Module 01 - Introduction to Ethical Hacking
Module 01 - Introduction to Ethical Hacking¶
Element of Information Security¶
| Name | Description |
|---|---|
| Confidentiality | Only authorized users can access information |
| Integrity | Data is accurate and unaltered |
| Availability | Resources accessible when needed |
| Authentication | Verify identity of user/device |
| Non-repudiation | Cannot deny authorship of an action |
Vulnerabilities, Threats, and Risks¶
| Term | Description |
|---|---|
| Vulnerability | Weakness exploitable by an attacker |
| Threat | Potential cause of harm |
| Risk | Likelihood of harm if threat exploits vulnerability |
Common Reasons for Vulnerabilities¶
| Reason |
|---|
| Hardware/software misconfiguration |
| Insecure or poor design |
| Inherent technology weakness |
| End-user carelessness |
| Intentional end-user actions |
Examples of Vulnerabilities¶
| Technological | Configuration |
|---|---|
| TCP/IP (HTTP, FTP, ICMP, SNMP, SMTP) | User accounts – insecure transmission |
| OS – unpatched/insecure | System accounts – weak passwords |
| Network devices – no auth, weak routing | Internet services – misconfigured IIS/Apache/FTPDefault credentialsMisconfigured routers/firewalls |
Classification of Attacks¶
| Type | Examples |
|---|---|
| Passive | Traffic analysis, footprinting, sniffing |
| Active | DoS, MitM, privilege escalation, injections |
| Close-in | Shoulder surfing, eavesdropping, physical tampering |
| Insider | Data theft, sabotage, malware planting, Pod Slurping |
| Distribution | Hardware/software tampering during supply chain |
Information Warfare (InfoWar) – Libicki's 7 Categories¶
| Type | Description |
|---|---|
| C2 Warfare | Control over a compromised system/network |
| Intelligence-based | Sensor-based; design, protect, deny intel systems to dominate battlespace |
| Electronic | Radio/cryptographic techniques to degrade communication |
| Psychological | Propaganda and terror to demoralize adversaries |
| Hacker | Cyberattacks to disrupt/destroy systems (viruses, trojans, logic bombs) |
| Economic | Block information flow to damage economy |
| Cyber | Broadest form; includes info terrorism, semantic attacks, simula-warfare |
Hacker Classes¶
| Class | Background | Motivations | Activity | Targets |
|---|---|---|---|---|
| Script Kiddies | Inexperienced, use pre-made tools | Thrill, fun | DDoS, defacement | Small websites, games |
| White Hat | Cybersecurity professionals | Improve security, salary | Pentest, vuln assessment | Corporations, governments |
| Black Hat | Extraordinary computing skills | Financial gain, harm | Malware, phishing, ransomware | Banks, enterprises |
| Gray Hat | Between ethical and unethical | Recognition, curiosity | Unauth vuln discovery | High-profile orgs |
| Hacktivists | Politically/socially motivated | Promote a cause | DDoS, defacement, leaks | Governments, corporations |
| State-Sponsored | Gov-trained professionals | Espionage, national security | Cyber espionage, sabotage | Foreign agencies, corporations |
| Cyber Terrorists | Extremists | Fear, ideology | Critical infrastructure attacks | Infrastructure, public services |
| Corporate Spies | Hired intel gatherers | Competitive advantage | Industrial espionage | Competitor companies |
| Blue Hat | Temp security testers | Product security | Security audits, pentest | Tech/software companies |
| Red Hat | Vigilantes vs black hats | Cyber justice | Attack black hats | Cybercriminals |
| Green Hat | Newcomers, learning | Curiosity, recognition | Simple attacks, experimenting | Low-risk targets |
Other Hackers Types¶
| Class | Description |
|---|---|
| Suicide Hackers | Individuals who carry out attacks with no regard for personal consequences, often motivated by ideology or revenge |
| Hacker Teams | Groups of hackers who collaborate on attacks, often sharing knowledge, tools, and resources, found vulnerabilities |
| Insiders | Employees or trusted individuals who exploit their access for malicious purposes |
| Criminal Syndicates | Organized groups that engage in cybercrime for financial gain |
| Organized Hackers | Group of hackers working to criminal activities |
Explain Ethical Hacking Concepts and Scope¶
Do only authorized activities by contract, Nondisclosure agreements, and legal boundaries. They perform DoS only if they have previously agreed with the client.
