Advanced Cyber Security Operations

19-09-2022

Introduction

The Advanced Cyber Security Operations module was designed to challenge our ability to analyze real-world cyber attacks, identify attack vectors, and apply mitigation strategies. The module focused on understanding how cybercriminals operate, including various techniques like SQL injection, ARP poisoning, Cross-Site Scripting (XSS), and social engineering.

Key Concepts Covered:

  • Threat & Intrusion Analysis: We learned how to identify and analyze potential threats and intrusions in a system. The ability to recognize signs of compromise is critical in preventing attacks and limiting damage once an incident has occurred.

  • Incident Response & Mitigations: This area taught us how to respond to cyber incidents, from detecting intrusions to containing and mitigating the attack. We explored best practices for handling security incidents and minimizing their impact on an organization.

  • Attack Vectors: We analyzed various attack vectors that hackers use to gain access to systems, including both digital exploits and social engineering techniques.

  • Network Analysis: This included examining PCAP (Packet Capture) files to understand network traffic and identify suspicious activity. Network analysis is essential for detecting attacks in progress and understanding the tactics used by attackers.

  • Social Engineering: In addition to digital attacks, we explored social engineering, where attackers manipulate people to gain access to confidential information. We learned about common social engineering tactics and how to defend against them.


PCAP Analysis and Attack Simulation:

In one of the key exercises of this module, we analyzed a PCAP file that simulated a cyber attack on a company's system. The scenario included several types of attacks:

  1. SQL Injection: A classic attack method where the attacker injects malicious SQL code into a vulnerable application form to manipulate the database.
  2. ARP Poisoning: An attack that targets the network layer to intercept and manipulate traffic between devices on a local network.
  3. Cross-Site Scripting (XSS): A vulnerability that allows an attacker to inject malicious scripts into a webpage, potentially compromising users' sessions and data.
  4. Social Engineering: This part of the simulation involved a threat actor physically entering the office and stealing login credentials, granting unauthorized access to confidential financial data.

[Figure: AdvancedSecOpsMitigations.png]

These attacks demonstrated how an attacker could commit offences under Sections 1 and 2 of the Computer Misuse Act 1990:

  • Section 1: Unauthorized access to computer material.
  • Section 2: Further offenses committed after gaining unauthorized access.

After analyzing the attacks, we discussed various mitigation strategies to prevent similar attacks in real-world scenarios. These strategies included improving web application security, network monitoring, and employee training to avoid falling for social engineering schemes.
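One way to turn the ARP poisoning part of that PCAP analysis into a repeatable network-monitoring check, as an added example rather than code from the module or its exercise: given ARP replies parsed from a capture, flag any IP claimed by more than one MAC (the condition Wireshark reports as a duplicate IP address), any MAC claiming several IPs, and the moment a binding first changed. The records, addresses and function names are constructed for illustration.

```python
"""ARP poisoning indicators over a list of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture timestamp, seconds
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # MAC address it binds to that IP
    target_ip: str

# Constructed sample data, not frames from the module's PCAP. aa:..:01 is the
# gateway 10.0.0.1, bb:..:50 is workstation 10.0.0.50; from t=5 a third host,
# cc:..:99, claims both addresses so traffic between them flows through it.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.50"),
    ArpReply(0.5, "10.0.0.50", "bb:bb:bb:bb:bb:50", "10.0.0.1"),
    ArpReply(5.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.50"),
    ArpReply(5.0, "10.0.0.50", "cc:cc:cc:cc:cc:99", "10.0.0.1"),
    ArpReply(7.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.50"),
    ArpReply(7.0, "10.0.0.50", "cc:cc:cc:cc:cc:99", "10.0.0.1"),
]

def ip_mac_conflicts(replies):
    """Every IP claimed by more than one MAC -> sorted list of those MACs."""
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_ip].add(r.sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def multi_ip_macs(replies, min_ips=2):
    """MACs claiming >= min_ips distinct IPs: one interface, many identities."""
    ips = defaultdict(set)
    for r in replies:
        ips[r.sender_mac].add(r.sender_ip)
    return sorted(mac for mac, s in ips.items() if len(s) >= min_ips)

def first_binding_change(replies):
    """(ts, ip, old_mac, new_mac) for the earliest time an IP switched MAC,
    or None; this gives incident response a start point for the timeline."""
    seen = {}
    for r in sorted(replies, key=lambda x: x.ts):
        prev = seen.setdefault(r.sender_ip, r.sender_mac)
        if prev != r.sender_mac:
            return (r.ts, r.sender_ip, prev, r.sender_mac)
    return None

if __name__ == "__main__":
    print(ip_mac_conflicts(SAMPLE_REPLIES), first_binding_change(SAMPLE_REPLIES))
```

A legitimate DHCP lease change also produces a single binding change, so the conflict list should be read against the DHCP server's logs before treating it as an incident.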


Key CVEs Studied:

In addition to the simulated attack scenario, I researched several real-world Common Vulnerabilities and Exposures (CVEs) that provide valuable insights into attack techniques. Some notable CVEs studied include:

  • CVE-2022-30998 (WooCommerce Plugin SQL Injection): A vulnerability in a popular e-commerce plugin that allowed attackers to inject malicious SQL code into a website's database, potentially compromising customer data and system integrity.

  • CVE-2019-11354 (Origin Client Application Remote Code Injection): This CVE described a vulnerability in the Origin client application, where attackers could exploit the flaw to execute arbitrary code on a victim’s machine, giving them control over the system.

  • CVE-2019-0227 (Apache Axis Server-Side Request Forgery): This CVE highlighted a vulnerability in Apache Axis, a web service framework, where attackers could manipulate the server to make unauthorized requests, potentially exposing sensitive internal resources.

By studying these CVEs, I gained practical knowledge about real-world vulnerabilities, attack techniques, and their mitigations. This understanding is crucial for staying proactive in defending against emerging threats in the cybersecurity field.


Key Tools Used:

  • Wireshark: We used Wireshark to analyze the PCAP files generated during the attack simulation. Wireshark helped us understand the network traffic involved in the attack, making it a valuable tool for detecting and analyzing network intrusions.

  • Metasploit: Metasploit was used for simulating attacks like SQL injection and XSS in a controlled environment. It provided us with the ability to test vulnerabilities in systems and see how attackers could exploit them.

  • Burp Suite: This tool was essential for testing web application security, specifically for identifying and exploiting SQL injection and XSS vulnerabilities in the web application.

  • Nmap: Nmap was used for network mapping and vulnerability scanning. It allowed us to discover open ports, services, and potential vulnerabilities in the simulated attack environment.

  • Social Engineering Toolkit (SET): The SET tool helped us simulate social engineering attacks, such as phishing emails and credential harvesting, allowing us to understand the various tactics used by attackers.


Practical Insights:

The Advanced Cyber Security Operations module gave me a deeper understanding of the various attack techniques employed by cybercriminals and the tools available to defend against them. The hands-on experience with analyzing PCAP files, performing incident response, and researching real-world CVEs was incredibly valuable.

We also gained a greater appreciation for the role of social engineering in cyber attacks. While technical vulnerabilities are often the focus, human error and manipulation can play just as significant a role in compromising security. Understanding how attackers exploit human behavior is key to designing effective defense strategies.


Conclusion:

This module has greatly enhanced my ability to detect, analyze, and mitigate cyber threats in real-world environments. The combination of digital attack simulations and research into CVEs provided practical experience in both offensive and defensive cybersecurity techniques. As I continue to develop my cybersecurity skills, this module has given me the foundation to tackle complex security challenges in the rapidly evolving threat landscape.


Sources:

  • None