Wednesday, May 4, 2016

Blue Team Handbook notes - "Detection & Analysis" a.k.a. Identification

NIST SP 800-61 calls this phase "Detection & Analysis"; it is also known as Identification.

Initial determination
First determine whether the event is a possible incident that warrants starting IR.
If possible assign two IR people, and have a start time logged.
Check identification points
Perimeter, DMZ, Internal systems, line of business apps, and notification from external sources.
Understand limitations
"No one size fits all": you need a baseline to see what sticks out.
Run through system checklist
OS, network device and application-specific logs are to be checked for suspicious activity. Analysis should be guided by a checklist to help provide a uniform and consistent response.
Perform internal vs. external system & network consistency check
netstat output and a tcpdump capture must not show discrepancies. Likewise the nmap scan results, the process list and the memory analysis should all match up.
Key decision
1. Is the event an actual incident?
2. Do we watch and learn or pull the plug?
Identification step exit criteria
The assessment process has determined that the event constitutes a real incident, so activate the IR process and continue.

Example questions for assessment:
1. Can you give a justification for the event not being an incident, such as a typo?
2. Is there a deviation from the norm?
3. How wide is the problem from an availability perspective?
4. Does an RCE vulnerability have a say here?
5. Is there publicly posted exploit code?
6. Are there any compensatory controls?

Monday, May 2, 2016

Blue Team Handbook notes - Preparation

Following the US Dept of Energy and NIST SP 800-61, we will look at the six phases in more detail.

Step 1: Preparation

Enable NTP for all devices.
Need to have a login banner, a procedure for dealing with LEA, a media liaison, and elevated user rights for IR personnel. The IR team needs to work closely with compliance and monitor the abuse email ID.
Central logging
Needs to be enabled. Incident detection should be logged both locally and remotely.
Identity & User Account Mgmt
We should have a one user, one account policy.
Service/System account mgmt issues
Establish a generic common user name and ensure that the password on that account is rotated.
Jump Bag contents
Never steal from it :-p. Clean HDDs wiped as per NIST 800-88, incident forms, bound notebook, pens, call tree, tools like a Leatherman, Kali on CD/bootable USB, flashlight, network tap, earplugs for the data center, spare clothes.
OOB notification capability
Everyone on the IR team needs to have a cellphone & a secondary email address.
Train these people to identify trends and call the IR team.
Work out IR team issues
Determine IR team members & rotation, budget to continue training, SLA, periodically do IR drills, get a secure room and cabinets to lock up evidence.
Key decisions
1. Decide on "Watch and learn" or "Pull the plug"
2. Decide on "Contain & Clean" or preserve evidence.
3. Understand the applicable data breach requirements.
4. Determine a process for handling and reporting criminal activity.
5. Understand the organization, the stakeholders and their expectations.
6. Ensure that the IRT understands and supports the organization's priorities.
7. Fully understand the IR operating model, roles and forensics capability.

Wednesday, April 27, 2016

Blue Team Handbook notes

OODA Loop - Observe, Orient, Decide and Act
FoW - Fog of War

1. Prepare
2. Identify
3. Contain
4. Eradicate
5. Recover
6. Lessons Learned

Steps 2-6 are the period of intense action.
Step 2 - OODA
Step 3 - FoW
Steps 4-5 - Friction

Wednesday, April 6, 2016

Auto shutdown - Debian

Crontab entry (root) to halt the machine at 01:05 on April 6; shutdown's output is appended to /var/log/shut.log (the path must be a redirect, otherwise shutdown treats it as the wall message):

5 1 6 4 * /sbin/shutdown -h now >> /var/log/shut.log 2>&1

Sunday, March 20, 2016

Different EAP types

* Cisco's Lightweight EAP (LEAP) is purely password-based.

* Other vendors and Microsoft use EAP with Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates.

If EAP-TLS is being used, the authentication server and wireless device exchange digital certificates for authentication purposes.

When EAP-TLS is being used, the steps the server takes to authenticate to the wireless device are basically the same as when an SSL connection is being set up between a web server and web browser. Once the wireless device receives and validates the server’s digital certificate, it creates a master key, encrypts it with the server’s public key, and sends it over to the authentication server. Now the wireless device and authentication server have a master key, which they use to generate individual symmetric session keys. Both entities use these session keys for encryption and decryption purposes, and it is the use of these keys that sets up a secure channel between the two devices.
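The exchange described above, as an added example (not from the book or the original post) written in Go: the server's RSA key pair stands in for its certificate, and the HMAC-SHA256 derivation is an assumed stand-in for the TLS PRF. The master key is encrypted to the certificate's public key, so only the holder of the matching private key can recover it, which is why the client must validate the certificate before sending.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewServerKey generates the RSA key pair that stands in for the server's certificate.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// deriveSessionKey models both sides turning the shared master key plus nonces into a session key (HMAC stands in for the TLS PRF).
func deriveSessionKey(master, clientRand, serverRand []byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("session key"))
	mac.Write(clientRand)
	mac.Write(serverRand)
	return mac.Sum(nil)
}

// ClientKeyExchange is what the wireless device does once the server certificate validated: create a master key and encrypt it to the server's public key.
func ClientKeyExchange(serverPub *rsa.PublicKey) (master, wrapped []byte, err error) {
	master = make([]byte, 48) // same length as a TLS pre-master secret
	rand.Read(master)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, master, nil)
	return master, wrapped, err
}

// ServerUnwrap recovers the master key; only the private key behind the certificate can do this.
func ServerUnwrap(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// RunExchange runs the full exchange and reports whether both ends derived the same session key.
func RunExchange(serverPriv *rsa.PrivateKey) (bool, error) {
	clientRand, serverRand := make([]byte, 32), make([]byte, 32)
	rand.Read(clientRand)
	rand.Read(serverRand)
	master, wrapped, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return false, err
	}
	recovered, err := ServerUnwrap(serverPriv, wrapped)
	return err == nil && bytes.Equal(deriveSessionKey(master, clientRand, serverRand),
		deriveSessionKey(recovered, clientRand, serverRand)), err
}
```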

* Protected EAP (PEAP), where only the server uses a digital certificate.

If PEAP is being used instead, the user of the wireless device sends the server a password and the server authenticates to the wireless device with its digital certificate.

* EAP-TTLS provides authentication that is as strong as EAP-TLS, but it does not require user certificates; it does, however, require a server certificate.

User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established using the server certificate.

* EAP-Tunneled TLS (EAP-TTLS) is an EAP protocol that extends TLS.

Thursday, February 11, 2016

Using Tar

We can use tar to collect a bulk of files and directories from one machine with their absolute paths and move them to another machine into the same absolute paths with the following commands.

$ cat files.txt

Now, to create a tar file containing the files listed above, issue the following command.
$ tar cvpfP a.tar -T files.txt

c will create the archive called a.tar
v will give us verbose output
p will preserve the permissions of the files
f will use the following archive file name
P will not strip the leading / from the absolute paths (so /tmp/... stays /tmp/...)
-T reads the list of files to archive from files.txt

Now, to extract all the files and folders into their corresponding absolute paths, use the following command.
$ tar xvpfP a.tar
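An added Go example (not from the original post) showing both sides of the -P behaviour with the standard archive/tar package: BuildArchive keeps member names verbatim, as -P does, and SafeTarget is the check an extraction without -P applies (strip the leading /, refuse .. escapes), which is why -P should only be used on an archive you created yourself. The file names and contents are constructed for the test.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path"
	"strings"
)

// Member is one file to archive; Name is kept verbatim, so "/tmp/a.txt" stays
// absolute, which is what tar's -P flag does (without -P the leading "/" is dropped).
type Member struct{ Name, Content string }

// BuildArchive writes the members into an in-memory tar stream.
func BuildArchive(members []Member) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, m := range members {
		hdr := &tar.Header{Name: m.Name, Mode: 0o644, Size: int64(len(m.Content))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, m.Content); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil { // Close writes the trailer, so finish before taking the bytes
		return nil, err
	}
	return buf.Bytes(), nil
}

// SafeTarget is the check an extractor without -P applies: strip leading "/" so
// the member lands under dest, and refuse names that climb out of dest via "..".
func SafeTarget(dest, member string) (string, error) {
	rel := path.Clean(strings.TrimLeft(member, "/"))
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", errors.New("member escapes destination: " + member)
	}
	return path.Join(dest, rel), nil
}
```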

Saturday, January 2, 2016