Author: Jon Jepma

MITRE TryHackMe Write-up

Posted on by Jon Jepma

 

This is a Write up for the MITRE Room Created by heavenraiza

 

TASK 1 & 2 are simple click and complete tasks

 

TASK 3

Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)

 

Question 2: we need to head over to https://attack.mitre.org/

*Keep in mind it mentions to start your research on the Phishing page

 

Question 3: is found under the Mitigations section on the Phishing page

 

Question 4: can be found under the Detection section of this same page

 

Question 5: Is located on the same page near the top

 

Question 6: click on the Groups link to learn more about them and the information is located under

Associated Group Descriptions

 

Question 7: is located under the Software Section

 

Question 8: is found when we click the hyperlink for PsExec we are led to a page about the tool and who has been known to use it and this will help us answer this question.

 

Question 9: Click on the FIN5 Group hyperlink to be taken to their page to find the next answers

 

Question 10: This located under the software section where we learn that the Windows Credential Editor is used by FIN5

 

And here is our TASK 3 Recap

 

Task 4

Question 1: Splunk search is pseudo

 

Question 2: Head to https://attack.mitre.org/ and click on the search icon on the top right and enter TA0003, if we click on the first link we are then taken to What type of Tactic this is.

 

Question 3: Head to https://car.mitre.org/ and I searched for Zeek

 

Question 4: Head to https://car.mitre.org/analytics/ and I searched for hash ( only 3 results )

 

Question 5: There is a section for Test Cases located on the same page

TASK 4 Recap

 

TASK 5

Question 1 & 2: we need to go tohttps://shield.mitre.org/ > Matrix > this lists all the techniques and we see that Detect has the most.

 

Question 3: all we need to do is a quick search from the search bar shows that DTE0011 is Decoy Content >

 

Question 4: involves continuing your search from the DTE0011

 

Question 5: https://shield.mitre.org/attack_mapping/mapping_all > get here by using the navigation bar and clicking Att&ck Mapping > Overview > then a few lines down there is a hyperlink for the complete mapping.

 

Task 5 Recap

 

TASK 6

Question 1: Click the APT3 hyperlink they provided in the room to find this answer

 

Question 2: This can be located viahttps://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf > Phase 2 > Persistence | utilize the table of contents to find this easily!

 

Question 3: This can be found by reading the First Scenario section viahttps://attackevals.mitre-engenuity.org/APT29/operational-flow 

 

Question 4: This can be found by reading the Second Scenario section viahttps://attackevals.mitre-engenuity.org/APT29/operational-flow 

Task 6 Recap

 

TASK7

Question 1 & 2: We need to head back to MITRE and use the navigation bar to search groups ( or here is a link https://attack.mitre.org/groups/ ) a search on the page for Aviation reveals that APT33 is the group who may target us in this scenario

Question 3: Go to the APT33 Group page https://attack.mitre.org/groups/G0064/ > scroll to software

 

Question 4: If we Take a look at what Techniques they use under T1078.004 we find the information below to help us find this answer

 

Question 5: Further on this page we have a Detection writeup that we can use.

 

Question 6: On the top right of the page we will find the ID information to finish up this room!

Task 7 Recap

 

Thanks for stopping by and I hope this is able to help you complete any tasks/questions that were proving difficult to find!

 

 

CISSP Domain 1 Study notes and Resources

Posted on by Jon Jepma

CISSP Domain 1 Study notes and Resources

Security Governance

CIA / DAD

(insert photo)               

 

Parkerian Hexad

(insert photo)

 

Confidentiality

Integrity

Availability

Authenticity

Utility

Possession or Control

 

Confidentiality Terms

sensitivity – The Level of damage or harm that could occur if the asset is revealed or disclosed.

Discretion – The ability for a person to control the level of access to, or disclosure of and asset.

Criticality – The level of importance of an asset to the mission or objective.

Concealment – The act of hiding or preventing disclosure of an asset.

Secrecy – The practice of preventing or limiting information disclosure.

Privacy – The protection of confidential or personal information.

Seclusion – The act of storing something in a location that is out of the way and thus not easily observed or found.

Isolation – The act of keeping something separate from other things that are similar in nature.

 

Integrity Terms

Accuracy – The degree to which the data is correct and precise.

