CompTIA Security+ (SY0-601): Security Overview

When a person’s identity is established with proof and confirmed by a system

Something you know

Something you are

Something you have

Something you do

Somewhere you are

Occurs when a user is given access to a certain piece of data or certain areas of a building

Tracking of data, computer usage, and network resources

Non-repudiation occurs when you have proof that someone has taken an action

Alarm systems, locks, surveillance cameras, identification cards, and security guards

Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication

Policies, procedures, security awareness training, contingency planning, and disaster recovery plans

User training is the most cost-effective security control to use

White Hats
Non-malicious hackers who attempt to break into a company’s systems at their request

Black Hats
Malicious hackers who break into computer systems and networks without authorization or permission

Gray Hats
Hackers without any affiliation to a company who attempt to break into a company’s network but risk the law by doing so

Blue Hats
Hackers who attempt to hack into a network with permission of the company but are not employed by the company

Elite
Hackers who find and exploit vulnerabilities before anyone else does
1 in 10,000 are elite

Script Kiddies
Hackers with little to no skill who only use the tools and exploits written by others

Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism

Organized Crime
Hackers who are part of a crime group that is well-funded and highly sophisticated

Advanced Persistent Threats
Highly trained and funded groups of hackers (often by nation states) with covert and open-source intelligence at their disposal

Timeliness
Relevancy
Accuracy
Confidence Levels

Proprietary
Threat intelligence is very widely provided as a commercial service offering,
where access to updates and research is subject to a subscription fee

Closed-Source
Data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized

Open-Source
Data that is available to use without subscription, which may include threat feeds similar to the commercial providers and may contain reputation lists and malware signature databases

Open-Source Intelligence (OSINT)
Methods of obtaining information about a person or organization through public records, websites, and social media

A cyber security technique designed to detect presence of threat that have not been discovered by a normal security monitoring

Threat Hunting is potentially less disruptive than penetration testing

Establish a hypothesis
Profiling threat actors & activities

Consumes a lot of resources & time, but can yield a lot of benefits

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion

Kill chain analysis can be used to identify a defensive course-of action matrix to counter the progress of an attack at each stage

1) Reconnaissance
The attacker determines what methods to use to complete the phases of the attack

2) Weaponization
The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system

3) Delivery
The attacker identifies a vector by which to transmit the weaponized code to the target environment

4) Exploitation
The weaponized code is executed on the target system by this mechanism

5) Installation
This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system

6) Command & Control (CC)
The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack

7) Actions on Objectives
The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)

The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim

Adversary

Infrastructure Capabilities

Victim