Monday, 20 May 2024, 03:44
Site: The CSI Linux Academy
Course: The CSI Linux Academy (CSI Linux Academy)
Glossary: The CSI Linux Knowledge Base
P

Purple Team

A purple team is an internal security team that combines the skills of both red and blue teams to create comprehensive security solutions. Red teams are responsible for offensive actions, such as penetration testing and simulation of attacks, while blue teams are responsible for defensive actions such as system hardening and incident response.

Purple teams use a combination of offensive and defensive techniques to carry out a structured review of systems and networks. They use the same tools and techniques employed by the red and blue teams, but take extra time to analyze the results and suggest corrective measures to improve the security of the system or network.

Purple teams also focus on testing and validating an organization’s security processes, such as policy, patch management, backup and recovery. This ensures that operational and security processes are understood and correctly configured. Further, purple teams ensure that the organization conducts periodic testing and maintains up-to-date procedures and processes.

The goal of purple teams is to augment the capabilities of red and blue teams to explore the most important vulnerabilities and proactively ensure that the organization’s defenses remain secure. This typically includes the following steps: 

  1. Scanning and mapping the network infrastructure to identify any vulnerabilities and attack points  
  2. Exploiting any known vulnerabilities, such as weak passwords or incomplete patching
  3. Exploiting or simulating new or emerging threats
  4. Implementing the defensive measures recommended by the blue team
  5. Creating reports that include recommendations for remediation or mitigation 

Purple teams enable organizations to have a comprehensive view of their security posture. By combining the perspectives of red and blue teams, organizations can gain a more holistic view of the network and identify any weaknesses or threat vectors. Furthermore, purple teams can increase security levels and proactively safeguard the organization’s networks and infrastructure against external threats.

Pyramid of Pain

The threat hunting pyramid of pain is a concept that describes the progression of an adversary's actions in an attack, from initial access to the final goal of the attack. It is a way for security professionals to visualize and understand the different stages of an attack and how they can detect and respond to it.

The pyramid consists of five levels:

  1. Initial access: This is the point at which an adversary gains access to a network or system. Examples of initial access include phishing attacks, exploitation of a vulnerability, or physical access to a device.

  2. Execution: After gaining initial access, the adversary will execute their attack plan. This can include installing malware, running scripts or commands, or modifying system settings.

  3. Persistence: In order to maintain a foothold in the system, the adversary will establish persistence. This can involve creating new user accounts, modifying system policies, or installing backdoors.

  4. Privilege escalation: The adversary may then try to escalate their privileges in order to gain greater access to the system. This can involve exploiting vulnerabilities or using stolen credentials to access restricted areas.

  5. Lateral movement: Finally, the adversary will attempt to move laterally within the system, gaining access to more resources and potentially reaching their final goal. This can include accessing other systems on the network, exfiltrating data, or sabotaging the system.

In threat hunting, security professionals will look for indicators of compromise at each level of the pyramid, starting with initial access and working their way up. For example, they might look for phishing emails or suspicious activity in system logs to identify initial access. They might then look for signs of malware execution or persistence, such as strange processes running or changes to system policies. By understanding the steps an adversary takes in an attack, security professionals can better detect and respond to threats.


R

Ransomware

Ransomware is a type of malware that encrypts a victim's files, rendering them inaccessible until a ransom is paid to the attacker to restore access. The ransom is typically demanded in the form of cryptocurrency, such as Bitcoin, in order to maintain the anonymity of the attacker.

Ransomware attacks can be particularly devastating for individuals and organizations, as they can result in the loss of important data and disruption of business operations. In some cases, victims may be unable to recover their data even if the ransom is paid, as there is no guarantee that the attacker will actually restore access to the files.

There are several types of ransomware, including:

  1. Cryptojacking ransomware: This type of ransomware uses the victim's computer resources to mine cryptocurrency for the attacker.

  2. Encrypting ransomware: This type of ransomware encrypts the victim's files and demands a ransom in exchange for the decryption key.

  3. Locker ransomware: This type of ransomware locks the victim out of their computer or device and demands a ransom in order to restore access.

  4. Ransomware-as-a-service: This type of ransomware is offered as a service to other attackers, who can use it to carry out ransomware attacks on their own.

One well-known example of ransomware is the WannaCry attack, which affected thousands of organizations and individuals in 2017. The WannaCry ransomware encrypted victims' files and demanded a ransom of $300 in Bitcoin in order to restore access.

Overall, ransomware is a serious threat to individuals and organizations, and can result in significant financial and operational losses. It is important to take measures to protect against ransomware, such as keeping software and security systems up to date and regularly backing up data.
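Added defender-side example, not from the original entry: encrypting ransomware leaves files whose bytes look statistically random, so an entropy sweep over a file store is one way to notice encryption in progress; the threshold, the directory and the sample files are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Ciphertext is close to random: nearly 8 bits of entropy per byte. Text,
# source code and most office documents sit well below that, so a jump in
# per-file entropy across a share is a usable early warning of encryption.
ENTROPY_THRESHOLD = 7.5   # assumed cut-off; tune against what your own stores hold
MIN_SIZE = 64             # tiny files give unreliable entropy estimates

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_directory(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return relative paths under root whose contents look encrypted.
    File names are ignored on purpose: ransomware usually renames files,
    but the extension it picks is not something a detector should rely on."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if len(data) >= MIN_SIZE and shannon_entropy(data) >= threshold:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)

def fake_ciphertext(length: int) -> bytes:
    """Constructed stand-in for an encrypted file: a deterministic SHA-256
    chain, so the demo needs no key and yields the same bytes every run."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def demo() -> list:
    """Constructed sample: one plain-text document beside its 'encrypted' twin."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.txt"), "w") as f:
            f.write("quarterly report draft, do not distribute\n" * 50)
        with open(os.path.join(root, "report.txt.locked"), "wb") as f:
            f.write(fake_ciphertext(4096))
        return scan_directory(root)

if __name__ == "__main__":
    print("files that look encrypted:", demo())
```

Compressed archives and media files also score near 8 bits per byte, so treat a hit as a trigger to check recent modification times and mass renames rather than as proof on its own.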


Recon-ng

Recon-ng is a powerful, full-featured web reconnaissance framework written in Python. It is designed to perform open-source intelligence (OSINT) gathering in a structured manner, automating the process of collecting information from various public sources about individuals, companies, and websites. Recon-ng's design mirrors that of a web application, providing a command-line interface that allows users to execute various reconnaissance modules, each tailored to retrieve specific types of information.

Key Features of Recon-ng:

  • Modular Framework: Recon-ng is built around a modular framework, allowing users to activate and run specific modules targeted at different data collection tasks. These modules can range from gathering basic domain information to more complex data scraping from social media platforms.
  • Ease of Use: Despite its powerful capabilities, Recon-ng is user-friendly, with a straightforward command-line interface that makes it accessible even to those with minimal technical expertise in OSINT.
  • Automation: One of the main strengths of Recon-ng is its ability to automate repetitive tasks, streamlining the data collection process and saving significant time and effort.
  • Integration Capabilities: Recon-ng can integrate with various APIs and external services, enhancing its data collection capabilities. This includes integration with popular search engines, social networks, and specialized databases.
  • Data Management: The framework allows for efficient management of collected data, organizing it into a local database for easy access and analysis.


Recon-ng can access a wide range of data, making it an invaluable tool for OSINT purposes. Some of the types of information that can be collected include:

  • Domain and IP Information: Recon-ng can collect data on domain names, including registration details, associated IP addresses, and subdomains. It can also perform reverse IP lookups to find all domains associated with a particular IP address.
  • Location Data: Through various geolocation modules, it can gather physical location information associated with IP addresses or other digital assets.
  • Person Identification: The framework can search for information on individuals, including social media profiles, email addresses, and other online identifiers.
  • Company Information: Recon-ng can retrieve details about companies, including employee names, roles, and contact information, from professional networking sites.
  • Security Vulnerabilities: Some modules are designed to identify potential security vulnerabilities in web applications or to gather information that could be used in penetration testing.
  • Data Breaches: It can search databases of known data breaches for compromised accounts related to specific email addresses or domains.


Recon-ng is particularly useful for cybersecurity professionals, penetration testers, and investigators for the following OSINT activities:

  • Cybersecurity Assessments: By gathering information on potential vulnerabilities and exposed services, Recon-ng can help in assessing the security posture of a target organization or system.
  • Investigations: Investigators can use Recon-ng to collect evidence or clues in cybercrime investigations, fraud detection, and other legal cases.
  • Competitive Intelligence: Businesses can use Recon-ng to gather intelligence on competitors, including website technologies, online presence, and employee details.
  • Penetration Testing: Before attempting to penetrate a network or system, penetration testers can use Recon-ng to collect detailed information about the target, aiding in the identification of potential entry points.


Recon-ng's effectiveness in OSINT lies in its ability to aggregate and correlate data from multiple public sources quickly and efficiently. However, it's crucial for users to operate within legal and ethical boundaries, ensuring that their data collection activities comply with applicable laws and regulations. Recon-ng, with its extensive capabilities, exemplifies how automated tools can enhance the practice of open-source intelligence, providing deep insights into digital footprints left online.

Red Team

A cyber red team engagement is a type of security assessment that involves simulating real-world attack scenarios within an organization’s network environment in order to identify any existing weaknesses or vulnerabilities that could be exploited by malicious actors. A cyber security red team is essentially a specialized group of cyber security professionals who use their knowledge of the latest attack techniques to test a company’s security posture across the entirety of its networks and systems. The primary goal of a cyber red team is to identify and assess any potential threats and vulnerabilities before they can be exploited by malicious actors.

The cyber red team generally consists of experienced professionals with a deep understanding of the cyber security landscape and the latest attack techniques. They are often skilled in advanced penetration testing, detailed SecOps, forensics, and threat intelligence. Cyber red teams are typically employed by organizations to constantly assess their security posture and ensure that their networks and systems are secure against potential threats.

In addition to assessing a company’s security posture, the cyber red team may also be tasked with looking for any areas of weakness within the organization’s policies and procedures. This can include evaluating the effectiveness of employee training and security policies, as well as ensuring that the organization is following the latest government regulations. Once any weak spots have been identified, the cyber red team works with the organization to develop security measures and best practices for addressing them.

Essentially, the cyber red team provides organizations with in-depth security assessments of their current security posture and helps them identify any areas of improvement. By acting as a proactive security measure, the cyber red team helps organizations reduce the risk of being compromised by malicious actors and protect the security of their networks and systems.

Rootkit

A rootkit is a type of malware designed to gain unauthorized privileged access (such as root or administrative access) and maintain persistence on a compromised system. Rootkits are particularly insidious because they are adept at concealing their presence and activities from detection. They achieve this by operating at a low level within the system, often within the kernel or system libraries, and by subverting or bypassing security mechanisms.

Characteristics of Rootkits

  • Privileged Access: Rootkits are designed to obtain and retain high-level access to a system. This privileged access allows the attacker to control the system completely, often without the user's knowledge.
  • Persistence: Once installed, rootkits ensure they remain on the system even after reboots. They often modify system files and settings to reload themselves automatically.
  • Concealment: Rootkits employ various techniques to hide their presence and activities. They can hide processes, files, registry entries, and network connections, making them difficult to detect using traditional security tools.
  • Low-Level Operation: Many rootkits operate at the kernel level, meaning they can intercept and modify system calls, which allows them to manipulate the core functions of the operating system. This level of operation makes them particularly dangerous and hard to remove.

Kernel Mode Rootkits

  • Description: These rootkits operate at the kernel level, which is the core of the operating system. By modifying kernel data structures and hooking system calls, they gain extensive control over the system.
  • Example: The "Stuxnet" rootkit targeted specific industrial control systems and was able to hide its presence while manipulating the behavior of the hardware it targeted.

User Mode Rootkits

  • Description: These rootkits operate at the user level, affecting applications and processes rather than the operating system's core functions. They often use techniques such as DLL injection to remain hidden.
  • Example: The "Hacker Defender" rootkit is a user-mode rootkit that hides files, processes, and registry entries from view, making detection difficult.

Bootkits

  • Description: Bootkits infect the master boot record (MBR) or the Unified Extensible Firmware Interface (UEFI) to gain control during the boot process. By loading before the operating system, they can evade detection by traditional security measures.
  • Example: The "TDL4" bootkit infects the MBR, ensuring it loads before the operating system and can manipulate system functions from the earliest stages of booting.

Firmware Rootkits

  • Description: Firmware rootkits target the firmware of hardware devices, such as the BIOS or network cards. They are particularly persistent because they reside outside the operating system, making them difficult to detect and remove.
  • Example: The "GrayFish" rootkit, part of the Equation Group's malware suite, infects the hard drive firmware, allowing it to persist across operating system reinstalls and disk formatting.

Challenges

  • Stealth Techniques: Rootkits employ advanced stealth techniques, such as hooking system calls and direct kernel object manipulation, to hide their presence.
  • System Integrity Compromise: By operating at a low level, rootkits can compromise the integrity of the system, making traditional security tools ineffective.
  • Persistence Mechanisms: Rootkits often use sophisticated persistence mechanisms, such as infecting the MBR or firmware, making them difficult to eradicate.

Detection Methods

  • Behavioral Analysis: Monitoring system behavior for anomalies, such as unusual network traffic or unexpected system modifications, can help detect rootkits.
  • Integrity Checks: Tools that compare the current state of system files and settings with known good states can identify unauthorized changes indicative of rootkit activity.
  • Memory Forensics: Analyzing memory dumps can reveal hidden processes and modules that rootkits attempt to conceal.
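As an added illustration of the integrity-check approach above (not CSI Linux's or any listed tool's code), this Python snapshot-and-compare script hashes a directory tree, stores the baseline as JSON, and reports modified, added, removed and permission-changed files; the fake system tree, the tampering and the file names are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Record hash, permission bits and size of every regular file under root,
    keyed by path relative to root so the record is portable."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": sha256_of(path),
                "mode": st.st_mode & 0o7777,   # keeps setuid/setgid/sticky bits
                "size": st.st_size,
            }
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. Changed content, changed permission bits, files that
    appeared and files that vanished are each reported separately."""
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        if new["mode"] != old["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Constructed scenario: snapshot a small fake system tree, keep the
    snapshot as JSON (in practice on read-only or off-host media), then
    change the tree the way a rootkit install would and re-check."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in {"bin/ls": b"#!/bin/sh\nexec /usr/bin/ls\n",
                          "lib/libc.so": b"ELF-placeholder",
                          "etc/hosts": b"127.0.0.1 localhost\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        os.chmod(os.path.join(root, "lib/libc.so"), 0o644)
        snapshot = json.dumps(build_baseline(root), sort_keys=True)

        # Tampering: a modified binary, an unknown new library, a setuid bit.
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"\n# constructed extra bytes\n")
        with open(os.path.join(root, "lib/unknown.so"), "wb") as f:
            f.write(b"constructed-unknown-library")
        os.chmod(os.path.join(root, "lib/libc.so"), 0o4755)

        return compare(json.loads(snapshot), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from a clean boot medium or against the disk mounted on another host, since a kernel-mode rootkit can feed false file contents to any scanner running on the infected system, and keep the baseline somewhere an intruder cannot rewrite it.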

Removal Techniques

  • Manual Removal: This involves identifying and manually removing rootkit components, a process that can be complex and time-consuming.
  • Reinstallation: In many cases, the most effective way to remove a rootkit is to completely reinstall the operating system, ensuring all compromised components are replaced.
  • Specialized Tools: Tools such as "GMER" and "RootkitRevealer" are designed specifically to detect and remove rootkits by scanning for hidden processes and file system inconsistencies.

Examples of Notorious Rootkits

Stuxnet

  • Overview: Stuxnet is a highly sophisticated worm that targeted Iran's nuclear facilities. It used a rootkit to hide its presence and manipulated industrial control systems to cause physical damage.
  • Impact: Stuxnet was the first known malware to cause physical damage to infrastructure, highlighting the potential of rootkits in cyber warfare.

TDSS/TDL-4

  • Overview: The TDSS or TDL-4 rootkit is known for infecting the MBR to gain control during the boot process. It uses advanced techniques to hide its presence and communicate with command-and-control servers.
  • Impact: TDSS/TDL-4 has been used to create botnets and distribute other types of malware, demonstrating the versatility and persistence of rootkit infections.

Sony BMG Rootkit

  • Overview: In 2005, Sony BMG included a rootkit in their DRM software to prevent copying of their music CDs. This rootkit hid its files and processes, making it difficult to detect.
  • Impact: The discovery of the Sony BMG rootkit led to a significant public backlash and legal consequences, emphasizing the ethical and legal implications of using rootkit technology.

S

Script Kiddie

A script kiddie (also known as a skiddie) is an individual who uses pre-written scripts or code—often stolen or borrowed without permission or knowledge—to attack computer systems or networks. Script kiddies are not necessarily malicious hackers, and the term is often used to describe those with little or no technical knowledge who use scripts or programs written by more skilled hackers to launch simple attacks against unsuspecting victims.

These attacks typically involve using vulnerable programs to gain unauthorized access to systems, networks, or websites. For example, a script kiddie may borrow or steal someone else’s script or program and use it to exploit vulnerable software and gain access to the system. Script kiddies will often target systems or networks for their own amusement and may not have any malicious intent.

Though script kiddies may possess some basic knowledge of computer programming and coding, they often lack the technical expertise necessary to understand the risks associated with their attacks. As a result, their activities may cause unnecessary disruption or damage to systems.

The term "script kiddie" is often used negatively and viewed derogatorily by experienced hackers and cybersecurity professionals. Script kiddies are often viewed as irresponsible and reckless, and their activities can be dangerous for both them and those they target.

SDR

An SDR, or software-defined radio, is a radio communication system that uses software to define the characteristics of the radio signal. This allows the radio to be reconfigured to work on different frequencies and in different modes without the need for hardware changes.

SDR radios have become increasingly popular in recent years due to their flexibility and ability to support a wide range of communication protocols. They can be used for a variety of purposes, including amateur radio, military communications, and commercial applications.

One of the key benefits of SDR radios is that they can be easily modified and customized using software. This allows users to adapt the radio to their specific needs and requirements, rather than being limited to the capabilities of a fixed hardware design.

For example, an amateur radio operator may use an SDR radio to receive and transmit on a wide range of frequencies, including shortwave, medium wave, and high frequency. They may also use software to add features such as digital voice decoding or automatic frequency control.

Another example of an SDR radio is the HackRF, which is a low-cost, open-source SDR radio that can be used for a variety of purposes, including wireless testing, RF analysis, and digital signal processing. The HackRF can be programmed and modified using software, making it a popular choice among hobbyists and researchers.

Overall, SDR radios are a versatile and flexible tool for radio communication, and can be customized and adapted to a wide range of purposes using software. They offer a cost-effective and efficient alternative to traditional hardware-based radios.


SIGINT

Sigint, or Signals Intelligence, refers to the collection and analysis of electronic signals and communications for the purpose of obtaining strategic, military, or intelligence information. This can include intercepting and analyzing phone calls, emails, and other electronic communication, as well as tracking and analyzing satellite and radar signals.

Examples of Sigint activities include:

  1. Monitoring and intercepting phone calls and emails between foreign government officials to gather information about their plans and intentions.

  2. Tracking and analyzing satellite signals to determine the location and movements of foreign military units.

  3. Analyzing radar signals to determine the capabilities of foreign military aircraft.

  4. Monitoring social media and other online communication to gather intelligence on political or military activities in other countries.

  5. Analyzing and decoding encrypted communications to gather sensitive information.

Overall, Sigint is an important tool for intelligence agencies to gather and analyze information about foreign governments, military activities, and other strategic information that may be relevant to national security.

Snapps

Snapps, short for "Service Node Applications," are specialized, privacy-focused applications and services accessible exclusively within the Lokinet network. Designed to operate on the decentralized and secure infrastructure provided by Lokinet, Snapps offer enhanced privacy and security features, ensuring users can communicate, browse, and transact anonymously.

Snapps cater to a wide audience seeking privacy and security in their online activities, including journalists needing secure communication channels, activists organizing without government surveillance, and individuals desiring anonymous internet usage. By leveraging Lokinet's encrypted network, Snapps provide a safe environment for various online interactions free from external monitoring and censorship.

Snapps utilize the unique onion routing protocol of Lokinet, which encrypts data in multiple layers and routes it through a series of nodes, effectively masking the origin and destination of the data. This process ensures that the user's location and activity remain anonymous, making Snapps ideal for sensitive communications and private online services.

Key Features:

  • Anonymity: Snapps allow users to access and provide online services without revealing their identity or location, thanks to the underlying Lokinet infrastructure.
  • Decentralization: Built on Lokinet's decentralized network of service nodes, Snapps benefit from a robust, censorship-resistant platform.
  • Security: Encrypted data transmission and the privacy-focused nature of Lokinet ensure that Snapps offer a secure environment for users' online activities.

While Snapps provide significant advantages in terms of privacy and security, users should be mindful of the ethical and legal implications of their online activities. The anonymity offered by Snapps and Lokinet, though powerful, can potentially be misused. However, for those committed to upholding privacy and freedom of information, Snapps represent an invaluable tool in navigating the digital world securely.

In summary, Snapps are at the forefront of leveraging Lokinet's private networking capabilities, offering a range of services that prioritize user anonymity and data security. They embody the shift towards a more secure and private online ecosystem, providing a sanctuary for those seeking refuge from the prying eyes of the digital age.
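An added simulation, not Lokinet's code or protocol, of the layered encryption described above: a client wraps a message in one authenticated layer per node using a toy HMAC-based stream cipher (an assumption standing in for the real cipher suite), and each node can strip only its own layer and learns only the next hop.

```python
import hashlib
import hmac

HOP_FIELD = 8        # constructed: fixed-width next-hop label inside each layer
DELIVER = "DELIVER"  # constructed sentinel telling the last node to unwrap the payload

def subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one key shared with a hop."""
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, block counter). Symmetric,
    so the same call encrypts and decrypts. Illustration only, not the
    cipher Lokinet actually uses."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer, so a relay cannot flip bits unnoticed."""
    ct = keystream_xor(subkey(key, b"enc"), plaintext)
    tag = hmac.new(subkey(key, b"mac"), ct, hashlib.sha256).digest()[:16]
    return tag + ct

def open_layer(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:16], blob[16:]
    expected = hmac.new(subkey(key, b"mac"), ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered layer")
    return keystream_xor(subkey(key, b"enc"), ct)

def can_open(key: bytes, blob: bytes) -> bool:
    try:
        open_layer(key, blob)
        return True
    except ValueError:
        return False

def build_onion(path, message: bytes):
    """path: [(node_name, key_shared_with_that_node), ...] from entry to exit.
    Wrap from the innermost layer outward; each layer names only the next hop."""
    blob, next_hop = message, DELIVER
    for name, key in reversed(path):
        assert len(name) <= HOP_FIELD and len(next_hop) <= HOP_FIELD
        blob = seal(key, next_hop.encode().ljust(HOP_FIELD, b"\0") + blob)
        next_hop = name
    return next_hop, blob      # first hop, fully wrapped onion

def peel(key: bytes, blob: bytes):
    """One node's job: strip its own layer, read the next hop, forward the rest."""
    plain = open_layer(key, blob)
    return plain[:HOP_FIELD].rstrip(b"\0").decode(), plain[HOP_FIELD:]

def route(path, message: bytes):
    """Simulate the relay chain. Returns (hop, next_hop) per node and the
    payload that only the final node sees in the clear."""
    keys = dict(path)
    hop, blob = build_onion(path, message)
    trace = []
    while hop != DELIVER:
        next_hop, blob = peel(keys[hop], blob)
        trace.append((hop, next_hop))
        hop = next_hop
    return trace, blob

if __name__ == "__main__":
    path = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
    print(route(path, b"hello from a snapp client"))
```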

Resources:

Course: CSI Linux Certified Dark Web Investigator | CSI Linux Academy
Course: CSI Linux Certified Covert Comms Specialist (CSIL-C3S) | CSI Linux Academy