Nov 28 2023

Stop panic buying your security products and start prioritizing

Category: Security Toolsdisc7 @ 2:12 pm

In the realm of cybersecurity, where a constant influx of new “essential” products occurs, it’s tempting to be influenced into investing in unnecessary tools that not only expand your vulnerability but also provide minimal, if any, value. Let’s delve into the intricacies of security expenditure and the advantages of optimization, especially in times of economic uncertainty as we plan for the 2024 budget.

The culture of panic buying is real

This is an industry that uses fear, uncertainty, and doubt (FUD) as a selling tactic, making security leaders feel like every product is make-or-break for the wellbeing of their organization. The promise of a fix-it-all solution (the mythical silver bullet) is particularly tempting in this environment, especially for smaller organizations that most likely don’t have the budgets to implement a multitude of security tools or hire cyber specialists in-house. Vendors play on that desperation to make profits, and a lot of them are very good at it.

The fear mongering may also lead to impulsive decisions to invest in products that won’t configure correctly with the buyer’s current technology stack, thus introducing even more risk. The name of the game in a lean operation is a solution that is customizable and adaptable, and that will grow with the changing needs of an organization’s security team.  

The consequences can cost millions

According to IBM’s 2023 Cost of a Data Breach Report, organizations are now paying $4.5 million to deal with breaches – a 15% increase over the last three years. Aside from spending cash to purchase the product, panic buying can result in a wider attack surface, costly auto-renews and misconfigurations.

There is no doubt that taking advantage of new technological solutions (with AI and machine learning being fan favorites right now), can be extremely beneficial from both a technological and reputational perspective. But without looking at the big picture and calculating the actual value of the product in question, it’s nearly impossible to make a well-informed investment decision.

To assess the value of a product, security leaders should examine whether it adds or minimizes organizational risk and whether their current cybersecurity personnel and tools will be able to interact with it effectively.

Calculating the value of a product doesn’t have to be a guessing game. Risk = likelihood x impact is a great equation to use to solve for the value of a product or service.

To calculate likelihood of an attack, examine the degree of difficulty to execute an attack and the exposure of your assets. Determine your organization’s acceptable risk and use that equation to work backwards to identify the monetary impact of an attack. If that impact is significantly higher than the price of the product or service, it may be worth looking elsewhere.

It’s easy to fall into the trap of impulse buying cybersecurity products that don’t improve security but instead leave you vulnerable to costly attacks. Organizations should aim to protect their most valuable assets and prioritize addressing threats to those critical puzzle pieces of their business.

The solution is possible, and relatively simple

Look inward and optimize. Companies need to understand what inside their networks and data is most attractive and most vulnerable to attackers. Get visibility into what you have, calculate the value of your tools, and use the information to move forward.

Understanding risk by gaining full visibility into what you already have can allow companies to communicate better with investors and the public in the case of an attack or breach. For example, they will be able to give clear information about the impact (or lack of impact) on the business when an attack occurs and lay out clear steps for remediation, not having to guess the next best course of action.

‘Tis the season to prioritize your security investments

It is important to remember that the goal is not to buy more tools to chase the growing number of vulnerabilities that experts find every day, but to protect the assets that are most relevant to overall vital business operations and limit the fallout of inevitable cyber incidents.

By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.

When budgets are tight, every purchase must be accounted for with a clear indication of its value to the business operation. This is especially true for security purchases, which tend to be costly line items.

In today’s economic climate, proving ROI for security spend is a big part of security leaders’ jobs. It is crucial that before purchasing a new cybersecurity tool, investing in a service, or hiring specialists, you understand their functionality and purpose.

Cyber Security Program and Policy Using NIST Cybersecurity Framework: NIST Cybersecurity Framework (CSF)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: security products


Oct 16 2023

GUARDIANS OF THE HACKERS GALAXY: UNLOCK THE TOOL OF TODDYCAT’S GROUP

Category: Cyber Espionage,Security Toolsdisc7 @ 9:36 am

COMPREHENSIVE ANALYSIS: TODDYCAT’S ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS

ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the article and other sources, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.

STEALTH AND SOPHISTICATION: TODDYCAT’S MODUS OPERANDI

ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.

EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION

  • Disposable Malware: Utilized to enhance stealth and evasion capabilities.
  • Data Exfiltration: Malware designed to access and extract sensitive information.
  • Lateral Movement: Techniques employed to expand reach and access within compromised environments.

TOOLSET SUMMARY

  1. Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
  2. LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
  3. Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
  4. Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.

DETAILED INSIGHTS INTO THE TOOLSET

1. LOADERS

  • Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in aspects like the library loaded by, where the malicious code resides, the loaded file, and the next stage.
  • Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).

2. NINJA TROJAN

The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:

  • Managing running processes
  • File system management
  • Managing multiple reverse shell sessions
  • Injecting code into arbitrary processes
  • Loading additional modules during runtime
  • Proxy functionality to forward TCP packets between the C2 and a remote host

3. LOFISE

LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.

4. DROPBOX UPLOADER

This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.

5. PCEXTER

Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.

POTENTIAL IMPACT AND THREAT LANDSCAPE

The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.

MITIGATION AND DEFENSE STRATEGIES

  • Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
  • User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
  • Regular Patching: Keeping all systems regularly patched and updated.
  • Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.

ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.

Spy Secrets That Can Save Your Life: A Former CIA Officer Reveals Safety and Survival Techniques to Keep You and Your Family Protected

100 Deadly Skills: The SEAL Operative’s Guide to Eluding Pursuers, Evading Capture, and Surviving Any Dangerous Situation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ToddyCat’s Group


Oct 11 2023

UNMASKING CRACKED COBALT STRIKE 4.9: THE CYBERCRIMINAL’S TOOL OF CHOICE

Category: Cybercrime,Security Toolsdisc7 @ 8:58 am

Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  

COBALT STRIKE 4.9 FEATURES

The latest release, version 4.9, introduces several significant features and improvements:

  • User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
  • Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
  • Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
  • Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
  • Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
  • WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
  • Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.