Truthfulness – The quality of a source of information being factual and realistic.

Validity – The quality of an asset being genuine.

Accountability – The condition of a person or entity being held responsible for their actions.

Responsibility – The obligation of a person or entity to take ownership or components.

Completeness – The quality of an asset that has all its necessary parts or components.

Comprehensiveness – The quality of an asset being complete in scope, and fully inclusive or all relevant elements.

 

Availability Terms

Usability – Learned, understood, utilized or controlled by a subject

Accessibility – Under a wide range of circumstances an asset can be used by a subject regardless of capabilities or limitations.

Timeliness – Asset ( for example information ) needs to be prompt and available within a reasonable frame of time with low latency.

 

Auditing and Accounting

  • Auditing – internal process of providing a manual or systematic, measurable technical assessment of a system or application
  • Accounting – logging of access and use of information resources.
  • Accountability – tracing actions to the source
  • Non-Repudiation – the assurance that an action taken cannot be denied
  • Identification – Claiming an identity – ie username
  • Authentication – Proving your identity – ie password, fingerprint, pin number
  • Authorization – What are you allowed to do / have access to after you are Authenticated

 

Security Terms – P4 and P5

Asset – Anything of Value

Threat – event or action that could potentially cause damage to an asset or an interruption of service.

Threat Actor – Person/group or other entity that could potentially damage attack or compromise a system resource.

  • ||| Finish this section |||

 

IT Governance Institutewww.itgi.org

 

Security Control Frameworks

 

ISO/IEC 27000 Series

  • Security program Development standard on developing and maintaining an Information Security Management System (ISMS)
  • 27000:2018 – Overview of ISMSs and vocabulary
  • 27001:2013 – ISMS Requirements
  • 27002:2013 – Code of Practice for IS controls
  • 27003:2017 – Guidance on the requirements for an ISMS
  • 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines

 

Zachman Framework

  • Six Communications Questions
  • What
  • Where
  • When
  • Why
  • Who
  • How
  • Perspectives
    • Executive
    • Business Management
    • Architect
    • Engineer
    • Technician
    • Enterprise

 

TOGAF – The open architecture group framework

  • Technology
  • Applications
  • Data
  • Business

 

DoDAF – Department of Defense Architecture Framework

  • AV – All Viewpoint
  • CV – Capability Viewpoint
  • DIV = Data and Information Viewpoint
  • OV – Operation ViewPoint
  • PV – Project Viewpoint
  • SvcV – Services Viewpoint
  • STDV – Standards Viewpoint
  • SV – Sytems Viewpoint

 

MODAF

  • Strategic StV
  • Operational OV
  • Service-Oriented SOV
  • Systems Viewpoint SV
  • Acquisition AcV
  • Technical TV
  • All Viewpoint AV

 

SABSA

  • Sherwood Applied Business Security Architecture

(insert photo)

 

COBIT – Control Objectives for Information and Related Technology

  • Five Principles

o             Meeting Stakeholder Needs

o             Covering the Enterprise end-to-end

o             Applying a single integrated framework

o             Enabling a holistic approach

o             Separating governance from management

  • Seven Enablers

o             Principles, Policies, and frameworks

o             Processes

o             Organization Structures

o             Culture, Ethics, and behavior

o             Information

  • Services, infrastructure, and applications
  • People, skills, and competencies

 

 

 

 

NIST – National Institute of Standards and Technology – 800 Special Publication Series

 

HITRUST CSF (Common Security Framework)

  • 14 control categories

o             0.0: Information Security Management Program

o             1.0: Access Control

o             2.0: Human Resources Security

o             3.0: Risk Management

o             4.0: Security Policy

o             5.0: Organization of Information Security

o             6.0: Compliance

o             7.0: Asset Management

o             8.0: Physical and Environmental Security

o             9.0: Communications and Operations Management

o             10.0: Information Systems Acquisition, Development, and Maintenance

o             11.0: Information Security Incident Management

o             12.0: Business Continuity Management

o             13.0: Privacy Practices

 

 

Center for Internet Security – CIS – Critical Security Controls

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous vulnerability management
  4. Controlled use of administrative privileges
  5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
  6. Maintenance, monitoring, and analysis of audit logs
  7. Email and web browser protections
  8. Malware defenses
  9. Limitation and control of network ports, protocols, and services
  10. Data recovery capabilities
  11. Secure configurations for network devices, such as firewalls, routers, and Switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on the need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Implement a security awareness training program
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises

