Index

NUMBERS

5-Tuple, 239-240

A

A4E (AMP for Endpoints), 55

A4N (AMP for Networks), 55

ACL (Access Control Lists), firewall suggestions, 65

action and objectives phase (Cyber Kill Chain Model), 265

activity-attack graphs (Diamond Model of Intrusion), 253

activity threads (Diamond Model of Intrusion), 253

activity threats (Diamond Model of Intrusion), 253

address proxying (IDS/IPS), 58

address spoofing (IDS/IPS), 58

ADS (Alternate Data Streams), Windows forensics, 36

allocated clusters, 35

AMP (Advanced Malware Protection), 55, 241

analytic pivoting, 250

analyzing

data

5-Tuple, 239-240

data normalization, 238-239

deterministic analysis, 242-243

file/device trajectories, 241

identifying malicious files, 241

interpreting data values into a universal format, 238

mapping threat intelligence, 242

probabilistic analysis, 242-243

retrospective analysis, 241

events

5-Tuple, 239-240

data normalization, 238-239

deterministic analysis, 242-243

file/device trajectories, 241

identifying malicious files, 241

interpreting data values into a universal format, 238

mapping threat intelligence, 242

probabilistic analysis, 242-243

retrospective analysis, 241

security events, 52-53, 57, 66-70

intrusions

false negatives, 58

false positives, 58

packet capturing, 61-65

protocol analysis, 61

protocol header analysis, 61

regular expressions, 58-61

security events, 52-53, 57, 66-70

true negatives, 58

true positives, 58

protocol headers, 61

protocols, 61

threats

attack complexity, 12

attack scope, 13

attack vectors, 10-11

CIA triad, 6-7

network scanners, 11

privileges, 12

threat modeling, 8-10

user interaction, 12

vulnerabilities, 8

vulnerability scanners, 11

web application scanners, 11

anomaly-detection, NetFlow and, 113

artifact elements in security events, 52-53, 57

ASA logs, 53

ASDM (Adaptive Security Device Manager)

ASA logs, 53

firewall dashboard, 54

asset address space, network profiling, 212-215

asset attribution, cybersecurity forensics, 21

attack complexity, 12

attack graphs (Diamond Model of Intrusion), 253

attack scope, 13

attack trees, 9

attack vectors

entry/exit points, 10-11

examples of, 10

network scanners, 11

vulnerability scanners, 11

web application scanners, 11

availability (CIA triad)

DoS attacks, 7

threat analysis, 7

B

bandwidth

low-bandwidth attacks (IDS/IPS), 58

throughput-measuring, 202

baselines (network), 200-201

best evidence, defined, 22

Blue Coat Security Analytics, 65

C

C2 (Command and Control) phase (Cyber Kill Chain Model), 264

caches (NetFlow), 80

capturing packets

Blue Coat Security Analytics, 65

intrusion analysis, 61-65

Moloch, 65

network profiling, 200, 203

Packet Capture, 65

sniffers, 61-65, 204

carving data, 23

CDE (Cardholder Data Environments), 179

CDP (Cisco Discovery Protocol), identifying used ports, 209

CERT (Computer Emergency Response Teams)

coordination centers, 167

national CERT, 166

SEI, 167

US-CERT, 166

chain of custody (digital evidence), cybersecurity forensics, 26-27

chaining, vulnerability analysis, 164

CIA triad

availability, 7

confidentiality, 6

integrity, 7

circumstantial (indirect) evidence, defined, 22

Cisco ATA managed security service, 167

Cisco Learning Network, 278

Cisco’s Incident Response Service, 167

classifying data, 7

clusters

allocated clusters, 35

unallocated clusters, 35

Windows forensics, 34

command and control (C2) phase (Cyber Kill Chain Model), 264

complexity of attacks, 12

compliance

HIPAA

e-PHI, 186

goals of, 185

PHI, 186

privacy rule, 185

security rule, 186-189

PCI DSS

overview of, 177

PA DSS, 178

PCI DSS 3.2 overview, 179, 182-185

protected data, 175-176

release history, 176-177

SOX, 189-190

confidentiality (CIA triad)

