Part 1: Step 0

This content is based on the H1 tasks of the Data Security course by Mr. Karvinen. We will first look at some theoretical background and then follow step-by-step guides and setup instructions to get our hands dirty.

Notes on the paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains":

  • Traditional incident response is reactive, which makes it only partly effective in many current scenarios.
  • New threats such as APTs (advanced persistent threats) are on the rise. They rely on undetected infiltration of a system that can persist for years. Such attacks are usually highly sophisticated and difficult to defend against unless they are specifically anticipated and the defender has background information on the threat actors.
  • Kill chain models improve the defense against such attacks by mapping the structure an intrusion has to follow, which reduces both the risk and the success rate of APTs: breaking any one link of the chain stops the intrusion.

A kill chain is a systematic process for targeting and engaging an objective; the concept originated in the military. In data security the same model has served as a useful basis for analysing intrusions.

Kill Chain Phases (from a computer network attack perspective)
  1. Reconnaissance: Identify the target and gather intelligence. Sources include, among others, digital, physical and human ones.
  2. Weaponization: Preparation of a deliverable payload. This can be a digital file or a physical device that is equipped with malicious functionality.
  3. Delivery: Transmission of the weaponized payload to the target. This could be an email attachment, a USB device, etc.
  4. Exploitation: Once delivery succeeds, the payload is triggered and executed.
  5. Installation: The triggered payload installs a foothold that gives persistence on the target system and access from the outside.
  6. Command and Control (C2): Compromised targets typically report to a control server to establish a C2 channel.
  7. Actions on Objectives: Only after all previous phases are complete can the attacker carry out the actual goal of the intrusion. This could be data theft, encryption, sabotage, further compromise, etc.

With a full understanding of the kill chain it becomes easier to detect and test potential paths of attack, and to test how effective the implemented defenses are at each phase. This is easier said than done and depends strongly on the capabilities of both the attacker and the defender.

Since this process is rather resource intensive and its ROI is difficult to quantify, many companies ignore its importance until it is too late. We can see a reflection of that in the countless news articles where extremely sensitive data is stolen, encrypted by ransomware, and so on. These cases span from power plants, voting systems and defense manufacturers to insurers, and so on.

Linux Command Line Basics

When working with Linux we will sooner or later have to deal with the command line. Below are a few essential commands that will make the start a bit easier.

Navigating

  • pwd --> print current directory
  • ls --> list files in current directory
  • cd --> change directory

File handling

  • nano --> simple text editor, opens or creates the given file
  • cat --> prints the contents of a file. It can also be used to create files.
  • mkdir --> create folder
  • rmdir --> remove folder
  • rm --> remove file
  • find --> locates files

Help

  • man --> shows the manual for a command, for example "man ls"

There are obviously many other commands which are just as important, if not more so. You can find some of them in the sources linked below. Do not forget that you can combine any of these commands with man to get additional information.

Installing Debian on VirtualBox

This is a rather straightforward process. We require two things: a Linux ISO (I used Debian 11) and VirtualBox from Oracle. Please click the buttons below to get straight to their respective download pages.

Step by Step Process

  1. Install VirtualBox and create a new virtual machine. You can set the parameters according to your desired use. Make sure that the operating system parameter matches the one you are planning to install. The storage allocation can be set to dynamic, which prevents unnecessary disk space on the host from being reserved up front. I was quite generous here since my host computer has a lot of resources, so your mileage may vary.
  2. Under the IDE controller in the storage settings, make sure that you mount your downloaded ISO file as a virtual optical drive, so that the OS installation starts once you spin up the VM.
  3. Let's start the VM. We should now be presented with the installation menu of the mounted operating system disc.
  4. Just follow the guided installation. When the process is complete you will have to restart the VM, and you are then good to go.
  5. To update and upgrade the system to the latest state we can run the following two commands:
    $ sudo apt-get update
    $ sudo apt-get -y dist-upgrade

PS: it might be useful to boot a live environment first, before installing, to ensure that everything performs to your liking. More detailed step-by-step instructions can be found in the source linked below.

Installing Webgoat 8

WebGoat is a purposefully insecure web app, which is extremely handy for practicing and testing security-related techniques. Before we install it we should ensure that the following prerequisites are met:

  • UFW firewall installed and enabled
  • Java installed

To install and start WebGoat we can run the following two commands:

  • wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M26/webgoat-server-8.0.0.M26.jar
  • java -jar webgoat-server-8.0.0.M26.jar
Once those steps are complete we can verify that everything is running by opening http://localhost:8080/WebGoat/ in a browser. If everything went as planned we should see the WebGoat login screen. To proceed further we will have to register a new user on the web interface. Once that is done we are ready to go.

More detailed information and steps can be found in the source linked below.

Over The Wire: Bandit (Level 0-7)

Nothing is better than a bit of hands-on practice. Bandit, reached over an SSH connection, gives us a great option to do exactly that.

Level 0

We are starting off very easy. With ls we see that there is a file called readme. cat readme provides us with the password for the next level: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1

With the help of ls we see that the file is named "-". Let's open it with cat ./- (the ./ prefix is needed because a bare - would make cat read from standard input instead). The password we now see is: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2

Since we know the name of the file is "spaces in this filename", quoting the name in the command cat "spaces in this filename" will return the password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3

We know the file is hidden in the directory "inhere". Let's move to that directory with cd inhere. With ls -a we list all of the files in the directory, hidden or not. We see that the hidden file is named ".hidden". Now we simply execute cat .hidden and we will see the next password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4

The password is stored in a human-readable file inside the directory "inhere". Let's change to this directory with the cd command. With ls we can see that there are 9 files in here. We could either check each of them manually, or we simply run file ./-file0*, which lists the file types of all of them. Since only -file07 is ASCII text, the password must be in there. Let's run cat ./-file07 and we get the password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5

We know the password is in the directory "inhere", that the file is 1033 bytes large, human readable, and not executable. So let's move into the folder and search with exactly those parameters: find -type f -size 1033c ! -executable. Bingo, we found something in "./maybehere07/.file2". Once we open the file with cat we get the password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6

Much like the previous level, we are given some file properties and have to find the file. We know the owning user and group, as well as the size of 33 bytes. So let's run find / -type f -group bandit6 -user bandit7 -size 33c from the root directory (appending 2>/dev/null hides the permission-denied errors for directories we cannot read). Looks like the file we are looking for is "/var/lib/dpkg/info/bandit7.password". If we open that with cat we see the following password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7

We know the filename is "data.txt" and that the password is next to the word "millionth". Let's run grep -n "millionth" data.txt, which prints the matching line together with its line number, and we see that the password is: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
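The file-handling tricks from levels 1, 2, 3, 5 and 7 can be rehearsed offline. The script below is an added example and not part of the original write-up or of Bandit itself: it rebuilds the same situations in a scratch directory with constructed file names and "passwords", then resolves each one with the commands used above (level 4 is left out because it relies on the file utility, which is not always installed).

```shell
#!/bin/sh
# Added example, not from the original write-up: rebuilds the Bandit
# level 1, 2, 3, 5 and 7 file situations in a scratch directory. Every
# file name and "password" here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_tree() (
    cd "$WORK"
    printf 'pw-dash\n' > ./-                          # level 1: a file named "-"
    printf 'pw-spaces\n' > 'spaces in this filename'  # level 2: spaces in the name
    mkdir -p inhere/maybehere07
    printf 'pw-hidden\n' > inhere/.hidden             # level 3: dotfile, shown only by ls -a
    # level 5: the real file is exactly 1033 bytes and not executable;
    # the decoys are the same size but executable, or one byte larger
    printf '%1033s' '' | tr ' ' x > inhere/maybehere07/.file2
    printf '%1033s' '' | tr ' ' y > inhere/maybehere07/.file1
    chmod u+x inhere/maybehere07/.file1
    printf '%1034s' '' | tr ' ' z > inhere/maybehere07/-file3
    # level 7: the password is the field next to the word "millionth"
    printf 'thousandth\tpw-wrong\nmillionth\tpw-million\nbillionth\tpw-other\n' > data.txt
)

level1() ( cd "$WORK" && cat ./- )            # "./" stops cat from reading "-" as stdin
level2() ( cd "$WORK" && cat 'spaces in this filename' )
level3() ( cd "$WORK/inhere" && cat .hidden )
level5_path() (                                # prints the single path that matches
    cd "$WORK/inhere"
    find . -type f -size 1033c ! -executable   # -executable is a GNU find test
)
level7() ( grep -n millionth "$WORK/data.txt" | cut -f2 )   # -n prefixes the line number

build_tree
printf 'level 1: %s\nlevel 2: %s\nlevel 3: %s\n' "$(level1)" "$(level2)" "$(level3)"
printf 'level 5: %s\nlevel 7: %s\n' "$(level5_path)" "$(level7)"
```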