L
creating user accounts, 57
monitoring and managing system resources in Windows, 58
using Windows PowerShell, 57
Windows Task Manager, 58
LANs, internal LAN elements, 458
Layer 3 switches, 253
LBM (load balancing manager), 513
lease origination, DHCPv4, 207
lease renewal, DHCPv4, 207
legal department, incident response, 603
lesson-based hardening, post-incident activities, 609–610
lightweight APs (LWAPs), 262
hard links, Linux, 96
Linux, 73
administration
hard links and symbolic links, 96–97
monitoring service logs, 89–91
roles and file permissions, 94–96
service configuration files, 84–88
CLI (command line interface), 74
client-server communications, 82
services and ports, 83
file and directory commands, 79
hard links, 96
paths, 77
penetration testing tools, 76
shell, 77
SOC (Security Operations Centers), 74–75
tools, 76
value of, 74
Linux CLI, 77
GUI (graphical user interface)
installing applications, 100–101
patches, 102
piping commands, 110
LLC (Logical Link Control), 139, 140
load balancing manager (LBM), 513
local AAA authentication, 386–387
local exploits, 298
local host, host forwarding, 158
local loopbacks, pinging, 169
local ports, TCP (Transmission Control Protocol), 187–188
local route interfaces, 243
Local Security Authority Subsystem Service (LSASS), 520
local stacks, testing with ping, 168–169
local TCP/IP stacks, testing, 169
log collection, SIEM (security information and event management), 525–526
log entries, 558
log file analysis, 89
log files, 558
alert data, 514
end device logs
Apache HTTP Server access logs, 522–523
SIEM (security information and event management), 525–526
network logs
AVC (Application Visibility and Control), 529
proxy logs, 532
session data, 515
log managers, SOC (Security Operations Centers), Linux, 75
logical AND operation, IPv4, 151
Logical Link Control (LLC), 139, 140
logical topology, networks, 284
logs, AAA (Authentication, Authorization, and Accounting), 388–390
Logstash, 124
LOIC (Low Orbit Ion Cannon), 353
lookup processes, DNS (Domain Name System), 211–213
loopback addresses, pinging, 54
loss of competitive advantage, 6
Low Orbit Ion Cannon (LOIC), 353
ls command, Linux, 77, 79, 94, 110
LSASS (Local Security Authority Subsystem Service), 520
lusrmgr.msc, 43
LWAPs (lightweight APs), 262
M
MAC (mandatory access control), 385
MAC (Media Access Control), 139, 140
address resolution protocol
destination on remote networks, 178
destination on same network, 176–177
Ethernet, 140
MAC address format, Ethernet, 141–142
MAC addresses, switches, 245–247
MACE (Modify, Access, Create, and Entry Modified), 29
MAC-to-IP address mapping, removing, 181
malicious iFrames, 364
malvertising, 309
malware
adware, 310
phishing, 310
ransomware, 309
rootkits, 310
scareware, 310
spyware, 310
classifications, 307
viruses, 306
malware analysis tools, SOC (Security Operations Centers), Linux, 75
malware protection programs, 63
man ls command, Linux, 77
managed security, SOC (Security Operations Centers), 10
managed security service provider (MSSP), 600
management, incident response, 603
management frames, 256
Management Information Base (MIB), 274
mandatory access control (MAC), 385
man-in-the-middle attacks, 305, 315, 317, 343
master boot record (MBR), 31–32
Linux, 93
Master File Table (MFT), 31
maximum transmission unit (MTU), 147
MBR (master boot record), 31–32
Linux, 93
MD5 (Message Digest 5), hash functions, 412
MDM (Mobile Device Management), 486–487
MDM (Mobile Device Management) software, 383
mechanisms, transport layer protocols, 186
media, network components, 283
Media Access Control (MAC). See MAC (Media Access Control)
media independent, IPv4, 146–147
media relations, incident response, 603
