SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment

Overview

In section one, students will develop the skills needed to conduct high-value vulnerability assessments with measurable impact. We will explore the elemental components of successful vulnerability assessment programs, deconstruct the logistical precursors to value-added operations, and integrate adversarial threat modeling and intelligence.

To lens our approach to cybersecurity it is vital to consider the evidence available to use from those who have come before. To this effect we will cover numerous breach case studies including those of the infamous Colonial Pipeline and Equifax. Creating change in our environments, often requires us to communicate the importance of its vulnerabilities. Exploring past exploitation cases enables us to be vigilant for the similarities within our own environments.

Scale and architecture are major challenges for an enterprise. We will discuss techniques and strategies to overcome these obstacles, and perform a table-top exercise to connect theory with reality. We will also dive into fundamental information security topics, explore the nuanced differences between major categories of services, and examine the industry's foremost methodologies for vulnerability assessment. We will examine the strategic influences that impact a typical enterprise and its vulnerability management program.

The goal of SEC460 is to arm the vulnerability assessor with the knowledge and understanding required to capture and deconstruct vulnerabilities that affect the enterprise both on-premise and in the cloud. This first course section establishes a foundational basis to attain this goal using real-world case studies and hands-on exercises.

Exercises

• Case Study: Equifax
• Vulnerability Assessment Methodology – VAF
• Lab: Asset Inventory Vulnerability Discovery
• Case Study: To Patch or Not to Patch
• Case Study: Colonial Pipeline
• Lab: VECTR
• Lab: Threat Modeler
• Lab: OSINT Vulnerability Discovery
• Case Study: Cloud Information Disclosure

Topics

• Maximizing Value from Vulnerability Assessments and Programs
• Strategic and Tactical Vulnerability Management Approaches
• Patch Management and Remediation Strategies
• Setting Up for Success at Scale: Enterprise Architecture and Strategy
• Developing Transformational Vulnerability Assessment Strategies
• Performing Enterprise Threat Modelling
• Threat-Centric Threat Modeling (TCTM) with VECTR
• System-Centric Threat Modeling (SCTM) with Threat Modeler
• Generating Compounding Interest from Threat Intelligence and Avoiding Information Overload
• The Vulnerability Assessment Framework
• Vulnerability Data Management Tools and Techniques
• Overview of Comprehensive Network Scanning
• Compliance Standards and Information Security
• Team Operations and Collaboration
• Discovering Open-Source Disclosure and Understanding these Risks
• Cloud Information Disclosure Vulnerabilities and Open-Source Intelligence Gathering (OSINT)

Overview

As the structural foundations of vulnerability management are covered in section one, this course section will pivot to the realm of direct tactical application. Comprehensive reconnaissance, enumeration, and discovery techniques are the prime elements of successful vulnerability assessment. While gaining additional familiarity with hands-on enterprise operations, you will systematically probe the environment in order to discover the relevant host, service, version, and configuration details that will drive the remainder of the assessment system.

The enterprise and cloud are becoming ever more intertwined as time goes on. Often, it can be difficult to recommend moving toward this transformation within your enterprise, but the transformation is happening, it is constantly evolving, and it is vulnerable. In this course section we will take a hands-on approach to the discussion of the cloud by examining technologies and dissecting the attack surface that is rapidly becoming a core component of our enterprise vulnerability space. We'll look into assessment tools for the cloud and observe real attacks in action. Together, we can identify the potential for vulnerability and strike first.

As we begin active scrutiny of the enterprise, you will learn how to interpret tool output and form a detailed network map. We will explore proven methods to ensure the integrity of our dataset as we identify IP addresses, operating systems, platforms, and services. The section culminates with a case study involving a real organization that experienced a breach of their hybrid-cloud environment, but was able to detect and respond adequately due to consistent attention to vulnerability management. section two concludes by diveing deeper into the PowerShell scripting language with a focus on large-scale system management, vulnerability discovery, and mitigation.

