Pentesting, Threat Hunting, and SOC: An Overview

By Ray Van Hoose, Wade Wells, and Edna Jonsson || Guest Authors

This post is comprised of 3 articles that were originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.

Pentesting – Discover Vulnerabilities, Create Reports, Provide Guidance

by Ray Van Hoose || @_meta.

The question: How can we predict ways the bad guys will attack our systems, and how can we try to stop them?

The answer: Penetration testing.

Penetration testing, especially in the past, included physical security assessments (i.e. breaking into buildings). Penetration testing has grown and evolved over the years, and currently tends to focus more on technical findings, leaving the physical security and social engineering (phishing emails, tricking folks on the phone, etc.) to the red teamers.

What tools do I need to survive as a penetration tester?

• Kali Linux: open-source, Debian-based Linux distribution geared towards various information security tasks, such as penetration testing, security research, etc.
• Nmap: free and open-source utility for network discovery and security auditing.
• Burp: Burp Suite is a comprehensive suite of tools for web application security testing.

What makes us different from red teamers?

• Completedness
  • We find and document as many of the vulnerabilities as we can, not just the vulnerabilities used to gain access.
• Goals and approach:
  • Pentesters are “noisy” in their approach.
  • Pentesters do not focus on things like response time and effectiveness of the defense teams.

Skills and Techniques to Survive

Communication

One of the most important, but least recognized, skills. Your primary deliverable is the report. Additionally, you will often debrief leadership, as well as work with developers, to fix the vulnerabilities discovered.

Documentation

Few, if any, enjoy it but the report needs to be presentable. Good screenshots and documentation are critical in this field.

Command-line interface knowledge

Understanding Linux and Windows commands will provide —

• An interface for the vast majority of hacking and penetration testing tools {wget, cURL, Nikto, metasploit, sqlmap, etc.).
• ‘screen’ or ‘tmux’ allows you to launch, name, access, and manage a shell for each tool, or even split scans or tools across any number of shells.
• Improvement of screenshot readability (by only returning and displaying the most relevant data).

Validation

Can you use different tools or techniques to validate the potential vulnerabilities that are discovered? Discovery and validation are key pillars of a good test.

Exploitation

Often can be the trickiest part of the job. Sometimes, it might be as easy as configuring the tool to execute the appropriate payload… But quite often, you might spend a considerable amount of time tinkering to get a working exploit on that system.

Here are some popular websites that provide insights and (sometimes) working payloads:

• Exploit-db – exploit-db.com
• Rapid7-db – rapid7.com/db/
• NIST – nvd.nist.gov/vuln/search

Using these skills, knowledge, and tools, a successful penetration tester will be able to discover vulnerabilities, create reports that help inform leadership of security weaknesses, and provide meaningful guidance on how to remedy (or mitigate) these issues.

Threat Hunting – An Active Search for Risks

by Wade Wells || @WadingThruLogs

Threat hunting is a role as well as an activity. It can have different definitions depending on the organization. The base definition of threat hunting as an activity is “the proactive search for malicious activities in a network.” Threat hunting is an iterative process that aims to identify potential security threats and risks that may not be detectable through automated security tools alone. It is a human-driven process that empowers organizations to stay one step ahead of cyber adversaries and improve their overall cybersecurity defenses.

A threat hunter should have the mindset that a network is already compromised. Threat hunters should also have an established baseline of the network’s activities to determine abnormalities. A hunt can start with a hypothesis that guides the hunter’s activities. An example would be, “Threat actors have used .iso files as the first stage to infect hosts on our network.” The hunter will then establish if these activities have occurred within the network and if they are malicious.

As a role, threat hunters are usually in a senior position. People seeking this job typically pivot from security analysts, incident responders, or security engineers. All of these roles can perform threat hunting as an activity. A threat hunter should have a well-rounded knowledge of all things infosec and be comfortable wading through any logs. Understanding the blue team, red team, and threat intelligence tactics will improve your abilities in this role.

Tips:

• Use knowledge of your network and threat intelligence to help create a threat hunting hypothesis.
• Don’t reinvent the wheel. Leverage community resources and security vendor reports to help improve threat hunting.
• If you’re moving too fast to keep notes, slow down.
• Be constantly looking for misconfigurations and opportunities to harden the network while performing a hunt.