meet-in-the-middle method, 407
memory allocation, Windows, 38–39
Memory tab, Resource Monitor, 51
mesh, WAN topologies, 285
Message Digest 5 (MD5), 412
message multiplexing, 133
message segmentation, 133
messages
ICMPv6 RS and RA messages, 166–168
NA (Neighbor Advertisement) messages, 166
NS (Neighbor Solicitation) messages, 166
RA (Router Advertisement) messages, 166
receiving, 137
RS (Router Solicitation) messages, 166
meta-features, Diamond Model, 589
metric groups, CVSS (Common Vulnerability Scoring System), 474–475
MFT (Master File Table), 31
MIB (Management Information Base), 274
Microsoft Windows, host logs, 519
Mime Types, 568
MITRE Corporation, 391
mkdir command, Linux, 79
Mobile Device Management (MDM), 486–487
Mobile Device Management (MDM) software, 383
models
access control models, 385
reference models. See reference models
monitoring
networks. See network monitoring
monitoring systems, SOC (Security Operations Centers), 10
mounting, 93
MPLS (Multiprotocol Label Switching), 281
Msconfig tool, 33
MS-ISAC (Multi-State Information Sharing & Analysis Center), 391
MSSP (managed security service provider), 600
MTU (maximum transmission unit), 147
multicast, communication protocols, 129
multiplexing, 133
Multiprotocol Label Switching (MPLS), 281
Multi-State Information Sharing & Analysis Center (MS-ISAC), 391
MX, DNS (Domain Name System), 214
MySQL log file, 326
N
NA (Neighbor Advertisement) messages, 166
NAC (Network Admission Control), 462
nano text editor, 80
NAT (Network Address Translation), 127, 157, 216–217, 509–510
FTP (File Transfer Protocol), 219–220
PAT (Port Address Translation), 218–219
routers, 217
SMB (Server Message Block), 220–221
TFTP (Trivial File Transfer Protocol), 220
NAT stitching, 338
NAT-enabled routers, 217
national CSIRTs, 600
national security, politics, 6–7
National Vulnerability Database (NVD), 480
nations, sophisticated malware, 3
NBA (Network Behavior Analysis), 517
NBAD (Network Behavior Anomaly Detection), 517
NDP (Neighbor Discovery Protocol), 166
Neighbor Advertisement (NA) messages, 166
Neighbor Discovery Protocol (NDP), 166
Neighbor Solicitation (NS) messages, 166
net accounts, 48
net session, 48
net share, 48
net start, 48
net stop, 48
net use, 48
net view, 48
NetFlow, 275–276, 335, 337–338, 510, 527–529
events, 536
network adapters, configuration management, 51
Network Address Translation (NAT). See NAT (Network Address Translation)
network addresses, IPv4, 151–152
Network Admission Control (NAC), 462
Network and Sharing Center, 51–52
network anomaly detection, 472
network attack surfaces, 467
network attacks
access attacks, 314
DoS (denial-of-service) attacks, 319–322
network monitoring. See network monitoring
reconnaissance attacks, 312–314
Network Behavior Analysis (NBA), 517
Network Behavior Anomaly Detection (NBAD), 517
network communication, Ethernet. See Ethernet
network devices
STP (Spanning Tree Protocol), 248–252
wireless communications. See wireless communications
network communications processes. See also communication protocols
client-server communications, 119
typical session for gamers, 120
typical session for students, 119–120
typical session for surgeons, 121
STP (Spanning Tree Protocol), 248–252
network discovery events, NGIPS (NextGen IPS), 536
Network File System (NFS), Linux, 92
network intelligence communities, 390–392
network interface card (NIC), 276
network layer, OSI (Open Systems Interconnection) model, 131
network logs
AVC (Application Visibility and Control), 529
network maintenance policies, 382
network mode, 257
network monitoring, 333
network security topology, 332–333
TAPs (Terminal Access Points), 333–334
tools, 335
network protocol analyzers, 335–339
