1 of 51

2 of 51

Learning Objectives

  • LO1: Recognize common threat actor types and their motives.
  • LO2: Understand what OSINT is and what basic public sources can reveal.
  • LO3: Explain network scanning at a high level and how attackers use it.
  • LO4: Understand common paths attackers use to gain access (demo in lab).
  • LO5: Describe common data exfiltration techniques and defensive signals.
  • LO6: Identify simple, practical defenses employees can apply immediately.

3 of 51

4 of 51

Ground Rules / Ethics / Legal

  • All demos will be run only in an isolated lab (Kali → Metasploitable).
  • Do NOT run tools against live systems.
  • Aim: learning for defense and awareness only.
  • If you find a real vulnerability at work — report it through official channels (do not ‘test’ it yourself).

5 of 51

Quick Cybersecurity Primer

6 of 51

7 of 51

Threat Actor Profiling

8 of 51

Reconnaissance

  • Footprinting, or reconnaissance, is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target.
  • Footprinting looks for information and later analyzes it, looking for weaknesses or potential vulnerabilities.

9 of 51

POV of a Threat Actor

10 of 51

POV of a Threat Actor

11 of 51

OSINT — What it is & why it matters

  • OSINT = Open Source Intelligence (publicly available info)
  • Why attackers use it: build a profile, find people to target, discover exposed services/IPs

12 of 51

Have you done transactions via Social Media?

13 of 51

Are you familiar with FB Marketplace?

14 of 51

Social Media Impersonation is rampant even for ordinary people.

15 of 51

Have you encountered an enticing article (probably too good to be true) then you are redirected elsewhere when clicked?

16 of 51

Have you received an SMS from Maya asking you to click on a link? Sender says Maya.

17 of 51

NCAP is trending. Have you received an SMS like this?

18 of 51

“Globe” also sends suspicious links

19 of 51

Legitimate-looking domains and website!

20 of 51

21 of 51

Tasks:

  • Can you check the site report for the PhilFIDA Website?
  • Can you check the contents of the PhilFIDA Website back in 2024?

22 of 51

23 of 51

24 of 51

Scanning

  • Purpose: discover hosts, open ports, running services
  • Types: ping/ICMP, TCP connect scan, SYN scan, service/version detection, OS detection
  • Risk: scanning noisy — can trigger alarms on production systems

25 of 51

26 of 51

Port Scan. What for?

27 of 51

Port Range

Numbers

Purpose

Well-Known Ports

0 to 1,023

Reserved for common, well-established internet services (e.g., HTTP on port 80, FTP on port 21, DNS on port 53).

Registered Ports

1,024 to 49,151

Can be registered by applications or vendors for specific services, but they are not as tightly controlled as well-known ports.

Dynamic/

Private Ports

49,152 to 65,535

Used by client programs when they initiate a connection. These are temporary or "ephemeral" ports assigned by the client's operating system.

28 of 51

29 of 51

30 of 51

Tasks

  • Check if Metasploitable is up.
  • Check the open ports
  • Identify the operating system (?)
  • Identify the applications running (?)
  • See if there are vulnerabilities.

31 of 51

  • Warning: NMAP is an active scanner. Permission must be given prior to scanning. 

32 of 51

33 of 51

34 of 51

35 of 51

Gaining Access

  • Attack path model: Recon → Scanning → Exploit → Privilege escalation → Persistence
  • Common vectors: weak passwords, unpatched services, phishing/social engineering, exposed admin interfaces

36 of 51

Metasploit Fundamentals

Server and App VAPT | J. Pineda | © All Rights Reserved 2020

36

37 of 51

38 of 51

Server and App VAPT | J. Pineda | © All Rights Reserved 2020

38

39 of 51

40 of 51

Tasks

  • Choose varying attack surface to launch an attack.
  • Exploit selected vulnerabilities.
  • Prove that exploit exists.
  • Provide recommendations how to remediate findings.

41 of 51

42 of 51

Realizations

Cyber attacks are becoming more and more creative.

Regular security awareness is not enough… we need to go further than that.

Evaluate, scrutinize and analyze!

43 of 51

Defensive Controls

  • People: phishing awareness, reporting suspicious emails, secure password practices, 2FA
  • Processes: asset inventory, patch management, least privilege, backup & recovery
  • Tech: firewalls, segmentation, EDR/antivirus, network monitoring, strong authentication

44 of 51

Policies & Incident Reporting

  • Simple reporting flow: suspect → isolate (if safe) → preserve evidence → notify IT/Security/Commander
  • What to record: who, when, observed actions, screenshots (if safe)
  • Emphasize chain of custody for critical incidents

45 of 51

Knowledge Check # 1

  • Public social posts cannot help attackers.
    • True
    • False

46 of 51

Knowledge Check # 2

  • Which is an immediate action if you suspect an email is malicious?
    • Reply
    • Click link
    • Report to IT

47 of 51

Knowledge Check # 3

  • What is a common sign of data exfiltration?
    • increased outbound traffic
    • slower keyboard
    • brighter screen

48 of 51

Key Takeaways

1. The Cyber Battlefield

    • Threat actors range from script kiddies to nation-states.
    • Their motives: money, espionage, disruption, or activism.

2. How Attacks Begin

    • OSINT: Attackers collect public info — from social media to published reports.
    • Scanning: They probe systems for open ports and weak services.
    • Exploitation: They use vulnerabilities or stolen credentials to gain entry.
    • Exfiltration: They quietly move data out using common channels (HTTP, cloud, USB).

3. Our Defensive Mindset

    • Awareness first: report suspicious behavior, avoid oversharing, use 2FA.
    • Processes: regular patching, least privilege, backups, and monitoring.
    • Technology: firewalls, segmentation, EDR, and DLP protect our perimeter and data.

49 of 51

50 of 51

Exercise

  • Choose 2 web layer or 2 server layer exploits that you would like to test and document the step-by-step procedure how to the vulnerabilities were exploited.
  • Put it in a VAPT Template provided and upload per group.

51 of 51