Exercises

• PowerShell Primer
• Advanced Reconnaissance
• Scanning with Nmap
• Case Study: Hybrid-Cloud Incident Response
• Enterprise and Cloud Scanning
• PowerShell as an Operations Platform

Topics

• PowerShell Operations for Discovery
• Automating Vulnerability Assessment Tasks with PowerShell
• Active and Passive Reconnaissance
• Reconnaissance Frameworks
• Identification and Enumeration with DNS
• DNS Zone Speculation and Dictionary-Enabled Discovery
• Port Scanning with Nmap and Zenmap
• Scanning Large-Scale Environments
• Commonplace Services
• Scanning the Network Perimeter and Engaging the DMZ
• Cloud Technology Fundamentals
• Identifying Cloud Vulnerabilities with First-Party Tools like Amazon Inspector
• Identifying Cloud Vulnerabilities with Third-Party Tools like SpiderfootHXTrade-offs: Speed, Efficiency, Accuracy, and Thoroughness
• The Fundamentals of the Enterprise Cloud
• Scanning the Enterprise Cloud

Overview

This section begins by delving into the next phase of the Vulnerability Assessment Framework and charging into the most exciting topic in security testing: automation to handle scale. We start by breaking vulnerability scanning into its elemental components to gain an understanding of vulnerability measurement that can be applied to task automation. This focus will direct us to the quantitative facets underlying cybersecurity vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed will focus on identifying, observing, inciting, or assessing the entry points that threats leverage during network attacks.

This day is dedicated to learning the hierarchy of vulnerability discovery and translates easily to frontline operations. We'll use premier industry tools like Rapid7's Nexpose/InsightVM and Acunetix MVS, while simultaneously exploring manual testing procedures. We'll also cover application-specific testing tools and techniques to provide you with a broad perspective and actionable experience.

Exercises

• Vulnerability Discovery
• Estimating and Assigning Risk
• General-Purpose Vulnerability Scanning with Nexpose/InsightVM
• Case Study: SSL/TLS Vulnerabilities
• Application-Specific Scanning with Nikto, Acunetix, and WPScan
• Scanning Enterprise and Cloud Infrastructure

Topics

• Assigning a Confidence Value and Validating Exploitative Potential of Vulnerabilities
• Enhanced Vulnerability Scanning
• Risk Assessment Matrices and Rating Systems
• Quantitative Analysis Techniques Applied to Vulnerability Scoring
• Performing Tailored Risk Calculation to Drive Triage
• General Purpose vs. Application-Specific Vulnerability Scanning
• Tuning the Scanner to the Task, the Enterprise, and Tremendous Scale
• Scan Policies and Compliance Auditing
• Performing Vulnerability Discovery with Open-Source and Commercial Appliances
• Scanning with the Nmap Scripting Engine, Nexpose/InsightVM, and Acunetix
• The Windows Domain: Exchange, SharePoint, and Active Directory
• Testing for Insecure Cryptographic Implementations Including SSL
• Assessing VOIP Environments
• Discovering Vulnerabilities in the Enterprise Backbone: Active Directory, Exchange, and SharePoint
• Minimizing Supplemental Risk while Conducting Authenticated Scanning through Purposeful Application of Least Privilege
• Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches, and VLANs
• Manual Vulnerability Discovery Automated to Attain Maximal Efficacy
• Enterprise Cloud Vulnerability Discovery

Overview

Throughout the fourth section of SEC460 we will tackle vulnerability validation, which is the next phase of our overarching testing methodology. Simultaneously, we will confront and address the biggest headaches common to a vulnerability assessment at scale. At large scale, vulnerability data can be overwhelming and possibly even contradictory. We will cover the specific techniques needed to wade through and better focus those data. Next, we will examine techniques for collaboration and data management with the Acheron tool to analyze vulnerability data across an organization. Later in this section, we will apply our understanding of the vulnerability concept to evolve our PowerShell skills and take action on an enterprise scale.

