Profiling
Profiling is the process of gathering device information and statistics through data analysis to create a base/default profile of how the device is supposed to behave. This gives anomaly detection a baseline/point of reference to compare against. This module covers two main categories: network profiling and server profiling.
Network Profiling
Main details captured are:
Detail | Description |
---|---|
Session Duration | The time taken from the establishment of a connection until its termination. An abnormally long duration could mean data exfiltration. |
Total Throughput | The amount of data transferred between the source and destination. An abnormally large throughput could indicate a DDoS attack or data exfiltration. |
Ports Used | The port used to facilitate the communication. An uncommonly used port to an internal asset could indicate data exfiltration/C2 server communication. |
Critical Asset Address | The IP address/logical location of essential systems or data. Egress from critical assets to unknown destinations is a huge red flag. |
Network Profiling Tools:
Server Profiling
Main details captured are:
Detail | Description |
---|---|
Listening Ports | A list of TCP and UDP ports that are open. Uncommonly used ports are an indicator of attack. |
Logged In Users & Accounts | The users and accounts that are logged in/present on the machine. An unauthorised creation of a new account or a login to uncommonly used accounts are possible indicators of attack. |
Service Accounts | List of specialised accounts used to run specific services on a machine. Uncommon usage behaviours on service accounts could indicate lateral movement by an attacker. |
Software Environment | A list of tasks and processes running on a server. Suspicious tasks indicate potential compromise. |
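The server profile above is most useful when it is recorded once and then diffed against the live state of the host. The following is an added example (not part of the original notes or of any tool they mention) that does exactly that in Python: it compares a constructed baseline of listening ports, accounts, service accounts and processes against a constructed live snapshot and reports every deviation. The `ServerProfile` fields, the host names and the planted deviations are all assumptions for the demonstration.

```python
"""Diff a server's live state against its recorded baseline profile.

Constructed example: both the baseline and the live snapshot are hard-coded
dicts standing in for data gathered from the host (listening sockets, logged-in
users, service accounts and the processes they run, process list).
"""
from dataclasses import dataclass


@dataclass
class ServerProfile:
    listening_ports: set[tuple[str, int]]   # (protocol, port) pairs that are open
    users: set[str]                         # accounts present / logged in
    service_accounts: dict[str, set[str]]   # service account -> processes it normally runs
    processes: set[str]                     # process names expected on the server


# Constructed baseline: how the web server looked when it was profiled.
BASELINE = ServerProfile(
    listening_ports={("tcp", 22), ("tcp", 80), ("tcp", 443)},
    users={"root", "deploy"},
    service_accounts={"www-data": {"nginx"}, "postgres": {"postgres"}},
    processes={"sshd", "nginx", "postgres", "cron"},
)

# Constructed live snapshot with a few deviations planted in it:
# an extra listening port, an unknown account, and the web server's
# service account running a shell.
LIVE = ServerProfile(
    listening_ports={("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 8081)},
    users={"root", "deploy", "support1"},
    service_accounts={"www-data": {"nginx", "bash"}, "postgres": {"postgres"}},
    processes={"sshd", "nginx", "postgres", "cron", "bash"},
)


def diff_profiles(baseline: ServerProfile, live: ServerProfile) -> list[str]:
    """Return one human-readable finding per deviation from the baseline.

    Only additions are reported: something present now that the profile did
    not contain. Disappearances (a service that stopped) are a different
    class of problem and are left to availability monitoring.
    """
    findings = []
    for proto, port in sorted(live.listening_ports - baseline.listening_ports):
        findings.append(f"new listening port {proto}/{port}")
    for user in sorted(live.users - baseline.users):
        findings.append(f"unknown account present: {user}")
    for account, procs in sorted(live.service_accounts.items()):
        expected = baseline.service_accounts.get(account, set())
        for proc in sorted(procs - expected):
            findings.append(f"service account {account} running unexpected process {proc}")
    for proc in sorted(live.processes - baseline.processes):
        findings.append(f"unexpected process: {proc}")
    return findings


if __name__ == "__main__":
    for finding in diff_profiles(BASELINE, LIVE):
        print("ALERT:", finding)
```

A clean host returns an empty list, which makes the function easy to wire into a scheduled job that only pages when the list is non-empty. The baseline itself should be re-recorded after every authorised change (new service, new administrator), otherwise legitimate changes keep firing as anomalies.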
Network Anomaly Detection
The data from the network profiling done above can then be compared to live data and used to detect anomalies. Anomaly detection on servers was not mentioned.
Network anomaly detection is done by sampling packets every minute and comparing the sampled details with the profiled details. If any measurement exceeds a predefined threshold, an alert is sent.
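To show how the four network profiling details and the threshold comparison fit together, here is an added Python example (not from the original notes or any product). It builds a profile from a constructed set of historical flow records, derives a threshold per metric as mean plus three standard deviations, and then flags sampled flows that exceed a threshold, use a port never seen before, or leave a critical asset for an unknown destination. The flow records, the IP addresses, the critical-asset list and the choice of three standard deviations are all assumptions.

```python
"""Threshold-based network anomaly detection against a learned profile.

Constructed example: HISTORY stands in for flow records collected during the
profiling period; SAMPLES stand in for flows sampled from live traffic.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: float
    bytes_total: int


# Constructed historical flows used to build the profile.
HISTORY = [
    Flow("10.0.0.5", "10.0.0.20", 443, 30.0, 120_000),
    Flow("10.0.0.5", "10.0.0.20", 443, 45.0, 150_000),
    Flow("10.0.0.6", "10.0.0.20", 443, 40.0, 110_000),
    Flow("10.0.0.7", "10.0.0.21", 22, 300.0, 50_000),
    Flow("10.0.0.7", "10.0.0.21", 22, 280.0, 48_000),
    Flow("10.0.0.8", "10.0.0.20", 80, 20.0, 90_000),
]

# Constructed list of essential systems whose egress deserves extra scrutiny.
CRITICAL_ASSETS = {"10.0.0.20", "10.0.0.21"}


def build_profile(flows, k=3.0):
    """Learn thresholds (mean + k * stdev) and the known ports and peers."""
    durations = [f.duration_s for f in flows]
    sizes = [f.bytes_total for f in flows]
    return {
        "max_duration": statistics.mean(durations) + k * statistics.pstdev(durations),
        "max_bytes": statistics.mean(sizes) + k * statistics.pstdev(sizes),
        "known_ports": {f.dport for f in flows},
        "known_peers": {f.src for f in flows} | {f.dst for f in flows},
    }


def detect_anomalies(flow, profile, critical_assets=CRITICAL_ASSETS):
    """Return the list of anomaly tags raised by one sampled flow (empty if normal)."""
    tags = []
    if flow.duration_s > profile["max_duration"]:
        tags.append("long_session")          # possible slow exfiltration
    if flow.bytes_total > profile["max_bytes"]:
        tags.append("high_throughput")       # possible bulk exfiltration / flood
    if flow.dport not in profile["known_ports"]:
        tags.append("unusual_port")          # possible C2 channel
    if flow.src in critical_assets and flow.dst not in profile["known_peers"]:
        tags.append("critical_egress")       # critical asset talking to a stranger
    return tags


# Constructed live samples: one normal, one egress from a critical asset, one odd port.
SAMPLES = [
    Flow("10.0.0.5", "10.0.0.20", 443, 35.0, 125_000),
    Flow("10.0.0.20", "203.0.113.9", 443, 7200.0, 900_000_000),
    Flow("10.0.0.9", "10.0.0.20", 6667, 10.0, 5_000),
]


def run(samples=SAMPLES, history=HISTORY):
    """Evaluate every sample and return {flow: tags} for the flows that alerted."""
    profile = build_profile(history)
    return {f: t for f in samples if (t := detect_anomalies(f, profile))}


if __name__ == "__main__":
    for flow, tags in run().items():
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport} {tags}")
```

Mean plus three standard deviations is a deliberately simple threshold; on a real network the profile should be built per asset (or per asset class) and re-learned as traffic patterns change, otherwise a single busy backup job will either be missed or swamp the alert queue.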
Network Vulnerability Testing
Testing can be done via risk analysis, vulnerability assessments and/or penetration testing. The differences between them are highlighted in the table below:
 | Risk Analysis | Vuln Assessment | Pentesting |
---|---|---|---|
Points | Determines risk; hypothetical threat; hypothetical vulns | Looks for vulns; real threat; hypothetical vulns | Exploits vulns; real threat; real vulns |
Tools | Internal/external consultants, risk management frameworks | OpenVAS, Microsoft Baseline Analyser, Nessus, Qualys, Nmap | Metasploit, CORE Impact, ethical hackers |
CVSS Metrics
Metric | Details | Score |
---|---|---|
Base Metric | - Set by vendor - Does not change | Base Score |
Temporal Metric | - Set by vendor - Changes with time | Temporally Adjusted Score |
Environmental Metric | - Optional - Set by end-user | Environmentally Adjusted Score |
Secure Device Management
A form of risk management; devices must be kept up to date to prevent exploits and must have defensive measures in place for when they are exploited.
Mobile Device Management (MDM)
- Companies allow employees to bring personal mobile devices to work
- Such devices are outside of the company’s control
- They can be exploited by threat actors to gain access to the company
- MDM reduces the risk by implementing the following features:
  - Disabling lost devices
  - Encrypting data
  - Using stronger authentication
- MDM platforms include:
  - Cisco Meraki — Remote configuration, monitoring & updating
Configuration Management
- Uses programmable cloud configurations to reduce configuration errors and vulnerabilities
- Tools: Puppet, Ansible, Chef, SaltStack
Enterprise Patch Management
- Keeping OSes up to date is the most effective way to reduce the amount of vulnerabilities
- Techniques:
  - Agent-based — Clients have an agent that polls a patch server for updates
  - Agentless Scanning — Server scans the network to apply patches
  - Passive Network Monitoring — Server applies patches based on publicly visible version details (e.g. the Nginx version disclosed in an HTTP header)
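The passive network monitoring technique above rests on parsing version details out of traffic the server already emits. As an added example (not part of the original notes or of any patch management product), the Python below takes a set of constructed HTTP response headers, extracts the product and version from the `Server` header, and compares each host against a constructed minimum-version policy so a patch server could decide which hosts still need updating. The hosts, the responses and the minimum versions are all assumptions for the demonstration.

```python
"""Passive version audit: read product/version from HTTP Server headers and
compare them with a minimum-version patch policy.

Constructed example: SAMPLE_RESPONSES stand in for response headers observed on
the wire; MINIMUM_VERSIONS stands in for the patch server's policy.
"""
import re

# Constructed sample responses, keyed by the host that sent them.
SAMPLE_RESPONSES = {
    "10.0.0.20": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.21": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
    "10.0.0.22": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    "10.0.0.23": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",   # Server header suppressed
    "10.0.0.24": "HTTP/1.1 200 OK\r\nServer: CustomFrontend/3.1\r\n\r\n",   # product not in policy
}

# Constructed policy: the minimum version the patch server expects per product.
MINIMUM_VERSIONS = {"nginx": (1, 24, 0), "apache": (2, 4, 58)}

# product/version, where version is dotted integers; trailing text such as
# "(Ubuntu)" is ignored.
SERVER_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def parse_server_header(raw_response):
    """Return (product, version_tuple) from the Server header, or None if absent/unparseable."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            m = SERVER_RE.match(value.strip())
            if m is None:
                return None
            return m.group(1).lower(), tuple(int(x) for x in m.group(2).split("."))
    return None


def audit(responses, minimums):
    """Map each host to 'current', 'outdated', 'unknown-product' or 'no-version'."""
    report = {}
    for host, raw in responses.items():
        parsed = parse_server_header(raw)
        if parsed is None:
            report[host] = "no-version"
        else:
            product, version = parsed
            if product not in minimums:
                report[host] = "unknown-product"
            elif version < minimums[product]:       # tuple comparison handles 1.18.0 < 1.24.0
                report[host] = "outdated"
            else:
                report[host] = "current"
    return report


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_RESPONSES, MINIMUM_VERSIONS).items()):
        print(f"{host}: {status}")
```

The two non-numeric outcomes are the important caveat of this technique: a host that suppresses or rewrites its `Server` header, or runs software the policy does not know, yields no decision at all, so passive monitoring works as a complement to agent-based or agentless patching rather than a replacement for it.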