 

 

COSO – Committee of Sponsoring Organizations of the Treadway Commission Framework

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and communication
  • Monitoring Activities

 

OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation

(insert photo)

 

ITIL – Information Technology Infrastructure Library

  • These certifications are GREAT add-ons for CISSP
  • Currently at v4

 

Six Sigma

(insert photo) and example

 

CMMI – Capability Maturity Model Integration

 

CRAMM – CCTA Risk Analysis and Management Method

  • Qualitative Risk Analysis Management tool
  • Three Steps
  • Identify and Value Assets
  • Identify threats and vulnerabilities and calculate risks
  • Identify and prioritize countermeasures

 

 

Due Care vs Due Diligence

[write definitions]

https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/due-care-vs-due-diligence/

 

Major Legal Systems

  • Civil Code Law
    • Napoleonic
  • Common Law
    • Criminal Law
    • Civil Tort Law
    • Administrative Law
  • Customary Law
  • Religious
  • Mixed

 

US Information Privacy Law – page 19  

  • FERPA
  • ECPA
  • HIPAA
  • GLBA
    COPPA
  • USA PATIOT Act
    • USA Freedom Act
  • SOX
  • FCRA

 

Licensing and Intellectual Property

Patents

Trademarks

Copyright

Trade Secrets

2 Issues

  • Piracy / Licensing
  • DRM – Digital Rights Management

 

 

CCCA – Comprehensive Crime Control Act of 1984

 

CFAA – Computer Fraud and Abuse Act – 1986

Raised threshold of damage from $1000 to $5000

  • Any computer used exclusively by the US gov
  • Any computer used exclusively by a financial institution
  • Any computer .., when the offense impedes the ability of the gov or inst. To use that system
  • Any combination of computers used to commit an offense when they are not all located in the same state
  • Amended in 1986, 1994 (Computer Abuse Amendments), 1996, 2001, 2002, 2008

 

Federal Sentencing Guidelines

  • Formalized the Prudent Man Rule
  • Minimize punishment by demonstrating due diligence
  • Three burdens of proof for negligence
    • Legally recognized obligation
    • Failed to comply with recognized standards
    • Causal relationship between the negligent act and damages

 

National Information Infrastructure Protection Act of 1996 -NIIPA

                Set of amendments to CFAA

 

 

FISMA – Federal Information Security Management Act – 2002

Replaced and Repealed

  • Computer Security Act of 1987 (CSA)
  • GISRA – General Information Security Reform Act of 2000

 

FISMA – Federal Information Systems Modernization Act – 2014

 

Cybersecurity Enhancement Act – 2014

                NIST SP 800-53

                NIST SP 800-171

                NIST CSF

National Cybersecurity Protection Act – 2014

 

Risk Terminology

  • Asset
  • Asset Valuation
  • Threats
    • Threat Agent – usually people – intentional
    • Threat Event – Accidental (but could be intentional)
  • Vulnerability
  • Exposure
  • Risk
    • Risk = threat * vulnerability
  • Safeguard
  • Attack
  • Breach

 

Quantitative Risk Analysis

 

AV – Asset Value

EF – Exposure Factor

SLE – Single Loss Expectancy

ARO- Annualized Rate of Occurrence

ALE – Annualized Loss Expectancy

 

Single Loss Expectancy

SLE = AV x EF

SLE = $20,000 X 25%

SLE = 20000 x .25 = 5000

SLE = $5,000

 

Annualized Loss Expectancy

ALE = SLE x ARO

ALE = 5000 x .5 = 2500

ALE= $2,500

 

Value of the Safeguard

(ALE before Safeguard) – (ALE After Safeguard) – (Annual Cost of the Safeguard) = Value of Safeguard

 

(ALE1 – ALE2) – ACS = Cost Benefit / Value

(2500 – 500) – 1000 = 1000

 

Residual Risk = Inherent Risk – Countermeasures

Residual Risk = Total Risk x Controls gap

Residual risk = total risk – security controls

 

A Great Resource for Risk Analysis by Thor – https://thorteaches.com/cissp-certification-quantitative-risk-analysis/