CRACKED VERSIONS IN THE WILD

Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.

THE CRACKDOWN

Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.

WHY COBALT STRIKE?

Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.

THE USERS

Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.

REMEDIATION EFFORTS

To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).

The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.

Cobalt Strike, a Defender’s Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cobalt Strike


Oct 09 2023

Chalk: Open-source software security and infrastructure visibility tool

Category: Open Network,Security Toolsdisc7 @ 10:38 am

Chalk is a free, open-source tool that helps improve software security. You add a single line to your build script, and it will automatically collect and inject metadata into every build artifact: source code, binaries, and containers.

Gaining visibility

Chalk enables complete visibility across the development process, from the first time a developer creates the code to the entire lifetime a container hosting is running.

Chalk is a convenient tool for compliance by producing SBOMs, embedding code provenance details, and digitally signing them. You can then send these to your preferred location as a report. Additionally, without added effort, you can achieve SLSA level 2 compliance even before SLSA level 1 becomes a mandated standard.

Usage scenarios

“Interestingly, early design partners are constantly developing new use cases, but the classic ones are still unique because nothing else solves those today. The canonical one is knowing what code is in production and what is not. “Prod or not”. That basic use case means most users can shut off code scanning on the majority of their code repos, shutting down the noise and the busy work people have to do looking at it, but also saving massive amounts of money on wasted tools licenses,” Mark Curphey, Co-Founder of Crash Override, told Help Net Security.

“A great and topical one is automatically generating software security supply chain reports. Chalk will generate an SBOM, add build provenance data about where the code came from and who built it, something required by the US gov directives and where no other automated solution exists, and then to top it all, digitally signs it all in a report and sends it to a central report registry. That use case is huge, just huge,” he concluded.

The source code for Chalk is available on GitHub.

Tags: Open-source software security


Sep 20 2023

Nagios Monitoring Tool Vulnerabilities Let Attackers Perform SQL Injection

Category: Security Tools,Security vulnerabilitiesdisc7 @ 9:47 am

Nagios XI is a prominent and frequently used commercial monitoring system for IT infrastructure and network monitoring. 

Vulnerability Research Engineer Astrid Tedenbrant found four distinct vulnerabilities in Nagios XI (version 5.11.1 and below) while conducting routine research.

By making use of three of these flaws classified as (CVE-2023-40931CVE-2023-40933, and CVE-2023-40934), users with various levels of access rights can get access to the database field via SQL injection.

Additionally, the vulnerability (CVE-2023-40932) permits Cross-Site Scripting through the Custom Logo component, rendering on all pages, including the login page.

Details of the Vulnerabilities

SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)

“Announcement Banners” are a feature of Nagios XI that users may choose to recognize. This feature’s endpoint is susceptible to a SQL Injection attack.

When a user acknowledges a banner, a POST request is made to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data ‘action=acknowledge banner message&id=3’.

“The ID parameter is assumed to be trusted but comes directly from the client without sanitization”, the researcher explains.

“This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the `xi_session` and `xi_users` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets”.

SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)

An authorized user with access to control host escalations can run any database query using Nagios XI’s Core Configuration Manager.

The same database access is possible through this vulnerability as through previous SQL Injection vulnerabilities, although it necessitates more privileges than CVE-2023-40931.

SQL Injection in Announcement Banner Settings (CVE-2023-40933)

In this case, while performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query, the researcher said.

Compared to CVE-2023-40931, successful exploitation of this vulnerability needs more privileges but provides the same database access as the other two SQL Injection Vulnerabilities.

Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)

Reports say Nagios XI may be modified to include a unique corporate logo, which will be visible across the entire product. Included in this are the login page, various administration pages, and the landing page.

A cross-site scripting flaw in this functionality allows an attacker to inject arbitrary JavaScript, which any user’s browser will be able to execute.

“This can be used to read and modify page data, as well as perform actions on behalf of the affected user. Plain-text credentials can be stolen from users’ browsers as they enter them.,” reports said.

Fix Available

All of these vulnerabilities have been fixed, and users are encouraged to update to 5.11.2 or later.

The commercial version of the open-source Nagios Core monitoring platform, Nagios XI, offers more functionality that makes managing complicated IT settings easier.

Because of the access that Nagios XI requires, it is frequently used in highly privileged instances, making it an attractive target for attackers.

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks


InfoSec tools
 | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL injection


Sep 18 2023

Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise

Category: Forensics,Mobile Security,Security Toolsdisc7 @ 8:53 am

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.

It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

Mobile Verification Toolkit key features

MVT’s capabilities are continuously evolving, but some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.

Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Mobile Verification Toolkit


Sep 15 2023

Attackers hit software firm Retool to get to crypto companies and assets

Category: App Security,Crypto,Security Toolsdisc7 @ 3:18 pm

Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.

According to a CoinDesk report, one the known victims is Fortress Trust, i.e., four of its customers who accessed their crypto funds via a portal built by Retool.

It all started with an SMS

The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.

The phishing text message. (Source: Retool)

Spoofed to look like it was coming from the company’s IT department, the goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call by the attacker.

“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,” Snir Kodesh, Retool’s head of engineering, shared on Wednesday.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.”

And because the employee’s MFA codes were synched with their Google account, the attacker now had access to all MFA tokens held within that account.

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),” Kodesh noted, and added that the attacker also poked around some of the Retool apps – but didn’t specify which ones.

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.”

Who’s to blame?

“Social engineering can affect anyone,” Kodesh noted, and “even with perfect training and awareness of these attacks, mistakes will happen.” He also put some on the blame for the hack on Google.

