ETHICAL HACKING (Professional Elective – II) Study Guide
Contents

The Business Perspective: Business Objectives; Security Policy; Previous Test Results; Business Challenges.
Planning for a Controlled Attack: Inherent Limitations; Imposed Limitations; Timing Is Everything; Attack Type; Source Point; Required Knowledge; Multi-Phased Attacks; Teaming and Attack Structure; Engagement Planner; The Right Security Consultant; Intermediates; Law Enforcement.

The Business Perspective

As digitization took root in the business world, more and more businesses became susceptible to attack.

Business Objectives

• To help train your workforce to recognize a cyberattack, enabling them to avoid phishing emails and improving security from inside the organization.
• To equip your business with digital systems that are built to ward off hackers and safeguard information.
• To ensure your security systems are up to date by assessing and testing them with realistic simulations of potential attacks.
• To enhance customer and partner trust in your business by securing sensitive information during business transactions.
• To help detect weak spots in your network systems that are vulnerable, and re-engineer them to resist attack.

Security Policy

As security continues to become more relevant for businesses worldwide, the importance of securing applications and their underlying technology has gained prominence. With the changing threat landscape, it is often impractical to find weaknesses in real time simply by leveraging automated tools. To help with this, ethical hacking has been steadily gaining popularity because of its effectiveness in simulating real-world attacks and identifying gaps.

1. Reconnaissance

Before performing any penetration tests, hackers footprint the system and gather as much information as possible. Reconnaissance is a preparatory phase in which the hacker documents the organization's request, finds the system's valuable configuration and login information, and probes the networks.
This information is crucial to performing the attacks and includes:

• Naming conventions
• Services on the network
• Servers handling workloads in the network
• IP addresses
• Names and login credentials of users connected to the network
• The physical location of the target machine

2. Scanning

In this stage, the ethical hacker begins testing the networks and machines to identify potential attack surfaces, gathering information on all machines, users and services within the network using automated scanning tools. Penetration testing typically undertakes three types of scans:

Network Mapping. This involves discovering the network topology, including host information, servers, routers, and firewalls within the host network. Once mapped, white hat hackers can visualize and strategize the next steps of the ethical hacking process.

Port Scanning. Ethical hackers use automated tools to identify any open ports on the network. This makes it an efficient mechanism to enumerate the services and live systems in a network and to learn how to establish a connection with them.

Vulnerability Scanning. The use of automated tools to detect weaknesses that can be exploited to orchestrate attacks.

While there are several tools available, here are a few popular ethical hacking tools commonly used during the scanning phase:

• SNMP sweepers
• Ping sweeps
• Network mappers
• Vulnerability scanners

3. Gaining Access

Once ethical hackers expose vulnerabilities through the first and second phases of the process, they attempt to exploit them for administrative access. The third phase involves attempting to send a malicious payload to the application through the network, an adjacent subnetwork, or physically using a connected computer. Hackers typically use many hacking tools and techniques to simulate attempted unauthorized access, including:

• Buffer overflows
• Phishing
• Injection attacks
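The port-scanning step above is easy to see in code. The following is an added example written for this guide, not a tool from the original text: a TCP connect scan with a banner grab. So that it runs offline, it starts its own constructed "service" on a loopback ephemeral port (standing in for a lab host) and then scans a window of ports around it; the service name, banner and port window are all assumptions.

```python
"""TCP connect scan with a banner grab, run against a local listener so it
works offline. Added example for the scanning phase; it is not code from the
study guide. The 'service' is a constructed stand-in for a host in a lab."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed target: bind an ephemeral port on loopback and greet every
    client with a banner, the way SSH, SMTP or FTP daemons do."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by the caller
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> Tuple[int, bool, str]:
    """Connect scan: a completed TCP handshake means 'open'. A refused
    connection means 'closed'; a timeout is treated as filtered/closed here."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).decode("ascii", errors="replace").strip()
            except OSError:           # service accepted but said nothing
                banner = ""
            return port, True, banner
    except OSError:
        return port, False, ""


def scan(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, str]:
    """Probe ports concurrently; return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p), ports)
    return {port: banner for port, is_open, banner in results if is_open}


def demo() -> Tuple[int, Dict[int, str]]:
    """Start one fake service and scan a small window around it."""
    srv, live_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    try:
        found = scan("127.0.0.1", range(live_port - 5, live_port + 6))
    finally:
        srv.close()
    return live_port, found


if __name__ == "__main__":
    live, found = demo()
    for p in sorted(found):
        print(f"{p}/tcp open  {found[p] or '(no banner)'}")
```

A connect scan completes the handshake, so it is logged by the target and is the noisiest kind of port scan; SYN (half-open) scans need raw sockets and privileges. Only run this against hosts you are authorized to test.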
Business Challenges

Over-reliance on automated tools. Ethical hacking should be manually led, with the specialist relying on experience and knowledge and only lightly assisted by automated software tools. If your ethical hacker relies heavily upon software tools such as vulnerability scanning engines, then you are unlikely to gain significant value from the ethical hacking engagement.

Planning for a Controlled Attack

Command and control attacks, also referred to as C2 and C&C, are a type of attack in which a malicious actor uses a malicious server to command and control already compromised machines over a network. The malicious server (the command and control server) is also used to receive the desired payload from the compromised network. This section covers what a command and control attack is in detail, how the attack works, and what can be done to defend against it.

How command and control attacks work

As mentioned above, command and control attacks control infected machines from a malicious remote server. But how do the attackers infect those machines in the first place? This is done through the typical "compromise channels":

• Phishing emails or instant messages
• Vulnerable web browser plugins
• Direct installation of malware (if the attacker is able to gain physical access to the machine)

Once the machine is compromised, it will establish communication with the malicious command and control server, indicating that it is ready to receive instructions. The infected computer will execute the commands coming from the attacker's C2 server, which typically leads to the installation of further malware. That gives the attacker complete control of the victim's computer. As more and more users within the organization fall for the phishing scheme or are otherwise compromised, the malicious code typically spreads to more and more computers, creating a botnet, a network of infected machines.
Within a matter of time, the attacker gains complete control over that network.

Devices that can be targeted with command and control attacks

Essentially any computing device can be targeted with a command and control attack. That means:

• Desktops/laptops
• Tablets
• Smartphones
• IoT devices

That last entry on the list is particularly worrisome because these devices tend to be rather insecure. They have extremely limited user interfaces, making them difficult to control. They don't tend to get updated with security patches very often. And they tend to share a lot of data over the internet. You may want to limit the number of IoT devices on your network.

What are the risks of command and control attacks?

• Data theft: Sensitive company data, like financial documents or proprietary information, could be copied or transferred to the command and control server.
• Shutdown: An attacker could shut down any number of compromised machines. In a large-scale command and control attack, they could even bring down the entire network.
• Reboot: Infected machines may suddenly and repeatedly shut down and reboot, disrupting business operations.
• Malware/ransomware attacks: Once the attacker has compromised a machine on your network, they've got access to your network. Depending on the permissions they managed to obtain, they could do things like trigger the download of malware or encrypt sensitive data and demand a ransom for the decryption key.
• Distributed denial of service (botnet): With enough compromised machines on the network, the attacker will have access to a botnet: a network of infected computers ready to receive malicious commands. A common use of botnets is to mount DDoS attacks. DDoS attacks take down servers or networks by flooding them with traffic. Once the attacker has a botnet,
they can instruct each machine to send a request to the targeted server/network which, with enough requests, can overwhelm the server/network to the point of taking it offline.

Different command and control architectures

Different command and control server/client architectures are used in command and control attacks. The architecture determines how the infected machine communicates with the command and control server. Different architectures have been developed over time to avoid detection as much as possible. There are three different command and control architectures.

1. Centralized architecture

The centralized architecture is probably the most common. It's the classic client/server scheme, in which all infected computers communicate with one central server that manages all of the responses. However, this model is the easiest to detect and block because all the commands come from a single source. Because of that, the command and control server's IP address can quite readily be detected and blocked. To try and mitigate this, some attackers use proxy servers, redirectors, and load balancers in their C&C server configuration.

2. Peer-to-peer architecture

The peer-to-peer model works much like BitTorrent file transfers, in which there is no central server. In this architecture, each infected computer acts as a node in the botnet, passing messages (i.e., commands) to any other node in the botnet, so the need for a central server is eliminated. However, this architecture is often used in a hybrid setup: the peer-to-peer architecture serves as a fallback should the central server be taken down or otherwise compromised.

The peer-to-peer architecture model is much more difficult to detect than the centralized architecture model. And even if detected, there's a good chance you'll only be able to take one node down at a time, which will still cause you a substantial headache.

3. Random architecture

The random architecture model is the most difficult to detect.
That's also the reason why it came to be: so that security teams cannot detect the chain of command of a botnet or trace and shut down the C&C server. This architecture model works by sending commands to the infected host or botnet from different random sources. Those sources could be links in social media comments, CDNs, email, IRC chat rooms, etc. Attackers tend to choose trusted and frequently used sources to send the malicious commands, heightening their chances of success.

Defending against command and control attacks

As is so often the case, the way to defend against command and control attacks depends on whether you're a user or an administrator. Different mitigation measures apply to each. Both are covered below.

For system administrators

Provide security awareness training. You want your staff to be aware of the online threats they may be facing. Security training for your staff will not only help you mitigate command and control attacks but many other types of attacks as well. Security training promotes more secure habits within your organization and will lessen the risk level of many of the online threats you face every day, especially phishing attempts. On top of that, your entire organization will be better prepared to deal with security events. You simply cannot lose with this one.

Monitor your networks. You're going to need visibility into the traffic flowing over your network. Specifically, you want to be on the lookout for suspicious behavior occurring over your network. Some of the signs that may point to an attack (command and control or otherwise) would be filename mismatches with their corresponding hashes, properly named files being stored in odd locations, user logins at unusual times, and unusual network locations being accessed.

Use an AI-based Intrusion Detection System (IDS). It's typically difficult for traditional IT defenses to identify anomalous activity because they tend to be binary in nature.
They refer to the account's permissions or an ACL and decide between "yes" and "no", "grant access" or "deny access." But there is technology available today that can efficiently scan for and detect out-of-the-ordinary events. AI-powered technology is being used across many industries today, and IT security is not being left out. With an AI-based IDS, you can "teach" it via machine learning to identify "normal" behavior patterns over your network. From that baseline, and with a bit of training, it will be able to detect outlier behavior and may save you from a major headache.

Limit user permissions as much as possible. The principle of least privilege should be implemented in your organization. Assign each user the least amount of permissions required to do their work and nothing beyond that.

Set up two-factor authentication (2FA) on all accounts that support it. 2FA is a robust way to make it more difficult for malicious actors to abuse your credentials. Not only that, but it may discourage many of them from trying.

Implement digital code signing. Digital signing prevents unauthorized software from being executed unless it is signed by a trusted entity. Don't leave the door wide open by allowing any application from anywhere to be installed on devices on your network. Put an allowlist in place through digital code signing.

For users

These are primarily common-sense tips that can help you avoid various online threats. However, the first four points are directly related to mitigating command and control attacks.

• Don't open attachments in emails unless you're sure you know who the sender is and you've confirmed with that person that they really did send you the email in question. You should also make sure they're aware the email contains an attachment and know what the attachment is.
• Don't click links (URLs) in emails unless you can confirm who sent you the link, what its destination is, and that the sender is not being impersonated.
Once you've done that, you should scrutinize the link. Is it an HTTP or an HTTPS link? The vast majority of the legitimate internet uses HTTPS today. Also, check the link for incorrect spelling (faceboook instead of facebook, or a similar misspelling of google). If you can get to the destination without using the link, do that instead.
• Use a firewall. All major operating systems have a built-in incoming firewall, and all commercial routers on the market provide a built-in NAT firewall. You want to make sure these are enabled. They could well be your first line of defense if you click a malicious link.
• Log out and reboot your computer. When you're done working on your computer, log out of your session and reboot the machine. That will clear things from memory that could be used to compromise your computer.
• Use strong and complex passwords. The more complex your passwords are, the less likely you are to fall victim to credential-based attacks. Depending on the attacker's chosen methodology, a successful command and control attack may well start off as a credential-based attack.
• Use an antivirus program. Only purchase genuine and well-reviewed antivirus software from legitimate vendors. Keep your antivirus updated and configure it to run frequent scans.
• Keep your operating system updated. You want the latest OS updates, as they contain the latest security patches. Make sure you install them as soon as they're available.
• Never click on pop-ups. Ever. Regardless of where they take you, pop-ups are just bad news.
• Don't give in to "warning fatigue" if your browser displays yet another warning about a website you are trying to access. With web browsers becoming more and more secure, the number of security prompts they display has gone up somewhat. You should still take them seriously, and if your browser displays a security prompt about a URL you're trying to visit, listen to your browser and get your information elsewhere. That's especially true if you clicked a link you received by email or SMS: it could be sending you to a malicious site. Don't disregard your computer's warning prompts.
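Returning to the administrator-side advice above ("monitor your networks" and baselining "normal" behaviour): the most recognisable network signal of a centralized C2 channel is beaconing, an infected host checking in with the same destination at a near-constant interval with near-constant payload sizes, while legitimate browsing to a destination is bursty and irregular. The following detector is an added example written for this guide, not code from the original text. The log format (ISO timestamp, source, destination:port, bytes), the sample lines and the thresholds are all constructed for illustration.

```python
"""Spot C2 beaconing in connection logs: one host contacting one destination
at near-constant intervals with near-constant payload sizes. Added example,
not from the study guide. The log format (ISO timestamp, source, destination,
bytes) and the thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterator, Tuple

# Constructed sample: 10.0.0.5 beacons to 198.51.100.7 roughly every 60 s with
# a ~610-byte check-in, and also browses 203.0.113.20 with irregular timing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 198.51.100.7:443 612
2024-03-01T09:00:59 10.0.0.5 198.51.100.7:443 608
2024-03-01T09:02:01 10.0.0.5 198.51.100.7:443 615
2024-03-01T09:03:00 10.0.0.5 198.51.100.7:443 610
2024-03-01T09:04:02 10.0.0.5 198.51.100.7:443 609
2024-03-01T09:04:59 10.0.0.5 198.51.100.7:443 611
2024-03-01T09:00:07 10.0.0.5 203.0.113.20:443 48211
2024-03-01T09:00:09 10.0.0.5 203.0.113.20:443 1299
2024-03-01T09:01:45 10.0.0.5 203.0.113.20:443 20377
2024-03-01T09:03:30 10.0.0.5 203.0.113.20:443 7
2024-03-01T09:03:31 10.0.0.5 203.0.113.20:443 99021
2024-03-01T09:04:58 10.0.0.5 203.0.113.20:443 3000
"""

Event = Tuple[datetime, str, str, int]


def parse(log: str) -> Iterator[Event]:
    """Yield (timestamp, src, dst, bytes) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def beacon_candidates(log: str, min_connections: int = 5,
                      max_gap_cv: float = 0.15,
                      max_size_cv: float = 0.25) -> Dict[Tuple[str, str], dict]:
    """Group flows by (src, dst); flag pairs whose inter-arrival gaps and byte
    counts both have a low coefficient of variation (stdev / mean)."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse(log):
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings[pair] = {
                "count": len(events),
                "period_s": round(mean(gaps), 1),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {info}")
```

On the sample, the 198.51.100.7 pair is flagged (period about 60 s, gap CV around 0.03) and the browsing pair is not (gap CV around 0.8). Real implants add jitter to the sleep interval, so in production you would loosen the gap threshold, look over longer windows, and treat this as one score among several (destination reputation, newly seen domains, off-hours activity) rather than a verdict on its own.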
Wrap-up

So that's essentially the deal with command and control attacks. They can definitely be nasty insofar as they could lead to complete network takeovers. But, as is the case with many other online attacks, putting the security measures above into practice and promoting security awareness within your organization is a good bet toward lowering the odds of falling prey to online attacks in general and command and control attacks specifically.

Inherent Limitations

Understanding the limitations of internal control can help your business or organization better prevent gaps in its information systems. Learn how with this guide from the team at Reciprocity.

As the inherent risks confronting your organization or business grow, having the proper policies, procedures, and technical safeguards in place to prevent problems and protect your assets is more important than ever before. Together, these policies, procedures, and technical safeguards are called internal controls.

Internal controls are designed to provide organizations with reasonable assurance regarding the achievement of objectives in the following categories:

• reliability of financial reporting
• effectiveness and efficiency of business operations
• compliance with applicable laws and regulations

Control Environment

The control environment is the foundation for all the other internal control elements.
It encompasses your organization's attitude about internal controls, under the assumption that your board of directors and senior management are responsible for establishing the "tone at the top" regarding the importance of internal controls and the expected standards of conduct. Ideally, other employees will then follow suit.

An effective internal control environment should include the following seven factors:

• Integrity and ethical values.
• Commitment to competence.
• Human resource policies and practices.
• Assignment of authority and responsibility.
• Management's philosophy and operating style.
• Board of directors or audit committee participation.
• Organizational structure.

Risk Assessment

The risk assessment process includes identifying, analyzing and prioritizing your organization's risks. It will ultimately inform the process for managing and mitigating risks. An effective risk assessment should:

• Clearly specify objectives.
• Identify risks to the achievement of objectives.
• Consider the potential for fraud.
• Identify and assess significant changes.
• Include third-party and supply chain risks.

Control Activities

Control activities are the actions established by policies and procedures that help assure management directives are carried out. Control activities should be performed at all levels of your organization and at various stages within your business processes. They should address the risks identified in your risk assessment, be clearly documented and clearly communicated to stakeholders and staff, and evolve with the changing needs of your business. Control activities should include:

• Performance reviews.
• Information processing.
• Physical controls.
• Segregation of duties.
Information and Communication

Information and communication are the systems and processes that support identifying, capturing, and exchanging information that allows people to carry out their duties effectively. Your information and communication systems should:

• Facilitate the acquisition, generation, and use of quality information throughout your organization.
• Define the processes for internally communicating information about internal controls.
• Define the processes for externally communicating information about internal controls.

Monitoring Activities

Monitoring activities are the processes that identify, monitor and report on the quality of your internal controls. Monitoring activities should include:

• Ongoing and/or separate evaluations.
• Evaluation and communication of any internal control deficiencies.
• Options for automation wherever possible.

Timing Is Everything

A timing attack is a sophisticated way to circumvent security mechanisms and discover vulnerabilities by studying how long it takes the system to respond to different inputs. In a timing attack, the attacker gains information that is indirectly leaked by the application. This information is then used for malicious purposes, such as guessing the password of a user. Timing attacks are part of a wider family of attacks, called side-channel attacks. A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than on weaknesses in the implemented algorithm itself (the domain of cryptanalysis and software bugs).
An attacker utilizes the data gained from monitoring patterns in physical parameters such as electromagnetic radiation, power consumption, response times, and acoustic emissions during cryptographic operations performed by the system. The attacker can then break encryption by leveraging this information to discover the associated key. Surprisingly detailed sensitive information has been shown to leak from a few high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search despite HTTPS protection.

How do timing attacks work?

Timing characteristics of cryptographic operations vary depending on the encryption key. Different systems require different amounts of time to process different inputs. The variables that influence the timing characteristics include performance optimizations, branching and conditional statements, processor instructions, RAM and cache hits. A timing attack looks at how long it takes a system to do something and uses statistical analysis to find the right decryption key and gain access. The only information needed by the attacker is the timing information that is revealed by the algorithms of the application. By supplying various inputs to the application, timing the processing and statistically analyzing the information, the attacker can guess the valid input.

How do timing attacks threaten encryption?

A classic example of a timing attack was designed by cryptographer Paul Kocher. He was able to expose the private decryption keys used by RSA encryption without breaking RSA. In his paper, Kocher mentions: "By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems,
and other applications where attackers can make reasonably accurate timing measurements."

The general belief was that timing attacks were only applicable in the context of hardware security tokens such as smartcards. The assumption was that timing attacks could not be used to attack general-purpose servers, since decryption times are masked by many concurrent processes running on the system. However, research by David Brumley and Dan Boneh of Stanford University challenged this assumption. The two researchers demonstrated that they "can extract private keys from an OpenSSL-based web server running on a machine in the local network."

Attack Type

Phishing

Chances are you wouldn't just open a random attachment or click on a link in any email that comes your way; there has to be a compelling reason for you to take action. Attackers know this, too. When an attacker wants you to install malware or divulge sensitive information, they often turn to phishing tactics, or pretending to be someone or something else to get you to take an action you normally wouldn't. Since they rely on human curiosity and impulses, phishing attacks can be difficult to stop.

In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there will be an attachment to open or a link to click. Upon opening the malicious attachment, you'll thereby install malware on your computer. If you click the link, it may send you to a legitimate-looking website that asks you to log in to access an important file, except the website is actually a trap used to capture your credentials when you try to log in. In order to combat phishing attempts, understanding the importance of verifying email senders and attachments/links is essential.
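The timing-attack section above says the attacker supplies inputs, times the processing and statistically recovers the valid input. The following is an added example written for this guide, not code from the original text or from Kocher's or Brumley and Boneh's work, showing the simplest instance: a token check that stops at the first mismatching byte leaks, through its running time, how long the matching prefix is, so the secret can be recovered one byte at a time instead of by brute force. Wall-clock measurements in a short demo are too noisy to be reproducible, so the victim here reports the number of byte comparisons it performed; that count is exactly the quantity a real attacker estimates by averaging many timed requests. The 4-byte secret is constructed.

```python
"""Timing side channel on a byte-by-byte token comparison, simulated so it is
deterministic. Added example; not from the study guide. A real attacker
measures wall-clock response time over many requests and averages out noise;
here the victim reports how many byte comparisons it performed, which is the
quantity those measurements estimate."""
import hmac
from typing import Callable, Tuple

SECRET = bytes.fromhex("a3f19c02")   # constructed 4-byte token the attacker must recover


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison (the bug): work grows with the matching prefix."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """The fix: hmac.compare_digest examines every byte regardless of where
    the first mismatch is, so the work is the same for every guess."""
    return hmac.compare_digest(secret, guess), len(secret)


def make_victim(compare: Callable[[bytes, bytes], Tuple[bool, int]]):
    """Victim endpoint: holds the secret, answers guesses, counts queries."""
    stats = {"queries": 0}

    def check(guess: bytes) -> Tuple[bool, int]:
        stats["queries"] += 1
        return compare(SECRET, guess)

    return check, stats


def recover(check: Callable[[bytes], Tuple[bool, int]], length: int) -> bytes:
    """Attacker: at each position try all 256 bytes, keep the one that makes
    the victim do the most work, and stop as soon as a guess is accepted."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_steps = 0, -1
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + bytes(length - pos - 1)
            accepted, steps = check(guess)
            if accepted:
                return guess
            if steps > best_steps:          # strictly greater: ties keep the first
                best_byte, best_steps = candidate, steps
        known.append(best_byte)
    return bytes(known)


if __name__ == "__main__":
    for name, cmp in (("leaky", leaky_compare), ("constant-time", constant_time_compare)):
        victim, stats = make_victim(cmp)
        got = recover(victim, len(SECRET))
        print(f"{name:14s} recovered={got.hex()} correct={got == SECRET} "
              f"queries={stats['queries']}")
```

Against the leaky comparison the attacker needs at most 256 queries per byte (about a thousand for a 4-byte token) rather than 2^32; against the constant-time comparison every wrong guess costs the same, so the "best" candidate is just the first one tried and the recovery fails. In real code the lesson is the same: compare secrets (tokens, MACs, password hashes) with `hmac.compare_digest` or an equivalent, and expect an adversary who can make "reasonably accurate timing measurements" to exploit any early exit.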
SQL Injection Attack

SQL (pronounced "sequel") stands for structured query language; it's a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. A SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn't. This is especially problematic if the server stores private customer information from the website, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker.

An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that allow the SQL server to run malicious code. For example, if a SQL server is vulnerable to an injection attack, it may be possible for an attacker to go to a website's search box and type in code that would force the site's SQL server to dump all of its stored usernames and passwords for the site.

Cross-Site Scripting (XSS)

In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data, such as user credentials or sensitive financial data. But if the attacker would rather directly target a website's users, they may opt for a cross-site scripting attack. Similar to an SQL
injection attack, this attack also involves injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code the attacker has injected runs in the user's browser when they visit the attacked website, and it goes after the visitor directly, not the website. One of the most common ways an attacker can deploy a cross-site scripting attack is by injecting malicious code into a comment or a script that could automatically run. For example, they could embed a link to malicious JavaScript in a comment on a blog.

Cross-site scripting attacks can significantly damage a website's reputation by placing the users' information at risk without any indication that anything malicious even occurred. Any sensitive information a user sends to the site, such as their credentials, credit card information, or other private data, can be hijacked via cross-site scripting without the website owners realizing there was even a problem in the first place.

Denial-of-Service (DoS) Attack

Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as the eye can see. Normally this road never sees more than a car or two, but a county fair and a major sporting event have ended around the same time, and this road is the only way for visitors to leave town. The road can't handle the massive amount of traffic, and as a result it gets so backed up that pretty much no one can leave.

That's essentially what happens to a website during a denial-of-service (DoS) attack. If you flood a website with more traffic than it was built to handle, you'll overload the website's server and it'll be nigh-impossible for the website to serve up its content to visitors who are trying to access it. This can happen for innocuous reasons, of course, if a massive news story breaks and a newspaper's website gets overloaded with traffic from people trying to find out more. But often, this kind of traffic overload is malicious,
as an attacker floods a website with an overwhelming amount of traffic to essentially shut it down for all users.

In some instances, these DoS attacks are performed by many computers at the same time. This scenario of attack is known as a Distributed Denial-of-Service Attack (DDoS). This type of attack can be even more difficult to overcome due to the attacker appearing from many different IP addresses around the world simultaneously, making determining the source of the attack even more difficult for network administrators.

Session Hijacking and Man-in-the-Middle Attacks

When you're on the internet, your computer has a lot of small back-and-forth transactions with servers around the world letting them know who you are and requesting specific websites or services. In return, if everything goes as it should, the web servers respond to your request by giving you the information you're accessing. This process, or session, happens whether you are simply browsing or when you are logging into a website with your username and password. The session between your computer and the remote web server is given a unique session ID, which should stay private between the two parties; however, an attacker can hijack the session by capturing the session ID and posing as the computer making a request, allowing them to log in as an unsuspecting user and gain access to unauthorized information on the web server. There are a number of methods an attacker can use to steal the session ID, such as a cross-site scripting attack used to hijack session IDs. An attacker can also opt to hijack the session to insert themselves between the requesting computer and the remote server, pretending to be the other party in the session. This allows them to intercept information in both directions and is commonly called a man-in-the-middle attack.

Credential Reuse

Users today have so many logins and passwords to remember that it's tempting to reuse credentials here or there to make life a little easier.
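The search-box scenario in the SQL injection section above (an attacker types "code" into a search field and the database dumps its stored usernames and passwords) is concrete enough to run. The following is an added example written for this guide, not code from the original text, using an in-memory SQLite database: the vulnerable query splices the search term into the SQL string, and beside it is the parameterised version that closes the hole. Table names, rows, the fake "password hashes" and the payload are all constructed.

```python
"""The search-box SQL injection from the text, run against an in-memory SQLite
database, beside the parameterised fix. Added example; not from the study
guide. Table names, rows and the fake password hashes are constructed."""
import sqlite3
from typing import Dict, List


def build_db() -> sqlite3.Connection:
    """Constructed schema: a public products table and a private users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                            password_hash TEXT NOT NULL);
        INSERT INTO products (name) VALUES ('red widget'), ('blue widget'), ('gadget');
        INSERT INTO users (username, password_hash)
             VALUES ('alice', 'fakehash-alice'), ('bob', 'fakehash-bob');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> List[str]:
    """Vulnerable: the search term is pasted into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db: sqlite3.Connection, term: str) -> List[str]:
    """Fixed: a bound parameter is sent as data and never parsed as SQL. The
    wildcards are added to the value, not to the query text."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# What the attacker types into the search box: close the LIKE literal, UNION in
# a second SELECT with the same column count, and comment out the trailing %'.
PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users -- "


def demo() -> Dict[str, List[str]]:
    db = build_db()
    return {
        "normal": search_safe(db, "widget"),
        "vulnerable_dump": search_vulnerable(db, PAYLOAD),
        "safe_with_payload": search_safe(db, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable query becomes `SELECT name FROM products WHERE name LIKE '%' UNION SELECT username || ':' || password_hash FROM users -- %'`, so every product row is returned together with every `user:hash` pair; the parameterised query treats the same input as an ordinary (and non-matching) search pattern and returns nothing. Note that `sqlite3.execute()` refuses stacked statements, so a `'; DROP TABLE users` payload would fail here, but UNION-based extraction does not need them; other database drivers and ORMs behave differently, which is why the fix is bound parameters everywhere rather than filtering particular characters.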
Even though security best practices universally recommend that you have unique passwords for all your applications and websites, many people still reuse their passwords, a fact attackers rely on. Once attackers have a collection of usernames and passwords from a breached website or service (easily acquired on any number of black market websites on the internet), they know that if they use these same credentials on other websites there's a chance they'll be able to log in. No matter how tempting it may be to reuse credentials for your email, bank account, and your favorite sports forum, it's possible that one day the forum will get hacked, giving an attacker easy access to your email and bank account. When it comes to credentials, variety is essential. Password managers are available and can be helpful when it comes to managing the many credentials you use.

Multi-Phased Attacks

Rinse and repeat. In a multi-phase attack, this initial act of deception is just the beginning. A multi-phase attack involves first scraping your account credentials via a phishing email and then using those credentials to send phishing or spear phishing emails from the account. For example, the attacker might first send a Microsoft 365 phishing email (such as a fake OneDrive for Business share notification) to compromise your Microsoft 365 account. Then, using your Microsoft 365 account, the hacker, impersonating you, will send a phishing or spear phishing email to someone in your company. Often, spear phishing emails will target users who have the power to execute wire transfers, make purchases, or change direct deposit information. A link in a phishing email might lead to another phishing page designed to scrape additional Microsoft 365 account credentials, or it could initiate a malware or ransomware download.

[Screenshot of the phishing email: a OneDrive "Share file" notification whose body reads as follows.]

Good Day, Please find encrypted document for your review: [link to a my.sharepoint.com personal folder; URL truncated in the source]
This email link are for the intended recipient only and may contain information that is confidential. Let me know if you have any issue/concerns in this regards.

In the above scenario, the email recipient has no reason to suspect that it is not you who sent the email requesting a wire transfer. And an email security filter won't recognize the attack because the email is sent from a legitimate Microsoft 365 account.

There are many variants on the multi-phase attack. Armed with a legitimate account, the attacker can conduct phishing attacks laterally within the organization and also spear phish external business partners and vendors. In one recent case, the SEC revealed that an unnamed American corporation had been fleeced to the tune of $45,000,000 in 14 separate events linked to one multi-phase attack.

The main driver of multi-phase attacks

With 258 million active business users and a single point of entry into the entire suite, Microsoft 365 is a remarkably fertile environment for malicious behavior. From SharePoint, OneDrive, and Teams file repositories to email accounts, Microsoft 365 hosts a rich collection of sensitive data for businesses around the world, including contact names and email addresses, contracts, and financials. A single successful phishing attack on a Microsoft 365 user gives a hacker access to all that data. It's the single biggest driver of compromised Microsoft accounts and the sole reason Microsoft has been the most impersonated brand in phishing attacks in six of the last eight quarters.

How hackers get inside and evade detection from Microsoft

Microsoft 365's native email security, Exchange Online Protection (EOP), is good at identifying known threats, including bad senders or IPs. If an attacker sent dozens of similar phishing emails to different targets, whether from inside or outside Microsoft 365, EOP would flag them and block future attacks. Therefore,
ta successfully compromise a Microsoft 365 account, the attacker must make cach of their attacks ind Jual and unique, One way to get past the fingerprint scanning used by EOP and other traditional solutions is by inserting random or invisible text into the messages, Attackers also us hamoglyphs, « substituting the Greck letter Beta for the lower case “b’ and so forth, Other techniques include: ¢ = =Randomizing content lo make each message unique ¢ Using images disguised as text to bypass toxt—analysis filrors e¢ = Bypassing URL domain filtering using shorteners such as bitly * Using subdomains ¢ = Abusing redirection mechanisms e = Distorting images Mitigating the multiphase attack risk: Multiphase attacks require multicticred defenses or the stacking up of security layers, In the same way that you might employ more than ong tyne of firewall to improve your odds of stepping a network— based attack. it makes sense to use a layered approach to Microsoft 363 security to block multiphase attacks Because EQP’ s fingerprint—based detection is sufficient for known threats, it’ s impartant to maintain the benefits of that native protection while adding another layer of email security thal predicts and block unknown, dynamic threats, The challenge to layering email security into Microsoft 365, however, is email architecture cure Email Gatew (SEG), for example, sit gutside BOP, This architectural design creates a number of limitation ¢ Requires an MX re * Ts visible to hackers via a simple MX loakup ¢ Can’ tscan internal email Te continue to get the benefits from EOP, an add-on email security solution should be integrated with Microsoft 353 via APT—able to scan from the inside and complement EOP rather than limit its effectiveness, The solution should also go beyond lingerprint scanning and use a4 more modern approach to threat detection, with a combination of heuristic rules and artificial intelligence to predict and block attacks. 
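The evasions listed above (invisible text, homoglyphs such as a Greek beta for "b", randomized filler, URL shorteners) all defeat a filter that hashes a message exactly as received. The following added example, which is not code from the page nor from Microsoft or any vendor product, shows the normalization a filter can apply before fingerprinting so that mutated copies of one lure collapse to the same signature, plus a shingle-based similarity score that survives random padding where an exact hash does not. The lure text and its variants, the confusable table, the shortener list and the block threshold are all constructed assumptions for the demonstration.

```python
"""Fuzzy fingerprinting of phishing lures mutated with the evasions listed in
the text (invisible characters, homoglyphs, random filler, URL shorteners).
Added example, not code from the page. KNOWN_LURE and its variants are
constructed; CONFUSABLES and SHORTENERS are short hand-built stand-ins."""
import hashlib
import re
import unicodedata

# Look-alike letters that NFKC does not fold (assumption: a real filter would
# load the full Unicode confusables table rather than this short list).
CONFUSABLES = {
    "\u03b2": "b",  # Greek small beta for "b", the page's own example
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
    "\u0131": "i",  # dotless i
}
# Hosts that hide the real destination (assumption: maintained locally).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rebrand.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)


def _clean(text: str) -> str:
    """Undo character-level mutations without touching the words themselves."""
    text = unicodedata.normalize("NFKC", text)  # fullwidth forms, ligatures
    # Category Cf (format characters) holds zero-width space/joiner, word
    # joiner, BOM, soft hyphen and the right-to-left override: drop them all.
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")
    text = text.lower()  # fold case before mapping look-alikes
    return "".join(CONFUSABLES.get(c, c) for c in text)


def normalize(text: str) -> str:
    """Comparison form: cleaned text with every URL reduced to a placeholder,
    so a per-recipient tracking path does not change the fingerprint."""
    text = URL_RE.sub("<url>", _clean(text))
    return re.sub(r"\s+", " ", text).strip()


def url_hosts(text: str) -> list:
    return [m.group(1) for m in URL_RE.finditer(_clean(text))]


def uses_shortener(text: str) -> bool:
    return any(host in SHORTENERS for host in url_hosts(text))


def exact_fingerprint(text: str) -> str:
    """What a hash-based filter sees: any one-character change is a new hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def shingles(text: str, n: int = 3) -> set:
    words = text.split()
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of word 3-grams after normalization. Random filler
    adds shingles but cannot remove the lure's own, so the score degrades
    gracefully instead of dropping to zero."""
    sa, sb = shingles(normalize(a)), shingles(normalize(b))
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def classify(message: str, known_lure: str, threshold: float = 0.6) -> dict:
    """Verdict of an exact-hash filter next to the normalized, fuzzy one."""
    score = similarity(message, known_lure)
    exact = exact_fingerprint(message) == exact_fingerprint(known_lure)
    return {
        "exact_match": exact,
        "similarity": round(score, 2),
        "shortener": uses_shortener(message),
        "verdict": "block" if exact or score >= threshold else "allow",
    }


# Constructed samples: a lure seen before, then the same lure after the
# listed evasions.
KNOWN_LURE = (
    "Good day, please find the encrypted document below for your review: "
    "https://share.example.com/s/abc123 Let me know if you have any concerns."
)
# Zero-width characters inside words, Greek beta for "b", Cyrillic "y",
# a fullwidth "L", and a shortener in place of the link.
VARIANT_OBFUSCATED = (
    "Good d\u200bay, please find the encr\u0443pted docu\u200cment \u03b2elow "
    "for your review: https://bit.ly/3xYzQ9 "
    "\uff2cet me know if you have any concerns."
)
# The obfuscated variant padded with random text to defeat exact hashing.
VARIANT_PADDED = "Ref: k82j1 " + VARIANT_OBFUSCATED + " Sent from my mobile device. id 9911"

if __name__ == "__main__":
    for name, msg in [("obfuscated", VARIANT_OBFUSCATED), ("padded", VARIANT_PADDED)]:
        print(name, classify(msg, KNOWN_LURE))
```

The obfuscated variant normalizes to exactly the known lure even though its raw hash is different; the padded variant scores about 0.67 and is still blocked at the 0.6 threshold. The shortener flag is reported separately rather than used to block on its own, since legitimate mail uses shorteners too.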
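The credential reuse described at the start of this section shows up in authentication logs as credential stuffing: one source replaying breached username/password pairs against many different accounts, one or two tries each, with the occasional success where a user reused a password. The added example below, which is not code from the page, tells that pattern apart from a brute-force attack on a single account and lists the accounts whose reused password just worked, which are the ones to reset first. The log format, the log lines and the thresholds are constructed assumptions.

```python
"""Telling credential stuffing apart from brute force in authentication logs.
Added example, not code from the page; the log format and lines below are
constructed and the thresholds are assumptions."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> login user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one stuffing burst, one brute-force run, one normal user.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 login user=alice result=fail
2024-05-01T09:00:02Z 203.0.113.7 login user=bob result=fail
2024-05-01T09:00:02Z 203.0.113.7 login user=carol result=fail
2024-05-01T09:00:03Z 203.0.113.7 login user=dave result=fail
2024-05-01T09:00:03Z 203.0.113.7 login user=erin result=ok
2024-05-01T09:00:04Z 203.0.113.7 login user=frank result=fail
2024-05-01T09:01:10Z 198.51.100.9 login user=admin result=fail
2024-05-01T09:01:11Z 198.51.100.9 login user=admin result=fail
2024-05-01T09:01:12Z 198.51.100.9 login user=admin result=fail
2024-05-01T09:01:13Z 198.51.100.9 login user=admin result=fail
2024-05-01T09:01:14Z 198.51.100.9 login user=admin result=fail
2024-05-01T09:01:15Z 198.51.100.9 login user=admin result=fail
2024-05-01T09:05:00Z 192.0.2.20 login user=alice result=fail
2024-05-01T09:05:09Z 192.0.2.20 login user=alice result=ok
this line is not a login event and is skipped
"""


def parse(lines):
    """Yield one dict per well-formed login line; ignore everything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(events, min_users=5, max_tries_per_user=2, brute_force_tries=5):
    """Summarize per source IP and label the pattern.

    credential_stuffing: at least min_users distinct accounts, few tries each
    brute_force:         a single account hit at least brute_force_tries times
    normal:              everything else (e.g. one mistyped password)
    For either attack pattern, accounts that logged in successfully from the
    source are reported as compromised: in the stuffing case that means the
    user reused a password already present in a breach corpus.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["ok_users"].add(e["user"])

    findings = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        tries_per_user = s["attempts"] / distinct
        if distinct >= min_users and tries_per_user <= max_tries_per_user:
            kind = "credential_stuffing"
        elif distinct == 1 and s["attempts"] >= brute_force_tries:
            kind = "brute_force"
        else:
            kind = "normal"
        findings[ip] = {
            "kind": kind,
            "attempts": s["attempts"],
            "distinct_users": distinct,
            # accounts needing a forced reset and a session revoke
            "compromised": sorted(s["ok_users"]) if kind != "normal" else [],
        }
    return findings


def run(log_text=SAMPLE_LOG):
    return analyze(parse(log_text.splitlines()))


if __name__ == "__main__":
    for ip, finding in run().items():
        print(ip, finding)
```

The distinguishing ratio is attempts per distinct user: a stuffing source stays near 1 because each pair is tried once, while a brute-force source stays at 1 distinct user with a high attempt count. In production the same counters would be kept per source over a sliding window rather than over a whole file.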
As for your users, provide phishing training as mistakes arise, e.g. when someone clicks on a phishing URL. Users are more likely to learn from contextual training based on a real event, as it happens, than from annual training. Finally, trust and act on what your users report. Offer a feedback loop that allows users to report suspicious emails, and make sure there is a closed loop with the email filter so that the engine learns from this feedback and continually improves.

• Intercepting communication: To map your network or gain more information about the environment, red teams will circumvent common security techniques by intercepting communications such as internal emails, texts, or even phone calls.
• Social engineering: Red teams will try to exploit weaknesses in the people within your organization by relying on human nature. They will try to manipulate employees into giving up access credentials via phishing, phone calls, text messaging, or by falsifying an identity on-site.

Red teaming is a full-scope, multi-layered attack simulation designed to measure how well your people, networks, applications, and physical security controls can withstand an attack from a real-life adversary. A strong red team will therefore employ an array of tools, tactics, and strategies to breach your defences.

Red teaming benefits
At the broadest level, the value of red teaming is that it provides a comprehensive picture of cybersecurity within your organization. Red teams should be as creative and resourceful as real-life malicious actors, who will inevitably probe and test every square inch of the potential attack surface. The assessment doesn't conclude after the initial vulnerabilities are discovered and exposed, however. The exercise extends to re-testing, lateral movement, and remediation phases that test just about every aspect of your cybersecurity strategy. You will be able to completely assess your capability to detect, remediate, and prevent targeted attacks. In fact, the real work typically begins after a red team intrusion, when you perform forensic analysis of the attack and formulate ways to mitigate the vulnerabilities it exposed. Red teaming also offers several other benefits when used in conjunction with other threat analysis techniques:

• Identification of the risk and susceptibility of attack against key business information assets and technology systems.
• Simulation of the tactics, techniques, and procedures (TTPs) used by genuine threat actors in a risk-managed and controlled environment.
• Assessment of your organization's ability to detect, respond to, and prevent sophisticated and targeted threats before they take place.
• Encouragement of close engagement with internal incident response teams to provide meaningful mitigation and comprehensive post-assessment debrief workshops.
• Compliance assistance: strengthen your cyber defence posture to be up to par with relevant frameworks such as CCPA, FISMA, or HIPAA.
• Training and cybersecurity education of your entire staff, from the executive level down to rank-and-file workers.
• Performance-metric gathering with regard to cyber defences without the downside of a real-life attack. You will collect measurements that are relevant to real-world performance.
• Prioritization of cybersecurity initiatives and expenses based on the results of the exercise. Become more cost-efficient and address the most pressing needs first.

These are just a few of the main benefits that red teaming provides. Next, we'll cover how to decide if your organization needs red teaming and who benefits.

Who needs red teaming?
Just about any company and organization, public or private, can benefit from some form of red teaming.
Even if your company doesn't work in technology or isn't necessarily IT-focused, it is still likely that red teaming will be useful, as hackers might be after the personal, sensitive information of customers held in your data stores, or that of internal employees. For smaller firms it is understandably more costly and difficult to deploy the significant resources needed for comprehensive red teaming exercises. In this case it is typically worthwhile to contract out the red teaming process, using an experienced cybersecurity and compliance partner.

Red teaming considerations
Though almost every company can benefit from red teaming, the best time to undertake this practice, and how frequently to do it, will vary according to your sector and the maturity of your cybersecurity defences. Here are some key considerations when planning your future red teaming exercises:

• Automation: You should already be engaged in activities such as asset inventory and vulnerability analysis. Your organization should also be combining automated technology with human intelligence by implementing regular, robust penetration testing. Process automation will make it easier to conduct, and to measure the results of, red teaming.
• Preparation: Once you've completed several business cycles of vulnerability assessment and penetration testing, you can start red teaming. Only after you've completed these preparations can the full value of red teaming be realized. Attempting to bring in red teaming before establishing a solid and consistent cybersecurity baseline will produce very little value.
• Comparison: To be truly effective, the insights produced by the red team need to be given context by comparing them against previous penetration testing and vulnerability assessment activity.

We've mentioned penetration testing as both a tactic and a key consideration within the realm of red teaming. Therefore, it's important to understand the differences and similarities between red teaming and pen testing.

Red teaming vs. penetration testing
Though pen testing is important, it is only one part of what a red team does. Red team operations have broader objectives than pen tests, whose goal is often just to get access to a network. Red team exercises are designed to emulate a more real-world advanced persistent threat (APT) scenario and result in a review of defensive strategies and a detailed risk analysis. Penetration testing is only a small part of red teaming. Red teaming includes evasion and persistence, privilege escalation, and exfiltration, whereas penetration testing exercises only the first part of the cyber kill chain.

Time box: This is the time frame in which each activity is conducted. For pen testing the time box is extremely narrow, typically less than one day. For red teaming, the time box can be extended over multiple days, weeks, and even months.

Tooling: Pen testing and red teaming also employ different tools and technologies. Employees will typically conduct a pen test using commercially available software. Red teams are encouraged to use any tool, trick, or tactic in their arsenal and to think creatively while attempting to breach systems.

Awareness: This is one of the most distinct differences between pen testing and red teaming. With pen testing, most of your employees are aware of what's taking place. Red teaming exercises, by contrast, require that your organization (apart from the few people who authorize and oversee the exercise) is unaware of it, to get a real picture of your cyber defences.

Vulnerabilities: Which vulnerabilities are attacked will also differ. In pen testing, known vulnerabilities are specified and targeted to see how well-defended they are. Red teams won't just exploit a single vulnerability, however. They'll also seek out new ones in your network and attempt to move laterally.