Enhancing Cybersecurity Defenses: The Mathematical Imperative of Application Allowlisting

IMPORTANT: I have rewritten this blog post based on the original LinkedIn post by Timothy R – https://www.linkedin.com/in/timrohrbaugh/ , https://www.linkedin.com/posts/timrohrbaugh_cybersecurity-allowlisting-applicationwhitelisting-activity-7132859242478219264-plO1/ I am not claiming authorship, and I have Timothy's approval for this blog post.

In the ever-evolving landscape of cybersecurity, the role of Allowlisting, specifically application whitelisting for computing devices, has transformed from being a mere option to an absolute necessity. Operating without this critical defense mechanism not only exposes vulnerabilities but also poses substantial threats to both human and financial resources. To emphasize the urgency of this matter, let’s explore the mathematical perspective of Allowlisting and its impact on the endpoint surface area—a crucial consideration in the battle against malware.

At the core of this mathematical analysis is the concept of the attack surface (S), representing the myriad potential entry points for malware into a system. This surface is influenced by several variables, each playing a distinct role in shaping the overall security posture:

  • E: The number of types of executable files a system can process.
  • A: The number of application files currently permitted to run.
  • D: The daily influx of new executable files, originating from updates or other sources.
  • T: The time elapsed since the last system rebuild.

The formula encapsulating this concept is defined as follows:

S = (E × A) + (D × T)

Breaking down this formula:

  • S: Represents the expanding attack surface over time.
  • E × A: Signifies the baseline attack surface derived from the system’s capabilities.
  • D × T: Illustrates the growth of the attack surface due to the daily addition of new files.

Consider the scenario of a standard Windows 11 x64 Pro desktop, starting with nearly 60,000 potential entry points on the C drive alone. Routine updates contribute around 25,000 new files monthly, averaging about 833 daily. This calculation doesn’t even account for files from less secure sources such as email attachments, drive-by downloads, or shared drives.

Without the implementation of Allowlisting, every one of these files could potentially execute, placing the burden on Endpoint Detection and Response (EDR) systems—a strategy that has proven inadequate over the past decade, as evidenced by the surge in ransomware attacks.

Allowlisting, which involves predefining each file that can run based on factors such as the publisher's signing certificate, the file hash, or its location, offers a strategic solution. By significantly narrowing the number of permitted executable files (A) and controlling the growth of the attack surface (S), this proactive approach both slows the expansion of potential threats and ensures that only vetted files can execute.
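As an added example (not code from the original post), the toy evaluator below applies the three allowlist criteria just named, publisher certificate, hash and location, to a constructed file inventory and evaluates the post's formula for the Windows 11 figures; FileInfo, Policy, is_allowed, attack_surface, the Contoso publisher and every path are assumptions made here, and E is assumed to be 1 so that E × A equals the post's 60,000 baseline.

```python
"""Toy application-allowlist evaluator plus the post's attack-surface formula.

Added example, not code from the original post. FileInfo, Policy,
is_allowed, attack_surface and every sample file below are constructed.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str                         # location on disk
    content: bytes                    # constructed content, hashed on demand
    publisher: Optional[str] = None   # signing certificate subject, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Policy:
    publishers: frozenset             # trusted signing certificate subjects
    hashes: frozenset                 # trusted SHA-256 digests
    directories: tuple                # trusted locations (keep them non-user-writable)


def _under(path: str, directory: str) -> bool:
    """Case-insensitive containment check after collapsing '..' segments,
    so a path that climbs out of a trusted folder is not treated as inside it."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower().rstrip("\\") + "\\"
    return p.startswith(d)


def is_allowed(f: FileInfo, policy: Policy) -> Tuple[bool, str]:
    """Return (decision, matched rule). Rules are tried strongest first:
    publisher certificate, then hash, then location; no match means deny."""
    if f.publisher and f.publisher in policy.publishers:
        return True, "publisher"
    if f.sha256 in policy.hashes:
        return True, "hash"
    if any(_under(f.path, d) for d in policy.directories):
        return True, "location"
    return False, "default-deny"


def permitted_count(files, policy: Policy) -> int:
    """A under allowlisting: only files matching some rule may run."""
    return sum(1 for f in files if is_allowed(f, policy)[0])


def attack_surface(e: int, a: int, d: int, t: int) -> int:
    """S = (E x A) + (D x T), exactly as defined in the post."""
    return e * a + d * t


# Constructed inventory: vendor-signed binary, unsigned DLL in a trusted folder,
# hash-pinned admin tool, two user-profile executables, one traversal attempt.
POLICY = Policy(
    publishers=frozenset({"CN=Contoso Software, O=Contoso Ltd"}),
    hashes=frozenset({hashlib.sha256(b"approved-admin-tool").hexdigest()}),
    directories=(r"C:\Program Files\Contoso",),
)
FILES = [
    FileInfo(r"C:\Program Files\Contoso\app.exe", b"app", "CN=Contoso Software, O=Contoso Ltd"),
    FileInfo(r"C:\Program Files\Contoso\helper.dll", b"helper"),
    FileInfo(r"C:\Tools\admin.exe", b"approved-admin-tool"),
    FileInfo(r"C:\Users\alice\Downloads\invoice.exe", b"dropper"),
    FileInfo(r"C:\Users\alice\AppData\update.exe", b"upd", "CN=Unknown Publisher"),
    FileInfo(r"C:\Program Files\Contoso\..\..\Users\alice\evil.exe", b"evil"),
]

if __name__ == "__main__":
    for f in FILES:
        ok, rule = is_allowed(f, POLICY)
        print(f"{'ALLOW' if ok else 'DENY':5} {rule:12} {f.path}")
    # Post's Windows 11 figures (60,000 files, ~833 new per day); E assumed 1 so
    # that E x A is the 60,000 baseline. Without allowlisting all of it can run.
    print("S after 30 days, no allowlist:", attack_surface(1, 60_000, 833, 30))
    print("Permitted files in the sample inventory:", permitted_count(FILES, POLICY))
```

Only three of the six sample files can execute under the policy; the traversal path is denied because it is normalised before the location check.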

In essence, for those serious about safeguarding their enterprises from the ever-present threat of malware, Allowlisting is not merely beneficial—it’s imperative in today’s dynamic cybersecurity landscape. Embracing this approach empowers organizations to take a proactive stance against evolving cyber threats, ultimately fortifying their defenses and securing the longevity of their digital infrastructure.

The Human Element in Cybersecurity: Lessons from SOF Truths and the OODA Loop

In today’s digital age, where technology reigns supreme, it’s easy to get caught up in the allure of automation, artificial intelligence, and the latest cybersecurity gadgets.

However, as we navigate the complex landscape of cybersecurity, it’s important to remember that humans are the linchpin in this battle against digital adversaries. This article explores the significance of the human element in cybersecurity, drawing inspiration from the SOF Truths (Special Operations Forces Truths) and the OODA Loop (Observe, Orient, Decide, Act).

The SOF Truths, or United States Special Operations Command – Special Operations Forces Truths, are a set of principles that highlight key aspects of special operations and the roles of Special Operations Forces (SOF). These truths provide insights into the nature of special operations and underscore the principles that guide the work of SOF personnel.

FIRST Special Interest Groups (SIGs)

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

1. Humans Are More Important Than Software

The first of the SOF Truths tells us that when it comes to cybersecurity, humans take precedence over software. The right team of skilled individuals can effectively safeguard networks, clouds, servers, and data, even with limited technological resources. On the flip side, no amount of cutting-edge software can fully compensate for a lack of knowledgeable and capable personnel.

2. Quality Over Quantity

The second truth emphasizes that in cybersecurity, quality is more valuable than quantity. A small, well-trained, and well-led team can outperform a larger force, especially when dealing with the intricate and ever-evolving tactics of cyber adversaries.

3. SOF Cannot Be Mass Produced

Building on the SOF Truths, it’s important to recognize that cybersecurity expertise cannot be hurried. Just as it takes years to train Special Operations Forces to the highest level of proficiency, it also requires intensive training and experience to develop cybersecurity professionals who can tackle specialized missions effectively.

4. Competence Cannot Be Created After Emergencies

Preparedness is key in both Special Operations and cybersecurity. In the digital realm, waiting until an emergency arises to create competent and capable cybersecurity teams is not a viable strategy. Cyber threats are constant, and being ready to respond promptly requires maintaining well-trained teams during peacetime.

5. Dependency on Non-SOF Support

While Special Operations Forces are highly skilled and adaptable, they also rely on support from other branches of the military, such as the Air Force, Army, Marine Corps, and Navy. In cybersecurity, the collaboration of various professionals, including engineers, technicians, and intelligence analysts, is crucial to enhance the effectiveness of cyber defense.

6. OODA Loop in Cybersecurity

In addition to the SOF Truths, the OODA Loop concept (Observe, Orient, Decide, Act) is a decision-making process that is highly relevant in cybersecurity. Observing and understanding the adversary's actions, orienting oneself to the evolving threat landscape, making informed decisions, and taking rapid action are fundamental in the battle against cyber threats.

In conclusion, the human element remains at the core of cybersecurity. While automation and technology are invaluable tools, they cannot replace the insights, adaptability, and expertise of cybersecurity professionals. As we strive to protect our digital assets and information, let’s remember the timeless wisdom of the SOF Truths and the agility of the OODA Loop.

Don't be fooled: plugging ChatGPT into existing software isn't going to be a game changer, as the Gartner AI Hype Cycle suggests.

If you are looking for a solution to this problem, a FIRST SIG might be a good start.

Fipped

Flipper zero

  • https://www.redteamtools.com/rfid-electronic-access-control
  • https://shop.redteamalliance.com/collections/2021-classes/products/1-day-defcon-special-event-flipping-out-about-pacs-applied-modern-hacking-tools-and-techniques
  • https://flipc.org/

LoRa – Long Range Protocols

  • Meshtastic
  • https://www.youtube.com/watch?v=vxF1N9asjts
  • https://www.youtube.com/watch?v=7NxgD22amCQ
  • https://www.allaboutcircuits.com/news/asset-tracker-test-proves-efficacy-zeta-new-lpwa-network/
  • https://www.szanysecu.com/en/h-pr–0_526_3.html?complexStaticUrl=true

Car Hacking Village

  • https://github.com/nonamecoder/FlipperZeroHondaFirmware
  • https://medium.com/@naoumine/vehicle-hacking-with-icsim-part-1-f4bd632cac9e
  • https://www.carhackingvillage.com/talks
  • https://forum.flipperzero.one/t/car-key-emulation/1094
  • https://forum.flipperzero.one/t/car-key-emulation/1094/7
  • https://www.reddit.com/r/flipperzero/comments/u922ur/car_key_cloning/
  • https://gigazine.net/gsc_news/en/20221227-flipper-zero-car-key/
  • https://www.youtube.com/watch?v=1RipwqJG50c

Microsoft Windows Defender Bypass (Research)

GMER

  • http://www.gmer.net/

Fancy Defender evasion? RegLoadKey, RegUnloadKey or NtLoadKey, NtUnloadKey

1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change “Select” values to new one
5. Reboot

https://www.linkedin.com/posts/grzegorztworek_fancy-defender-evasion-yet-another-method-ugcPost-7090917993022443520-YXY9?utm_source=share&utm_medium=member_desktop

CrowdStrike Bypass

  • https://www.horangi.com/blog/bypassing-crowdstrike-falcon
  • https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/
  • https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/
  • https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
  • https://twitter.com/NinjaParanoid
  • https://bruteratel.com/tabs/features/

Red Team Tools

  • Sliver – https://github.com/BishopFox/sliver
  • Mythic – https://github.com/its-a-feature/Mythic
  • Covenant – https://github.com/cobbr/Covenant

Reference

  • http://www.detectx.com.au/bypass-av-edr-remoting/
  • http://www.detectx.com.au/bypassing-av/
  • https://securitytrails.com/blog/red-team-tools
  • https://cybersecuritynews.com/red-team-tools/
  • https://github.com/A-poc/RedTeam-Tools
  • https://www.pluralsight.com/paths/red-team-tools
  • https://bishopfox.com/blog/9-red-team-tools
  • https://www.techtarget.com/searchsecurity/tip/5-open-source-offensive-security-tools-for-red-teaming

National CyberWatch Center

CLARK is the largest platform that provides FREE cybersecurity curriculum. It is home to high-value, high-impact cyber curriculum created by top educators and reviewed for relevance and quality. Whether you’re looking to teach something new tomorrow, align with curriculum guidelines and standards, or refine your current course, CLARK has free resources ready for you to use!

https://clark.center/details/cobrien/0e116db4-cf8d-409b-adf8-9744f62ebc27

Cyber Security Software Vendor, Partner and Distributor Strategy

Channel Distribution strategy for a Cyber Security Software in the context of Managed Security Services, including competitive incentives such as Market Development Funding (MDF), Deal Registration, and more:

Understanding the principles of creating a high-performance channel, and best practices for managing your partners, MSPs and MSSPs, in order to increase your revenue through an indirect model.

Traits of Effective Channel Managers

Substance: Demonstrate an understanding of your partners' needs, and present your technology and programs in a manner that makes them want to engage with you.
Structure: Adopt a structured framework and methodology for developing your channel strategy, to recruit, develop, enable and manage high-performing partners.
Style: Establish a relationship with your partners by adopting the appropriate approach to engage with senior stakeholders and deal with difficult situations.

DynamicDSI Model

  1. Channel Partner Selection:
    • Identify potential channel partners that specialize in Managed Security Services and have a strong customer base.
    • Evaluate their technical expertise, market reach, customer satisfaction, and financial stability to ensure they align with your product and business goals.
  2. Partner Onboarding and Enablement:
    • Provide comprehensive training and certification programs to empower partners with in-depth knowledge of your Cyber Security Software and its value proposition.
    • Offer technical documentation, sales collateral, and product demos to aid their understanding and promote effective sales pitches.
    • Conduct regular webinars and workshops to keep partners updated on new features, updates, and industry trends.
  3. Competitive Incentives:
    • Market Development Funding (MDF): Allocate a portion of your marketing budget to support joint marketing activities with partners. Offer co-branded marketing materials, campaigns, events, and lead generation programs.
    • Deal Registration: Implement a deal registration program to reward partners who proactively identify and register sales opportunities. Provide them with exclusive access to pricing discounts, protection from channel conflict, and priority support.
    • Volume Rebates / Performance-Based Rewards: Set up a tiered partner program that offers escalating rewards based on partner performance, including sales targets, customer satisfaction, and product adoption metrics. Rewards may include enhanced margins, exclusive access to beta versions, or early access to new features.
    • Certification-based rebate tiers
  4. Channel Marketing Support:
    • Provide partners with customizable marketing materials, such as white papers, case studies, and solution briefs, that they can use to educate prospects and differentiate themselves in the market.
    • Offer co-branded demand generation campaigns, including email templates, landing pages, and social media assets, to drive awareness and generate leads.
    • Facilitate joint marketing events, such as webinars, seminars, and conferences, where partners can showcase your Cyber Security Software and engage with potential customers.
    • Round Tables
      • Industry Specific Event Marketing
      • Threat landscape Insight Webinars
  5. Channel Support and Collaboration:
    • Establish a dedicated channel support team to provide timely assistance to partners regarding technical queries, pre-sales support, and post-sales implementation.
    • Foster open communication channels with partners, such as partner portals or online communities, to facilitate knowledge sharing, collaboration, and feedback.
    • Encourage regular business reviews with partners to discuss performance, address concerns, and identify opportunities for improvement.
  6. Continuous Partner Development:
    • Conduct regular training sessions, workshops, and webinars to enhance partner skills and knowledge in emerging cyber security trends and technologies.
    • Provide beta access to new product features and encourage partners to provide feedback and suggestions for improvement.
    • Recognize and reward top-performing partners through awards, incentives, and public recognition.
  7. Partner Recognition
    • Rewards
    • Certification
    • Annual Events
  8. Partner Maturity Matrix and Model (Journey)

Remember to adapt and customize this strategy based on your specific business goals, target market, and competitive landscape. Regularly assess the effectiveness of the program and make adjustments as needed to maximize channel partner engagement and revenue generation.

References

  • Market Development Fund
  • Usage and Software Credits
  • Free Software to develop Professional Service and Managed Services
  • ToolKit
    • Managed Service Agreement
    • Statement of Services Examples
    • Marketing Fund
    • Market Develop Fund
    • Rebate Program
    • Awards and Events
    • Certification Training e-learning
    • Deal Registration
    • Startup Funding examples;

Malware Analysis Course and Certification

1) Ultimate Malware Analysis by Zero2Automated
https://lnkd.in/dN7v2zNj

2) Practical Junior Malware Research by TCM Security
https://lnkd.in/dR6mTmQ8

3) GIAC Reverse Engineering Malware by SANS
https://lnkd.in/d6UvAbun

4) Certified Malware Analyst by Ethical Hackers Academy
https://lnkd.in/dt3xQFQT

5) Malware Analysis by Red Team Academy
https://lnkd.in/duBMbZV8

6) Malware Analysis Course by Black Storm Security
https://lnkd.in/dwhn_uuH

7) Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software 
https://lnkd.in/dmyhKDBV

8) Malware Analysis Fundamentals by Let’s Defend
https://lnkd.in/dSDUeyP7

9) Malware Analysis Detection Engineering
https://lnkd.in/dSEA37wQ

10) Malware Analysis Master by Mandiant
https://lnkd.in/dNM54d2C

11) CS6038/CS5138 Malware Analysis
https://class.malware.re/

12) Malware Analysis CSCI 4976 by RPISEC
https://lnkd.in/dC7kZkAK

13) Reverse Engineering 101 by Malware Unicorn
https://lnkd.in/dwGu22if

14) Purple Team Analyst by CyberwarfareLabs
https://lnkd.in/dBAqYG3j

Information Security Risk Assessment Checklist: Risk Assessment and Analysis Methods: Qualitative and Quantitative

Information Security Risk Assessment Checklist

  • Framing Risk
    • Understand the business
    • Define & document the environment
    • Decide Risk Assessment Approach
    • Define how risk decisions will be made
    • Qualitative vs Quantitative vs Semi-quantitative
  • Identifying Risk
    • Document threat environment
    • Identify threat scenarios & actors
    • Identify vulnerabilities
    • Calculate likelihood & impact
    • Consider current security controls
  • Responding to Risk
    • Document risk remediation plans
    • Accept, Mitigate, Avoid, or Transfer
    • Derive Risk Ratings
    • Focus on High Risk first
  • Monitoring Risk
    • Perform effective monitoring
    • Monitor high risks for remediation
    • Track risks over time
    • Perform audits ensuring risk treatment
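As an added example, not part of the original checklist, the script below carries the "calculate likelihood & impact", "derive risk ratings" and "focus on high risk first" steps through both approaches the checklist names: a qualitative 5x5 likelihood-by-impact rating and a quantitative Annual Loss Expectancy (ALE = SLE × ARO, with SLE = asset value × exposure factor), then orders the register so the highest-rated risks are treated first. The Scenario fields, the rating thresholds and every scenario value are constructed assumptions.

```python
"""Risk-rating helpers for the checklist above: a qualitative likelihood x
impact matrix and a quantitative Annual Loss Expectancy, then a ranking that
puts the highest-rated risks first. Added example; all values are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int             # qualitative 1 (rare) .. 5 (almost certain)
    impact: int                 # qualitative 1 (negligible) .. 5 (severe)
    asset_value: float          # quantitative inputs, in currency units
    exposure_factor: float      # fraction of asset value lost per event (0..1)
    aro: float                  # annualised rate of occurrence (events per year)
    treatment: str = "mitigate" # accept / mitigate / avoid / transfer


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Map a 1-5 likelihood and 1-5 impact onto Low/Medium/High/Critical.
    Thresholds are an assumption; organisations calibrate their own matrix."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (loss from one occurrence)."""
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO, the standard quantitative figure for yearly expected loss."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def rank_risks(scenarios: List[Scenario]) -> List[Tuple[str, str, float, str]]:
    """Order scenarios so Critical/High risks come first (the checklist's
    'Focus on High Risk first'); ties within a band are broken by ALE."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    rows = []
    for s in scenarios:
        rating = qualitative_rating(s.likelihood, s.impact)
        ale = annual_loss_expectancy(s.asset_value, s.exposure_factor, s.aro)
        rows.append((s.name, rating, round(ale, 2), s.treatment))
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))


def control_worthwhile(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """A mitigating control pays for itself when the ALE reduction exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_control_cost


# Constructed scenarios for a small register; none describe a real organisation.
SCENARIOS = [
    Scenario("Ransomware on file servers", 4, 5, 2_000_000, 0.40, 0.5),
    Scenario("Phishing leads to mailbox compromise", 5, 3, 300_000, 0.20, 2.0),
    Scenario("Laptop theft, disk unencrypted", 2, 3, 50_000, 0.50, 1.0, "transfer"),
    Scenario("Office flood damages NAS", 1, 4, 100_000, 0.80, 0.05, "accept"),
]

if __name__ == "__main__":
    for name, rating, ale, treatment in rank_risks(SCENARIOS):
        print(f"{rating:8} ALE={ale:>12,.2f} {treatment:9} {name}")
    # Would a backup/recovery control costing 100,000 per year that cuts the
    # ransomware ALE from 400,000 to 40,000 be justified?
    print("Ransomware control worthwhile:", control_worthwhile(400_000, 40_000, 100_000))
```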

Threat modeling, the cloud, and shared responsibility

An interesting aspect of cloud-related threat models is that cloud-based threats must take into account shared responsibility models that are specific to each cloud provider and service.

If a key output of any threat modeling exercise is a set of identified threats, then the ideal state for any threat is that you eliminate it completely by way of design, engineering, or otherwise. Of course, the value of threat modeling is that you not only identify threats that you can eliminate, but that you make thoughtful decisions about how to deal with the remaining threats that you cannot.


In this model, threats end up in one of three states:

  • Green, which is as good as it gets for a threat you can't eliminate outright. Of course, if controls are available, there's a good question to be asked about whether those controls can be implemented in such a way (e.g., by using restrictive defaults or policies) that the threat is eliminated and thus removed from this grid entirely.
  • Yellow, which is probably the most common. In this state, you’re able to rely on either security controls or on monitoring. The trick with relying solely on monitoring to mitigate a threat is that monitoring is only an effective mitigation when coupled with detection (knowing the threat occurred) and response (doing something about it).
  • Red, which should leave you questioning your design, your cloud provider, or both. In particular, threats in this state require putting significant trust in both your cloud provider and the security inherent to their platform, as well as your ability to engineer for safety.

Reference:

  • https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods
  • https://blog.netwrix.com/2020/07/24/annual-loss-expectancy-and-quantitative-risk-analysis/
  • https://www.netwrix.com/information_security_risk_assessment_checklist.html
  • https://www.slideteam.net/risk-analysis-powerpoint-presentation-slides.html#images-10
  • ISO 27001:2022 Lead Implementer https://www.udemy.com/course/information-security-for-beginners/?couponCode=JUNE2023

How to conduct a Business Impact Analysis

Step-by-step procedure and a set of questions to conduct a Business Impact Analysis (BIA):

What is a Business Impact Analysis

A Business Impact Analysis, or BIA, predicts how disruptions will impact a business’ critical business functions (CBF) and what the likely outcomes of those disruptions would be. As potential loss scenarios are identified, this deep dive into your business can also offer recovery strategies, including the order in which critical functions and processes are restored. 

Consider the Impact

The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:

  • Lost sales and income
  • Delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Business Disruption Scenarios

  • Physical damage to a building or buildings
  • Damage to or breakdown of machinery, systems or equipment
  • Restricted access to a site or building
  • Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier.
  • Utility outage (e.g., electrical power outage)
  • Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications, and data
  • Absenteeism of essential employees.

Procedure for Conducting a Business Impact Analysis:

  1. Define the Scope: Determine the boundaries and objectives of the BIA. Identify the critical business processes, systems, and resources that will be analyzed.
  2. Assemble the BIA Team: Form a cross-functional team comprising representatives from different departments, including key stakeholders, subject matter experts, and IT personnel.
  3. Identify Potential Disruptions: Brainstorm and document a comprehensive list of potential threats or events that could disrupt business operations. This may include natural disasters, cyberattacks, equipment failures, or supply chain disruptions.
  4. Assess Impacts: For each potential disruption, analyze the potential impacts on the critical business processes and resources. Consider the following areas:
    • Operational Impact: How will the disruption affect day-to-day business operations?
    • Financial Impact: What are the financial consequences, including revenue loss, increased expenses, or insurance claims?
    • Customer Impact: How will customers be affected? What are the potential reputational impacts?
    • Legal and Regulatory Impact: Are there any legal or regulatory requirements that may be impacted?
    • Employee Impact: What are the potential effects on employees, such as safety concerns, workload, or morale?
  5. Determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): Define the acceptable downtime and data loss limits for each critical business process or resource. This will help prioritize recovery efforts and allocate resources effectively.
  6. Identify Dependencies: Identify the dependencies between critical business processes, systems, and resources. This includes dependencies on suppliers, IT infrastructure, personnel, or other external factors.
  7. Document Findings: Compile all the information gathered during the analysis, including the identified risks, impacts, dependencies, and recovery objectives. Document these findings in a clear and organized manner.
  8. Review and Validate: Review the documented findings with the BIA team and other relevant stakeholders to ensure accuracy and completeness. Validate the findings against available data and industry best practices.
  9. Identify Mitigation Strategies: Based on the BIA findings, develop mitigation strategies to minimize the potential impacts of disruptions. This may include implementing redundant systems, backup processes, contingency plans, or alternative suppliers.
  10. Communicate and Document: Share the BIA report and its findings with key decision-makers, stakeholders, and relevant personnel. Maintain proper documentation of the BIA process and outcomes for future reference and updates.

Questions to Ask During a Business Impact Analysis:

  1. What are the critical business processes and resources that must be analyzed?
  2. What potential threats or events could disrupt these critical processes and resources?
  3. How would each potential disruption impact the day-to-day operations of the organization?
  4. What are the financial consequences of each disruption? Are there any revenue losses or increased expenses?
  5. How would customers be affected by each potential disruption? What are the potential reputational impacts?
  6. Are there any legal or regulatory requirements that may be impacted by the disruptions?
  7. What are the potential effects on employees, such as safety concerns, workload, or morale?
  8. What are the acceptable downtime limits for each critical process or resource (RTO)?
  9. What are the acceptable limits for data loss for each critical process or resource (RPO)?
  10. Are there any dependencies between critical processes, systems, or resources? If so, what are they?
  11. How can the organization minimize the potential impacts of disruptions? What mitigation strategies can be implemented?
  12. How can redundant systems, backup processes, or contingency plans be leveraged to ensure business continuity?
  13. Are there alternative suppliers or resources that can be used in case of disruptions?
  14. How can the organization communicate the BIA findings to