data classification, 7

threat analysis, 6

VPN tunneling, 7

configuring

Flexible NetFlow, 102-103

flow exporters, 107-109

flow monitors, 105-107

flow records, 103-105

NetFlow

Flexible NetFlow, 102-103

flow exporters, 107-109

flow monitors, 105-107

flow records, 103-105

containment, eradication and recovery phase (incident response process), 147

coordination centers, 167

corroborating evidence, defined, 22

CoTaskMemAlloc, 31

credit cards

CDE, 179

PCI DSS

compliance, 176-178

overview of, 177

PA DSS, 178

PCI DSS 3.2 overview, 179, 182-185

protected data, 175-176

release history, 176-177

processing servers, NetFlow and, 122-124

CSIRT (Computer Security Incident Response Teams), 159-160, 166

CTD (Cyber Threat Defense), NetFlow and, 113

customizing practice exams, 277

CVSS (Common Vulnerability Scoring System), 161-164

Cyber Kill Chain Model, 254

action and objectives phase, 265

command and control (C2) phase, 264

delivery phase, 260-261

early detection example, 255

exploitation phase, 261-263

installation phase, 263

late detection example, 255

reconnaissance phase, 256-259

weaponization phase, 259-260

cybersecurity

CTD, NetFlow and, 113

forensics

asset attribution, 21

chain of custody, 26-27

digital evidence, 21-27

endpoints/servers, 23

mobile devices, 24

network infrastructure devices, 24-26

network security forensics, 114-118

RAM, 20-21, 42

NetFlow, 78

analysis tools, commercial analysis tools, 125-135

anomaly-detection, 113

caches, 80

capturing, 204

credit card processing servers, 122-124

CTD and, 113

data leak detection/prevention, 119-125

defining flows, 78-79

example of, 79

Flexible NetFlow, 79, 96-110

flow records, 80

incident response, 114-118

IP Accounting versus, 78

IPFIX, 110-113

NetFlow v1, 81-82

NetFlow v5, 82-83

NetFlow v7, 83-84

NetFlow v9, 84-96

network profiling, 200

network security forensics, 114-118

templates, 85

versions of, 81-96

D

dashboards, ASDM firewall dashboard, 54

data analysis

5-Tuple, 239-240

data normalization, 238-239

data values, interpreting into a universal format, 238

deterministic analysis, 242-243

file/device trajectories, 241

malicious files, identifying, 241

probabilistic analysis, 242-243

retrospective analysis, 241

threat intelligence, mapping, 242

data carving, 23

data classification, 7

data leak detection/prevention, NetFlow and, 119-125

data normalization

data values, interpreting into a universal format, 238

IPS, 238-239

SIEM, 238-239

VERIS, 239

delivery phase (Cyber Kill Chain Model), 260-261

denial-of-service

DoS attacks, 7

STRIDE threat model, 9

detecting data leaks, NetFlow and, 119-125

detection and analysis phase (incident response process), 146-147

deterministic data analysis versus probabilistic analysis, 242-243

DHCP (Dynamic Host Configuration Protocol)

identifying used ports, 209

IP address inventory management, 214

Diamond Model of Intrusion, 247

activity-attack graphs, 253

activity threads, 253

activity threats, 253

analytic pivoting, 250

attack graphs, 253

ransomware example, 251-253

shared threat space, 251

social-political meta-feature, 251

technology meta-feature, 251

digital evidence

best evidence, 22

corroborating evidence, 22

cybersecurity forensics, 21-22

chain of custody, 26-27

collecting from endpoints/servers, 23

collecting from mobile devices, 24

collecting from network infrastructure devices, 24-26

defined, 22

ESD, 27

indirect (circumstantial) evidence, 22

use of, 21

digital forensics

asset attribution, 21

chain of custody, 26-27

digital evidence, 21-27

endpoints/servers, 23

mobile devices, 24

network infrastructure devices, 24-26

network security forensics, 114-118

RAM, 20-21, 42

disclosing information, STRIDE threat model, 9

DNS (Domain Name Servers)

