How to Identify Suspicious Process Creation via Windows Event Logs
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
To find out which attacker tools are in use, we need process creation logs (Event ID 4688 on Windows Vista and later, 592 on older versions; note that 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled). Collect these from every host in the domain, search all process creation entries and look for:
- svchost.exe processes that are not children of services.exe
- processes created by binaries in unusual locations, such as %windir%\fonts, %windir%\help, %windir%\wbem, %windir%\addins, %windir%\debug, %windir%\system32\tasks, *:\RECYCLER\, *:\System Volume Information\, %windir%\Tasks\, %systemroot%\debug\
- known attacker tool names, such as rar.exe, psexec.exe, whoami.exe
- processes that launched very few times durin ..read more
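The checks above, run over 4688 records exported as XML (the layout produced by `wevtutil qe Security /q:"*[System[EventID=4688]]" /f:xml` or `Get-WinEvent ... .ToXml()`). This is an added example, not code from the original post: the host names, PIDs and paths in the sample records are constructed, and the parent resolution for hosts older than Windows 10 / Server 2016 (which lack the ParentProcessName field) is my own best-effort join on the creator's ProcessId.

```python
"""Process-creation hunting over Windows Security event 4688 exported as XML.

Added example, not code from the original post. It applies the post's checks:
svchost.exe not parented by services.exe, binaries run from unusual directories,
known attacker tool names, and rarely launched processes. All sample records are
constructed here; the field names are the real 4688 EventData names.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Directories from the post, with %windir%/%systemroot% taken as <drive>:\Windows and the
# drive letter wildcarded (RECYCLER and System Volume Information exist on every volume).
UNUSUAL_DIRS = [re.compile(p, re.IGNORECASE) for p in (
    r"^[a-z]:\\windows\\(fonts|help|wbem|addins|debug|tasks)\\",
    r"^[a-z]:\\windows\\system32\\tasks\\",
    r"^[a-z]:\\recycler\\",
    r"^[a-z]:\\system volume information\\",
)]
ATTACKER_TOOLS = {"rar.exe", "psexec.exe", "whoami.exe"}


def parse_4688(xml_text):
    """Flatten one 4688 record into a dict of its EventData fields plus the host name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["host"] = root.find("e:System/e:Computer", NS).text
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events, rare_threshold=1):
    """Return (host, process, reason) findings for parsed 4688 events in time order.

    ParentProcessName exists only on Windows 10 / Server 2016 and later; for older hosts the
    parent is resolved by matching the creator's ProcessId against earlier NewProcessId values
    on the same host (PID reuse can mislead this, so treat such parents as best effort).
    """
    launches = Counter(ev["NewProcessName"].lower() for ev in events)
    pid_to_name = {}
    findings = []
    for ev in events:
        host, name = ev["host"], ev["NewProcessName"]
        parent = ev.get("ParentProcessName") or pid_to_name.get((host, ev.get("ProcessId")), "<unresolved>")
        pid_to_name[(host, ev["NewProcessId"])] = name
        if basename(name) == "svchost.exe" and basename(parent) != "services.exe":
            findings.append((host, name, f"svchost.exe not spawned by services.exe (parent {parent})"))
        if any(p.search(name) for p in UNUSUAL_DIRS):
            findings.append((host, name, "binary executed from unusual directory"))
        if basename(name) in ATTACKER_TOOLS:
            findings.append((host, name, "known attacker tool name"))
        if launches[name.lower()] <= rare_threshold:
            findings.append((host, name, f"rarely launched ({launches[name.lower()]} time(s))"))
    return findings


def _event(host, new_pid, new_name, creator_pid, parent_name=None):
    """Build a constructed 4688 record in the native XML layout (demo data only)."""
    parent = f'<Data Name="ParentProcessName">{parent_name}</Data>' if parent_name else ""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f"<EventID>4688</EventID><Computer>{host}</Computer></System><EventData>"
            f'<Data Name="SubjectUserName">SYSTEM</Data><Data Name="NewProcessId">{new_pid}</Data>'
            f'<Data Name="NewProcessName">{new_name}</Data><Data Name="ProcessId">{creator_pid}</Data>'
            f"{parent}</EventData></Event>")


def sample_events():
    """Constructed records: WS01 is a Windows 10 host (has ParentProcessName), SRV02 an older one."""
    win = "C:\\Windows"
    sys32 = win + "\\System32"
    raw = [
        _event("WS01", "0x3c0", sys32 + "\\svchost.exe", "0x2a8", sys32 + "\\services.exe"),
        _event("WS01", "0x3d4", sys32 + "\\svchost.exe", "0x2a8", sys32 + "\\services.exe"),
        _event("WS01", "0x9f0", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "0x1f0", sys32 + "\\cmd.exe"),
        _event("SRV02", "0x1a0", sys32 + "\\services.exe", "0x180"),
        _event("SRV02", "0x2b8", sys32 + "\\svchost.exe", "0x1a0"),
        _event("SRV02", "0x6e4", win + "\\debug\\update.exe", "0x2b8"),
        _event("SRV02", "0x7a0", sys32 + "\\whoami.exe", "0x6e4"),
    ]
    return [parse_4688(x) for x in raw]


if __name__ == "__main__":
    for host, proc, reason in analyse(sample_events()):
        print(f"{host:6} {proc:55} {reason}")
```

The rarity check only means something across the whole domain's logs, so raise `rare_threshold` to fit the volume you collected; in this tiny sample every one-off process is flagged, which is the expected noise level for a seven-event input.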
How EMET help in SOC
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
To use EMET in the SOC we first need the Windows Application event log, which is where EMET writes its events. Windows' Enhanced Mitigation Experience Toolkit (EMET) is a set of technologies that monitor for and block certain conditions that commonly arise as the result of common exploit patterns. It is commonly used on endpoints (but is also available on servers). The idea here is to examine the EMET logs to find things that it has blocked (processes it has killed before they could become dangerous). These may be simple bugs in legitimate applications, or they could be indications of exploit attempts. (EMET reached end of life in July 2018; on Windows 10 the equivalent mitigations are built in as Exploit Protection, and their block events should be collected in the same way.) The post How ..read more
What is Sourcefire | IPS
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
Sourcefire Next-Generation IPS (now part of Cisco Firepower) sets a new standard for advanced threat protection. Real-time Contextual Awareness: see and correlate extensive amounts of event data related to IT environments: applications, users, devices, operating systems, vulnerabilities, services, processes, network behaviours, files and threats. Advanced Threat Protection: protection against the latest threats. Intelligent Security Automation: automated event impact assessment, IPS policy tuning, policy management, network behaviour analysis. Unparalleled Performance an ..read more
Web Application Hacking
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
Web application hacking is not just about using automated tools to find common vulnerabilities. It is a methodical approach that, if followed, will reveal many more flaws and potential security vulnerabilities. The following section describes the systematic process to follow when testing the security of web applications. Analyzing web applications: The first step is to understand and analyze the target application. Until sufficient details about the target application are known, one cannot proceed with further testing. Some of the informatio ..read more
Understanding the Basics: Confidentiality, Integrity and Availability
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
Confidentiality, integrity, and availability, often referred to as the CIA triad, are the building blocks of information security. Any attack on an information system compromises one, two, or all three of these components. Knowing which component is most at risk lets you design the appropriate security controls. Confidentiality: In layman's terms, something that is confidential is secret and is not supposed to be disclosed to unintended people or entities. What is the first thing that comes to mind that needs to be kept confidential? Probably your pass ..read more
Firewall, IDS, and IPS
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
Three devices are commonly used to provide network security: the firewall, the IDS, and the IPS. Firewall: A firewall is a network security system that monitors and regulates inbound and outbound network traffic based on a predefined security ruleset. A firewall typically acts as a barrier between a trusted internal network and an outside network, such as the Internet, which cannot be assumed to be secure. A firewall helps screen out unwanted connections from the Internet and, when it inspects traffic at the application layer, some of the malware and worms carried over them. Some firewalls are simply software that runs on your ..read more
Do you know where the passwords are stored in linux?
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
Two important files in a Linux system store user credentials: /etc/passwd is a text file that stores all the account information required for user login except the password itself. The following sample entry from an /etc/passwd file will help clarify its components: 1. User Name: the username used to log in. 2. Password: an x in this field means the hashed password is stored in /etc/shadow, which only root can read (an empty field means the account needs no password, and anything else is a password hash sitting in the world-readable /etc/passwd). 3. User ID (UID): each user on the system has a numeric ID; UID 0 is root, and any other account with UID 0 has full root privileges, so check for them. 4. Group ID (GID ..read more
Why there is a need to think like an Attacker in the Cyber World
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
The post Why there is a need to think like an Attacker in the Cyber World appeared first on Cyber Knowledge Base ..read more
Defensive measures for Protecting Exploitation in Organisational Environment
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
- Create a security policy that includes a section on password guidelines (minimum length, use of special characters, periodic expiration, account lockout policy, etc.).
- Enable auditing at the operating system level on end-user devices, servers and network equipment, and use log correlation software (a SIEM) to monitor the events.
- Restrict the Administrator and root accounts so that they cannot log on over the network, only at the physical console.
- Use port security and network admission control (NAC) on networking devices so that only aut ..read more
Preventive Measures to Stop Enumeration
Firewall, IDS, and IPS
by Davinder Pal Singh
5y ago
Multiple protocols are susceptible to enumeration, so we should ask our client which ones are really needed on the network. The obvious preventive measure is to disable the insecure protocols that are not required. However, this is not always feasible, especially if the organisation has legacy applications that depend on insecure protocols and for which no migration is scheduled in the short term. Some defensive measures you can suggest to your client are: Configure filter rules on the perimeter firewall(s) to prevent that protocols susc ..read more