Cybersecurity - Attack and Defense Strategies: Infrastructure security with Red Team and Blue Team tactics

Yuri Diogenes, Dr. Erdal Ozkaya

Paperback Jan 2018 384 pages 1st Edition

Security Posture

Over the years, investment in security has moved from "nice to have" to "must have", and organizations around the globe are now realizing how important it is to continually invest in security. This investment will ensure that the company stays competitive in the market. Failure to properly secure their assets could lead to irreparable damage, and in some circumstances could lead to bankruptcy. Given the current threat landscape, investing only in protection isn't enough. Organizations must enhance their overall security posture, which means that the investments in protection, detection, and response must be aligned.

In this chapter, we'll be covering the following topics:

  • The current threat landscape
  • The challenges in the cybersecurity space
  • How to enhance your security posture
  • Understanding the roles of the Blue Team and Red Team in your organization

The current threat landscape

With the prevalence of always-on connectivity and the advancements in technology that are available today, threats are evolving rapidly to exploit different aspects of these technologies. Any device is vulnerable to attack, and with the Internet of Things (IoT) this has become a reality. In October 2016, a series of Distributed Denial of Service (DDoS) attacks were launched against DNS servers, which caused some major web services to stop working, such as GitHub, PayPal, Spotify, Twitter, and others (1).

This was possible due to the number of insecure IoT devices around the world. While the use of IoT to launch a massive cyber attack is something new, the vulnerabilities in those devices are not. As a matter of fact, they've been there for quite a while. In 2014, ESET reported 73,000 unprotected security cameras with default passwords (2). In April 2017, IOActive found 7,000 vulnerable Linksys routers in use, although they said that up to 100,000 additional routers could be exposed to this vulnerability (3).

The Chief Executive Officer (CEO) may even ask: what do the vulnerabilities in a home device have to do with our company? That's when the Chief Information Security Officer (CISO) should be ready to give an answer, because the CISO should have a better understanding of the threat landscape and of how home user devices affect the overall security that the company needs to maintain. The answer comes in two simple scenarios: remote access and Bring Your Own Device (BYOD).

While remote access is not something new, the number of remote workers is growing exponentially. Forty-three percent of employed Americans are already working remotely according to Gallup (4), which means they are using their own infrastructure to access the company's resources. Compounding this issue, we have a growth in the number of companies allowing BYOD in the workplace. Keep in mind that there are ways to implement BYOD securely, but most of the failures in the BYOD scenario happen because of poor planning and network architecture, which lead to an insecure implementation (5).

What is the commonality among all the technologies previously mentioned? To operate them, you need a user, and the user is still the greatest target for attack. Humans are the weakest link in the security chain. For this reason, old threats such as phishing emails are still on the rise, because they exploit the psychological aspects of the user by enticing the user to click on something, such as a file attachment or a malicious link. Usually, once the user performs one of these actions, their device is compromised by malicious software (malware) or is remotely accessed by a hacker.

A spear phishing campaign could start with a phishing email, which will basically be the entry point for the attacker, and from there other threats will be leveraged to exploit vulnerabilities in the system.

One example of a growing threat that uses phishing emails as the entry point for the attack is ransomware. During the first three months of 2016 alone, the FBI reported that $209 million in ransomware payments were made (6). According to Trend Micro, ransomware growth will plateau in 2017; however, the attack methods and targets will diversify (7).

The following diagram highlights the correlation between these attacks and the end user:

This diagram shows four entry points for the end user. All of these entry points must have their risks identified and treated with proper controls. The scenarios are listed as follows:

  • Connectivity between on-premises and cloud (1)
  • Connectivity between BYOD devices and cloud (2)
  • Connectivity between corporate-owned devices and on-premises (3)
  • Connectivity between personal devices and cloud (4)

Notice that these are different scenarios, but all are correlated by one single entity: the end user. The common element in all scenarios is usually the preferred target for cybercriminals, who appear in the preceding diagram accessing cloud resources.

In all scenarios, there is also another important element that appears constantly, which is cloud computing resources. The reality is that nowadays you can't ignore the fact that many companies are adopting cloud computing. The vast majority will start in a hybrid scenario, where Infrastructure as a Service (IaaS) is their main cloud service. Some other companies might opt to use Software as a Service (SaaS) for some solutions, for example Mobile Device Management (MDM), as shown in scenario (2). You may argue that highly secure organizations, such as the military, may have zero cloud connectivity. That's certainly possible, but commercially speaking, cloud adoption is growing and will slowly dominate most deployment scenarios.

On-premise security is critical, because it is the core of the company, and that's where the majority of the users will be accessing resources. When an organization decides to extend its on-premise infrastructure with a cloud provider to use IaaS (1), the company needs to evaluate the threats to this connection and the countermeasures for these threats through a risk assessment.

The last scenario (4) might be intriguing for some skeptical analysts, mainly because they might not immediately see how this scenario has any correlation with the company's resources. Yes, this is a personal device with no direct connectivity with on-premise resources. However, if this device is compromised, the user could potentially compromise the company's data in the following situations:

  • Opening a corporate email from this device
  • Accessing corporate SaaS applications from this device
  • If the user uses the same password (8) for their personal email and their corporate account, this could lead to account compromise through brute force or password guessing

Having technical security controls in place could help mitigate some of these threats against the end user. However, the main protection is continuous user education via security awareness training.

The user is going to use their credentials to interact with applications in order to either consume data or write data to servers located in the cloud or on-premise. Each of these elements (credentials, apps, and data) has a unique threat landscape that must be identified and treated. We will cover these areas in the sections that follow.

The credentials – authentication and authorization

According to Verizon's 2017 Data Breach Investigations Report (9), the association between a threat actor (or just actor), their motives, and their modus operandi varies according to the industry. However, the report states that stolen credentials are the preferred attack vector for financially motivated actors and organized crime. This data is very important, because it shows that threat actors are going after users' credentials, which leads to the conclusion that companies must focus specifically on the authentication and authorization of users and their access rights.

The industry agrees that a user's identity is the new perimeter. This requires security controls specifically designed to authenticate and authorize individuals based on their job and their need for specific data within the network. Credential theft could be just the first step to enable cybercriminals to have access to your system. Having a valid user account in the network will enable them to move laterally (pivot), and at some point find the right opportunity to escalate privilege to a domain administrator account. For this reason, applying the old concept of defense in depth is still a good strategy to protect a user's identity, as shown in the following diagram:

Here, there are multiple layers of protection, starting with the regular security policy enforcement for accounts, which follows industry best practices such as strong password requirements and a policy requiring frequent password changes. Another growing trend to protect user identities is to enforce MFA. One method that is seeing increased adoption is the callback feature, where the user initially authenticates using their credentials (username and password), and then receives a call to enter their PIN. If both authentication factors succeed, they are authorized to access the system or network. We are going to explore this topic in greater detail in Chapter 6, Chasing User's Identity.
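
As an added example (not from the book), the following Go program shows the defensive side of the credential-theft problem described in this section: a small detector that reads authentication log lines and flags a single account accumulating failed logins (brute force), a single source failing against many different accounts (password guessing), and any successful login that follows either pattern. The log format, the sample lines, the account names and the addresses are all constructed for the example; the thresholds (3 failures, 3 accounts, 5-minute window) are assumptions to be tuned per environment.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one parsed authentication record.
type AuthEvent struct {
	When         time.Time
	User, Source string
	Success      bool
}

// Finding is one pattern raised by detect. Kind is "brute-force" (Key = account,
// Count = failures), "password-guessing" (Key = source, Count = distinct accounts)
// or "success-after-failures" (Key = account that logged in after either pattern).
type Finding struct {
	Kind, Key string
	Count     int
}

// Constructed sample log (not from a real system), already in time order.
// Each line is "<RFC3339 time> <OK|FAIL> user=<account> src=<address>".
const sampleAuthLog = `2017-05-12T08:00:01Z FAIL user=jdoe src=203.0.113.7
2017-05-12T08:00:09Z FAIL user=jdoe src=203.0.113.7
2017-05-12T08:00:17Z FAIL user=jdoe src=203.0.113.7
2017-05-12T08:00:25Z OK user=jdoe src=203.0.113.7
2017-05-12T08:02:00Z FAIL user=alice src=198.51.100.9
2017-05-12T08:02:05Z FAIL user=bob src=198.51.100.9
2017-05-12T08:02:10Z FAIL user=carol src=198.51.100.9
2017-05-12T08:03:00Z FAIL user=asmith src=192.0.2.10
2017-05-12T08:03:10Z OK user=asmith src=192.0.2.10`

// parseAuthLog turns the format above into events; blank lines are skipped
// and a malformed line is reported rather than silently dropped.
func parseAuthLog(raw string) ([]AuthEvent, error) {
	var events []AuthEvent
	for n, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil || len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "src=") {
			return nil, fmt.Errorf("line %d: unexpected format: %q", n+1, line)
		}
		events = append(events, AuthEvent{When: when, User: strings.TrimPrefix(f[2], "user="),
			Source: strings.TrimPrefix(f[3], "src="), Success: f[1] == "OK"})
	}
	return events, nil
}

// detect expects events in time order. It raises one finding per account that
// reaches failThreshold failures inside window (brute force against one account),
// one per source that fails against userThreshold distinct accounts inside window
// (password guessing across accounts), and flags any later success for an
// implicated account or from an implicated source, which may be a real compromise.
func detect(events []AuthEvent, window time.Duration, failThreshold, userThreshold int) []Finding {
	var out []Finding
	flagged := map[string]bool{}
	for i, e := range events {
		if e.Success {
			if flagged["user:"+e.User] || flagged["src:"+e.Source] {
				out = append(out, Finding{"success-after-failures", e.User, 1})
			}
			continue
		}
		fails, users := 0, map[string]bool{}
		for _, f := range events[:i+1] { // look back over the window only
			if f.Success || f.When.Before(e.When.Add(-window)) {
				continue
			}
			if f.User == e.User {
				fails++
			}
			if f.Source == e.Source {
				users[f.User] = true
			}
		}
		if fails >= failThreshold && !flagged["user:"+e.User] {
			flagged["user:"+e.User] = true
			out = append(out, Finding{"brute-force", e.User, fails})
		}
		if len(users) >= userThreshold && !flagged["src:"+e.Source] {
			flagged["src:"+e.Source] = true
			out = append(out, Finding{"password-guessing", e.Source, len(users)})
		}
	}
	return out
}

func main() {
	events, err := parseAuthLog(sampleAuthLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detect(events, 5*time.Minute, 3, 3) {
		fmt.Printf("%-22s %-14s count=%d\n", f.Kind, f.Key, f.Count)
	}
}
```

On the constructed log this reports a brute-force burst against jdoe, the success that immediately follows it, and password guessing from 198.51.100.9; the lone failed attempt by asmith followed by a success is left alone, which is the typo case the thresholds exist to tolerate. The same logic is the kind of rule a SIEM would run continuously against the identity provider's audit log, and the "success-after-failures" finding is the one worth paging on.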

Apps

Applications (we will call them apps from now on) are the entry point for the user to consume data and to transmit, process, or store information on the system. Apps are evolving rapidly and the adoption of SaaS-based apps is on the rise. However, there are inherent problems with this amalgamation of apps. Here are two key examples:

  • Security: How secure are these apps that are being developed in-house and the ones that you are paying for as a service?
  • Company-owned versus personal apps: Users will have their own set of apps on their own devices (BYOD scenario). How do these apps jeopardize the company's security posture and can they lead to a potential data breach?

If you have a team of developers that are building apps in-house, measures should be taken to ensure that they are using a secure framework throughout the software development lifecycle, such as the Microsoft Security Development Lifecycle (SDL) (10). If you are going to use a SaaS app, such as Office 365, you need to make sure you read the vendor's security and compliance policy (11). The intent here is to see if the vendor and the SaaS app are able to meet your company's security and compliance requirements.

Another security challenge facing apps is how the company's data is handled among different apps: the ones used and approved by the company and the ones used by the end user (personal apps). This problem becomes even more critical with SaaS, where users are consuming many apps that may not be secure. The traditional network security approach to supporting apps is not designed to protect data in SaaS apps and, worse, it doesn't give IT the visibility they need to know how employees are using them. This scenario is also called Shadow IT, and according to a survey conducted by the Cloud Security Alliance (CSA) (12), only 8 percent of companies know the scope of shadow IT within their organizations. You can't protect something you don't know you have, and this is a dangerous place to be.

According to Kaspersky Global IT Risk Report 2016 (13), 54 percent of businesses perceive that the main IT security threats are related to inappropriate sharing of data via mobile devices. It is necessary for IT to gain control of the apps and enforce security policies across devices (company-owned and BYOD). One of the key scenarios that you want to mitigate is the one described in the following diagram:

In this scenario, we have the user's personal tablet that has approved applications as well as personal apps. Without a platform that can integrate device management with application management, this company is exposed to a potential data leakage scenario. In this case, if the user downloads an Excel spreadsheet onto their device and uploads it to personal Dropbox cloud storage, and the spreadsheet contains the company's confidential information, the user has now created a data leak without the company's knowledge or the ability to secure it.
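
The following Go program, added here and not part of the book, turns the data leakage scenario above into something a Blue Team can measure: it reads web proxy records, builds an inventory of the cloud services in use that are not on the sanctioned list (the shadow IT the CSA survey refers to), and flags large uploads to any of them. The log format, the sanctioned domain list, the user names, hosts and byte counts are constructed for the example; the 1 MiB upload threshold is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ProxyEvent is one outbound request; BytesOut is the request body size.
type ProxyEvent struct {
	User, Method, Host string
	BytesOut           int64
}

// Report holds the audit result: the cloud services in use that IT never approved
// (the shadow IT inventory) and uploads above the threshold to any of them.
type Report struct {
	UnsanctionedHosts []string
	LargeUploads      []ProxyEvent
}

// sanctionedDomains is a constructed approved list; matching is exact or by subdomain.
var sanctionedDomains = []string{"office365.com", "onedrive.live.com"}

// Constructed sample proxy log (not from a real system); each line is
// "<time> <user> <method> <host> <bytes_out>". The time is kept only for the record.
const sampleProxyLog = `2017-05-12T09:15:02Z jdoe GET outlook.office365.com 1200
2017-05-12T09:16:40Z jdoe PUT www.dropbox.com 5242880
2017-05-12T09:20:11Z asmith POST onedrive.live.com 2097152
2017-05-12T09:22:05Z mlee GET drive.google.com 800
2017-05-12T09:25:30Z mlee POST drive.google.com 734003
2017-05-12T09:30:00Z jdoe GET www.dropbox.com 400`

// isSanctioned accepts the domain itself or any subdomain of it; requiring the
// leading dot keeps a look-alike such as "evil-office365.com" from matching.
func isSanctioned(host string, sanctioned []string) bool {
	host = strings.ToLower(host)
	for _, d := range sanctioned {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// parseProxyLog rejects any line that does not have the five expected fields.
func parseProxyLog(raw string) ([]ProxyEvent, error) {
	var events []ProxyEvent
	for n, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		size, err := strconv.ParseInt(f[4], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad byte count: %v", n+1, err)
		}
		events = append(events, ProxyEvent{User: f[1], Method: f[2], Host: f[3], BytesOut: size})
	}
	return events, nil
}

// audit builds the shadow IT inventory and flags large uploads to it. Uploads to
// sanctioned services are not reported: that data stays under the company's control.
func audit(events []ProxyEvent, sanctioned []string, uploadThreshold int64) Report {
	var r Report
	seen := map[string]bool{}
	for _, e := range events {
		if isSanctioned(e.Host, sanctioned) {
			continue
		}
		if !seen[e.Host] {
			seen[e.Host] = true
			r.UnsanctionedHosts = append(r.UnsanctionedHosts, e.Host)
		}
		if (e.Method == "POST" || e.Method == "PUT") && e.BytesOut >= uploadThreshold {
			r.LargeUploads = append(r.LargeUploads, e)
		}
	}
	sort.Strings(r.UnsanctionedHosts)
	return r
}

// auditSample audits the constructed log with a 1 MiB upload threshold.
func auditSample() (Report, error) {
	events, err := parseProxyLog(sampleProxyLog)
	if err != nil {
		return Report{}, err
	}
	return audit(events, sanctionedDomains, 1<<20), nil
}

func main() {
	r, err := auditSample()
	if err != nil {
		panic(err)
	}
	fmt.Println("unsanctioned services in use:", r.UnsanctionedHosts)
	for _, u := range r.LargeUploads {
		fmt.Printf("large upload: %s sent %d bytes to %s (%s)\n", u.User, u.BytesOut, u.Host, u.Method)
	}
}
```

The inventory is the more important half of the output: it answers the "what do we have" question the CSA figure is about, and it is what an MDM or application management platform would use to decide which apps to wrap or block on BYOD devices. The byte threshold only narrows the alert stream; a 700 KB spreadsheet leaks just as well as a 5 MB one, so the threshold is a triage aid, not a control.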

Data

Since the previous section ended with data, we should ensure that data is always protected regardless of its current state (in transit or at rest). There will be different threats according to the data's state. The following are some examples of potential threats and countermeasures:

| State | Description | Threats | Countermeasures | Security triad affected |
| --- | --- | --- | --- | --- |
| Data at rest on the user's device | The data is currently located on the user's device. | An unauthorized or malicious process could read or modify the data. | Data encryption at rest, either file-level encryption or disk encryption. | Confidentiality and integrity |
| Data in transit | The data is currently being transferred from one host to another. | A man-in-the-middle attack could read, modify, or hijack the data. | SSL/TLS could be used to encrypt the data in transit. | Confidentiality and integrity |
| Data at rest on-premise (server) or cloud | The data is at rest either on a server's hard drive located on-premise or in the cloud (storage pool). | Unauthorized or malicious processes could read or modify the data. | Data encryption at rest, either file-level encryption or disk encryption. | Confidentiality and integrity |

These are only some examples of potential threats and suggested countermeasures. A deeper analysis must be performed to fully understand the data path according to the customer's needs. Each customer will have their own particularities regarding data path, compliance, rules, and regulations. It is critical to understand these requirements even before the project is started.
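
The two "data at rest" rows of the table list encryption as the countermeasure and confidentiality and integrity as the properties protected. The Go program below (an added example using only the standard library, not code from the book) shows why an authenticated cipher is the right tool for that row: AES-256-GCM encrypts a constructed record, reads it back with the right key, and rejects a copy that an unauthorized process has modified by even one bit. The "data in transit" row is not covered here; that is what TLS provides on the wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 256-bit key. In a real deployment the key lives in a
// key management service or the OS key store, never beside the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealAtRest encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag,
// the form that would be written to disk. GCM is authenticated encryption, so one
// operation covers both properties in the table: confidentiality and integrity.
func sealAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per stored object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAtRest reverses sealAtRest. Any change to the stored bytes, or the wrong
// key, fails the tag check and nothing is returned, so a tampered file cannot
// be silently read as if it were intact.
func openAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored object too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// demo exercises the table's threat model on a constructed record and returns
// (readableByOwner, tamperDetected, err): the stored form must not expose the
// content, the key holder must get the record back, and a copy altered by a
// malicious process must be rejected.
func demo() (bool, bool, error) {
	key, err := newKey()
	if err != nil {
		return false, false, err
	}
	record := []byte("constructed sample: quarterly numbers, internal only")
	blob, err := sealAtRest(key, record)
	if err != nil {
		return false, false, err
	}
	if bytes.Contains(blob, []byte("internal")) {
		return false, false, errors.New("plaintext visible in stored form")
	}
	got, err := openAtRest(key, blob)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored object
	_, err = openAtRest(key, tampered)
	return bytes.Equal(got, record), err != nil, nil
}

func main() {
	readable, tamperDetected, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner can read back: %v, modified copy rejected: %v\n", readable, tamperDetected)
}
```

Two design points matter beyond the calls themselves. The nonce is generated per object and stored with it, because reusing a nonce under the same GCM key destroys both properties the table promises. And the key is never stored next to the data: disk or file-level encryption only defends against the "unauthorized process reads the data" threat if the process cannot also read the key, which is why the key belongs in a key management service or hardware-backed store.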

Cybersecurity challenges

To analyze the cybersecurity challenges faced by companies nowadays, it is necessary to obtain tangible data and evidence of what's currently happening in the market. Not all industries will have the same type of cybersecurity challenges, and for this reason we will enumerate the threats that are still the most prevalent across different industries. This seems to be the most appropriate approach for cybersecurity analysts who are not specialized in a certain industry, but who at some point in their career might need to deal with an industry they are not so familiar with.

Old techniques and broader results

According to the Kaspersky Global IT Risk Report 2016 (14), the top causes of the most costly data breaches are old attacks that have evolved over time, in the following order:

  • Viruses, malware, and trojans
  • Lack of diligence and untrained employees
  • Phishing and social engineering
  • Targeted attack
  • Crypto and ransomware

Although the top three in this list are the usual suspects and very well-known attacks in the cybersecurity community, they are still succeeding, and for this reason they are still part of the current cybersecurity challenges. The real problem with the top three is that they are usually correlated to human error. As explained before, everything may start with a phishing email that uses social engineering to lead the employee to click on a link that may download a virus, malware, or Trojan. In the last sentence, we covered all three in a single scenario.

The term targeted attack (or advanced persistent threat) is sometimes not clear to everyone, but there are some key attributes that can help you identify when this type of attack is taking place. The first and most important attribute is that the attacker has a specific target in mind when they start to create a plan of attack. During this initial phase, the attacker will spend a lot of time and resources performing public reconnaissance to obtain the information needed to carry out the attack. The motivation behind this attack is usually data exfiltration, in other words, stealing data. Another attribute of this type of attack is its longevity, or the amount of time that the attackers maintain persistent access to the target's network. The intent is to keep moving laterally across the network, compromising different systems until the goal is reached.

One of the greatest challenges in this area is to identify the attacker once they are already inside the network. Traditional detection systems such as Intrusion Detection Systems (IDS) may not be sufficient to alert on suspicious activity taking place, especially when the traffic is encrypted. Many researchers have already pointed out that it can take up to 229 days between infiltration and detection (15). Reducing this gap is definitely one of the greatest challenges for cybersecurity professionals.

Crypto and ransomware are emerging and growing threats that are creating a whole new level of challenge for organizations and cybersecurity professionals. In May 2017, the world was shocked by the biggest ransomware attack in history, called WannaCry. This ransomware exploited a known Windows SMBv1 vulnerability for which a patch had been released in March 2017 (59 days prior to the attack) via the MS17-010 bulletin (16). The attackers used an exploit called EternalBlue that was released in April 2017 by a hacking group called the Shadow Brokers. According to MalwareTech (18), this ransomware infected more than 400,000 machines across the globe, which is a gigantic number, never seen before in this type of attack. One lesson learned from this attack was that companies across the world are still failing to implement an effective vulnerability management program, which is something we will cover in more detail in Chapter 15, Vulnerability Management.

It is very important to mention that phishing emails are still the number one delivery vehicle for ransomware, which means that we are going back to the same cycle again: educate the user to reduce the likelihood of successful exploitation of the human factor via social engineering, and have tight technical security controls in place to protect and detect.

The shift in the threat landscape

In 2016, a new wave of attacks also gained mainstream visibility, when CrowdStrike reported that it had identified two separate Russian intelligence-affiliated adversaries present in the United States Democratic National Committee (DNC) network (19). According to their report, they found evidence that two Russian hacking groups were in the DNC network: Cozy Bear (also classified as APT29) and Fancy Bear (APT28). Cozy Bear was not a new actor in this type of attack, since evidence has shown that in 2015 (20) they were behind the attack against the Pentagon email system via spear phishing attacks.

This type of scenario is called a government-sponsored cyber attack, but some specialists prefer to be more general and call it data as a weapon, since the intent is to steal information that can be used against the hacked party. The private sector should not ignore these signs.

Nowadays, continuous security monitoring must leverage at least the three methods shown in the following diagram:

This is just one of the reasons that it is becoming essential for organizations to invest more in threat intelligence, machine learning, and analytics to protect their assets. We will cover this in more detail in Chapter 12, Threat Intelligence.

Enhancing your security posture

If you carefully read this entire chapter, it should be very clear that you can't use the old approach to security to face today's challenges and threats. For this reason, it is important to ensure that your security posture is prepared to deal with these challenges. To accomplish this, you must solidify your current protection system across different devices regardless of the form factor.

It is also important to enable IT and security operations to quickly identify an attack, by enhancing the detection system. Last but certainly not least, it is necessary to reduce the time between infection and containment by rapidly responding to an attack by enhancing the effectiveness of the response process.

Based on this, we can safely say that the security posture is composed of three foundational pillars as shown in the following diagram:

These pillars must be solidified, and if in the past the majority of the budget was put into protection, now it's even more imperative to spread that investment and level of effort across the other pillars. These investments are not exclusively in technical security controls; they must also be made in the other spheres of the business, which includes administrative controls.

It is recommended to perform a self-assessment to identify the gaps within each pillar from the tool perspective. Many companies evolved over time and never really updated their security tools to accommodate the new threat landscape and how attackers are exploiting vulnerabilities.

A company with an enhanced security posture shouldn't be part of the statistics that were previously mentioned (229 days between the infiltration and detection). This gap should be drastically reduced and the response should be immediate. To accomplish this, a better incident response process must be in place, with modern tools that can help security engineers to investigate security-related issues. Chapter 2, Incident Response Process will cover incident response in more detail and Chapter 13, Investigating an Incident, will cover some case studies related to actual security investigations.

The Red and Blue Team

The Red/Blue Team exercise is not something new. The original concept was introduced a long time ago during World War I and, like many terms used in information security, originated in the military. The general idea was to demonstrate the effectiveness of an attack through simulations.

For example, in 1932 Rear Admiral Harry E. Yarnell demonstrated the efficacy of an attack on Pearl Harbor. Nine years later, when the Japanese attacked Pearl Harbor, it was possible to compare and see how similar tactics were used (22).

The effectiveness of simulations based on real tactics that might be used by the adversary is well known and used in the military. The University of Foreign Military and Cultural Studies has specialized courses just to prepare Red Team participants and leaders (23). Although the concept of red teaming in the military is broader, the intelligence support via threat emulation is similar to what a cybersecurity Red Team is trying to accomplish. The Homeland Security Exercise and Evaluation Program (HSEEP) (24) also uses red teaming in prevention exercises to track how adversaries move and to create countermeasures based on the outcome of these exercises.

In the cybersecurity field, the adoption of the Red Team approach also helped organizations to keep their assets more secure. The Red Team must be composed of highly trained individuals, with different skill sets and they must be fully aware of the current threat landscape for the organization's industry. The Red Team must be aware of trends and understand how current attacks are taking place. In some circumstances and depending on the organization's requirements, members of the Red Team must have coding skills to create their own exploit and customize it to better exploit relevant vulnerabilities that could affect the organization.

The core Red Team workflow takes place using the following approach:

The Red Team will perform an attack and penetrate the environment by trying to break through the current security controls, which is also known as penetration testing. The intent of the mission is to find vulnerabilities and exploit them in order to gain access to the company's assets. The attack and penetration phase usually follows the Lockheed Martin approach, published in the paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (25). We will discuss the kill chain in more detail in Chapter 3, Understanding the Cybersecurity Kill Chain.

The Red Team is also accountable for recording their core metrics, which are very important for the business. The main metrics are as follows:

  • Mean Time to Compromise (MTTC): This starts counting from the minute that the Red Team initiated the attack to the moment that they were able to successfully compromise the target
  • Mean Time to Privilege Escalation (MTTP): This starts at the same point as the previous metric, but goes all the way to full compromise, which is the moment that the Red Team has administrative privilege on the target

So far, we've discussed the capacity of the Red Team, but the exercise is not complete without its counterpart, the Blue Team. The Blue Team needs to ensure that the assets are secure, and in case the Red Team finds a vulnerability and exploits it, they need to rapidly remediate it and document it as part of the lessons learned.

The following are some examples of tasks done by the Blue Team when an adversary (in this case the Red Team) is able to breach the system:

  • Save evidence: It is imperative to save evidence during these incidents to ensure you have tangible information to analyze, rationalize, and take action to mitigate in the future.
  • Validate the evidence: Not every single alert, or in this case piece of evidence, will lead you to a valid attempt to breach the system. But if it does, it needs to be cataloged as an Indicator of Compromise (IOC).
  • Engage whoever is necessary to engage: At this point, the Blue Team must know what to do with this IOC, and which team should be aware of this compromise. Engage all relevant teams, which may vary according to the organization.
  • Triage the incident: Sometimes the Blue Team may need to engage law enforcement, or may need a warrant in order to perform further investigation; a proper triage will help with this process.
  • Scope the breach: At this point, the Blue Team has enough information to scope the breach.
  • Create a remediation plan: The Blue Team should put together a remediation plan to either isolate or evict the adversary.
  • Execute the plan: Once the plan is finished, the Blue Team needs to execute it and recover from the breach.

The Blue Team members should also have a wide variety of skill sets and should be composed of professionals from different departments. Keep in mind that some companies have a dedicated Red/Blue Team, while others do not and put these teams together only during exercises. Just like the Red Team, the Blue Team also has accountability for some security metrics, which in this case are not 100% precise. The reason is that the Blue Team might not know precisely what time the Red Team was able to compromise the system. Having said that, the estimation is already good enough for this type of exercise. These estimations are self-explanatory, as you can see in the following list:

  • Estimated Time to Detection (ETTD)
  • Estimated Time to Recovery (ETTR)
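
The four metrics named in this section (MTTC and MTTP for the Red Team, ETTD and ETTR for the Blue Team) are easy to state but only useful if they are computed the same way for every exercise. The Go program below is an added example, not from the book: it takes the timeline each final report should contain and averages the intervals across exercises, skipping MTTP for runs in which the Red Team never obtained administrative privilege. The three exercise records are constructed, and the choice to measure ETTD from the compromise time the Red Team recorded (rather than from the start of the attack) is an assumption; the chapter notes that the Blue Team's own estimate of that moment is imprecise.

```go
package main

import (
	"fmt"
	"time"
)

// Exercise is the timeline of one Red/Blue Team run, with RFC3339 timestamps
// as they would be copied from the final report. PrivEsc is empty when the
// Red Team never reached administrative privilege.
type Exercise struct {
	Name                                            string
	Start, Compromise, PrivEsc, Detected, Recovered string
}

// Metrics are the chapter's four values averaged over the exercises.
type Metrics struct {
	MTTC time.Duration // attack start to first compromise
	MTTP time.Duration // attack start to administrative privilege (runs that got there)
	ETTD time.Duration // Red Team's recorded compromise time to Blue Team detection (assumption)
	ETTR time.Duration // detection to recovery complete
}

// Constructed exercise records (not real engagements).
var sampleExercises = []Exercise{
	{"Q1", "2017-03-06T09:00:00Z", "2017-03-06T09:45:00Z", "2017-03-06T11:15:00Z", "2017-03-06T13:00:00Z", "2017-03-06T17:00:00Z"},
	{"Q2", "2017-06-12T09:00:00Z", "2017-06-12T10:30:00Z", "", "2017-06-12T12:00:00Z", "2017-06-12T15:00:00Z"},
	{"Q3", "2017-09-18T08:00:00Z", "2017-09-18T08:15:00Z", "2017-09-18T10:15:00Z", "2017-09-18T08:45:00Z", "2017-09-18T12:00:00Z"},
}

// interval parses two timestamps and rejects a timeline that runs backwards,
// which in practice means a typo in the report.
func interval(from, to string) (time.Duration, error) {
	a, err := time.Parse(time.RFC3339, from)
	if err != nil {
		return 0, err
	}
	b, err := time.Parse(time.RFC3339, to)
	if err != nil {
		return 0, err
	}
	if b.Before(a) {
		return 0, fmt.Errorf("%s is before %s", to, from)
	}
	return b.Sub(a), nil
}

// computeMetrics averages the intervals; MTTP only counts exercises with a PrivEsc time.
func computeMetrics(runs []Exercise) (Metrics, error) {
	var m Metrics
	if len(runs) == 0 {
		return m, fmt.Errorf("no exercises")
	}
	var sumC, sumP, sumD, sumR time.Duration
	withPrivEsc := 0
	for _, r := range runs {
		c, err := interval(r.Start, r.Compromise)
		if err != nil {
			return m, fmt.Errorf("%s: %v", r.Name, err)
		}
		d, err := interval(r.Compromise, r.Detected)
		if err != nil {
			return m, fmt.Errorf("%s: %v", r.Name, err)
		}
		rec, err := interval(r.Detected, r.Recovered)
		if err != nil {
			return m, fmt.Errorf("%s: %v", r.Name, err)
		}
		sumC, sumD, sumR = sumC+c, sumD+d, sumR+rec
		if r.PrivEsc != "" {
			p, err := interval(r.Start, r.PrivEsc)
			if err != nil {
				return m, fmt.Errorf("%s: %v", r.Name, err)
			}
			sumP += p
			withPrivEsc++
		}
	}
	n := time.Duration(len(runs))
	m.MTTC, m.ETTD, m.ETTR = sumC/n, sumD/n, sumR/n
	if withPrivEsc > 0 {
		m.MTTP = sumP / time.Duration(withPrivEsc)
	}
	return m, nil
}

// sampleMetrics computes the four values over the constructed records.
func sampleMetrics() (Metrics, error) { return computeMetrics(sampleExercises) }

func main() {
	m, err := sampleMetrics()
	if err != nil {
		panic(err)
	}
	fmt.Printf("MTTC %v  MTTP %v  ETTD %v  ETTR %v\n", m.MTTC, m.MTTP, m.ETTD, m.ETTR)
}
```

Tracked this way across exercises, the numbers tell the story the chapter wants: in the constructed Q3 run the Blue Team detected the intrusion before the Red Team reached administrative privilege, which is exactly the gap-closing the "229 days" statistic argues for, while Q1 shows a detection that came hours after privilege escalation. The ordering check in interval matters more than it looks: a final report with a recovery time earlier than its detection time is a documentation error that would otherwise silently pull the averages down.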

The Blue Team and the Red Team's work doesn't finish when the Red Team is able to compromise the system. There is a lot more to do at this point, which will require full collaboration among these teams. A final report must be created to highlight the details regarding how the breach occurred, provide a documented timeline of the attack, the details of the vulnerabilities that were exploited in order to gain access and to elevate privileges (if applicable), and the business impact to the company.

Assume breach

Due to the emerging threats and cybersecurity challenges, it was necessary to change the methodology from prevent breach to assume breach. The traditional prevent breach approach by itself does not promote ongoing testing, and to deal with modern threats you must always be refining your protection. For this reason, the adoption of this model in the cybersecurity field was a natural move.

The former director of the CIA and National Security Agency, retired Gen. Michael Hayden, said in a 2012 interview (26):

"Fundamentally, if somebody wants to get in, they're getting in. Alright, good. Accept that."

Many people didn't quite understand what he really meant, but this sentence is the core of the assume breach approach. Assume breach validates the protection, detection, and response capabilities to ensure they are implemented correctly. To operationalize this, it becomes vital to leverage Red/Blue Team exercises to simulate attacks against your own infrastructure and test the company's security controls, sensors, and incident response process.

In the following diagram, you have an example of the interaction between phases in the Red Team/Blue Team exercise:

It is during the post-breach phase that the Red and Blue Teams work together to produce the final report. It is important to emphasize that this should not be a one-off exercise; instead, it must be a continuous process that is refined and improved with best practices over time.


Summary

In this chapter, you learned more about the current threat landscape and how these new threats are used to compromise credentials, apps, and data. In many scenarios, old hacking techniques such as phishing emails are still used, but with a more sophisticated approach. You also learned the current reality regarding the nationwide type of threat and government-targeted attacks. In order to protect your organization against these new threats, you learned about key factors that can help you enhance your security posture. It is essential that part of this enhancement shifts the attention from protection only to include detection and response. For that, the use of Red and Blue Teams becomes imperative. The same concept applies to the assume breach methodology.

In the next chapter, you will continue to learn about enhancing your security posture. However, that chapter will focus on the incident response process, which is fundamental for companies that need better detection of and response to cyber threats.

Product Details

Publication date: Jan 30, 2018
Length: 384 pages
Edition: 1st
Language: English
ISBN-13: 9781788475297