Exercises

• Manual Validation Using Inherent Tools and Systems
• Authenticated Scanning with Nexpose and Acunetix
• Vulnerability Validation with PowerShell and WinRM
• Windows Domain Vulnerability Discovery
• Configuration Auditing to Discover Vulnerabilities such as Log4shell
• Data Management and Collaboration

Topics

• Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations
• Manual Vulnerability Validation Targeting Enterprise Infrastructure
• Converting Disparate Datasets into a Central, Normalized, and Relational Knowledge Base
• Managing Large Repositories of Vulnerability Data
• Querying the Vulnerability Knowledge Base
• Evaluating Vulnerability Risk in Custom and Unique Systems, including Web Applications

Overview

Many well-intentioned vulnerability assessment programs begin with zeal and vitality, but after the discovery of vulnerabilities there is often a tendency to ignore the risk reality and shift back to the status quo. During the previous course sections we focused on knowing the target environment and uncovering its weak points. Now it's time for decision and action based on an understanding of the risks the organization faces. Developing an actionable vulnerability remediation plan with time-based success targets sets the stage for continuous improvement, and that's exactly what we cover in this course section. Developing this plan in conjunction with the Vulnerability Assessment Report is an opportunity to galvanize the team, while enhancing the vulnerability assessment value proposition.

Section five explores in depth vulnerabilities within the Active Directory domain that often fly beneath the radar of or typical scanners such as Rapid7, Tenable, and Qualys. The most significant vulnerabilities in many enterprises are the features that they rely upon to do business. We will explore Kerberos vulnerabilities to uncover access issues to the domain.

An emerging security objective is known as Attack Path Mapping. In SEC460 we extend this concept to your enterprise environment so that we can identify risk beyond a simple CVE. When discussing novel risk it is also important to consider unconventional solutions. The fifth section of class culminates with an exercise focused on directed out-of-the-box thinking.

Exercises

• Evaluating Password Strength with the Domain Password Audit Tool (DPAT)
• Password Cracking and Trend Analysis with CryptBreaker
• Auditing Domain Trust Relationships
• Triage, Remediation, and Compensating Controls
• Case Study: HSE and Conti Breach
• Case Study: Vulnerability Assessment

Topics

• Analyzing User Password Selection and Addressing Underlying Vulnerabilities
• Creating and Navigating Vulnerability Prioritization
• Domain Password Auditing
• Discovering Negative Security Policy Implementation
• Developing a Web of Network and Host Affiliations
• Modeling Account Relationships on Active Directory Forests
• Designing Vulnerability Mitigations and Compensating Controls
• Azure AD Password Protection
• Creating Effective Vulnerability Assessment Reports
• Transforming Triage Listing into the Vulnerability Remediation Plan
• Kerberos and Domain Authentication
• Closure: Be a Positive Influence in the Context of the Global Information Security Crisis

Overview

In celebration of your diligence, curiosity, and new vulnerability skills, we welcome you to your final hands-on challenge to hammer home the capabilities you have learned. The guided scenario in this final course section is designed to test your mettle by trial and detailed work in a fun capture-the-flag-style environment. The challenge is the canvas upon which you can hone your skills and measure your maturing talents. Armed for the fight, you will doubtless rise to the challenge...and triumph!

The scenario: The Ellingson Mineral Company (EMC) has engaged you to perform a vulnerability assessment of its environment. EMC is very aware of your particular set of vulnerability assessment skills, and it treasures the insights it is certain you will provide to help secure the company against its formidable adversaries, including nefarious cybercrime cartels and jealous nation-state actors. Teams will work together to resolve issues that would lead to a compromise of EMC's precious assets.

Exercises

• A Full-Day Campaign Powered by the NetWars Scoring Engine, a Simulation Environment Used by Cutting-Edge Commercial Organizations, Government Agencies, and Military Groups
• Use the Tactics, Techniques, and Procedures Learned Throughout the Course
• Accomplish an Enterprise Vulnerability Assessment Against a Target Environment

Topics

• Tactical Employment of the Vulnerability Assessment Framework
• Threat Modeling
• Discovery
• Vulnerability Scanning
• Validation
• Data Management and Triage