Network attack and defense standards/frameworks

Penetration Testing Execution Standard (PTES)

The Penetration Testing Execution Standard is an implementation specification for penetration tests. It defines seven stages:

1. Pre-engagement interaction stage

The test team interacts with the customer organization to determine the scope, objectives, constraints and service contract details.

Collect customer requirements, prepare the test plan, define the test scope and boundaries, define the business objectives, and handle project management and planning.

2. Intelligence gathering

Once the scope is determined, various information sources and collection techniques are used to learn as much as possible about the target organization's network topology, system configuration and security defenses: open-source information queries, Google hacking, social engineering, network snooping, scanning and probing, passive listening, service checking, and more.

3. Threat modeling stage

After enough intelligence has been collected, the team discusses the information obtained, performs threat modeling and attack planning, and sorts the findings to identify the most feasible attack channel.

4. Vulnerability analysis stage

After the most feasible attack channel has been determined, the team considers how to obtain access to the target system. The intelligence acquired and aggregated in the previous stages is analyzed to identify attack points, which are then verified in the environment. Previously unknown security vulnerabilities that can be exploited are identified, and exploitation code is developed to open up the attack channel.

5. Exploitation phase

The vulnerabilities found are used to actually gain access to the target system; in a black-box test, the penetration testers also need to clean up the traces they leave behind.

6. Post-penetration test phase

The penetration testing team needs to independently design its objectives according to the target organization's business model, the form of the assets it protects and the particular characteristics of its security defense plan: identify the critical infrastructure, find the information assets the organization values most and works hardest to protect, and finally demonstrate the attack path that would have the greatest impact on the customer's business.

7. Reporting phase

The report covers every aspect of the penetration test, including the execution process itself, and helps defenders analyze the weaknesses and existing problems found and the technical solutions for patching and upgrading the security defense system.

Cyber kill chain

A cyberattack model proposed by Lockheed Martin in 2011. Each stage of an attack on a target system is mapped to what a real-world intruder does.

Step 1, reconnaissance: similar to the PTES intelligence gathering stage described above;

Step 2, weaponization: writing the tools, backdoors and viruses to be used (exploits, weapons, malware);

Step 3, delivery: the weapon is delivered to (or "poisons") the target by means such as watering holes and spear phishing;

Step 4, exploitation: a vulnerability is exploited to gain control of the target;

Step 5, installation: the backdoor or Trojan is started on the target system;

Step 6, command and control: persistent control over the target is established;

Step 7, actions on objectives: the actual goal is carried out, such as stealing data or damaging the system.

MITRE ATT&CK framework

The ATT&CK framework is a general knowledge framework proposed by MITRE in 2013; its name stands for Adversarial Tactics, Techniques, and Common Knowledge.

ATT&CK is a reorganized cyber security knowledge system built from real-world attack and defense cases and data. It adopts the Tactics, Techniques and Procedures (TTPs) methodology from military warfare and aims to establish a common language for network security.

For example, we often hear about APT attacks, threat intelligence, situational awareness and so on, and individuals and enterprises understand these terms differently, so there is always some deviation. With the ATT&CK framework that deviation largely disappears: exactly what the red team attacks and exactly how the blue team defends can be marked on the ATT&CK matrix in every detail, the attack route and the defense process can be displayed graphically, and both sides share a common language.

ATT&CK consists of three parts: PRE-ATT&CK, ATT&CK for Enterprise and ATT&CK for Mobile. For study and research we can focus on ATT&CK for Enterprise.

In this chart, Tactics are shown on the horizontal axis (in the latest version there are 12 Tactics, up from 10) and Techniques on the vertical axis (156 Techniques and 272 sub-techniques).

(Figure: ATT&CK Enterprise matrix)

MITRE

MITRE is a non-profit organization in the United States. With the support of the U.S. Department of Defense, the Department of Homeland Security and other government bodies, MITRE operates a number of technology research centers working in various defense-related high-tech fields, including cyber security. MITRE initiated or operates several standards in the cyber security field, such as STIX/TAXII 1.0 (STIX/TAXII 2.0 is now operated by OASIS), and knowledge bases such as CAPEC, MAEC, CWE, CVE and ATT&CK. Aimed at threat modeling, attack classification and threat intelligence, these together form a relatively complete security ecosystem.

ATT&CK

MITRE's Adversarial Tactics, Techniques, and Common Knowledge framework provides a common language for cyberspace security. Its uses include adversary emulation, red team penetration and so on, and it presents attack plans in a two-dimensional matrix.

The goal of MITRE ATT&CK is to create an exhaustive list of the known adversary tactics and techniques used in cyber attacks. Put simply, ATT&CK is MITRE's "Adversarial Tactics, Techniques, and Common Knowledge" framework: a curated repository of the tactics and techniques attackers use against enterprises.

Tactics

The adversary's tactical goals; each tactic on the horizontal axis is covered by multiple techniques.

Techniques

The ways in which a tactic is carried out.

Mitigations

Defenses against an attack technique.

Terminology

Vulnerabilities

vulnerability

By technical classification there are command execution, permission bypass, injection, weak password, etc.; by time, a vulnerability may be a 0-day, 1-day or N-day.

CVE

Common Vulnerabilities and Exposures. CVE is like a dictionary: it gives a common name to each widely recognized, publicly disclosed information security vulnerability or weakness. If a vulnerability in a vulnerability report has a CVE name, the corresponding patch information can quickly be found in any other CVE-compatible database to resolve the security issue.

CVE numbers are assigned by MITRE, a US organization, through CNA organizations, and vulnerability severity is rated with the CVSS system.

PoC

A Proof of Concept (PoC) is an incomplete implementation of an idea that proves its feasibility and demonstrates its principle. The purpose of a PoC is to test a concept or theory. In security it usually means a vulnerability verification program or attack sample that can only confirm that a vulnerability exists, not exploit it.

exploit

To exploit; refers to a valuable piece of attack code or an exploitation process. Common exploit classes include SQL injection, buffer overflows, remote code execution, and so on.

payload

The attack payload usually refers to the customized code or program the attacker executes on the target machine after the exploit has compromised it, such as code that establishes a session, shellcode, etc.

shellcode

Shellcode is a piece of code executed when a software vulnerability is exploited. It is machine code (usually shown as hex bytes), and is so named because it often gives the attacker a shell. Shellcode is typically written in machine language. After a memory overflow overwrites EIP, shellcode placed in memory can be executed by the CPU, so the computer runs whatever instructions the attacker chooses.

Malicious programs

malware

Malicious software or programs; common kinds are viruses, Trojans and ransomware.

virus

A virus usually attaches itself to other files or programs; it does not replicate and spread on its own, but starts when the host program is run and damages the target system.

worm

A worm can run independently of other files or programs, replicates and spreads itself over the network, and carries out destructive actions.

trojan horse

A Trojan horse (Trojan for short) lurks inside legitimate software, does not copy or spread itself and is highly covert. When run, it creates a back door through which the target system is remotely controlled and monitored.

ransomware

Ransomware runs independently of other files, can replicate and spread itself over the network, and carries out extortion by cryptographically hijacking the target system.

spyware

Spyware, also called rogue or malicious software, collects users' personal information and performs webpage hijacking, URL redirection, etc.

rootkits

An advanced Trojan; generally refers to malicious programs that obtain root privileges and bypass antivirus software.

Infrastructure

C2

Command and control server: a server, usually a cloud host so as not to expose the attacker, that remotely controls the target host and sends it instructions.

Chicken (zombie host)

A computer or device infected with malicious software that can be taken over by attackers.

Botnet

A large distributed network made up of thousands of zombie hosts ("chickens"), used to carry out DDoS attacks and the like.

Attack methods

APT

Advanced Persistent Threat: an insidious and persistent computer intrusion, usually orchestrated by someone for a specific purpose. APTs are often commercially or politically motivated, target specific organizations or countries, and require a high degree of secrecy over long periods of time. The name breaks down into advanced, persistent and threat: advanced emphasizes the use of sophisticated malware and techniques to exploit vulnerabilities in systems; persistent means an outside force continuously monitors and extracts data from a particular target; threat means the attack is orchestrated by people.

0-day

A 0-day is a vulnerability that has not been patched and whose exploit has not been released by its discoverer. Because the details of the vulnerability are not public and the vendor has not released a patch, it is theoretically impossible to defend against.

Spear phishing

A type of phishing attack that usually sends a Trojan horse program as an e-mail attachment to the target computer and induces the victim to open the attachment, infecting the machine with the Trojan.

Watering hole attack

As the name suggests, this technique sets up a "watering hole" on the victim's path. Most commonly the attacker analyzes the target's online activity, looks for weaknesses in a website the target visits frequently, compromises that website first and plants attack code on it. Once the target visits the website, it is "caught".

DDoS

Distributed denial of service. A DDoS attack is a distributed, coordinated, large-scale denial-of-service attack built on DoS. A single DoS attack is usually one-to-one: it exploits defects in network protocols and operating systems and uses deception and disguise to flood the web server with a large volume of requests, so that network bandwidth or system resources are exhausted, the network or system is overwhelmed and paralyzed, and normal network services stop. Compared with a DoS attack launched from a single host, a DDoS attack is a group action launched by hundreds or even thousands of hosts that have been compromised and had the attack program installed.

Dragging the database (拖库)

The process of breaking into a website by exploiting vulnerabilities (such as SQL injection) and dumping its database.

Credential stuffing (撞库)

Leaked username and password information collected from the Internet is compiled into a dictionary, and batch login attempts against other websites yield a set of accounts that can be logged into. Many users reuse the same account and password on different websites, so an attacker who obtains a user's account on website A can try to log in to website B with it; it can be understood as a "collision" attack.
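From the defender's side, the signature of a credential-stuffing run is one source trying many distinct usernames with mostly failures, unlike a legitimate user retyping one password. The following is an added example, not from the original page or its sources: a small detector over constructed login log lines in an assumed `ip=... user=... result=ok|fail` format, which also reports the accounts that did succeed so they can be reset.

```python
import re
from collections import defaultdict

# Constructed sample login log lines (not from any real system).
# Assumed format: "<time> ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 ip=203.0.113.5 user=alice result=fail
2024-01-01T10:00:02 ip=203.0.113.5 user=bob result=fail
2024-01-01T10:00:02 ip=203.0.113.5 user=carol result=ok
2024-01-01T10:00:03 ip=203.0.113.5 user=dave result=fail
2024-01-01T10:00:03 ip=203.0.113.5 user=erin result=fail
2024-01-01T10:00:04 ip=203.0.113.5 user=frank result=fail
2024-01-01T10:00:10 ip=198.51.100.7 user=alice result=fail
2024-01-01T10:00:15 ip=198.51.100.7 user=alice result=fail
2024-01-01T10:00:20 ip=198.51.100.7 user=alice result=ok
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")


def parse_log(text):
    """Yield (ip, user, success) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "ok"


def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried at least min_users
    distinct usernames with a failure ratio of at least min_fail_ratio.
    A single user mistyping a password touches one username and is
    not flagged; a stuffing run touches many and mostly fails."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "hits": set()})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)      # reused credential that worked
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised_accounts": sorted(s["hits"])}
    return flagged
```

The accounts listed under `compromised_accounts` are the ones whose reused password matched and should be reset; the second source, one user retrying their own password, is deliberately not flagged.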

Content sources

【Chen Xinjie】Red team quick start | Red-blue confrontation, ATT&CK framework, Cyber Kill Chain | Learn from scratch with the red team, episode 01

【Chen Xinjie】Red team jargon collection | Master 30 high-frequency network security terms in 1 hour | Learn from scratch with the red team, episode 02

Penetration Testing Process (PTES)

Learn from scratch with the red team 01: red team quick start | ATT&CK framework, Cyber Kill Chain

Cyber Kill Chain