Thursday, April 7, 2022

Cybersecurity Future Jobs:



Index: 

1. Roles 
2. Responsibilities 
3. Reactions 
4. Remediation 
5. Gaps 
6. Best Practices

Roles: Drawing from my experience, I have progressed from an analyst to senior roles. My past experiences and acquired tool skills have taught me that analysis is an ongoing process. The transition from a physically handled Incident Response procedure to a tool-based one has been a significant shift. Consequently, my previous experiences have proven invaluable in assisting current analysts.

Responsibilities: A few years ago, our dependency on other departments for accurate logs meant relying heavily on SIEM collections. However, beyond activity confirmation, we often had to wait for IT or users to confirm their actions, particularly during our early analysis days.

Reactions: Many critical and non-critical devices were isolated due to uncertainty about what had occurred on them. The suspicion that a hacker might have dropped a bot on a device prompted such precautions.

Gaps: There was a notable gap in tracking exact attack records between human analysis and device-based analysis. However, recent developments, especially with the implementation of AI or ML playbooks, have significantly improved accuracy in identifying executions. This includes details such as when an incident occurred and what was executed on the host machine, with Host-based Intrusion Detection Systems (HIDS) proving more effective nowadays.

Best Practices: Utilizing AI playbooks can effectively prevent future cyber-attacks, reducing the need for extensive human intervention in handling SOC alerts. Achieving 24/7 operations with a team of just 9 members is feasible, provided the company is willing to invest in effective tools. 

As a metaphorical extension: just as someone in a household should be trained to provide basic medical aid, one person in a household should be a cybersecurity analyst.

Thursday, September 5, 2019

Cyber Hunting Techniques

What is Cyber Security Hunting & how will it benefit the organization?

Hunting: The search for an unnoticed threat that may be lying in the intranet. A threat hunter applies logical techniques to capture a threat or a vulnerability. In this way we identify a prior exploitation or stop future attacks.

Hunter Tools: The hunter applies his or her own logic to unearth bots and vulnerabilities, but also needs external intel.

The logic here is: a person applying only their own reasoning will certainly take time to dig out the bot; with input from external intel sources as well, identification takes much less time.

7/10/20

Hunting Topic & IOCs
HEH, a new IOT P2P Botnet going after weak telnet services
https://blog.netlab.360.com/heh-an-iot-p2p-botnet/

The HEH botnet samples we captured were originally downloaded and executed by a malicious shell script named wpqnbw.txt.
The malicious scripts and binaries are hosted on the pomf.cat site (note: pomf.cat is a legitimate website, don't block it). The beginning of wpqnbw.txt (the subsequent content is similar):

Universal Declaration of Human Rights

The HTTP server's initial state serves 10 URIs, :80/0 through :80/9, which return the Universal Declaration of Human Rights in 8 languages plus 2 empty pages. For example, :80/0 returns the Chinese version of the "Universal Declaration of Human Rights".

This article focuses on the UDP service component of the HEH botnet. This component has two key functions: UDP service port number generation and command parsing.

Communication module: Telnet service brute-force cracking

After the bot runs the P2P module, it executes a brute-force task against the Telnet service on ports 23 and 2323 in parallel, and thereby completes its own propagation.

In other words, if a Telnet service is open on port 23 or 2323, the bot attempts a brute-force login using a dictionary of 171 usernames and 504 passwords. On a successful break-in, the newly infected victim is added to the botnet, thereby amplifying it.
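As an added example (not netlab's code, and not part of their write-up), the following Python detection logic runs over constructed honeypot-style Telnet login records and flags the pattern described above: one source trying many distinct username/password pairs against ports 23 and 2323 inside a short window. The record format, the addresses, the threshold and the window are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot-style records (assumed format for this example; addresses are documentation ranges).
SAMPLE_LOG = """\
2020-10-07T03:11:02Z telnet src=203.0.113.5 dport=23 user=root pass=root result=fail
2020-10-07T03:11:03Z telnet src=203.0.113.5 dport=23 user=root pass=admin result=fail
2020-10-07T03:11:03Z telnet src=203.0.113.5 dport=2323 user=admin pass=admin result=fail
2020-10-07T03:11:04Z telnet src=203.0.113.5 dport=23 user=root pass=123456 result=fail
2020-10-07T03:11:05Z telnet src=203.0.113.5 dport=2323 user=root pass=vizxv result=fail
2020-10-07T03:11:06Z telnet src=203.0.113.5 dport=23 user=support pass=support result=fail
2020-10-07T03:11:07Z telnet src=203.0.113.5 dport=23 user=admin pass=1234 result=success
2020-10-07T03:12:00Z telnet src=198.51.100.7 dport=23 user=pi pass=raspberry result=fail
2020-10-07T03:40:00Z telnet src=198.51.100.7 dport=23 user=pi pass=raspberry result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)
TELNET_PORTS = {23, 2323}   # the two ports HEH brute-forces


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources that try at least `threshold` distinct username/password pairs against Telnet ports
    inside any `window`. Counting distinct pairs rather than raw failures separates a dictionary run
    from a user mistyping one password repeatedly."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in TELNET_PORTS:
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(recs)):                      # sliding window over time-ordered attempts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({(r["user"], r["pw"]) for r in recs[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = {
                "ports": sorted({r["dport"] for r in recs}),
                "attempts": len(recs),
                "distinct_creds": len({(r["user"], r["pw"]) for r in recs}),
                "success": any(r["result"] == "success" for r in recs),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

On the sample records the first source is flagged (seven distinct pairs across both ports inside six seconds, ending in a success, which is the point at which the device has joined the botnet and should be isolated), while the second source, repeating one password twice half an hour apart, is not.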

SHA256:
6d7502228afe0a56e13e40ae67b2a1d3aab0a3aa1411e2fc3d6d4e674e940d16

MD5:
95199e8f1ab987cd8179a60834644663
4c345fdea97a71ac235f2fa9ddb19f05
66786509c16e3285c5e9632ab9019bc7
6be1590ac9e87dd7fe19257213a2db32
6c815da9af17bfa552beb8e25749f313
984fd7ffb7d9f20246e580e15fd93ec7
bd07315639da232e6bb4f796231def8a
c1b2a59f1f1592d9713aa9840c34cade
c2c26a7b2a5412c9545a46e1b9b37b0e
43de9c5fbab4cd59b3eab07a81ea8715
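The hunt the 2019 post above describes (applying external intel to find bots faster) can be run against this list directly. Below is an added example, not netlab's tooling: a Python sweep that hashes every regular file under a directory and reports any whose MD5 or SHA256 is in the indicator set. The indicator values are copied from the list above; the directory, the size cap and the self-test file are constructed for the example.

```python
import hashlib
import os
import tempfile

# Indicators copied from the HEH list above: one SHA256 (64 hex chars) and ten MD5s (32 hex chars).
HEH_IOCS = {
    "6d7502228afe0a56e13e40ae67b2a1d3aab0a3aa1411e2fc3d6d4e674e940d16",
    "95199e8f1ab987cd8179a60834644663",
    "4c345fdea97a71ac235f2fa9ddb19f05",
    "66786509c16e3285c5e9632ab9019bc7",
    "6be1590ac9e87dd7fe19257213a2db32",
    "6c815da9af17bfa552beb8e25749f313",
    "984fd7ffb7d9f20246e580e15fd93ec7",
    "bd07315639da232e6bb4f796231def8a",
    "c1b2a59f1f1592d9713aa9840c34cade",
    "c2c26a7b2a5412c9545a46e1b9b37b0e",
    "43de9c5fbab4cd59b3eab07a81ea8715",
}


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, streamed so large files are not loaded into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, iocs=HEH_IOCS, max_size=64 << 20):
    """Walk `root` and return [(path, matched_digest)] for regular files whose MD5 or SHA256 is in `iocs`.
    Symlinks and files above `max_size` (an assumed cap for this example) are skipped; unreadable files are ignored."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                digests = file_digests(path)
            except OSError:
                continue
            hits.extend((path, d) for d in digests if d in wanted)
    return hits


def demo():
    """Self-test on a constructed file: its own MD5 is added to the indicator set so the sweep has something to find.
    The file name echoes the dropper described above; the content is made up and is not the real script."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "wpqnbw.txt")
        with open(sample, "wb") as f:
            f.write(b"#!/bin/sh\n# constructed placeholder, not the HEH dropper\n")
        md5, _ = file_digests(sample)
        return [(os.path.basename(p), d) for p, d in sweep(tmp, HEH_IOCS | {md5})]


if __name__ == "__main__":
    print(demo())
```

A hash sweep only catches the exact samples in the list; a rebuilt binary or an edited script will not match, which is why the Telnet brute-force behaviour above is the more durable thing to hunt for.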

Thursday, May 25, 2017

Cyber-Combat


Challenging cybersecurity monitoring: pre-existing use cases and rule-based conditions are not sufficient to capture new-model threat actors. A smart threat hunter is more important than the tools. Attacker scenarios have been changing from attack to attack; the reason, I believe, is the vast amount of code and free tools available on the web. It will be much more challenging in the future.


Upatre: This Trojan propagates through spam emails. The attackers may include links to the malware in the emails, embed the malware in attached files, or hide it in attached password-protected archives. The malware usually disguises itself with the icon of a legitimate file type, such as an Adobe Acrobat or Reader document.

DDoS Attack on  DNS Provider disrupts Okta, Twitter, Pinterest, Reddit, CNN, Others

A brief but widespread attack illuminated the vulnerability of the internet's Domain Name System (DNS) infrastructure. A major distributed denial of service (DDoS) attack on the DNS provider Dyn on 21 October 2016, in the early morning hours on the US East Coast, disrupted major websites including Okta and CNN and provided a grim reminder of the vulnerability of a key element of the internet's infrastructure.

Sinkhole Attack on Wireless Sensor Networks (WSN): A sinkhole attack is a type of attack where a compromised node tries to attract network traffic by advertising fake routing updates. One impact of a sinkhole attack is that it can be used to launch other attacks such as selective forwarding, acknowledgement spoofing, and dropping or altering routing information.

   Attack on the MintRoute protocol: a compromised node advertises an always-low metric (hop count or route cost) to its neighbours, in effect asking the other nodes to route their traffic through it because it is "idle".

MintRoute is a routing protocol commonly used in wireless sensor networks; it was designed specifically for them. It is lightweight and suited to sensor nodes that have minimal storage, low computation power and a limited power supply. MintRoute uses link quality as the metric for choosing the best route on which to send packets to the base station.

  Insider attacks and outsider attacks are the two categories of attack in a wireless sensor network. An outsider attack is one where the intruder is not part of the network. In an insider attack the intruder compromises one of the legitimate nodes, through node tampering or through a weakness in its system software; the compromised node then listens to secret information and injects false information into the network. An insider attack can disrupt the network by modifying routing packets. Through the compromised node, a sinkhole attack attracts nearly all the traffic from a particular area after making that node attractive to the other nodes.

  The fact is that the compromised node possesses adequate access privileges in the network and has knowledge of valuable information about the network topology, which makes detection challenging. In that situation even cryptography cannot defend against an insider attack, although it provides integrity, confidentiality and authentication. Therefore the internal attack has a more serious impact on the victim system than the outsider attack.
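To make the sinkhole concrete, here is an added example in Python (not from the cited paper and not MintRoute's implementation): a small simulation of a MintRoute-style routing tree in which each node picks as parent the neighbour with the cheapest advertised cost to the base station, the cost being the sum of 1/link-quality along the path. A compromised node then advertises a cost of 0, the tree re-converges, and the code reports which nodes now route through it, how much data the base still receives if that node drops everything it captures (selective forwarding), and a plausibility check on advertisements that is my illustration, not the paper's detection method. The topology, link qualities and node numbers are constructed.

```python
"""MintRoute-style sinkhole simulation (added example; constructed topology, not MintRoute itself)."""

BASE = 0        # base station
SINKHOLE = 5    # constructed: the compromised node

# Constructed symmetric links: (a, b, link quality in (0, 1]). Route cost = sum of 1/quality,
# an ETX-style reading of MintRoute's link-quality metric.
EDGES = [
    (0, 1, 0.9), (0, 2, 0.9), (1, 3, 0.8), (2, 4, 0.8), (1, 5, 0.3),
    (3, 5, 0.7), (4, 5, 0.7), (5, 6, 0.9), (5, 7, 0.9), (3, 6, 0.5), (6, 8, 0.8),
]


def build_links(edges):
    links = {}
    for a, b, q in edges:
        links.setdefault(a, {})[b] = q
        links.setdefault(b, {})[a] = q
    return links


LINKS = build_links(EDGES)


def build_tree(links, fake_adverts=None):
    """Relax 'parent = neighbour with the cheapest advertised cost to the base' until stable.
    fake_adverts maps a lying node to the cost it advertises; that node is not re-routed itself
    (the attacker does not care where its own packets go), everyone else believes the lie."""
    fake_adverts = fake_adverts or {}
    cost = {n: float("inf") for n in links}
    parent = {n: None for n in links}
    cost[BASE] = 0.0

    def advertised(n):
        return fake_adverts.get(n, cost[n])

    changed = True
    while changed:
        changed = False
        for n in links:
            if n == BASE or n in fake_adverts:
                continue
            best_parent, best_cost = None, float("inf")
            for nb, q in links[n].items():
                c = advertised(nb) + 1.0 / q
                if c < best_cost - 1e-9:      # strict improvement only, so ties keep the first neighbour
                    best_parent, best_cost = nb, c
            if best_parent != parent[n] or abs(best_cost - cost[n]) > 1e-9:
                parent[n], cost[n] = best_parent, best_cost
                changed = True
    return parent, cost


def route(parent, src, stop):
    """Follow parent pointers from src until the base or `stop` (where a sinkhole would capture the packet)."""
    path = [src]
    while path[-1] not in (BASE, stop):
        nxt = parent[path[-1]]
        if nxt is None or nxt in path:
            raise RuntimeError(f"no route or loop from {src}: {path}")
        path.append(nxt)
    return path


def captured_by(parent, sinkhole):
    """Nodes whose data passes through `sinkhole` on its way to the base."""
    return sorted(n for n in parent if n not in (BASE, sinkhole)
                  and route(parent, n, sinkhole)[-1] == sinkhole)


def delivery_ratio(parent, sinkhole):
    """Share of senders still reaching the base if `sinkhole` drops every packet it captures."""
    senders = [n for n in parent if n not in (BASE, sinkhole)]
    delivered = sum(route(parent, n, sinkhole)[-1] == BASE for n in senders)
    return delivered / len(senders)


def implausible_adverts(links, advertised):
    """Illustrative plausibility check (mine, not the paper's method): a node cannot legitimately be
    cheaper than min over its neighbours of (neighbour's advertised cost + 1/link quality)."""
    flagged = []
    for n in links:
        if n == BASE:
            continue
        bound = min(advertised[nb] + 1.0 / q for nb, q in links[n].items())
        if advertised[n] < bound - 1e-9:
            flagged.append(n)
    return flagged


def simulate(links=LINKS, sinkhole=SINKHOLE):
    honest, honest_cost = build_tree(links)
    attacked, attacked_cost = build_tree(links, fake_adverts={sinkhole: 0.0})
    return {
        "honest_captured": captured_by(honest, sinkhole),
        "attack_captured": captured_by(attacked, sinkhole),
        "honest_delivery": delivery_ratio(honest, sinkhole),
        "attack_delivery": delivery_ratio(attacked, sinkhole),
        "honest_flagged": implausible_adverts(links, honest_cost),
        "attack_flagged": implausible_adverts(links, {**attacked_cost, sinkhole: 0.0}),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

In the constructed topology only one node routes through node 5 before the attack; after it advertises a cost of 0, five of the seven other nodes do, and delivery to the base drops from 6/7 to 2/7 once it discards what it captures. The plausibility check needs a vantage point that hears every node's advertisement together with honest link estimates, and an attacker advertising a cost only slightly below its true one would slip under it, which is the detection difficulty the paragraph above describes.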


https://arxiv.org/ftp/arxiv/papers/1505/1505.01941.pdf

IntSights (Israel): cyber security awareness news and actions, focused more on incident investigation than on incident research. As per WikiLeaks, Vault 7 is the series of leaked CIA hacking tools.