The company recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud and made it easier to activate the feature than not to.

“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this ‘feature’. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” he explained.

“Through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”

Of course, Google cannot be blamed for this breach entirely – Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.

If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed – as a similar attack against Cloudflare employees did a year ago.

The investigation is ongoing

Retool is working with law enforcement and a third party forensics firm to investigate the breach in depth.

So far, they found that 27 cloud customers have been affected (and they notified them all), but that on-premise Retool customers remain secure.

“Retool on-prem operates in a ‘zero trust’ environment, and doesn’t trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh noted.

Fortress’ customers, on the other hand, apparently lost nearly $15 million.

UPDATE (September 15, 2023, 04:35 a.m. ET):

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,” Google stated.

“Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

Application Security Program Handbook: A guide for software engineers and team leaders

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 10 2023

Security Controls and Vulnerability Management

IS27002 Control:-Vulnerability Management
Why penetration test is important for an organization.
Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards.
#informationsecurity #cyberdefense #cybersecurity
Cheat sheet for pentester
Image credit:-https://lnkd.in/eb2HRA3n

Linux Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: vulnerability management


Sep 08 2023

CALDERA: FREE OPERATIONAL TECHNOLOGY OT ATTACK EMULATION TOOL TO SECURE ICS, SCADA AND PLC DEVICES

Category: OT/ICS,Scada Security,Security Toolsdisc7 @ 7:23 am

MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.

The MITRE Calder for OT is now accessible to the general public as an addition to the open-source Caldera platform that may be found on GitHub. This would make it possible for cybersecurity specialists who deal with industrial control systems (ICS) to carry out automated adversary simulation exercises. These exercises will have the goal of testing and improving their cyber defenses on a constant basis. In addition to this, this includes security inspections as well as exercises involving red, blue, and purple teams.

This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).

The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021.
Work done by CISA and HSSEDI to automate opponent emulation simulations in CISA’s Control Environment Laboratory Resource (CELR) served as the foundation for the OT extension, which was developed upon that work. This made it possible to identify hostile strategies that may be implemented in Caldera.

The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.

These plugins, which are stored in the “caldera-ot” repository, are essential instruments for the protection of operational technology (OT) settings.

They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.

The purpose of these plugins is to facilitate enemy simulation inside the OT environment. This was the driving force behind their development.

Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.

In addition to this, it is compatible with classic use cases for Caldera, such as rigorous testing of security mechanisms and operator training.

The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.

A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.

Users may apply the following command in order to install the whole collection of Caldera for OT plugins:

git clone https://github.com/mitre/caldera-ot.git –recursive


Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.

At the moment, the following three important plugins are available:

  1. BACnet Catering to Building Automation and Control Networks (BACnet) protocol.
  2. DNP Addressing the Distributed Network Protocol 3 (DNP3).
  3. Modbus Supporting the Modbus protocol.

Open-Source OT Protocol Libraries That Are Unified And Exposed To Users. Caldera for OT plugins is a service provided by MITRE that aims to standardize and expose open-source OT protocol libraries, making them available for use as protocol-specific plugins. Each plugin comes with its own extensive documentation.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

Cyber Defence Strategy using NIST and MITRE ATT&CK Frameworks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Caldera, MITRE ATT&CK, MITRE Caldera


Aug 28 2023

Security Onion 2.4: Free, open platform for defenders gets huge update

Category: Security Toolsdisc7 @ 8:55 am

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It has been downloaded over 2 million times and is being used by security teams worldwide. Security Onion 2.4 comes with many updates, and the hotfix 2.4.10 release is available on GitHub.

For network visibility, they offer signature-based detection via Suricata, rich protocol metadata and file extraction using Zeek or Suricata, full packet capture via Stenographer, and file analysis via Strelka.

For host visibility, Security Onion offers the Elastic Agent, which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All these logs flow into Elasticsearch, and they’ve built their own UIs for alerts, dashboards, threat hunting, case management, and grid management.

New features in Security Onion 2.4

Over the past year of developing Security Onion 2.4, the developers added new features to give you a better experience and make you more efficient:

Security Onion Console (SOC) has many new features to make you more efficient as a defender:

  • SOC now allows you to add a value directly from a record in Hunt, Dashboards, or Alerts as an observable to an existing or new case
  • SOC includes a new DNS lookup capability
  • SOC includes pivots for relational operators on numbers
  • SOC Cases support dynamic observable extraction
  • SOC can import PCAP and EVTX files

SOC has many new administration features, so you can spend less time managing your deployment and more time hunting adversaries.

  • You can manage users via SOC’s Administration section
  • SOC’s Administration section also includes a new Grid Members Interface to manage adding and removing nodes
  • You can configure most aspects of your deployment via the Configuration interface
  • SOC’s Grid interface has been improved to show more status information about your nodes
  • The installer has been simplified and configuring new members of the grid will take place in the Grid Members interface
  • SOC authentication has been upgraded to include additional authentication protections, such as rate-limiting login requests. It also supports passwordless login via Webauthn

Endpoint telemetry is more powerful and easier to manage.

  • The primary endpoint agent is now Elastic Agent and it provides data collection and live queries via embedded osquery. It replaces the previous osquery, Beats, and Wazuh
  • Elastic Agent is managed in Elastic Fleet
  • Elastic Agent and Elastic Fleet support Elastic Integrations
  • Grafana has been removed and all health metrics can be found in InfluxDB
  • The Security Onion ISO image has upgraded from CentOS 7 to Oracle Linux 9

Security Onion Documentation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Security Onion


Aug 17 2023

FREE CITRIX ADC ZERO-DAY SCANNER TOOL ALLOWS DISCOVERING CVE-2023-3519  VULNERABLE SERVERS

Category: Security Tools,Zero daydisc7 @ 9:36 am

In the past, Citrix was found to have a Zero-Day vulnerability in its Citrix NetScaler Application Delivery Controller (ADC), which made it possible for malicious actors to carry out remote code execution.