Skills of an Ethical Hacker¶
| Skill | Description |
|---|---|
| Technical Skill | Proficiency in various technologies, systems, and networks to identify and exploit vulnerabilities. Knowledge of programming, networking, security tools, OS and applications. |
| Non-Technical Skill | Quick learning, ethical mindset, problem-solving, communication, and analytical skills. |
AI Driven Hacking¶
| Benefits | Description |
|---|---|
| Efficiency | Automates repetitive tasks, faster vulnerability scanning and exploitation |
| Accuracy | Reduces human error, identifies complex patterns and vulnerabilities |
| Scalability | Can analyze large datasets and systems, enabling comprehensive security assessments |
| Cost-Effectiveness | Reduces time and resources needed for security testing, making it more accessible |
| Automation of Repetitive Tasks | Frees up human hackers to focus on more complex and creative aspects of ethical hacking |
| Predictive Analysis | Anticipates potential attack vectors and vulnerabilities based on historical data and trends |
| Advanced Threat Detection | Identifies sophisticated threats that may evade traditional security measures, enhancing overall security posture (zero-day vulnerabilities, anomaly detection) |
| Enhanced Decision-Making | Provides insights and recommendations based on data analysis, helping ethical hackers make informed decisions during security assessments |
| Adaptive Learning | Continuously learns from new data and attack techniques, improving its effectiveness over time |
| Enhanced Reporting | Generates detailed reports and visualizations of security assessments, making it easier for stakeholders to understand vulnerabilities and risks |
| Simulation and Testing | Simulates attacks and tests defenses in a controlled environment, allowing ethical hackers to evaluate the effectiveness of security measures and identify weaknesses |
| Scalability | Can analyze large datasets and systems, enabling comprehensive security assessments that may be impractical for human hackers alone |
| Continuous Monitoring | Provides real-time monitoring and alerts for potential security threats, allowing ethical hackers to respond quickly to emerging risks |
| Adaptive Defense Mechanism | AI can adapt its defense strategies based on evolving threats, making it more effective in protecting against new and emerging attack techniques |
Explain Hacking Methodologies and Frameworks¶
Phases of Ethical Hacking Framework¶
| Phase | Description |
|---|---|
| Reconnaissance | Gathering information about the target system or network to identify potential vulnerabilities. Port scanning, enumeration |
| Vulnerability Scanning | Identifying and analyzing vulnerabilities in the target system or network. Automated tools, manual testing |
| Gaining Access | Exploiting identified vulnerabilities to gain unauthorized access to the target system or network. Exploitation techniques, social engineering and privilege escalation |
| Maintaining Access | Establishing a persistent presence on the target system or network to ensure continued access. Backdoors, rootkits, trojans, services or registry modifications |
| Clearing Tracks | Removing evidence of the attack to avoid detection and maintain anonymity. Log manipulation, file deletion, anti-forensics techniques |
Cyber Kill Chain (Lockheed Martin)¶
| Phase | Description |
|---|---|
| Reconnaissance | Attacker gathers information about the target to identify vulnerabilities and plan the attack. |
| Weaponization | Attacker creates a malicious payload (e.g., malware, exploit) to deliver to the target. |
| Delivery | Attacker transmits the weaponized payload to the target (e.g., email, drive-by download). |
| Exploitation | Attacker exploits a vulnerability in the target system to execute the payload. |
| Installation | Attacker installs malware or establishes a foothold on the target system. |
| Command and Control (C2) | Attacker establishes communication with the compromised system to control it remotely. |
| Actions on Objectives | Attacker achieves their goals (e.g., data exfiltration, system disruption) using the compromised system. |
Tactic, Techniques, and Procedures (TTPs)¶
| Term | Description |
|---|---|
| Tactic | The overall goal or objective of an attack (e.g., data exfiltration, system disruption). It defines the way an attacker operates to achieve their objectives. |
| Technique | The specific method or approach used by an attacker to achieve a tactic (e.g., phishing, SQL injection). It describes how an attacker accomplishes a particular task. |
