7.

Security Operations

2
 Basics of Security Operations
• Security Operations team is responsible for performing defensive activities for the organization

• They aim to protect critical organization assets from threat actors

• Employee equipped with different expertise work together on protecting the organization infrastructure
• SOC procedural workflow :

• Collect Logs from each and every system devices, networks etc.
1
• Analyse the logs to remove false positives and detect anomaly 2
• Regularly scan the organization assets to detect mis-configurations / vulnerability
3 • Act on possible ways to remediate the identified threat 4
• Document the findings and prepare sustainable incident response plan for possible

future cyber attack.

 Security Operations Center

Monitor Detect Remediate

IT Threats

Applications Systems Locations

Devices Network

ASSETS
• Three main functions of SOC
• Technology

• For SOC Team members, technology is their weapon, they use it to collect
different type of logs (login events, activities etc).

• Security Monitoring :

Log
Collection

Log
Development
Analysis
of detection
(events,
rules
incidents)
• Threat Hunting:

Collected Logs
(events, incidents)

Active search for new threats Suspicious Anomaly

• Threat Intelligence

Threat Intel
Data1 Data2
Information

Data Source
Data Source 1
2 Data Source
Data source 2
1
Data Source Data Source
3 3
• Continuous OSINT Gathering

•Selling •Social
breached Media
information

Internal
Credentials
documents

On-Premise
Certificates
Locations

•Leaked •Dark / Deep

Documents Web
• People

• Team comprises of people uses least amount of resources to get good visibility into active and emerging
threats.

• Continuous consolidation of technologies and effectively organizing team is required

ROLE DESCRIPTION RESPONSIBILITIES

Jr. Security Analyst [Tier-1] Triaging security incidents Triage alerts acc. to urgency and
relevancy. Manages & configures
security monitoring tools
Security Analyst [Tier-2] Incident Responder Reviews triaged alerts, identify
scope of the alert. Perform
remediation and recovery efforts
Senior Security Analyst [Tier-3] Threat Hunter Conducts pentesting on production
env. Optimizes SOC tools based on
threat hunting
SOC Manager Chief of SOC Hiring, training & assessing staff.
Measures SOC performance &
communicates with CISOs
• Processes
• Process ensures timely synchronization and execution of various activities performed by the
SOC.

1.
4. Assessment Event
and Auditing Classification &
Triage

SOC PROCESS

2.
3. Remediation
& Recovery Prioritize &
Analysis
• Security Information and Event Management (SIEM) WorkFlow

Relevant Security Data

Firewall File Server DNS Server Web Network Devices Cloud Providers
Applications

Log Management / Analytics Tool

Anomaly Rule Traffic

Detection Implementation Visualization
• Industry recognized SIEM Tools

• Feed data from organization resources and they provide deep level insights of the assets
day to day operations
• SIEM Detection Rule
• Device integration with SIEM Tools

Reference : https://nxlog.co/agent-based-versus-agent-less
• Exercises :

• Setting-up the environment for attack and defense visualization

Host based Defence
• Host includes physical / virtual OS that are allocated to the employee of organization

• Enterprise majorly have the following OS’s:

• Windows

• Linux

• Mac

• Tools like OSQuery (cross-platform), Sysmon (Windows) etc can be used to collect
and transmit logs for analysing performance of hosts devices.
• Host Firewall - Windows

• Defender host firewall present in Win Vista, 7, 8, 10, 11 & server edition.

• It helps secure the devices by in-bound & out-bound rules.

• The rules states which network traffic can go in and out from the device

• The firewall works on 3 different network types : Private, Public & Domain
• Inbound Rules : Network traffic coming from the external device. Ex : Someone tries to
connect to FTP Server on host machine.

• Outbound rules : Network traffic originating from the host device. Ex : Host machine tries to
connect to a web server.

• Connection Rules : Used to filter the network traffic going in and out the host device.
 Traffic Flow Diagram

Internet

Outbound Traffic Web Server

Firewall

Host Device

Inbound Traffic
DEMO : Block Google Chrome
from accessing the internet
 Outbound
Setting
Exercise 1 : Isolate Machine from Internet

Inbound
Setting
Exercise 2 : Block ICMP packets originating from Internet
towards your hosts machine
• Host Firewall – iptables

• Firewall utility that comes in-built in most Linux operating systems.

• It is a command line utility, that filters network traffic going-in or going-out of

the system.