It was discovered that the zero-day vulnerability was being used in the wild, hence it was assigned the CVE ID 2023-3519 and the severity rating of 9.8 (Critical). Citrix did provide fixes to address the vulnerability, but there was no way to determine whether or not a particular Citrix appliance had been compromised.

A new report states that it has been discovered that more than 1900 NetScalers are still infected with a backdoor. This information was obtained during a recent investigation.

Mandiant has launched a tool to assist business defenders in determining whether Citrix networking devices have been hacked in light of the fact that thousands of Citrix networking products are still susceptible to a major vulnerability that has not been patched and are accessible on the internet.

Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0 are all compatible versions with which the IoC Scanner may be utilized.

On July 18, Citrix released a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products. The company also recommended that businesses that use the vulnerable products immediately deploy the fix. The vulnerability might be exploited to allow for the execution of unauthenticated remote code. The vulnerability is already being aggressively exploited by a number of threat organizations, who are doing so by establishing web shells within corporate networks and carrying out hundreds of attacks.

According to the findings of the researchers, there are still close to 7,000 examples available on the web. Around 460 of them had Web shells installed, most likely as a result of being compromised.

This application, which may be found on GitHub, was developed by Mandiant and has the ability to determine the file system paths of known malware, post-exploitation activities in shell history etc. The independent Bash script may be executed directly on a Citrix ADC device to search for known indications in files, processes, and ports. (The utility must be executed on the appliance in live mode while logged in as root.) According to Mandiant, it can also examine a forensic image that has been mounted for use in an investigation.

This application has a wide variety of functionality, such as scanning,

File system path that could be a malware
Shell history for suspicious commands
NetScaler directories and files that match with IOCs
Suspicious file permissions or ownership
Instances of Crontab
Malicious processes running on the system

This solution, which was created in partnership with Citrix and Mandiant, has the only purpose of assisting enterprises in preventing compromised systems and scanning for evidence of their presence.

According to Mandiant, the IoC Scanner will do a “best-effort job” of detecting compromised items; nevertheless, it is possible that it may not be able to locate all infected devices or determine whether or not the device is susceptible to being exploited. According to the company, “This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519,” which is a vulnerability.

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: CITRIX ADC ZERO-DAY, CVE-2023-3519


Aug 05 2023

Open-source penetration testing tool BloodHound CE released

Category: Pen Test,Security Toolsdisc7 @ 2:17 pm

SpecterOps released version 5.0 of BloodHound Community Edition (CE), a free and open-source penetration testing solution that maps attack paths in Microsoft Active Directory (AD) and Azure (including Azure AD/Entra ID) environments. It is available for free on GitHub.

Identifying simple Attack Paths between two objects is a straightforward “search and click” exercise

This update brings many enterprise-grade usability features to BloodHound CE, like containerized deployment, REST APIs, user management, and access control. It also significantly improves performance while streamlining development allowing for faster development and incorporation of community contributions.

“The way that BloodHound Community Edition maps out Attack Paths in AD and Azure is unique – there isn’t another tool (or feature within either of those) that can find hidden and unintentional relationships to identify complex Attack Paths that attackers can exploit. After this update, the tool will offer a user experience closer to an enterprise-grade product than an open-source tool,” Andy Robbins, co-creator of BloodHound and a Principal Product Architect at SpecterOps, told Help Net Security.

The entire UI is driven via RESTful APIs and includes a full Swagger spec within the application

New features

Support for REST APIs â€“ BloodHound CE is a three-tier application with a database, an API layer, and a web-based user interface. Users can now use REST APIs to interact with data rather than needing to write queries directly to the database.

Containerized deployment â€“ The tool will deploy as a containerized product. This much simpler process will reduce deployment time by 80%. This also makes it easier for users with different sized environments to manipulate the resources assigned to BloodHound.

Enterprise-grade user management â€“ This update adds built-in full multi-user support with RBAC, the ability to create and assign user roles, and support for two-factor authentication and SAML to BloodHound CE.

Protected Cypher searches â€“ Cypher queries will include available guardrails to automatically cancel queries that will cause performance or security issues.

Reliability and performance upgrade â€“ Routine maintenance updates will make the tool faster, more resilient, and more reliable.

More frequent updates and community contributions â€“ These changes will allow SpecterOps to increase the rate of updates and new features added to BloodHound CE going forward and will increase the number of pull requests from the community that can be implemented.

Better community support â€“ More similarities between BloodHound CE and BloodHound Enterprise under the hood means users will have better access to support and documentation for both.

BloodHound was created in 2016 by Rohan Vazarkar, Will Schroeder, and Andy Robbins. It has been downloaded nearly 500,000 times and has over 12,000 users in the BloodHound Community Slack. The tool has been recommended by CISA and Microsoft to help secure Microsoft Active Directory and Azure AD.

Checkout our posts on security tools

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

CISSP training course

InfoSec tools | InfoSec services | InfoSec books


Jul 31 2023

Tools for cloud transition and securing cloud environments?

Category: Cloud computing,Security Toolsdisc7 @ 10:06 am

CISA released a fact-sheet, listing some of the great tools that CISA offers for orgs to transition and secure their cloud environments?

Five tools are described in the fact-sheet, along with other guidance to “…provide network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, detecting, and mitigating cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.”

1- The Cyber Security Evaluation Tool – CISA developed the Cyber Security Evaluation Tool (CSET) using industry-recognized standards, frameworks, and recommendations to assist organizations in evaluating their enterprise and asset cybersecurity posture.

2- Secure Cloud Business Applications (SCuBA) project – which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments.