| Procedure | The detailed steps or actions taken by an attacker to execute a technique (e.g., crafting a phishing email, exploiting a SQL injection vulnerability). It outlines the specific actions an attacker takes to carry out a technique. |
Adversary Behavior Identification¶
| Behavior | Description |
|---|---|
| Internal Reconnaissance | Attacker gathers information about the internal network and systems after gaining access. |
| Use of PowerShell | Attacker utilizes PowerShell for various tasks, such as reconnaissance, exploitation, and maintaining access. |
| Unspecified Proxy Activties | An attacker can create and configure multiple domains pointing to the same host, making it difficult to identify the true source of the attack. |
| Use of Command-line Interface | Attacker uses command-line tools to execute commands and perform actions on the target system. |
| HTTP User Agent Manipulation | Attacker modifies the HTTP User-Agent header to disguise their identity or evade detection. |
| Command and control (C2) Communication | Attacker establishes communication with the compromised system to control it remotely. |
| DNS Tunneling | Attacker uses DNS queries and responses to exfiltrate data or establish communication with the compromised system. |
| Web Shells | Attacker deploys web shells to maintain access and control over the compromised system. |
| Data Staging | Attacker prepares and organizes data for exfiltration from the compromised system. |
Indicator of Compromise (IoC)¶
| IoC | Description |
|---|---|
| Email IoC | Indicators related to email-based attacks, such as phishing emails, malicious attachments, or suspicious sender addresses. |
| Network IoC | Indicators related to network-based attacks, such as unusual traffic patterns, unauthorized access attempts, or communication with known malicious IP addresses, malware delivery, URLs, domain names. |
| Host-Based IoC | Indicators related to host-based attacks, such as filenames, file hashes, registry keys, DLLs, mutex. |
| Behavioral IoC | Indicators related to attacker behavior, such as unusual user activity, unauthorized access attempts, or suspicious command execution. Malicious IP, viruses signatures, MD5 hash, domain names, use of PowerShell and RCE. |
MITRE ATT&CK Framework¶
| Tactic | Description |
|---|---|
| Reconnaissance | Gathering information about the target to identify vulnerabilities and plan the attack. |
| Resource Development | Attacker creates or acquires resources (e.g., infrastructure, tools) to support the attack. |
| Initial Access | Attacker gains initial access to the target system or network. |
| Execution | Attacker executes malicious code or commands on the target system. |
| Persistence | Attacker establishes a persistent presence on the target system to maintain access. |
| Privilege Escalation | Attacker elevates their privileges on the target system to gain more control. |
| Defense Evasion | Attacker employs techniques to evade detection and avoid defenses. |
| Credential Access | Attacker attempts to steal or access credentials to gain further access. |
| Discovery | Attacker gathers information about the target system and network after gaining access. |
| Lateral Movement | Attacker moves laterally within the target network to access additional systems. |
| Collection | Attacker gathers data from the target system for exfiltration. |
| Command and Control | Attacker establishes communication with the compromised system to control it remotely. |
| Exfiltration | Attacker exfiltrates data from the target system. |
| Impact | Attacker achieves their goals (e.g., data destruction, system disruption) using the compromised system. |
Diamond Model of Intrusion Analysis¶
| Component | Description |
|---|---|
| Adversary | The individual or group responsible for the attack. |
| Victim | The target of the attack, which can be an individual, organization, or system. |
| Capability | The skills, knowledge, and resources possessed by the adversary to execute the attack. |
| Infrastructure | The tools, techniques, and resources used by the adversary to carry out the attack. |
Additional Event Meta-Features:¶
| Meta-Feature | Description |
|---|---|
| Timestamp | The date and time when the attack event occurred. |
| Phase | The stage of the attack lifecycle (e.g., reconnaissance, weaponization, delivery, exploitation) during which the event took place. |
| Result | The outcome or impact of the attack event (e.g., successful compromise, failed attempt, data exfiltration). |
