7. Security Operations
Basics of Security Operations
• The Security Operations team is responsible for performing defensive activities for the organization
• They aim to protect critical organization assets from threat actors
• Employees with different expertise work together to protect the organization's infrastructure
• SOC procedural workflow:
• Collect logs from each and every system: devices, networks, etc.
• Analyse the logs to remove false positives and detect anomalies
• Regularly scan the organization's assets to detect misconfigurations / vulnerabilities
• Act on possible ways to remediate the identified threat
• Document the findings and prepare a sustainable incident response plan for possible future cyber attacks
Figure: Security Operations Center – Monitor, Detect, Remediate – across the IT assets (applications, systems, locations, devices, network)
• Three main functions of SOC
• Technology
• For SOC team members, technology is their weapon; they use it to collect different types of logs (login events, activities, etc.)
• Security Monitoring: Log collection → Log analysis → Development of detection rules (events, incidents)
• Threat Hunting: Collected logs (events, incidents) → Active search for new threats → Suspicious anomaly
• Threat Intelligence
Figure: Data Source 1, Data Source 2 and Data Source 3 feed raw data, which is refined into information and then into threat intel
• Continuous OSINT Gathering
Figure: external sources (social media, dark / deep web, leaked documents, selling of breached information) are watched for exposure of internal assets (credentials, documents, on-premise certificates, locations)
• People
• The team comprises people who use the least amount of resources to get good visibility into active and emerging threats
• Continuous consolidation of technologies and effective organization of the team are required
ROLE | DESCRIPTION | RESPONSIBILITIES
Jr. Security Analyst [Tier-1] | Triaging security incidents | Triages alerts according to urgency and relevancy. Manages & configures security monitoring tools
Security Analyst [Tier-2] | Incident Responder | Reviews triaged alerts, identifies the scope of the alert. Performs remediation and recovery efforts
Senior Security Analyst [Tier-3] | Threat Hunter | Conducts pentesting on the production env. Optimizes SOC tools based on threat hunting
SOC Manager | Chief of SOC | Hiring, training & assessing staff. Measures SOC performance & communicates with CISOs
• Processes
• Process ensures timely synchronization and execution of the various activities performed by the SOC.
SOC PROCESS (cycle):
1. Event Classification & Triage
2. Prioritize & Analysis
3. Remediation & Recovery
4. Assessment and Auditing
• Security Information and Event Management (SIEM) Workflow
Figure: Relevant security data (firewall, file server, DNS server, web applications, network devices, cloud providers) → Log management / analytics tool → Anomaly detection, rule implementation, traffic visualization
• Industry recognized SIEM Tools
• They are fed data from organization resources and provide deep insights into the assets' day-to-day operations
• SIEM Detection Rule
• Device integration with SIEM Tools
Reference : https://nxlog.co/agent-based-versus-agent-less
• Exercises:
• Setting up the environment for attack and defense visualization
Host based Defence
• A host is a physical / virtual OS allocated to an employee of the organization
• Enterprises mostly have the following OSes:
• Windows
• Linux
• Mac
• Tools like osquery (cross-platform), Sysmon (Windows), etc. can be used to collect and transmit logs for analysing the performance of host devices.
• Host Firewall - Windows
• The Defender host firewall is present in Windows Vista, 7, 8, 10, 11 & Server editions.
• It helps secure the device through inbound & outbound rules.
• The rules state which network traffic can go in and out of the device.
• The firewall works on 3 different network types: Private, Public & Domain.
• Inbound rules: network traffic coming from an external device. Ex: someone tries to connect to an FTP server on the host machine.
• Outbound rules: network traffic originating from the host device. Ex: the host machine tries to connect to a web server.
• Connection rules: used to filter the network traffic going in and out of the host device.
Figure: Traffic flow – Internet / web server ↔ firewall ↔ host device (outbound traffic leaves the host, inbound traffic arrives at it)
DEMO : Block Google Chrome from accessing the internet (outbound setting)
Exercise 1 : Isolate machine from Internet (outbound setting)
Exercise 2 : Block ICMP packets originating from the Internet towards your host machine (inbound setting)
• Host Firewall – iptables
• Firewall utility built into most Linux operating systems.
• It is a command line utility that filters network traffic going into or out of the system.
• iptables has 3 different chains, namely:
• INPUT: controls incoming connections. Ex: SSH into a host machine with iptables enabled
• OUTPUT: controls outgoing connections. Ex: sending ICMP packets to a destination
• FORWARD: helpful in routing scenarios; uses traffic-forwarding utilities to send data to the destined address.
• Check the current configuration of iptables.
• iptables accept / deny chains:
Figure: iptables on the "Linux" host device filtering traffic to and from an external "Windows" device
• DROP the connection in INPUT chain :
• ACCEPT the connection in INPUT chain :
• DROP the connection in OUTPUT chain :
• ACCEPT the connection in OUTPUT chain :
• Connection Specific Responses
• ACCEPT : Allow the connection
• DROP : Drop the connection without sending any errors
• REJECT : Drop the connection but send back an error response
• Block connections from a range of IP addresses:
• Block connections to a specific service port (SSH) over TCP
SSH from another machine
• Save the configured rules
• Flush the rules:
Exercise 1 : Block ICMP packets using iptables (OUTPUT setting)
Exercise 2 : Block ICMP packets originating from the Internet towards your host machine (INPUT setting)
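The Windows Defender firewall section and the iptables section above describe the same model: an ordered list of inbound (INPUT) and outbound (OUTPUT) rules, the first matching rule deciding the verdict, and a default policy when nothing matches, with DROP and REJECT differing only in what the remote side observes. The following added example (not code from the course or from either product) models that evaluation in Python; the rule set in build_demo_firewall, the IP addresses and the chrome.exe program name are constructed to mirror the demos and exercises above.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"

# What the remote side observes for each target (the "connection specific responses")
OBSERVED = {
    ACCEPT: "connection proceeds",
    DROP: "no answer, the sender times out",
    REJECT: "error reply, e.g. ICMP port-unreachable or TCP RST",
}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IP
    dst: str                        # destination IP
    dport: Optional[int] = None     # destination port (None for ICMP)
    program: Optional[str] = None   # originating program, for Windows-style outbound app rules


@dataclass
class Rule:
    action: str                     # ACCEPT, DROP or REJECT
    proto: str = "any"
    src: str = "any"                # single IP or CIDR range such as "10.0.0.0/24"
    dst: str = "any"
    dport: Optional[int] = None
    program: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.program is not None and self.program != pkt.program:
            return False
        return True


@dataclass
class Chain:
    name: str                       # "INPUT" (inbound) or "OUTPUT" (outbound)
    policy: str = ACCEPT            # verdict when no rule matches, like `iptables -P`
    rules: list[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # like `iptables -A`: evaluated last
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # like `iptables -I`: evaluated first
        self.rules.insert(0, rule)

    def evaluate(self, pkt: Packet) -> tuple[str, str]:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, OBSERVED[rule.action]
        return self.policy, OBSERVED[self.policy]


def build_demo_firewall() -> dict[str, Chain]:
    """Constructed rule set mirroring the demos and exercises above."""
    inbound = Chain("INPUT", policy=DROP)          # default-deny inbound
    outbound = Chain("OUTPUT", policy=ACCEPT)      # default-allow outbound
    inbound.append(Rule(ACCEPT, proto="tcp", src="10.0.0.0/24", dport=22))  # SSH only from the LAN range
    inbound.append(Rule(REJECT, proto="tcp", dport=22))                      # everyone else gets an explicit error
    inbound.append(Rule(DROP, proto="icmp"))                                 # Exercise 2: drop inbound ICMP silently
    outbound.append(Rule(DROP, program="chrome.exe"))                        # Demo: Chrome cannot reach the internet
    return {"INPUT": inbound, "OUTPUT": outbound}


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in (Packet("tcp", "10.0.0.5", "10.0.0.1", 22),
                Packet("tcp", "203.0.113.7", "10.0.0.1", 22),
                Packet("icmp", "203.0.113.7", "10.0.0.1")):
        print(pkt, "->", fw["INPUT"].evaluate(pkt))
    print(fw["OUTPUT"].evaluate(Packet("tcp", "10.0.0.1", "198.51.100.10", 443, program="chrome.exe")))
```

Note the ordering: the LAN ACCEPT rule must precede the general REJECT rule for port 22, exactly as an `iptables -A` appended after it would never be reached; the same first-match reasoning explains why an outbound "block Chrome" rule takes effect even though the OUTPUT policy is ACCEPT.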
• Anti-Virus
• In general terms, it is a computer program used to prevent, detect and remove malicious software.
• It continuously scans incoming files (arriving at the system from anywhere) and if any anomaly is detected, the file is quarantined / removed.
• The security landscape has moved a lot from focusing on a single device to endpoint devices like cell phones, enterprise laptops, tablets, servers, computers, etc.
• Endpoint security protects the network using a combination of firewall, antivirus, anti-malware, etc.
• These products are explicitly designed for enterprise clients to protect all their endpoint devices like servers, computers, mobiles, etc.
• Endpoint Detection & Response (EDR)
• Understanding the name, it is clear that EDR is a solution that continuously monitors and stores endpoint-device behaviour to detect and block suspicious / malicious activities, and also provides remediation facilities all in one place (single dashboard).
• Some unique key features of EDR are:
− Visibility
− Continuously updated telemetry database
− EDR focuses more on Indicators of Attack (IOA: detecting the intention of an adversary)
− Detailed insights into the environment
− Precision & accuracy in response
− Integrated with cloud-based solutions
− Real-time monitoring and insights on a single dashboard
• But why?
− Big enterprises with more endpoint devices have more sensitive data
− Adversaries target endpoint servers / computers to establish a foothold
− Detailed insights into the environment
− Enterprise adoption of SaaS-based solutions is growing
− More scalability and ease of configuration
− EDR includes multiple fine-tuned security solutions (focus on consolidation)
• Examples of EDR in the market (not in order of performance):
− FireEye Endpoint Security
− CrowdStrike Falcon Insight
− Microsoft Defender Advanced Threat Protection (ATP)
− VMware Carbon Black EDR
− Symantec Endpoint Protection
− SolarWinds Endpoint Detection and Response, etc.
Microsoft Defender for Endpoint
• Centralized platform to manage all the organization's endpoint devices in a single dashboard
• Works on an agent-based methodology: an agent needs to be installed on the endpoints, which collects data & sends the telemetry to the dashboard
Microsoft Defender for Endpoint sign-up procedure
1. Sign up for the Defender for Endpoint account
2. Log in to the portal & select the platform agent
3. Download the agent to the endpoint and onboard it. The endpoint will be visible in the dashboard within 30 minutes
4. Manage the endpoint from the Defender for Endpoint dashboard
Figure: Defender dashboard – prioritize alerts & check incidents; write custom queries to track missed alerts; overall threat analytics of onboarded endpoints; score as per MS recommendations
DEMO : MS Defender for Endpoint demonstration
Exercise 1
Onboard a Windows machine and check its status in the dashboard
Exercise 2
Onboard a Linux machine and check its status in the dashboard
Network based Defence
• A network comprises the multiple hosts present in the organization
• Networks are segregated using firewalls, switches, etc.
• Collecting logs from network devices becomes difficult as they regularly process a ton of data in production
• Snort
• Open-source intrusion prevention system (IPS) developed by Cisco
• This software is capable of performing real-time traffic analysis and packet logging on IP networks
• It can also be used to detect a variety of attacks and probes
• It has 3 modes:
• Packet sniffer (like tcpdump)
• Packet logger
• Full-blown IPS
• Download the software from here: https://www.snort.org/downloads
• The software can also be installed using apt from an already added repository
• Snort performs real-time monitoring of packets using the rules referenced in the configuration file.
Snort Rule Header
[action] [protocol] [sourceIP] [sourceport] -> [destinationIP] [destport] ( [Rule Options] )
action to take | type of traffic | source IP & port | direction | target IP & port | rule options
Snort Rule Header Example
alert tcp $sourceIP $sourceport -> $destinationIP any
Snort Rule Options
General rule options:
• Message (msg): meaningful message stating the purpose of the rule
• sid / rev: unique identifier (and revision number) for each rule
• Classtype: what the effect of a successful attack would be
• Reference: external source of information
Detection rule options:
• Content: search for specific content in the packet payload
• pcre: regular expressions
• Byte test: allows a rule to test a number of bytes against a specific value in binary
• Flow: for the rule to fire, specifies which direction the network traffic is going
Figure: Snort infographic
• Snort configuration file location
/etc/snort/snort.conf
• Edit custom snort rules
/etc/snort/rules/local.rules
• Adding a rule in local.rules
alert icmp any any -> 192.168.1.8 any (msg:"ICMP Test"; sid:1000001; rev:1;)
• Starting snort and capturing traffic as per the configured rules (-T only validates the configuration and exits; -A console prints alerts to the terminal, -q suppresses the banner)
sudo snort -T -i eth0 -c /etc/snort/snort.conf
sudo snort -A console -q -i eth0 -c /etc/snort/snort.conf
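To make the rule header and option syntax above concrete, here is an added Python example (not Snort code and not part of the course) that parses rules in the local.rules format and checks whether a packet's protocol, addresses and ports fall under a rule header. Only the header is matched; a real Snort deployment also evaluates the detection options (content, pcre, byte_test, flow) against the payload and stream state. The two rules in LOCAL_RULES are constructed: the first is the page's ICMP test rule, the second (sid 1000002) is an assumed SSH rule added for illustration, and $-variables such as $HOME_NET are deliberately not expanded.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# [action] [protocol] [srcIP] [srcport] -> [dstIP] [dstport] ( [options] )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
# key:value; pairs inside the parentheses; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def parse_options(text: str) -> dict:
    opts = {}
    for m in OPTION_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if value is None:
            opts[key] = True                      # flag-style option such as nocase
        else:
            value = value.strip()
            opts[key] = value[1:-1] if value.startswith('"') else value
    return opts


def parse_rule(line: str) -> SnortRule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    opts = parse_options(m.group("opts"))
    for required in ("msg", "sid", "rev"):       # every local rule needs these three
        if required not in opts:
            raise ValueError(f"rule lacks required option {required}: {line!r}")
    return SnortRule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                     m.group("dir"), m.group("dst"), m.group("dport"), opts)


def _ip_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("$"):
        raise ValueError(f"variables such as {spec} are not expanded in this example")
    negate = spec.startswith("!")                 # e.g. !192.168.1.0/24 = anything outside the LAN
    return (ip_address(ip) in ip_network(spec.lstrip("!"), strict=False)) != negate


def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                               # range, e.g. 1024: or 20:21
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule: SnortRule, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Does a packet fall under the rule header? Pass port 0 for ICMP packets."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    fwd = (_ip_ok(rule.src, src) and _port_ok(rule.sport, sport)
           and _ip_ok(rule.dst, dst) and _port_ok(rule.dport, dport))
    if rule.direction == "<>":                    # bidirectional header
        rev = (_ip_ok(rule.src, dst) and _port_ok(rule.sport, dport)
               and _ip_ok(rule.dst, src) and _port_ok(rule.dport, sport))
        return fwd or rev
    return fwd


def matching_sids(rules, proto, src, sport, dst, dport) -> list[str]:
    """SIDs of all rules whose header covers the packet (what an alert line would carry)."""
    return [r.options["sid"] for r in rules if header_matches(r, proto, src, sport, dst, dport)]


# Constructed local.rules content: the page's ICMP test rule plus an assumed SSH rule
LOCAL_RULES = [
    'alert icmp any any -> 192.168.1.8 any (msg:"ICMP Test"; sid:1000001; rev:1;)',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.8 22 '
    '(msg:"SSH connection from outside the LAN"; flow:to_server; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in LOCAL_RULES]
    print(matching_sids(rules, "icmp", "10.1.1.1", 0, "192.168.1.8", 0))
    print(matching_sids(rules, "tcp", "203.0.113.5", 51000, "192.168.1.8", 22))
```

The direction arrow matters: an ICMP reply leaving 192.168.1.8 does not match the first rule, which is why a test rule written for "packets heading towards the Snort machine" (Exercise 1) fires once per inbound echo request rather than twice per ping.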
DEMO : Detect SSH Login Attempt
Exercise 1
Detect ICMP packet heading towards the snort installed machine
https://www.youtube.com/watch?v=8lOTUqfkAhQ
Exercise 2
Detect failed FTP attempt using alert type
• Fortinet FortiGate Firewall
• Next-generation firewall that provides ultimate threat protection for businesses
• Mainly used in enterprises for the following purposes:
• VPN tunnels
• Network segmentation
• Web filtering
• Secure firewall portal access
• Easy integration with other Fortinet products
Figure: FortiGate firewall between the Internet and the internal network, applying antivirus, application control, IPS and SSL inspection; the demilitarized zone and the militarized zone are segmented behind it, with remote network access via VPN tunnel
Exercise 1
Fortinet Fortigate Dashboard Demonstration
Exercise 2
Fortinet Fortigate Abuse Demonstration (RCE)
• Security Information and Event Management – Splunk
• It provides real-time data for performing analysis based on security events
• Tools like Splunk match collected events against rules & analytics engines to detect & analyse advanced threats
• Alert indexing is an important aspect covered by Splunk; it integrates the events into the alert workflow procedure
• Splunk and SIEM can be deployed in
• A single environment
• A distributed environment
• Splunk Working Modes
• Configuring Splunk
1. Download (as per platform)
2. Install & Begin
3. Forward data to Splunk
4. Search / Visualize / Raise
• Log Collection in Splunk (local setup)
• Select the following icon after signing up
• Navigate and choose the “Monitor” option, it will monitor the local splunk platform instance
• Choose the auth.log file that collects login attempts locally
• Select the source type as “linux_secure”
• Perform the final review and then start searching
• Monitor the events in real-time
• Log collection from other sources
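The SOC workflow at the top of this module (collect logs, analyse them to remove false positives and detect anomalies) and the Splunk walkthrough above (monitoring auth.log as sourcetype linux_secure) meet in the kind of detection logic a SIEM rule encodes. The following added Python example, not code from the course or from Splunk, runs that logic over constructed auth.log lines: it flags a source IP that accumulates a threshold of failed SSH logins inside a sliding time window, and records whether a successful login from the same IP followed, which is the detail an analyst triages first. The threshold and window are assumptions to be tuned per environment.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd lines as they appear in /var/log/auth.log (syslog timestamp has no year)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (?:password|publickey) for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample: one rapid burst with a success after it, one user typo, one slow trickle
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 10:00:03 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.9 port 40123 ssh2
Mar  3 10:00:04 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 40124 ssh2
Mar  3 10:00:06 web01 sshd[2216]: Failed password for root from 203.0.113.9 port 40125 ssh2
Mar  3 10:00:07 web01 sshd[2218]: Failed password for root from 203.0.113.9 port 40126 ssh2
Mar  3 10:00:09 web01 sshd[2220]: Accepted password for root from 203.0.113.9 port 40127 ssh2
Mar  3 10:05:00 web01 sshd[2301]: Failed password for alice from 10.0.0.21 port 50001 ssh2
Mar  3 10:05:40 web01 sshd[2303]: Accepted publickey for alice from 10.0.0.21 port 50002 ssh2
Mar  3 10:31:00 web01 sshd[2400]: Failed password for bob from 10.0.0.33 port 50100 ssh2
Mar  3 10:45:00 web01 sshd[2402]: Failed password for bob from 10.0.0.33 port 50101 ssh2
Mar  3 11:02:00 web01 sshd[2404]: Failed password for bob from 10.0.0.33 port 50102 ssh2
Mar  3 11:20:00 web01 sshd[2406]: Failed password for bob from 10.0.0.33 port 50103 ssh2
Mar  3 11:38:00 web01 sshd[2408]: Failed password for bob from 10.0.0.33 port 50104 ssh2
"""


def _ts(syslog_time: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so the values are comparable."""
    return datetime.strptime(f"{year} {syslog_time}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {ip: finding} for every source IP with >= threshold failures inside `window`."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    successes: dict[str, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if (m := FAILED_RE.match(line)):
            failures[m["ip"]].append(_ts(m["ts"]))
        elif (m := ACCEPTED_RE.match(line)):
            successes[m["ip"]].append(_ts(m["ts"]))

    findings = {}
    for ip, times in failures.items():
        times.sort()
        start = 0                                   # sliding window over sorted failure times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "first_seen": times[start],
                    "failures": end - start + 1,
                    # a success after the burst turns a noisy alert into an incident
                    "success_after": any(t >= times[end] for t in successes[ip]),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

With the defaults only 203.0.113.9 is reported: alice's single mistyped password is below the threshold, and bob's five failures are spread over more than an hour, so no two-minute window holds enough of them. Widening the window to two hours makes bob's trickle visible, which is the trade-off between catching low-and-slow guessing and drowning analysts in false positives.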
DEMO : Install Splunk in Linux Instance
DEMO : Log forwarding to Splunk
1. Installing "sysmon" in a Windows machine
2. Collecting & transferring logs via "Universal Forwarder (UF)"
• Security Orchestration, Automation and Response – Azure Sentinel
• It is a technology that allows organizations to collect data (alerts + events) & lets analysts respond to threats in real time by automating repetitive tasks
Figure: Security OAR – Orchestration: threat & vulnerability management; Automation: automate particular areas of security operations to strategically increase the effectiveness of security operations; Response: security incident response
• osquery 101
• The osquery framework, originally developed by Meta, exposes an OS as a high-performance relational database.
• Data like system network connections, running processes, etc. is stored in tables
• We can extract the system data from the tables using SQL queries
• Extracted information can then be fed to SIEM servers, etc. for further processing
Figure: system information stored in table format
• Install OSQuery (Linux)
Link : https://osquery.io/downloads/
Exercise : Install osquery in a Linux instance
• Run and check all the available tables:
• Check the structure of each table
• Query from a table and limit the results
• Selecting 2 columns from a table
• With Filtering
Exercise : Explore the Tables & Replicate
the above exercises
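The query exercises above, worked as an added example that is not part of the course: osquery is built on SQLite, so the same SQL runs unchanged in the interactive shell, osqueryi, against its real processes and listening_ports tables (osqueryi's `.tables` and `.schema` commands correspond to list_tables and table_columns below). Here an in-memory SQLite database with a subset of those two tables' columns stands in for a live host; every row is constructed, including the suspicious listener whose binary lives under /tmp.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for osquery's processes and listening_ports tables (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT, uid INTEGER, parent INTEGER);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT);
        -- constructed rows: three normal daemons, an interactive shell, and a listener started from /tmp
        INSERT INTO processes VALUES
          (1,    'systemd', '/usr/lib/systemd/systemd', '/sbin/init',           0,    0),
          (812,  'sshd',    '/usr/sbin/sshd',           '/usr/sbin/sshd -D',    0,    1),
          (1044, 'nginx',   '/usr/sbin/nginx',          'nginx: master process', 0,   1),
          (2301, 'bash',    '/usr/bin/bash',            '-bash',                1000, 2290),
          (2399, 'nc',      '/tmp/.x/nc',               'nc -lvp 4444',         1000, 2301);
        INSERT INTO listening_ports VALUES
          (812,  22,   6, '0.0.0.0'),
          (1044, 80,   6, '0.0.0.0'),
          (2399, 4444, 6, '0.0.0.0');
    """)
    return conn


def list_tables(conn) -> list:
    """Run and check all the available tables (osqueryi: .tables)."""
    return [r["name"] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def table_columns(conn, table: str) -> list:
    """Check the structure of a table (osqueryi: .schema <table>)."""
    if table not in list_tables(conn):            # PRAGMA takes no bind parameters, so allow-list the name
        raise ValueError(f"unknown table {table!r}")
    return [r["name"] for r in conn.execute(f"PRAGMA table_info({table})")]


def first_processes(conn, limit: int = 3) -> list:
    """Select two columns from a table and limit the results."""
    return [dict(r) for r in conn.execute("SELECT pid, name FROM processes LIMIT ?", (limit,))]


def listeners_outside_system_dirs(conn) -> list:
    """With filtering: listening programs whose binary is not under /usr or /sbin."""
    sql = """
        SELECT p.pid, p.name, p.path, p.uid, lp.port
        FROM listening_ports AS lp
        JOIN processes AS p ON p.pid = lp.pid
        WHERE p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%'
        ORDER BY lp.port
    """
    return [dict(r) for r in conn.execute(sql)]


if __name__ == "__main__":
    db = build_demo_db()
    print(list_tables(db))
    print(table_columns(db, "listening_ports"))
    print(first_processes(db, 2))
    print(listeners_outside_system_dirs(db))
```

The last query is the shape of a useful scheduled osquery pack entry: a join between two tables with a WHERE clause that encodes a local expectation (daemons live in system directories), so that what reaches the SIEM is the exception rather than the full process list.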
Final Examination Instructions
• Once the self-paced materials are thoroughly completed, please reach out at support@cyberwarfare.live to schedule the examination
• The exam project duration is 20 days, starting from the day the support team shares the details with you as per your schedule
• The project solution report must be in PDF format
• Candidates can follow any report template; however, the steps & documentation must be clear & thorough
• Candidates can submit the PDF report via email within the mentioned duration (20 days)
• Evaluators will provide the results within 3 working days
Thank you!
For any technical support, please mail at:
support@cyberwarfare.live