Immerse yourself in the offensive security mindset to better defend against attacks
In The Active Defender: Immersion in the Offensive Security Mindset, Dr. Catherine J. Ullman, Principal Technology Architect, Security, delivers an expert treatment of the Active Defender approach to information security. In the book, you’ll learn to understand and embrace the knowledge you can gain from the offensive security community. You’ll become familiar with the hacker mindset, which gives you insight into how attackers operate and a better grasp of the nature of the risks and threats in your environment.
The author immerses you in the hacker mindset and the offensive security culture to better prepare you to defend against threats of all kinds. You’ll also find:
- Explanations of what an Active Defender is and how that differs from traditional defense models
- Reasons why thinking like a hacker makes you a better defender
- Ways to begin your journey as an Active Defender and leverage the hacker mindset
An insightful and original book representing a new and effective approach to cybersecurity, The Active Defender will be of significant benefit to information security professionals, system administrators, network administrators, and other tech professionals with an interest or stake in their organization’s information security.
Table of Contents
Foreword xxv
Preface xxix
Introduction xxxiii
Chapter 1 What Is an Active Defender? 1
The Hacker Mindset 1
Traditional Defender Mindset 3
Getting from Here to There 4
Active Defender Activities 7
Threat Modeling 7
Threat Hunting 8
Attack Simulations 9
Active Defense 9
“Active Defense” for the Active Defender 10
Another Take on Active Defense 10
Annoyance 11
Attribution 11
Attack 11
Active Defense According to Security Vendors 11
Active > Passive 12
Active Defense by the Numbers 13
Active Defense and Staffing 13
Active Defender > Passive Defender 13
Relevant Intel Recognition 13
Understanding Existing Threats 14
Attacker Behavior 14
Pyramid of Pain 15
MITRE ATT&CK 15
TTP Pyramid 15
Toward a Deeper Understanding 16
Return to the Beginning 16
Summary 18
Notes 18
Chapter 2 Immersion into the Hacker Mindset 21
Reluctance 21
Media Portrayal 21
Fear of Government Retribution 22
The Rock Star Myth 22
Imposter Syndrome 23
A Leap of Faith 23
My First Security BSides 24
My First DEF CON 24
Finding the Community 27
Security BSides 27
Structured Format 27
Unconference Format 28
Hybrid Format 28
Additional Events 28
Other Security Conferences 29
CircleCityCon 29
GrrCON 29
Thotcon 29
ShmooCon 30
Wild West Hackin’ Fest 30
DEF CON 30
Local Security Meetups 30
Infosec 716 31
Burbsec 31
#misec 31
Makerspaces 31
DEF CON Groups 32
2600 Meetings 32
Online Security Communities 33
Traditional Security Communities 34
An Invitation 34
Summary 36
Notes 36
Chapter 3 Offensive Security Engagements, Trainings, and Gathering Intel 37
Offensive Security Engagements 37
Targeting 38
Initial Access 38
Persistence 39
Expansion 39
Exfiltration 40
Detection 40
Offensive Security Trainings 40
Conference Trainings 41
Security BSides 41
DEF CON 42
GrrCON 42
Thotcon 43
CircleCityCon 43
Wild West Hackin’ Fest 43
Black Hat 44
Security Companies 44
Offensive Security 44
TrustedSec 44
Antisyphon 45
SANS 45
Online Options 46
Hackthebox 46
Tryhackme 46
Hackthissite 47
CTFs 47
YouTube 47
Higher Education 48
Gathering Intel 48
Tradecraft Intel 49
Project Zero 49
AttackerKB 49
Discord/Slack 50
Twitter 50
Organizational Intel 51
LinkedIn 51
Pastebin 52
GitHub 52
Message Boards 52
Internal Wikis 53
Haveibeenpwned 53
Summary 54
Notes 54
Chapter 4 Understanding the Offensive Toolset 55
Nmap/Zenmap 57
Burp Suite/ZAP 59
sqlmap 60
Wireshark 61
Metasploit Framework 63
Shodan 64
Social-Engineer Toolkit 66
Mimikatz 67
Responder 70
Cobalt Strike 71
Impacket 73
Mitm6 75
CrackMapExec 76
evil-winrm 77
BloodHound/SharpHound 78
Summary 79
Notes 80
Chapter 5 Implementing Defense While Thinking Like a Hacker 81
OSINT for Organizations 81
OPSEC 82
OSINT 82
Social Engineering 82
Actively Defending 84
ASM 84
ATO Prevention 84
Benefits 86
Types of Risks Mitigated 86
Threat Modeling Revisited 87
Framing the Engagement 87
Scoping in Frame 87
Motivation in Frame 88
The Right Way In 88
Reverse Engineering 88
Targeting 89
Inbound Access 89
Persistence 89
Egress Controls 90
LOLBins 90
Rundll32.exe 91