traffic monitoring and SPAN, 334
network packet capture software, SOC (Security Operations Centers), Linux, 74
network penetration tests, 303
network protocol analyzers, 335–339
network protocol communication, 123
network protocol suites, 124–125
Address Resolution Protocol. See Address Resolution Protocol (ARP)
communication processes
client-server communications, 119
typical session for gamers, 120
typical session for students, 119–120
typical session for surgeons, 121
connectivity verification. See connectivity verification
TCP/IP protocol suite, 126–128
transport layer protocols. See transport layer protocols
network representations, network topologies
common security architectures, 288–289
logical topology, 284
three-layer network design model, 286–287
WAN topologies, 285
network resources, accessing, 56–57
network scanning tools, 303
network security
attacks. See attacks
cyber threat indicators, 300–301
cybercriminals, 300
cybersecurity tasks, 300
threat actor tools. See threat actor tools
threat actors, evolution of, 299–300
ELSA (Enterprise Log Search and Archive), 554, 564
investigating
processes or API calls, 567–568
event handling, 563
network security infrastructure
security devices
intrusion protection and detection devices, 267
next-generation firewalls, 266
packet filtering firewalls, 265–266
specialized security appliances, 271–272
stateful firewalls, 266
security services
NTP (Network Time Protocol), 277–279
packet tracers, 274
port mirroring, 276
SNMP (Simple Network Management Protocol), 274
syslog servers, 277
traffic control with ACLs, 272–273
VPNs (virtual private networks), 280–282
network security monitoring (NSM), 502
network security organizations, 390
network security topology, 332–333
network services
DHCP (Dynamic Host Configuration Protocol), 206–208
DHCPv4 message format, 208–209
DNS (Domain Name System), 209–210
email. See email
HTTP (Hypertext Transfer Protocol), 225–226, 227
HTTP URL, 227
HTTPS (HTTP Secure), 228
NAT. See NAT (Network Address Translation)
Network tab, Resource Monitor, 51
network TAPs (Terminal Access Points), 333–334
Network Time Protocol (NTP), 277–279
security monitoring, 503
network topologies
common security architectures, 288–289
logical topology, 284
three-layer network design model, 286–287
WAN topologies, 285
network transactions, encrypting, 447–448
network vulnerability testing, 473
CVSS (Common Vulnerability Scoring System), 473–474
network-based malware protection, 461–462
networking accounting, 389
networking devices, ARP tables, 181–182
networks, 153
stub networks, 217
New Technology File System. See NTFS (New Technology File System)
next-generation firewalls, 266
nfdump, 527
NFS (Network File System), Linux, 92
nftables, 464
Nginx web server configuration, Linux, 85–86
NIC (network interface card), 276
NIDS (network-based IDS), 514
NIST 800-61r2, 599
incident response capabilities, 594–601
incident response life cycle, 603–604
containment, eradication, and recovery, 607–609
detection and analysis, 605–607
post-incident activities, 609–610
incident response stakeholders, 602–603
objective assessments of incidents, 610–611
plans, 602
procedures, 602
reporting requirements and information sharing, 612
NIST Cybersecurity Framework, 493–495
non-blind spoofing, 348
non-discretionary access control, 385
non-repudiation, 402
normalization, 558
NS, DNS (Domain Name System), 214
NS (Neighbor Solicitation) messages, 166
nslookup command, 55
NSM (network security monitoring), 502
NTFS (New Technology File System), 29
ADSs (Alternate Data Streams), 29–31
formatting, 31
Ntoskrnl.exe, 33
NTP (Network Time Protocol), 277–279
security monitoring, 503
