Index
A
- access escalation / Access and privilege escalation
- accessibility features
  - exploiting / Exploiting accessibility features
- access token manipulation / Access token manipulation
- Active Directory (AD) / Active Directory
- Advanced Threat Analytics (ATA) / Behavior analytics on-premises
- Aircrack-ng / Aircrack-ng, Aircrack-ng
- alerts
  - avoiding / Avoiding alerts, Avoiding alerts
- Alternate Data Streams (ADS) / Avoiding alerts
- anomaly-based detection / Anomaly-based detection
- applications
  - about / The current threat landscape
  - security / Apps
  - company-owned, versus personal apps / Apps
- application shimming / Application shimming
- application whitelisting / Application whitelisting
- ArcSight Enterprise Security Manager (ESM) / Risk assessment tools
- assault / Assault
- asset inventory / Asset inventory
- asset inventory tools
  - about / Asset inventory tools
  - peregrine tools / Peregrine tools
  - LANDesk Management Suite / LANDesk Management Suite
  - StillSecure / StillSecure
  - Foundstone's Enterprise / Foundstone's Enterprise
- Azure Security Center / Azure Security Center, Azure Security Center
- Azure Virtual Network (VNET) / Hybrid cloud network security
B
- backdoors / Backdoors
- baiting / Baiting
- behavior analytics
  - on-premises / Behavior analytics on-premises
  - device placement / Device placement
  - in hybrid cloud / Behavior analytics in a hybrid cloud
  - Azure Security Center / Azure Security Center
- breached host analysis / Breached host analysis
- Bring Your Own Device (BYOD) / The current threat landscape, Educating the end user
- broken authentication / Broken authentication
- brute force / Brute force
- buffer overflows / Buffer overflows
- business impact analysis (BIA)
  - conducting / Conducting business impact analysis
  - about / Conducting business impact analysis
  - critical IT resources, identifying / Identifying the critical IT resources
  - disruption impacts, identifying / Identifying disruption impacts
  - recovery priorities, developing / Developing recovery priorities
C
- Cain and Abel / Cain and Abel, Cain and Abel
- Calculator / Avoiding alerts
- central administrator consoles / Central administrator consoles
- Chief Executive Officer (CEO) / The current threat landscape
- Chief Information Security Officer (CISO) / The current threat landscape
- cloud
  - hacking / Hacking the cloud
- Cloud Security Alliance (CSA) / Apps
- Common Configuration Enumeration (CCE) / Hardening
- Common Vulnerability and Exposure (CVE) / Monitoring for compliance
- compliance
  - monitoring / Monitoring for compliance
- compromised system
  - investigating, on-premises / Investigating a compromised system on-premises
  - investigating, in hybrid cloud / Investigating a compromised system in a hybrid cloud, Search and you shall find it
- Computer Security Incident Response (CSIR) / Incident response process
- computer security incident response team (CSIRT) / Information management
- containment phase / Incident life cycle
- contingency planning
  - about / Contingency planning
  - IT contingency planning process / IT contingency planning process
- contingency planning policy
  - development / Development of the contingency planning policy
- Corporate Software Inspector (CSI)
  - about / Flexera (Secunia) Personal Software Inspector
  - reference link / Flexera (Secunia) Personal Software Inspector
- Credential Manager (CredMan) / Harvesting credentials
- credentials
  - about / The current threat landscape
  - harvesting / Harvesting credentials
- cross-site scripting / Cross-site scripting
- current trends
  - analyzing / Analyzing current trends
  - extortion attacks / Extortion attacks
  - data manipulation attacks / Data manipulation attacks
  - IoT device attacks / IoT device attacks
  - backdoors / Backdoors
  - mobile device attacks / Mobile device attacks
  - everyday devices, hacking / Hacking everyday devices
  - cloud, hacking / Hacking the cloud
- cybersecurity challenges
  - about / Cybersecurity challenges
  - techniques / Old techniques and broader results
