Introduction

  • In a nutshell, infosec is the practice of protecting data from unauthorized access, changes, unlawful use, disruption, etc.

  • Data can be electronic or physical and tangible (e.g., design blueprints) or intangible (knowledge).

  • A common phrase that will come up many times in our infosec career is protecting the "confidentiality, integrity, and availability of data," or the CIA triad.

Risk Management Process

| Step | Explanation |
| --- | --- |
| Identifying the Risk | Identifying risks the business is exposed to, such as legal, environmental, market, regulatory, and other types of risks. |
| Analyze the Risk | Analyzing the risks to determine their impact and probability. The risks should be mapped to the organization's various policies, procedures, and business processes. |
| Evaluate the Risk | Evaluating, ranking, and prioritizing risks. Then, the organization must decide to accept (unavoidable), avoid (change plans), control (mitigate), or transfer risk (insure). |
| Dealing with Risk | Eliminating or containing the risks as best as possible. This is handled by interfacing directly with the stakeholders for the system or process that the risk is associated with. |
| Monitoring Risk | All risks must be constantly monitored for any situational changes that could change their impact score, i.e., from low to medium or high impact. |

Red Team vs. Blue Team

  • In the simplest terms, the red team plays the attackers' role, while the blue team plays the defenders' part.

  • Red teamers usually play an adversary role in breaking into the organization to identify any potential weaknesses real attackers may utilize to break the organization's defenses. The most common task on the red teaming side is penetration testing, social engineering, and other similar offensive techniques.

  • On the other hand, the blue team makes up the majority of infosec jobs. It is responsible for strengthening the organization's defenses by analyzing the risks, coming up with policies, responding to threats and incidents, and effectively using security tools and other similar tasks.

Role of Penetration Testers

  • A security assessor (network penetration tester, web application penetration tester, red teamer, etc.) helps an organization identify risks in its external and internal networks.

  • A good tester can work with a client to identify risks to their organization, provide information on how to reproduce these risks, and guidance on either mitigating or remediating the issues identified during testing.

  • Assessments can take many forms, from a white-box penetration test against all in-scope systems and applications to identify as many vulnerabilities as possible, to a phishing assessment to measure the risk posed by employees' security awareness, to a targeted red team assessment built around a scenario to emulate a real-world threat actor.

Getting Started with a Pentest Distro

  • Depending on the client environment or scope of the assessment, we may be using a Linux or Windows VM on our machine, our base operating system, a cloud Linux box, a VM installed within the client's environment, or even performing testing directly from a client-owned workstation to simulate an insider threat.

  • There are many Linux distributions (distros) for penetration testing. There are quite a few Debian-based pre-existing distros preloaded with many tools that we need to perform our assessments.

  • The choice of a distro is individual, and we can even choose to create and maintain our own from scratch. There are countless Linux distros out there that serve various purposes, some explicitly customized for penetration testing, others geared towards web application penetration testing, forensics, etc.

  • There are many ways to set up our local pentest distro. We can install it as our base operating system (though not recommended), configure our workstation to dual boot (time-consuming to switch back and forth between operating systems), or install using virtualization.

ISO

  • The ISO file is essentially just a CD-ROM that can be mounted within our hypervisor of choice to build the VM by installing the operating system ourselves.

  • An ISO gives us more room for customization, e.g., keyboard layout, locale, desktop environment switch, custom partitioning, etc., and therefore a more granular approach when setting up our attack VM.

OVA

  • The OVA file is a pre-built virtual appliance that contains an OVF XML file that specifies the VM hardware settings and a VMDK, which is the virtual disk that the operating system is installed on.

  • An OVA is pre-built and therefore can be rapidly deployed to get up and running quicker.

Staying Organized

  • Whether we are performing client assessments, playing CTFs, taking a course in Academy or elsewhere, or playing HTB boxes/labs, organization is always crucial.

Folder Structure

  • When attacking a single box, lab, or client environment, we should have a clear folder structure on our attack machine to save data such as: scoping information, enumeration data, evidence of exploitation attempts, sensitive data such as credentials, and other data obtained during recon, exploitation, and post-exploitation.
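The following POSIX shell function, an added example and not part of the original notes, builds one such per-engagement folder tree from the data categories listed above (the directory names are my own assumptions) and locks the credentials directory to owner-only access so sensitive loot is not readable by other accounts on a shared attack host.

```shell
#!/bin/sh
# Added example, not from the original notes: create a per-engagement folder
# tree for the data categories listed above. Directory names are assumptions.
# Usage: make_engagement_dir <base-dir> <engagement-name>
make_engagement_dir() {
    base="$1"
    name="$2"
    root="$base/$name"

    # One directory per phase / data type: scoping, recon, enumeration,
    # exploitation attempts and evidence, post-exploitation, loot, reporting
    for sub in scoping recon enumeration exploitation post-exploitation \
               evidence/screenshots evidence/logs credentials report; do
        mkdir -p "$root/$sub"
    done

    # Credentials and other sensitive data: owner-only, no group/other access
    chmod 700 "$root/credentials"

    # Running notes file so every command and finding has a home from day one
    if [ ! -f "$root/NOTES.md" ]; then
        printf '# %s\n\nStarted: %s\n' "$name" \
            "$(date -u +%Y-%m-%dT%H:%MZ)" > "$root/NOTES.md"
    fi

    # Return the engagement root so callers can cd into it
    printf '%s\n' "$root"
}
```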

Note Taking Tools

  • Various tools can be used for organization and note-taking. Selecting a note-taking tool is very individual. Some of us may not need a feature that another person requires based on their workflow.

  • Example Tools:

    • Cherrytree

    • Visual Studio Code

    • Evernote

    • Notion

    • GitBook

    • Sublime Text

    • Notepad++

Learning Markdown language is easy and very useful for note taking, as it can be easily represented in a visually appealing and organized way.

Other Tools and Tips

  • Every infosec professional should maintain a knowledge base.

  • This knowledge base should contain quick reference guides for setup tasks that we perform on most assessments and cheat sheets for common commands that we use for each phase of an assessment.

  • As we complete boxes, labs, assessments, training courses, etc., we should be aggregating every payload, command, and tip as we never know when one may come in handy.

  • We should also maintain checklists, and report templates for various assessment types, and build a findings/vulnerability database.

Connecting Using VPN

  • A virtual private network (VPN) allows us to connect to a private (internal) network and access hosts and resources as if we were directly connected to the target private network.

  • At a high level, a VPN works by routing our connecting device's internet connection through the target VPN's private server instead of our internet service provider (ISP).

  • There are two main types of remote access VPNs: client-based VPN and SSL VPN.

Client-based VPN

  • Client-based VPN requires the use of client software to establish the VPN connection.

  • Once connected, the user's host will work mostly as if it were connected directly to the company network and will be able to access any resources (applications, hosts, subnets, etc.) allowed by the server configuration.

SSL VPN

  • SSL VPN uses the web browser as the VPN client.

  • The connection is established between the browser and an SSL VPN gateway, which can be configured to allow access only to web-based applications such as email and intranet sites, or even to the internal network, without the end user needing to install or use any specialized software.
