Module 3: Penetration Testing
Prof. Kanchan Dhuri
• I would immediately worry about whether I could be a target. If I
am the target, I have to read all the information from other
incidents—how they got in, what they did, whether they performed
any data exfiltration, or whether they carried out a ransomware
attack, and so on. Then, I have to check my defense controls to
see if I can handle that particular APT.
MITRE ATT&CK https://attack.mitre.org/
It's a framework to study the adversary's behavior in a very structured way.
Each tactic has multiple techniques by which it can be realized, and techniques can be described in terms
of procedures—how a technique is actually applied. This knowledge base is community-driven; it's not
solely done by MITRE people. They invited everyone to contribute, and it has become a huge and very
useful knowledge base for everyone.
You can have techniques associated with, let's say, initial access. For initial access, you can have content
injection, drive-by compromise, exploit public-facing application, external remote services, and so on.
APT-1 is a Chinese threat group attributed to the 2nd Bureau of the People's Liberation Army General Staff
Department's 3rd Department, commonly known by its military unit cover designator as Unit 61398. This
group has been analyzed quite a bit by various threat intelligence agencies.
So there are 11 tactics placed along the top of this matrix, and below each tactic is a list of the techniques
that are usually used to realize that tactic.
OpenCTI (Open Cyber Threat Intelligence Platform)
• OpenCTI is an open-source threat intelligence platform
designed to structure, store, analyze, and share cyber threat
intelligence.
• It provides a centralized knowledge base for organizations to
manage all aspects of threat intel, including threat actors, TTPs,
campaigns, indicators, vulnerabilities, and relationships
between them.
• Key Features of OpenCTI
  • Structured Data Model (STIX 2.1)
    • Uses the STIX standard to represent threat intelligence in a structured, machine-readable format.
    • Stores relationships between entities like Threat Actors → Campaigns → Techniques → Indicators.
  • Graph-Based Visualization
    • Displays relationships between entities in a graph view, making it easier to understand connections
      (e.g., which threat group uses which malware and techniques).
  • Integration Capabilities
    • Supports connectors to ingest data from external sources (like MISP, MITRE ATT&CK, VirusTotal).
    • Exports data to SIEM, SOAR, EDR tools for detection and response.
  • Collaboration
    • Multiple teams (SOC, Threat Intel, CSIRT) can work together on a shared threat intelligence knowledge
      base.
  • Threat Actor & TTP Mapping
    • Integrates with MITRE ATT&CK to map observed behaviors to tactics and techniques.
• Scenario: A financial organization wants to track and analyze APT29 activity to strengthen its defenses.
1] Ingest Threat Intelligence:
   OpenCTI pulls data from MISP, MITRE ATT&CK, and external intel feeds about APT29.
2] Create Entities & Relationships:
   Entity: APT29 (Threat Actor)
   Campaign: “SolarWinds Attack”
   Techniques: Spearphishing Attachment (T1566.001), Command and Control over HTTPS (T1071.001)
   Malware: SUNBURST
3] Add Indicators of Compromise (IOCs):
   • IP addresses, domain names, file hashes related to SUNBURST.
4] Export to Detection Tools:
   • Pushes relevant IOCs and TTP mappings to SIEM or EDR for monitoring.
5] Analyze and Prioritize:
   The security team visualizes the attack chain in OpenCTI to find coverage gaps in defenses.
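The scenario above, worked as an added example (not OpenCTI's own code): the APT29 entities and relationships are built as STIX 2.1 objects, the relationship graph is walked the way the graph view does, and the actor's techniques are compared against a set of technique IDs our detections cover. The SHA-256 in the indicator is a constructed placeholder, and the `detected` set is assumed input, not anything from the slides.

```python
import uuid

def sid(stix_type, name):  # deterministic STIX 2.1 id '<type>--<uuid>' (uuid5 keeps the demo stable)
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, name)}"

def sdo(stix_type, name, **extra):  # minimal STIX Domain Object
    return {"type": stix_type, "spec_version": "2.1", "id": sid(stix_type, name), "name": name, **extra}

def rel(kind, src, dst):  # STIX Relationship Object: src --kind--> dst
    return {"type": "relationship", "spec_version": "2.1", "relationship_type": kind,
            "id": sid("relationship", f"{kind}:{src['id']}:{dst['id']}"),
            "source_ref": src["id"], "target_ref": dst["id"]}

def attack(name, tid):  # attack-pattern carrying its ATT&CK id as an external reference
    return sdo("attack-pattern", name,
               external_references=[{"source_name": "mitre-attack", "external_id": tid}])

# Entities from the scenario. The SHA-256 is a CONSTRUCTED placeholder, not a real SUNBURST IOC.
actor = sdo("threat-actor", "APT29")
campaign = sdo("campaign", "SolarWinds Attack")
malware = sdo("malware", "SUNBURST", is_family=True)
ioc = sdo("indicator", "SUNBURST sample (placeholder)", pattern_type="stix",
          pattern="[file:hashes.'SHA-256' = '" + "00" * 32 + "']")
techniques = [attack("Spearphishing Attachment", "T1566.001"),
              attack("Command and Control over HTTPS", "T1071.001")]
BUNDLE = {"type": "bundle", "id": sid("bundle", "apt29-demo"), "objects": [
    actor, campaign, malware, ioc, *techniques,
    rel("attributed-to", campaign, actor), rel("uses", campaign, malware),
    *[rel("uses", campaign, t) for t in techniques], rel("indicates", ioc, malware)]}

def linked(bundle, start_id, want_type):
    """Objects of want_type reachable from start_id via relationships (either direction)."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = {}
    for r in (o for o in bundle["objects"] if o["type"] == "relationship"):
        edges.setdefault(r["source_ref"], set()).add(r["target_ref"])
        edges.setdefault(r["target_ref"], set()).add(r["source_ref"])
    seen, todo = {start_id}, [start_id]
    while todo:  # walk the connected component: the attack chain shown in the graph view
        for n in edges.get(todo.pop(), ()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return [objs[i] for i in seen if i in objs and objs[i]["type"] == want_type]

def coverage_gaps(bundle, actor_id, detected):
    """ATT&CK ids in the actor's chain that none of our detections cover."""
    used = {ref["external_id"] for ap in linked(bundle, actor_id, "attack-pattern")
            for ref in ap.get("external_references", [])}
    return used - set(detected)
```

With detections only for T1566.001, `coverage_gaps(BUNDLE, actor["id"], {"T1566.001"})` reports T1071.001 as the uncovered technique.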
Why do organizations use OpenCTI?
• Centralized threat intel management.
• Context-rich analysis with relationship mapping.
• Automates intel sharing with SOC, CSIRT, and external partners.
• Vulnerability assessment is the process of identifying, evaluating,
and prioritizing security weaknesses in systems and applications.
Two key elements in this process are CVE (Common
Vulnerabilities and Exposures) and CVSS (Common
Vulnerability Scoring System), which provide standardized
methods for tracking and scoring vulnerabilities.
CVE (Common Vulnerabilities and Exposures)
• CVE is a standardized identifier for publicly known cybersecurity
vulnerabilities.
• Role in Vulnerability Assessment:
• Provides a unique ID for each vulnerability (e.g., CVE-2024-12345),
ensuring consistency across tools and reports.
• Helps organizations track vulnerabilities across different systems and
software.
• Enables integration between vulnerability scanners, SIEMs, and patch
management tools.
• Example:
• CVE-2021-34527 (PrintNightmare vulnerability) – widely referenced
across advisories and tools for patching guidance.
CVSS (Common Vulnerability Scoring System)
• CVSS provides a numerical score (0.0 to 10.0) and severity rating
(Low, Medium, High, Critical) to describe the risk level of a vulnerability.
• Role in Vulnerability Assessment:
• Helps prioritize remediation based on severity and exploitability.
• Considers base metrics (e.g., impact, attack vector), temporal metrics
(e.g., exploit availability), and environmental metrics (e.g.,
organizational context).
• Enables risk-based patching strategy instead of treating all
vulnerabilities equally.
• Example: CVSS score 9.8 (Critical) for CVE-2021-44228 (Log4Shell)
indicates urgent remediation.
Severity Level    CVSS Score Range
None              0.0
Low               0.1 – 3.9
Medium            4.0 – 6.9
High              7.0 – 8.9
Critical          9.0 – 10.0
• 0.0 (None) → No impact or exploitability (e.g., informational issue).
• 3.5 (Low) → Minor security impact (e.g., requires local access).
• 6.5 (Medium) → Moderate impact, network attack possible.
• 8.2 (High) → Major risk, easy remote exploitation.
• 9.8 (Critical) → Full remote exploitation, severe impact (e.g.,
Log4Shell).
Combined Role in Vulnerability Assessment
• CVE gives the identifier and description of the vulnerability.
• CVSS provides the severity rating and risk context for prioritization.
Together, they enable:
• Standardized communication across teams and tools.
• Efficient vulnerability management by focusing on high-risk issues first.
The pyramid of pain is basically a way of looking at which kinds of threat intelligence, that is, intelligence about the
adversary, actually help defenders.
Many times we say: I want to detect whether a particular adversary is attacking me by looking at whether the
malware they normally use is being used in my system, or whether there is any sign of that malware in my system.
The usual way to recognize malware that has been seen before is to take its hash value: a hash function is applied to
the entire binary of the malware found in another attacked system, and people use that hash as an indicator of
compromise. If you find a binary with the same hash value, then it is that same malware that is in my system.
1] Trivial: hash values. It is trivial for attackers or adversaries to change the hash value, and therefore depending on
the hash value to detect a particular adversary is not a very effective approach.
2] Easy: IP addresses. For the adversary it is very easy to change IP addresses.
3] Simple: domain names. These can also be changed easily. We talked about this before: there is domain flux, where
attackers continuously move the domain name and register a new one very quickly. So domain names are also simple
for the attacker to change, not as easy as changing IP addresses or the hash value, but still quite easy.
4] Annoying: network and host artifacts. MAC addresses, or certain fingerprints of hosts, can be used as a way of
detecting adversary activity in my system. Even these can be changed by the adversary, although acquiring a new host
or a new network connection is slightly more challenging, because they then have to subscribe to a different cloud
service and so on. So it is annoying for the adversary, but not that difficult.
5] Challenging: tools. In the SolarWinds case the adversary used one particular piece of malware that they inserted;
in the case of Stuxnet they used the Stuxnet worm; in the 2015 Ukrainian power grid attack they used the BlackEnergy
malware. Such tools are expensive to build. So if you recognize the adversary by the tool, that is, by what the
unwanted program inserted into your system actually does, rather than by the hash value of the malware, you may be
more effective. Adversaries do develop new tools, but over time, not necessarily very quickly. So it is challenging for
the adversary.
6] Tough: tactics, techniques and procedures (TTPs). For the adversary to hide or completely change these is a lot
more work, because it takes them a long time to study a target and figure out all the different sub-goals that must
succeed for the final goal to be reached. The TTPs they use against one target they are likely to use against other
similar targets, because it takes time to plan and build that capability. So for the adversary the toughest challenge is
to mutate their TTPs quickly. Adversaries do change their TTPs over time, but within a short time span it is tougher
for them to change, and that is why TTPs sit at the top of the pyramid.
This is called the pyramid of pain, and the pain is the adversary's pain, not the defender's.
MISP (Malware Information Sharing Platform & Threat Sharing)
• MISP is an open-source threat intelligence platform (TIP) that helps organizations
collect, store, share, and correlate indicators of compromise (IOCs) and threat
intelligence.
• Key Points about MISP:
• Purpose: Facilitates information sharing on threats (malware, vulnerabilities, attack
campaigns, TTPs).
• Data Types: Supports IOCs like IP addresses, domains, file hashes, email
addresses, malware samples, etc.
• Collaboration: Organizations can share intel within trusted communities (e.g.,
industry groups, ISACs).
• Correlation: MISP can automatically link related events (e.g., same IP used across
different attacks).
• Integration: It can integrate with SIEMs, IDS/IPS, SOAR, and other security tools to
improve detection & response.
• MISP is a collaborative threat intelligence sharing and analysis platform, widely
used in SOCs (Security Operations Centers) and CSIRTs (Computer Security Incident
Response Teams).