How to Survive CERT Cyber Drill--By Avinash Sinha
About the Author
Avinash Sinha is a Security Consultant working with Aujas. Previously he worked with IBM India Pvt Ltd as an Application Security Consultant. His key areas of interest include vulnerability assessments, secure code review, security research, penetration testing, mobile application security and network infrastructure protection.
Today I will be walking you through how to survive a CERT Cyber Drill. Many people confuse the CERT Empanelment process with the CERT Cyber Drill, but there is a huge difference between the two. In the CERT Empanelment process you are provided with a DVD that contains a vulnerable application image, and you have to find all the vulnerabilities in that image. CERT already has a list of findings for that application; they compare it with your reported findings and generate a compliance score. If they see fit, you progress to the next round, where you have to solve some challenges, which is the more complex part.
In this article we will not be focusing on the CERT Empanelment process but on the CERT Cyber Drill. We will cover the flow of the drill, who is involved and who does what, so that the next time you participate in a CERT Cyber Drill you can keep this handy ☺
Pre-requisites Before the Drill
Equipment: IBM ISS Site Protector, Cisco ASA Firewall, IBM ISS Proventia and IBM Q-Radar (these can differ between organizations)
CERT CYBER DRILL
avisinha87@gmail.com
The CERT Cyber Drill starts at 10 AM, so make sure you are all set with your NIPS, SIEM and firewall in place. The CERT team sends you a DVD 12-15 days before the actual drill, so you have all that time to prepare how and where you need to install the vulnerable application image. The first thing you would want to do is install it on a test server and have your Application Security team analyse the application. As the saying goes, "knowing is half the battle": you would want to know all the vulnerabilities within the application, at both the network and the application level. This way you are already aware, when the CERT team launches an attack, where the weak point is and which way they will get into your server. The objective of this drill is to analyse how efficiently you can detect an attack, raise an incident-level ticket along with the remediation, and share it with the corresponding team, which in this case is the CERT team itself.
The CERT Cyber Drill has two parts. The first part is the attack phase (10 AM - 2 PM) and the second part is the incident response and escalation matrix (2 PM - 5 PM). I will share my experience from the recent CERT Cyber Drill I was part of. To tell you the truth, everyone should go through at least one CERT Cyber Drill; it's amazing to learn how an attacker plans an attack, how he takes over your system, how your data gets compromised and, best of all, how your system starts attacking other systems without your knowledge. On the other hand you also get to learn how a real-time attack gets detected, how your Network Intrusion Prevention System (NIPS) works, how your firewall works (if they work at all), and whom to reach out to in your organization. This is the one place where you can observe how your AppSec team, Network team, SIEM team and SOC team work together, i.e. one complete cycle from attack detection to raising an incident ticket with the appropriate team, and believe me, it's a lot of fun!!!
A day before the drill, make sure you have installed the image and that all your devices and software are properly configured, and conduct a rehearsal drill by having your Penetration Testing team perform the attacks they discovered during the analysis phase. This is done to check whether your firewalls and SIEM tool detect the attacks or not. If not, rules/signatures must be written to detect them. The CERT team makes it clear that you should enable your detection systems but not block an attack, so make sure you do this activity in an isolated environment. All the guidelines for installation will be provided by the CERT team; make sure to follow them thoroughly. Install the IRC chat client provided by the CERT team. The CERT team will warn you every time they start an attack, and your responsibility is to detect the attack and note the time accurately for every attack, because time is a crucial factor: in your SIEM system (in our case IBM Q-Radar) you will see many different attacks being detected and logged. Ensure that you record the correct attack, vulnerability, source IP and time when they say they are launching an attack. Also, only ports 80 and 21 are kept open during the drill. Don't panic if you see attacks coming from various external IPs belonging to Taiwan, Canada, Belgium and, of course, India. Make sure to note down the source IPs and segregate them country-wise, as this will help you when you raise an incident ticket and also narrows the scope when finding the attacker's IP.
Phase I - The Attack
At approximately 10 AM you will see a lot of traffic coming in and hitting your vulnerable server. Your SIEM and firewall will start detecting it as a DoS attack. This is just done by the CERT team to check whether the connectivity is properly set up or not. In our case they started the attack at 10:20. They started with a port scan and scanned all the ports. During this scan you can observe on IBM Q-Radar that a series of ports are getting scanned. You can also observe it showing teardrop, SMURF attack, Ping of Death, UDP flood etc. Next will be the web application scan; you will see a lot of XSS, SQL injection, LFI, unauthorized FTP login attempts, shell command injection and HTML injection in Q-Radar.
As per our analysis we had a list of vulnerabilities in the vulnerable image; below are those that may have been leveraged during the attack:
1. XSS
2. SQL injection
3. Vulnerable XAMP
4. PhpMyAdmin blank password
5. Code Generator WordPress plug-in
6. FTP unauthorized access
7. Vulnerable version of FCK Editor
8. Vulnerable version of Filezilla
Phase II - The Incident Escalation Matrix
The attack ends at around 2 PM and now you are asked to share the POCs of the attack detection. In this phase all your teams have to share the POCs of the attacks that occurred and were successful. So for every attack, such as the "Malicious File Upload", you will be required to share a POC with all the details. Make sure your Q-Radar and firewalls are set to informational-level logging during the attack period. I know a lot of logs will be generated, but this is required and you will know in the end why ☺. So in the second phase the CERT team asks you questions such as, while raising the incident-level ticket based on the type of attack, who the owner of the asset is and who the corresponding manager is, for example your SOC Manager for any network-based attack. In all such emails your CISO/GM-IT Security are kept in the loop. This is not because you had a network/application scan or hits for different attacks, but because your system/customer data got stolen, your website got defaced and all the other attacks were successful. Every organization has an Incident Management Escalation Matrix; just make sure you follow it. Make a compact report and share it with the CERT team.
Attacks observed during the drill:
Attacking other targets using your compromised system as source
System is completely compromised and becomes part of a zombie network
File upload vulnerability used to upload a DoS/DDoS script
SQL database export
PhpMyAdmin access
Website defacement
Uploading C99 shell
Malicious file upload (Code Generator WordPress)
Web application scan
Port scan
FUN Facts during the CERT CYBER DRILL
During the drill everyone is alert about which attack is going to come next. For an hour you will have your lunch break. Make sure you don't leave your seat empty; have someone monitor during that period too. During this CERT Drill they launched an attack when we were supposed to be on break. Though many technical SPOCs were out for lunch, a few of them were present and monitoring was still on, so everything was captured right on time. It's a good lesson that an attacker won't attack only when you are on shift, but also when you are having your lunch or sleeping at night.
Now, if you observed IBM Q-Radar, many attacks were detected but not all successful attacks were shown in Q-Radar. Let's see why this happened. It was because of the way the C99 shell was uploaded. It was not shown in Q-Radar; however, as the logging level was set to informational at syslog, all logs were captured and you could observe that it was a series of 3 PHP files. One was code to provide an upload facility, the second was the upload of the C99 shell, and the 3rd was code to perform a DoS/DDoS attack. If there is a feature to upload anything, it will go unnoticed unless detection is based on the signature of that particular file or on analytics such as looking for calls to system-level commands present in that file. You may share POCs close to PHP script injection.
Make sure that in the last POC, for the DoS/DDoS attacks, the traffic is generated with your system as the source, so all attacks that were previously coming from an external IP to your IP are now the other way round.
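The two blind spots described above (an upload chain that no content signature fires on, and the drilled server turning from target into source) can be checked against informational-level logs with analytics like the following. This is an added example, not code from the article or from Q-Radar; the log line format, IP addresses, file bodies and the list of flagged PHP calls are all constructed assumptions.

```python
"""Detection analytics for the two gaps the article describes: a staged PHP
upload chain that a content signature misses, and the drilled server turning
from target into source. Added example with constructed data; the log format,
IPs, file bodies and the list of flagged PHP calls are assumptions."""
import re
from collections import defaultdict

OUR_SERVER = "198.51.100.10"   # constructed: address of the vulnerable image

# PHP calls that reach the OS, spawn a process or open a socket. The set is an
# assumption for this example, not a Q-Radar or CERT signature list.
SYSTEM_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|fsockopen|base64_decode)\s*\(")

# Constructed syslog-style access lines at informational level, i.e. every
# request is kept, not only the ones a signature matched.
# Assumed format: time src dst:dport method path status
LOG_LINES = """\
10:42:19 203.0.113.7 198.51.100.10:80 POST /uploads/up.php 200
10:43:05 203.0.113.7 198.51.100.10:80 POST /uploads/c99.php 200
10:44:30 203.0.113.7 198.51.100.10:80 POST /uploads/flood.php 200
10:44:41 203.0.113.7 198.51.100.10:80 GET /uploads/flood.php?t=192.0.2.55 200
10:44:42 198.51.100.10 192.0.2.55:80 GET / 200
10:44:42 198.51.100.10 192.0.2.55:80 GET / 200
10:44:43 198.51.100.10 192.0.2.55:80 GET / 200
""".splitlines()

# Constructed bodies standing in for the three files the article mentions: the
# upload helper, the shell and the flood script. Only the helper is free of
# system-level calls, which is why a content signature alone misses step one.
UPLOADED_FILES = {
    "/uploads/up.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'x.php'); ?>",
    "/uploads/c99.php": "<?php /* constructed stand-in */ echo shell_exec($cmd); ?>",
    "/uploads/flood.php": "<?php /* constructed stand-in */ $s = fsockopen($target, 80); ?>",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\d{3})$")


def parse(line):
    """Parse one access line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t, src, dst, dport, method, path, status = m.groups()
    return {"time": t, "src": src, "dst": dst, "dport": int(dport),
            "method": method, "path": path, "status": int(status)}


def scan_file(content):
    """Content signature: names of system-level PHP calls present in a file."""
    return SYSTEM_CALL_RE.findall(content)


def staged_php_uploads(events, min_files=3):
    """Sequence analytic: one external source POSTing several distinct .php
    files to our server. Flags the whole chain, including the harmless-looking
    first upload that scan_file() cannot catch."""
    by_src = defaultdict(list)
    for e in events:
        if (e["dst"] == OUR_SERVER and e["method"] == "POST"
                and e["path"].endswith(".php") and e["path"] not in by_src[e["src"]]):
            by_src[e["src"]].append(e["path"])
    return {src: paths for src, paths in by_src.items() if len(paths) >= min_files}


def outbound_from_us(events):
    """Role reversal: count connections where our server is the *source*.
    During the attack phase it should only ever be the destination."""
    hits = defaultdict(int)
    for e in events:
        if e["src"] == OUR_SERVER:
            hits[e["dst"]] += 1
    return dict(hits)


def build_poc(lines, files):
    """Assemble the three findings the POC for this attack chain needs."""
    events = [e for e in map(parse, lines) if e]
    flagged = {path: scan_file(body) for path, body in files.items()}
    return {
        "staged_uploads": staged_php_uploads(events),
        "flagged_files": {p: calls for p, calls in flagged.items() if calls},
        "outbound": outbound_from_us(events),
    }


if __name__ == "__main__":
    for finding, value in build_poc(LOG_LINES, UPLOADED_FILES).items():
        print(finding, value)
```

The sequence analytic is what catches the first, innocuous-looking upload helper; the content signature only fires on the second and third files, and the outbound count is the evidence for the last POC.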
Hope you enjoyed reading. ☺

More Related Content

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

How to Survive CERT Cyber Drill--By Avinash Sinha

  • 1. About the Author Avinash Sinha is a Security Consultant working with Aujas. Previously he has worked with IBM India Pvt Ltd as an Application Security Consultant. His key area of interests includes Vulnerability assessments, Secure Code review, Security research, Penetration testing, Mobile Application security and Network Infrastructure protection. Today I will be walking you through how to survive a CERT Cyber Drill. Well, many people get confused between a CERT Empanelment process and CERT Cyber Drill. There is a huge difference between the two. In CERT Empanelment process you will be provided with a DVD that contains a vulnerable application image and you have to find out all the vulnerabilities in that vulnerable application image. CERT already has a list of findings for that application and they compare the findings with your reported findings and generate a compliance score for the same. If they see fit you will progress to next round and have to solve some challenges which are a bit complex part. In this article we will not be focusing on CERT Empanelment process but on CERT Cyber Drill. We will cover what is the flow of drill, who will be involved, who does what so that next time when you participate in a CERT Cyber Drill you can keep this handy ☺ Pre-requites Before the Drill Equipments:-IBM ISS Site Protector, CISCO ASA Firewall, IBM ISS Proventia and IBM Q-Radar (These can be different for different organizations)
analyse the application. As the saying goes, "knowing is half the battle": you would want to know all the vulnerabilities within the application, both at network and application level. This way you would already be aware, if the CERT team launches an attack, where the pinpoint would be or which way they will be getting into your server. The objective of this drill is to analyse how efficiently you can detect an attack, raise an incident-level ticket along with the remediation and share the same with the corresponding team, which in this case is the CERT team itself.

The CERT Cyber Drill takes place in 2 parts. The first part consists of an attack phase (10 AM - 2 PM) and the second part consists of an incident response and escalation matrix (2 PM - 5 PM). I will share my experience with you from the recent CERT Cyber Drill I was part of. To tell you the truth, one must always go through at least one CERT Cyber Drill; it's amazing to learn and know how an attacker plans an attack, how he takes over your system, how your data gets compromised and, best of all, how your system starts attacking other systems without your knowledge. On the other hand you will also get to know and learn, when there is a real-time attack, how it gets detected, how your Network Intrusion Prevention System (NIPS) works, how your firewall works (if at all they work or not), and whom to reach out to in your organization. This is the one place where you can see and observe how your AppSec team, Network team, SIEM team and SOC team work, i.e. one complete cycle from an attack detection to raising an incident ticket with the appropriate team, and believe me it's a lot of fun!!!

A day before the drill, make sure you have installed the image and all your devices and software are properly configured, and conduct a prior drill by having your Penetration Testing team perform the attacks which they discovered during the analysis phase. This is done to check whether all your firewalls and your SIEM tool detect the attack or not. If not, rules/signatures must be written to detect them. It is made clear by the CERT team to enable your detection system but not to block an attack. So make sure you do this activity in an isolated environment. Although all the guidelines for installation will be provided by the CERT team, make sure to follow them thoroughly. Install the IRC chat client provided by the CERT team. The CERT team will warn you every time they start an attack, and your responsibility is to detect the attack and make sure you mention the time accurately with every attack, as time is a very crucial factor. This is because in your SIEM system (here in our case it was IBM Q-Radar) you will see that multiple different attacks get detected and logged. Ensure that you mention the correct attack, vulnerability, source IP and time when they say that they are launching an attack. Also, only ports 80 and 21 are kept open during the drill. Don't panic, as you may see attacks coming from various external IPs belonging to Taiwan, Canada, Belgium and, of course, India. Make sure to note down the source IPs and segregate them country-wise, as this will help you when you raise an incident ticket and will also narrow the scope of finding the attacker's IP.

Phase I - The Attack

At approximately 10 AM you will see a lot of traffic coming and hitting your vulnerable server. Your SIEM and firewall will start detecting it as a DoS attack. This is just done by the CERT team to check whether connectivity is properly set up or not.
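The bookkeeping advised above (record the attack, the source IP and the exact time for every announced attack, and segregate the sources country-wise for the ticket) is easy to get wrong by hand when the SIEM is logging dozens of events a minute. The script below is an added example for this article, not the author's code and not a Q-Radar feature: it parses constructed syslog-style detection events, matches each IRC announcement to the detections seen in a short window after it, and groups the source IPs by country. The event format, the announcement list and the IP-to-country table are all constructed for illustration.

```python
"""Drill bookkeeping: turn raw detection events into the attack / source IP /
time records an incident ticket needs, grouped by source country.

Added example (not the article author's code). The log format, the
announcement list and the IP-to-country table are constructed; a real
SIEM export and a real GeoIP lookup will look different.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-like detection events: "<time> src=<ip> dport=<port> attack=<name>".
# The 10:02 port-scan line stands in for the connectivity-check noise seen before the drill.
SAMPLE_EVENTS = """\
2013-09-12T10:02:11 src=203.0.113.7 dport=80 attack=TCP_Port_Scan
2013-09-12T10:21:03 src=203.0.113.7 dport=80 attack=TCP_Port_Scan
2013-09-12T10:22:40 src=198.51.100.21 dport=21 attack=FTP_Login_Brute_Force
2013-09-12T10:45:12 src=192.0.2.55 dport=80 attack=SQL_Injection
2013-09-12T10:46:01 src=192.0.2.55 dport=80 attack=Cross_Site_Scripting
2013-09-12T11:31:27 src=198.51.100.34 dport=80 attack=Malicious_File_Upload
"""

# Constructed IRC warnings from the drill team: (time announced, attack name they used).
SAMPLE_ANNOUNCEMENTS = [
    ("2013-09-12T10:20:00", "Port scan"),
    ("2013-09-12T10:44:00", "SQL injection"),
    ("2013-09-12T11:30:00", "Malicious file upload"),
]

# Constructed IP-to-country table (documentation ranges only; use a GeoIP database in practice).
GEO = {
    "203.0.113.7": "Taiwan",
    "198.51.100.21": "Canada",
    "198.51.100.34": "Belgium",
    "192.0.2.55": "India",
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) attack=(?P<attack>\S+)$"
)


def parse_events(text):
    """Parse constructed event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dport": int(m["dport"]),
            "attack": m["attack"],
        })
    return events


def sources_by_country(events, geo=GEO):
    """Segregate source IPs country-wise, as the article advises for the ticket."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[geo.get(ev["src"], "Unknown")].add(ev["src"])
    return {country: sorted(ips) for country, ips in grouped.items()}


def _normalise(name):
    # Compare "Port scan" and "TCP_Port_Scan" on letters only.
    return re.sub(r"[^a-z]", "", name.lower())


def correlate(events, announcements, window_minutes=10):
    """For each announced attack, collect the matching detections seen within
    window_minutes after the announcement. Returns one record per announcement
    with the fields the ticket needs: attack, announced time, first detection, sources.
    """
    records = []
    for ts, name in announcements:
        start = datetime.fromisoformat(ts)
        end = start + timedelta(minutes=window_minutes)
        key = _normalise(name)
        hits = [ev for ev in events
                if start <= ev["time"] <= end and key in _normalise(ev["attack"])]
        records.append({
            "attack": name,
            "announced": start.isoformat(),
            "detected": hits[0]["time"].isoformat() if hits else None,
            "sources": sorted({ev["src"] for ev in hits}),
        })
    return records


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for country, ips in sources_by_country(evs).items():
        print(f"{country}: {', '.join(ips)}")
    for rec in correlate(evs, SAMPLE_ANNOUNCEMENTS):
        print(rec)
```

A record with `detected` set to `None` is the useful output here: it is an announced attack your detection stack did not see in time, which is exactly what the pre-drill rehearsal with your own pentest team is meant to surface before the CERT team does.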
In our case they started the attack at 10:20. They started with a port scan and scanned all the ports. During this scan you can observe on IBM Q-Radar that a series of ports is getting scanned. You can also observe it showing Teardrop, Smurf attack, Ping of Death, UDP flood etc. Next will be a web application scan; you will see a lot of XSS, SQL injection, LFI, unauthorized FTP login attempts, shell command injection and HTML injection in Q-Radar.

Now as per our analysis we had a list of vulnerabilities in the vulnerable image; however, below are those that may have been leveraged during the attack:
1. XSS
2. SQL injection
3. Vulnerable XAMPP
4. PhpMyAdmin blank password
5. Code Generator WordPress plug-in
6. FTP unauthorized access
7. Vulnerable version of FCKeditor
8. Vulnerable version of FileZilla

Attack flow observed during the drill (reconstructed from the attack-flow figure):
1. Port scan
2. Web application scan
3. Malicious file upload (Code Generator WordPress)
4. Uploading C99 shell
5. Website defacement
6. PhpMyAdmin access
7. SQL database export
8. File upload vulnerability used to upload a DoS/DDoS script
9. System is completely compromised and becomes part of a zombie network
10. Attacking other targets using your compromised system as source

Phase II - The Incident Escalation MATRIX

This attack ends at around 2 PM, and now you are asked to share the POCs of the attack detection. In this phase all your teams have to share the POCs of the attacks that occurred and were successful. So for every attack, such as the "Malicious File Upload", you will be required to share a POC with all the details. Make sure your Q-Radar and firewalls are set to informational-level logging during the attack period. I know there will be a lot of logs generated, but this is required and you will know in the end why ☺. So in the second phase the CERT team asks you questions such as, while raising the incident-level ticket based on the type of attack, identifying the owner of the asset and identifying the corresponding manager, for example for any network-based attacks your SOC Manager. In all such emails your CISO/GM - IT Security are kept in the loop. This is not because you had a network/application scan or hits for different attacks, but because your system/customer data got stolen, your website got defaced and all
other attacks that were successful. Every organization has an Incident Management Escalation Matrix; just make sure you follow that. Make a compact report and share it with the CERT team.

FUN Facts during the CERT CYBER DRILL

During the drill everyone is alert about the attack which is going to come next. For an hour you will have your lunch break. Make sure you don't leave your seat empty and have someone monitor during that period too. During this CERT Drill they launched an attack when you were supposed to be on break. Though many technical SPOCs were out for lunch, still a few of them were present and monitoring was still on, so everything was captured right on time. It's a good lesson that the attacker won't tell you that he will attack only when you do your shift, but also when you are having your lunch or sleeping at night.

Now if you have observed IBM Q-Radar, though many attacks were detected, not all successful attacks were shown in Q-Radar. Now let's see why this happened. This is because of the way the C99 shell was uploaded. It was not shown in Q-Radar; however, as the logging level was set to informational at syslog, all logs were captured and you could observe that it was a series of 3 PHP files. One was code to provide an upload facility, the second was the upload of the C99 shell and the third was code to perform a DoS/DDoS attack. If there is a feature to upload anything, it will go unnoticed unless detection is based on the signature of that particular file or on analytics such as checking for calls to any system-level commands present in that file. You may share POCs close to PHP script injection. Make sure that in the last POC, for the DoS/DDoS attacks, the traffic generates from your system as source, so all attacks that were previously coming from an external IP to your IP are now vice versa. Hope you enjoyed reading. ☺
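The point made above about the C99 shell, that an upload will go unnoticed unless detection keys on the file's signature or on analytics for system-level command calls, can be shown in a few lines. The script below is an added example for this article, not the author's code and not a Q-Radar or syslog rule. It compares the two approaches on constructed stand-ins for the three uploads described (an upload handler, a command-execution stub and a long-running flood-style script): a hash-based "known bad file" list misses a copy that differs only in whitespace, while a content check still flags it. The file names, contents, hash list and function lists are all constructed; none of the snippets is a working shell or flood script.

```python
"""Signature check versus content analytics for uploaded files.

Added example (not the article author's code). The uploads, the reference
hash and the function lists are constructed for illustration.
"""
import hashlib
import re

# Constructed stand-ins for the uploads the article describes. They carry only the
# traits a content check keys on; they are not functional shells or flood scripts.
UPLOADS = {
    "upload.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'uploads/' . $_FILES['f']['name']); ?>",
    "shell.php": "<?php $out = shell_exec($cmd); echo $out; ?>",
    "flood.php": "<?php set_time_limit(0); ignore_user_abort(true); /* request loop against $target elided */ ?>",
    "image.png.php": "<?php echo 'harmless'; ?>",
    "logo.png": "\x89PNG\r\n",
}

# Constructed "known bad" reference: same logic as shell.php but with different spacing,
# which is enough to defeat an exact-hash signature.
REFERENCE_SHELL = "<?php $out=shell_exec($cmd);echo $out; ?>"

# PHP functions that hand a string to the operating system shell or spawn a process.
DANGEROUS_CALLS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")
UPLOAD_HELPERS = ("move_uploaded_file",)
# Traits of scripts meant to keep running after the client disconnects (flood-style).
LONG_RUNNING = ("set_time_limit(0)", "ignore_user_abort(true)")


def sha256_hex(content):
    return hashlib.sha256(content.encode()).hexdigest()


KNOWN_BAD_HASHES = {sha256_hex(REFERENCE_SHELL)}


def signature_match(content, known_hashes=KNOWN_BAD_HASHES):
    """Signature approach: exact file hash against a known-bad list."""
    return sha256_hex(content) in known_hashes


def content_findings(name, content):
    """Analytics approach: flag the traits that matter regardless of the file's hash
    or claimed extension. Returns a list of finding labels, in a fixed order."""
    findings = []
    if "<?php" in content or "<?=" in content:
        findings.append("php-code-in-upload")
        if name.count(".") > 1:  # e.g. image.png.php slipping past an extension check
            findings.append("double-extension")
    for fn in sorted(set(CALL_RE.findall(content))):
        findings.append(f"system-command:{fn}")
    if any(h in content for h in UPLOAD_HELPERS):
        findings.append("upload-handler")
    compact = content.replace(" ", "")
    if any(t in compact for t in LONG_RUNNING):
        findings.append("long-running-script")
    return findings


def triage(uploads, known_hashes=KNOWN_BAD_HASHES):
    """Run both checks over every upload and return the verdicts side by side."""
    return {
        name: {
            "signature": signature_match(content, known_hashes),
            "findings": content_findings(name, content),
        }
        for name, content in uploads.items()
    }


if __name__ == "__main__":
    for name, verdict in triage(UPLOADS).items():
        print(f"{name:14} signature={verdict['signature']!s:5} findings={verdict['findings']}")
```

Run on the constructed set, the signature check matches nothing (the reference copy differs from shell.php by spacing alone), while the content check flags the upload handler, the command-execution stub, the long-running script and the double-extension file, and leaves the plain PNG clean. That is the informational-level syslog observation from the drill turned into a rule: look at what the uploaded file does, not at what it is called or what its hash is.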