3- Untitled Goose Tool – CISA, together with Sandia National Laboratories, developed the Untitled Goose Tool to assist network defenders with hunt and incident response activities in Microsoft Azure, AAD, and M365 environments.

4- Decider – assists incident responders and analysts in mapping observed activity to the MITRE ATT&CK framework.

5- Memory Forensic on Cloud – Memory Forensic on Cloud, developed by JPCERT/CC, is a tool for building a memory forensic environment on Amazon Web Services.

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: CISA security tools


Jul 22 2023

TOP 5 FREE CLOUD SECURITY TOOLS, THAT CAN PROTECT YOUR AWS & AZURE CLOUD DATA FROM HACKERS

Category: Cloud computing,Security Toolsdisc7 @ 1:14 pm

The Cybersecurity and Infrastructure Security Agency (CISA) has come up with a list of free tools that businesses may use to protect themselves in cloud-based settings. According to the article published by CISA, these tools will assist incident response analysts and network defenders in mitigating, identifying, and detecting threats, known vulnerabilities, and abnormalities that occur in settings that are cloud-based or hybrid.During an attack, threat actors have generally focused their attention on servers located on the premises. However, several threat actors have been drawn in by the fast expansion of cloud migration in order to target cloud systems due to the vast number of attack vectors that are available when it comes to the cloud.

Organizations who do not have the essential capabilities to protect themselves against cloud-based attacks may benefit from the tools that are supplied by CISA. These technologies may assist users in securing their cloud resources from data theft, information exposure, and information theft respectively.
The Cloud Industry Security Alliance (CISA) stated that companies should use the security features supplied by Cloud Service Providers and combine them with the free tools that were recommended by the CISA in order to defend themselves from these attacks. The following is a list of the tools that the CISA provides:

  1. Cybersecurity Evaluation Tool (CSET).
  2. The SCuBAGear tool.
  3. The Untitled Goose Tool
  4. Decider Tool
  5. Memory Forensic on Cloud (JPCERT/CC) is an offering of Japan CERT.

THE CYBERSECURITY EVALUATION TOOL, ALSO KNOWN AS THE CSET.


For the purpose of assisting enterprises in the assessment of their cybersecurity posture, the CISA created this tool, which makes use of standards, guidelines, and recommendations that are widely accepted in the industry. Multiple questions about operational rules and procedures, as well as queries on the design of the system, are asked by the tool.This information is then utilized to develop a report that gives a comprehensive insight into the strengths and shortcomings of the businesses, along with suggestions to remedy them. The Cross-Sector Cyber Performance Goals (CPG) are included in the CSET version 11.5. These goals were established by the National Institute of Standards and Technology (NIST) in collaboration with the Computer Security Industry Association (CISA).

M365 SECURE CONFIGURATION BASELINE ASSESSMENT TOOL, SCUBAGEAR


SCuBAGear is a tool that was developed as a part of the SCuBA (Secure Cloud Business Applications) project. This project was started as a direct reaction to the Supply Chain hack that occurred with SolarWinds Orion Software. SCuBA is a piece of automated software that does comparisons between the Federal Civilian Executive Branch (FECB) and the M365 Secure configurations of the CISA. CISA, in conjunction with SCuBAGear, has produced a number of materials that may serve as a guide for cloud security and are of use to all types of enterprises. This tool resulted in the creation of three different documents:

SCuBA Technical Reference Architecture (TRA) — Offers fundamental building blocks for bolstering the safety of cloud storage environments. Cloud-based business apps (for SaaS models) and the security services that are used to safeguard and monitor them are both included in the purview of TRA.
The Hybrid Identity Solutions Architecture provides the best possible methods for tackling identity management in an environment that is hosted on the cloud.
M365 security configuration baseline (SCB) — offers fundamental security settings for Microsoft Defender 365, OneDrive, Azure Active Directory, Exchange Online, and other services.This application generates an HTML report that details policy deviations outlined in the M365 SCB guidelines and presents them.

UNTITLED GOOSE TOOL


The tool, which was created in collaboration with Sandia National Laboratories, is designed to assist network defenders in locating harmful behaviors in Microsoft Azure, Active Directory, and Microsoft 365. Additionally, it enables the querying, exporting, and investigating of audit logs.Organizations who do not import these sorts of logs into their Security Incident and Event Management (SIEM) platform will find this application to be quite helpful. It was designed as an alternative to the PowerShell tools that were available at the time since those tools lacked the capability to gather data for Azure, AAD, and M365.

This is a tool that Network Defenders may use to,

Extraction of cloud artifacts from Active Directory, Microsoft Azure, and Microsoft 365
The Unified Audit Logs (UAL) should have time bounding performed on them.
Collect data making use of the time-bounding feature of the MDE (Microsoft Defender Endpoint) data Decider Tool.
Incident response analysts may find it useful to map malicious actions using this tool in conjunction with the MITRE ATT&CK methodology. In addition to this, it makes their methods more accessible and offers direction for laying out their actions in the appropriate manner.

DECIDER TOOL

This tool, much like the CSET, asks a number of questions in order to give relevant user inquiries for the purpose of selecting the most effective identification technique. Users now have the ability to, given all of this information:

Export heatmaps from the ATT&CK Navigator.
Publish reports on the threat intelligence you have collected.
Determine and put into effect the appropriate preventative measures.
Prevent Exploitation
In addition, the CISA has given a link that describes how to use the Decider tool.

MEMORY FORENSIC ON CLOUD (JPCERT/CC)


It was built for constructing and analyzing the Windows Memory Image on AWS using Volatility 3, which was the reason why it was developed. In addition, Memory Forensics is necessary when it comes to the recently popular LOTL (Living-Off-the-Land) attacks, which are also known as fileless malware. 
Memory image analysis may be helpful during incident response engagements, which often call for the use of high-specification equipment, a significant amount of time, and other resources in order to adequately prepare the environment.