IP address inventory management, 214

tunneling, 123

DoS (Denial-of-Service) attacks, 7

DREAD threat model, 8

dynamic memory allocation, Windows forensics, 30

E

e-PHI (Electronic Protected Health Information), 186

EFI (Extensible Firmware Interface), Windows forensics, 36

Elasticsearch open source NetFlow monitoring/analysis tool, 135

elevation of privilege, STRIDE threat model, 9

encryption (IDS/IPS), 58

end-of-chapter review tools, exam preparation, 279

endpoints, collecting evidence from (cybersecurity forensics), 23

ESD (Electrostatic Discharges), 27

events

analyzing

5-Tuple, 239-240

data normalization, 238-239

data values, interpreting into a universal format, 238

deterministic analysis, 242-243

file/device trajectories, 241

identifying malicious files, 241

mapping threat intelligence, 242

probabilistic analysis, 242-243

retrospective analysis, 241

defined, 144

examples of, 145

VERIS, 149-152, 239

evidence (digital)

best evidence, 22

corroborating evidence, 22

cybersecurity forensics, 21-22

chain of custody, 26-27

collecting from endpoints/servers, 23

collecting from mobile devices, 24

collecting from network infrastructure devices, 24-26

defined, 22

ESD, 27

indirect (circumstantial) evidence, 22

use of, 21

exam preparation

Cisco Learning Network, 278

customizing exams, 277

end-of-chapter review tools, 279

memory tables, 278

Pearson Cert Practice Test Engine, 275-277

Premium Edition, 278

study plans, 279

updating exams, 277

exploitation phase (Cyber Kill Chain Model), 261-263

F

false negatives (intrusion analysis), 58

false positives (intrusion analysis), 58

FAT (File Allocation Tables), Windows forensics, 35-36

fibers, defined, 28

file hashes, security events, 55

files/folders

ADS, Windows forensics, 36

EFI, Windows forensics, 36

EXT3 file system, 40

EXT4 file system, 40

FAT, Windows forensics, 35-36

hives, 32-34

journaling file systems, 41

malicious files, identifying, 241

MFT, Windows forensics, 34-36

NTFS, 36

swap file systems, Linux forensics, 42

Windows file system, 34

Firepower dashboard, throughput-measuring, 203

firewalls

ACL suggestions, Wireshark and, 65

ASDM firewall dashboard, 54

Windows Firewall, 30

Flash Card mode (practice exams), 277

Flexible NetFlow, 79, 96

configuring, 102-103

flow exporters, 102, 107-109

flow monitors

applying to interfaces, 109-110

configuring, 105-107

flow exporters, 102, 107-109

flow samplers, 102

flow records

configuring, 103-105

key fields, 97-99

non-key fields, 100

predefined records, 101

user-defined records, 101

flow samplers, 102

records, 97

flow exporters, 102, 107-109

flow monitors

applying to interfaces, 109-110

configuring, 105-107

flow exporters, 102, 107-109

flow samplers, 102

FlowPro analysis tool (Plixer), 129

flow records, 80

configuring, 103-105

key fields, 97-99

non-key fields, 100

pre-defined records, 101

predefined records, 101

user-defined records, 101

Flow Replicator analysis tool (Plixer), 129

flow samplers, 102

flows (NetFlow), defined, 78-79

FMC (Firepower Management Center)

