Not in alphabetical order. Updated regularly. Search with CTRL+F
- Amateurs – Also known as script kiddies. Little or no skills. Use pre-made programs or scripts to create chaos or show off skills.
- Hacktivists – Driven by political, religious or ideological purposes. Usually destroys, corrupts or steals data, but not for financial gain.
- Criminals – Traditional criminals. Driven by financial gain. ”It’s just business”.
- Nation states – Or criminal organisations paid by nation states. State-sponsored cyberespionage or cyberwarfare.
- Vulnerability brokers – Refers to grey hat hackers who attempt to discover exploits and report them to vendors or companies, sometimes for prizes or rewards.
- Black hats – Criminal hackers. Extremely unethical. For financial gain. Usually don’t distinguish between victims, this is why hospitals and other sensitive functions are sometimes their target.
- Gray hats – Usually hack organisations in a criminal and unethical way but later reveal their findings publicly or directly to the company so that security can be improved. Are sometimes rewarded financially for their findings.
- White hats – Ethical hacker. Often working for security companies.
- Red Team – Offensive.
- Blue Team – Defensive. Most common.
- Purple Team – SOC (Security Operation Center)
- Botnet – A network of infected computers controlled as a group
- C&C – Command and Control server. Often used to describe the node or controlling computer in botnets.
SOC – Security Operations Centre
Roles in the SOC:
- Tier 1 – Monitor incidents, open tickets, basic threat mitigation
- Tier 2 – Deep investigation
- Tier 3 – In-depth knowledge, threat hunting, preventive measures
- SOC manager – SOC admin overseeing operations.
- Dwell Time –
- Mean Time to Detect (MTTD) –
- Mean Time to Respond (MTTR) –
- Mean Time to Contain (MTTC) –
- Time to Control –
PDU = Protocol Data Units
- Data = PDU at application layer
- Segment = PDU at transport layer
- TCP = Segments
- UDP = Datagram
- Packet = PDU at network layer
- Frame = PDU at data link layer
- Bits = PDU at physical layer
Confidentiality – Ensures that data is hidden per default and only accessible to authorized users. This is enforced via encryption when stored, transferred or processed.
Integrity – Ensures accuracy and completeness of data when stored, transferred or processed. Integrity makes sure that data has not been modified or omitted. Is enforced through hashes.
Availability – Ensures that data is available when required. Availability is enforced through redundancy and load balancing with multiple servers and several connections, e.g. multiple incoming fiber connections.
Asset – Anything of value to an organisation: computers, servers, network. The greatest asset is usually data like company secrets and customer information.
Vulnerability – Weaknesses in a system that threat actors can take advantage of.
Threat – Any potential danger to an asset.
How network security should be designed. Layered. The threat actor needs to penetrate every layer to get to the protected asset.
This design benefits the threat actor. Only some leaves need to be removed/penetrated for the threat actor to gain a foothold inside the system or access to the asset.
Authentication – Prove you are who you say you are. Usually username and password.
Authorization – Based on your authentication, what access do you have? To what systems and information/data?
Accounting – Traceability and resources used. Login/logout time. Amount of data used. Amount of money on your account. What doors you accessed and so on.
Four elements of secure communication
Data integrity – Data should not be modified, and if it is modified this should be detected.
Origin authentication – Guarantees that the data is from the sender it appears to be from.
Data confidentiality – Data should only be read by authorized parties. Achieved by encrypting data.
Data non-repudiation – A sender cannot deny having sent a message.
Identify assets, vulnerabilities and threats.
Score, weigh and prioritize risks.
Risk response planning
Determine risk response. Planning.
Monitor and assess results
Continuous risk monitoring and response assessment
Risk avoidance – Stop performing the activities that create risk. It is possible that as a result of a risk assessment, it is determined that the risk involved in an activity outweighs the benefit of the activity to the organization. If this is found to be true, then it may be determined that the activity should be discontinued.
Risk reduction – Decrease the risk by taking measures to reduce vulnerability. For example, if an organization uses server operating systems that are frequently targeted by threat actors, risk can be reduced through ensuring that the servers are patched as soon as vulnerabilities have been identified.
Risk sharing – Shift some of the risk to other parties. For example, a risk-sharing technique might be to outsource some aspects of security operations to third parties. Hiring a security as a service (SECaaS) CSIRT to perform security monitoring is an example. Another example is to buy insurance that will help to mitigate some of the financial losses due to a security incident.
Risk retention – Accept the risk and its consequences. This strategy is acceptable for risks that have low potential impact and relatively high cost of mitigation or reduction. Other risks that may be retained are those that are so dramatic that they cannot realistically be avoided, reduced, or shared.
Network Security Data
Generated by a network-based IDPS system. Snort is a free and open source IDPS.
Network traffic logs – Session and transaction data.
Session data is a record of a connection between two endpoints. Metadata. Session data contains details of network flows including the 5-tuples, the amount of data transmitted and the duration of data transmission. It’s a record of conversation.
Transaction data is the actual message exchanged during a network session, but not necessarily the payload. Transaction data includes device-specific server and host logs. It can be a GET request for a website and a response with the file path on the web server.
Full packet capture
This capture includes detailed protocol and payload information for all traffic on a network segment. This is the most detailed network data generally captured. Wireshark is a common tool.
Is used to describe and analyze network flow or performance data.
Includes files that are attached to emails or that were downloaded from the internet.
Generated by IPS or IDS devices when suspicious traffic is detected.
The recovery and investigation of information found on digital devices related to criminal activity.
NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
Digital evidence forensic process
- Collection (Media)
Identification of potential sources of forensic data, handling and storage of that data. It’s important not to damage, change or lose this data.
- Examination (Data)
Assessing and extracting relevant information from the collected data. May involve decryption of the data. Irrelevant data should be removed. Can be very difficult and time consuming.
- Analysis (Information)
Draw conclusions from the data. Identify and document important people, places, times, devices, events and so on. This step involves correlation of data from multiple sources.
- Reporting (Evidence)
Preparation and presenting the results from the analysis. Reporting should be impartial. Problems and limitations encountered should be included. Suggestions for further investigations should also be made.
Types of evidence
Best evidence – Evidence in its original state.
Corroborating evidence – Evidence that supports an assertion developed from best evidence.
Indirect evidence – Evidence that in combination with other facts establishes a hypothesis.
Evidence that was indisputably in the possession of the threat actor/accused, or is eyewitness evidence from someone
The most volatile evidence should be collected first, like RAM because this will be cleared when the computer is turned off.
- Memory registers, caches
- Routing tables, ARP cache, process table, kernel statistics, RAM
- Temporary file systems
- Non-volatile media, fixed and removable. HDDs and USBs
- Remote logging and monitoring data
- Physical interconnections and topologies
- Archival media, tape, CDs and other backups.
Determining who the threat actor/adversary is.
Cyber Kill Chain
- Reconnaissance
The adversary gathers intelligence and selects targets.
- Weaponization
The adversary uses the vulnerabilities of the asset and builds a tool to exploit them.
- Delivery
The weapon is transmitted/delivered through an email attachment, a USB stick or malware on a website, e.g.
- Exploitation
The adversary exploits and gains control over the target.
- Command & Control
The adversary communicates through a C&C server with IRC or DNS e.g to issue commands to the malware installed on the target.
- Actions on Objectives
Adversary – Represents the threat actor
Capability – The tools and techniques that are used by the adversary
Infrastructure – Represents the network paths that are used during an exploit.
Victim – A person, resource or asset.
Timestamp – The start and stop time of an event.
Phase – Refers to the steps in the Cyber Kill Chain
Result – What the adversary gained from a successful exploit
Direction – The path between parts in the Diamond Model that an exploit uses
Methodology – Classifies the general type of event. Port scan, syn flood etc.
Resources – The adversary’s resources used to carry out an exploit.
Data normalization – The process of combining data from a number of data sources into a common format. Data normalization is required to simplify searching for correlated events. IPv6 addresses, MAC addresses, subnet masks, DNS records and date formats are examples of data that is displayed differently on different systems.
Data reduction – Sorting out NSM traffic, because the amount of log file entries and alerts can be enormous. Encrypted data, traffic generated by routing protocols, broadcast protocols and low severity syslogs are examples of data that can be eliminated.
Data retention – Long-term storage. The amount of time or disk space used for storing NSM data. Sometimes it’s required by law or a compliance framework to store some metadata. For example, the Payment Card Industry Security Standards Council (PCI DSS) requires that an audit trail of user activities related to protected information should be stored for one year.
The science of making and using codes.
Cryptography – The development and use of codes.
Cryptanalysis – The breaking of these codes.
P = Plaintext
C = Ciphertext
K = Key
Cipher is an algorithm. Old technology that has been used for a long time. Enigma, Caesar Cipher and so on.
Plaintext = unencrypted text
Ciphertext = encrypted text
KDF = Key Derivation Function
KDF(password) –> K
Hashing: P –> C
Hashing a document, e.g., creates a fixed-size summary no matter the size of the hashed document. It’s impossible to recreate a document based on its hash. Different documents/inputs should create different hashes. It’s called a collision when the hash is the same.
The sender/source calculates a hash and attaches it to the file. Then the destination/receiver independently generates a hash on the same file and compares it. A plain hash is only used for detecting accidental message changes. A hacker can still modify a file and recalculate the hash.
Passwords should be stored in hashed format. During the login process, the hash for the entered password is compared with the stored hash. If hackers gain access to the database, only the hashed passwords are leaked, which are useless.
HMAC – Hash Message Authentication Code
HMAC can be used to add an additional secret key as input to the hash function, to ensure that the message is not altered in transit by a hacker, therefore protecting against man-in-the-middle.
Requires a pre-shared key.
Same key is used at both the sender and receiver for both encryption and decryption. Key length determines strength, longer is better. E.g. AES, Twofish, DES/3DES, SEAL and RC (Rivest Cipher).
- Block ciphers: Encrypts data in blocks, usually 64 or 128 bits.
- Stream ciphers: Encrypts bits one-by-one
- Substitution cipher – Each character is replaced, e.g. shifted x positions in the alphabet.
- Transposition – Letters are rearranged rather than changed.
- Polyalphabetic – Based on substitutions but uses different substitution alphabets.
Public key is used for encryption at the source/sender. When decrypting, a private key is used at the destination/receiver. Eg: Diffie-Hellman (DH), TLS/SSL and RSA.
Private and public keys are different. If a sender uses a private key to encrypt it’s not for privacy but for digitally signing.
In practice, both symmetric and asymmetric encryption are used.
The art of breaking codes.
Brute-force attack – Try every possible key.
Ciphertext-only attack – Crack the crypto using different ciphertexts.
Known-plaintext attack – Leverage some knowledge about plaintext corresponding to ciphertext.
Chosen-plaintext attack – Choose plaintext and observe the ciphertext.
Chosen-ciphertext attack – Use different ciphertexts and observe the decrypted plaintext.
Meet-in-the-middle attack – Know a portion of the plaintext and the corresponding ciphertext.
Key length – The size of the key in bits.
Key space – The number of possible keys given the key length.
Key length examples:
- Len 2: 4
- Len 3: 8
- Len 4: 16
- Len 40: 1 000 000 000 000 (Not that long)
Key is derived from the password.
PKI – Public Key Infrastructure
Digital signatures – To sign stuff.
Authenticity – Who someone is.
Integrity – Downloaded executables for example. Assure that they haven’t been altered.
Trusted third-parties validate the authenticity of public keys using digital certificates.
PKI is such a third party.
PKI is a framework that Certificate Authorities (CA) use to issue digital certificates.
Code signing is used to verify the integrity of executable files downloaded from a vendor website. Code signing uses digital certificates to authenticate and verify the identity of a website.
SOC – Security Operations Centre
Tier 1 Alert Analyst
AKA Cyber Operations Analyst. Verifies that an alert from a SIEM and/or SOAR is a true security incident. If tier 1 can’t resolve, then the alert is escalated in a ticketing system.
Tier 2 Incident Responder
Responsible for deep investigation of incidents.
Tier 3 Threat Hunter/SME (Subject Matter Expert)
Works preventively. Hunts for potential threats and implements/updates threat detection tools.
This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.
The automated process of clients requesting IP addresses and the server handing them out. If the DHCP server resides outside the router, the router can be configured as a DHCP relay.
DORA – A four step process.
- Discover message – Is broadcasted from the device when connected to a new network.
- Offer message – Sent from the DHCP server
- Request – DHCP server formally allocated the IP-address to the client.
- Acknowledgement –
There are two types of allocation:
- Dynamic allocation – Automatic
- Static allocation – IP-addresses are pre-programmed by a network-administrator.
Unicast – Data is sent from one host to another.
Broadcast – Data is sent to all hosts on a network.
Multicast – Data is sent to a specific group of hosts.
Iptables is an application that allows Linux system administrators to configure network access rules.
Default gateway is the closest router. Usually your home router, which also functions as your switch and wireless access point (WAP).
MAC – Media Access Control
MAC addresses are physical and fixed. They are “burned in” at the manufacturer. Bound to the NIC = Network Interface Controller
Resides at the data link layer and the link header contains both the source MAC and the destination MAC.
Two applications cannot use the same port. Total of 65,000 ports. The first 1024 ports are reserved. The rest are unreserved and can be used by anyone.
ICMP – Internet Control Message Protocol
Resides at the same network layer as the IP protocol. Used for error reporting. Used for ping and traceroute. Ping is a series of packets/requests for troubleshooting. Collects network statistics like delay and packet loss.
Ping is often used for DDoS attacks that overwhelm the destination host with requests and choke the network. Some firewalls block ping traffic.
Traceroute is an ICMP-based tool that pings and lists all hops a packet takes to reach its final destination. Used to identify issues. Discovers the route between two systems. Leverages the TTL (Time To Live) field in the IP header. The process is repeated until the destination is reached.
First hop: TTL 1
Second hop: TTL 2
Third hop: TTL 3
ARP – Address Resolution Protocol
ARP table is a list of known local computers. ARP maps destination MAC to destination IP in ARP-cache.
Common attacks modify the ARP table. Hackers can replace the default gateway at the victim computer with the hacker’s IP. ARP poisoning is a man-in-the-middle attack.
A hub was used before switches and is not used anymore. A hub forwards traffic to all ports, for example a ping request, but also ping replies.
DNS – Domain Name System
Used to translate domain names, e.g. Google.com, to an IP address. DNS always uses UDP to avoid TCP overhead, but that is not an issue.
Humans understand: www.google.com
Computers understand: 126.96.36.199
DNS server hierarchy
- DNS root: Lists top level domain (TLD) servers. 13 of them.
- Top level domain: .com .edu .net .se and so on.
- Authoritative: Has the specific domain. Auth servers.
Mail Exchange (MX) records are DNS records that are necessary for delivering email.
IP – Internet Protocol
Routes packets from source to destination using IP-addresses. IP protocol is a connection-less protocol, considered unreliable in terms of end-to-end delivery. It does not provide error control in the cases where receiving packets are out-of-order or in cases of missing packets. It relies on upper layer services, such as TCP, to resolve these issues.
- No retransmission. That’s the application layer’s responsibility.
- Packets can take multiple routes.
- Packets can arrive out of order.
Types of IP-addresses:
- Public IP-address 188.8.131.52
- Private IP-address: 192.168.0.1
- Loopback: 127.0.0.1
- IP-multicast: 184.108.40.206
IP addresses (32 bits total) have one network part and one host part:
- Network part is fixed.
- Host part is changeable.
- Class A: Network part: 8 bits – Host part: 24 bits.
- Class B: Network part: 16 bits – Host part: 16 bits.
- Class C: Network part: 24 bits – Host part: 8 bits.
OSI and TCP/IP: Network models
TCP/IP (5 layers)
- Application layer – HTTPS e.g. User layer. The last layer.
- Transport layer – TCP or UDP. Sockets and ports (segments).
- Network layer – IP addresses and router (packets) IPv4/IPv6
- Data link layer – MAC addresses and switches (Frame)
- Physical layer – Ethernet cables
Two extra layers at application layer:
Encapsulation – Think envelope inside envelope.
Decapsulation – Open the envelope and look at the next layer.
All layers treat the layers above their own as data or payload.
TCP – Transmission Control Protocol
A stateful protocol. Reliable. Most common.
Used for mail, files, browsing, messaging, when you can’t lose data. TCP is very reliable because every packet is acknowledged and resent if not delivered. TCP tolerates delay, but not loss. TCP will keep resending packets until they are acknowledged.
The handshake uses flags in the TCP header. After a handshake, data can be sent.
- SYN (Synchronize)
- SYN/ACK (Acknowledgement)
- ACK –
- URG – Urgent pointer field significant
- ACK – Acknowledgment field significant
- PSH – Push function
- RST – Reset the connection
- SYN – Synchronize sequence numbers
- FIN – No more data from sender
UDP – User Datagram Protocol
A stateless protocol. Unreliable but fast. Losses are acceptable. No acknowledgement. Used for multimedia, streaming, video, audio calls, zoom and so on.
Socket = IP+port
IP = destination
Port = Port on destination
HTTP status code
- 1xx – Informational
- 2xx – Success
- 3xx – Redirection
- 4xx – Client Error
- 5xx – Server Error
Key Security Protocols
HTTP transfers data in plain text which is susceptible to eavesdropping. HTTPS encrypts data.
SSL – Secure Sockets Layer. Phased out.
TLS – Transport Layer Security. Used instead of SSL.
TLS uses port 443, meaning HTTPS uses port 443.
HTTPS = HTTP+TLS/SSL
IPSEC – Network layer encryption. Very popular for tunnels e.g VPN.
IPSEC provides CIA.
VPN – Virtual Private Network
A VPN extends a private network over the public network.
- Transport mode: Encapsulates only the data/payload.
- Tunnel mode: Encapsulates the entire IP-packet.
Uses two different protocols:
- AH (Authentication header)
- ESP (Encapsulating Security Payload)
NAT – Network Address Translation
NAT is used on network gateways (routers). NAT enables a single public IP to handle thousands of internal systems. Hides private IP of internal systems and network structures. Prevents connections from outside.
PAT – Port Address Translation
Traditional NAT was one-to-one mapping of public to private IP. PAT is what we actually use today. Both provide some security.
First line of defence.
Can be software, hardware or both. Blocks or allows traffic based on set rules. Host-based or network-based. A list of firewall rules is called Access Control List (ACL) which filters packets.
Rules can block or allow traffic based on:
- Source IP: Blocks known malicious addresses. Public databases are available.
- Destination IP: Used for internal databases, PLCs or servers.
- Source port
- Destination port: Vulnerable ports like HTTP or TELNET.
- Protocols: Vulnerable like ICMP/PING.
Example of an ACL table:
10 Permit tcp any any 443
20 Permit tcp 10.0.0.0
30 Deny tcp any any 80
40 Deny ip any
50 Permit icmp any any
The first match in the ACL “wins” and the packet is either permitted or denied. Every ACL ends with an implicit deny, since packets not matched by any rule should be denied. Permit is also sometimes referred to as “FORWARD” and deny as “DROP”.
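A small first-match evaluator for the ACL above, added here as an example (it is not part of the original notes). It assumes rule 20, which the notes give only as “Permit tcp 10.0.0.0”, means source network 10.0.0.0/8 with any destination and port; it also goes one step further than the notes by flagging rules that an earlier rule makes unreachable, which rule 40 does to rule 50 in this table.

```python
import ipaddress

# Constructed ACL modelled on the table in the notes. Each entry is
# (sequence, action, protocol, source, destination, destination port).
# Assumption: rule 20 means source 10.0.0.0/8, any destination, any port.
ACL = [
    (10, "permit", "tcp", "any", "any", 443),
    (20, "permit", "tcp", "10.0.0.0/8", "any", "any"),
    (30, "deny", "tcp", "any", "any", 80),
    (40, "deny", "ip", "any", "any", "any"),
    (50, "permit", "icmp", "any", "any", "any"),
]


def _addr_matches(rule_net, addr):
    """True if addr falls inside rule_net ('any' matches everything)."""
    if rule_net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net, strict=False)


def _proto_matches(rule_proto, proto):
    """'ip' in a rule matches every IP protocol (tcp, udp, icmp, ...)."""
    return rule_proto == "ip" or rule_proto == proto


def _port_matches(rule_port, dport):
    """'any' matches every port, including no port at all (ICMP)."""
    return rule_port == "any" or rule_port == dport


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, sequence) of the first matching rule.

    Rules are checked top-down and the first match wins; a packet that
    matches nothing hits the implicit deny at the end of every ACL,
    reported here as ("deny", None).
    """
    for seq, action, r_proto, r_src, r_dst, r_port in acl:
        if (_proto_matches(r_proto, proto)
                and _addr_matches(r_src, src)
                and _addr_matches(r_dst, dst)
                and _port_matches(r_port, dport)):
            return action, seq
    return "deny", None


def _net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _covers(earlier, later):
    """True if the earlier rule matches every packet the later rule would."""
    _, _, e_proto, e_src, e_dst, e_port = earlier
    _, _, l_proto, l_src, l_dst, l_port = later
    return ((e_proto == "ip" or e_proto == l_proto)
            and _net_covers(e_src, l_src)
            and _net_covers(e_dst, l_dst)
            and (e_port == "any" or e_port == l_port))


def shadowed_rules(acl):
    """Sequence numbers of rules that can never match because an earlier
    rule already covers all of their traffic (a common ACL mistake)."""
    return [rule[0] for i, rule in enumerate(acl)
            if any(_covers(earlier, rule) for earlier in acl[:i])]


if __name__ == "__main__":
    # Constructed sample packets using documentation addresses.
    print(evaluate(ACL, "tcp", "203.0.113.5", "198.51.100.1", 443))  # permit, 10
    print(evaluate(ACL, "tcp", "10.1.2.3", "198.51.100.1", 80))      # permit, 20
    print(evaluate(ACL, "tcp", "203.0.113.5", "198.51.100.1", 80))   # deny, 30
    print(evaluate(ACL, "icmp", "203.0.113.5", "198.51.100.1"))      # deny, 40
    print(shadowed_rules(ACL))                                       # [50]
```

Note that the second packet is permitted by rule 20 even though rule 30 would deny it: ordering, not just content, decides what an ACL does.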
Uses software on the end user’s computer, Microsoft Defender e.g. Protects only this computer.
Protects the entire network. Firewalls can be stand alone or be built into the computer.
A combination of both host-based and network-based is typically used.
Stateless vs stateful firewalls
Stateless: Packet filtering firewalls. Faster than stateful. Blocks or denies traffic based on layer 3 and 4 information.
Stateful: More intelligent and common than stateless. Allows incoming traffic based on traffic initiated by packets moving out of the network. Blocks or denies traffic on layer 3-5 information.
Next Generation Firewalls:
Operate at the application layer. Inspects data/payload and not just network headers. Can detect if the traffic is Skype, Torrents, Youtube and so on. Can detect payloads, patterns and block specific malicious domain names, malware and spam.
Can block these specific applications, like Skype. But also specific parts of an application, like downloading files inside of Skype.
IPS – Intrusion Prevention Systems
Actually blocks traffic compared to IDS that only detects it and informs the owner or network administrator.
Host-based IPS = HIPS
IDS – Intrusion Detection Systems
Older. Not real time.
Host-based malware protection
- Signature-based recognize malware based on known malware files. Only old and already known malware can be stopped.
- Heuristic-based recognize malware based on characteristics shared by several other malware types. (Not sure this is correct)
- Behaviour-based uses analysis of suspicious behaviour. A process behaving out of place e.g
- Policy-based compares the operations of a host against well-defined security rules. With the anomaly-based intrusion detection approach, a set of rules or policies are applied to a host. Violation of these policies is interpreted to be the result of a potential intrusion.
Describes when firewalls are implemented on all hosts (host-based) on a network. It’s a coordinated, centrally managed firewall.
Five values that comprise a TCP/IP connection
- Source and destination IP
- Source and destination port
- Protocol in use
A way to observe malware or potential malware in an isolated environment where it can’t do any harm. VMs are a type of sandboxing environment. Sandboxes can also be used by threat actors to hide their traces.
Cuckoo is a free and open source sandbox. Cisco Threat Grid Glovebox is also a sandbox.
Addresses all phases of a malware attack, from breach prevention to detection, response and remediation. It’s a threat intelligence.
Identifies and stops latent malware on files.
Identifies and stops email threat actors.
Blocks attacks across the web.
To detect abnormal network behaviour, we need to establish a baseline of what is normal behaviour. Wireshark and NetFlow can assist with understanding what ports and IP addresses are normally used.
Same as network profiling. Listening ports, running processes and tasks, user accounts and so on.
Analysis of potential impacts of an attack on core assets and functionality.
Host scans, port scans, IP scans and other vulnerability scans with Kali Linux e.g
Ethical hacking, metasploit, Core Impact and so on.
CVSS – Common Vulnerability Scoring System
Risk assessment on a network and endpoints. CVSS 3.0 is the latest framework and an industry standard for weighing risks.
NIST Security framework
ISO27000 -> 27005
WAP – Wireless Access Point
WAP connects wireless clients like laptops and mobile phones to a wired network.
Rogue access point – Criminals place a WAP and connect it to the wired network. Usually done by former employees or employees with criminal intentions.
Sniffs wireless traffic. Steals MAC addresses to trick the WAP into sending packets to the wrong person.
Wireless Man In The Middle attack
Replay attack – Replays traffic after copying or modifying it.
Ways to protect WLAN
Hiding the SSID – The WAP normally broadcasts the SSID as a beacon every 30 seconds. Hiding the SSID means disabling the beacon. Not considered safe.
MAC address filtering – Maintain a whitelist of known and approved MAC addresses. Only approved MAC addresses can connect. Not considered safe.
SMTP (Simple Mail Transfer Protocol)
Used to send email. Then the client retrieves emails using IMAP or POP. Uses port 25.
IMAP (Internet Message Access Protocol)
Requires a larger amount of disk space. Downloads only copies of email messages to the client. Original messages must be manually deleted.
POP3 (Post Office Protocol)
Mail is downloaded from the server and then deleted. Does not require a centralized backup solution. Desirable for an ISP or large business.
STP – Spanning Tree Protocol
Prevents layer 2 loops that might occur on a redundant network. STP blocks redundant physical links to achieve this. TTL also helps.
Three-Layer network design
Also called a three-tier or campus network.
- Core Layer – Connects to the internet
- Distribution Layer – Connects the core and access layer. Houses multilayer switches that can operate at both layer 2 and 3. Normally only routers operate at layer 3.
- Access Layer – Where devices are connected.
Smaller networks use a two-tier design called Collapsed core where the core and distribution layer are combined.
Routing protocols can be divided into two categories, distance vector and link state protocols:
Distance vector routing protocols
BGP – Border Gateway Protocol (Used to exchange routes between ISPs)
EIGRP – Enhanced Interior Gateway Routing Protocol
RIP – Routing Information Protocol
Unique routing table for every router. Collects info about routes and nearby hops. Works like sign posts.
Link state routing protocols
OSPF – Open Shortest Path First
IS-IS – Intermediate System to Intermediate System
Builds a full map. Same on every router. Has info on all routes and hops. Works like a map rather than directions like distance vector protocols.
DMZ – Demilitarized zone
DMZ is used when internal servers need to be reachable from the internet/public. Having public servers connected to the same network as employees at a company poses a risk to the internal devices. DMZ can be configured with software in a very small network, but a large network uses two firewalls: one before the public servers, and one after, before entering the internal network.
NTP – Network Time Protocol
Used because we need:
Timestamp on logs. For security applications. For scheduling events.
NTP servers are divided into layers.
Stratum 0 – Uses atomic clocks
Stratum 1 – NTP servers based on stratum 0
Stratum 2 – NTP servers based on stratum 1
The lower the stratum number, the more accurate the time. Windows has an NTP server built in. NTP uses UDP to communicate. Usually both a primary and a backup server are used.
All network devices generate syslogs. Logs can be stored locally on devices or stored externally.
0 – Emergency.
1 – Alert.
2 – Critical.
3 – Error.
4 – Warning.
5 – Notice.
6 – Informational.
7 – Debug.
Syslog servers are used to centralize log collection. They use UDP port 514. Threat actors may target syslog servers and exfiltrate their logs to gather intelligence.
802.11 = Wireless LAN
Collision avoidance. Has signal interference.
WLAN requires more information in the header than LAN. WLAN is half duplex, which means only one client can transmit or receive at the same time.
- Passive mode – Access point sends a beacon every 30 seconds or so with SSID, supported standards and security settings.
- Active mode – Client must know the SSID. The client broadcasts a probe request with the SSID and supported standards. Then the AP sends a probe response.
CSMA/CA – Carrier Sense Multiple Access with Collision Avoidance
WLANs are half-duplex, meaning that only one client can send or receive at any given moment.
Lightweight AP. In a wireless deployment that is using lightweight access points (LWAPs), the LWAP forwards data between the wireless clients and the wireless LAN controller (WLC).
When an Ethernet switch receives a frame with an unknown Layer 2 address, the switch records that address in the address table.
Cisco switches assign an IP address to a routed port.
FTP – File Transfer Protocol
FTP uses TCP, on ports 20/21, to avoid packet loss.
SFTP – Secure FTP
TFTP – Trivial FTP
For users within a LAN. Uses UDP on port 69.
SMB – Server Message Block
A client/server file sharing protocol. Uses a request/response protocol.
A routine to keep the computer updated, remove trash and downloaded files, changing/updating passwords, unsubscribing from unwanted newsletters, deleting unused accounts, using multi-factor authentication, shutting down the computer when it’s not used and so on. Should be used both personally and at organizations.
Linux terminal commands
- man – Provides documentation.
- | – In the Linux shell, several commands can be combined to perform a complex task. This technique is known as piping. The piping process is indicated by inserting the character “|” between two consecutive commands.
- chmod – Modifies file permission.
- ps – Process Status. List the currently running processes and their PID.
- top – Lists processes like ps but keeps displaying them.
- kill – Remove, restart or pause a process.
- pwd – One of the most important commands in Linux is the pwd command, which stands for print working directory. It shows users the physical path for the directory they are working in.
- sudo – Allows a user to execute commands as a superuser.
- ren – Renames a file.
- mkdir – Creates a new directory.
- cd – Changes the current directory.
- dir – Lists files in a directory.
- ls – Lists the files in the current directory. ls -l also shows the permissions of each file.
- ln – Creates a hard link.
- rm – Removes files, links and so on from the file system.
- netstat – When used by itself (without any options), the netstat command will display all the active TCP connections that are available.
- netsh – The netsh.exe tool can be used to configure networking parameters for the PC from a command prompt.
- net accounts – Sets password and logon requirements for users. When used without options, the net accounts command displays the current settings for password, logon limitations, and domain information.
- net start – Starts a network service or lists running network services
- net use – Connects, disconnects, and displays information about shared network resources.
- net view – Shows a list of computers and network devices on the network.
- nslookup – Is a tool for testing and troubleshooting DNS servers.
A hierarchical database of all system and user information
Selectively denies traffic on specified interfaces
A CLI environment used to run scripts and automate tasks
Maintain system logs.
The Services console in Windows OS allows for the management of all the services on the local and remote computers. The setting of Automatic in the Services console enables the chosen service to start when the computer is started.
Local Security Policy
Windows systems that are not part of an Active Directory Domain can use the Windows Local Security Policy to enforce security settings on each stand-alone system.
- cmdlets – PowerShell commands that perform an action and return .NET objects (not plain text) to the pipeline, so the next command can work on their properties directly.
- EXT (Extended File System)
- NTFS (New Technology File System)
- ext2 (second EXTended file system)
- ext3 (third)
- ext4 (fourth)
- NFS (Network File System)
- CDFS (Compact Disk File System)
- Swap File System
- HFS+ (Hierarchical File System Plus)
- APFS (Apple File System)
- MBR (Master Boot Record) – Not a file system but the legacy partition table and boot code in the first sector of a disk; it describes where the file systems above live.
Linux roles and file permission
On a Linux system, everything is treated as a file. That file carries file permissions. Possible file permissions are Read, Write and Execute (rwx).
In an ls -l listing the first character gives the type: a dash indicates a regular file, a “d” indicates a directory (and “l” a symbolic link). The next nine characters are three sets of rwx:
- First set of rwx indicates the owner (user) permissions.
- Second set indicates group permissions.
- Third set indicates permissions for others (everyone who is neither the owner nor in the group).
Each set of three bits is also written as one octal digit (r = 4, w = 2, x = 1), which is the form chmod takes, e.g. chmod 750 file gives rwxr-x---:

| Binary | Octal | Symbolic | Meaning |
|---|---|---|---|
| 000 | 0 | --- | No permission |
| 001 | 1 | --x | Execute only |
| 010 | 2 | -w- | Write only |
| 011 | 3 | -wx | Write and Execute |
| 100 | 4 | r-- | Read only |
| 101 | 5 | r-x | Read and Execute |
| 110 | 6 | rw- | Read and Write |
| 111 | 7 | rwx | Read, Write and Execute |
Abbreviations and acronyms
- SOC – Security Operations Center
- SIEM – Security Information and Event Management software
- SOAR – Security Orchestration, Automation and Response
- UEBA – User and Entity Behaviour Analytics
- KPI – Key Performance Indicators
- APT – Advanced Persistent Threat
- DoS – Denial of Service
- DDoS – Distributed Denial of Service
- RaaS – Ransomware as a Service
- IoT – Internet of Things
- GDPR – General Data Protection Regulation
- OVF – Open Virtualization Format
- SecOps – Security Operations
- TacOps – Tactical Operations
- OpSec – Operational Security
- OSINT – Open Source Intelligence
- WMI – Windows Management Instrumentation
- NIDS – Network Intrusion Detection System
- BYOD – Bring Your Own Device
- FTP – File Transfer Protocol
- SMB – Server Message Block
- SSH – Secure Shell Protocol
- DNS – Domain Name System
- MX – Mail Exchange
- TLD – Top Level Domain
- SNMP – Simple Network Management Protocol
- DHCP – Dynamic Host Configuration Protocol
- AES – Advanced Encryption Standard
- VPN – Virtual Private Network
- DaaS – Desktop as a Service
- CLI – Command Line Interface
- API – Application Programming Interface
- OLE – Object Linking and Embedding
- MBR – Master Boot Record
- ICMP – Internet Control Message Protocol
- TCP – Transmission Control Protocol
- UDP – User Datagram Protocol
- ISP – Internet Service Provider
- NIC – Network Interface Controller
- MAC – Media Access Control
- ARP – Address Resolution Protocol
- NAT – Network Address Translation
- NTP – Network Time Protocol
- TTL – Time To Live
- FCS – Frame Check Sequence
- CAM – Content-Addressable Memory
- IP – Internet Protocol
- OS – Operating System
- IDS – Intrusion Detection Systems
- IPS – Intrusion Prevention Systems
- HIPS – Host-based Intrusion Prevention Systems
- HIDS – Host-based Intrusion Detection Systems
- ACL – Access Control List
- PLC – Programmable Logic Controller
- BSS – Basic Service Set
- PDU – Protocol Data Units
- DAD – Duplicate Address Detection
- DLP – Data Loss Prevention
- RTS – Ready To Send
- CTS – Clear To Send
- AP – Access Point
- WAP – Wireless Access Point
- SSID – Service Set IDentifier
- WLAN – Wireless Local Area Network
- VLAN – Virtual Local Area Network
- LAN – Local Area Network
- WAN – Wide Area Network
- OSPF – Open Shortest Path First
- RIP – Routing Information Protocol
- LPM – Longest Prefix Match
- IOC – Indicators Of Compromise
- IOA – Indicators Of Attack
- STP – Spanning Tree Protocol
- DMZ – Demilitarized Zone
- ZFW – Zone-based policy Firewall
- CISA – US Cybersecurity and Infrastructure Security Agency
- AIS – Automated Indicator Sharing
- NCSA – National Cyber Security Alliance
- ENISA – European Union Agency for Cybersecurity
- IETF – Internet Engineering Task Force
- SQL – Structured Query Language
- CVE – Common Vulnerabilities and Exposures
- SID – Security Identifier
- CTI – Cyber Threat Intelligence
- STIX – Structured Threat Information Expression
- TAXII – Trusted Automated Exchange of Indicator Information
- FIRST – Forum of Incident Response and Security Teams
- MISP – Malware Information Sharing Platform
- CIS – Center for Internet Security
- TIP – Threat Intelligence Platform
- NIST – National Institute of Standards and Technology
- CSIRT – Computer Security Incident Response Team
- CSIRC – Computer Security Incident Response Capability
- HMAC – Hash-based Message Authentication Code
- KDF – Key Derivation Function
- CVSS – Common Vulnerability Scoring System
- NVD – National Vulnerability Database
- PKI – Public Key Infrastructure
- CA – Certificate Authority
- ISMS – Information Security Management System
- NSM – Network Security Monitoring
- AAA – Authentication, Authorization and Accounting
- RADIUS – Remote Authentication Dial-In User Service
- TACACS – Terminal Access Controller Access-Control System
- AMP – Advanced Malware Protection
- ESA – Email Security Appliance
- WSA – Web Security Appliance
- NAC – Network Admission Control
- TTP – Tactics, Techniques and Procedures
- ATT&CK – Adversarial Tactics, Techniques & Common Knowledge (the MITRE framework)
- RSA – Retrospective Security Analysis (in this SOC context; in cryptography RSA is the Rivest–Shamir–Adleman public-key algorithm)
- SOP – Standard Operating Procedures
- SME – Subject Matter Expert
- PID – Process ID (Unique)
- HAL – Hardware Abstraction Layer
- CTF – Capture The Flag
- PII – Personally Identifiable Information
- PHI – Protected Health Information
- PSI – Personal Security Information
Types of malware and exploits
- Malware – Collective name for malicious software: viruses, worms, trojans, ransomware, spyware and so on.
- Worm – Self-replicating malware that spreads across networks on its own, without needing a host program or user action. Stuxnet was a worm.
- Virus – Malicious code that attaches itself to regular programs or files and runs when the infected host is executed; unlike a worm it needs that host to spread.
- Metamorphic – A metamorphic virus rewrites its own code with every iteration, so each succeeding version differs from the preceding one while keeping the same behaviour.
- Polymorphic – A polymorphic virus keeps the same payload but changes its appearance on each infection, typically by re-encrypting itself with a new key and varying the decryption stub, which makes it hard to match with signature-based anti-malware.
- Trojan horse – Malware disguised as, or embedded in, a normal file or program so that the user runs it voluntarily.
- Spyware – Usually delivered as a trojan. Can be a keylogger. Spies on the user's browsing history and/or credit card information.
- Adware – Software that displays unwanted or deceptive advertisements, often bundled with other downloads.
- Keylogger – Logs keystrokes. Can be software (spyware), a hardware device such as a USB dongle between keyboard and computer, or a hijacked Bluetooth keyboard.
- Ransomware – Encrypts the victim's files (sometimes whole systems) and demands a ransom for the decryption key, often in Bitcoin or another cryptocurrency.
- Rootkit – A virus, trojan, keylogger etc. that hides “deep” inside the system with administrative (root or kernel) privileges and masks itself as a legitimate program or as part of the OS. Hard to find with tools that run on the compromised host itself.
- SQL injection – Threat actors exploit applications that build database queries by concatenating untrusted input into the SQL string; crafted input changes the meaning of the query and can expose passwords, social security numbers, phone numbers and so on. Parameterised (prepared) queries are the standard fix.
- Zero Day Exploit – An exploit for a vulnerability the vendor does not yet know about or has not patched, so no fix exists at the time it is used. Malware can use such an exploit to gain access to the machine.
- Man in the middle attack – (MiTM) A MiTM attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
- Data exfiltration – Unauthorized data transfer. Is considered data theft. Can be made by a malware or a threat actor.
- Daemon – An operating system program running in the background designed to perform a specific task when certain conditions or events occur. A daemon is a background process that runs without the need for user interaction.
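The SQL injection entry above describes the bug in words; the following added example (not code from the original page) shows it running. It uses Python's sqlite3 module with an in-memory database and constructed user rows, puts a login check written with string formatting next to the same check written with bound parameters, and sends both the same tautology payload. The table name, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; not real credentials or identifiers.
SAMPLE_USERS = [
    ("alice", "correct horse", "123-45-6789"),
    ("bob", "hunter2", "987-65-4321"),
]

# Classic tautology payload: closes the string literal, then appends a condition
# that is always true. Because AND binds tighter than OR, the WHERE clause becomes
# (username = 'x' AND password = '') OR '1'='1', which matches every row.
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string formatting, so attacker text becomes SQL syntax."""
    query = (
        "SELECT username, ssn FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return con.execute(query).fetchall()


def login_safe(con: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver sends the values separately from the SQL
    text, so a quote in the input is just a character inside a string value."""
    query = (
        "SELECT username, ssn FROM users "
        "WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return con.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Run both implementations with legitimate and malicious input."""
    con = make_db()
    return {
        "legit_vulnerable": login_vulnerable(con, "bob", "hunter2"),
        "legit_safe": login_safe(con, "bob", "hunter2"),
        "attack_vulnerable": login_vulnerable(con, "x", TAUTOLOGY),
        "attack_safe": login_safe(con, "x", TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With normal credentials both functions behave identically, which is why this class of bug survives testing; only the tautology payload separates them: the formatted query returns every user's SSN, the parameterised one returns nothing. Note that sqlite3 refuses to run more than one statement per execute() call, so stacked-query payloads (appending a second statement after a semicolon) fail here even against the vulnerable function; other database drivers do not all give that protection.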