  - broader results / Old techniques and broader results
  - threat landscape / The shift in the threat landscape
D
- data / The current threat landscape
- data correlation / Data correlation, Detection capabilities
- data manipulation attacks / Data manipulation attacks
- DDoS attacks / DDoS attacks
- DeepSight / Information management tools
- Democratic National Committee (DNC) / The shift in the threat landscape
- depth approach
  - defense / Defense in depth approach
  - infrastructure / Infrastructure and services
  - services / Infrastructure and services
  - transit, documents / Documents in transit
  - endpoints / Endpoints
- detection capabilities
  - about / Detection capabilities
  - Indicator of Compromise (IoC) / Indicators of compromise
- detection phase / Incident life cycle
- device placement / Device placement
- disaster recovery (DR) / Forming a disaster recovery team
- disaster recovery plan
  - about / Disaster recovery plan
  - process / The disaster recovery planning process
  - disaster recovery team, forming / Forming a disaster recovery team
  - risk assessment, performing / Performing risk assessment
  - processes, prioritizing / Prioritizing processes and operations
  - operations, prioritizing / Prioritizing processes and operations
  - recovery strategies, determining / Determining recovery strategies
  - collecting data / Collecting data
  - creating / Creating the disaster recovery plan
  - testing / Testing the plan
  - approval, obtaining / Obtaining approval
  - maintaining / Maintaining the plan
  - challenges / Challenges
- Distributed Denial of Service (DDoS) / The current threat landscape
- diversion theft / Diversion theft
- DLL injection / DLL injection
  - Backdoor.Oldrea / DLL injection
  - BlackEnergy / DLL injection
  - Duqu / DLL injection
- DLL search order hijacking / DLL search order hijacking
- dumpster diving / Dumpster diving
- Dylib hijacking / Dylib hijacking
E
- email pillaging / Email pillaging
- end user
  - educating / Educating the end user
  - social media security guidelines / Social media security guidelines for users
  - security awareness training / Security awareness training
- Enhanced Mitigation Experience Toolkit (EMET)
- Estimated Time to Detection (ETTD) / The Red and Blue Team
- Estimated Time to Recovery (ETTR) / The Red and Blue Team
- Eternal Blue / Response planning
- Event Tracing for Windows (ETW) / Azure Security Center
- exfiltration / Exfiltration
- external reconnaissance
  - about / External reconnaissance, External reconnaissance
  - scanning / Scanning
  - dumpster diving / Dumpster diving
  - social media / Social media
  - social engineering / Social engineering
- extortion attacks / Extortion attacks
F
- file shares / File shares
- firewall logs / Firewall logs
- Foundstone's Enterprise / Foundstone's Enterprise
- fuzzing / Fuzzing
G
- Graphical User Interface (GUI) / Remote Desktop
- Group Policy Object (GPO) / Policy enforcement
H
- hardening / Hardening
- Homeland Security Exercise and Evaluation Program (HSEEP) / The Red and Blue Team
- horizontal privilege escalation / Horizontal privilege escalation, Horizontal privilege escalation
- host-based intrusion detection system (HIDS) / Intrusion detection systems
- Hybrid cloud network security / Hybrid cloud network security
I
- ICSA Labs
- identity
  - about / Identity is the new perimeter
  - enterprise users / Identity is the new perimeter
  - home users / Identity is the new perimeter
- incident handling
  - about / Handling an incident
  - best practices, to optimize / Best practices to optimize incident handling
- incident life cycle / Incident life cycle
- incident response process
  - about / Incident response process
  - terminology / Reasons to have an IR process in place
  - creating / Creating an incident response process
  - functional impact / Creating an incident response process
  - information affected / Creating an incident response process
  - recoverability / Creating an incident response process
  - in cloud / Incident response in the cloud
  - updating, to cloud / Updating your IR process to include cloud