DNS intelligence CnC communication, 55

file trajectories, 241

intrusion events, 53

retrospective analysis, 57

security intelligence events, 55

forensics

cybersecurity forensics

asset attribution, 21

digital evidence, 21-27

RAM, 42

threat actor attribution, 20-21

digital forensics

asset attribution, 21

chain of custody, 26-27

digital evidence, 21-27

endpoints/servers, 23

mobile devices, 24

network infrastructure devices, 24-26

network security forensics, 114-118

RAM, 20-21, 42

Linux forensics

boot process, 42

EXT3 file system, 40

EXT4 file system, 40

htop command, 38-40

journaling file systems, 41

MBR, 41

processes, 37-40

ps command, 37-38

swap file systems, 42

swap space, 42

top command, 38-39

network security forensics, NetFlow and, 114-118

Windows forensics

ADS, 36

clusters, 34

EFI, 36

FAT, 35-36

MACE values, 36

MBR, 34

memory management, 30-32

MFT, 34-36

NTFS, 36

processes, 28-30

threads, 28-30

timestamps, 36

Windows file system, 34

Windows registry, 32-34

Windows services, 28-29

fragmentation (IDS/IPS), 58

G-H

Garg and STRIDE threat model, Praerit, 9

hard coding IP addresses, 215

HeapAlloc, 31

heaps (memory), 30

HIPAA (Health Insurance Portability and Accountability Act)

e-PHI, 186

goals of, 185

PHI, 186

privacy rule, 185

security rule, 186-187

administrative safeguards, 188

physical safeguards, 188

technical safeguards, 188-189

hives, 32-34

host profiling

applications, 226-229

least privilege (access rights), 220

listening ports, 216-220

logged-in user/service accounts, 220-222

Remote Desktop Services Manager, 220

running processes, 223-225

htop command (Linux), 38-40

I

identity spoofing. See spoofing

IDS (Intrusion Detection System)

evasion techniques, 58

protocol analysis, 61

SigID, 240

incident response

CERT

coordination centers, 167

national CERT, 166

SEI, 167

US-CERT, 166

Cisco ATA managed security service, 167

Cisco’s Incident Response Service, 167

coordination centers, 167

CSIRT, 159-160, 166

information sharing/coordination, 148

MSSP, 167

national CSIRT, 166

NetFlow and, 114-118

plans, 145-146

process of

containment, eradication and recovery phase, 147

detection and analysis phase, 146-147

post-incident activity (postmortem) phase, 148

preparation phase, 146

team structures, 148-149

PSIRT, 161

security events

defined, 144

examples of, 145

security incidents, defined, 144

VERIS, 149-152

vulnerabilities

chaining analysis of, 164

fixing theoretical vulnerabilities, 164-165

internally versus externally found vulnerabilities, 165

severity of, 161-164

incidents (security)

defined, 144, 247

VERIS, 149-152, 239

indirect (circumstantial) evidence, defined, 22

information disclosure, STRIDE threat model, 9

installation phase (Cyber Kill Chain Model), 263

integrity (CIA triad), threat analysis, 7

intrusion analysis

false negatives, 58

false positives, 58

packet capturing, 61-65

protocol analysis, 61

protocol header analysis, 61

regular expressions, 58-61

security events

artifact elements in, 52-53, 57

mapping, 66-70

true negatives, 58

true positives, 58

intrusion events

Cyber Kill Chain Model, 254

action and objectives phase, 265

command and control (C2) phase, 264

delivery phase, 260-261

early detection example, 255

exploitation phase, 261-263

installation phase, 263

late detection example, 255

reconnaissance phase, 256-259

weaponization phase, 259-260

Diamond Model of Intrusion, 247

activity-attack graphs, 253

activity threads, 253

activity threats, 253

analytic pivoting, 250

attack graphs, 253

ransomware example, 251-253

shared threat space, 251

social-political meta-feature, 251

technology meta-feature, 251

security incidents, defined, 247

IP Accounting versus NetFlow, 78

IP addresses

dynamic IP address service management, 214

hard coding, 215

inventory assurance, 214

inventory management

network profiling, 212-215

name services inventory management, 214

NAT, 213

planning, 214

statically setting, 215

IPFIX (Internet Protocol Flow Information Export), 110

architecture of, 111

mediators, 111

NetFlow comparison to, 113

SCTP and, 112

templates, 111-112

IPS (Intrusion Prevention Systems)