• Iptables has 3 different chains, namely:

• Input : Controls incoming connections. Ex : SSH into host machine with iptables enabled

• Output : Controls outgoing connections. Ex : Sending ICMP packets to a destination

• Forward : Helpful during routing scenarios, utilizes traffic forwarding utilities to sent data
to destined address.
• Check the current configuration of iptables.

• Iptable accept, deny chains:

“Linux” Host “Windows”

Iptables
Device External Device
• DROP the connection in INPUT chain :

• ACCEPT the connection in INPUT chain :

• DROP the connection in OUTPUT chain :

• ACCEPT the connection in INPUT chain :

• Connection Specific Responses

• ACCEPT : Allow the connection

• DROP : Drop the connection without sending any errors
• REJECT : Drop the connection but send back an error response

• Block connection from a range of IP address:

• Block connection to a specific service port (SSH) over TCP

SSH from another machine

• Save the configured rules

• Flush the rules:

 OUTPUT
Setting
Exercise 1 : Block ICMP packets using iptables

INPUT
Setting
Exercise 2 : Block ICMP packets originating from Internet
towards your hosts machine
• Anti-Virus
• In General Terms, it is a computer program used to prevent, detect and remove malicious s/w.

• They continuously scan incoming files (coming to system from everywhere) and if any anomaly is
detected, it is quarantined / removed.

• The Landscape of security has moved a lot from focusing only a single device to end-point devices
like Cell-phone, Enterprise laptop, Tablet, Servers, Computers etc.

• End Point Security protects network, using a combination of FireWall, AntiVirus, Anti-Malware etc.

• They are explicitly designed for enterprise clients to protect all their endpoints devices like servers,
computers, mobile etc.
• Endpoint Detection & Response (EDR)
• Understanding Naming Context, it is clear that EDR is a solution that
continuously monitors, stores endpoint-devices behaviour to detect and
block suspicious / malicious activities and also provides remediation
facilities all at one place (single dashboard).

• Some unique key features of EDR are :

− Visibility
− Continuously updating Telemetry Database
− EDR Focus more on Indicator of Attack (IOA, Detecting the intention of an Adversary)
− Detailed Insights to the environment
− Precision & Accuracy in response
− Integrated with Cloud Based Solution
− Real-Time Monitoring and insights on a single dashboard
• But why?
− Big enterprises with more endpoint devices have more sensitive data
− Adversaries targeting endpoint servers / computers to establish foothold
− Detailed Insights to the environment
− Enterprise Adoption of SaaS based solutions is growing
− More Scalability and ease of configuration
− EDR includes fine-tuned multiple security solutions (focus on consolidation)

• Examples of EDR in market (not particularly in order of performance):

− FireEye Endpoint Security
− CrowdStrike Falcon Insight
− Microsoft Defender Advanced Threat Protection (ATP)
− VMware Carbon Black EDR
− Symantec Endpoint Protection
− SolarWinds Endpoint Detection and Response etc

33
Microsoft Defender for Endpoint
• Centralized platform to manage all the organization endpoint devices in a single dashboard
• Works on agent based methodology, it needs to be installed on endpoints which collects the data &
send the telemetry to dashboard
Microsoft Defender for Endpoint sign-up procedure

1. Sign-up with the Defender for Endpoint account

2. Login to the portal & select the platform agent

3. Download the agent to the endpoint and on-board it.

Endpoint will be visible in the dashboard within 30 minutes

4. Manage the endpoint from the defender for endpoint dashboard

 Defender Dashboard
Prioritize Alerts & Check incidents

Write custom queries to track

missed alerts

Overall threat Analytics

of on boarded
endpoints

Score as per MS
recommendations
DEMO : MS Defender for Endpoint
Demonstration

37
 Exercise 1

Onboard a Windows Machine and check it’s status in dashboard

Exercise 2

Onboard a Linux Machine and check it’s status in dashboard

Network based Defence
• Network comprises of multiple hosts present in the organization

• Network are segregated using firewalls, switches etc

• Collecting logs from network devices becomes difficult as they have a ton of data
regularly processing in the production
• Snort

• Open-Source Intrusion prevention system (IPS) developed by Cisco

• This software is capable of performing real-time traffic analysis and packet

logging on IP networks

• It can also be used to detect a variety of attacks and probes

• It has 3 modes:
• Packet Sniffer (like tcpdump)
• Packet Logger
• Full-blown IPS
• Download the software from here: https://www.snort.org/downloads

• The software can also be downloaded using the apt from already added
repository

• Snort performs real-time monitoring of packets using rules that are present in the
configuration file.
 Snort Rule Header