Regsvr32.exe 91
MSbuild.exe 92
Cscript.exe 92
Csc.exe 92
Legitimate Usage? 92
Threat Hunting 93
Begin with a Question 93
The Hunt 94
Applying the Concepts 94
Dumping Memory 95
Lateral Movement 95
Secondary C2 96
Proof of Concept 97
Attack Simulations 97
Simulation vs. Emulation 97
Why Test? 98
Risky Assumptions 99
Practice Is Key 100
Tools for Testing 100
Microsoft Defender for O365 101
Atomic Red Team 102
Caldera 103
Scythe 103
Summary 104
Notes 104
Chapter 6 Becoming an Advanced Active Defender 107
The Advanced Active Defender 107
Automated Attack Emulations 108
Using Deceptive Technologies 108
Honey Tokens 109
Decoy Accounts 109
Email Addresses 110
Database Data 110
AWS Keys 111
Canary Tokens 111
Honeypots 111
Other Forms of Deception 112
Web Server Header 112
User Agent Strings 113
Fake DNS Records 113
Working with Offensive Security Teams 114
But We Need a PenTest! 114
Potential Testing Outcomes 115
Vulnerability Identification 116
Vulnerability Exploitation 116
Targeted Detection/Response 116
Real Threat Actor 117
Detection Analysis 117
Scope 117
Scoping Challenges 118
Additional Scope Considerations 118
Decisions, Decisions 119
Measuring Existing Defenses 119
Crown Jewels 119
Selecting a Vendor 120
Reputation 120
Experience and Expertise 121
Processes 121
Data Security 122
Adversarial Attitudes 122
Results 123
Additional Considerations 123
Purple Teaming - Collaborative Testing 124
What Is a Purple Team? 124
Purple Team Exercises 125
Cyber Threat Intelligence 125
Preparation 126
Exercise Execution 126
Lessons Learned 127
Purple Teams and Advanced Active Defenders 127
Summary 127
Notes 128
Chapter 7 Building Effective Detections 129
Purpose of Detection 129
Funnel of Fidelity 130
Collection 130
Detection 130
Triage 131
Investigation 131
Remediation 131
Building Detections: Identification and Classification 131
Overall Detection Challenges 132
Attention Problem 132
Perception Problem 133
Abstraction Problem 134
Validation Problem 135
The Pyramids Return 135
Lower Levels 136
Tools 137
Wrong Viewpoint 137
Bypass Options 138
Higher Levels 139
Testing 140
Literal Level 140
Functional Level 140
Operational Level 141
Technical Level 142
Proper Validation: Both Telemetry and Detection 143
Telemetry Coverage 143
Detection Coverage 144
Testing Solutions 144
Atomic Red Team 144
AtomicTestHarness 145
Summary 146
Notes 147
Chapter 8 Actively Defending Cloud Computing Environments 149
Cloud Service Models 150
IaaS 150
PaaS 150
SaaS 150
Cloud Deployment Environments 151
Private Cloud 151
Public Cloud 151
Fundamental Differences 151
On-Demand Infrastructure 152
Shared Responsibility Model 152
Control Plane and Data Plane 153
Infrastructure as an API 154
Data Center Mapping 154
IAM Focus 155
Cloud Security Implications 157
Larger Attack Surface 158
New Types of Exposed Services 158
Application Security Emphasis 159
Challenges with API Use 160
Custom Applications 161
Cloud Offensive Security 161
Enumeration of Cloud Environments 162
Code Repositories 162
Publicly Accessible Resources 163
Initial Access 164
Phishing/Password Spraying 164
Stealing Access Tokens 164
Resource Exploitation 165
Post-Compromise Recon 165
Post-Exploitation Enumeration 166
Roles, Policies, and Permissions 166
Dangerous Implied Trusts 166
Overly Permissive Configurations 170
Multi-Level Access 170
Persistence/Expansion 171
Lateral Movement 172
Privilege Escalation 173
Defense Strategies 175
Summary 175
Notes 176
Chapter 9 Future Challenges 179
Software Supply Chain Attacks 179
A Growing Problem 180
Actively Defending 180
Counterfeit Hardware 181
Fake Cisco Hardware 181
Actively Defending 182
UEFI 182
Increasing Vulnerabilities 182
Enter BlackLotus 183
MSI Key Leak 184
Actively Defending 185
BYOVD Attacks 185
Lazarus Group 186
Cuba Ransomware Group 186
Actively Defending 186
Ransomware 186
Continuing Evolution 187
Actively Defending 187
Tabletop Exercises 188
Ransomware Playbooks 189
Frameworks 191
Cobalt Strike 192
Sliver 192
Metasploit 192
Brute Ratel 193
Havoc 193
Mythic 193
Actively Defending 194
Living Off the Land 194
Actively Defending 195
API Security 195
Defining APIs 195
API Impact 196
Security Significance 196
Actively Defending 196
Everything Old Is New Again 197
OWASP Top 10 197
Old Malware Never (Really) Dies 198
Emotet 198
REvil 199
Actively Defending 199
Summary 200
Notes 201
Index 203