data normalization, 238-239

evasion techniques, 58

protocol analysis, 61

SigID, 240

J-K

job objects, defined, 28

Kibana open source NetFlow monitoring/analysis tool, 135

Kohnfelder and STRIDE threat model, Loren, 9

L

leak detection/prevention (data), NetFlow and, 119-125

least privilege (access rights), 220

Linux forensics

boot process, 42

EXT3 file system, 40

EXT4 file system, 40

htop command, 38-40

journaling file systems, 41

MBR, 41

processes, 37-40

ps command, 37-38

swap file systems, 42

swap space, 42

top command, 38-39

listening ports, host profiling, 216-220

LLDP (Link Layer Discovery Protocol), identifying used ports, 209

logged-in user/service accounts, host profiling, 220-222

Logstash open source NetFlow monitoring/analysis tool, 135

low-bandwidth attacks (IDS/IPS), 58

M

MACE (Modify, Access, Create and Entry Modified) values, Windows forensics, 36

malicious files (malware), identifying, 241

Malloc, 31

malware, AMP and, 55, 241

man-in-the-middle attacks, 12

mapping

security events, 66-70

threat intelligence, 242

mballoc, 41

MBR (Master Boot Records)

Linux forensics, 41

Windows forensics, 34

memory

dynamic memory allocation, 30

heaps, 30

RAM, cybersecurity forensics, 42

stacks, 30

static memory allocation, 30

Windows forensics, 30-32

memory tables, exam preparation, 278

MFT (Master File Tables), Windows forensics, 34-36

mobile devices, collecting evidence from (cybersecurity forensics), 24

modeling threats

attack trees, 9

DREAD model, 8

online resources, 10

STRIDE model, 9

Moloch, 65

MSSP (Managed Security Service Providers), 167

N

NAC (Network Access Control), port security, 207

national CERT (Computer Emergency Response Teams), 166

national CSIRT (Computer Security Incident Response Teams), 166

NAT (Network Address Translation), 213

NBAR (Network-Based Application Recognition), 227

NetFlow

analysis tools

commercial analysis tools, 125-126

Flow Replicator analysis tool (Plixer), 129

FlowPro analysis tool (Plixer), 129

open source monitoring/analysis tools, 129-135

Scrutinizer analysis tool (Plixer), 129

StealthWatch analysis tool (Lancope), 126-129

anomaly-detection, 113

caches, 80

capturing, 204

commercial analysis tools, 125-126

credit card processing servers, 122-124

CTD and, 113

data leak detection/prevention, 119-125

example of, 79

Flexible NetFlow, 79, 96

configuring, 102-103

flow exporters, 102, 107-109

flow monitors, 102, 105-110

flow records, 97-105

flow samplers, 102

records, 97

FlowPro analysis tool (Plixer), 129

flow records, 80, 102-105

key fields, 97-99

non-key fields, 100

predefined records, 101

user-defined records, 101

Flow Replicator analysis tool (Plixer), 129

flows, defined, 78-79

incident response, 114-118

IP Accounting versus, 78

IPFIX, 110

architecture of, 111

mediators, 111

NetFlow comparison to, 113

SCTP and, 112

templates, 111-112

NetFlow v1, 81-82

NetFlow v5, 82-83

NetFlow v7, 83-84

NetFlow v9, 84-96

network profiling, 200

network security forensics, 114-118

open source monitoring/analysis tools, 129

Elasticsearch, 135

Kibana, 135

Logstash, 135

NFdump, 131-134

NfSen, 134

SiLK, 134

Scrutinizer analysis tool (Plixer), 129

StealthWatch analysis tool (Lancope), 126-129

templates, benefits of, 85

versions of, 81-96

netstat command, listening ports, 217

network infrastructure devices, collecting evidence from (cybersecurity forensics), 24-26

