SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment

Overview

On the first day of SEC460, students will develop the skills needed to conduct high-value vulnerability assessments with measurable impact. We will explore the elemental components of successful vulnerability assessment programs, deconstruct the logistical precursors to value-added operations, and integrate adversarial threat modeling and intelligence.

Scale and architecture are major challenges for an enterprise. We will discuss techniques and strategies to overcome these obstacles, and perform a table-top exercise to connect theory with reality. We will also dive into fundamental information security topics, explore the nuanced differences between major categories of services, and examine the industry's foremost methodologies for vulnerability assessment. We will examine the strategic influences that impact a typical enterprise and its vulnerability management program.

The goal of SEC460 is to arm the vulnerability assessor with the knowledge and understanding required to capture and deconstruct vulnerabilities that affect the enterprise both on-premise and in the cloud. This first course section establishes a foundational basis to attain this goal using real-world case studies and hands-on exercises.

Exercises

• Case Study: Equifax
• Exploring PowerShell and Win10
• Case Study: Failed Vulnerability Management Programs
• Vulnerability Management with Brinqa
• Case Study: Major Enterprise Compromise through the Cloud
• OSINT
• Case Study: To Patch or Not to Patch
• Threat Modeling

Topics

• Maximizing Value from Vulnerability Assessments and Programs
• Setting Up for Success at Scale: Enterprise Architecture and Strategy
• Developing Transformational Vulnerability Assessment Strategies
• Performing Enterprise Threat Modelling
• PowerShell Fundamentals
• Generating Compounding Interest from Threat Intelligence and Avoiding Information Overload
• The Vulnerability Assessment Framework
• Vulnerability Data Management Tools and Techniques
• Overview of Comprehensive Network Scanning
• Compliance Standards and Information Security
• Team Operations and Collaboration
• Discovering Open-Source Disclosure and Understanding these Risks

Overview

As the structural foundations of vulnerability management are covered on day one, this course section will pivot to the realm of direct tactical application. Comprehensive reconnaissance, enumeration, and discovery techniques are the prime elements of successful vulnerability assessment. While gaining additional familiarity with hands-on enterprise operations, you will systematically probe the environment in order to discover the relevant host, service, version, and configuration details that will drive the remainder of the assessment system.

The enterprise and cloud are becoming ever more intertwined as time goes on. Often, it can be difficult to recommend moving toward this transformation within your enterprise, but the transformation is happening, it is constantly evolving, and it is vulnerable. In this course section we will take a hands-on approach to the discussion of the cloud by examining technologies and dissecting the attack surface that is rapidly becoming a core component of our enterprise vulnerability space. We'll look into assessment tools for the cloud and observe real attacks in action. Together, we can identify the potential for vulnerability and strike first.

As we begin active scrutiny of the enterprise, you will learn how to interpret tool output and form a detailed network map. We will explore proven methods to ensure the integrity of our dataset as we identify IP addresses, operating systems, platforms, and services. The day culminates with an introduction to the PowerShell scripting language focusing on large-scale system management, vulnerability discovery, and mitigation.

Exercises

• PowerShell Primer
• Whois, DNS, and Advanced Reconnaissance
• Reconnaissance Automation
• Scanning with Nmap
• Enterprise and Cloud Scanning
• PowerShell as an Operations Platform

Topics

• PowerShell Operations for Discovery
• Automating Vulnerability Assessment Tasks with PowerShell
• Active and Passive Reconnaissance
• Reconnaissance Frameworks
• Identification and Enumeration with DNS
• DNS Zone Speculation and Dictionary-Enabled Discovery
• Port Scanning with Nmap and Zenmap
• Scanning Large-Scale Environments
• Commonplace Services
• Scanning the Network Perimeter and Engaging the DMZ
• Trade-offs: Speed, Efficiency, Accuracy, and Thoroughness
• The Fundamentals of the Enterprise Cloud
• Scanning the Enterprise Cloud

Overview

The third course section begins by delving into the next phase of the Vulnerability Assessment Framework and charging into the most exciting topic in security testing: automation to handle scale. We start by breaking vulnerability scanning into its elemental components to gain an understanding of vulnerability measurement that can be applied to task automation. This focus will direct us to the quantitative facets underlying cybersecurity vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed will focus on identifying, observing, inciting, or assessing the entry points that threats leverage during network attacks.

This day is dedicated to learning the hierarchy of vulnerability discovery and translates easily to frontline operations. We'll use premier industry tools like Rapid7's Nexpose/InsightVM and Acunetix MVS, while simultaneously exploring manual testing procedures. We'll also cover application-specific testing tools and techniques to provide you with a broad perspective and actionable experience.

