#CTI #STIX #TAXII #MAEC
Structured Threat Information Expression (STIX) is a standard for sharing information about a threat or an APT attack, based on indicators (#IoC) and the tactical and technical behaviour of the attack (#TTP).
Alongside the STIX structure there is also a transport mechanism called Trusted Automated Exchange of Intelligence Information (TAXII), meaning the trusted, automated exchange of intelligence information, which exists to standardize sharing processes through a defined mechanism so that all tools and products in the #CTI space can communicate with one another.
The next item is Malware Attribute Enumeration and Characterization (MAEC), meaning the enumeration of malware attributes and characteristics, which was designed to develop #CTI infrastructure for curating malware sources.
The last item is Cyber Observable eXpression (CybOX), meaning the structuring of data observable in cyberspace, which plays a role in populating #CTI databases.
https://oasis-open.github.io/cti-documentation/
@Engineer_Computer
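As an added example (not part of the original post, and not code from the OASIS CTI documentation), the following Python builds a minimal STIX 2.1 bundle by hand: an Indicator carrying an IoC pattern, an Attack Pattern carrying the TTP, and the `indicates` relationship between them, plus the structural checks a consumer would run before ingesting such a bundle. It deliberately avoids the `stix2` library so it runs offline; the C2 domain and all sample values are constructed, and the ATT&CK reference T1071 is there only to show the external-reference shape.

```python
"""Minimal STIX 2.1 bundle builder: an Indicator (IoC) linked to an Attack Pattern (TTP).

Added example: hand-built JSON, no `stix2` dependency. Object IDs use the STIX
"<type>--<UUIDv4>" form. Sample IoC values below are constructed, not real.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# <type>--<uuid4>; uuid4 has version nibble 4 and variant nibble 8/9/a/b.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def _now() -> str:
    # STIX timestamps are RFC 3339 UTC with millisecond precision and a trailing "Z".
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _new_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(name: str, pattern: str) -> dict:
    """Indicator SDO carrying a STIX pattern (the IoC side of the post)."""
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": _new_id("indicator"),
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_attack_pattern(name: str, mitre_id: str) -> dict:
    """Attack Pattern SDO (the TTP side) with an ATT&CK external reference."""
    ts = _now()
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": _new_id("attack-pattern"),
        "created": ts,
        "modified": ts,
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": mitre_id}],
    }


def make_relationship(source: dict, target: dict, rel_type: str = "indicates") -> dict:
    """SRO tying the indicator to the TTP it indicates."""
    ts = _now()
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": _new_id("relationship"),
        "created": ts,
        "modified": ts,
        "relationship_type": rel_type,
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def build_bundle(*objects: dict) -> dict:
    return {"type": "bundle", "id": _new_id("bundle"), "objects": list(objects)}


def validate_bundle(bundle: dict) -> list:
    """Checks a consumer should run before ingesting: well-formed ids, spec_version,
    and no relationship pointing at an object that is not in the bundle."""
    problems, ids = [], set()
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"bad id: {oid!r}")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: missing spec_version 2.1")
        ids.add(oid)
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj.get(key) not in ids:
                    problems.append(f"{obj['id']}: dangling {key} {obj.get(key)!r}")
    return problems


def example_bundle() -> dict:
    # Constructed sample: a C2 domain IoC tied to ATT&CK T1071 (Application Layer Protocol).
    ioc = make_indicator("Constructed C2 domain", "[domain-name:value = 'c2.example.invalid']")
    ttp = make_attack_pattern("Application Layer Protocol", "T1071")
    return build_bundle(ioc, ttp, make_relationship(ioc, ttp))


if __name__ == "__main__":
    bundle = example_bundle()
    assert validate_bundle(bundle) == []
    print(json.dumps(bundle, indent=2))
```

The output of `example_bundle()` is the kind of document a TAXII server would serve from a collection; the `validate_bundle` checks are the minimum a receiving platform should apply, since a dangling `source_ref`/`target_ref` or a malformed id is the usual reason an otherwise valid-looking feed fails to ingest.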
#Cybersecurity #Israel #Azerbijan
Fundamentally, the management strategy countries use to build cyber-security services is to have the requirements met by knowledge-based companies, because that brings competitiveness and candid evaluation with it.
But what is the situation in Iran? In Iran too, many companies are active, but with two differences from the rest of the world:
First, in no other country in the world can a company sell foreign products without holding a valid distributorship, but in Iran this is not the case: broker companies sell foreign products to government bodies at several times the dollar price and sign contracts without holding any distributorship, which means these companies have no need for R&D activity, since they produce no product of their own.
Second, no quality or authenticity assessment is carried out on domestic products either, and ostensibly domestic products are generally sold to government agencies, as in the story of the Atomic Energy Organization's "domestic" mail server, which after being hacked turned out to be in fact a Zimbra product that the Iranian company had merely localized into Persian.
https://fna.ir/3cb2u4
@Engineer_Computer
🔍 Comparison of the functionality of different EDRs on the Windows operating system
🔗 https://docs.google.com/spreadsheets/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/edit#gid=1993314609
🔗 https://github.com/tsale/EDR-Telemetry
@Engineer_Computer
⚙️ Build your own malware analysis lab 🔎
🔬 If you want to improve your malware analysis, RE and software engineering skills, the Arch Cloud Labs lab can be a good option for you...
🦠 The Arch Cloud Labs lab gives you a recreation of the malware analysis done at large companies and encourages you to perform the same analysis yourself. Each section is designed to start the analysis together with you and, at the end, leaves questions for you to explore on your own.
🔗 https://github.com/archcloudlabs/HackSpaceCon_Malware_Analysis_Course
@Engineer_Computer
What is a bug?
A security bug or vulnerability is “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.”
What is Bug Bounty?
A bug bounty or bug bounty program is IT jargon for a reward or bounty program given for finding and reporting a bug in a particular software product. Many IT companies offer bug bounties to drive product improvement and get more interaction from end users or clients. Companies that operate bug bounty programs may get hundreds of bug reports, including security bugs and security vulnerabilities, and many who report those bugs stand to receive awards.
• What is the Reward?
◦ There are all types of rewards based on the severity of the issue and the cost to fix. They may range from real money (most prevalent) to premium subscriptions (Prime/Netflix), discount coupons (for e-commerce or shopping sites), gift vouchers, and swag (apparel, badges, customized stationery, etc.). Money may range from $50 to $50,000 and even more.
What to learn?
Technical
Computer Fundamentals
▪ https://www.comptia.org/training/by-certification/a
▪ https://www.youtube.com/watch?v=tIfRDPekybU
▪ https://www.tutorialspoint.com/computer_fundamentals/index.htm
▪ https://onlinecourses.swayam2.ac.in/cec19_cs06/preview
▪ https://www.udemy.com/course/complete-computer-basics-course/
▪ https://www.coursera.org/courses?query=computer%20fundamentals
Computer Networking
▪ https://www.youtube.com/watch?v=0AcpUwnc12E&list=PLkW9FMxqUvyZaSQNQslneeODER3bJCb2K
▪ https://www.youtube.com/watch?v=qiQR5rTSshw
▪ https://www.youtube.com/watch?v=L3ZzkOTDins
▪ https://www.udacity.com/course/computer-networking--ud436
▪ https://www.coursera.org/professional-certificates/google-it-support
▪ https://www.udemy.com/course/introduction-to-computer-networks/
Operating Systems
▪ https://www.youtube.com/watch?v=z2r-p7xc7c4
▪ https://www.youtube.com/watch?v=_tCY-c-sPZc
▪ https://www.coursera.org/learn/os-power-user
▪ https://www.udacity.com/course/introduction-to-operating-systems--ud923
▪ https://www.udemy.com/course/linux-command-line-volume1/
▪ https://www.youtube.com/watch?v=v_1zB2WNN14
Command Line
▪ Windows:
▪ https://www.youtube.com/watch?v=TBBbQKp9cKw&list=PLRu7mEBdW7fDTarQ0F2k2tpwCJg_hKhJQ
▪ https://www.youtube.com/watch?v=fid6nfvCz1I&list=PLRu7mEBdW7fDlf80vMmEJ4Vw9uf2Gbyc_
▪ https://www.youtube.com/watch?v=UVUd9_k9C6A
▪ Linux:
▪ https://www.youtube.com/watch?v=fid6nfvCz1I&list=PLRu7mEBdW7fDlf80vMmEJ4Vw9uf2Gbyc_
▪ https://www.youtube.com/watch?v=UVUd9_k9C6A
▪ https://www.youtube.com/watch?v=GtovwKDemnI
▪ https://www.youtube.com/watch?v=2PGnYjbYuUo
▪ https://www.youtube.com/watch?v=e7BufAVwDiM&t=418s
▪ https://www.youtube.com/watch?v=bYRfRGbqDIw&list=PLkPmSWtWNIyTQ1NX6MarpjHPkLUs3u1wG&index=4
Programming
▪ C
▪ https://www.youtube.com/watch?v=irqbmMNs2Bo
▪ https://www.youtube.com/watch?v=ZSPZob_1TOk
▪ https://www.programiz.com/c-programming
▪ Python
▪ https://www.youtube.com/watch?v=ZLga4doUdjY&t=30352s
▪ https://www.youtube.com/watch?v=gfDE2a7MKjA
▪ https://www.youtube.com/watch?v=eTyI-M50Hu4
▪ JavaScript
▪ https://www.youtube.com/watch?v=-lCF2t6iuUc
▪ https://www.youtube.com/watch?v=hKB-YGF14SY&t=1486s
▪ https://www.youtube.com/watch?v=jS4aFq5-91M
▪ PHP
▪ https://www.youtube.com/watch?v=1SnPKhCdlsU
▪ https://www.youtube.com/watch?v=OK_JCtrrv-c
▪ https://www.youtube.com/watch?v=T8SEGXzdbYg&t=1329s
-Cyber Security awareness-
Up2date 4 Defense Today,
Secure Tomorrow
@CisoasaService
1402.02.11
@Engineer_Computer
Extensive Recon Guide For Bug Hunting
https://hacklido.com/blog/398-extensive-recon-guide-for-bug-hunting
@Engineer_Computer
INCIDENT RESPONSE FOR COMMON ATTACK TYPES
1. Brute Forcing
Details:
Attacker trying to guess a password by attempting several different passwords
Threat Indicators:
Multiple login failures in a short period of time
Where To Investigate:
• Active directory logs
• Application logs
• Operating system logs
• Contact user
Possible Actions:
If not a legitimate action, disable the account and investigate/block the attacker
2. Botnets
Details:
Attackers are using the victim server to perform DDoS attacks or other malicious activities
Threat Indicators:
• Connection to suspicious IPs
• Abnormal high volume of network traffic
Where To Investigate:
• Network traffic
• OS logs (new processes)
• Contact server owner
• Contact support team
Possible Actions:
If confirmed:
• Isolate the server
• Remove malicious processes
• Patch the vulnerability utilized for infection
3. Ransomware
Details:
A type of malware that encrypts files and requests a ransom (money payment) from the user to decrypt the files
Threat Indicators:
• Anti-Virus alerts
• Connection to suspicious IPs
Where To Investigate:
• AV logs
• OS logs
• Account logs
• Network traffic
Possible Actions:
• Request AV checks
• Isolate the machine
4. Data Exfiltration
Details:
Attacker (or rogue employee) exfiltrates data to external sources
Threat Indicators:
• Abnormal high network traffic
• Connection to cloud-storage solutions (Dropbox, Google Cloud)
• Unusual USB Sticks
Where To Investigate:
• Network traffic
• Proxy logs
• OS logs
Possible Actions:
• If employee: Contact manager, perform full forensics
• If external threat: Isolate the machine, disconnect from network
5. Compromised Account
Details:
Attackers get access to one account (via social engineering or any other method)
Threat Indicators:
• Off-hours account logins
• Account group changes
• Abnormal high network traffic
Where To Investigate:
• Active directory logs
• OS logs
• Network traffic
• Contact user for clarifications
Possible Actions:
If confirmed:
• Disable account
• Password changes
• Forensic investigations
6. Denial Of Service (DoS/DDoS)
Details:
When an attacker causes interference in a system by exploiting DoS vulnerabilities or by generating a high volume of traffic
Threat Indicators:
Abnormal high network traffic in public facing servers
Where To Investigate:
• Network traffic
• Firewall logs
• OS logs
Possible Actions:
• If DoS due to vulnerabilities: Contact patching team for remediation
• If DDoS due to network traffic: Contact network support or ISP
7. Advanced Persistent Threats (APTs)
Details:
Attackers get access to the system and create backdoors for further exploitation. Usually hard to detect
Threat Indicators:
• Connection to suspicious IPs
• Abnormal high volume of network traffic
• Off-hours access logs
• New admin account creations
Where To Investigate:
• Network traffic
• Access logs
• OS logs (new processes, new connections, abnormal users)
• Contact server owner/support teams
Possible Actions:
If confirmed:
• Isolate the machine
• Start formal forensics process
• Start escalation/communication plan
@Engineer_Computer
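The first playbook entry above (multiple login failures in a short period) as a concrete detection, added here as an example and not part of the original post: the Python below parses sshd-style auth-log lines, counts failures per (account, source IP) in a sliding 60-second window, raises a brute-force alert at five failures, and escalates if the same source later logs in successfully, which is the case the playbook treats as not legitimate. The log lines are constructed; the thresholds, the sshd message format and the year (syslog lines carry none) are assumptions.

```python
"""Brute-force login detector over sshd auth-log lines.

Added example; the SAMPLE_LOG lines are constructed. Alerts are returned as
(kind, user, ip) tuples so the caller (SIEM rule, ticket, playbook) decides the action.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures inside the window that count as brute forcing (assumed)
WINDOW = 60     # sliding window in seconds (assumed)
YEAR = 2023     # syslog timestamps have no year; assumed for the sample

# Matches "Failed/Accepted password for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, ip) or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect(lines):
    """Stream the lines once; return alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # (user, ip) -> timestamps of failures in the window
    flagged_pairs = set()           # (user, ip) already reported, to avoid alert storms
    flagged_ips = set()             # sources that brute-forced any account
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        key = (user, ip)
        if outcome == "Failed":
            q = failures[key]
            q.append(ts)
            # Drop failures older than WINDOW seconds relative to this event.
            while q and (ts - q[0]).total_seconds() > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and key not in flagged_pairs:
                flagged_pairs.add(key)
                flagged_ips.add(ip)
                alerts.append(("brute_force", user, ip))
        elif ip in flagged_ips:
            # A success from a source that was guessing passwords: treat the
            # account as compromised until the user confirms otherwise.
            alerts.append(("success_after_brute_force", user, ip))
    return alerts


# Constructed sample: a spray against "admin" from 203.0.113.5, one stray failure
# for alice from another source, then a successful login for alice from the
# brute-forcing IP, and a key-based login the rule deliberately does not parse.
SAMPLE_LOG = """\
May 10 08:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
May 10 08:00:07 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
May 10 08:00:13 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
May 10 08:00:20 bastion sshd[2204]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
May 10 08:00:26 bastion sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 51004 ssh2
May 10 08:00:31 bastion sshd[2206]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 10 08:00:45 bastion sshd[2208]: Accepted password for alice from 203.0.113.5 port 51005 ssh2
May 10 08:01:02 bastion sshd[2209]: Accepted publickey for bob from 192.0.2.9 port 33000 ssh2
May 10 08:02:40 bastion sshd[2207]: Failed password for alice from 198.51.100.7 port 40002 ssh2
""".splitlines()


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second alert is the one that changes the playbook branch: five failures alone justify contacting the user and blocking the source, but a success from the same source means the account is disabled first and forensics follows. Keying the window on (account, source) rather than on the account alone keeps a legitimate user who mistypes a password from being merged with an attacker's attempts.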
Open Source cyber security tools:
1. Zeek: https://zeek.org/
Network Security Monitoring
2. ClamAV: https://www.clamav.net/
Antivirus
3. OpenVAS: https://www.openvas.org/
Vulnerability Scanner
4. TheHive: https://lnkd.in/e7aVCRUZ
Incident Response
5. pfSense: https://www.pfsense.org/
Security appliance (firewall/VPN/router)
6. Elastic: https://www.elastic.co/de/
Analytics
7. Osquery: https://www.osquery.io/
Endpoint visibility
8. Arkime: https://arkime.com/
Packet capture and search
9. Wazuh: https://wazuh.com/
XDR and SIEM
10. AlienVault OSSIM: https://lnkd.in/eShQt29h
SIEM
11. Velociraptor: https://lnkd.in/eYehEaNa
Forensic and IR
12. MISP project: https://lnkd.in/emaSrT57
Information sharing and Threat Intelligence
13. Kali: https://www.kali.org/
Security OS
14. Parrot: https://www.parrotsec.org/
Security OS
15. OpenIAM: https://www.openiam.com/
IAM
16. Yara: https://lnkd.in/eEJegEak
Patterns
17. Wireguard: https://www.wireguard.com/
VPN
18. OSSEC: https://www.ossec.net/
HIDS
19. Suricata: https://suricata.io/
IDS/IPS
20. Shuffler: https://shuffler.io/
SOAR
21. Phish Report: https://phish.report/
Anti Phishing
22. Graylog: https://lnkd.in/eAFuUmuw
Log management
23. Trivy: https://lnkd.in/e7JxXStY
DevOps/IaC Scanning
24. OpenEDR: https://openedr.com/
EDR
25. Metasploit: https://lnkd.in/e4ECX-py
Pentest
26. NMAP: https://nmap.org/
@Engineer_Computer
What Is a Red Teamer?
A Red Teamer is a professional who simulates cyberattacks, physical security breaches, or other types of adversarial activity against a company or organization, in order to identify vulnerabilities and weaknesses in their security posture.
Red Teamers typically work alongside Blue Teamers to help them improve their defenses and ensure that they are adequately prepared to prevent and respond to real-world attacks.
Red Teamers use various techniques, such as social engineering, penetration testing, and physical security testing, to simulate attacks and provide feedback on how to improve security.
Their goal is to uncover weaknesses that an attacker might exploit and provide recommendations to address them.
As you probably already understand, a red team member is someone who, in simple words, can compromise an organization using a large arsenal of tactics and tools; and when such a person chooses the wrong side, we get a highly dangerous individual.
@Engineer_Computer
What Job Titles Suit a Red Teamer?
A red teamer can hold many types of titles and positions. In the ideal scenario, where a red teamer only uses his/her power for good, they can hold jobs such as:
• Red Team Operator: This one is pretty obvious by the name but nonetheless, a Red Team Operator is responsible for conducting offensive security operations and simulating adversarial attacks on an organization’s infrastructure, applications, and people. This is the more “classic” role for a red teamer, as they use tactics such as social engineering, penetration testing, and other techniques to identify vulnerabilities and weaknesses in an organization’s security landscape.
• Penetration Tester: A Penetration Tester, also known as a “pentester,” is a cybersecurity professional who performs simulated attacks on an organization’s network and applications to identify vulnerabilities and weaknesses that could be exploited by attackers. They use a variety of tools and techniques to simulate real-world attacks and provide detailed reports on their findings. At first glance, it seems that pentester and red teamer are the same position. However, this is not the case. A pentester mostly focuses on specific software failpoints, such as certain apps and services the organization uses, while a red teamer is in charge of the whole operation and targets not only vulnerabilities but also, as mentioned, people, by using social engineering techniques. In addition, a red teamer simulates an ongoing attack: not just setting a foot in the victim’s infrastructure, but also taking charge of other steps such as lateral movement and data exfiltration. Overall, we can look at red team operator as a more “broad” position than a pentester.
• Security Auditor: A Security Auditor is responsible for reviewing an organization’s security policies, procedures, and controls to ensure that they meet industry standards and regulatory requirements. They may also perform security assessments and audits to identify vulnerabilities and weaknesses in an organization’s security posture, and provide recommendations for improvements.
@Engineer_Computer
⭕️ RADAR: How DevSecOps is Revolutionizing Security at Snapp
In this article, one of Snapp's AppSec Engineers goes into the details of DevSecOps at Snapp.
In very brief terms, Snapp's RADAR framework, which integrates security testing into CI/CD, consists of the following tools:
1. SAST: semgrep
2. SCA, SBOM: Grype, Syft
3. Secret Detection: Gitleaks
4. IaC: KICS
5. Container Scanning: Trivy
6. DAST: ZAP
7. Vulnerability Management: DefectDojo, OWASP Dependency-Track
Article:
https://medium.com/@mohammadkamrani7/radar-how-devsecops-is-revolutionizing-security-at-snapp-5f496fd08e79
#DevSecOps #AppSec #DAST #SAST
@Engineer_Computer
Offensive security
1. burpgpt - Burp Suite extension that integrates OpenAI's GPT to perform an additional passive scan for discovering highly bespoke vulnerabilities, and enables running traffic-based analysis of any type
https://github.com/aress31/burpgpt
2. LDAP shell - AD ACL abuse
https://github.com/PShlyundin/ldap_shell
@Engineer_Computer
DFIR
PowerShell script to help Incident Responders discover adversary persistence mechanisms
https://github.com/joeavanzato/Trawler
@Engineer_Computer
Malware analysis
1. ROKRAT Malware
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link
2. Decoy Dog Malware
https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic
@Engineer_Computer
Heads up, everyone!
CISA has issued an advisory warning of active exploitation of three known vulnerabilities, including CVE-2023-1389 (TP-Link Archer AX-21), CVE-2021-45046 (Apache Log4j2) and CVE-2023-21839 (Oracle WebLogic).
Details: https://thehackernews.com/2023/05/active-exploitation-of-tp-link-apache.html
Critical flaw affecting ME RTU remote terminal units!
CISA has issued an advisory about the security vulnerability tracked as CVE-2023-2131, which has received the highest severity rating of 10.0 on the CVSS scoring system.
Details: https://thehackernews.com/2023/05/cisa-issues-advisory-on-critical-rce.html
@Engineer_Computer
#Cyber #Police #Spyware #BouldSpy
According to a report by Lookout's mobile malware analysis lab, a spyware named BouldSpy has been distributed in Iran; it is said to have been developed by Iran's cyber police, and the spyware's command-and-control servers were provincial police command centers.
It is also stated that this spyware was embedded in, and distributed as, apps such as Psiphon, Fake Call, Currency Converter Pro, Call Service, CPU-Z and some others.
The report states that the spyware was installed on the phones of detained suspects and then spied on them; the data collected from the Android phones included location, call history, contact list, keystroke logging, browser history, microphone audio recording, screenshots and recordings of VoIP calls.
The technical analysis of this spyware found that a function named onDestroy is defined which, on a restart, is called, fires a Broadcast and starts its service again.
@Engineer_Computer