Friday, March 24, 2023

Security Testing | Security 4 No0bs - MITRE ATT&CK


Mitre ATT&CK

This is a brief, high-level look at a "Blue Team" cybersecurity defense framework. I won't be going too deep into the technicals of how it works, but I will cover some of the basics of what I'm learning. To illustrate the purpose of this framework, let's consider football - namely Offense vs Defense.

What is Mitre ATT&CK

In football, it is super-critical and advantageous for the Defense to know what the Offense is capable of, understand trends, and know how to respond. Basically, situational awareness. MITRE's Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) is that "situational awareness" concept wrapped in a framework.

Imagine the scenario: 2nd quarter, game is tied, the Offense tends to throw a lot, but the situation warrants a run or run/pass option. As a Defender, it is imperative to know what to anticipate. Blue Team, aka Cybersecurity Defenders, must be able to "read & react" when a situation occurs that warrants further investigation.

The framework consists of 6 different actions to take:

  1. Develop & Update Malicious Activity Model
    • This is like the Defense's playbook. A model is an understanding for what the threat actor is doing, how, and why.
  2. Develop Hypotheses and Abstract Analytics
    • To understand what the Offense might do (or has done), a hypothesis is drafted. The hypothesis must be concise and succinct.
    • Analytics serve to track the "how" of an attack.
  3. Determine Data Requirements
    • There's a long list of criteria that are factored in to writing up a good model, primarily with the efficacy of the data and its source.
  4. Identify and Mitigate Data Collection Gaps
    • Eliminate any likelihood of "escaped" data; that is, any data missing from or obsolete in the model.
  5. Implement Test Analytics
    • Use the constructed playbook to set up a Defensive posture.
  6. Hunt / Detect Malicious Activity and Investigate
    • Deploy the defense and have Red Teamers test it.

These 6 actions iterate as many times as necessary. The goal of Defense is to have close to no false negatives (truly malicious activity that goes undetected) and only true positives among the detected issues (that is to say, Defense caught something truly malicious instead of confusing a benign action with a hostile one). The MITRE framework attempts to aggregate information from a wide array of resources so defenders can "read & react" to an event caught by an intrusion detection or intrusion prevention system.

Blue Team spots something fishy on their scanners. They investigate and see something is up. Based on the attack pattern and the area compromised, they can refer to their model to understand what the attack type is, what it is targeting and why, and how to craft a threat mitigation plan against it.
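To make the 6 actions concrete, here is one turn of the hypothesis / analytic / test loop as an added example in Python. This is my own illustration, not code from MITRE or from the Cybrary course: the hypothesis is the ATT&CK technique T1110 (Brute Force, a real technique ID), the analytic is "N or more failed logins from one source inside a time window, followed by a success", and the log lines and the "known malicious" label are constructed for the example so it runs offline.

```python
"""
Added example (not from the original post): one pass through the
hypothesis -> analytic -> data -> test loop described above.

Hypothesis : an adversary is guessing passwords against the login endpoint
             (ATT&CK technique T1110, Brute Force).
Analytic   : >= threshold failed logins from one source IP within window_s
             seconds, followed by a success from that IP, is flagged.
Data needs : authentication events with timestamp, source IP, user, result.
The log lines and labels below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth events: "<ISO timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2023-03-24T10:00:01 203.0.113.7 alice FAIL
2023-03-24T10:00:03 203.0.113.7 alice FAIL
2023-03-24T10:00:05 203.0.113.7 alice FAIL
2023-03-24T10:00:06 203.0.113.7 alice FAIL
2023-03-24T10:00:08 203.0.113.7 alice FAIL
2023-03-24T10:00:09 203.0.113.7 alice SUCCESS
2023-03-24T10:00:02 198.51.100.9 bob FAIL
2023-03-24T10:05:02 198.51.100.9 bob FAIL
2023-03-24T10:10:02 198.51.100.9 bob SUCCESS
2023-03-24T10:00:10 192.0.2.4 carol SUCCESS
"""

# Constructed ground truth for step 6: only alice's source is a real attack;
# bob is a forgetful user who typed the wrong password twice in ten minutes.
KNOWN_MALICIOUS = {"203.0.113.7"}


def parse_events(text):
    """Parse the constructed log format into dicts, skipping malformed lines,
    and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_analytic(events, threshold=5, window_s=60):
    """Return the set of source IPs matching the T1110 hypothesis."""
    recent_fails = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for e in events:
        q = recent_fails[e["ip"]]
        # Slide the window: forget failures older than window_s seconds.
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
        elif len(q) >= threshold:
            flagged.add(e["ip"])
    return flagged


def evaluate(flagged, truly_malicious):
    """Step 6: compare the analytic's output with what is known to be
    malicious, so the model and thresholds can be tuned on the next pass."""
    return {"true_positives": sorted(flagged & truly_malicious),
            "false_positives": sorted(flagged - truly_malicious),
            "false_negatives": sorted(truly_malicious - flagged)}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(evaluate(brute_force_analytic(events), KNOWN_MALICIOUS))
    # A looser threshold/window catches bob too: a false positive, which is
    # exactly what the next iteration of the loop would go back and fix.
    print(evaluate(brute_force_analytic(events, threshold=2, window_s=600),
                   KNOWN_MALICIOUS))
```

With the default threshold and window the analytic flags only alice's source (a true positive, no false negatives); loosening it to 2 failures in 10 minutes also flags bob, which `evaluate` reports as a false positive. That difference is the iteration the post talks about: tune the analytic, re-test, repeat.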

It is not a hard framework to learn, nor is it overly simplified. But this is a great thing to learn, do, and grow.

Ciao For Now!

Tune in next week, I will give a brief write-up on some cool attacks learned from Security+ and Network+

Security Testing Journal Entry | w/e Friday March 24, 2023


Highlights for the week

At about this time I would be panicking about the fact the money is running out, the refrigerator is near empty, and things aren't getting better.

Not today! Not this week!

This week has been nothing short of amazing. In the dog house with the missus, but that's a story for another time. I don't have the bandwidth to concern myself with other people's concerns. As the sole bread-winner, I have a responsibility to right this ship and get back on the work path. No more f** ups! My family deserves my best.

Also, there were a couple of great podcasts and seminars I attended this week that have become a huuuuge step forward in my Cybersecurity learnings.

What We Loved

  1. Right off the jump, the "We Hack Purple" & "ThreatX" Podcasts were amazing. They touched on a lot of subjects, primarily focused on the lack of diversity in the field.
  2. Becoming a part of the RHINO community was awesome. Joined their discord server and will network with many in the group as time permits. They do cloud security, but mostly PEN TESTING as well.
  3. Made it to the final stage of my interview at Paperless Post. It's an exciting opportunity to learn something cool and the pay is better than at Tatango.
  4. I've been keeping up with my workouts and forever listening to positive YT channels from time to time. The theme was about "forgiveness" - it's more for you than for them.
  5. Completed "Cult*ure: Chapter 3". Need to be inspired for Chapter 4.

What We Learned

  1. Cybrary - completed module 3. The learning continues
  2. Security+ - paused for working through MITRE. Queued up is "Application Attacks"
  3. Burp Suite - completed modules on OAuth - SSRF attack (basically obtain oauth credentials by way of an image's request url)
  4. Automation - made some basic API tests in CYPRESS. Didn't get very far with Appium on Webdriver or JAVA (the final piece). Python framework back in working order.

What We Longed For

  1. More time. Not enough hours in the day, and getting up at 4am in this household is improbable.

What We Loathed

  1. N/A .. it has been a pleasant week.

Friday, March 17, 2023

Security Testing Journal Entry | w/e Friday March 17, 2023


Highlights for the week - St. Patrick's Edition

Another quiet week of unemployment. Officially at the 7-month mark. To say it's a rough job market is an understatement. We're talking 500+ applicants to every job lead. Good news is I have a 2nd interview next week. Gotta make it happen. Meanwhile, lots of great security lessons.


What We Loved

  1. Working out and getting some great rest

What We Learned

  1. For Security+, lots of exciting things by way of learning about Threat Hunting, Vulnerabilities / Pentesting, and Security Assessments
  2. Google cloud education continued. Some cool lessons on cloud infrastructure and security.
  3. Making great progress on Network+ fundamentals. On to module 2
  4. Interesting thing on the automation front. Next week will be centered on Java and some Appium practice.
  5. Signed up for Cybrary course on Mitre ATT&CK framework. That should be fun.
  6. Some progress on Burp Suite as well. Learned about stealing OAuth credentials by manipulating an image

What We Longed For

  1. Need more time to get back to writing. I have chapter 2 of the book near-complete.

What We Loathed

  1. Unemployment is a bitch! The job search really .. really .. really sucks

Friday, March 10, 2023

Security Testing | Security 4 No0bs - Burp Suite


Today's tool to learn: Burp Suite


So what is Burp Suite?

Burp Suite is a proxy tool that sits between your computer (the browser) and the application. When configured to do so, it "reads" the interactions/requests between the two and allows you to interact with them in all kinds of ways. Interactions such as:

  • With Target you can create a site map of the entire application and its pages for future use
  • You can view the application's requests with Proxy > HTTP History
  • Intruder lets you configure automated attacks like Brute-force login
  • The Repeater allows you to intercept a request, modify it in some way, then send it back into the system. A really deadly tool in the hands of a skilled person

And this is just the tip of the proverbial iceberg. There are a plethora of features and functions to use. There's a Community Edition and a PRO version of Burp Suite. The Community Edition is a great introduction to learning how to proxy an application and play with the requests. The PRO version allows you to add a plethora of extensions that transform this platform into a powerful tool in your arsenal.


Why Burp Suite?

There might be many options available to use, but none can match Burp Suite's array of features. It is only limited by the mind of the user. The setup is simple and the learning curve is optimal.


How to use Burp Suite?

I won't go into the many many .. many ways to use Burp Suite, but I can offer a quick example. We'll use a simple scenario where you browse a fake website, visit the product details page, intercept the request to change the price, then send it and place the order:

  1. To begin: download Burp Suite (Community or PRO)
  2. If using Firefox, follow the directions on how to configure FoxyProxy. For Chrome, no action is needed.
  3. Launch Burp Suite and skip past the options to configure a new project. Simply click "Start.."
  4. Once the application is launched, click Target > Open browser -> this opens a built-in Chromium instance that is pre-configured by Burp Suite to proxy the requests.
  5. Paste the following url in the address bar: https://5elementslearning.dev/demosite/index.php
  6. In Burp Suite, click Proxy > HTTP History. Pro-tip: right-click into the pane and click Clear History .. just to remove any noise from site navigation.
  7. Browse the site and select a product to arrive at the product details page. Note the displayed price.
  8. Add the item to the cart, then look for the request in Burp Suite
  9. Right-click on the request and click Send to Repeater
  10. In the Repeater, scroll to where the price is displayed and modify it so the price is more to your liking, then click the SEND button.
  11. Proceed through the checkout flow with the product and its new price. If the price reverts, change it again in the final step before submission.

Et Voila! You have just 'hacked' an e-commerce site. Congratulations!! This is one of many many ... many scenarios you can learn via the labs.
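The reason the walkthrough above works is that the demo shop trusts the price the browser sends. Here is an added Python example of my own (not the demo site's PHP, and not PortSwigger's code) showing the vulnerable order handler next to a hardened one that takes the price from the server-side catalog and only uses the client's value to spot tampering. The catalog, SKUs and both requests are constructed for the example.

```python
"""
Added example (not part of the original post, not the demo site's code):
the server-side bug behind the Repeater price-change scenario, beside the
fix. The catalog, SKUs and request bodies are constructed for this example.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"SKU-1001": Decimal("49.99"), "SKU-1002": Decimal("120.00")}


def vulnerable_place_order(request):
    """Charges whatever price the client sent. This is the pattern the
    Repeater walkthrough exploits: the server never checks the price."""
    total = Decimal("0")
    for item in request["items"]:
        total += Decimal(item["price"]) * item["qty"]
    return {"status": "accepted", "charged": total}


def hardened_place_order(request):
    """Recomputes the total from the catalog. The client-supplied price is
    never used for charging; it is only compared so tampering can be logged."""
    total = Decimal("0")
    tampered = []
    for item in request["items"]:
        sku = item.get("sku")
        qty = item.get("qty", 0)
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            return {"status": "rejected", "reason": "invalid item"}
        server_price = CATALOG[sku]
        if "price" in item:
            try:
                client_price = Decimal(str(item["price"]))
            except InvalidOperation:
                client_price = None
            if client_price != server_price:
                # Mismatch between what the browser displayed and what the
                # client submitted: a strong signal to alert on server-side.
                tampered.append(sku)
        total += server_price * qty
    return {"status": "accepted", "charged": total, "tampered": tampered}


# Constructed requests: what the browser sent, and a Repeater-modified copy
# with the price changed to 0.01 (step 10 of the walkthrough).
ORIGINAL_REQUEST = {"items": [{"sku": "SKU-1001", "qty": 1, "price": "49.99"}]}
TAMPERED_REQUEST = {"items": [{"sku": "SKU-1001", "qty": 1, "price": "0.01"}]}
NEGATIVE_QTY_REQUEST = {"items": [{"sku": "SKU-1002", "qty": -3, "price": "120.00"}]}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_place_order(TAMPERED_REQUEST))
    print("hardened:  ", hardened_place_order(TAMPERED_REQUEST))
    print("hardened:  ", hardened_place_order(NEGATIVE_QTY_REQUEST))
```

The vulnerable handler happily charges 0.01; the hardened one charges the catalog price, rejects non-positive quantities (another classic Repeater edit), and returns the list of SKUs whose submitted price disagreed with the server's, which is the event a Blue Team would want in the logs.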

For the complete list of labs, visit: portswigger.net/web-security/all-labs

Ciao For Now!

Tune in next week, I will give a brief write-up on MITRE ATT&CK and this cool book I've been reading.

Security Testing Journal Entry | w/e Friday March 10, 2023

Highlights for the week

Creeping in on 7 months of unemployment. While things are precarious to say the least, I feel this is going to be a good month. I mean it has to be. Money is running out. Skill muscles are waning, and the job search is thinning out. Whereas before I would compete against 100 to 300 people, now it's 400 to well over 1,000 applicants, most of whom are probably more talented, younger, skilled, and better equipped. But I have been oozing positivity and I know there's an opportunity out there for me. Can't mess it up this time. Also, the security test learnings have been phenomenal. Making great progress.


What We Loved

  1. Applied to many jobs this week, two of which are Cybersecurity companies (fingers crossed)
  2. Found several modules on Linked-in Learning, of which Mobile (Appium) and Security Fundamentals proved indispensable
  3. Been reading "The Red Report 2023: The Top 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries"

What We Learned

  1. Burp Suite + File Upload - Obfuscated File Extension was really interesting. Tricking the system to accept a file as ".png" when it is an exploit was fascinating
  2. Completed Unit-1 of Network+ and I can finally move forward.
  3. Learned a bit more about cloud computing. Azure and AWS were interesting. Google Cloud continued next week
  4. The moon is a harsh mistress. And when she beams her light down on you, it opens up a trove of buried demons

What We Longed For

  1. Security+ is falling behind. Will start on the big unit this weekend
  2. Need more $$ for Linked-in Learning & Hack the box

What We Loathed

  1. The advice some influencers give in the way of networking has proven a bit of a challenge. They recommend it, but most people could give 2 sh** about being pinged by a stranger
  2. While the job search remains a grind, there is a right way and a wrong way for recruiters to reject candidates. Being told, "we went with someone more qualified" is not cool!

Friday, March 3, 2023

Security Testing Journal Entry | w/e Friday March 3, 2023


Highlights for the week

We are officially in the red, people! It has been more than six months since my release from employment and the money is about to run out. There have been some promising leads that came and went. There were glimpses of hope that things were going to get better. The big tech companies are unloading people at an alarming rate. Remote positions are highly sought after and the competition isn't just with regional talent but global. I would be lying if I said I'm still cheery. The darkness of doubt and desperation is creeping in. 2am and I was flooded with all the horrors of all the dumb shit I've done since I can remember. The purge of my skeletons is in full swing.


In other news, I took a look at where I'm at with my goals and we are right on track with progress. Some areas need more attention (ie, networking), but overall it's time to rein in the objectives and stay on the path. With learning about Wireshark and Mitre, things look promising.


What We Loved

  1. Vacation was great. Got to see the Chichen Itza Mayan ruins, had some beach time, and a great cruise.
  2. Since being back, this week was heavy on the admin work and cleaning the old emails.

What We Learned

  1. Keeping with the theme of cloud computing, the learning with Google Cloud continues.
  2. Completed a Salesforce tutorial. There's one more about SF Dev that I need to finish.
  3. AWS was another lesson completed last week.
  4. For Automation, I set up the test to randomly select from a set of distinct items rather than having an explicit selection. Very cool!
  5. Attended a meeting regarding Certifications. Their value and their worth.
  6. I closed out the week before vacation learning MITRE ATT&CK .. that is a huge win!
  7. Learned a bunch with Wireshark. More on the way.
  8. Testing with burpsuite continues at a great pace.

What We Longed For

  1. Longing for work. I have maybe 1 month left before tapping into my retirement.
  2. Network+ learnings will resume next week. Same for Security+
  3. The theme next week will be to practice Vulnerability Assessment and put everything together. Pretend you're at work.
  4. I reached out to a family member to discuss opportunity to shadow a 3rd Party Security consultant. Will revisit this next week.

What We Loathed

  1. Linked.In is never lacking for influencers all spouting the same "tips" on getting noticed. Mildly irritating at times.
  2. Attended a virtual job fair that didn't have the kind of results I was looking for. Some good leads for Cybersecurity .. but I'm not there yet!!
  3. Need to do a better job with my automation test scripting. Can't get too bogged down in a single test.