Threat Hunting Resources:

• Use the Sigma Project to view how others are detecting similar activities: github.com/SigmaHQ/sigma
• Use the ATT&CK® Powered Suit browser app to obtain information on MITRE ATT&CK® TTPs quickly: mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/attack-powered-suit/
• Great place to leverage what’s going on in the news and think about it from a logging perspective: research.splunk.com/stories/
• Fantastic blog on threat hunting: kostas-ts.medium.com/threat-hunting-series-the-basics-cccadac830c6
• Check out “MITRE ATT&CK® Defender™ ATT&CK® Threat Hunting” training on Cybrary: cybrary.it/course/mitre-attack-threat-hunting
• A full zine just on threat hunting: blackhillsinfosec.com/prompt-zine/prompt-issue-threat-hunting/

Hunting frameworks:

• splunk.com/en_us/blog/security/peak-threat-hunting-framework.html
• youtu.be/TqMjMpvspJ4
• github.com/TactiKoolSec/OTHF
• https://www.gigamon.com/content/dam/resource-library/english/white-paper/wp-intelligence-driven-threat-hunting-methodology.pdf

Projects to try:

• acm.re/ac-hunter-community-edition/
• lolbas-project.github.io/
• loldrivers.io/
• gtfobins.github.io/

SOC – Security Operations Center

by Edna Jonsson || @ednas

What is a SOC?

The SOC, or Security Operations Center, is a cybersecurity department that helps to identify threats and suspicious activity that take place within a company’s network and devices. The entry position for the SOC is a SOC analyst. As a SOC analyst, you might work directly for the company or in a managed SOC (which provides companies with SOC services as a third-party). In order to become a SOC analyst, you need to have a good understanding of how computers work, as well as networking concepts and cybersecurity concepts. There are several ways that you can acquire the skills and knowledge needed for this position, such as a college degree, a training course, or self-study. Acquiring certificates will help prove you have a proficient knowledge of your area of study. You can use services like TryHackMe, Blue Team Labs Online, and Antisyphone Training to get started. In addition to the technical knowledge, it helps to be detail-oriented and have good communication skills.

Tips

Stay Up-To-Date

A good way to begin to understand the threat landscape and what the threat actors today are doing is to follow the news and cybersecurity professionals on social media, who will share what trends and threats they are seeing. There are also threat reports published, such as those by CrowdStrike, that are excellent resources for understanding threat actors, their tactics, and procedures.

Safeguarding Communication

When communicating with stakeholders, fellow SOC analysts, and management or customers, you need to make sure that they won’t accidentally visit malicious URLs that you are informing them about. The way to do that is to “defang” them; that is, to make them unclickable.

How to defang a URL:

• Example malicious website URL — https://www.example.com/
• https becomes hxxps
• the . becomes [dot]
• The end result is hxxps://www[dot]example[dot]com/

Tools

Today, a SIEM (security information and event management) solution is the primary tool that is used in a SOC. This is a tool that collects and analyzes log events, and gives alerts on potential incidents. There are many different vendors for SIEM tools, such as Splunk, Microsoft, AlienVault, and more. In addition, the SOC might use an endpoint detection and response (EDR) tools, malware analysis tools, and vulnerability management tools.

SOC Resources

Website you will use as a SOC analyst –

These are helpful in verifying if the IP address or URL that you see is expected and if it is potentially malicious. CyberChef is a wonderful tool that can be used for decoding and deobfuscating code of text you encounter.

• abuseipdb.com/
• virustotal.com/
• who.is/
• gchq.github.io/CyberChef/

Further reading:
mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf

Read more Infosec Survival Guide Blogs:

• Blue Team, Red Team, and Purple Team: An Overview
• How to Put Yourself Out There – Networking on Social Media
• How to Get a Job in Cybersecurity
• How to Perform and Combat Social Engineering
• Mental Health – An Infosec Challenge
• Build a Home Lab: Equipment, Tools, and Tips

---

---

Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand

---

---