Practical Cloud Security: A Guide for Secure Design and Deployment

InfoSec books | InfoSec tools | InfoSec services

Tags: Free CLOUD SECURITY TOOLS, Practical Cloud Security


Jul 21 2023

12 open-source penetration testing tools you might not know about

Category: Hacking,Pen Test,Security Toolsdisc7 @ 12:19 pm

Red Siege has developed and made available many open-source tools to help with your penetration testing work.

The company plans to continue to support the tools listed below, whether in the form of bug fixes or new features. Give them a try, they’re all available on GitHub for free.

“I find joy in writing code, turning it into a logic puzzle to create powerful software tools. The satisfaction of seeing my creations in action, like EyeWitness, brings a sense of pride and saves valuable time. Motivated by the possibility of filling a software gap, I open source my creations, hoping they’ll benefit others as they did for me,” Chris Truncer, Senior Security Consultant & Director of Training, Red Siege, told Help Net Security.

AutoFunkt

AutoFunkt is a Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles.

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.

DigDug

Dig Dug works by appending words from a dictionary to an executable. This dictionary is appended repeatedly until the final desired size of the executable is reached. Some AV & EDR engines may measure entropy to determine if an executable is trustworthy for execution. Other vendors inspect executables for signs of null byte padding.

dumpCake

dumpCake will dump password authentication attempts to the SSH daemon. Every SSHD child process will get attached to and at the completetion of the process, the attempted passwords and connection logs will be dumped to the script.

EyeWitness

EyeWitness takes screenshots of websites, collects server header info, and identifies default credentials if possible. Saves a lot of time triaging web sites on large tests. This tool is very commonly used by penetration testers looking to sift through a long list of websites.

EDD – Enumerate Domain Data

Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers. Blue teams can use this file as a honeyfile. By monitoring for access to the file, Blue Teams can detect pen testers or malicious actors scanning for GPP files containing usernames and cpasswords for lateral movment.

Just-Metadata

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. It is used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen.

ProxmarkWrapper

ProxmarkWrapper is a wrapper around the Proxmark3 client that will send a text alert (and/or email if warranted) if a RFID card is captured.

Wappybird

Wappybird is a ultithreaded Wappalyzer CLI tool to find web technologies, with optional CSV output. You can also provide a directory and all scraped data will be saved with a subfolder per host.

WMImplant

WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant requires local administrator permissions on the targeted machine.

WMIOps

WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It’s designed primarily for use on penetration tests or red team engagements.

Security Controls Evaluation, Testing, and Assessment Handbook

InfoSec books | InfoSec tools | InfoSec services

Tags: Open source, Penetration Testing tools


Jul 18 2023

CISA Released Free Cloud Security Tools to Secure Cloud Data

Category: CISA,Security Toolsdisc7 @ 8:59 am

The Cybersecurity & Infrastructure Security Agency (CISA) has released a list of free tools for organizations to secure themselves in cloud environments.

The post from CISA stated that these tools will help incident response analysts and network defenders to mitigate, identify and detect threats, known vulnerabilities, and anomalies in the cloud or hybrid environments.

Threat actors have traditionally targeted internal servers during an attack. However, the rapid growth of cloud migration has attracted several threat actors to target cloud environments as the attack vector is massive when it comes to the cloud.

The tools provided by CISA will aid organizations that lack the necessary tools to defend against cloud threats. These tools can help in protecting their cloud resources from information theft, data theft, and information exposure.

Tools + Pre-built Security features

CISA also mentioned that organizations should use the security features provided by the Cloud Service Providers and combine them with the free tools suggested by the CISA for protecting against these threats. The tools provided by the CISA are,

  • The Cybersecurity Evaluation Tool (CSET) (CISA)
  • SCuBAGear (CISA)
  • The Untitled Goose Tool (CISA)
  • Decider (CISA)
  • Memory Forensic on Cloud (JPCERT/CC)

The Cyber Security Evaluation Tool (CSET)

This tool was developed by the CISA that uses industry-recognized standards, frameworks, and recommendations to assist organizations in their cybersecurity posture evaluation. The tool asks multiple questions about system components, architecture, and operational policies and procedures.

This information is then used to generate a report that provides a complete insight into the strengths and weaknesses of the organizations including the recommendations to fix them. The CSET version 11.5 includes Cross-Sector Cyber Performance Goals (CPG) which was developed by the CISA and the NIST (National Institute of Standards and Technology).

CPG can provide best practices and guidance that all organizations should follow. This tool can help against common and impactful TTPs. 

SCuBAGear M365 Secure Configuration Baseline Assessment Tool

SCuBAGear is a tool that was a part of the SCuBA (Secure Cloud Business Applications) project that was initiated in response to the Supply Chain compromise of SolarWinds Orion Software. SCuBA is an automated script that compares the Federal Civilian Executive Branch (FECB) against M365 Secure configurations of the CISA.

In collaboration with SCuBAGear, CISA created multiple documents that can guide cloud security that can help all organizations. Three documents were created as part of this tool,

  • SCuBA Technical Reference Architecture (TRA) â€“ Provides essential components for hardening cloud security. The scope of TRA adds cloud business applications (for SaaS models) and the security services used to secure and monitor them.
  • Hybrid Identity Solutions Architecture â€“ Provides best approaches for addressing identity management in a Cloud environment.
  • M365 security configuration baseline (SCB) â€“ provides basic security configurations for Microsoft Defender 365, OneDrive, AAD, Exchange Online etc.

This tool provides an HTML report highlighting policy deviations described in the M365 SCB guides.