network scanners, threat analysis, 11

networks

bandwidth, throughput-measuring, 202

baselines, 200-201

Cisco Learning Network, 278

packet capturing, network profiling, 200, 203

profiling

asset address space, 212-215

IP address inventory management, 212-215

NetFlow, 200, 204

network baselines, 200-201

packet capturing, 200, 203

port security, 207-211

session duration, 211-212

throughput, 200-206

used ports, 207-211

security forensics, NetFlow and, 114-118

NFdump open source NetFlow monitoring/analysis tool, 131-134

NfSen open source NetFlow monitoring/analysis tool, 134

nmap command

host profiling, 225

port scanners, 217

version scanning, 227

normalizing data

data values, interpreting into a universal format, 238

IPS, 238-239

SIEM, 238-239

VERIS, 239

NTFS (NT File System), 36

O

online resources

regular expressions, 61

threat modeling, 10

open source NetFlow monitoring/analysis tools, 129

Elasticsearch, 135

Kibana, 135

Logstash, 135

NFdump, 131-134

NfSen, 134

SiLK, 134

option templates (IPFIX), 112

P

PA DSS (Payment Application Data Security Standards), 178

packet analyzers, 204

packet capturing

Blue Coat Security Analytics, 65

intrusion analysis, 61-65

Moloch, 65

network profiling, 200, 203

Packet Capture, 65

packet sniffers, 61-65, 204

pattern change evasion (IDS/IPS), 58

payment cards

CDE, 179

PCI DSS

compliance, 176-178

overview of, 177

PA DSS, 178

PCI DSS 3.2 overview, 179, 182-185

protected data, 175-176

release history, 176-177

processing servers, NetFlow and, 122-124

PCI DSS (Payment Card Industry Data Security Standard), 175

compliance, 176-178

overview of, 177

PA DSS, 178

PCI DSS 3.2 overview, 179, 182-185

protected data, 175-176

release history, 176-177

PDU (Protocol Data Units). See flow records

peaks (throughput), 201

Pearson Cert Practice Test Engine, 275-277

PHI (Protected Health Information)