  - detection phase / Updating your IR process to include cloud
  - containment phase / Updating your IR process to include cloud
- incident response team
  - about / Incident response team
  - shifts / Incident response team
  - team allocation / Incident response team
  - on-call process / Incident response team
- Indicator of Compromise (IoC) / The Red and Blue Team, Reasons to have an IR process in place, Indicators of compromise, Introduction to threat intelligence
- infiltration
  - about / Infiltration, Infiltration
  - network mapping / Network mapping
  - alerts, avoiding / Avoiding alerts
- information management tools / Information management, Information management tools
- Infrastructure as a Service (IaaS) / The current threat landscape, Infrastructure and services
- internal reconnaissance
  - about / Internal reconnaissance
  - sniffing tools / Sniffing and scanning
  - scanning tools / Sniffing and scanning
  - wardriving / Wardriving
- Internet of Things (IoT) / The current threat landscape, Threat life cycle management
- intrusion detection system (IDS) / Intrusion detection systems, Old techniques and broader results
- intrusion prevention system (IPS)
  - about / Intrusion prevention system
  - rule-based detection / Rule-based detection
  - anomaly-based detection / Anomaly-based detection
- IoT device attacks / IoT device attacks
- issue
  - scoping / Scoping the issue
  - key artifacts / Key artifacts
- IT contingency planning process
  - about / IT contingency planning process
  - contingency planning policy, development / Development of the contingency planning policy
  - business impact analysis (BIA), conducting / Conducting business impact analysis
  - preventive controls, identifying / Identifying the preventive controls
  - recovery strategies, developing / Developing recovery strategies
  - plan maintenance / Plan maintenance
J
- jailbreaking / Vertical privilege escalation
- John the Ripper / John the Ripper
K
- key artifacts / Key artifacts
- key aspects
  - identifying / Lessons learned
- Kismet / Kismet
L
- LANDesk Management Suite / LANDesk Management Suite
- lateral movement
  - performing / Performing lateral movement
  - port scans / Port scans
  - sysinternals / Sysinternals
  - file shares / File shares
  - remote desktop / Remote Desktop
  - PowerShell / PowerShell
  - Windows Management Instrumentation (WMI) / Windows Management Instrumentation
  - scheduled tasks / Scheduled tasks
  - token stealing / Token stealing
  - pass-the-hash / Pass-the-hash
  - Active Directory (AD) / Active Directory
  - remote registry / Remote Registry
  - breached host analysis / Breached host analysis
  - central administrator consoles / Central administrator consoles
  - email pillaging / Email pillaging
  - references / Email pillaging
  - horizontal privilege escalation / Horizontal privilege escalation
  - vertical privilege escalation / Vertical privilege escalation
- launch daemon / Launch daemon
- Linux logs / Linux logs
- live recovery / Live recovery
- Local Security Authority (LSA) / Harvesting credentials
- Local Security Authority Subsystem (LSASS) / Harvesting credentials
- Log Parser
  - URL, for downloading / Web server logs
- LogRhythm / Azure Security Center
M
- Metadefender Cloud TI
  - reference link / Open source tools for threat intelligence
- Metasploit
  - about / Metasploit, Metasploit
  - using / Using Metasploit
- metrics
  - Mean Time to Compromise (MTTC) / The Red and Blue Team
  - Mean Time to Privilege Escalation (MTTP) / The Red and Blue Team
- Microsoft Operations Management Suite (OMS) / Monitoring for compliance
- Microsoft Security Compliance Toolkit
  - reference link / Policy enforcement
- Microsoft Security Development Lifecycle (SDL) / Apps
- Microsoft threat intelligence
  - about / Introduction to threat intelligence, Microsoft threat intelligence
  - Cybercriminal / Introduction to threat intelligence
  - Hacktivist / Introduction to threat intelligence
  - Cyber espionage/state sponsored / Introduction to threat intelligence
  - open source tools / Open source tools for threat intelligence
