Interview
TODO
- [ ] TCP/IP Model
- [ ] Access Control Models
- [ ] OSI Model
- [ ] EDR
- [ ] Recent CVE -> CVE-2024-3400 -> GlobalProtect (Palo Alto Networks)
QA
CrowdStrike
- Goal: We stop breaches!
Falcon Platform
- Endpoint Security
- Next-Gen Antivirus
- Endpoint Detection & Response
- Device Control
- Security Platform
- IT Hygiene
- Threat Hunting
- Vulnerability Management
- Threat Intelligence
- Intelligence Automation
- Malware Search
- Malware Analysis
Endpoint Security
- Cybersecurity approach to defending endpoints such as desktops, laptops, and mobile devices from malicious activity.
- An endpoint is any device that connects to the corporate network from outside its firewall.
- Endpoint Protection Platform:
- Solution used to detect & prevent security threats like file-based malware attacks
- Provides investigation & remediation capabilities needed to respond to dynamic security incidents & alerts.
- Endpoint Security is necessary because every remote endpoint can be an entry point for an attack
- Working:
- Examines files, processes & system activity for suspicious or malicious indicators
- Offers a centralized management console from which administrators can monitor, protect, investigate & respond to incidents
- Benefits:
- Endpoint Protection
- Identity Protection
- Threat Detection & Response
- Core Functions
- Next-Gen Anti-Virus (NGAV) (Prevention)
- Traditional AV compares malicious signatures, or bits of code, against a database that is updated by contributors whenever a new malware signature is detected.
- But unknown malware cannot be identified using that database.
- NGAV closes this gap by using advanced endpoint protection technologies such as AI & ML to identify new malware, examining more elements such as file hashes, URLs & IP addresses.
- Endpoint Detection & Response (EDR) (Detection)
- Silent Failure: Allows attackers to access an organization's environment without detection
- To prevent silent failures, an EDR solution provides continuous & comprehensive visibility into what is happening on endpoints in real time.
- Managed Threat Hunting:
- Conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data & provide guidance on how best to respond when malicious activity is detected
- Threat Intelligence Integration:
- Provides automation to investigate all incidents & gain knowledge in minutes
- It should generate custom indicators of compromise directly from endpoints to enable a proactive defense.
- Types of Endpoint Protection:
- Legacy Endpoint Protection: On-Premises security framework that operates in conjunction with a locally hosted data center
- Hybrid Endpoint Protection: Legacy + Cloud
- Cloud-Native Endpoint Protection: Cloud-based solution, Network administrators can remotely monitor & manage all endpoints through a centralized management console & lightweight agent
- Challenges:
- Diversity of Devices
- High Volume of alerts
- Advanced Persistent Threats (APT)
- Key Aspects:
- Endpoint Visibility: View activities on endpoints
- Threat Database: Signs of attacks, analyzed with a variety of analytic techniques
- Behavioral Protection: Search for indicators of attack (IOAs)
- Insight & Intelligence: Threat Intelligence can provide context
- Fast Response: Fast & Accurate Response
- Cloud-Based Solution: Manage & monitor in cloud
Security Platform:
- IT Hygiene:
- Provides real time & historical visibility into your assets & applications
- Identify rogue computers
- Gets an accurate inventory of the systems in your environment, software they are running & user accounts.
- Threat Hunting:
- Threat Hunting is the practice of proactively searching for cyber threats that are present but undetected in a network
- Methodology:
- Threat Hunters assume that adversaries are already in the system
- Hypothesis Based Investigation: Identify Tactics, Techniques & Procedures (TTPs)
- Investigation based on Indicators of Compromise / Attack (IOCs or IOAs)
- Advanced Tactics & ML investigations: Use ML to analyze massive data
- Vulnerability Management:
- Ongoing, Regular process of identifying, assessing, reporting, managing & remediating security vulnerabilities across endpoints, workloads & systems
- Concepts:
- Vulnerability: A weakness of an asset
- Threat: Something that can exploit the vulnerability
- Risk: What happens when a threat exploits the vulnerability
Threat Intelligence:
- Automated Intelligence:
- Uses data analytics & AI/ML algorithms to analyze, predict & respond to cyber threats, enriching telemetry with high-quality threat intelligence
- Systems can learn from data, identify patterns & make decisions with minimal human input.
- Malware Search:
- Process of understanding the behavior & purpose of a suspicious file or URL
- Static Analysis: Examines the file for signs of malicious intent without executing it
- Dynamic Analysis: Executes the malicious code in a safe, isolated environment called a sandbox
- Hybrid Analysis: Static + Dynamic
Security Controls
- Measure / Mechanism implemented to reduce the risk of threats
- Preventive, Detective, Compensating, Corrective, Administrative
- Information Lifecycle:
- Creation, Storage, Processing, Transmission, Disposal
- Information Security Governance:
- Framework, Processes & structures that an organization implements to ensure information security
- Secure a server
- Update & Patch
- Configure Firewall
- Ensure Port Security
- Why insider threats are easy
- Insider Knowledge
- Legitimate Access
- Insufficient Monitoring & Controls
- Deleted Data
- The OS removes the file's entry from the file system index, but the actual data remains intact until it is overwritten by new data
- Chain of Custody
- Tracking of handling, transfer & preservation of digital evidence throughout its lifecycle
- Ports
- Filtered Ports: Protected by Firewall
- Closed Ports: Not actively listening
- Cloud Security Challenges
- Misconfiguration
- Poor Authentication Controls
- Poor API Implementation
- DDoS
- Data Loss
- Open S3 Buckets
- Lambda Command Injection
- OSI Model
- Physical: Transmits raw bits over physical medium
- Data Link: Responsible for framing data into frames & adding physical addresses to frames
- Network: Responsible for routing packets from source to destination across multiple networks
- Transport: Responsible for end-to-end communication between hosts, providing reliable & ordered delivery of data packets.
- Session: Responsible for establishing, managing & terminating sessions between applications
- Presentation: Responsible for data translation, encryption & compression to ensure integrity & confidentiality
- Application: Provides network services to end users such as HTTP, SMTP, FTP, etc.
- CSRF
- Vulnerability that allows an attacker to trick a user into executing unintended actions
- Defenses: CSRF tokens, SameSite cookies, Referer header validation, anti-CSRF header
- Malware
- Trojans
- Ransomware
- Botnets
- Worms
- Spyware
- Keyloggers
- Fileless Virus
- XSS
- Attackers inject malicious scripts into web pages viewed by other users
- IDOR -> Insecure Direct Object Reference
- NIST Cybersecurity Framework:
- Helps businesses understand, manage & reduce their cybersecurity risk & protect their networks & data
- Identify, Protect, Detect, Respond, Recover