e-PHI, 186

HIPAA and, 186

planning IP addresses, 214

port scanners, 217

ports

listening ports, host profiling, 216-220

security

NAC, 207

network profiling, 207-211

show interface command, 208

show interface status command, 208

switchport port-security command, 207

used ports, network profiling, 207-211

post-incident activity (postmortem) phase (incident response process), 148

PowerShell, Windows services, 29

practice exams

customizing, 277

end-of-chapter review tools, 279

Flash Card mode, 277

memory tables, 278

Pearson Cert Practice Test Engine, 275-277

Practice Exam mode, 277

Study mode, 277

study plans, 279

updating, 277

Premium Edition of book, exam preparation, 278

preparation phase (incident response process), 146

preparing for exams

Cisco Learning Network, 278

customizing exams, 277

end-of-chapter review tools, 279

memory tables, 278

Pearson Cert Practice Test Engine, 275-277

Premium Edition, 278

study plans, 279

updating exams, 277

privacy rule (HIPAA), 185

privileges

elevation of, STRIDE threat model, 9

threat analysis, 12

probabilistic data analysis versus deterministic analysis, 242-243

processes

defined, 28

job objects, 28

Linux forensics, 37-40

running, host profiling, 223-225

Windows forensics, 28-30

profiling

defining, 197

hosts

applications, 226-229

least privilege (access rights), 220

listening ports, 216-220

logged-in user/service accounts, 220-222

Remote Desktop Services Manager, 220

running processes, 223-225

networks

asset address space, 212-215

IP address inventory management, 212-215

NetFlow, 200, 204

network baselines, 200-201

packet capturing, 200, 203

port security, 207-211

session duration, 211-212

throughput, 200-206

used ports, 207-211

protocols

analysis of, 61

headers, 61

proxying

IDS, 58

IPS, 58

ps command (Linux), 37-38

PSIRT (Product Security Incident Response Teams), vulnerabilities

chaining analysis of, 164

fixing theoretical vulnerabilities, 164-165

internally versus externally found vulnerabilities, 165

severity of, 161-164

Pwnie Express power plug, 206

Q-R

QoS (Quality of Service), throughput-measuring, 205

RAM (Random Access Memory), cybersecurity forensics, 42

ransomware, Diamond Model of Intrusion, 251-253

reconnaissance phase (Cyber Kill Chain Model), 256-259

recovery, carving data, 23

regedit, 32

registry (Windows), Windows forensics, 32-34

regular expressions, 59-60

defined, 58

online resources, 61

Remote Desktop Services Manager, host profiling, 220

repudiation, STRIDE threat model, 9

retrospective analysis, 241

review tools (end-of-chapter), exam preparation, 279

risk analysis

attack complexity, 12

attack scope, 13

attack vectors

entry/exit points, 10-11

examples of, 10

network scanners, 11

vulnerability scanners, 11

web application scanners, 11

CIA triad

availability, 7

confidentiality, 6

integrity, 7

network scanners, 11

privileges, 12

threat modeling

attack trees, 9

DREAD model, 8

online resources, 10

STRIDE model, 9

user interaction, 12

vulnerabilities

defining, 8

scanners, 11

web application scanners, 11

routers, throughput-measuring, 203

running processes, host profiling, 223-225

S

Sarbanes-Oxley Act (SOX), 189-190

Sc.exe (Service Control utility), Windows services, 29

Schneier and attack trees, Bruce, 9

scope of attacks

scope change, 13

threat analysis, 13

Scrutinizer analysis tool (Plixer), 129

SCTP (Stream Control Transmission Protocol), IPFIX and, 112

SDL (Secure Development Lifecycle), 165

security

CTD, NetFlow and, 113

cybersecurity forensics

asset attribution, 21

digital evidence, 21-27

RAM, 42

threat actor attribution, 20-21

events

artifact elements in, 52-53, 57

defined, 144

examples of, 145

file hashes, 55

mapping, 66-70

VERIS, 149-152

incidents

defined, 144, 247

VERIS, 149-152

NetFlow

analysis tools, 125-135

anomaly-detection, 113

caches, 80

capturing, 204

credit card processing servers, 122-124

CTD and, 113

data leak detection/prevention, 119-125

defining flows, 78-79

example of, 79

Flexible NetFlow, 79, 96-110

flow records, 80

incident response, 114-118

IP Accounting versus, 78

IPFIX, 110-113

NetFlow v1, 81-82

NetFlow v5, 82-83

NetFlow v7, 83-84

NetFlow v9, 84-96

network profiling, 200

network security forensics, 114-118

templates, 85

versions of, 81-96

network security forensics, NetFlow and, 114-118

ports

NAC, 207

network profiling, 207-211

show interface command, 208

show interface status command, 208

switchport port-security command, 207

security rule (HIPAA), 186-187

administrative safeguards, 188

physical safeguards, 188

technical safeguards, 188-189

SEI (Software Engineering Institute), 167

servers

collecting evidence from (cybersecurity forensics), 23

credit card processing servers, NetFlow and, 122-124

DNS, IP address inventory management, 214

service accounts, logged-in accounts and host profiling, 220-222

services (Windows)