  - Azure Security Center / Azure Security Center
  - leveraging, to investigate suspicious activity / Leveraging threat intelligence to investigate suspicious activity
- mobile device attacks / Mobile device attacks
- Mobile Device Management (MDM) / The current threat landscape
- MS14-068 / Exploration of vulnerabilities
N
- Nessus
  - about / Nessus
  - vulnerability management, implementing / Implementing vulnerability management with Nessus
  - URL, for downloading / Implementing vulnerability management with Nessus
- Netcat
  - reference link / Avoiding alerts
- network-based intrusion detection system (NIDS) / Intrusion detection systems
- network access
  - gaining / Gaining access to the network
- network access control (NAC) / Securing remote access to the network
- Network Intrusion Detection Systems (NIDSs) / Network mapping
- network mapping / Network mapping
- network operations center (NOC) / Introduction to threat intelligence
- Network Performance Monitor Suite / Discovering your network
- Nikto / Nikto
- Nishang / PowerShell
- NMap / NMap, NMap
O
- obfuscation / Obfuscation
- OpenIOC
  - URL / Indicators of compromise
- operating system logs
  - about / Operating system logs
  - Windows logs / Windows logs
  - Linux logs / Linux logs
- operating systems
  - compromising / Compromising operating systems
  - compromising, Kon-Boot used / Compromising systems using Kon-Boot or Hiren's BootCD
  - compromising, Hiren's BootCD used / Compromising systems using Kon-Boot or Hiren's BootCD
  - compromising, Linux Live CD used / Compromising systems using a Linux Live CD
  - compromising, pre-installed applications used / Compromising systems using preinstalled applications
  - compromising, Ophcrack used / Compromising systems using Ophcrack
- organizational units (OUs) / Policy enforcement
P
- pass-the-hash / Pass-the-hash, Investigating a compromised system on-premises
- payloads
  - deploying / Deploying payloads
  - vulnerability scanner, installing / Installing and using a vulnerability scanner
  - vulnerability scanner, using / Installing and using a vulnerability scanner
  - Metasploit, using / Using Metasploit
- PDF Examiner
  - reference link / Social engineering
- peregrine tools / Peregrine tools
- personally identifiable information (PII) / Creating an incident response process
- Personal Software Inspector (PSI) / Flexera (Secunia) Personal Software Inspector
- phishing
  - about / Phishing, Phishing
  - phone phishing / Phone phishing (vishing)
  - spear phishing / Spear phishing
- phone phishing / Phone phishing (vishing)
- physical network segmentation
  - about / Physical network segmentation
  - business objectives / Physical network segmentation
  - level of sensitivity / Physical network segmentation
  - location / Physical network segmentation
  - security zones / Physical network segmentation
  - network, discovering / Discovering your network
- plan maintenance / Plan maintenance
- policy enforcement
  - about / Policy enforcement
  - application whitelisting / Application whitelisting
  - hardening / Hardening
- port scans / Port scans
- post-incident activity
  - about / Post-incident activity
  - real-world scenario / Real-world scenario
  - lessons learned / Lessons learned
- PowerShell
  - launching / Pass the hash
  - reference link / File shares
  - about / PowerShell
- PowerShell scripts
  - reference link / Active Directory
- PowerSploit / PowerShell
- pretexting / Pretexting
- preventive controls
  - identifying / Identifying the preventive controls
- prismdump / Prismdump
- Privilege Account Certificate (PAC) / Active Directory
- privilege escalation
  - about / Access and privilege escalation
  - vertical privilege escalation / Vertical privilege escalation
  - horizontal privilege escalation / Horizontal privilege escalation
  - performing / Performing privilege escalation
  - unpatched operating systems, exploiting / Exploiting unpatched operating systems
  - access token manipulation / Access token manipulation
  - accessibility features, exploiting / Exploiting accessibility features
  - application shimming / Application shimming
