Learning By Practicing

Nik Alleyne https://www.securitynik.com

This site contains the files used for analysis of SecurityNik Inc.'s compromise in the book Hack and Detect. These files represents all the packets, logs and other output files which were created as a result of executing various commands. The original Splunk log file was over 3GB. As a result, I've split that file into multiple 24MB size files. The numbering is sequential so if you wish you can reinsert this data into Splunk or simply use your command line tools to analyze the event files one after the other.

The main idea behind this book, is to leverage the Cyber Kill Chain to teach you how to hack and detect, from a network forensics perspective. Therefore, there will be lots of packet and log analysis as we go along.

There are lots of books that teach you how to hack. So the main purpose of this book is not really about hacking. However, the problem with many of those books, is that they don’t teach you how to detect your activities. This means, you the reader have to go read another book, in order to understand the traces of network evidence, indicators of compromise (IoC), events of interests (EoI) and the breadcrumbs which are left behind, as part of your activities related to system compromise. Therefore, this book is truly meant to help you the reader detect sooner, whenever someone compromises your network. Remember, it is not if you will be compromised but when. This statement is assuming you have not already been compromised.

To ensure you enjoy this book, it is written from the perspective of storytelling. While most technology related books are done from a how-to guide style, this one is not. However, the objectives remain the same. I believe tying the technical material in with a story, will add more context, make the message clearer and the learning process easier.

An important note, as Neysa (Threat Actor) hacks, she plans to use the Lockheed Martin Cyber Kill Chain model as her framework. By leveraging the Cyber Kill Chain, she anticipates she can operate similar to an advanced persistent threat (APT). Where possible, she will follow the model exactly as it is. However, where needed, she may deviate while still being focused on achieving the actions and objectives as identified by the Cyber Kill Chain.

For each of the attacks Neysa (Threat Actor) performs, where possible, Nakia (newly hired Cybersecurity Ninja) will leverage her Cybersecurity Ninja awesomeness, to detect Neysa’s actions.

More importantly, for each of the attacks that Nakia detects, she must provide answers to the who, what, when, where, why and how to Saadia, the owner of SecurityNik Inc. These are critical questions every incident handler must answer. Now, the reality is, in many cases you won't be able to tell “why” it happened, as you don’t typically know your adversaries motive. However, Nakia will do her best to provide the necessary guidance, thus ensuring she gives Saadia actionable intelligence to decide on the way forward.

• Understand the Cyber Kill Chain from a practical perspective. Fully hands on! No fluff!!
• Learn not just how attacks can be done but how they can be detected.
• Learn network forensics.
• Learn how misconfigurations can be taken advantage of by attackers.
• Learn how to put mitigation strategies in place.
• Learn how attackers can gain access to your isolated LANS/subnets which have no internet access via pivoting/lateral movement.
• Learn how exfiltration can be done via relays.
• Learn about various command and control (C2) mechanisms leveraging different common ports and/or protocols.

• Individuals now starting off their cybersecurity careers.
• Individuals working in a Cyber/Security Operations Center (C/SOC).
• Red Team practitioners who may wish to understand how their efforts may be detected.
• General practitioners of cybersecurity.
• Experienced Cybersecurity Ninjas who may be looking for a trick or two.
• Anyone who just wishes to learn more about cybersecurity, hacking and its detection.
• Anyone involved in network forensics.
• Most importantly, anyone looking for a good read :-)

• "Nik's approach to viewing both the attacker and defender's side of the compromise is an amazing way to correlate the causes and consequences of every action in an attack. This not only helps the reader learn, but is entertaining and will cause readers to flip all around the book to make sure they catch every detail."
  Tyler Hudak, Information Security
  


• "By showing both the offensive and defensive sides of an attack, Nik helps each side better understand how the other operates."
  Joe Schottman, SANS Advisory Board Member
  


• "Hack and Detect provides a window outlook into a modern day attack from an advanced persistent threat in an easy to follow story format. Nik walks through the Cyber Kill Chain from both an offensive perspective, showing tools and tricks an attacker would leverage, and a defensive perspective, highlighting the trails which are left behind. By following along step by step with virtual machines the reader is able to obtain a greater understanding of how the attacks work in the real world and gain valuable insight into defending against them."
  Daniel McAuley, Manager Infrastructure and Technology Group
  

• Grab the full set of sample pcaps, logs and other data from my GitHub page at https://github.com/SecurityNik/SUWtHEh- Ohh!! You are here already , clumsy ninja:-)
.

• Grab them from this link https://bit.ly/NikAlleyne-Hackand-Detect
• Moreover, you can visit my blog directly at https://www.securitynik.com.

NOTE: The .exe file above "Nik_in_Vegas.exe" is actually called "Pam_In_Guyana.exe" in the book. Therefore if you are going through the book, simplay replace "Pam_In_Guyana.exe" with "Nik_In_Vegas.exe".

Feel free to drop me a line and let me know your thoughts on the book.

Enjoy:
Nik Alleyne
www.securitynik.com