Horizon3.ai

Glossary

1-Click-Verify

The 1-click verify feature in the NodeZero™ platform allows users to quickly verify whether their remediation of a weakness was successful.

Attack Path

An attack path refers to the sequence of steps or actions an attacker may take to compromise a system or network. It involves identifying vulnerabilities and other weaknesses, exploiting them, and navigating through the network to access valuable information or resources.

Attack Path Graph

An attack path graph is a visual representation of the sequence of steps or actions an attacker might take to compromise a system or a network. It provides a graphical view of the attack path, allowing users to understand the flow of the attack and the relationships between different components of the network.

Attack Surface

An attack surface is the sum of all entry points into an environment that could possibly allow or enable a successful cyberattack. Knowing which ways attackers could enter an environment, and assessing the likelihood of successful entry, is an important metric when measuring cyber risk.

Autonomous Pentesting

Autonomous pentesting is a capability uniquely offered by the NodeZero platform. Without predetermined scripts, NodeZero maneuvers through an environment on its own just as an attacker would, orchestrating hundreds of offensive security tools and opportunistically choosing its next method of exploitation based on the weaknesses it uncovers in your network.

Black Box Testing

A black box test assumes the testing system or testing personnel know nothing about the environment they are about to test. This type of test provides a more realistic view and measurement of risk than white box testing.

Blast Radius

Blast radius is a metric that measures the total impact of a single security event. For example, in the context of a compromised credential, the blast radius indicates the number of additional devices or applications that can be accessed using that particular compromised credential.

BloodHound Data

BloodHound data is the reconnaissance information collected and analyzed by the BloodHound tool, which is an open source tool used to find unintended relationships within an Active Directory and/or Azure environment. NodeZero users have the option to obtain the BloodHound data collected during a pentest.

Blue Team

In information security, a blue team is responsible for defending an organization’s IT systems and assessing its level of security against a simulated attack carried out by mock attackers.

CISA

CISA is an acronym for the U.S. Cybersecurity & Infrastructure Security Agency. According to CISA, it develops a range of cyber and infrastructure security services, publications, and programs for federal government, State, local, tribal, and territorial (SLTT) governments, industry, small and medium businesses, educational institutions, and the American public.

Credential Injection

Credential injection defines a process whereby credentials are obtained from one system and injected into another system for the purpose of gaining access to the second system.

Credential Stuffing

Credential stuffing is the automated injection of stolen credentials (username and password pairs) into a device, system, or application usually for the purpose of fraudulently gaining access to some other user’s account.

CVE

CVE stands for Common Vulnerabilities and Exposures which is a widely known cybersecurity industry program designed to identify, define, and catalog publicly known cybersecurity vulnerabilities and exposures.

Cybercriminals

Cybercriminals are organized groups or individuals who are often, though not exclusively, motivated by financial gain. Their methods can include identity theft, credit card fraud, wire-transfer fraud, point-of-sale skimming, and demands for ransom (e.g., ransomware). Additionally, anyone who violates established local, national, and international laws pertaining to illegal cyber activity can also be considered a potential cybercriminal.

DORA

DORA is an acronym that stands for the Digital Operational Resilience Act – Regulation (EU). It is an EU government regulation for financial institutions that defines a uniform set of requirements in the context of network and information security.

DMZ

In information security, a DMZ (demilitarized zone) sets up a security perimeter around IT assets that often provide both external and internal access to their users. The goal of a DMZ is to add an extra layer of security that protects an internal network from external, untrusted traffic.

Exploitable Attack Surface

The exploitable attack surface of an organization highlights what IT systems and/or applications are actually vulnerable to exploitation by cyber attackers. An exploitable attack surface is distinguished by its identification of what can actually be exploited versus what is potentially vulnerable.

External Pentest (Penetration Test)

An external penetration test is often used to first discover what IT systems and applications are visible to the outside world. Once these systems are identified, the external pentest then identifies vulnerabilities and weaknesses within these systems while also assessing security approaches designed to protect externally-facing systems.

GDPR

GDPR is the General Data Protection Act drafted and passed by the European Union (EU) in 2016. GDPR can be considered the world’s strictest law focused on protecting the privacy of EU citizens in the context of their personal data.

Hacktivists

Hacktivists are individuals or groups using cyberattacks as a form of protest or to promote a social, environmental, or political agenda. Their goal is to draw attention to perceived injustices by disrupting the operations of target organizations or governments.

Hybrid Cloud

Hybrid cloud is a mixed computing environment whereby an organization’s IT systems and applications can exist within on-premises and cloud infrastructures. In hybrid cloud, some systems and applications are on-prem and some are deployed in various cloud environments.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This U.S. federal law creates a set of national standards to protect sensitive personal information of healthcare patients within the U.S. and applies to healthcare plans, clearinghouses, and healthcare providers.

Internal Pentest

In an internal pentest, the NodeZero platform takes the perspective of an attacker or malicious insider who has already gained access to your internal network.

Impact

In the context of NodeZero, “Impacts” summarize in business terms the effects NodeZero was able to achieve as a result of exploiting weaknesses in a tested environment.

Implant

Within cybersecurity, an implant is a device and/or system that was intentionally modified to gain unauthorized access via interception of communications between IT devices, systems, and/or applications.

Insider Threat

Insider threats are cybersecurity threats that originate with authorized users such as employees, contractors, or business partners who intentionally or carelessly misuse their legitimate access, or who expose their accounts to takeover by cybercriminals.

Kubernetes

Kubernetes is an open-source orchestration system for containers to aid in automating software deployments, scaling, and management.

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a curated knowledge base of commonly known cyber attackers’ tactics and techniques based upon real world observations. The framework is used by organizations and individuals so they can better understand cyber threat actor behaviors and, in doing so, improve cybersecurity.

MSP

MSP stands for Managed Service Provider. MSPs offer and deliver services to organizations who desire to outsource management of their IT systems, applications, and infrastructure.

MSSP

MSSP stands for Managed Security Service Provider. MSSPs offer and deliver cyber security services to organizations who desire to outsource all or some of their cybersecurity initiatives.

Network Enumeration

Network enumeration is a process used in information security and network management where a user or automated system identifies and maps out a network’s devices, services, and resources.

Network Segmentation

Network segmentation is a network security technique that divides a network into smaller, distinct sub-networks that enable network teams to compartmentalize the sub-networks and deliver unique security controls and services to each sub-network.

N-Day Attack

N-day attacks take advantage of known N-day vulnerabilities that have yet to be patched. These are often a gold mine for attackers since they have enough information about a vulnerability to quickly develop exploits used to compromise unpatched systems. The goal of vendors, distributors, and administrators is to have systems patched as quickly as possible to avoid N-day attacks.

N-Day Test

In the context of NodeZero pentests, these tests automatically identify N-days within an environment as part of the autonomous internal and external pentesting process. For very significant N-days, NodeZero also breaks out specific targeted N-day tests that can be selected and run.

N-Day Vulnerability

An N-day vulnerability is a software or hardware vulnerability that is already publicly known that may or may not have a security patch available to alleviate the vulnerability. The “N” in N-day acts as a placeholder designed to represent the number of days since a CVE was assigned and the vulnerability became publicly known.

NIST

NIST stands for the National Institute of Standards and Technology and is part of the U.S. Department of Commerce. Its mission is to promote American innovation and industrial competitiveness.

NodeZero Runner

The NodeZero runner enables the automated deployment of a NodeZero Docker container. This allows you to provision and deploy pentests from the portal, without having to manually run a NodeZero launch script.

Notable Event

Notable events are a feature of NodeZero’s RealTime View (RTV). These events signify actions that would likely lead to a Critical Impact in your environment.

PCI DSS

PCI DSS stands for the Payment Card Industry Data Security Standard. Although this is not a government regulation, it is a standard handed down by the payment card industry. Organizations who store, process, or transmit payment card information are required to conform to this standard and prove they are meeting PCI Compliance requirements.

OSINT

OSINT is the acronym for open-source intelligence, or publicly available information from various sources such as public records, news media, libraries, social media platforms, images, videos, websites, and the dark web. In the context of NodeZero, it gives you the option of including OSINT in your pentests. When enabled, NodeZero gathers publicly available information to enhance its exploits just as an attacker might.

Purple Team

A purple team is a group of cybersecurity professionals who act as an interface between blue teams and red teams with a primary purpose of defining strategies and recommending actions needed to improve cybersecurity.

RAT

RAT stands for remote access trojan, which is software that gives a person full control over a computing system remotely. Although RATs have some legitimate uses, such as in the case of technical support needing to access a system they support remotely, RATs can also be used by attackers with malicious intent. In the context of NodeZero, a RAT is used to provide NodeZero with additional access to systems to further explore attack paths during operations.

RealTime View (RTV)

In the context of NodeZero, the RealTime View provides users with real-time information and updates on the progress of a running pentest, including status updates for injected credentials and so on.

Red Team

In cybersecurity, a red team is a group of highly skilled cybersecurity personnel who have been authorized to emulate an attack using the same tactics, techniques, and procedures as cyber attackers use to assess an organization’s cybersecurity posture with the end goal of improving security.

RCE

RCE stands for remote code execution. In cybersecurity, some exploitable vulnerabilities allow attackers to remotely execute code on the target system. RCE is considered one of the most severe classes of vulnerability since the victim device actually executes additional code supplied by attackers without knowing it is doing so. Often, RCE results in an attacker gaining complete root-level access to and control over the target system.

RFC

RFC stands for Request for Comments. In the early days of the internet, RFCs were formal documents from the IETF (Internet Engineering Task Force) and were used to create a commonly recognized form of standardization for the internet, since it had no single governing body.

RFC 1918

This RFC defines the IPv4 address space to be used for internal, and often private, networks. RFC 1918 IP addresses are not routable on the public internet. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

      • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
      • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
      • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
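The following is an added example, not part of the Horizon3.ai glossary and not NodeZero code. It builds the three RFC 1918 blocks listed above with Python’s standard ipaddress module and uses them to sort a pentest scope into internal (RFC 1918), other non-routable (loopback, link-local, shared address space, documentation ranges), and externally routable entries. The scope list and the function names is_rfc1918 and classify_scope are constructed for this illustration. The distinction matters in practice: "not routable on the internet" is broader than RFC 1918, and a scope check that only asks "is this address global?" will silently fold loopback or link-local entries in with real internal assets.

```python
import ipaddress
from typing import Dict, Iterable, List

# The three RFC 1918 blocks exactly as listed in the glossary entry.
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(entry: str) -> bool:
    """True if entry (an IPv4 address or CIDR) lies entirely inside one RFC 1918 block.

    A CIDR that only overlaps a block (e.g. 172.0.0.0/8) is NOT RFC 1918 space,
    because part of it is publicly routable. RFC 1918 covers IPv4 only.
    """
    net = ipaddress.ip_network(entry, strict=False)  # "10.1.2.3" becomes 10.1.2.3/32
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def classify_scope(entries: Iterable[str]) -> Dict[str, List[str]]:
    """Sort scope entries into three buckets, preserving input order.

    internal       - entirely within RFC 1918 space
    other_reserved - not RFC 1918, but still not globally routable
                     (127/8 loopback, 169.254/16 link-local, 100.64/10 shared
                     address space, 203.0.113/24 documentation, ...)
    external       - globally routable, i.e. reachable from the internet
    """
    result: Dict[str, List[str]] = {"internal": [], "other_reserved": [], "external": []}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if is_rfc1918(entry):
            result["internal"].append(entry)
        elif not net.network_address.is_global:
            result["other_reserved"].append(entry)
        else:
            result["external"].append(entry)
    return result


# Constructed sample scope: a mix of private, reserved and public entries.
SAMPLE_SCOPE = [
    "10.1.2.3",          # RFC 1918 (10/8)
    "172.31.255.255",    # RFC 1918, last address of 172.16/12
    "172.32.0.1",        # one past the 172.16/12 block: public, a common mistake
    "192.168.100.0/24",  # RFC 1918 subnet
    "127.0.0.1",         # loopback, non-routable but not RFC 1918
    "169.254.10.20",     # link-local (APIPA), not RFC 1918
    "100.64.0.1",        # RFC 6598 shared address space (CGNAT), not RFC 1918
    "203.0.113.10",      # TEST-NET-3 documentation range, not RFC 1918
    "8.8.8.8",           # public
]

if __name__ == "__main__":
    for bucket, members in classify_scope(SAMPLE_SCOPE).items():
        print(f"{bucket}: {members}")
```

Note that 172.32.0.1 lands in the external bucket: the 172.16/12 block ends at 172.31.255.255, and addresses just outside it are publicly routable, which is why the check is done against the exact prefixes rather than against "172.x" by eye.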

Script Kiddies

Script kiddies are novice attackers, typically with limited technical knowledge, who rely on pre-written scripts or tools to launch attacks. They may be motivated by curiosity or a desire to test boundaries, and may be seeking peer validation or personal entertainment.

Sensitive Data Exposure

In the context of NodeZero, sensitive data exposure is a type of impact that indicates NodeZero was able to potentially access sensitive information given the filetype or service that is compromised. Examples include, but are not limited to:

      • Business documents in file shares (.docx, .pdf, .xlsx)
      • Outlook PST files
      • Confluence RCE
      • Exchange RCE

State-Sponsored Attackers

State-sponsored attackers are highly sophisticated attackers funded and directed by national governments. Their goals include:

      • Espionage: Gathering intelligence on adversaries or global developments.
      • Disruption: Sabotaging critical infrastructure or services of adversarial nations.
      • Influencing operations: Manipulating perceptions or elections.

TCP

In networking, TCP stands for transmission control protocol. This protocol is the underlying protocol that allows two distinct computing devices to send and receive information between one another in a controlled fashion and is foundational to the internet. This is a connection-oriented protocol that defines how connections are established between devices, how those connections are maintained, and how data is transferred between devices while ensuring the integrity and deliverability of data.

UDP

In networking, UDP stands for user datagram protocol. This protocol is also an underlying protocol used widely between devices. However, unlike TCP, this protocol is connectionless, meaning the data transferred between devices is delivered on a “best effort” basis. This protocol is primarily used to establish low-latency data transmission that can tolerate some level of data loss, for example, in a video stream.

Vulnerability

In the context of software, vulnerabilities are created by way of poorly written code that is at risk from a host of different types of cyber attacks. All known software likely contains some number of hidden vulnerabilities that may or may not yet have been found. Researchers and attackers find these hidden vulnerabilities, develop exploits, and take advantage of the poorly written code.

Weakness

In cybersecurity, a weakness refers to a vulnerability, security flaw, risky situation, or an oversight that can be exploited by an attacker to compromise a system or network. Weaknesses can include misconfigurations, outdated software, default credentials in use, easily guessable credentials, or other vulnerabilities that can be leveraged to gain unauthorized access or perform malicious actions.

Zero Day

A zero day is a vulnerability or security flaw in software or systems that is unknown to the vendor or developer. Some vulnerabilities can be called a “zero day” because the software vendor has had zero days to fix or patch the unknown vulnerability. Zero day vulnerabilities are valuable to attackers because they can be exploited in the wild since there is no patch or fix yet available.