
4 ) Threat Hunting
16 questions • 9 months ago
  • The R.S.S.H Delivery Company

    Question list

  • 1

    PT 1 | Define and Categorize “ Threat Modeling “:

    - What are the things to consider when determining what level of risk exists:
      - How can the attack be performed?
      - What is the potential impact to the confidentiality, integrity, and availability of the data?
      - How likely is the risk to occur?
      - What mitigations are in place?
    - Define “ Threat Modeling “:
      - This is the process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system.
      - You need to consider both the defender’s point of view and the attacker’s point of view.
      - Threat modeling can be used against corporate networks in general at a large scale.
    - What are the main areas to consider when it comes to threat modeling:

  • 2

    PT 2 | Define and Categorize “ Threat Modeling “:

    - Adversary Capability:
      - This is a formal classification of the resources and expertise available to a threat actor.
      - What are the types of capabilities:
        - Acquired and augmented
        - Developed
        - Advanced
        - Integrated
    - Define “ Attack Surface “:
      - This is the point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
      - What are some areas to consider when modeling your attack surfaces:
        - The holistic network
        - Websites or cloud services
        - Custom software applications

  • 3

    PT 3 | Define and Categorize “ Threat Modeling “:

    - Define an “ Attack Vector “:
      - This is a specific path by which a threat actor gains unauthorized access to a system.
      - What are the types of attack vectors:
        - Cyber
        - Human
        - Physical
    - What are some additional considerations:
      - Likelihood is the chance of a threat being realized, usually expressed as a percentage.
      - Impact is the cost of a security incident or disaster scenario, usually expressed in cost (dollars).

  • 4

    PT 1 | Define and Categorize “ Threat Hunting “:

    - Define “ Threat Hunting “:
      - This is a cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.
      - It is potentially less disruptive than penetration testing.
    - What are the steps of Threat Hunting:
      - Hypothesis:
        - This is derived from the threat modeling and is based on potential events with higher likelihood and higher impact.
      - Define “ Profiling Threat Actors and Activities “:
        - This involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be.
    - Threat hunting relies on the use of the tools developed for regular security monitoring and incident response.
    - You need to assume that these existing rules have failed when you are threat hunting.

  • 5

    PT 2 | Define and Categorize “ Threat Hunting “:

    - What is an example of a process for threat hunting:
      - Analyze network traffic
      - Analyze the executable process list
      - Analyze other infected hosts
      - Identify how the malicious process was executed
    - Threat hunting consumes a lot of resources and time to conduct, but can yield a lot of benefits, like:
      - Improve detection capabilities
      - Integrate intelligence
      - Reduce attack surface
      - Block attack vectors
      - Identify critical assets

  • 6

    Define and Categorize “ Open-Source Intelligence (OSINT) “:

    - Define “ Open-Source Intelligence (OSINT) “:
      - This is publicly available information plus the tools used to aggregate and search it.
      - OSINT can allow an attacker to develop any number of strategies for compromising a target. Sources include:
        - Publicly available information
        - Social media
        - Dating sites
        - HTML code
        - Metadata

  • 7

    Define and Categorize “ Google Hacking “:

    - Define “ Google Hacking “:
      - This is an open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications.
    - Define and Categorize “ Methods “:
      - Define Quotes “ ”:
        - Use double quotes to specify an exact phrase and make a search more precise.
      - Define “ NOT “:
        - Use the minus sign in front of a word or quoted phrase to exclude results that contain that string.
      - Define “ AND/OR “:
        - Use these logical operators to require both search terms (AND) or to require either search term (OR).
      - Define “ Scope “:
        - Different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor.
      - Define “ URL Modifier “:
        - Modifiers that can be added to the results page URL to affect the results, such as &pws=0, &filter=0, and &tbs=li:1.
    - The Google Hacking Database (GHDB) provides a database of search strings optimized for locating vulnerable websites and services.
    - Define “ Shodan (shodan.io) “:
      - This is a search engine optimized for identifying vulnerable Internet-attached devices.

  • 8

    Define and Categorize “ Profiling Techniques “:

    - Define “ Email Harvesting “:
      - This is an Open-Source Intelligence (OSINT) technique used to gather email addresses for a domain.
      - Once a list has been created, it can be used in social engineering attempts. Sources and tools used for this include:
        - Pipl.com
        - Peekyou.com
        - Echosec.net
    - Define “ The Harvester “:
      - This is a command line tool used by penetration testers.

  • 9

    Define and Categorize “ Harvesting Techniques “:

    - Define “ whois “:
      - This is a public listing of all registered domains and their registered administrators.
    - Define “ DNS Zone Transfer “:
      - This is a method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack.
      - If your DNS service is misconfigured, a DNS zone transfer could be allowed.
    - Define “ DNS Harvesting “:
      - This uses Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on.
    - Define “ Website Harvesting “:
      - This is a technique used to copy the source code of website files to analyze for information and vulnerabilities.

  • 10

    Define and Categorize “ AbuseIPDB “:

    - Define “ AbuseIPDB “:
      - This is a community-driven database that keeps track of IP addresses reported for abusive behavior.
    - Define “ Benefits for organizations “:
      - It enables the organization to take a proactive approach to its cybersecurity.
      - The database is constantly being updated with new information from a global community of users.
      - The organization can also use AbuseIPDB to monitor its logs for any suspicious activity.
      - Individuals can also benefit by using this database.
    - The information in AbuseIPDB is not considered to be 100% reliable:
      - It’s important that you combine AbuseIPDB with other security measures.
      - This database is constantly being updated with new information.