Untitled Goose Tool

This tool was developed alongside Sandia National Laboratories which can help network defenders identify malicious activities in Microsoft Azure, AAD, and M365. It can also help query, export, and investigate audit logs.

This tool is extremely useful for organizations that do not ingest these kinds of logs into their Security Incident and Event Management (SIEM) tool. It was developed as an alternative to PowerShell tools since they did not have data collection capacity for Azure, AAD, and M365.

Network Defenders can use this tool to,

  • Cloud artifacts extraction from AAD, Azure, and M365
  • Perform time bounding of the Unified Audit Logs (UAL)
  • Extra data within time bound
  • Collect data using the capability of time bounding for MDE(Microsoft Defender Endpoint) data

Decider Tool

This tool can help incident response analysts to map malicious activities with the MITRE ATT&CK framework. It also provides an easier approach to their techniques and provides guidance for mapping the activities accordingly.

Just like CSET, this tool also asks several questions to provide relevant user queries for determining the best possible identification method. With this information, the users can now,

  • Export ATT&CK Navigator heatmaps
  • Publish Threat Intelligence reports 
  • Identify and execute mitigation procedures
  • Prevent Exploitation

The CISA has also provided a link on how to use the Decider tool.

Memory Forensic on Cloud (JPCERT/CC)

It was developed for building and analyzing the Windows Memory Image on AWS using Volatility 3. Furthermore, Memory Forensics is required when it comes to the newly trending LOTL (Living-Off-the-Land) attacks which are otherwise called fileless malware.

A memory image analysis can help during incident response engagements that usually require high-specification machines, time, and resources to prepare a sufficient environment.

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: Secure Cloud Data


Jun 23 2023

10 open-source recon tools worth your time

Category: OSINT,Security ToolsDISC @ 8:30 am

Altdns

Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) and takes in a list of subdomains you know of.

From these two lists provided as input to Altdns, the tool then generates a massive output of “altered” or “mutated” potential subdomains that could be present. It saves this output so that it can then be used by your favorite DNS brute-forcing tool.

Amass

The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.

The high adoption rate of Amass potentially means better data consistency and integration with other tools. As such, it can constitute a trustworthy tool to use in proof of concepts and engagements, and it may be easier to convince your clients or manager to use it for periodic mapping of the organization’s attack surface.

Aquatone

Aquatone is a tool for the visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. Aquatone is started by piping the output of a command into the tool. It doesn’t really care how the piped data looks, as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means you can give it the output of any tool you use for host discovery.

Assetfinder

Assetfinder lets you find domains and subdomains potentially related to a given domain. Implemented:

  • crt.sh
  • certspotter
  • hackertarget
  • threatcrowd
  • wayback machine
  • dns.bufferover.run
  • facebook
  • virustotal
  • findsubdomains

Gobuster

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites
  • DNS subdomains (with wildcard support)
  • Virtual Host names on target web servers
  • Open Amazon S3 buckets
  • Open Google Cloud buckets
  • TFTP servers

Gotator

Gotator is a tool to generate DNS wordlists through permutations.

HTTPX

HTTPX is a fully featured HTTP client library for Python 3. It includes an integrated command line client, has support for both HTTP/1.1 and HTTP/2, and provides both sync and async APIs.

Naabu

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT/UDP scans on the host/list of hosts and lists all ports that return a reply.

MASSCAN: Mass IP port scanner

MASSCAN is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine. Its usage (parameters, output) is similar to Nmap, the most famous port scanner.

WhatWeb – Next generation web scanner

WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

InfoSec tools | InfoSec services | InfoSec books

Tags: open-source recon tools


Jun 06 2023

10 Best Vulnerability Scanner Tools For Penetration Testing – 2023

Category: Pen Test,Security Toolsdisc7 @ 3:07 pm

Vulnerability Scanner Tools is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.

The Vulnerability scanning tools help detect security loopholes in the application, operating systems, hardware, and network systems.

Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.

What do Vulnerability Scanner Tools do?

Vulnerability scanners are one right way to do this. With their continuous and automated scanning procedures, they can scan the network for potential loopholes.

It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.

Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.

In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.

What are the Three types of Vulnerability Scanners?

This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.

Following are the types of vulnerability scanners

  • Discovery Scanning
  • Full Scanning
  • Compliance Scanning

What is an example of a Vulnerability Scanner?

The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online

In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.

10 Best Vulnerability Scanner Tools

Vulnerability Scanner ToolsKey Features

Vulnerability Manager Plus
Customization of Patches to Application
Detecting zero-day vulnerabilities
Audit end-of-life software
Security recommendations
Custom Scan Configuration
Tripwire IP360Flexible Scanning
Full Network Discovery
Vulnerability Risk Scoring
Asset Discovery
Nessus vulnerability scannerTarget Profiling
Sensitive data discovery
Malware Detection
PCI DSS requirements
Vulnerability scanning
Comodo HackerProofDaily Vulnerability Scanning
Web-based Management Tool
PCI Scanning Tools
Nexpose communityReal Risk Score
Integration with Metasploit
Powerful Reporting
Adaptive Security
OpenVAS Vulnerability ScannerTargeted IP Address
Task Naming
Authorized (credentialed) Scans
Scheduling scans
NiktoSupport for Proxy with authentication
Cookies Support
Username Enumeration
Outdated component report
WiresharkLive capture and offline analysis
Deep inspection of protocols
VoIP analysis
Read/write Capture file
Coloring rules
Aircrack-ngAnalyzing WiFi networks for weaknesses
Capture and injection of WiFi cards
Sniff wireless packets
Recover lost keys
Retina network security scannerDiscover the Full network Environment
Identify Application Flaw
Analyze threats and gain security intelligence

10 Best Vulnerability Scanner Tools 2023

  1. OpenVAS Vulnerability Scanner
  2. Tripwire IP360
  3. Nessus vulnerability scanner
  4. Comodo HackerProof
  5. Nexpose community
  6. Vulnerability Manager Plus
  7. Nikto
  8. Wireshark
  9. Aircrack-ng
  10. Retina network security scanner

Nmap Network Exploration and Security Auditing Cookbook: Network discovery and security scanning at your fingertips

InfoSec tools | InfoSec services | InfoSec books

Tags: Nmap, Scanner Tools


May 30 2023

The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals

Category: CISA,OT/ICS,Security ToolsDISC @ 9:27 am

The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.