Exercises

• Vulnerability Discovery
• Estimating and Assigning Risk
• General-Purpose Vulnerability Scanning with Nexpose/InsightVM
• Application-Specific Scanning with Nikto, Acunetix, and WPScan
• Scanning Enterprise and Cloud Infrastructure

Topics

• Assigning a Confidence Value and Validating Exploitative Potential of Vulnerabilities
• Enhanced Vulnerability Scanning
• Risk Assessment Matrices and Rating Systems
• Quantitative Analysis Techniques Applied to Vulnerability Scoring
• Performing Tailored Risk Calculation to Drive Triage
• General Purpose vs. Application-Specific Vulnerability Scanning
• Tuning the Scanner to the Task, the Enterprise, and Tremendous Scale
• Scan Policies and Compliance Auditing
• Performing Vulnerability Discovery with Open-Source and Commercial Appliances
• Scanning with the Nmap Scripting Engine, Nexpose/InsightVM, and Acunetix
• The Windows Domain: Exchange, SharePoint, and Active Directory
• Testing for Insecure Cryptographic Implementations Including SSL
• Assessing VOIP Environments
• Discovering Vulnerabilities in the Enterprise Backbone: Active Directory, Exchange, and SharePoint
• Minimizing Supplemental Risk while Conducting Authenticated Scanning through Purposeful Application of Least Privilege
• Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches, and VLANs
• Manual Vulnerability Discovery Automated to Attain Maximal Efficacy
• Enterprise Cloud Vulnerability Discovery

Overview

Throughout the fourth day of SEC460 we will tackle vulnerability validation, which is the next phase of our overarching testing methodology. Simultaneously, we will confront and address the biggest headaches common to a vulnerability assessment at scale. At large scale, vulnerability data can be overwhelming and possibly even contradictory. We will cover the specific techniques needed to wade through and better focus those data. Next, we will examine techniques for collaboration and data management with the Acheron tool to analyze vulnerability data across an organization. Later in the day, we will apply our understanding of the vulnerability concept to evolve our PowerShell skills and take action on an enterprise scale.

Exercises

• Manual Validation Using Inherent Tools and Systems
• Authenticated Scanning with Nexpose and Acunetix
• Vulnerability Validation with PowerShell and WinRM
• Windows Domain Vulnerability Discovery
• Configuration Auditing
• Data Integration and Synergy to Reduce the Vulnerability Lifecycle
• Testing Egress Controls
• Maximizing Remediation Efforts through Triage

Topics

• Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations
• Manual Vulnerability Validation Targeting Enterprise Infrastructure
• Converting Disparate Datasets into a Central, Normalized, and Relational Knowledge Base
• Managing Large Repositories of Vulnerability Data
• Querying the Vulnerability Knowledge Base
• Evaluating Vulnerability Risk in Custom and Unique Systems, including Web Applications
• Triage: Assessing the Relative Importance of Vulnerabilities Against Strategic Risk

Overview

Many well-intentioned vulnerability assessment programs begin with zeal and vitality, but after the discovery of vulnerabilities there is often a tendency to ignore the risk reality and shift back to the status quo. During the previous course sections we focused on knowing the target environment and uncovering its weak points. Now it's time for decision and action based on an understanding of the risks the organization faces. Developing an actionable vulnerability remediation plan with time-based success targets sets the stage for continuous improvement, and that's exactly what we cover in this course section. Developing this plan in conjunction with the Vulnerability Assessment Report is an opportunity to galvanize the team, while enhancing the vulnerability assessment value proposition.

Exercises

• Domain Password Auditing with DPAT
• Password Cracking and Trend Analysis with CryptBreaker
• Auditing Domain Trust Relationships
• SEC460 Enterprise NetWars

Topics

• Analyzing User Password Selection and Addressing Underlying Vulnerabilities
• Creating and Navigating Vulnerability Prioritization
• Domain Password Auditing
• Discovering Negative Security Policy Implementation
• Developing a Web of Network and Host Affiliations
• Modeling Account Relationships on Active Directory Forests
• Designing Vulnerability Mitigations and Compensating Controls
• Azure AD Password Protection
• Creating Effective Vulnerability Assessment Reports
• Transforming Triage Listing into the Vulnerability Remediation Plan
• Kerberos and Domain Authentication
• Closure: Be a Positive Influence in the Context of the Global Information Security Crisis

Overview

In celebration of your diligence, curiosity, and new vulnerability skills, we welcome you to your final hands-on challenge to hammer home the capabilities you have learned. The guided scenario in this final course section is designed to test your mettle by trial and detailed work in a fun capture-the-flag-style environment. The challenge is the canvas upon which you can hone your skills and measure your maturing talents. Armed for the fight, you will doubtless rise to the challenge...and triumph!

The scenario: The Ellingson Mineral Company (EMC) has engaged you to perform a vulnerability assessment of its environment. EMC is very aware of your particular set of vulnerability assessment skills, and it treasures the insights it is certain you will provide to help secure the company against its formidable adversaries, including nefarious cybercrime cartels and jealous nation-state actors. Teams will work together to resolve issues that would lead to a compromise of EMC's precious assets.

Exercises

• A Full-Day Campaign Powered by the NetWars Scoring Engine, a Simulation Environment Used by Cutting-Edge Commercial Organizations, Government Agencies, and Military Groups
• Use the Tactics, Techniques, and Procedures Learned Throughout the Course
• Accomplish an Enterprise Vulnerability Assessment Against a Target Environment

Topics

• Tactical Employment of the Vulnerability Assessment Framework
• Threat Modeling
• Discovery
• Vulnerability Scanning
• Validation
• Data Management and Triage