:
• CERT bulletins, external support contacts (antivirus companies, etc.), security websites (Secunia, SecurityFocus, etc.)
– Notify the Chief Information Security Officer.
– Contact your CERT if required.
Incident Handling
• Identification & Initial Response
• Assess the perimeter of the infection
– Define the boundaries of the infection
– Identify the business impact of the infection if possible
Incident Handling
• Containment
1. Disconnect the infected area from the Internet.
2. Isolate the infected area. Disconnect it from any network.
3. If business-critical traffic cannot be disconnected, allow it after ensuring that it cannot be an infection vector, or find validated circumvention techniques.
Incident Handling
• Containment
4. Neutralize the propagation vectors. A propagation vector can be anything from network traffic to a software flaw. Relevant countermeasures have to be applied (patch, traffic blocking, disabling devices, etc.). For example, the following techniques can be used:
– Patch deployment tools
– Windows GPO
– Firewall rules
– Operational procedures
Repeat steps 2 to 4 on each sub-area of the infected area until the worm stops spreading.
Incident Handling
• Remediation
• The following resources should be considered:
– Vendor fixes (Microsoft, Oracle, etc.)
– Antivirus signature database
– External support contacts
– Security websites
• Test the disinfection process and make sure that it works properly without damaging any service.
Incident Handling
• Recovery
• Reopen the network traffic that was used as a propagation method by the worm.
• Reconnect sub-areas together.
• Reconnect the mobile laptops to the area.
• Reconnect the area to your local network.
• Reconnect the area to the Internet.
• All of these steps shall be performed step by step, with technical monitoring enforced by the crisis team.
Incident Handling
• Follow-up
• Report: A crisis report should be written and made available to all of the actors of the crisis management cell. The following themes should be described:
– Initial cause of the infection
– Actions and timelines of every important event
– What went right
– What went wrong
– Incident cost
Incident Handling
• Resources & Lab
– https://www.enisa.europa.eu/activities/cert/training/training-resources/setting-up-a-cert#triage-and-basic-incident-handling
– https://www.enisa.europa.eu/activities/cert/training/training-resources/setting-up-a-cert#incident-handling-procedure-testing
Incident Handling
• Certification
– GCIH (SANS - Certified Incident Handler)
– GCIA (SANS - Certified Intrusion Analyst)
– C)IHE (mile2 - Certified Incident Handling Engineer)
– ECIH (EC-Council - Certified Incident Handler)
Incident Handling
• Book recommendation
– Blue Team Handbook: Incident Response Edition
– The Computer Incident Response Planning Handbook
– Computer Incident Response and Forensics Team Management
InfoSec Trend: Cyber Forensic
- Network Forensic Expert
- Computer Forensic Expert
- Cyber Forensic Investigator
Network Forensics
• Two types of Network Forensics
1. Flow based
2. Packet based
Network Forensics
• Flow-based network security analysis centers around the concept of a network flow/traffic instead of each packet.
• A flow record is a summarized indicator that a certain network flow took place and that two hosts have communicated with each other at some point in the past.
• NetFlow is like a phone bill
– You know who called whom, but not what was said
Network Forensics
• Packet-based network security analysis, unlike flow-based solutions, does not rely on third-party components to generate meta or summary information of the network traffic.
• Instead, all analysis is entirely based on actually observed raw packets, as they traverse the network links. It focuses on each packet or a group of packets.
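To make the flow-versus-packet distinction concrete, here is an added example (not from the original slides or from any tool named on them) that parses constructed raw IPv4/TCP packets and summarises them into NetFlow-style 5-tuple records, counting bytes and OR-ing TCP flags while discarding the payload. The packets are built inline without a link-layer header and with checksums left as zero, an assumption made to keep the example short.

```python
import socket
import struct
from collections import OrderedDict

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums left as zero on purpose)."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(pkt):
    """Return (src, dst, sport, dport, proto, tcp_flags, length), or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != 6:            # only TCP carries ports and flags in this example
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    flags = pkt[ihl + 13]
    return src, dst, sport, dport, proto, flags, len(pkt)


def aggregate_flows(packets):
    """packets: iterable of (timestamp, raw_ipv4_bytes) -> {5-tuple: flow record}.

    Payload bytes are counted but never stored: that is exactly what a flow
    record keeps and what it throws away (the "phone bill" view)."""
    flows = OrderedDict()
    for ts, raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, proto, flags, length = parsed
        key = (src, dst, sport, dport, proto)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "flags": 0,
                                     "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += length
        rec["flags"] |= flags      # cumulative OR, as NetFlow v5 records it
        rec["last"] = ts
    return flows


# Constructed trace: handshake, one 100-byte data segment, then FIN.
SAMPLE_PACKETS = [
    (1.0, build_packet("10.0.0.5", "10.0.0.9", 50000, 445, SYN)),
    (1.1, build_packet("10.0.0.9", "10.0.0.5", 445, 50000, SYN | ACK)),
    (1.2, build_packet("10.0.0.5", "10.0.0.9", 50000, 445, ACK)),
    (1.3, build_packet("10.0.0.5", "10.0.0.9", 50000, 445, PSH | ACK, b"A" * 100)),
    (2.0, build_packet("10.0.0.5", "10.0.0.9", 50000, 445, FIN | ACK)),
]
```

The five packets collapse into two unidirectional records (one per direction), and the 100 bytes of payload survive only as a byte count, which is why flow data answers "who talked to whom on port 445" but not "what was sent".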
Network Forensics
[Figure: NetFlow record fields (Source IP, Dest IP, Source Port, Dest Port, Protocol, Time Info, TCP Flags, Byte Info, Packet Info, ICMP Info) compared with a pcap, which keeps every packet's header and payload]
Network Forensics
• Some useful tools
– Argus
– Tcpdump
– Snort
– Chopshop
Network Forensics
• Argus
– Converting pcap to NetFlow:
• argus -r packet.pcap -w packet.argus
• Chopshop
– http://www.github.com/MITRECND/chopshop
– MITRE-developed packet framework
Network Forensics
• Sample Case Study
– Forensics on Gh0st RAT
Network Forensics
• Detect in Wireshark
• Detect with custom Snort rules
• Decode with Chopshop
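A minimal decoder for the Gh0st framing that the case study decodes with Chopshop, written here as an added example rather than taken from the slides or from Chopshop itself. It assumes the classic, publicly documented layout: a 5-byte magic (b"Gh0st" in the original family; variants substitute other bytes), a little-endian 32-bit total frame length that includes the 13-byte header, a little-endian 32-bit decompressed length, then a zlib stream whose first byte is a command token. The sample stream and its token values are constructed.

```python
import struct
import zlib

HEADER_FMT = "<5sII"                       # magic, total frame length, decompressed length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13 bytes
MAGIC = b"Gh0st"                           # classic value; variants change these 5 bytes


def build_frame(body, magic=MAGIC):
    """Lay out one frame as the protocol does (used here only to construct test data)."""
    comp = zlib.compress(body)
    return struct.pack(HEADER_FMT, magic, HEADER_LEN + len(comp), len(body)) + comp


def looks_like_gh0st(data, magic=MAGIC):
    """Cheap first-bytes signature check, the kind of predicate an IDS rule encodes:
    known magic, sane length field, and a zlib stream (CMF byte 0x78) right after."""
    if len(data) < HEADER_LEN + 2:
        return False
    m, total, _ = struct.unpack_from(HEADER_FMT, data, 0)
    return m == magic and total >= HEADER_LEN and data[HEADER_LEN] == 0x78


def decode_stream(data, magic=MAGIC):
    """Split a reassembled TCP stream into frames -> (frames, leftover_bytes).

    Parsing stops at the first truncated or malformed frame; the unparsed tail is
    returned so a caller feeding the stream incrementally can retry with more data."""
    frames, pos = [], 0
    while len(data) - pos >= HEADER_LEN:
        m, total, raw_len = struct.unpack_from(HEADER_FMT, data, pos)
        if m != magic or total < HEADER_LEN:
            break                                  # not a frame at this offset
        if len(data) - pos < total:
            break                                  # truncated: need more bytes
        try:
            body = zlib.decompress(data[pos + HEADER_LEN:pos + total])
        except zlib.error:
            break                                  # corrupt or not really zlib
        if len(body) != raw_len:
            break                                  # length field disagrees: corrupt
        frames.append({"token": body[0] if body else None, "body": body, "size": total})
        pos += total
    return frames, data[pos:]


# Constructed two-frame stream; token values 0x01/0x02 are made up, not the real enum.
SAMPLE_STREAM = (build_frame(b"\x01ENG-USTXHOU-148\x00Windows XP SP3")
                 + build_frame(b"\x02heartbeat"))
```

Checking the decompressed length against the header's claim, and refusing to trust a length field larger than the bytes in hand, is what keeps a decoder like this from being crashed by a malformed or truncated capture.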
Network Forensics
• Resources
– Collection of pcaps for forensics practice
– http://www.netresec.com/?page=PcapFiles
Computer Forensic
• Identification
• Extraction
• Documentation
• Preservation
Cyber Forensic
• Key Responsibilities
– Receive, evaluate and initiate the processing of cyber forensic investigations
– Search and seizure of physical and logical evidence
– Imaging of hard disk drives, memory and other digital storage media
– Network packet capture and analysis
– Provision of reports and statements
Computer Forensic
[Figure: forensic process from the Scene of Crime to the Forensics Lab: Identification, Seizure, Acquisition, Authentication, Analysis, Preservation, Presentation]
Computer Forensic
What to carry?
• Note pad, sketch pads, labels…
• Blank CD/DVD
• Pen drives
• Camera
Computer Forensics
Storage Container: anti-static bags, plastic bubble wrap
Computer Forensics
Write Blocker: A forensic disk controller or hardware write-block device is a specialized type of computer hard disk controller made for the purpose of gaining read-only access to computer hard drives without the risk of damaging the drive's contents.
Computer Forensics
• Forensic steps: Scene of Crime
– Back up volatile data (RAM, routers, etc.)
– Photograph and video the scene of crime
– Identify digital storage media
– Draw the network topology
Computer Forensics
Questions to be asked:
• Login details
– Username
– Passwords
• Encryption
• Files of interest
• E-mail accounts
• Internet Service Providers
• Off-site storage
• Hidden storage devices
Computer Forensics
Labeling:
Computer Forensics
Seizure:
• Seizure is the process of capturing the suspect computer or storage media for evidence collection.
• The case-related reference documents should also be seized from the crime scene.
Computer Forensics
Seizure Example:
• In case of Economic Crime:
– Account book details
– Passbook details
– Bank transaction details
– ATM credit/debit card details, etc.
Computer Forensics
Seizure Example:
• In case of Forged Documents:
– Academic certificates
– Bill receipts
– Passport
– Legal property papers, etc.
Computer Forensics
Packing and Transportation:
• Properly document and label the evidence before packaging.
• Use anti-static wrap or bubble wrap for magnetic media.
• Avoid folding, bending or scratching the computer media.
Computer Forensics
Packing and Transportation:
• While transporting, place the computer securely on the floor of the vehicle where the ride is smooth.
• Avoid radio transmissions, electromagnetic emissions and moisture in the vicinity of digital evidence.
Computer Forensics
Acquisition:
• Use of write blocker devices
• Thumbscrew
• FastBloc
• Tableau
Computer Forensics
Acquisition:
• Acquisition is making a forensic duplicate copy of the suspect storage media.
• A forensic duplicate is a file that contains every bit of information from the source disk.
• It is made using software or hardware.
Computer Forensics
Acquisition:
• Using a software tool requires a hardware write blocker at the source end.
– Hardware: FastBloc FE, Tableau
– Software: EnCase, FTK Imager
Computer Forensics
Authentication:
• Hash value
– Verifies the integrity of the forensic duplicate.
– Also known as a message digest or fingerprint; it is basically a digital signature of the image.
Computer Forensics
Analysis:
• The process of searching for crime-relevant data and extracting it.
• The analyst has to search for data in:
– Deleted files, unallocated space, log entries, system files, cookies, slack space, free space, registry entries, printer spool files, keywords
Computer Forensics
Free Digital Forensics Tools
• SANS SIFT
• ProDiscover Basic
• Volatility
• The Sleuth Kit (+Autopsy)
• FTK Imager
• DEFT
Cyber Forensics
• Book Recommendation
– Guide to Computer Forensics and Investigations
– Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
– Digital Forensics with Open Source Tools
Cyber Forensics
• Certification
– CHFI (EC-Council)
– Certified Computer Forensics Examiner (CCFE) (IACRB)
– Global Information Assurance Certification Forensic Examiner (GCFE)
InfoSec Trend: Artifact Analysis
- Malware Analyst
- Reverse Engineering Specialist
Artifact Analysis
• Key responsibilities
– Perform Malware Analysis
– Perform Attack Analysis
Artifact Analysis
• Types of Malware Analysis
– Static Malware Analysis
– Dynamic Malware Analysis
Artifact Analysis
• Static Malware Analysis
– Dissecting the different resources of the binary file and studying each component.
– The binary file can also be disassembled (reverse engineered) using a disassembler such as IDA.
– A malware analyst can then make sense of the assembly instructions and form a picture of what the program is supposed to do.
Artifact Analysis
• Static Malware Analysis
– Some useful tools
• PEview
• Depends
• PEBrowse Pro
• Objdump
• IDA Pro
• Resource Hacker
• Strings
Artifact Analysis
• Dynamic Malware Analysis
– Watching and logging the behavior of the malware while it runs on the host. Virtual machines and sandboxes are extensively used for this type of analysis.
– The malware is debugged while running, using a debugger such as GDB or WinDbg, to watch its behavior step by step as its instructions are processed by the processor and to see their live effects on RAM.
Artifact Analysis
• Dynamic Malware Analysis
– Some useful tools
• Sysinternals Suite
• Process Explorer
• Regshot
• UN-Pack
• OllyDbg
• Port Explorer
Artifact Analysis
• Sample Case Study
– Memory analysis on Gh0st RAT (continuation of the Network Forensics case study)
Artifact Analysis
• The C2 client at 58.64.132.141 was communicating with 172.16.150.20, whose local host name was ENG-USTXHOU-148.
• Loading the memdump.bin file into Volatility's imageinfo module confirms what we saw in the Gh0st data: this machine is running Windows XP Service Pack 3.
Artifact Analysis
• Taking a look at the output of connscan.
• The output of pstree shows that the process with PID 1024 is svchost.exe.
• Dig into svchost a little more by running the dlllist module against it.
• There is an abnormal DLL named 6to4ex.dll listed.
• Dump the suspect file out using the dlldump module.
• Get the MD5 of the file and search VirusTotal to see if it has seen this before.
• How did this machine become compromised in the first place?
strings memdump.bin | grep -C 30 58.64.132.141
Artifact Analysis
• Analysis Environment
– Santoku (https://santoku-linux.com/)
• A platform for mobile forensics, mobile malware analysis and mobile application security assessment.
– REMnux (https://remnux.org/)
• A Linux toolkit for reverse-engineering and analyzing malware
Artifact Analysis
• Book Recommendation
– Malware Analyst's Cookbook
– Practical Malware Analysis
Reverse Engineering
• Need to be familiar with IDA Pro/Free and OllyDbg
• Focus on a single architecture initially: x86, x86_64, or ARM
• Try some crackme exercises (http://www.crackmes.de/)
Reverse Engineering
• Book recommendations
– Practical Reverse Engineering
– Reversing: Secrets of Reverse Engineering
– The IDA Pro Book
Artifact Analysis
• Resources
– http://www.opensecuritytraining.info/MalwareDynamicAnalysis.html
– http://www.opensecuritytraining.info/LifeOfBinaries.html
– http://www.opensecuritytraining.info/ReverseEngineeringMalware.html
Artifact Analysis
• Certification
– CREA: Certified Reverse Engineering Analyst (IACRB)
– GREM: GIAC Malware Analysis Certification (SANS FOR610)
InfoSec Trend: Security Analysis
- Penetration Tester
- Vulnerability Researcher
- Application Security Expert
- Mobile App Security Expert
Vulnerability Assessment
• Key Responsibilities
– Perform application and infrastructure penetration tests, as well as physical security reviews and social engineering tests for our global clients
– Review and define requirements for information security solutions
– Participate in security assessments of networks, systems and applications
Vulnerability Research
• Go through reverse engineering before jumping into it.
• For starters: stack overflows, heap overflows, and format string bugs.
• Practice bypassing SEH, ASLR, DEP, etc.
Vulnerability Research
• Some useful tools
– RATS - Rough Auditing Tool for Security
– RIPS - A static source code analyzer
– Immunity Debugger
– Burpsuite
– Peach Fuzzer
– Metasploit Framework
Vulnerability Research
• Sample Case Study
– Exploit EFS Software Easy Chat Server 2.2 (CVE-2004-2466)
Vulnerability Research
• First step: running Easy Chat on Win XP SP3
• Use Wireshark to make a fuzzer
• Fuzzer
• Attach the app with a debugger
• Run the fuzzer & check EIP
• EIP is not overwritten, so we check the SEH chain (Alt+S)
• We see it was overflowed with 41414141, which is the character A.
Vulnerability Research
• Structured Exception Handling (SEH) is a Windows mechanism for handling both hardware and software exceptions consistently.
• The concept is quite simple: try to execute a block of code and, if an error/exception occurs, do whatever the "except" block (aka the exception handler) says.
Vulnerability Research
• So to recap, we need the following for our basic SEH exploit:
– offset to Next SEH
– jump code for Next SEH to hop over SEH
– address for a usable POP+POP+RET instruction
– shellcode
Vulnerability Research
• Create a pattern & edit the fuzzer to find the exact location
• Check the SEH chain & EIP
• Find an appropriate memory location for an SEH bypass using the "!mona seh" command of Mona.py
• Generate the payload & add it to the fuzzer
• Our fuzzer is modified as:
Buffer += “A”*216 + [nSEH] + [SEH] + Payload
Rooted !!!
Security Analysis
• Book recommendations
– Hacking: The Art of Exploitation
– The Shellcoder's Handbook
– The Art of Software Security Assessment
Security Analysis
• Certification
– OSCP (Offensive Security Certified Professional)
– OSCE (Offensive Security Certified Expert)
– GPEN (GIAC Penetration Tester)
– GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
Security Analysis
• Resources
– http://www.opensecuritytraining.info/Exploits2.html
– http://www.opensecuritytraining.info/Exploits1.html
– http://www.opensecuritytraining.info/IntermediateX86.html
InfoSec Trend: Security Engineering
- Network Security Engineer
- Computer Security Engineer
- Security Architect
InfoSec Trend
• Responsibilities of Security Engineer
– Develop, review, and update information security policies, processes, guidelines and hardening standards.
– Develop and execute annual information security assessment plans.
– Develop and maintain the Information Security Risk Register.
– Perform network security operations for all related systems: firewalls, IDS/IPS, VPN, PKI, content security, SIEM, identity and authentication management systems, DLP etc.
InfoSec Trend
• Certification
– CCNA/CCNP (Security)
– CompTIA Security+
– ENSA (EC-Council)
– CISM
– CISA
InfoSec Trend: Policy Maker (CISO / InfoSec Manager / Director of InfoSec)
InfoSec Trend
• Responsibilities of CISO
– Establishing and implementing security-related policies.
– Overseeing regulatory compliance.
– Ensuring data privacy.
– Managing the company's CERT team.
– Supervising identity and access management.
– Establishing and overseeing the organization's security architecture.
– Conducting electronic discovery and digital forensic investigations.
– Working with other high-level executives to establish disaster recovery and business continuity plans.
InfoSec Trend
• Top Penetration Testing Methods
– ISSAF
• Information Systems Security Assessment Framework
– OSSTMM
• Open Source Security Testing Methodology Manual (ISECOM)
– OWASP
• Open Web Application Security Project
InfoSec Trend
• Certification
• CISSP
– Architecture (CISSP-ISSAP®)
– Engineering (CISSP-ISSEP®)
– Management (CISSP-ISSMP®)
• CISO (EC-Council)
• CISSO (mile2)
• PCI DSS
InfoSec Hall of Fame
• Bug Hunting
• CTF/Wargame
• CVE Disclosure
• Opensource InfoSec Tool Development
Bug hunting
• https://bugcrowd.com/
• https://hackerone.com
• https://technet.microsoft.com/en-us/security/dn425036
CTF & Wargame
• An introductory CTF like CSAW, PicoCTF, Microcorruption, or any of the other dozens available.
• CTF competitions archive (http://captf.com/)
CTF & Wargame
• Difficulty is subjective, based on your individual skill set.
• CTF competitions generally focus on the following skills: reverse engineering, cryptography, programming challenges, web vulnerabilities, binary exercises, networking, and forensics.
CTF & Wargame
• https://ctftime.org/
• http://captf.com/calendar/
Practice Lab
• https://www.vulnhub.com/
• https://exploit-exercises.com/
• http://captf.com/practice-ctf/
Conclusion
• CSOs and CISOs need to continually monitor the evolving threat landscape, and replace an "if we get hacked" mindset with a "when we get hacked" one.
• InfoSec is an art:
– Think outside the box
– Try harder
Thank You For Your Attention!