
Cyber Security, DFIR & SOC Interview Questions [Update 2020]

Cyber Security is an exciting field, and everyone wants to explore this domain and make a career in it. Still, the problem is that they have no idea how to get in, and even if they do, they don't know what type of questions they might face in an interview.

A few years back @Miss_Malware asked for everyone's favourite security analyst and DFIR interview questions, which gave me the idea to compile a list of questions that are asked in every interview in one way or another. What follows is a list of questions which you may face in an interview.

All these questions have been compiled with the help of @Miss_Malware's Twitter thread, contributions from friends and very intelligent internet searches :P. All the relevant sources (read: those I remember) are mentioned at the end of the post.

GENERAL

  • What is DNS and at what port does it run?
  • Differentiate between TCP & UDP?
  • How does HTTP handle state?
  • Does TLS use symmetric or asymmetric encryption?
  • What is a three-way handshake?
  • What is “Risk”? What is “Risk Management”?
  • Which leg of the CIA triad is the most Important?
  • What do you understand by Risk, Vulnerability & Threat in a network?
  • What is the difference between policies, processes and guidelines?
  • As a Pen-tester, is being a 1337 hax0r or doing a good job more important to you?
  • Describe the SHA-1 hash.
  • How would you explain to a business user why we are not giving them local admin to their machine?
  • What is MD5 checksum?
  • Answer true or false and explain your answer: “Two-factor authentication protects against session hijacking.”
  • Walk me through if you are a threat actor, how would you compromise an organisation in all three domains (Physical, Digital, and Human).
  • Name three Internet protocols which use TCP, three which use UDP, and two which use neither, and state which port each runs on.
  • If I am on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC to complete a traceroute to twitter.com?
  • What’s the difference between encoding, encryption, and hashing?
  • Can you describe rainbow tables?
  • If you had to both encrypt and compress data during transmission, which would you do first, and why?
  • In public-key cryptography, you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which purpose?
  • What are the advantages offered by bug bounty programs over regular testing practices?
  • Who’s more dangerous to an organisation, insiders or outsiders?
  • Who do you look up to within the field of Information Security? Why?
  • You have just stepped onto the elevator with your CEO. They ask you how secure we are. What do you say?
  • You have an unlimited budget and resources. Please draw the most secure corporate network for my organisation. It must have specific components including but not limited to: the Internet, one user subnet, at least one Active Directory server, one web server (with backend database) on the Internet, one Human Resources server, WiFi for your users, a VPN, etc.

VULNERABILITY ASSESSMENT AND PENETRATION TESTING

  • What is Cross-Site Request Forgery?
  • In what category does XXE fall?
  • How can SQL Injection lead to remote code execution?
  • What is the most significant security issue with microservices and APIs?
  • What is the difference between VA(Vulnerability Assessment) and PT(Penetration Testing)?
  • What is the difference between HIDS and NIDS?
  • I have a /24 subnet of hosts on the Internet that I would like you to pen-test. Take me through, in detail, all the steps that you will go through in this assessment.
  • On assessment, you have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to infiltrate Active Directory hashes from the AD servers. How do you accomplish this?
  • What kind of attack is ARP Spoofing considered, and how could you leverage it on a penetration test?
  • What are some common ways that TLS is attacked, and what are some ways it’s been attacked in the past?
  • During the penetration test, you find an instance of Outlook Web Access belonging to the client. Describe how you would attack this?
  • You are performing an onsite penetration test. You do not want to perform any active scanning. How would you gather credentials?
  • How would you target a database that you know lies behind a jump server with an unknown IP address?
  • Describe the last program or script that you wrote. What problem did it solve?
  • What kind of attacks are you vulnerable to when you are using weak ciphers?
  • Which department in an organisation is more likely to get attacked first?
  • What is some of the low-hanging fruit you go after as a pen-tester?
  • Describe three of the most common ways an external attacker today might attempt to gain access to a network.
  • On what port does ping run?
  • What are the common vulnerabilities in Enterprise WiFi network?
  • How would you bypass a network IDS?
  • What are some parts of the HTTP header and why is this important as a security analyst?
  • Suppose you have physical access to a machine on a corporate domain that you are testing. It is connected to their You do not have credentials for the domain or local computer. You also have your laptop. How would you begin testing?
  • What is the purpose of the same-origin policy in relation to the document object model?
  • You are launching a Metasploit reverse HTTPS meterpreter payload against a host that is vulnerable to your attack, but once you type "exploit" nothing happens after it launches the attack. How would you debug this (or what would you change to get your meterpreter session)?

Digital Forensics and Incident Response

  • What is the primary reason to not upload targeted malware to VT?
  • What DFIR evidence do you gather first, and why?
  • Why is DNS monitoring essential?
  • Assume a user forwards you a suspected phishing email. How do you respond and handle it?
  • Excluding atomic IoCs, provide three examples of how you would detect evil in the network.
  • What percentage of malware in the wild do you think AV can detect?
  • Explain to me why you need to consider scope in the “identification” stage of IR.
  • What is the primary problem with bash history as a forensic artefact, and name one way to partially recreate this data during an investigation?
  • How will you identify a malicious file without executing it?
  • How will you unpack malware? Moreover, in how many ways?
  • How will malware try to evade analysis? What are the ways?
  • Given a binary, how would you say it has been packed, and how would you figure out which packer was used?
  • Name at least three different vulnerability scanners and the patterns used to identify them.
  • How would you validate a false positive?
  • How would you validate a false negative?
  • How would you design and execute an incident response plan?
  • What are the differences between FAT32 and NTFS?
  • Describe how the TCP handshake works?
  • What’s the difference between an IDS and an IPS? Give examples of each.
  • Name four types of DNS records and what they signify.
  • What sorts of anomalies would you look for to identify a compromised system?
  • You get a report that your company’s LAMP website may be being DDoSed. How do you investigate?
  • What are the different ways to find out the actual creation date of a file from a disk image, and how can you be sure that the date is correct?
  • Explain the difference between local and network authentication and walk me through the authentication process?
  • What will be your primary data sources for detecting botnet activity?
  • What is a disadvantage of signature-based malware detection?
  • An incident has been reported that an enterprise host was identified communicating with a known malicious external host. The incident responders have already blocked the communication and have requested the disk for forensic investigation. You are the forensic analyst on duty when the disk arrives. How will you begin the investigation?

Malware Analysis, Exploit Writing and Cryptography

  • How would you bypass ASLR?
  • How would you bypass SafeSEH?
  • Explain the behaviour and your analysis methodology of any new APT
  • What is DEP? How can it be bypassed?
  • Explain a PE file.
  • How does keylogging work?
  • What is code injection?
  • What are the APIs used by malware to connect to the server?
  • How can you unpack a malware and in how many ways?
  • In what ways does malware try to evade analysis?
  • Explain the Anti-Debugging techniques employed by macro malware.
  • What are different types of breakpoints, what is their use and when to use those breakpoints?
  • Describe what Buffer overflow is and how you would test for it?
  • Describe what SEH is and how you exploit it?
  • Describe how debugger modules and plugins can speed up initial exploit development?
  • How do interrupts work in a debugger? What are the opcodes for them?
  • What are salted hashes?
  • How do UAF exploits work?
  • Differentiate between symmetric and asymmetric encryption?
  • In public-key cryptography, which key is used for what function (think the public/private & encryption/signing)?
  • Which of these algorithms is better than the others and why: AES-128, AES-192 and AES-256?
  • What is the difference between CBC mode and ECB mode of encryption?
  • What is a Windows Portable Executable?
  • What is the ESP register used for in the Intel x86–32 architecture?
  • During the execution of a piece of malware in a segregated virtual lab environment, the sample was observed making an HTTP GET request for a text file. Because the lab is separated from the Internet, the sample did not receive the text file. What would you do to move the investigation forward?

Security Operation Center (SOC) and Blue Team  

  • What is the Blue Team, and what purpose does it serve?
  • Let's say we ask you to implement a new SIEM. What will be your approach?
  • What are the essential components of Security Operation Center?
  • Given an HTTP traffic log between a machine on your network and a 3rd party website (e.g. Google), what would the source and destination ports look like?
  • What are the fundamentals of SOC?
  • What is SIEM, and what does it do?
  • SOC analysts are required to collect information from multiple sources; how can you determine which information is relevant?
  • What is the difference between Cyber Threat and Cyber Attack?
  • What is IOC and IOA, what is the difference between them?
  • Define the concepts of handling alerts, analysing alerts and triaging alerts?
  • What is the need of Threat Intelligence in Security Operation Center?
  • Does setting up a SIEM solution alone complete the SOC?
  • What are measures to evaluate SOC maturity?
  • Describe the importance of Playbooks and Workflows in SOC.
  • How often should you perform Patch management?
  • Why is DNS monitoring necessary?
  • What sorts of anomalies would you look for to identify a compromised system?
  • What are security risks associated with BYOD environment?
  • How can you detect SQL injection? What is the most common SQL injection tool?
  • How would you identify a CSRF Attack?

Feel free to contact me if you have any comments on the questions, or if you have ideas for additions.

Sources: @MissMalware, Himanshu Khokhar, Ravi Kiran, Daniel Miessler


Low-Cost Honeypots as Enterprise Defense Mechanism


Since the launch of Fred Cohen's Deception Toolkit in 1998 (the first publicly released honeypot), honeypots have been a proven method for attack detection and analysis. Because these honeypots are complex to install and require high maintenance, they have yet to get their proper place in enterprise security suites. However, honeypot technology has been seeing rapid growth, and soon it will be counted among the standard business threat detection tools. There are two types of honeypot deployments:

  1. Internal Honeypots (Behind Firewall)
  2. External Honeypots (Outside Firewall)

Both deployment methods have their own benefits:

Internal Honeypots: These honeypots run behind the firewall as part of the internal network and work as a low-noise IDS. They are very useful for detecting compromised hosts and malicious users.

External Honeypots: You can deploy these honeypots in two ways:

Local External Honeypots: They sit outside the firewall but inside your own IP space. This deployment gives you an idea of who is attacking you and helps you separate attack traffic from legitimate traffic.

Global External Honeypots: They run on public clouds or VPSes and are used by organisations to build threat feeds and IP reputation engines.

The Low Cost and Low Maintenance Solution: Honeypots are not a natural part of enterprise security solutions because of the hardware cost and high maintenance involved, but in the era of cost-effective open source hardware this problem can be solved easily with Raspberry Pi boards.

The Raspberry Pi is a credit-card-sized single-board computer developed by the Raspberry Pi Foundation. Although its initial intention was to promote the teaching of basic computer science in schools, this ARM Linux box is also a suitable candidate for deploying honeypot sensors: with its low cost and low power consumption, it can turn into a powerful honeypot or attack detector.

One can easily install the honeypot variant of one's choice on Raspberry Pi boards (I will be adding some links in the references for this), but if one does not want to put in the extra effort, one can directly use Honeeepi, a customised Raspbian-based honeypot sensor pre-loaded with different honeypots. The fourth release of Honeeepi comes pre-installed with honeypot packages like Dionaea, Cowrie, Conpot and Glastopf, and classic honeypots like honeyd and Amun, and runs on the Raspberry Pi 3 Model B. It also comes loaded with ntop, snort and remote pcap to allow network monitoring and capturing of pcaps for further analysis.

Process for Setting up Sensors

Prerequisites:

  1. Raspberry Pi (3 Model B preferred)
  2. SD Card (32 GB preferred)
  3. SD Card reader
  4. Keyboard and Network Connectivity

Downloading Honeeepi: You can download Honeeepi from the URL below.

https://sourceforge.net/projects/honeeepi/

Simple Installation

You should be able to use the Honeeepi image easily. The installation process is the same as for typical raw images (e.g. Raspbian). I am currently using Windows, so I will follow the method for it; one can easily search for the methods for other operating systems.

  1. Insert your microSD card into your card reader and find out its drive letter in Windows Explorer
  2. Download the SDFormatter (https://www.sdcard.org/downloads/formatter_4/) application and format your memory card with it. Don't forget to turn on the Auto Size Adjustment option.
  3. Unzip the file you downloaded and extract image to a folder
  4. Download Win32DiskImager (https://sourceforge.net/projects/win32diskimager/).
  5. Unzip the downloaded file and run the utility file.
  6. Select the image file you downloaded.
  7. Choose the drive of your SD card in the ‘Device’ drop-down. Make sure you choose the correct one. Otherwise, you risk damaging the data on your hard drive.
  8. Select ‘Write’ and wait for the process to finish. That is it!
  9. Now you can plug the SD card into your Raspberry Pi’s slot.

Now power up the board and connect it to a wired network. The Honeeepi image boots with DHCP and sshd enabled by default. Locate the Honeeepi network address in your DHCP lease list and SSH to it using the following credentials.

The SSH port for Honeeepi version 2016.10 is TCP/9002; for all other versions it is TCP/22.

Default login: pi

Password: honeeepi

Now run sudo raspi-config and expand the file system; after that, run apt-get update and apt-get upgrade (hopefully you are familiar with this).

Running Honeypots

Here we will talk about running the pre-installed honeypots, with a short description of each and suggestions on how to run them.

  1. Conpot: Conpot is a low-interaction server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of standard industrial control protocols, it creates the basis to build your own system, capable of emulating complex infrastructures to convince an adversary that they have just found a massive industrial complex. To improve the deceptive capabilities, it also provides the possibility to serve a custom human-machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because it provides complete stacks of the protocols, Conpot can be accessed with production HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of massive giants.

Starting up Conpot

  • Login as pi
    cd /honeeepi/conpot
  • To start the Siemens S7-200 template (start as background):
    sudo conpot --template default &
  • To start the kamstrup_382 (smart meter) template (new) (start as background):
    sudo conpot --template kamstrup_382 &
  • To start the ipmi template (start as background):
    sudo conpot --template ipmi &
  • To start the proxy template (start as background):
    sudo conpot --template proxy &
  • To start the Guardian AST tank monitoring system template (start as background):
    sudo conpot --template guardian_ast &
  2. Dionaea: Dionaea was developed by Markus Koetter as a low-interaction honeypot meant to be the successor of nepenthes. It emulates vulnerable systems with services often targeted by attackers such as HTTP, FTP, SSH, SMB, etc. It is written in C but uses Python to emulate various protocols to entice attackers. It uses libemu to detect shellcode and can alert us of the shellcode and capture it. Dionaea sends real-time notifications of attacks via XMPP and then logs the information into a SQLite database.

Starting up Dionaea

  • Login as pi
  • cd /honeeepi/dionaea-honeypot
  • Start the honeypot (start as background):
    sudo ./start.sh &
  • To start OS fingerprinting (start as background):
    sudo ./start-p0f.sh &
  3. Glastopf: Glastopf is a minimalistic web server emulator written in Python by Lukas Rist a.k.a. glaslos. The honeypot collects information about web application-based attacks such as remote file inclusion, SQL injection and local file inclusion.

Starting up Glastopf

  • Login as pi
  • sudo glastopf-runner &
  4. Cowrie: Cowrie is a Kippo-based SSH/Telnet honeypot system written by Michel Oosterhof that is designed not only to log brute-force attempts against an SSH server but to "record" the entire shell session of an attacker. It creates a "fake" server that is used to lure attackers into attempting access. The functionality of Cowrie extends far beyond what is described here; I encourage you to visit the Cowrie repository on GitHub in the meantime to read about all that it can do.

Setting up Cowrie

  • Move your real SSH daemon to a different port number:
    sudo vi /etc/ssh/sshd_config
  • Edit the SSH port to another port of your choice (make sure it differs from the ports used by the honeypot services):
    Port 22   <-- change this port number; ensure it does not clash with other honeypot services
  • Restart SSH:
    sudo /etc/init.d/ssh restart
  • Switch to the cowrie user and start the honeypot:
    sudo su cowrie
    cd /honeeepi/cowrie
    ./start.sh (the script starts the process in the background)

Running Network Monitoring:

Ntop (start as background): ntop is software that probes a computer network to show network use in a way similar to what the program top does for processes. In interactive mode, it displays the network status on the user's terminal. In web mode, it acts as a web server, creating an HTML dump of the network status. It supports a NetFlow/sFlow emitter-collector, a Hypertext Transfer Protocol (HTTP) based client interface for creating ntop-centric monitoring applications, and RRDtool (RRD) for persistently storing traffic statistics.

  • Login as pi
  • cd /opt/ntop-5.0.1
  • sudo ntop &
  • The first-time startup will prompt for an admin user password
  • Open http://<IP address of Honeeepi>:3000/ in a browser

Remote Packet Capture (rpcapd): The Remote Capture Protocol (RPCAP) can work in two modes:

Passive Mode (default): the client (e.g. a network sniffer) connects to the remote daemon, sends it the appropriate commands, and starts the capture.

Active Mode: the remote daemon tries to establish a connection to the client (e.g. the network sniffer); then the client sends the appropriate commands to the daemon and starts the capture. The name comes from the daemon becoming active instead of waiting for new connections.

Active Mode is useful when the remote daemon is behind a firewall and cannot receive connections from the outside world. In this case, the daemon can be configured to establish the connection to a given host, which will have been configured to wait for that connection. After the connection is established, the protocol continues its job in almost the same way in both Active and Passive Mode.

  • Login as pi
  • sudo passwd root -> set a root password
  • cd /opt/rpcapd
  • sudo ./start.sh (the script starts the process in the background)
  • Configure remote capture in Wireshark
  • Configure remote capture using Wireshark

Analysing Honeypot Logs: Once all honeypots are active, they generate massive log files, and analysis of these records can easily be done with ELK. All you need to do is get all the log files onto your ELK machine and use a Logstash conf file to push them into Elasticsearch; you can then view them quickly in Kibana.

Logstash.conf:

# Input section
input {
  # Conpot
  file {
    path => ["file_path/conpot.json"]
    codec => json
    type => "ConPot"
  }
  # Cowrie
  file {
    path => ["file_path/cowrie.json"]
    codec => json
    type => "Cowrie"
  }
  # Dionaea
  file {
    path => ["file_path/dionaea.json"]
    codec => json
    type => "Dionaea"
  }
  # Glastopf (plain-text log, parsed with grok in the filter section)
  file {
    path => ["file_path/glastopf.log"]
    type => "Glastopf"
  }
}

# Filter Section
filter {
  # Conpot
  if [type] == "ConPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  # Cowrie
  if [type] == "Cowrie" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }
  # Dionaea
  if [type] == "Dionaea" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
        "[credentials][password]" => "login"
      }
      remove_field => "[credentials]"
    }
  }
  # Glastopf: the timestamp is captured into a "timestamp" field so the date filter below can use it
  if [type] == "Glastopf" {
    grok {
      match => [ "message", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{NOTSPACE}%{SPACE}%{IP:src_ip}%{SPACE}%{WORD}%{SPACE}%{URIPROTO:http_method}%{SPACE}%{NOTSPACE:http_uri}%{SPACE}%{NOTSPACE}%{SPACE}%{HOSTNAME}:%{NUMBER:dest_port:integer}" ]
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  # Add geo coordinates / ASN info
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-2.0.7/vendor/GeoLiteCity-2013-01-18.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-2.0.7/vendor/GeoIPASNum-2014-02-12.dat"
      add_field => [ "[geoip][full]", "%{[geoip][number]} %{[geoip][asn]}" ]
    }
  }
  # In some rare conditions dest_port / src_port is indexed as a string; force integer for now
  if [dest_port] {
    mutate {
      convert => { "dest_port" => "integer" }
    }
  }
  if [src_port] {
    mutate {
      convert => { "src_port" => "integer" }
    }
  }
}

# Output section
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
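The following script is an added example, not code from Honeeepi or any of the honeypots: it applies the same normalization the filter section above performs (the dst_* renames, the credentials flattening, the port-to-integer conversion, the ISO8601 date parsing and the Glastopf grok pattern expressed as a regex) to a few constructed sample events, so you can check what will land in Elasticsearch before deploying the config. The field names in the samples are assumed from the filter's rename rules, not taken from real honeypot output.

```python
"""Normalize honeypot events the way the Logstash filter section above does.
Added example (not Honeeepi or honeypot code); sample events are constructed
and their field names are assumed from the filter's rename rules."""
import json
import re
from datetime import datetime

# Regex equivalent of the Glastopf grok pattern (TIMESTAMP_ISO8601, NOTSPACE,
# IP:src_ip, WORD, URIPROTO:http_method, NOTSPACE:http_uri, NOTSPACE, HOSTNAME:NUMBER)
GLASTOPF_RE = re.compile(
    r"\A(?P<timestamp>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?)\s+"
    r"\S+\s+(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+\w+\s+"
    r"(?P<http_method>[A-Za-z][A-Za-z0-9+.-]*)\s+(?P<http_uri>\S+)\s+\S+\s+"
    r"[A-Za-z0-9.-]+:(?P<dest_port>\d+)"
)
RENAMES = {"dst_port": "dest_port", "dst_ip": "dest_ip"}  # mutate { rename => ... }
PORT_FIELDS = ("dest_port", "src_port")                    # mutate { convert => integer }

def parse_timestamp(value):
    """date { match => ["timestamp", "ISO8601"] }: datetime, or None if unparseable."""
    text = value.strip().replace(",", ".")  # Glastopf writes 10:17:42,557
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    try:
        return datetime.fromisoformat(text)
    except ValueError:
        return None

def parse_glastopf(line):
    """grok {} for Glastopf: extract fields, or tag the event as Logstash does."""
    event = {"type": "Glastopf", "message": line.rstrip("\n")}
    match = GLASTOPF_RE.match(event["message"])
    if match is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(match.groupdict())
    return event

def parse_json_event(event_type, line):
    """codec => json for the Conpot, Cowrie and Dionaea inputs."""
    event = json.loads(line)
    event["type"] = event_type
    return event

def normalize(event):
    """Apply the filter section: rename, flatten credentials, coerce ports, date."""
    for old, new in RENAMES.items():
        if old in event:
            event[new] = event.pop(old)
    creds = event.pop("credentials", None)  # "[credentials][password]" => "login"
    if isinstance(creds, dict) and "password" in creds:
        event["login"] = creds["password"]
    for field in PORT_FIELDS:  # the "indexed as string" edge case from the config
        try:
            event[field] = int(event[field])
        except (KeyError, TypeError, ValueError):
            pass  # absent or non-numeric: leave untouched rather than guess
    if "timestamp" in event:
        parsed = parse_timestamp(str(event["timestamp"]))
        if parsed is not None:
            event["@timestamp"] = parsed.isoformat()
    return event

def load_events(records):
    """records: iterable of (type, raw_line) pairs, one per honeypot log line."""
    events = []
    for event_type, line in records:
        event = parse_glastopf(line) if event_type == "Glastopf" \
            else parse_json_event(event_type, line)
        events.append(normalize(event))
    return events

# Constructed sample lines, not real honeypot output.
SAMPLE_RECORDS = [
    ("Cowrie", json.dumps({"timestamp": "2020-05-04T10:15:30.123456Z",
                           "src_ip": "198.51.100.7", "src_port": "40122",
                           "dst_ip": "10.0.0.5", "dst_port": "2222",
                           "eventid": "cowrie.login.failed"})),
    ("Dionaea", json.dumps({"timestamp": "2020-05-04T10:16:01.000Z",
                            "src_ip": "198.51.100.8", "dst_ip": "10.0.0.5",
                            "dst_port": 445, "credentials": {"password": "guest"}})),
    ("Glastopf", "2020-05-04 10:17:42,557 (glastopf.glastopf) 203.0.113.9 "
                 "requested GET /phpmyadmin/ on 10.0.0.5:80"),
    ("Glastopf", "a malformed line that the grok pattern cannot parse"),
]

if __name__ == "__main__":
    for event in load_events(SAMPLE_RECORDS):
        print(json.dumps(event, sort_keys=True))
```

Events that fail the grok regex are tagged with _grokparsefailure rather than dropped, which is the same place you would look in Kibana to find log lines the config does not yet understand.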

 

Resources and References:

– Conpot (http://conpot.org/)
– Dionaea (https://github.com/gento/dionaea, with IoT (Internet of Things) honeypot feature)
– Glastopf (http://glastopf.org/)
– Cowrie (https://github.com/micheloosterhof/cowrie)
– Kippo (https://github.com/desaster/kippo)
– Honeyd (https://github.com/DataSoft/Honeyd)
– Amun (http://amunhoney.sourceforge.net/)
– Snort (https://www.snort.org/)
– ntop (http://www.ntop.org/)
– Remote packet capture (https://github.com/frgtn/rpcapd-linux)
– HoneyNet Project (https://www.honeynet.org)
– Honeeepi Wiki (https://redmine.honeynet.org/projects/honeeepi)
– Indian HoneyNet Project (https://honeynet.org.in)


Follow KITTEN to avoid your next cyber security incident


This picture of a kitten looks cute and cuddly, but can you imagine that a funny cat picture could destroy your data?

Life was hell for information security analysts and engineers last year, given what we saw in Internet security: the rise of ransomware, insider threats, Heartbleed, DirtyCOW and so on. Security engineers, analysts and auditors work so hard to secure the organisation; they try to test each and every system on the network, share best practices, and share newsletters of do's and don'ts. Despite all these efforts, people still do silly things by ignoring common sense.

Let’s dissect some of those bad choices, with the help of our little kitten friend

K is for Kiosk Charging

We have all seen those charging stations at conferences, airports and even on aeroplanes, enticing you just to plug in and relax while devices charge. In the old days, power and data flowed through separate cables, but modern mobile devices require that both charging and data flow through a single cord. Without seeing what’s on the other end of that charging kiosk, plugging your phone in can mean that you are allowing access to the data on your phone and possibly even the injection of malicious code, which is known as juice jacking.

To protect yourself, carry a USB charger and plug into an electrical outlet, invest in a USB prophylactic that will allow power flow but block data flow or charge only through a power bank.

I is for Installing Patches Late

Nearly 75 percent of cyber attacks use publicly known vulnerabilities in commercial software, but only about 10 percent of organisations have the capacity to apply patches on the same day they are released. Do your best to be part of that 10 percent, for catnip’s sake!

T is for Thoughtless Clicking

There are many wonders to behold on the Internet. Whether it is an email with a link proclaiming “cutest kitten picture ever!” or a click-bait headline on social media, think before clicking.

Do you know the sender of the email? Is the destination site or publication a reputable one? At best, you have wasted time clicking through to another weird corner of the Internet, and at worst, you are clicking through to a malware host for a drive-by download. Think before you click.

T is for Third-Party Access to Personal Data

Do you know why that game app needs access to your contacts? Alternatively, why that navigation app wants access to your health data? Be mindful of the permissions you grant to apps on your mobile devices and what data they may be sharing on your behalf. If you are suspicious of an application and its need for permissions, compare it to others in the same category to see if there’s consistency for a particular permit type or if it is an indicator of data gathering for potentially illicit purposes.

E is for Egregious Password Practices

Password hygiene continued to be problematic and was one of the key factors cited in the X-Force Threat Intelligence Quarterly as contributing to insider threats. Whether it is multi-user accounts, easy passwords or passwords that never expire, this lack of accountability on user provisioning and privileges is leaving significant holes in corporate networks.

Even with adequate termination procedures, having shared admin accounts or unexpired passwords leaves doors open to disgruntled ex-employees if they take advantage of remote administration tools like LogMeIn or TeamViewer before their departure.

N is for ‘Not Me’ Thinking

There’s a certain haughtiness that an information security analyst and others in the industry can adopt in thinking that they are too well-versed in security practices to ever be the victim of an attack. Social engineering has evolved to such levels of sophistication that even the most seasoned practitioner can fell for it.

No universal security karma prevents those of us in this industry from being infected; It is just your common sense and active that can reduce the risk or avoid any major incident if you are lucky.

Source: Security Intelligence

 