  • 11

    PT 1 | Define and Categorize “ Deep Web and Dark Web “:

    - The deep web and the dark web are both parts of the Internet that are not easily accessible through traditional search engines.
    - Define the “ Deep Web “:
      - This is the portion of the Internet not indexed by search engines, which includes private databases, subscription-based websites, and other content that is not publicly accessible. This includes:
        - Medical and scientific research
        - University libraries
        - Government databases
      - The deep web can contain sensitive information that is not meant to be searchable by the general public.
      - It can be used as a source of information to gather intelligence on potential threats.
      - Helps gather intelligence on potential threats.

  • 12

    PT 2 | Define and Categorize “ Deep Web and Dark Web “:

    - Define the “ Dark Web “:
      - This refers to a specific part of the deep web that's used for illegal activities, such as the buying and selling of drugs, weapons, and stolen personal information, such as credit card data.
      - The dark web is considered a criminal haven and a high-risk area where hacking and illicit activities occur.
      - Accessing the dark web without proper knowledge and precautions can put the user at risk of encountering illegal activities, malware, or being targeted by cyber criminals.
      - It can be used to monitor for stolen data or information related to the organization.
      - It can also be used to track the activities of known or suspected cybercriminal groups, to identify any patterns or trends in their methods and techniques.
      - It can also track the prices and availability of tools and services commonly used in cyber attacks.
      - Monitors for stolen data and tracks the activities of cybercriminals.

  • 13

    Define and Categorize “ Bug Bounty “:

    - Define “ Bug Bounty “:
      - This is a way for companies to crowdsource security testing of their software services and applications to identify and address potential security issues.
    - What are ways to participate:
      - You can participate in your own company by finding and reporting problems in your own systems.
      - You can use bug bounty to show your skills and gain recognition in the cyber security community.
      - You should approach testing in a responsible and ethical manner, avoiding causing harm or disruption to systems, applications, or services.
      - Obtain necessary permissions (legal agreements like NDAs), and use a robust system for tracking, triaging, and remediating vulnerabilities.
      - Register with the company ahead of time, otherwise you could be considered a malicious hacker.

  • 14

    PT 1 | What are the controls in I.S.O 27001:2022 that cover Threat Hunting?

    - Here's how various controls contribute to enabling threat hunting capabilities:
    - Organizational Controls:
      - A.5.7 Threat Intelligence:
        - This is the most relevant control. It mandates that organizations collect, analyze, and produce threat intelligence regarding information security threats.
        - Threat hunting is a direct outcome of leveraging threat intelligence to proactively search for threats that might evade standard security controls.
        - By understanding the threat landscape, attack tactics, and indicators of compromise (IOCs), organizations can formulate hypotheses for threat hunting activities.
        - Example:
          - If threat intelligence indicates a rise in ransomware attacks targeting organizations in a specific sector using particular TTPs, a threat hunting team can proactively search their environment for evidence of these TTPs.
      - A.5.12 Classification of Information:
        - Understanding the value and sensitivity of information assets helps prioritize threat hunting efforts.
        - Critical assets that would have a significant impact if compromised become prime targets for proactive hunting activities.
        - Example:
          - Threat hunting efforts might focus on systems storing highly classified customer data to ensure no sophisticated threats are present.

  • 15

    PT 2 | What are the controls in I.S.O 27001:2022 that cover Threat Hunting?

    - A.5.36 Compliance with legal and contractual requirements:
      - Certain regulations or contractual obligations might necessitate proactive measures to detect specific types of threats or ensure a certain level of security monitoring, which can drive the need for threat hunting.
      - Example:
        - Compliance with data breach notification laws might prompt proactive hunting for indicators of data exfiltration attempts.
    - Technological Controls:
      - A.8.15 Logging and Monitoring:
        - Robust logging and monitoring capabilities are essential prerequisites for effective threat hunting.
        - Without comprehensive logs from various systems and network devices, threat hunters lack the raw data needed to identify suspicious activities.
        - Example:
          - Threat hunters rely on security information and event management (SIEM) systems that aggregate logs to look for patterns and anomalies indicative of malicious behavior.
      - A.8.16 Monitoring activities:
        - This control emphasizes the continuous monitoring of networks, systems, and applications for unusual or suspicious behavior.
        - Threat hunting activities complement this by actively seeking out anomalies that might not trigger automated alerts.
        - Example:
          - While automated monitoring might flag a high number of failed login attempts, a threat hunt could involve manually analyzing login patterns from specific geographical locations or during unusual hours.

  • 16

    PT 3 | What are the controls in I.S.O 27001:2022 that cover Threat Hunting?

    - A.8.18 Security testing:
      - Penetration testing and red teaming exercises, which fall under security testing, can be considered a form of threat hunting in a controlled environment.
      - These activities simulate real-world attacks to identify vulnerabilities and weaknesses, including the presence of sophisticated threats.
      - Example:
        - A red team exercise might involve attempting to establish persistent access to a network and remain undetected, simulating an advanced persistent threat (APT) that a threat hunt would aim to uncover in a live environment.
    - General Information:
      - While ISO 27001:2022 doesn't explicitly mandate "threat hunting," the emphasis on understanding the threat landscape through A.5.7 (Threat Intelligence), coupled with the requirements for logging, monitoring, and security testing, strongly implies the need for proactive threat detection activities.
      - Organizations implementing ISO 27001:2022 should consider establishing threat hunting capabilities as a key component of their overall information security strategy to enhance their resilience against advanced and evolving threats.
      - Threat hunting goes beyond automated detection by involving human analysts actively searching for malicious activities that might otherwise go unnoticed.