| Direction | The direction of the attack (e.g., inbound, outbound) indicating whether the attack is targeting the victim or originating from the victim. |
| Methodology | The specific techniques or tactics used by the adversary during the attack event (e.g., phishing, SQL injection, lateral movement). |
| Resources | The tools, infrastructure, or resources utilized by the adversary during the attack event (e.g., malware, command and control servers). |
Extended Diamond Model¶
This model extend the original model by adding Socio-Political and Technology features | Component | Description | |---|---| | Socio-political | The political context or motivations behind the attack, such as geopolitical tensions, ideological beliefs, or state-sponsored activities. | | Technology | Describes the relationship between the infrastructure and capability and how technology can enable both infrastructure and capability for communication, coordination, and execution of attacks. |
Summarize the Techniques used in Information Security Controls¶
Information Assurance¶
| Processes |
|---|
| Developing local policy, process, and guidance |
| Designing network and user authentication strategies |
| Identifying network vulnerabilities and threats |
| Identifying problem and resource requirements |
| Creating plans for identified resource requirements |
| Applying appropriate information assurance controls |
| Performing certification and accreditation |
| Providing information assurance training |
Continual/Adaprive Security Strategy¶
| Strategy | Description |
|---|---|
| Protection | Implementing security measures to prevent attacks and protect assets. Policies, physical security, host security, firewall and IDS |
| Detection | Implementing measures to identify and respond to attacks in a timely manner. SIEM, IDS, honeypots, anomaly detection |
| Response | Developing and implementing plans to respond to security incidents and mitigate their impact. Incident response plans, communication protocols, containment strategies |
| Prediction | Utilizing threat intelligence and analytics to anticipate and proactively defend against potential attacks. Threat modeling, vulnerability assessments, predictive analytics |
Defense in Depth¶
Risk¶
| Term | Description |
|---|---|
| Risk | The potential for loss or damage to an organization's assets, operations, or individuals due to threats exploiting vulnerabilities. Is calculated by a formula: Risk = Threat x Vulnerability x ImpactRisk = Threat x Vulnerability x Asset Value |
Risk Level¶
| Risk Level | Description |
|---|---|
| Low | Risk is acceptable and can be tolerated without significant impact. |
| Medium | Risk is moderate and may require additional controls or mitigation strategies. No immediate action is required but action should be implemented quickly. |
| Extreme or High | Risk is unacceptable and requires immediate attention and mitigation to prevent significant impact. Identify controls to reduce risk to a reasonably low level. |
Risk Matrix¶
| Probability | Likelihood | Insignificant | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|---|
| 81 - 100% | Very High Probability | Low | Medium | High | Extreme | Extreme |
| 61 - 80% | High Probability | Low | Medium | High | High | Extreme |
| 41 - 60% | Equal Probability | Low | Medium | Medium | High | High |
| 21 - 40% | Low Probability | Low | Low | Medium | Medium | High |
| 1 - 20% | Very Low Probability | Low | Low | Medium | Medium | High |
Risk Management¶
| Step | Description |
|---|---|
| Identify | Identify and categorize assets, threats, and vulnerabilities. |
| Assess | Assess the likelihood and impact of identified risks. |
| Treatment | Develop and implement strategies to mitigate or manage identified risks. |
| Risk Tracking and Review | Continuously monitor and review risks to ensure that mitigation strategies are effective and to identify new risks. |
Threat Intelligence¶
| Type | Description |
|---|---|
| Strategic | High-level information about threat actors, their motivations, capabilities, potential targets, geopolitical context. Used for long-term planning and decision-making. |
| Tactical | Information about specific attack techniques, tactics, and procedures (TTPs) used by threat actors. Used for operational planning and defense. |
| Operational | Information about specific threats, such as indicators of compromise (IoCs), attack patterns, and vulnerabilities. Used for immediate response and mitigation. |
| Technical | Information about specific technical details of threats, such as malware signatures, IP addresses, domain names, and file hashes. Used for detection and prevention. |