  - User Account Control (UAC), bypassing / Bypassing user account control
  - DLL injection / DLL injection
  - DLL search order hijacking / DLL search order hijacking
  - Dylib hijacking / Dylib hijacking
  - vulnerabilities, exploration / Exploration of vulnerabilities
  - launch daemon / Launch daemon
  - hands-on example, on Windows 8 / Hands-on example of privilege escalation on a Windows 8 target
  - complex phases / Conclusion and lessons learned
Q
- quid pro quo / Quid pro quo
R
- real-world scenario / Real-world scenario
- reconnaissance
  - conclusion / Conclusion of the reconnaissance chapter
- recovery process
  - best practices / Best practices for recovery
- recovery strategies
  - developing / Developing recovery strategies
  - backups / Backups
  - alternative sites / Alternative sites
  - equipment replacement / Equipment replacement
  - training / Plan testing, training, and exercising
  - plan testing / Plan testing, training, and exercising
  - exercising / Plan testing, training, and exercising
- redundant array of independent disks (RAID) / Best practices for recovery
- reflective DLL injection / DLL injection
- remote access
  - securing, to network / Securing remote access to the network
  - site-to-site VPN / Site-to-site VPN
- remote registry / Remote Registry
- remote system
  - compromising / Compromising a remote system
- risk assessment
  - about / Risk assessment
  - scope / Scope
  - data, collecting / Collecting data
  - policies, analysis / Analysis of policies and procedures
  - vulnerability analysis / Vulnerability analysis
  - threat analysis / Threat analysis
  - acceptable risks, analysis / Analysis of acceptable risks
- risk assessment tools / Risk assessment tools
- rule-based detection / Rule-based detection
S
- scanning, external reconnaissance
  - NMap / NMap
  - Metasploit / Metasploit
  - John the Ripper / John the Ripper
  - THC Hydra / THC Hydra
  - Wireshark / Wireshark
  - Aircrack-ng / Aircrack-ng
  - Nikto / Nikto
  - Kismet / Kismet
  - Cain and Abel / Cain and Abel
  - scanrand / Scanrand
- scheduled tasks / Scheduled tasks
- Security Accounts Manager (SAM) / Harvesting credentials
- security awareness training
  - about / Security awareness training
  - real-world examples / Security awareness training
  - practice / Security awareness training
- Security Information and Event Management (SIEM) / Azure Security Center
- security policy
  - reviewing / Reviewing your security policy
  - policy / Reviewing your security policy
  - procedure / Reviewing your security policy
  - standard / Reviewing your security policy
  - guidelines / Reviewing your security policy
  - best practices / Reviewing your security policy
- security posture
  - enhancing / Enhancing your security posture
  - about / The Red and Blue Team
- Server Message Block (SMB) / Introduction to threat intelligence
- service-level agreement (SLA) / Incident response team
- Service Principal Name (SPN) / Active Directory
- site-to-site VPN / Site-to-site VPN
- sniffing tools
  - prismdump / Prismdump
  - tcpdump / tcpdump
  - NMap / NMap
  - Wireshark / Wireshark
  - scanrand / Scanrand
  - Cain and Abel / Cain and Abel
  - Nessus / Nessus
  - Metasploit / Metasploit
  - Aircrack-ng / Aircrack-ng
- Snort / Rule-based detection
- social engineering
  - about / Social engineering, Social engineering
  - pretexting / Pretexting
  - diversion theft / Diversion theft
  - phishing / Phishing
  - water holing / Water holing
  - baiting / Baiting
  - quid pro quo / Quid pro quo
  - tailgating / Tailgating
- Social Engineering Toolkit (SET) / Social engineering
- social media / Social media
- Software as a Service (SaaS) / The current threat landscape
- source code analysis / Source code analysis
- spear phishing / Spear phishing
- Splunk / Azure Security Center
- SQL injection / SQL injection
- StillSecure / StillSecure
- structured exception handling (SEH) / Structured exception handler overwrites
- sustainment / Sustainment
- sysinternals / Sysinternals
- system breach
  - evidence, saving / The Red and Blue Team
  - evidence, validating / The Red and Blue Team