Type of Target IP & Port

traffic

[action] [protocol] [sourceIP] [sourceport] -> [destinationIP] [destport] ( [Rule Options] )

Action to Source IP & Port

take

Snort Rule Header Example

alert tcp $sourceIP $sourceport -> $destinationIP any

 Snort Rule Options

General Rule Options Detection Rule Options

Message: Meaningful msg Content: Search for a specific

stating the purpose of rule content in the packet payload

pcre : Regular expresssions

sid / rev: Unique identified
for each rule
Byte Test : It allows a rule to
test a number of bytes
Classtype : What the effect
against a specific value in
of successful attack would be
binar

Reference : External source

of information

Reference : For the rule to

fire, specifies which direction
the network traffic is going. Snort Infographic
• Snort configuration file location

/etc/snort/snort.conf

• Edit custom snort rules

/etc/snort/rules/local.rules

• Adding a rule in the local.rules

alert icmp any any -> 192.168.1.8 any (msg:”ICMP Test”; sid: 1000001; rev:1;)
• Starting snort and capturing traffic as per configured rules

sudo snort –T –i eth0 –c /etc/snort/snort.conf

sudo snort –A console –q –i eth0 –c /etc/snort/snort.conf

DEMO : Detect SSH Login Attempt
 Exercise 1

Detect ICMP packet heading towards the snort installed machine

https://www.youtube.com/watch?v=8lOTUqfkAhQ

Exercise 2

Detect failed FTP attempt using alert type

• Fortinet Fortigate Firewall

• Next-Generation firewall that provides ultimate threat protection for

businesses

• Mainly used in enterprises for the following purposes:

• VPN tunnels
• Network segmentation
• Web Filtering
• Secure Firewall Portal Access
• Easy integration with other Fortinet products
 INTERNET

AntiVirus Application Control

IPS SSL Inspection

FORTIGATE
FIREWALL

De-militarized
Militarized
Zone Zone
Network Access via VPN
Segmentation tunnel
 Exercise 1

Fortinet Fortigate Dashboard Demonstration

Exercise 2

Fortinet Fortigate Abuse Demonstration (RCE)

• Security Information and Event Management – Splunk

• It provides real-time data to perform analysis based on security events

• Tools like Splunk matches collected events against rules & analytics engines to
detect & analyse advanced threats

• Alert indexing is an important aspect that is covered by Splunk. It integrates

the events into alert workflow procedure

• Splunk and SIEM can be deployed in

• Single environment
• Distributed environment
• Splunk Working Modes
• Configuring Splunk

1. Download (as per platform)

2. Install & Begin

3. Forward data to the splunk

4. Search / Visualize / Raise

• Log Collection in Splunk (local setup)

• Select the following icon after signing up

• Navigate and choose the “Monitor” option, it will monitor the local splunk platform instance
• Choose the auth.log file that collects login attempts locally

• Select the source type as “linux_secure”

• Perform the final review and then start searching

• Monitor the events in real-time

• Log collection other sources

1 2

3 4
5
DEMO : Install Splunk in Linux Instance
 DEMO : Log forwarding to Splunk

1. Installing “sysmon” in Windows Machine

2. Collecting & Transferring logs via “Universal
Forwarder (UF)”
 DEMO : Log forwarding to Splunk

1. Installing “sysmon” in Windows Machine

2. Collecting & Transferring logs via “Universal
Forwarder (UF)”
• Security Orchestration, Automation and Response – Azure Sentinel

• It is a technology that allows organizations to collect data (alerts + events) &

allows analysts to respond to threats in real-time using repetitive tasks

Security OAR

Orchestration Automation Response

Threat & Automate particular Security Incident

Vulnerability areas of security Response to
Management operations strategically
increase the
effectiveness of
Security Operations
• OSQuery 101

• OSQuery framework originally developed by Meta, exposes an OS as a high-operational

database.

• Data like system network connection, running processes etc is stored in tables

• We can extract the system data using SQL queries from the tables

• Extracted information can then be feed to SIEM servers etc for further processing
 System information
stored in tables format
• Install OSQuery (Linux)

Link : https://osquery.io/downloads/
Exercise : Install OSQUERY in Linux Instance
• Run and check all the available tables:
• Check the structure of each table
• Query from a table and limit the results
• Selecting 2 columns from a table

• With Filtering
Exercise : Explore the Tables & Replicate
the above exercises
 Thank you!

For any technical support, please mail at:

support@cyberwarfare.live