Evaluating product security

Introduction to applications and system security; building reliable and resilient ICT infrastructure:

• Approaches for evaluating product security;
• Assessment techniques of a vendor’s software development process;
• Analyzing a vendor’s data processing practices;
• Static and dynamic examination techniques of a software product for its security.

Threat modelling

Introduction to the process of identifying and mitigating potential threats, such as structural vulnerabilities or the absence of appropriate safeguards. The purpose of threat modelling is to provide a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker.

The sections includes:

• Approaches to threat modeling;
• Actor identification;
• Risk identification;
• Prioritization.

Secure code review

Introduction to basic techniques for identifying vulnerabilities in software code. The purpose of the code review is to ensure that a product has no potential vulnerabilities or backdoors. We will also share best practices of Kaspersky’s Transparency Centers and how processes are organized for external reviews of our source code and software development.

The sections includes:

• Approaches for automated source code analysis;
• Static analysis of source code;
• Dynamic analysis of source code;
• Approaches to manual analysis of source code.

Code fuzzing

This gives an introduction to the process of defining, developing and testing Windows-based applications through fuzzing to identify bugs and vulnerabilities. Though the training focuses on native Windows-based applications, most of the concepts – as well as the methodology and tools – can be applied to other platforms.

After completing this course, trainees will be able to:

• Understand different fuzzing techniques and when to apply them;
• Choose the appropriate tools and prepare a target for fuzzing;
• Generate interesting fuzzing input depending on the target.

Vulnerability management and disclosure

Introduction to and definition of approaches for building the process of managing vulnerabilities within an organization’s ICT infrastructure.

This section includes:

• Sharing best practices for vulnerability management and disclosure;
• Sharing best practice for coordinated vulnerability disclosure;
• Sharing Kaspersky’s experience in handling vulnerability reports from the research community;
• Revealing nuances of bug bounty programs.

Theory

• Introduction to ASM
• The Most Common ASM Instructions
• Correspondence Between C Code And ASM
• Solution: Reading ASM Code. Function calls
• Calling Conventions
• Solution: Understanding a full function. Wrap-up

C-Language 'Hello World'

• Introduction
• The Simplest C Program
• First Steps With IDA
• Working Without Debugging Symbols
• Solution: First Steps With IDA. Windows API
• Solution: Arguments And Constants. Wrap-up

Simple lambdas

• Starting With Value Fields
• Solution: Value Fields. Adding Pointers
• Solution: Adding Pointer. Shallow And Deep Copying
• Solution: Shallow And Deep Copying. Wrap-up

Stuck in the heap

• Counting Hash Value
• Solution: Counting Hash Value. Meet The Heap
• Solution: Meet The Heap. Memory Management
• Solution: Memory Management. Wrap-up

Lists and tricky pointers

• Servers chain
• Solution: Servers chain. List it till the end
• Solution: List it till the end. Pointer to the insides
• Solution: Pointers to the insides. Wrap-up

C++ and OOP

• Introduction
• Solution: A simple class
• Virtual function table
• Solution: C++ inheritance
• The Decompiler
• STL Library: The string class
• STL Library: The vector class. Wrap-up

Pain in the containers

• Commands as dictionary
• Solution: Commands as dictionaries. Real handlers
• Solution: Real handlers. make it set
• Solution: make it set. Wrap-up

Introduction to golang reverse-engineering

• Introduction
• Solution: Golang basics. debuggers
• Working with x64dbg
• Reconstructing go code from the assembly
• Controlling execution with debugger
• Solution: The decryptor. Go reverse-engineering methodology

‘Rusty' code

• Simplest esoteric decryptor
• Solution: Simplest esoteric decryptor. Vector by reference
• Solution: Vector by reference. Let’s be more rusty
• Solution: Let’s be more rusty. Wrap-up

A 'real' malware

• Introduction
• Stage 1
• Stage 2
• Stage 3
• Outro. Course summary

Malicious software

– Knowledge gained: Malware classification. Malicious and suspicious software actions and signs

– Skills gained: Verification of the existence or absence of incident related to malware

– Practice given in the module: Using tools ProcessHacker, Autoruns, Fiddler, Gmer for detecting the malware

Potentially unwanted programs and exploits

– Knowledge gained: The basics of statistical and dynamic analysis of the software samples

– Skills gained: Working with event monitors of the systems and sandboxes. Using statistical engines (virustotal). Removing PuPs

– Practice given in the module: Static (signature) and statistical (virustotal) analysis of the software samples. Using procmon, for finding exploits and malicious behaviour of the software.

Server security

– Knowledge gained: Analyze the network environment; Server hardening; Analyze PowerShell logs to detect attacks

– Skills gained: Search for vulnerable and non-standard network services; Configure systems according to the “default deny” principle; Search for signs of an attack in PowerShell logs

– Practice given in the module: Use Nmap to find vulnerable network services; Configure Software Restriction Policies for program control, and Windows Firewall for network control; Analyze events using Event Log Explore

Investigation basics

– Knowledge gained: Incident Response process, methods of log analysis, specifics of storing digital information

– Skills gained: Incident localization, Data collection, Collecting digital evidence

– Practice given in the module: Collected various data types on computers. Log analysis to find the source and the links of the attack

Phishing & Opensource Intelligence

– Knowledge gained: Modern phishing methods. Methods of detecting targeted phishing

– Skills gained: Phishing emails lookup. Verification of the incident related to phishing. OSINT

– Practice given in the module: Exchange Compliance Search and removal of the phishing emails. Verification of the suspicious email using open sources (lookup for the Counterfeit data)

Active Directory Security

– Knowledge gained: Use an API to check passwords in a database of compromised passwords; Configure domain policies according to recommendations; Methods for analyzing Active Directory domain security

– Skills gained: Safely check for password hashes in a database; Search for inconsistencies between recommended and actual domain policies; Assess the security of Active Directory settings

– Practice given in the module: Use the Have I Been Pwned? API to search the database of compromised passwords; Use Policy Analyzer to compare current domain policies with best practices; Use Ping Castle reports