NTP configuration file, Linux, 86
numbered ACLs, 274
NVD (National Vulnerability Database), 480
O
octal values, for permissions, Linux, 95
OCSP (online certificate status protocol), 446
octets, 148
online certificate status protocol (OCSP), 446
open authentication, 258
open mail relay server, 366
open resolvers, 357
Open Shortest Path First (OSPF), 127
Open Systems Interconnection (OSI) model, 130, 131
stateful firewalls, 266
versus TCP/IP model, 130
open web proxies, 533
operating system vulnerabilities, Windows, 26–27
transport layer protocols
UDP (User Datagram Protocol), 204–205
wireless network operations, 256–258
OPTIONS, HTTP (Hypertext Transfer Protocol), 227
origin authentication, 402
OS updates, Linux, 102
OSI (Open Systems Interconnection) model, 130, 131
stateful firewalls, 266
versus TCP/IP model, 130
OSPF (Open Shortest Path First), 127
OSSEC (Open Source HIDS SECurity), 466, 519, 544, 568
outbound message control, ESA (Email Security Appliance), 272
output of mount in the CyberOps VM, 93–94
output of /var/log/syslog, 91
Overview tab, Resource Monitor, 51
P
P2P (peer-to-peer) networking, 511–512
APT (Advanced Package Tool), 99–101
packet analyzers, 276
packet crafting tools, 303
packet filtering firewall, 264, 265–266
packet format, ICMP (Internet Control Message Protocol), 175–176
packet forwarding, 241
routers, 239
packet sniffers, 276, 303, 335–336
packet tracers, ACLs (access control lists), 274
packets
de-encapsulating, 240
encapsulating, 240
PADS, 563
parameters, wireless parameters, 257–258
Partition Boot Sector, 31
partitions
formatting, 31
mounting, 93
passive mode, wireless devices, 258
passive network monitoring, patch management, 490
Passive Real-time Asset Detection System (PRADS), 562–563
pass-the-hash, 315
passwd command, Linux, 79
password attacks, 315
password crackers, 303
password guidelines, 62
password policies, 382
password-based attacks, 304–305
passwords, wireless devices, 258
PAT (Port Address Translation), 218–219, 509–510
patches, 60
Linux, 102
path determination, routers, 239
paths
Linux, 77
testing with traceroute, 172–175
tracing, communication processes, 121–122
PCI DSS (Payment Card Industry Data Security Standard), 480–481
PDU (protocol data unit), 134
peer authentication, 446
peer-to-peer (P2P) networking, 511–512
penetration testing, 473
penetration testing tools, Linux, 76
pentesting, Linux, 76
people, SOC (Security Operations Centers), 8
permissions
octal values, Linux, 95
viewing for Linux files, 94
personally identifiable information (PII), 5–6
PGP (Pretty Good Privacy), 422
pharming, 318
PHI (protected health information), 6
phishing
social engineering attacks, 318–319
phreaking, 299
physical layer, OSI (Open Systems Interconnection) model, 131
physical security and facilities management, incident response, 603
physical topology, networks, 283–284
PIDs, displaying, 59
PII (personally identifiable information), 5–6
ping
connectivity to local LAN, 169–170
connectivity to remote hosts, 170–171
ping command, 53–54, 55, 168, 343–344
Ping of Death, 322
pinging
local loopbacks, 169
loopback addresses, 54
piping commands, Linux, 110
pivoting
across Diamond Model, 589
PKCS (public key cryptography standards), 432
PKI (public key infrastructure), 438–439
applications, 447
certificate enrollment, 444–446
interoperability of different PKI vendors, 442–443
public key cryptography
digital signatures for code signing, 432–435
digital signatures for digital certificates, 435–437
public key management, 437–438
PKI certificates, 439
Plan-Do-Check-Act cycle, ISO-27001, 492–493
plans, NIST 800-61r2, 602
PLC (programmable logic controllers), 3
podcasts, security blogs and podcasts, 392