defined, 28

Windows forensics, 28-29

Services snap-in (Windows services), 29

session duration, network profiling, 211-212

shared threat space (Diamond Model of Intrusion), 251

sharing information, incident response plans, 148

show interface command, port security, 208

show interface status command, port security, 208

show ip arp command, session duration, 212

SIEM (Security Information and Event Management), 238-239

SigID (Signature ID), 240

SiLK open source NetFlow monitoring/analysis tool, 134

sniffers (packet), 61-65, 204

software, Pearson Cert Practice Test Engine software, 275-277

SOP (Standard Operating Procedures), defined, 146

SOX (Sarbanes-Oxley Act), 189-190

spoofing

IDS, 58

IPS, 58

STRIDE threat model, 9

stacks (memory), 30

static and ESD, 27

static memory allocation, Windows forensics, 30

statically setting IP addresses, 215

StealthWatch analysis tool (Lancope), 126-129

STRIDE threat model, 9

Study mode (practice exams), 277

study plans, exam preparation, 279

swap file systems, Linux forensics, 42

swap space, Linux forensics, 42

switchport port-security command, port security, 207

T

tampering, STRIDE threat model, 9

TCP streams, Wireshark, 63

templates

IPFIX templates, 111-112

NetFlow templates, benefits of, 85

option templates (IPFIX), 112

test preparation

Cisco Learning Network, 278

customizing exams, 277

end-of-chapter review tools, 279

memory tables, 278

Pearson Cert Practice Test Engine, 275-277

Premium Edition, 278

study plans, 279

updating exams, 277

threads

fibers, defined, 28

thread pools, defined, 28

Windows forensics, 28-30

threat actor attribution, cybersecurity forensics, 20-21

threat analysis

attack complexity, 12

attack scope, 13

attack vectors

entry/exit points, 10-11

examples of, 10

network scanners, 11

vulnerability scanners, 11

web application scanners, 11

CIA triad

availability, 7

confidentiality, 6

integrity, 7

mapping, 242

network scanners, 11

privileges, 12

threat modeling

attack trees, 9

DREAD model, 8

online resources, 10

STRIDE model, 9

user interaction, 12

vulnerabilities, defining, 8

vulnerability scanners, 11

web application scanners, 11

threat modeling

attack trees, 9

DREAD model, 8

online resources, 10

STRIDE model, 9

throughput

bandwidth, measuring, 202

defined, 200

key concepts of, 205-206

measuring, 202-205

network baselines, establishing, 201

peaks, 201

valleys, 201

timestamps, Windows forensics, 36

top command (Linux), 38-39

true negatives (intrusion analysis), 58

true positives (intrusion analysis), 58

tunneling

DNS tunneling, 123

VPN tunneling, 7

U

unallocated clusters, 35

updating practice exams, 277

US-CERT (United States-Computer Emergency Response Teams), 166

used ports, network profiling, 207-211

user accounts, logged-in accounts and host profiling, 220-222

user interaction, threat analysis, 12

V

valleys (throughput), 201

VERIS (Vocabulary for Event Recording and Incident Sharing), 149-152, 239

version scanning, 227

VirtualAlloc, 31

VM (Virtual Machines), VM escape, 13

VNC (Virtual Network Computing), remotely accessing hosts, 222

VPN tunneling, 7

vulnerabilities

chaining analysis of, 164

CVSS, 161-164

defined, 28

defining, 8

fixing theoretical vulnerabilities, 164-165

internally versus externally found vulnerabilities, 165

PSIRT and, 161-165

severity of, 161-164

theoretical vulnerabilities, fixing, 164-165

vulnerability scanners, threat analysis, 11

W-X-Y-Z

weaponization phase (Cyber Kill Chain Model), 259-260

web application scanners, threat analysis, 11

web resources

regular expressions, 61

threat modeling, 10

Windows Firewall, 30

Windows forensics

ADS, 36

clusters, 34

EFI, 36

FAT, 35-36

MACE values, 36

MBR, 34

memory management, 30-32

MFT, 34-36

NTFS, 36

processes, 28-30

threads, 28-30

timestamps, 36

Windows registry, 32-34

Windows services, 28-29

Wireshark, 61

firewall ACL suggestions, 65

TCP streams, 63

throughput-measuring, 204

WSA (Web Security Appliance), 228
