General Infosec

MITRE Att&ck Framework

Mittre Att&ck is a knowledge base of adversary tactics and techniques. This resource attempts to comprehensively categorize all known methods of accomplishing adversarial tactics.

It is a great resource to know how to use. Not something you need to or perhaps even can memorize. I found value in reading through all the different techniques, Googling what I did not understand.

Threat Intelligence Resources

Threat Intelligence Research Groups

You will find many threat research publications and blogs. The groups specified bellow generally offer information relevant to an operational level of understanding. Tactical Intelligence sources are provided bellow in Threat Intel Content Development.

Security Vendors Threat Blogs

CrowdStrike
RiskIQ Articles
PaloAlto’s Unit42
Cisco Talos
Intel471
digital_shadows
ThreatConnect Blog
DomainTools Blog

Federal Agency Threat Blogs

CISA Cybersecurity Blog
CERT Alerts & CERT Current Activity

Meet the Adversaries

Resources to learn about the adversaries that are prolific enough to be identified, named, and tracked.

APT Groups and Operations Matrix
Crowdstrike Classifications

Basic Web Resources for Operations or Research

Sandboxes

HybridAnalysis
tags: #windows #macos #linux
JoesSandbox Cloud
tags: #windows #macos #adnroid #linux #ios

Threat Intell Content Development

VirusTotal
tags: #file #url #domain #host
IBM X-Force Exchange
tags: #ip #url #domain #email #cve #cidr #filehash #filepath #mutex #yara #tag
Open Threat Exchange
tags: #ip #url #domain #email #cve #cidr #filehash #filepath #mutex #yara
PassiveTotal
tags: #domains #host #ips #sslcert #contactemail
DomainTools
tags: #domain #ip
Talos
tags: #domain #ip #contactemail
ThreatCrowd
tags: #doamin #ip #email #organization
ThreatMiner
tags: #domain #ip #filehash #email #ssl #ua #filename #registry #mutex

Train Hard, Train Smart

The InfoSec profession does require a good deal of knowledge; but high performing security practitioners are those with an equally impressive skill set through which they can act on that knowledge. Simulations are a great way to strengthen and develop these skills.

Capture the Flag or CTF exercises are a great way to understand some of the tools and thought process of an adversary. Typically, CTF style exercises involve compromising systems to find hidden flags which prove the accomplishment of some gained level of access. While they primary simulate activity of an adversary, you can also attempt to monitor the exercise environment and then review the generated artifacts to practice finding attacks in audit data. This can include system logs from a compromised device, a firewall or IDS such as Suricata and Snort, a network traffic analysis tool such as Zeek, or even simply a packet capture from the exercise.

VulnHub is a created repository of community contributed VMs made vulnerable by design for various training purposes. While you can attempt to detect your self in logs, nothing prohibits you from attempting to secure the VMs from the same attacks you used to gain access.

My home lab consists of the following networks

The following is just some details on what my current home lab looks like. At most, it contains some recommendations. It certainly is not optimal.

A class B network for community made CTF targets such as those from VulnHub.
A class B “Attack Targets” network
Security monitoring controls and domain resources share a VLAN.
A class C client network for my laptops or attacking VMs.
A class B network for log collection (Logstash and Splunk Universal Forwarder)
A Pfsense Firewall that connects to an interface on my home WiFi + Router Combo. This Firewall will be your edge.

The Attack Targets network consists of multiple operating systems both server and client with multiple versions. This network contains various services designed to mimic what might be found in a typical environment. It has grown organically over the years. I advise creating several snapshots of “golden images” that contain configuration for security monitoring software such as Sysmon, Splunk UF, or Logstash. Another alternative is to use something like Ansible or Puppet to automate this configuration.

Pro Tip: I use KVM; however, if you use ESXi, you can take various partial snapshots before major security updates or periodically. This can allow you to restore or create new VMs from snapshots to test attacks on vulnerabilities you may have patched in your environment. I have found this to save on storage requirement

Security Monitoring for Attack Targets

Windows Monitoring

Sysmon
Windows Event Logs (System, Security, and Application)
Periodic output of various admin tools (netstat, pslist, etc) Splunk UF is used to Collect Logs + run scripts

Linux Monitoring

/var/log/messages
/var/log/secure
/var/log/syslog (syslog-ng)
/var/log/auth.log
/var/log/faillog
Periodic output of various admin tools (netstat, pslist, etc

A simple $30 TP link switch allows me to select one network interface to use as a mirror for the rest of my networking interfaces. This allows me to use Corelight with a home client to send Zeek and Suricata logs to my Splunk and ELK stack.

Note: I had also performed packet captures with this device in the past; however, am unaware if that would interfere with Corelight currently.

File Extension Cheat Sheet

7zip : 7-zip archive format
bzip2 : bzip2 archive format
cab : cab file format
dat : data file format
dmp : memory dump
docx : microsoft word
dwg : drawings
dxf : cad file format for autodesk
ese : database file format
idw : image file format for autodesk
jar : java archive
macho : binary executable format
ole : object linking and embedding
ooxml : office open xml
pdf : pdf
pe : pe
pptx : microsoft powerpoint
rar : rar archive format
rtf : rich text format
script : script file
sld : slide format for autocad
tar : tar archive format
vsdx : microsoft visio
xar : xar archive format
xlsx : microsoft excel
zip : zip archive