Point of Presence (PoP), 122
point-to-point, WAN topologies, 285
Point-to-Point Protocol (PPP), 127
policies
AUP (acceptable use policy), 382
business policies, 381
BYOD (Bring Your Own Device) policies, 382–383
company policies, 381
employee policies, 381
identification and authentication policies, 382
network maintenance policies, 382
password policies, 382
remote access policy, 382
policy-based HIDS, 466
politics, national security, 6–7
polyalphabetic ciphers, 406–407
PoP (Point of Presence), 122
POP3 (Post Office Protocol version 3), 126, 223–224
security monitoring, 507
Port Address Translation (PAT), 218–219, 509–510
port allocation, TCP (Transmission Control Protocol), 196–198
port redirection, 315, 316–317
port scanning, 205
ports
destination (SPAN) port, 334
Linux, 83
routed ports, 253
source (SPAN) port, 334
TCP (Transmission Control Protocol), 187–188
POST (power-on self-test), 31–32
HTTP (Hypertext Transfer Protocol), 227
Post Office Protocol version 3 (POP3), 126, 223–224
security monitoring, 507
post-incident activities, 609–610
power-on self-test (POST), 31–32
PowerShell
commands, 45
PowerShell functions, 45
PowerShell scripts, 45
PPP (Point-to-Point Protocol), 127
PR (Privileges Required), 475
PRADS (Passive Real-time Asset Detection System), 562–563
Preamble field, Ethernet frames, 141
precursors, 606
preferred uptime, 11
prefix length, IPv6, 163
preparation, incident response life cycle, NIST, 604–605
presentation layer, OSI (Open Systems Interconnection) model, 131
preservation, digital forensics, 574–575
pretexting, 318
Pretty Good Privacy (PGP), 422
principle of least privilege, 385
private IPv4 addresses, 156
NAT (Network Address Translation), 217
privilege escalation, 385
Privileges Required (PR), 475
probabilistic analysis, alert evaluation, 552–553
probing, web servers, with telnet, 105–106
procedures, NIST 800-61r2, 602
processes
CVSS (Common Vulnerability Scoring System), 476–478
digital forensics, 572
SOC (Security Operations Centers), 8–9
Task Manager, 49
Windows Task Manager, 37
processor-sharing P2P networks, 511
profiling, 606
programmable logic controllers (PLC), 3
properties, of hash functions, 411
Properties dialog box, 52
prosecution, 611
protected health information (PHI), 6
protocol data unit (PDU), 134
TCP/IP protocol suite, 126–128
protocol-level misinterpretation, 323
protocols, 123
address resolution protocol. See Address Resolution Protocol
BGP (Border Gateway Protocol), 244
BOOTP (bootstrap protocol), 126
communications protocols. See communications protocols
DHCP. See DHCP (Dynamic Host Configuration Protocol)
dynamic routing protocol, 243–244
EIGRP (Enhanced Interior Gateway Routing Protocol), 127
Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)
ICMP. See ICMP (Internet Control Message Protocol)
IMAP. See IMAP (Internet Message Access Protocol)
IP. See IP (Internet Protocol)
network protocols. See network protocols
NTP. See NTP (Network Time Protocol)
POP3. See POP3 (Post Office Protocol version 3)
PPP (Point-to-Point Protocol), 127
RDP (Remote Desktop Protocol), 56
SMTP (Simple Mail Transfer Protocol), 126, 223
SNMP (Simple Network Management Protocol), 274, 335
STP (Spanning Tree Protocol), 248–252
TCP. See TCP (Transmission Control Protocol)
TFTP (Trivial File Transfer Protocol), 127, 220
transport layer protocols. See transport layer protocols
UDP. See UDP (User Datagram Protocol)
for wireless communications, 254–256
proxy logs, 532
proxy servers, 532
proxy Trojan horses, 307
PSH, 195
public affairs, incident response, 603
public IPv4 addresses, 156
public key cryptography, digital signatures, 430–432
for digital certificates, 435–437
public key cryptography standards (PKCS), 432
