Class log: Getting Started in Security with BHIS and MITRE ATT&CK, Day 4
Day 4 of the Antisyphon "Getting Started in Security" class had a LOT of material for a shorter session. Things are getting spicy.
Subject: Host-Based Firewalls
Host-based firewalls can be very effective for shutting down lateral movement. The practical win is blocking inbound SMB, RDP and WinRM on workstations from everything except the admin hosts that actually need them, so one compromised workstation cannot reach its peers. Something important to remember is to treat your internal network like it's hostile, because it is. It really is. Windows Firewall isn't great, but it's better than nothing and can be centrally managed (via Group Policy), which is a plus. Also, a lot of antivirus software has a built-in firewall; if you already have one, use it.
A stand-out quote from the class: "The Active Directory environment is a super highway for hackers."
Internet Allow Listing
- Doesn't have to be hard
- Denylists fail because the internet is too vast; users will not stop until they've clicked everything, and the list can never keep up
- Uncategorized: block this category as well. It covers sites the filter has never seen before, which is where freshly registered attacker domains show up
- Malware: allow listing isn't a complete defense, since you can still get compromised via a "legit" allowed site that has itself been compromised
DNS over HTTPS (DoH) blinds your network: clients send their lookups inside TLS to a public resolver instead of through your internal DNS, so your DNS logs and filtering no longer see where people are going. Not good.
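To make the two egress points above concrete (block anything uncategorized, and don't let DoH slip name lookups past your resolver), here is an added example that is not code from the class or from this post. It applies an allow-list decision to constructed proxy log lines and flags DoH traffic. The log line layout, the category catalog, the allowed-category set and the short list of public DoH resolvers are all assumptions made for the demo; the media type is the one RFC 8484 defines.

```python
"""Egress policy check over constructed proxy log lines.

Added example for this class log (not code from the class or the post): an
allow-list decision where anything uncategorized is blocked, plus a flag for
DNS-over-HTTPS (DoH) traffic, which would carry name lookups past the
internal resolver. The log line format, category catalog and DoH resolver
list below are assumptions made for the demo.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Categories the organization has chosen to allow (assumption). Everything
# else, including hosts the categorizer has never seen ("uncategorized"),
# is blocked.
ALLOWED_CATEGORIES = {"business", "software-updates", "search", "news"}

# A few well-known public DoH endpoints (assumption: an illustrative list,
# not an exhaustive one). Traffic here bypasses internal DNS logging
# regardless of how the host is categorized.
DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# RFC 8484 DoH carries wire-format DNS messages under this media type, so a
# request with it to any host is DoH even if the resolver is not on the list.
DOH_MEDIA_TYPE = "application/dns-message"


@dataclass
class Decision:
    client: str
    host: str
    action: str  # "allow" or "block"
    reason: str  # category name or "doh-bypass"


def categorize(host: str, catalog: dict[str, str]) -> str:
    """Look the host up in the catalog, then each parent domain, so
    www.example.com matches an entry for example.com. Unknown -> uncategorized."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in catalog:
            return catalog[candidate]
    return "uncategorized"


def decide(line: str, catalog: dict[str, str]) -> Decision:
    """Assumed log line layout: '<client_ip> <sni_host> <method> <content_type>'."""
    client, host, _method, content_type = line.split()
    host = host.lower()
    if host in DOH_HOSTS or content_type.lower() == DOH_MEDIA_TYPE:
        return Decision(client, host, "block", "doh-bypass")
    category = categorize(host, catalog)
    action = "allow" if category in ALLOWED_CATEGORIES else "block"
    return Decision(client, host, action, category)


def evaluate(log: str, catalog: dict[str, str]) -> list[Decision]:
    return [decide(line, catalog) for line in log.splitlines() if line.strip()]


def tally(decisions: list[Decision]) -> Counter:
    """Count decisions by (action, reason) for a quick report."""
    return Counter((d.action, d.reason) for d in decisions)


# Constructed catalog and log lines for the demo.
CATALOG = {
    "example.com": "business",
    "update.microsoft.com": "software-updates",
    "duckduckgo.com": "search",
    "totally-fine-downloads.example": "file-sharing",
}

SAMPLE_LOG = """
10.1.2.3 www.example.com GET text/html
10.1.2.3 update.microsoft.com GET application/octet-stream
10.1.2.4 brand-new-domain.example GET text/html
10.1.2.4 totally-fine-downloads.example GET application/zip
10.1.2.5 dns.google POST application/dns-message
10.1.2.5 some-resolver.example POST application/dns-message
"""

if __name__ == "__main__":
    decisions = evaluate(SAMPLE_LOG, CATALOG)
    for d in decisions:
        print(f"{d.action:5} {d.client:<10} {d.host:<34} {d.reason}")
    print(dict(tally(decisions)))
```

Note the last sample line: a resolver nobody has heard of still gets caught, because the decision looks at the DoH media type and not only at the host list. That is the check a practitioner wants, since clients can point DoH at any HTTPS endpoint.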
Vulnerability Management key points:
- About the same as it was 10+ years ago
- New focus on vulnerability prioritization, which is not a good methodology
- A low vulnerability is just one where there isn't an exploit available directly
- A lot of companies just focus on the critical ones
- Most orgs address vulnerabilities by IP address, fixing them ONE host at a time
- Focus on grouping by vulnerability, not by IP: one fix (a GPO change, a package update) applied across every affected host clears the finding everywhere, instead of one ticket per host
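To show what "group by vulnerability, not by IP" changes in practice, here is an added example that is not code from the class or from this post. The findings are constructed (hypothetical hosts and check names standing in for a scanner export). It builds both views from the same data and counts how many work items each one produces; the per-vulnerability list is ordered by how many hosts a finding touches, with severity only as a tie-breaker, which is the class's point. Swap the sort keys if your policy is severity-first.

```python
"""Scan findings grouped by vulnerability instead of by host.

Added example for this class log (not code from the class or the post). The
findings are constructed: hypothetical hosts and check names standing in for
a scanner export. The point is how many pieces of work each view produces.
"""
from __future__ import annotations

from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed findings: (host, check name, severity).
FINDINGS = [
    ("10.0.0.11", "smb-signing-not-required", "medium"),
    ("10.0.0.12", "smb-signing-not-required", "medium"),
    ("10.0.0.13", "smb-signing-not-required", "medium"),
    ("10.0.0.14", "smb-signing-not-required", "medium"),
    ("10.0.0.11", "outdated-openssl", "high"),
    ("10.0.0.12", "outdated-openssl", "high"),
    ("10.0.0.11", "self-signed-certificate", "low"),
    ("10.0.0.13", "self-signed-certificate", "low"),
    ("10.0.0.14", "self-signed-certificate", "low"),
    ("10.0.0.20", "anonymous-ftp-login", "critical"),
]


def by_host(findings):
    """The per-IP view: a ticket per (host, check) pair, host by host."""
    groups = defaultdict(list)
    for host, check, _sev in findings:
        groups[host].append(check)
    return {h: sorted(c) for h, c in sorted(groups.items())}


def by_vulnerability(findings):
    """The per-vulnerability view: one work item per distinct check, ordered
    by how many hosts it affects, with severity as the tie-breaker. Fixing the
    top item once (a GPO, a package update) clears it on every affected host."""
    hosts = defaultdict(set)
    severity = {}
    for host, check, sev in findings:
        hosts[check].add(host)
        severity[check] = sev
    items = [(check, severity[check], sorted(hosts[check])) for check in hosts]
    items.sort(key=lambda item: (-len(item[2]), -SEVERITY_RANK[item[1]], item[0]))
    return items


def work_items(findings):
    """(tickets under the per-IP view, tickets under the per-vulnerability view)."""
    per_ip = sum(len(checks) for checks in by_host(findings).values())
    return per_ip, len(by_vulnerability(findings))


if __name__ == "__main__":
    for check, sev, hosts in by_vulnerability(FINDINGS):
        print(f"{len(hosts):2} hosts  {sev:8} {check}  ({', '.join(hosts)})")
    print("work items by IP vs by vulnerability:", work_items(FINDINGS))
```

On this sample the per-IP view is ten tickets across five hosts; the per-vulnerability view is four items, and the first one (SMB signing) covers four hosts with a single configuration change.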
Where and when to test your environment and with what:
- Tools should be run every build cycle: nightly if possible, weekly at minimum
- Zed Attack Proxy (free)
- Nikto (free)
- Burp, highly recommended
Lab: Web Testing. Stood up a simple Python web server and a web server running Damn Vulnerable Web App (DVWA), then used OWASP ZAP to look for vulnerabilities.
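Running ZAP every build only pays off if the result can fail the build, so here is an added example of that gate. It is not code from the class, from this post, or from the ZAP project. It assumes the traditional ZAP JSON report layout (site[].alerts[], each alert carrying a "riskcode" of 0 to 3 and an "instances" list); confirm that against your ZAP version. The embedded report is constructed for the demo, and the paths in it are placeholders.

```python
"""Build gate over an OWASP ZAP JSON report.

Added example for this class log (not code from the post or from ZAP): reads
a JSON report (assumption: the traditional report layout with site[].alerts[],
where each alert has a "riskcode" of 0-3 and an "instances" list; confirm
against your ZAP version) and fails the build when an alert at or above the
chosen risk level is present. The embedded report is constructed for the demo.
"""
from __future__ import annotations

import json
import sys

RISK_NAMES = {0: "informational", 1: "low", 2: "medium", 3: "high"}

# Constructed report in the shape described above (placeholder paths).
SAMPLE_REPORT = {
    "@version": "2.x",
    "site": [
        {
            "@name": "http://127.0.0.1:8000",
            "alerts": [
                {"name": "SQL Injection", "riskcode": "3",
                 "instances": [{"uri": "http://127.0.0.1:8000/items?id=1"},
                               {"uri": "http://127.0.0.1:8000/report?id=1"}]},
                {"name": "Cross Site Scripting (Reflected)", "riskcode": "3",
                 "instances": [{"uri": "http://127.0.0.1:8000/greet?name=x"}]},
                {"name": "Absence of Anti-CSRF Tokens", "riskcode": "2",
                 "instances": [{"uri": "http://127.0.0.1:8000/login"}]},
                {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
                 "instances": [{"uri": "http://127.0.0.1:8000/"}]},
            ],
        }
    ],
}


def collect_alerts(report: dict) -> list[dict]:
    """Flatten site[].alerts[] into simple records."""
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", "?"),
                "name": alert.get("name") or alert.get("alert", "?"),
                "risk": int(alert.get("riskcode", 0)),
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def gate(report: dict, fail_at: int = 3,
         accepted: frozenset[str] = frozenset()) -> tuple[bool, list[dict]]:
    """Return (passed, failing alerts). 'accepted' names alerts that have been
    signed off as accepted risk; they are still listed but do not fail the build."""
    failing = [a for a in collect_alerts(report)
               if a["risk"] >= fail_at and a["name"] not in accepted]
    return (not failing, failing)


def main(argv: list[str]) -> int:
    """Usage: gate.py [report.json] [fail_at]; with no args, runs the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fail_at = int(argv[2]) if len(argv) > 2 else 3
    level = RISK_NAMES.get(fail_at, str(fail_at))
    passed, failing = gate(report, fail_at)
    for a in collect_alerts(report):
        risk = RISK_NAMES.get(a["risk"], str(a["risk"]))
        print(f"{risk:13} {a['instances']:3}x  {a['name']}  [{a['site']}]")
    if passed:
        print(f"gate passed: no alerts at or above '{level}'")
        return 0
    print(f"gate FAILED: {len(failing)} alert(s) at or above '{level}'")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire `python gate.py report.json 3` into the pipeline step that runs after `zap-baseline`/`zap-full-scan` has written the report; the non-zero exit is what stops the build. The accepted-risk set is deliberately a name list you have to populate on purpose, so a finding only stops failing the build after someone decides it should.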