Threat Hunting Flashcards
(29 cards)
Threat Modeling
What kinds of questions should we ask ourselves?
- How can the attack be performed?
- What is the potential impact to the confidentiality, integrity, and availability of the data?
- How likely is the risk to occur?
- What mitigations are in place?
What is Threat Modeling?
The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system
You need to consider both the defender’s point of view and the attacker’s point of view
What is Adversary Capability?
A formal classification of the resources and expertise available to a threat actor
Types of capabilities
o Acquired and augmented
o Developed
o Advanced
o Integrated
What is an Attack Surface?
The point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
Areas to consider when modeling your attack surfaces
o The holistic network
o Websites or cloud-services
o Custom software applications
What is an Attack Vector?
A specific path by which a threat actor gains unauthorized access to a system
Types of Attack Vectors
o Cyber
o Human
o Physical
What is Threat Hunting?
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.
It is potentially less disruptive than penetration testing.
It is derived from threat modeling and focuses on the potential events with the highest likelihood and the highest impact.
Threat hunting relies on the tools developed for regular security monitoring and incident response.
While hunting you must assume that the existing detection rules have failed, so you go back to the raw evidence: analyze network traffic,
analyze the executable process list, analyze other infected hosts, and identify how the malicious process was executed.
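The card above says to analyze the executable process list and work out how a malicious process was executed. As an added example (not from the flashcards), the Python below hunts a constructed Windows process snapshot for three things a missed alert leaves behind: a document handler spawning a shell, an encoded PowerShell command line, and a system binary name running from the wrong directory. The process list, the expected-directory table and the process names are assumptions made for the example, not real telemetry.

```python
"""Added example: hunting a process snapshot for anomalous execution chains.

The snapshot is constructed (pid, ppid, image path, command line), in the shape
an EDR or Sysmon export gives. The hunt assumes the normal rules fired nothing
and asks the two questions the card asks: who started this process, and is its
image where that binary normally lives?
"""
from pathlib import PureWindowsPath

# Constructed sample snapshot of a Windows host (not real data).
SAMPLE_PROCESSES = [
    (4, 0, r"System", ""),
    (600, 4, r"C:\Windows\System32\smss.exe", "smss.exe"),
    (900, 600, r"C:\Windows\System32\services.exe", "services.exe"),
    (1100, 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (2000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (3100, 2000, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docx"),
    (3200, 3100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc SQBFAFgA"),
    (3300, 3200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc SQBFAFgA"),
    (4100, 900, r"C:\Users\Public\svchost.exe", "svchost.exe"),
]

# Document handlers normally never spawn a shell; when they do it is a macro or an exploit.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# System binaries that should only run from these directories (assumed whitelist).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
}


def basename(image):
    return PureWindowsPath(image).name.lower()


def dirname(image):
    return str(PureWindowsPath(image).parent).lower()


def hunt(processes):
    """Return (pid, finding) tuples for processes that look anomalous."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        name = basename(image)
        parent = by_pid.get(ppid)
        parent_name = basename(parent[2]) if parent else None

        # 1. How was it executed? Office -> shell is the classic macro chain.
        if name in SHELLS and parent_name in OFFICE_PARENTS:
            findings.append((pid, f"{parent_name} spawned {name}: {cmdline}"))

        # 2. Encoded PowerShell, whoever the parent is.
        if name in {"powershell.exe", "pwsh.exe"} and " -enc" in cmdline.lower():
            findings.append((pid, "encoded PowerShell command line"))

        # 3. Masquerading: a system binary name running from the wrong path.
        if name in EXPECTED_DIRS and dirname(image) not in EXPECTED_DIRS[name]:
            findings.append((pid, f"{name} running from {dirname(image)}"))
    return findings


def execution_chain(processes, pid):
    """Walk the parent links back to the root to show how pid was launched."""
    by_pid = {p[0]: p for p in processes}
    chain = []
    while pid in by_pid:
        proc = by_pid[pid]
        chain.append(basename(proc[2]))
        pid = proc[1]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_PROCESSES):
        print(pid, finding, "<-", " > ".join(execution_chain(SAMPLE_PROCESSES, pid)))
```

The parent chain is what turns a finding into a story: the encoded PowerShell alone could be an administrator's script, but "explorer > WINWORD > cmd > powershell -enc" is a user opening a document.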
What are the benefits of Threat Hunting?
▪ Improve detection capabilities
▪ Integrate intelligence
▪ Reduce attack surface
▪ Block attack vectors
▪ Identify critical assets
What is Open-Source Intelligence (OSINT)?
Publicly available information plus the tools used to aggregate and search it.
OSINT can allow an attacker to develop any number of strategies for compromising a target. Sources include publicly available information, social media, dating sites, HTML code,
and metadata.
Is metadata considered OSINT?
Yes. Document and image metadata (author and user names, software versions, internal file paths, GPS coordinates) is published together with the file, so it is as public as the file itself.
What is Google Hacking?
Open-source intelligence techniques that use Google search operators to locate vulnerable web servers and applications
What is the Google Hacking Database (GHDB)?
A database of search strings ("dorks") optimized for locating vulnerable websites and services
What is Shodan (shodan.io)?
A search engine optimized for identifying vulnerable Internet-attached devices
Google Hacking - search q:
What do quotes (" ") mean?
Use double quotes to specify an exact phrase and make a search more precise
Google Hacking - search q:
What does NOT mean?
Use the minus sign in front of a word or quoted phrase to exclude results that contain that string
Google Hacking - search q:
What does AND/OR mean?
Use these logical operators to require both search terms (AND) or to require either search term (OR)
Google Hacking - search q:
What does Scope mean?
Different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor
Google Hacking - search q:
What does URL Modifier mean?
Parameters that can be added to the results page URL to affect the results, such as:
&pws=0 do not give me personalized results
&filter=0 do not filter (collapse near-duplicate) results
&tbs=li:1 verbatim search: do not auto-correct or expand my search terms
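The operator cards above describe a small grammar: quoted phrases, a leading minus for exclusion, AND/OR, scope keywords such as site: and filetype:, and the URL modifiers. As an added example (not from the flashcards), the Python below parses a dork into those parts and builds the results URL with the three modifiers set. It uses only the standard library; the sample query is constructed, and the operator list includes a few documented Google operators (ext, intitle, inurl, intext) beyond the ones on the cards.

```python
"""Added example: a parser for Google "dork" syntax plus a results-URL builder.

Standard library only. The query strings are constructed for illustration; a
defender runs the same dorks with site: set to their own domain to find what is
exposed before an attacker does.
"""
import re
from urllib.parse import urlencode

# A token is either an optionally negated "quoted phrase" or a run of non-space characters.
TOKEN_RE = re.compile(r'-?"[^"]*"|\S+')

# Keywords that narrow the scope of the search rather than adding a search term.
SCOPE_OPERATORS = {"site", "filetype", "ext", "related", "intitle", "allintitle",
                   "inurl", "allinurl", "inanchor", "allinanchor", "intext", "allintext"}


def parse_dork(query):
    """Break a dork into phrases, excluded terms, scope operators and plain words.

    Scope operators come back as (operator, value, negated) tuples in query
    order. 'OR' is recorded as a flag: the default between terms is AND, and
    OR makes either neighbouring term sufficient.
    """
    parsed = {"phrases": [], "excluded": [], "scope": [], "words": [], "or": False}
    for token in TOKEN_RE.findall(query):
        negated = token.startswith("-") and len(token) > 1
        body = token[1:] if negated else token
        if body == "OR":
            parsed["or"] = True
        elif len(body) >= 2 and body[0] == body[-1] == '"':
            (parsed["excluded"] if negated else parsed["phrases"]).append(body[1:-1])
        elif ":" in body and body.split(":", 1)[0].lower() in SCOPE_OPERATORS:
            op, value = body.split(":", 1)
            parsed["scope"].append((op.lower(), value, negated))
        else:
            (parsed["excluded"] if negated else parsed["words"]).append(body)
    return parsed


def results_url(query, personalized=False, filtered=False, verbatim=True):
    """Build the results URL. pws=0 turns off personalisation, filter=0 stops
    near-duplicate results being collapsed, tbs=li:1 selects the 'verbatim'
    tool so the terms are matched literally with no auto-correction."""
    params = {"q": query}
    if not personalized:
        params["pws"] = "0"
    if not filtered:
        params["filter"] = "0"
    if verbatim:
        params["tbs"] = "li:1"
    # safe=":" keeps site:, filetype: and li:1 readable in the final URL.
    return "https://www.google.com/search?" + urlencode(params, safe=":")


if __name__ == "__main__":
    # Constructed example: directory listings of log files on one domain,
    # the way a defender would check their own site.
    dork = 'site:example.com "index of" filetype:log OR filetype:txt -inurl:archive'
    print(parse_dork(dork))
    print(results_url(dork))
```

The parser is deliberately strict about the minus sign: only a minus glued to the start of a term or phrase excludes it, which is also how Google reads it; a free-standing "-" is just a word.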
What is whois?
A public listing of registered domains and their registered administrators (registrant, contacts, registrar, creation and expiry dates). Contact details are often redacted or replaced by a privacy proxy today, so the registrar and dates are usually the most reliable fields.
What is a DNS Zone Transfer?
A method of replicating DNS databases across a set of DNS servers (the AXFR request) that is often abused during the reconnaissance phase of an attack.
If your DNS service is misconfigured, a zone transfer could be allowed to anyone, handing the attacker a complete list of your hostnames and addresses in one request.
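The check a defender wants for the card above is simply to ask their own authoritative nameserver for the zone and see whether it refuses. The command-line form is `dig axfr example.com @ns1.example.com`; as an added example (not from the flashcards) the Python below does the same over TCP with the standard library only, so the wire format is visible: an AXFR question is an ordinary DNS query with QTYPE 252, and a correctly restricted server answers RCODE 5 (REFUSED) with no records. The zone name, server and response bytes are constructed for the example; only run the live check against servers you are authorized to test. The fix is to restrict transfers to your secondary servers (for BIND, the allow-transfer option).

```python
"""Added example: check whether a nameserver allows an unrestricted zone transfer.

Standard library only. The constructed response bytes at the bottom exercise the
parser offline; zone_transfer_allowed() performs the real check on the network.
"""
import socket
import struct

QTYPE_AXFR = 252
TYPE_SOA = 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """'example.com' becomes the DNS label form: 7 'example' 3 'com' 0."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (no flags, one question) + zone name, QTYPE AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32:                  # refuse pointer loops from a hostile server
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2           # the name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return (rcode name, [(owner name, rtype), ...]) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                    # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen               # rdata is not needed for this check
        records.append((name, rtype))
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def zone_transfer_allowed(nameserver, zone, port=53, timeout=5.0):
    """Send AXFR over TCP. Returns (rcode, records): a restricted server answers
    REFUSED with no records; an open one streams the zone, SOA first and last."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # TCP messages are length-prefixed
        while soa_seen < 2:
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            rcode, recs = parse_response(_recv_exact(s, length))
            if rcode != "NOERROR" or not recs:
                return rcode, records
            records.extend(recs)
            soa_seen += sum(1 for _, rtype in recs if rtype == TYPE_SOA)
    return "NOERROR", records


def constructed_open_response():
    """Constructed bytes from an open server: SOA plus one A record (not real data)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
    soa = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, 24) + b"\xc0\x0c\xc0\x0c" + struct.pack("!IIIII", 1, 7200, 3600, 1209600, 3600)
    a = b"\x03www\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 5])
    return header + question + soa + a


def constructed_refused_response():
    """Constructed bytes from a restricted server: RCODE 5, no answers."""
    return struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)


if __name__ == "__main__":
    import sys
    print(zone_transfer_allowed(sys.argv[1], sys.argv[2]))   # e.g. ns1.example.com example.com
```

Two things in the parser matter beyond this check: names in responses are compressed with back-pointers, so a naive parser that does not follow them returns garbage, and a hostile server can point a name at itself, which is why the hop counter is there.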
What is DNS Harvesting?
Using Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on.
What is Website Harvesting?
A technique used to copy the source code of website files to analyze for information and vulnerabilities
What is AbuseIPDB?
A community-driven database that keeps track of IP addresses reported for abusive behavior.
The information in AbuseIPDB is not considered to be 100% reliable
- It's important to combine AbuseIPDB with other security measures and your own evidence before acting on a report
- This database is constantly being updated with new information
What are the Benefits of AbuseIPDB?
- It enables the organization to take a proactive approach to its cybersecurity
- The database is constantly being updated with new information from a global community of users
- The organization can also use AbuseIPDB to check the IP addresses in its logs for any suspicious activity
- Individuals can also benefit by using this database
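The two AbuseIPDB cards above make one practical point: the reputation score is useful for checking the addresses in your logs, but it is not reliable enough to act on by itself. As an added example (not from the flashcards), the Python below correlates constructed sshd log lines with a constructed reputation table in the shape of AbuseIPDB's check response (abuseConfidenceScore, totalReports) and escalates an address only when the reputation and the local evidence agree. The log lines, scores and thresholds are all assumptions made for the example.

```python
"""Added example: correlate authentication logs with IP reputation data.

Both inputs are constructed. The reputation table mimics AbuseIPDB fields but
is hard-coded here instead of fetched from the API, and 192.0.2.55 is
deliberately a false positive: a high score but a user who logs in fine.
"""
import re
from collections import defaultdict

# Constructed sshd-style log lines (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51422 ssh2
Mar 10 08:01:14 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51430 ssh2
Mar 10 08:01:16 bastion sshd[2211]: Failed password for admin from 203.0.113.7 port 51441 ssh2
Mar 10 08:01:19 bastion sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51450 ssh2
Mar 10 08:02:03 bastion sshd[2230]: Accepted publickey for deploy from 198.51.100.20 port 40210 ssh2
Mar 10 08:03:41 bastion sshd[2241]: Failed password for alice from 192.0.2.55 port 33301 ssh2
Mar 10 08:03:50 bastion sshd[2241]: Accepted password for alice from 192.0.2.55 port 33301 ssh2
"""

# Constructed lookups in the shape of an AbuseIPDB /check response.
REPUTATION = {
    "203.0.113.7": {"abuseConfidenceScore": 100, "totalReports": 412},
    "198.51.100.20": {"abuseConfidenceScore": 0, "totalReports": 0},
    "192.0.2.55": {"abuseConfidenceScore": 85, "totalReports": 12},
}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def summarize(log_text):
    """Per source IP: failed logins, accepted logins and the distinct user names tried."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["failed" if m["outcome"] == "Failed" else "accepted"] += 1
        s["users"].add(m["user"])
    return stats


def triage(log_text, reputation, score_threshold=75, fail_threshold=3):
    """Return {ip: verdict}. The score is one signal, not the decision:
    block only when the local evidence corroborates it."""
    verdicts = {}
    for ip, s in summarize(log_text).items():
        score = reputation.get(ip, {}).get("abuseConfidenceScore", 0)
        bad_rep = score >= score_threshold
        brute_force = s["failed"] >= fail_threshold
        if bad_rep and brute_force:
            verdicts[ip] = "block"
        elif bad_rep or brute_force:
            verdicts[ip] = "investigate"   # one signal: a stale report or a user's typo
        else:
            verdicts[ip] = "ignore"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, REPUTATION).items():
        print(f"{ip:16} {verdict}")
```

With the constructed data, 203.0.113.7 is blocked (four failures across three user names plus a score of 100), 192.0.2.55 is only queued for investigation despite its score because its one failure was followed by a successful login, and the address with no reputation and no failures is ignored.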
What is the Deep Web?
The part of the Internet that is not easily accessible through traditional search engines.
The portion of the Internet not indexed by search engines, which includes private databases, subscription-based websites, and other content that is not publicly accessible,
such as university library databases and government record searches.
Its usage is legal.
The deep web can contain sensitive information that is not meant to be searchable by the general public.
It can be used as a source of information to gather intelligence on potential threats.