Threat Intelligence Lifecycle¶
| Phase | Description |
|---|---|
| Planning and Direction | Define intelligence requirements, set objectives, and allocate resources for threat intelligence activities. |
| Collection | Gather raw data from various sources, such as open-source intelligence (OSINT), human intelligence (HUMINT), technical intelligence (TECHINT), and social media intelligence (SOCMINT), measurement and signature intelligence (MASINT), and imagery intelligence (IMINT). |
| Processing and Exploitation | Analyze and process collected data to extract relevant information and identify patterns, trends, and relationships to use them in data analysis and decision-making. |
| Analysis and Production | Analyze processed data to produce actionable intelligence, such as threat assessments, attack patterns, and vulnerability reports. Objective, Timely, Accurate, and Actionable. |
| Dissemination and Integration | Share and disseminate produced intelligence to relevant stakeholders, such as security teams, management, and external partners, to inform decision-making and enhance security posture. Strategic, Tactical, Operational, Technical |
Threat Modeling¶
| Methodology | Description |
|---|---|
| Indentify Security Objectives | Define the security goals and objectives for the system or application being analyzed and how much effort should be allocated to achieve them. |
| Application Overview | Create a high-level overview of the system or application, including its components, data flows, and interactions with external entities. |
| Decompose the Application | Break down the system or application into smaller components and analyze each component for potential vulnerabilities and attack vectors. |
| Identify Threats | Identify potential threats and attack vectors that could exploit vulnerabilities in the system or application. |
| Identify Vulnerabilities | Identify vulnerabilities in the system or application that could be exploited by identified threats. |
Incident Handling and Response¶
| Phase | Description |
|---|---|
| Preparation | Establish and maintain an incident response capability, including policies, procedures, tools, and training. |
| Incident Recording and Assignment | Record and categorize incidents, this phase handles identifying an incident and defining proper incident communication plans for the employees. |
| Incident Triage | Assess the severity and impact of the incident, attack type, severity, target, propagation methods to prioritize response efforts. |
| Notification | Notify appropriate stakeholders, such as management, legal, and external partners, about the incident. |
| Containment | Implement measures to contain the incident and prevent further damage, such as isolating affected systems, blocking malicious traffic, and disabling compromised accounts. |
| Evidence Collection and Analysis | Collect and analyze evidence related to the incident to determine the cause, scope, and impact of the attack. |
| Eradication | Remove the root cause of the incident and any related artifacts, such as malware, backdoors, and unauthorized access. |
| Recovery | Restore affected systems and services to normal operation, ensuring that vulnerabilities are addressed |
| Post-Incident Activity | Conduct a post-incident review to identify lessons learned, improve incident response processes, and enhance overall security posture. |
Role of AI and ML in Cyber Security¶
| Application | Description |
|---|---|
| Supervised Learning | AI models are trained on labeled datasets to classify and detect known threats, such as malware, phishing emails, and network intrusions. Classification identifies class from test sample, regression predicts labels of continuous values. |
| Unsupervised Learning | AI models analyze unlabeled data to identify patterns, anomalies, and potential threats without prior knowledge of specific attack signatures. Clustering groups similar data points, anomaly detection identifies outliers. |
How AI and ML Prevents Cyber Attacks¶
| Application | Description |
|---|---|
| Password protection and authentication | AI can analyze biometric data, user behavior, and other authentication factors to enhance security and prevent unauthorized access. |
| Phishing detection | AI can analyze email content, sender information, and other factors to identify and block phishing attempts. |
| Threat detection and response | AI can analyze network traffic, system logs, and other data to identify and respond to potential threats in real-time. |