These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.

In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) mandated by the US Cybersecurity Infrastructure & Security Agency (CISA).

Recently, CISA updated the CPGs to align with NIST’s standard cybersecurity framework, establishing each of the five goals as a prioritized subset of IT and OT cybersecurity practices.

In this article, we will look in more detail at CISA’s revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.

CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment

CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address all these sub-categories exclusively to achieve the first CPG.

Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.

At the same time, organizations must establish OT leadership by clearly identifying a single leader who will be responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory or glossary that clearly identifies and tracks all OT and IT assets across the entire ecosystem. These assets should be regularly audited based on their vulnerability management program. It’s also highly critical to have an open, public, and easily accessible communication channel where vendors, third parties, or employees can disclose any potential vulnerability in relation to the OT and IT assets.

CPG 2.0 Protect: Safeguarding privileged access to OT assets

CISA’s second CPG is “Protect”, which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.

Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.

It’s also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and to continuously monitor personnel activity during all remote OT connections.

CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment

CISA’s third CPG emphasizes the detection of relevant threats and knowledge of potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.

Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solution should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.

A critical aspect of threat detection in OT environments — and meeting the CPG mandate — is the sharing of information and collaboration between various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this valuable data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover any weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.

CPG 4.0 and 5.0: Respond and Recover

The final two CISA’s CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today’s interconnected and increasingly remote networking era. So, while proactive security solutions are necessary, attacks still are unavoidable, especially in a highly targeted sector like critical infrastructure.

Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.

Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.

Conclusion

Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.

CISA’s OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA’s recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.

InfoSec tools | InfoSec services | InfoSec books

Tags: CISA, Cybersecurity Performance Goals, ICS, Industrial Cybersecurity, OT


May 08 2023

RECONSHARK: NEW UNDETECTABLE RECONNAISSANCE TOOL USED BY CYBERCRIMINALS FOR HACKING

Category: Cybercrime,Security Toolsdisc7 @ 1:21 pm

Kimsuky is an advanced persistent threat (APT) organization that originates in North Korea and has a lengthy history of launching targeted attacks all around the globe. According to what is currently known about the organization, they have been mainly tasked with conducting information gathering and espionage activities in behalf of the North Korean government from at least the year 2012. Throughout the course of history, Kimsuky targets have been spread throughout several nations in North America, Asia, and Europe. In its most recent efforts, the organization has continued their strategy of worldwide targeting, which is centered on a variety of contemporary geopolitical concerns. The most recent Kimsuky ads, for instance, have been centered on nuclear agendas between China and North Korea; these agendas are pertinent to the continuing confrontation between Russia and Ukraine. In 2018, the gang was seen deploying a malware family known as BabyShark, and  most recent observations show that the group has developed the malware with an enhanced capacity for reconnaissance. Experts call to this component of BabyShark as ReconShark.

During a recent campaign, Kimsuky targeted the employees of the Korea Risk Group (KRG), which is an information and analysis organization that specializes in subjects that have both direct and indirect effects on the Democratic People’s Republic of Korea (DPRK). Kimsuky continues to employ phishing emails that have been carefully designed by himself for the purpose of deploying ReconShark. Notably, spear-phishing emails are created with a degree of design quality customized for certain persons, which increases the possibility that the target would open the email. This involves using correct formatting, language, and visual signals so that the content seems authentic to readers who are not paying attention. Notably, both the targeted emails, which include links to download harmful papers, as well as the malicious documents themselves, exploit the names of genuine people whose knowledge is relevant to the subject matter of the bait, such as Political Scientists.

Kimsuky’s nefarious emails include a link that, when clicked, will direct the recipient to a file that requires a password in order to access it. Most recently, they started hosting the infected document for download on Microsoft OneDrive, which is a cloud storage service.Exfiltrating information about the infected platform is the primary function of ReconShark. This includes information about current processes, information about the battery that is attached to the device, and information about endpoint threat detection measures that have been implemented.

In a manner similar to those of earlier iterations of BabyShark, ReconShark depends on Windows Management Instrumentation (WMI) to query information on processes and batteries. ReconShark does more than just steal information; it also distributes additional payloads in a multi-stage process. These payloads may be built as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. The types of detecting mechanism processes that are active on compromised computers are taken into consideration when ReconShark chooses which payloads to send out.

In order to avoid being detected by static analysis methods, some ReconShark sequences are encoded using a pretty simple encryption. Typically, the instructions or scripts that are included inside these strings are for downloading and/or running payloads. All of the infrastructure that has been spotted as part of this campaign is housed on a shared hosting server provided by NameCheap. LiteSpeed Web Server (LSWS) was often used by operators of the Kimsuky malware in order to manage the harmful functionality. The continual attacks by Kimsuky and their use of the innovative reconnaissance tool ReconShark provide insight on the ever-changing nature of the North Korean threat environment. Organizations and people need to be aware of the tactics, techniques, and procedures (TTPs) utilized by North Korea state-sponsored advanced persistent threats (APTs) and take the required steps to defend themselves against attacks of this kind.

Field Manual FM 3-98 Reconnaissance and Security Operations

  InfoSec tools | InfoSec services | InfoSec books

Tags: RECONSHARK


Next Page »