public key infrastructure. See PKI (public key infrastructure)
public key management, 437–438
PulledPork rule management utility, 550
PUT, HTTP (Hypertext Transfer Protocol), 227
pwd command, Linux, 78
Python programming, 13
Q
queries
ELSA (Enterprise Log Search and Archive), 565–567
Query Builder, Sguil, 560, 561
R
r-- (group permissions), 95
RA (Router Advertisement) messages, 166
radio frequencies (RF), 255
RADIUS (Remote Authentication Dial-in User Service), 205, 279–280
AAA (Authentication, Authorization, and Accounting), 388
ransomed companies, 3
ransomware, 309
RBAC (role-based access control), 385
RDP (Remote Desktop Protocol), 56
reassembling segments, transport layer protocols, 185
receiving
messages, 137
reconnaissance, Cyber Kill Chain, 583–584
reconnaissance attacks, 312–314
record types, DNS (Domain Name System), 214
recovery, NIST incident response life cycle, 609
recursion, DNS (Domain Name System), 211
recursive resolvers, DNS (Domain Name System), 211
redirection 3xx, 363
redundancy, STP (Spanning Tree Protocol), 248–249
reference models, 130
OSI (Open Systems Interconnection) model, 131
REG_BINARY, 40
REG_DWORD, 40
REG_SZ, 40
Regional Internet Registries (RIRs), 160
registry keys, 40
regular expressions, 569
regulations. See compliance regulations
regulatory compliance, 383
remediation, NIST incident response life cycle, 609
remote access policy, 382
Remote Authentication Dial-in User Service (RADIUS), 205, 279–280
Remote Desktop Protocol (RDP), 56
remote exploits, 298
remote hosts
host forwarding, 158
testing connectivity with ping, 170–171
remote ports, TCP (Transmission Control Protocol), 187–188
remote routes, 242
Remote SPAN (RSPAN), 334
remote-access Trojan horses, 307
removing
entries from ARP tables, 181
MAC-to-IP address mapping, 181
reporting
digital forensics, 572
SIEM (security information and event management), 339
reporting requirements, NIST 800-61r2, 612
reports, CVSS (Common Vulnerability Scoring System), 478–479
Request Tracker for Incident Response (RTIR), 545
reserved private addresses, IPv4, 156–157
resolvers, DNS (Domain Name System), 211
resource accounting, 390
resource exhaustion, 323
retrieving CA certificates, 444
retrospective security analysis (RSA), 552
revocation, PKI (public key infrastructure), 444–446
RF (radio frequencies), 255
ring, LAN topologies, 286
RIRs (Regional Internet Registries), 160
risk acceptance, 298
risk analysis, 473
risk assessment, 483
risk limitation, 298
risk reduction, 484
risk retention, 484
risk sharing, 484
risk transfer, 298
Rivest, Ron, 412
Rivest-Shamir-Adleman Algorithm (RSA), 431
rm command, Linux, 79
transport layer protocols, 184–185
role-based access control (RBAC), 385
roles of, people at SOC, 8
root CA, 441
rootkit detectors, 303
round-trip time (RTT), testing paths with traceroute, 172
routed ports, 253
Router Advertisement (RA) messages, 166
Router Solicitation (RS) messages, 166
routers
internal routers, 379
NAT (Network Address Translation), 217
packet forwarding, 241
routers sharing path information, role of protocols, 125
routing protocol classification, 244
RR, DNS (Domain Name System), 211
RS (Router Solicitation) messages, 166
RSA (retrospective security analysis), 552
RSA encryption algorithms, 423
RSPAN (Remote SPAN), 334
RST, 195
RTIR (Request Tracker for Incident Response), 545
RTT (round-trip time), testing paths with traceroute, 172
rule headers, Snort, 548
rule location, 548
rule options, Snort, 549
rules
for compressing IPv6 addresses, 163
Run as Administrator, Windows, 41–42
runbook automation, 570
running applications on Linux hosts, 100–101
runt frames, 140
rw- (group permissions), 94
rwx (user permissions), 94