| Vulnerability management | AI can analyze software and systems to identify vulnerabilities and prioritize them for remediation. |
| Behavioral analysis | AI can analyze user behavior and network activity to identify anomalies that may indicate a potential attack. |
| Network Security | AI can analyze network traffic to identify and block malicious activity, such as DDoS attacks, malware communication, and unauthorized access attempts. |
| AI-based Antivirus | AI can analyze files and processes to identify and block malware, including zero-day threats that may not have known signatures. |
| Botnet Detection | AI can analyze network traffic and behavior to identify and block botnet activity, which is often used for large-scale attacks such as DDoS. |
| AI-driven Threat Intelligence | AI can analyze vast amounts of data to identify emerging threats, attack patterns, and vulnerabilities, providing actionable intelligence for proactive defense. |
Security Laws and Standards¶
| Law/Standard | Description | Keywords |
|---|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. | Credit cards, ATM, POS |
| Health Insurance Portability and Accountability Act (HIPAA) | A US law that sets standards for the protection of sensitive patient health information, including requirements for data security, privacy, and breach notification. | Healthcare, patient data, privacy, National Provider Identifier Standard (NPI) |
| Sarbanes-Oxley Act (SOX) | A US law (2002) that establishes requirements for financial reporting and corporate governance, including provisions for data security and internal controls. | Financial reporting, corporate governance, internal controls, stakeholders, 2002 |
| The Digital Millennium Copyright Act (DMCA) | A US law (1998) that criminalizes the unauthorized distribution and reproduction of copyrighted material, including provisions for online service providers and digital rights management. | Copyright, intellectual property, online service providers, digital rights management, 1998 |
| Federal Information Security Management Act (FISMA) | A US law (2002) that requires federal agencies to implement information security programs to protect government information and systems. | Federal agencies, information security programs, government information, systems. |
| General Data Protection Regulation (GDPR) | A European Union regulation (2018) that sets standards for the protection of personal data and privacy, including requirements for data processing, consent, and breach notification. | Personal data, privacy, data processing, consent, breach notification, 2018 |
| Data protection Act (DPA) | A UK law (2018) that sets standards for the protection of personal data and privacy, including requirements for data processing, consent, and breach notification. | Personal data, privacy, data processing, consent, breach notification, 2018 |
ISO/IEC 27000 Series¶
| Standard | Description | Keywords |
|---|---|---|
| ISO/IEC 27001:2022 | An international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). | Information security management, risk management, controls |
| ISO/IEC 27701:2019 | Extends ISO/IEC 27001 to include privacy information management, providing guidelines for managing personal data and ensuring compliance with privacy regulations. | Privacy management, personal data, GDPR |
| ISO/IEC 27002:2022 | Provides best practive and control for critical areas such as access control, cryptography, physical security, and incident management. | Information security controls, best practices |
| ISO/IEC 27005:2022 | Provides guidelines for information security risk management, including risk assessment, risk treatment, and risk acceptance. | Risk management, risk assessment, risk treatment |
| ISO/IEC 27018:2019 | Focuses on the protection of personally identifiable information (PII) in public cloud computing environments, providing guidelines for implementing controls to protect PII. | Cloud security, PII protection, privacy |
| ISO/IEC 27032:2023 | Explain the relationship between internet, web, network security, and cybersecurity. | Internet security, web security, network security, cybersecurity |
| ISO/IEC 27033-7:2015 | Provides guidelines for the implementation of network virtualization security. | Network virtualization, security |
| ISO/IEC 27036-3:2023 | Provides guidelines for information security in supplier relationships. | Supplier relationships, information security |
| ISO/IEC 27040:2024 | Provides guidelines for storage security, including data storage, backup, and recovery. | Storage security, data storage, backup, recovery |