  - engaging / The Red and Blue Team
  - incident triage / The Red and Blue Team
  - scope / The Red and Blue Team
  - remediation plan, creating / The Red and Blue Team
  - plan, executing / The Red and Blue Team
  - preventing / Assume breach
- system compromising
  - payloads, deploying / Deploying payloads
  - operating systems, compromising / Compromising operating systems
  - remote system, compromising / Compromising a remote system
  - web-based systems, compromising / Compromising web-based systems
T
- tailgating / Tailgating
- tcpdump / tcpdump
- THC Hydra / THC Hydra
- The Shadow Brokers (TSB) / Introduction to threat intelligence
- threat intelligence exchange (OTX) / Open source tools for threat intelligence
- threat landscape
  - about / The current threat landscape
  - credentials / The credentials – authentication and authorization
  - applications / Apps
  - data / Data
- threat life cycle management / Threat life cycle management
- token stealing / Token stealing
U
- unpatched operating systems
  - exploiting / Exploiting unpatched operating systems
- user's identity
  - strategies / Strategies for compromising a user's identity
  - network access, gaining / Gaining access to the network
  - credentials, harvesting / Harvesting credentials
  - hacking / Hacking a user's identity
  - brute force / Brute force
  - social engineering / Social engineering
  - PowerShell, launching / Pass the hash
  - methods, to hack / Other methods to hack identity
- User Account Control (UAC)
  - bypassing / Bypassing user account control
  - about / Bypassing user account control
- User and Entity Behavior Analytics (UEBA) / Behavior analytics on-premises
V
- vendor-agnostic approach, to BYOD
  - reference link / Endpoints
- vertical privilege escalation / Vertical privilege escalation, Vertical privilege escalation
- virtual local area network (VLAN) / Physical network segmentation
- virtual network segmentation / Virtual network segmentation
- vulnerabilities
  - exploiting / Exploiting a vulnerability
  - exploration / Exploration of vulnerabilities
- vulnerability assessment / Vulnerability assessment
- vulnerability management
  - implementation / Implementation of vulnerability management
  - best practices / Best practices for vulnerability management
  - implementing, with Nessus / Implementing vulnerability management with Nessus
- vulnerability management strategy
  - creating / Creating a vulnerability management strategy
  - asset inventory / Asset inventory
  - information management tools / Information management
  - risk assessment / Risk assessment
  - remediation tracking / Reporting and remediation tracking
  - reporting / Reporting and remediation tracking
  - response planning / Response planning
- vulnerability management tools
  - about / Vulnerability management tools
  - information management tools / Information management tools
  - risk assessment tools / Risk assessment tools
  - vulnerability assessment tools / Vulnerability assessment tools
  - reporting / Reporting and remediation tracking tools
  - remediation tracking tools / Reporting and remediation tracking tools
  - response planning tools / Response planning tools
- vulnerability scanner
W
- wardriving / Wardriving
- water holing / Water holing
- web-based systems
  - compromising / Compromising web-based systems
  - SQL injection / SQL injection
  - cross-site scripting / Cross-site scripting
  - broken authentication / Broken authentication
  - DDoS attacks / DDoS attacks
- web application firewall (WAF) / Azure Security Center
- web server logs / Web server logs
- WinDbg
  - URL / Windows logs
- Windows logs / Windows logs
- Windows Management Instrumentation (WMI) / Windows Management Instrumentation
- Wireshark / Wireshark, Wireshark
Z
- zero-day
  - structured exception handling (SEH), overwriting / Structured exception handler overwrites
- zero-day attacks
  - about / Zero-day
  - fuzzing / Fuzzing
  - source code analysis / Source code analysis
- zero-day exploits
  - types / Types of zero-day exploits
  - buffer overflows / Buffer overflows