Chapters 1-4: summary, and what did you learn / what do you think
Cybersecurity Attack and Defense
Infrastructure security with Red Team and Blue Team
Yuri Diogenes, Erdal Ozkaya
BIRMINGHAM – MUMBAI
Copyright 2018 Packt Publishing
Commissioning Editor: Vijin Boricha
Acquisition Editor: Namrata Patil
Content Development Editor: Amrita Noronha
Technical Editor: Sneha Hanchate
Copy Editor: Safis Editing
Project Coordinator: Shweta Birwatkar
Proofreader: Safis Editing
Indexers: Pratik Shirodkar
Graphics: Tania Dutta
Production Coordinator: Shantanu Zagade
First published: January 2018
Production reference: 1230118
Published by Packt Publishing Ltd.
35 Livery Street
B3 2PB, UK.
About the authors
Yuri Diogenes is a professor at EC-Council University for their master’s degree in cybersecurity program. Yuri has a master of science degree in cybersecurity from UTICA College, and an MBA from FGV Brazil. Yuri currently holds the following certifications: CISSP, CyberSec First Responder, CompTIA CSA+, E|CEH, E|CSA, E|CHFI, E|CND, CyberSec First Responder, CompTIA, Security+, CompTIA Cloud Essentials, Network+, Mobility+, CASP, CSA+, MCSE, MCTS, and Microsoft Specialist – Azure.
First and foremost, I would like to thank God for enabling me to write another book. I also
would like to thank my wife, Alexsandra, and my daughters, Yanne and Ysis, for their
unconditional support. To my coauthor and friend, Erdal Ozkaya, for the great
partnership. To Amrita Noronha for her amazing support throughout this project.
Erdal Ozkaya is a doctor of philosophy in Cybersecurity, master of information systems security, master of computing research, CEI, MCT, MCSE, E|CEH, E|CSA, E|CISO, CFR, and CISSP. He works for Microsoft as a cybersecurity architect and security advisor and is also a part-time lecturer at Australian Charles Sturt University. He has coauthored many security certification coursewares for different vendors and speaks at conferences worldwide. He has won many awards in his field and works hard to make the Cyber-
I would like to thank my wife, Arzu, and my kids, Jemre and Azra, for all their support and
love. I would like to give special thanks to my parents and brothers who have helped me
become who I am. I would also like to thank my supervisor, Dr. Rafiqul Islam, for his help
and feedback whenever I have needed it.
About the reviewers
Vijay Kumar Velu is a passionate information security practitioner, author, speaker, and
blogger, currently based in Malaysia. He has more than 11 years of IT industry experience.
He is a licensed penetration tester and has specialized in providing technical solutions to a
variety of cyber problems. He is the author of Mastering Kali Linux for Advanced Penetration
Testing, Second Edition and Mobile Application Penetration Testing.
Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and over 15 years of experience in designing, troubleshooting, and securing large-scale industrial control systems and the various types of network technologies they utilize. After more than a decade of hands-on, in-the-field experience, he joined Rockwell Automation in 2015. He is currently employed as a senior consultant of industrial cybersecurity with the Network and Security Services Group. He recently became a digital nomad and now travels the world with his family while fighting cyber adversaries.
Table of Contents
Chapter 1: Security Posture 6
The current threat landscape 6
The credentials – authentication and authorization 10
Cybersecurity challenges 14
Old techniques and broader results 14
The shift in the threat landscape 15
Enhancing your security posture 16
The Red and Blue Team 18
Assume breach 21
Chapter 2: Incident Response Process 25
Incident response process 25
Reasons to have an IR process in place 26
Creating an incident response process 28
Incident response team 31
Incident life cycle 32
Handling an incident 33
Best practices to optimize incident handling 36
Post-incident activity 36
Real-world scenario 36
Lessons learned 38
Incident response in the cloud 39
Updating your IR process to include cloud 40
Chapter 3: Understanding the Cybersecurity Kill Chain 42
External reconnaissance 42
John the Ripper 47
THC Hydra 48
Cain and Abel 54
Access and privilege escalation 55
Vertical privilege escalation 55
Horizontal privilege escalation 56
Threat life cycle management 60
Chapter 4: Reconnaissance 66
External reconnaissance 67
Dumpster diving 67
Social media 68
Social engineering 69
Diversion theft 70
Phone phishing (vishing) 72
Spear phishing 73
Water holing 74
Quid pro quo 75
Internal reconnaissance 76
Sniffing and scanning 76
Cain and Abel 82
Conclusion of the reconnaissance chapter 86
Chapter 5: Compromising the System 90
Analyzing current trends 91
Extortion attacks 91
Data manipulation attacks 92
IoT device attacks 94
Mobile device attacks 95
Hacking everyday devices 95
Hacking the cloud 97
Exploiting a vulnerability 101
Source code analysis 102
Types of zero-day exploits 103
Buffer overflows 104
Structured exception handler overwrites 104
Performing the steps to compromise a system 105
Deploying payloads 105
Installing and using a vulnerability scanner 105
Using Metasploit 106
Compromising operating systems 108
Compromising systems using Kon-Boot or Hiren’s BootCD 108
Compromising systems using a Linux Live CD 110
Compromising systems using preinstalled applications 111
Compromising systems using Ophcrack 112
Compromising a remote system 113
Compromising web-based systems 114
SQL injection 114
Cross-site scripting 115
Broken authentication 115
DDoS attacks 116
Chapter 6: Chasing a User’s Identity 120
Identity is the new perimeter 120
Strategies for compromising a user’s identity 123
Gaining access to the network 125
Harvesting credentials 125
Hacking a user’s identity 127
Brute force 128
Social engineering 129
Pass the hash 137
Other methods to hack identity 139
Chapter 7: Lateral Movement 141
Network mapping 142
Avoiding alerts 144
Performing lateral movement 145
Port scans 145
File shares 149
Remote Desktop 150
Windows Management Instrumentation 152
Scheduled tasks 154
Token stealing 154
Active Directory 155
Remote Registry 156
Breached host analysis 157
Central administrator consoles 157
Email pillaging 158
Chapter 8: Privilege Escalation 160
Horizontal privilege escalation 161
Vertical privilege escalation 162
Avoiding alerts 162
Performing privilege escalation 163
Exploiting unpatched operating systems 164
Access token manipulation 165
Exploiting accessibility features 166
Application shimming 167
Bypassing user account control 172
DLL injection 173
DLL search order hijacking 174
Dylib hijacking 175
Exploration of vulnerabilities 176
Launch daemon 177
Hands-on example of privilege escalation on a Windows 8 target 177
Conclusion and lessons learned 179
Chapter 9: Security Policy 181
Reviewing your security policy 181
Educating the end user 183
Social media security guidelines for users 184
Security awareness training 185
Policy enforcement 185
Application whitelisting 188
Monitoring for compliance 194
Chapter 10: Network Segmentation 200
Defense in depth approach 200
Infrastructure and services 202
Documents in transit 202
Physical network segmentation 205
Discovering your network 208
Securing remote access to the network 210
Site-to-site VPN 212
Virtual network segmentation 213
Hybrid cloud network security 215
Chapter 11: Active Sensors 219
Detection capabilities 220
Indicators of compromise 221
Intrusion detection systems 224
Intrusion prevention system 226
Rule-based detection 227
Anomaly-based detection 228
Behavior analytics on-premises 228
Device placement 232
Behavior analytics in a hybrid cloud 232
Azure Security Center 233
Chapter 12: Threat Intelligence 240
Introduction to threat intelligence 240
Open source tools for threat intelligence 244
Microsoft threat intelligence 249
Azure Security Center 250
Leveraging threat intelligence to investigate suspicious activity 252
Chapter 13: Investigating an Incident 258
Scoping the issue 258
Key artifacts 259
Investigating a compromised system on-premises 265
Investigating a compromised system in a hybrid cloud 270
Search and you shall find it 278
Lessons learned 279
Chapter 14: Recovery Process 281
Disaster recovery plan 282
The disaster recovery planning process 282
Forming a disaster recovery team 283
Performing risk assessment 284
Prioritizing processes and operations 284
Determining recovery strategies 284
Collecting data 285
Creating the disaster recovery plan 285
Testing the plan 285
Obtaining approval 285
Maintaining the plan 286
Live recovery 287
Contingency planning 288
IT contingency planning process 289
Development of the contingency planning policy 290
Conducting business impact analysis 290
Identifying the critical IT resources 291
Identifying disruption impacts 291
Developing recovery priorities 291
Identifying the preventive controls 292
Developing recovery strategies 292
Alternative sites 293
Equipment replacement 295
Plan testing, training, and exercising 295
Plan maintenance 296
Best practices for recovery 296
Chapter 15: Vulnerability Management 298
Creating a vulnerability management strategy 299
Asset inventory 299
Information management 300
Risk assessment 301
Collecting data 302
Analysis of policies and procedures 302
Vulnerability analysis 302
Threat analysis 303
Analysis of acceptable risks 303
Vulnerability assessment 304
Reporting and remediation tracking 305
Response planning 306
Vulnerability management tools 307
Asset inventory tools 307
Peregrine tools 308
LANDesk Management Suite 308
Foundstone’s Enterprise 309
Information management tools 310
Risk assessment tools 311
Vulnerability assessment tools 312
Reporting and remediation tracking tools 313
Response planning tools 313
Implementation of vulnerability management 314
Best practices for vulnerability management 316
Implementing vulnerability management with Nessus 318
Flexera (Secunia) Personal Software Inspector 328
Chapter 16: Log Analysis 333
Data correlation 333
Operating system logs 335
Windows logs 335
Linux logs 338
Firewall logs 339
Web server logs 341
Other Books You May Enjoy 344
With a threat landscape that is in constant motion, it becomes imperative to have a strong security posture, which in reality means enhancing protection, detection, and response. Throughout this book, you will learn the attack methods and patterns to recognize abnormal behavior within your organization with Blue Team tactics. You will also learn techniques to gather exploitation intelligence, identify risks, and demonstrate impact on Red and Blue Team strategies.
Who this book is for
This book is for information security professionals and IT professionals who want to know
more about Cybersecurity.
What this book covers
Chapter 1, Security Posture, defines what constitutes a secure posture and how it helps in understanding the importance of having a good defense and attack strategy.
Chapter 2, Incident Response Process, introduces the incident response process and the importance of having one. It goes over different industry standards and best practices for handling incident response.
Chapter 3, Understanding the Cybersecurity Kill Chain, prepares the reader to understand the mindset of an attacker, the different stages of the attack, and what usually takes place in each one of those phases.
Chapter 4, Reconnaissance, speaks about the different strategies to perform reconnaissance and how data is gathered to obtain information about the target for planning the attack.
Chapter 5, Compromising the System, shows current trends in strategies to compromise the system and explains how to compromise a system.
Chapter 6, Chasing a User’s Identity, explains the importance of protecting the user’s identity to avoid credential theft and goes through the process of hacking the user’s identity.
Chapter 7, Lateral Movement, describes how attackers perform lateral movement once they compromise one system.
Chapter 8, Privilege Escalation, shows how attackers can escalate privileges in order to gain administrative access to the network system.
Chapter 9, Security Policy, focuses on the different aspects of the initial defense strategy, which starts with the importance of a well-created security policy and goes over the best practices for security policies, standards, security awareness training, and core security
Chapter 10, Network Segmentation, looks into different aspects of defense in depth, covering physical network segmentation as well as the virtual and hybrid cloud.
Chapter 11, Active Sensors, details different types of network sensors that help organizations to detect attacks.
Chapter 12, Threat Intelligence, speaks about the different aspects of threat intelligence from the community as well as from the major vendors.
Chapter 13, Investigating an Incident, goes over two case studies, for an on-premises compromised system and for a cloud-based compromised system, and shows all the steps involved in a security investigation.
Chapter 14, Recovery Process, focuses on the recovery process of a compromised system and explains how crucial it is to know what options are available, since live recovery of a system is not possible in certain circumstances.
Chapter 15, Vulnerability Management, describes the importance of vulnerability management to mitigate vulnerability exploitation. It covers the current threat landscape and the growing number of ransomware that exploits known vulnerabilities.
Chapter 16, Log Analysis, goes over the different techniques for manual log analysis, since it is critical for the reader to gain knowledge on how to deeply analyze different types of logs to hunt suspicious security activities.
To get the most out of this book
1. We assume that the readers of this book know the basic information security concepts, Windows, and Linux operating systems.
2. Some of the demonstrations from this book can also be done in a lab environment; therefore, we recommend you to have a virtual lab with the following VMs: Windows Server 2012, Windows 10, and Kali Linux.
Chapter 1: Security Posture
Over the years, investments in security moved from “nice to have” to “must have”, and now organizations around the globe are realizing how important it is to continually invest in security. This investment will ensure that the company stays competitive in the market. Failure to properly secure their assets could lead to irreparable damage, and in some circumstances could lead to bankruptcy. Due to the current threat landscape, investing only in protection isn’t enough. Organizations must enhance their overall security posture. This means that the investments in protection, detection, and response must be aligned.
In this chapter, we’ll be covering the following topics:
- The current threat landscape
- The challenges in the cybersecurity space
- How to enhance your security posture
- Understanding the roles of the Blue Team and Red Team in your organization
The current threat landscape
With the prevalence of always-on connectivity and advancements in technology that are
available today, the threats are evolving rapidly to exploit different aspects of these
technologies. Any device is vulnerable to attack, and with Internet of Things (IoT) this
became a reality. In October 2016, a series of Distributed Denial of Service (DDoS) attacks
were launched against DNS servers, which caused some major web services to stop
working, such as GitHub, Paypal, Spotify, Twitter, and others (1).
This was possible due to the amount of insecure IoT devices around the world. While the
use of IoT to launch a massive cyber attack is something new, the vulnerabilities in those
devices are not. As a matter of fact, they’ve been there for quite a while. In 2014, ESET
reported 73,000 unprotected security cameras with default passwords (2). In April 2017,
IOActive found 7,000 vulnerable Linksys routers in use, although they said that it could be
up to 100,000 additional routers exposed to this vulnerability (3).
The Chief Executive Officer (CEO) may even ask: what do the vulnerabilities in a home device have to do with our company? That’s when the Chief Information Security Officer (CISO) should be ready to give an answer, because the CISO should have a better understanding of the threat landscape and of how home user devices may introduce risks that the company needs to mitigate. The answer comes in two simple scenarios: remote access and Bring Your Own Device (BYOD).
While remote access is not something new, the number of remote workers is growing exponentially. Forty-three percent of employed Americans are already working remotely according to Gallup (4), which means they are using their own infrastructure to access the company’s resources. Compounding this issue, we have a growth in the number of companies allowing BYOD in the workplace. Keep in mind that there are ways to implement BYOD securely, but most of the failures in the BYOD scenario usually happen because of poor planning and network architecture, which lead to an insecure
What is the commonality among all the technologies previously mentioned? To operate them, you need a user, and the user is still the greatest target for attack. Humans are the weakest link in the security chain. For this reason, old threats such as phishing emails are still on the rise, because they play on the psychological aspects of the user by enticing the user to click on something, such as a file attachment or a malicious link. Usually, once the user performs one of these actions, their device becomes compromised, either by malicious software (malware) or by being remotely accessed by a hacker.
A spear phish campaign could start with a phishing email, which will basically be the entry
point for the attacker, and from there other threats will be leveraged to exploit
vulnerabilities in the system.
One example of a growing threat that uses phishing emails as the entry point for the attack is ransomware. In the first three months of 2016 alone, the FBI reported that $209 million in ransomware payments were made (6). According to Trend Micro, ransomware growth will plateau in 2017; however, the attack methods and targets will diversify (7).
The following diagram highlights the correlation between these attacks and the end user:
This diagram shows four entry points for the end user. All of these entry points must have their risks identified and treated with proper controls. The scenarios are listed as follows:
- Connectivity between on-premises and cloud (1)
- Connectivity between BYOD devices and cloud (2)
- Connectivity between corporate-owned devices and on-premises (3)
- Connectivity between personal devices and cloud (4)
Notice that these are different scenarios, but all correlated by one single entity: the end user. The common element in all scenarios is usually the preferred target for cybercriminals, which appears in the preceding diagram accessing cloud resources.
In all scenarios, there is also another important element that appears constantly, which is cloud computing resources. The reality is that nowadays you can’t ignore the fact that many companies are adopting cloud computing. The vast majority will start in a hybrid scenario, where Infrastructure as a Service (IaaS) is their main cloud service. Some other companies might opt to use Software as a Service (SaaS) for some solutions, for example, Mobile Device Management (MDM), as shown in scenario (2). You may argue that highly secure organizations, such as the military, may have zero cloud connectivity. That’s certainly possible, but commercially speaking, cloud adoption is growing and will slowly dominate most of the deployment scenarios.
On-premise security is critical, because it is the core of the company, and that’s where the
majority of the users will be accessing resources. When an organization decides to extend
their on-premise infrastructure with a cloud provider to use IaaS (1), the company needs to
evaluate the threats for this connection and the countermeasure for these threats through a
The last scenario (4) might be intriguing for some skeptical analysts, mainly because they
might not immediately see how this scenario has any correlation with the company’s
resources. Yes, this is a personal device with no direct connectivity with on-premise
resources. However, if this device is compromised, the user could potentially compromise
the company’s data in the following situations:
- Opening a corporate email from this device
- Accessing corporate SaaS applications from this device
- If the user uses the same password (8) for his/her personal email and his corporate account, this could lead to account compromise through brute force or
Having technical security controls in place could help mitigate some of these threats against
the end user. However, the main protection is continuous use of education via security
The user is going to use their credentials to interact with applications in order to either
consume data or write data to servers located in the cloud or on-premise. Everything in
bold has a unique threat landscape that must be identified and treated. We will cover these
areas in the sections that follow.
The credentials – authentication and authorization
According to Verizon’s 2017 Data Breach Investigations Report (9), the association between a threat actor (or just actor), their motives, and their modus operandi varies according to the industry. However, the report states that stolen credentials are the preferred attack vector for financial motivation or organized crime. This data is very important, because it shows that threat actors are going after users’ credentials, which leads to the conclusion that companies must focus specifically on authentication and authorization of users and their access rights.
The industry agreed that a user’s identity is the new perimeter. This requires security
controls specifically designed to authenticate and authorize individuals based on their job
and need for specific data within the network. Credential theft could be just the first step to
enable cybercriminals to have access to your system. Having a valid user account in the
network will enable them to move laterally (pivot), and at some point find the right
opportunity to escalate privilege to a domain administrator account. For this reason,
applying the old concept of defense in depth is still a good strategy to protect a user’s
identity, as shown in the following diagram:
Here, there are multiple layers of protection, starting with the regular security policy enforcement for accounts, which follows industry best practices such as strong password requirements, a policy requiring frequent password changes, and password strength. Another growing trend to protect user identities is to enforce multifactor authentication (MFA). One method that is seeing increased adoption is the callback feature, where the user initially authenticates using his/her credentials (username and password), and receives a call to enter their PIN. If both authentication factors succeed, they are authorized to access the system or network. We are going to explore this topic in greater detail in Chapter 6, Chasing a User’s Identity.
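The layered identity check described above, written out as an added example that is not code from the book: an assumed password policy as the first layer, a salted PBKDF2 hash check as the second, and a single-use, time-limited callback PIN as the MFA factor, with access granted only when both factors succeed. The phone callback is simulated by returning the PIN to the caller, and every name, parameter and the sample user here is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor for the password hash
PIN_TTL_SECONDS = 120     # assumed lifetime of a callback PIN


def password_meets_policy(password):
    """Layer 1: the 'strong password requirements' from the text.
    Assumed policy: at least 12 characters with lower, upper, digit and symbol."""
    return (len(password) >= 12
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class IdentityStore:
    """Per-user password hashes plus at most one pending callback PIN per user."""

    def __init__(self):
        self._users = {}     # username -> (salt, digest)
        self._pending = {}   # username -> (pin, expiry on the monotonic clock)

    def enroll(self, username, password):
        """Policy is enforced at enrolment, so weak passwords never reach the store."""
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def _verify_password(self, username, password):
        """Layer 2: constant-time comparison of stored and supplied digests."""
        record = self._users.get(username)
        if record is None:
            hash_password(password)   # same cost for unknown users (timing)
            return False
        salt, expected = record
        return hmac.compare_digest(expected, hash_password(password, salt)[1])

    def start_login(self, username, password):
        """First factor. On success, issue the single-use PIN that the callback
        would read to the user; it is returned here only because the call is
        simulated. Returns None on failure without saying which part failed."""
        self._pending.pop(username, None)   # any older PIN is invalidated
        if not self._verify_password(username, password):
            return None
        pin = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = (pin, time.monotonic() + PIN_TTL_SECONDS)
        return pin

    def complete_login(self, username, pin):
        """Second factor. The PIN is consumed on the first attempt whether or not
        it matches, must be unexpired, and is compared in constant time. Access
        is granted only when this and the password step both succeeded."""
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        expected, expiry = entry
        if time.monotonic() > expiry:
            return False
        return hmac.compare_digest(expected.encode(), pin.encode())


if __name__ == "__main__":
    store = IdentityStore()
    store.enroll("alice", "Correct-Horse-7!")   # constructed sample user
    pin = store.start_login("alice", "Correct-Horse-7!")
    print("first factor ok:", pin is not None)
    print("access granted:", store.complete_login("alice", pin))
    print("replay rejected:", not store.complete_login("alice", pin))
```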
Applications (we will call them apps from now on), are the entry point for the user to
consume data and to transmit, process, or store information onto the system. Apps are
evolving rapidly and the adoption of SaaS-based apps is on the rise. However, there are
inherited problems with this amalgamation of apps. Here are two key examples:
Security: How secure are these apps that are being developed …