Introduction to Cybersecurity Operations
32 Questions
Questions and Answers

What is the primary function of Tier 3 in a Security Operations Center?

  • Threat hunting and development of preventive measures (correct)
  • Initial incident confirmation and triage
  • Deep-dive incident analysis and remediation advice
  • Isolation of affected systems during an incident

During which phase of the Incident Response Lifecycle are tools and resources prepared for immediate use?

  • Post-Incident Activity
  • Containment, Eradication & Recovery
  • Preparation (correct)
  • Detection & Analysis

What does SOAR stand for in the context of security operations?

  • Security Operations and Risk
  • Strategic Operations for Automated Responses
  • Security Orchestration, Automation and Response (correct)
  • Systematic Operations Against Risks

What is the primary goal of the Containment, Eradication & Recovery phase?

  • Isolating affected systems and restoring normal operations (correct)

Which of the following best describes the function of Tier 2 in a Security Operations Center?

  • Conducting in-depth incident analysis and recommending remediation (correct)

Which sources are typically used for detection and analysis of incidents?

  • SIEMs, IDPSs, and antivirus software (correct)

What is the primary focus of the Detection & Analysis phase in the Incident Response Lifecycle?

  • Identifying attack vectors and signs of an incident (correct)

What is the outcome of the Post-Incident Activity phase?

  • Developing new policies to prevent future incidents (correct)

What is the primary function of a Command and Control (C2) Server in malware infections?

  • To centralize control over all infected machines (correct)

Which method is NOT advisable when using VirusTotal for file analysis?

  • Uploading the file directly for analysis (correct)

What characteristic is typical of the Trickbot malware when identifying indicators of compromise?

  • It sends requests to external IP checking sites (correct)

Which property would you NOT expect to find in the digital certificate used for Dridex malware's SSL/TLS encryption?

  • All fields properly populated with relevant information (correct)

Which cryptographic method uses the same key for both encryption and decryption?

  • Symmetric Key Cryptography (correct)

When analyzing network traffic of an infection, which of the following is an uncommon TCP port typically used by Trickbot?

  • TCP 8082 (correct)

To follow a TCP stream and save it in a specific format, which sequence of actions should be taken?

  • Right click frame > Follow > TCP Stream > ASCII to Raw > Save As (correct)

Which method could be used to identify a specific HTTP client in network traffic?

  • Use the 'Follow HTTP Stream' option (correct)

What type of information typically indicates the behavior of a file in a malware analysis context?

  • File aliases and its communicated IP addresses (correct)

What is the significance of an 'NS' DNS record?

  • It specifies which DNS server to query for a domain (correct)

How does Wireshark identify a packet within its framework?

  • Designating each packet as a 'frame' (correct)

To effectively display traffic belonging to the subnet 192.168.20.0/24 in Wireshark, which filter should be applied?

  • ip.addr == 192.168.20.0/24 (correct)

When exporting files transmitted via TCP port 4444 from Wireshark, which option is most appropriate?

  • Export Objects > TCP (correct)

What information does a 'CNAME' DNS record provide?

  • It links to another domain's A record (correct)

Which command-line utility is suggested for computing checksums for files exported from Wireshark?

  • sha256sum (correct)

What does a built-in functionality in Wireshark allow users to do?

  • Extract files uploaded or downloaded in network traffic (correct)

Which layer of the OSI model is primarily responsible for the reliable transmission of data frames between two nodes?

  • Data Link (correct)

In the TCP/IP model, which layer is equivalent to the OSI model's Session layer?

  • Transport (correct)

What is the primary function of the Presentation layer in the OSI model?

  • Translation of data between networking services and applications (correct)

At which OSI layer does addressing and routing occur?

  • Network (correct)

Which of the following data units does the Transport layer in the OSI model primarily deal with?

  • Datagram (correct)

What is the main purpose of the Physical layer in the OSI model?

  • Transmission and reception of raw bit streams (correct)

Which protocol is not part of the TCP/IP model?

  • X.25 (correct)

What layer of the OSI model interacts directly with end-user applications?

  • Application (correct)

    Study Notes

    Tier 3 Security Operations Center (SOC)

    • Primary Function: Proactive threat hunting and the development of preventive measures (new detection content, hardening recommendations), plus ownership of the most complex incidents.
    • Focus: Advanced threat analysis, malware reverse engineering, incident response planning, and tuning of the detection stack. Isolating affected hosts is a containment step carried out during response, not the tier's defining job.
    • Responsibilities: Investigate high-profile incidents escalated from Tier 2, collaborate with engineering and threat-intelligence teams, and drive incident response procedures.
    • Expert Level: Tier 3 analysts are the most experienced practitioners in the SOC.

    Incident Response Lifecycle: Preparation

    • Phase: Preparation
    • Objective: Prepare tools and resources for prompt incident response.
    • Key Activities: Develop and maintain up-to-date response plans, ensure tool availability and functionality, conduct regular drills, create templates for incident documentation, and establish communication channels.

    SOAR

    • Stands for Security Orchestration, Automation, and Response.
    • Purpose: Automates and streamlines repetitive tasks in security operations.
    • Benefits: Enhanced incident response efficiency, reduces human error, and frees up security professionals for more complex tasks.

    Containment, Eradication, & Recovery Phase

    • Goal: Isolate the compromised system or network to prevent further spread, remove malware from affected devices, and restore systems to their pre-incident state.
    • Key Activities: Disconnecting compromised systems, isolating infected devices, removing malware, restoring data from backups, and hardening systems to prevent future attacks.

    Tier 2 Security Operations Center (SOC)

    • Function: Conducts in-depth analysis of incidents escalated from Tier 1 (which performs initial confirmation and triage) and recommends remediation.
    • Responsibilities: Analyze alerts, correlate events across sources, determine the severity and scope of incidents, advise on remediation, and escalate to Tier 3 when deeper expertise is required.
    • Technical Skills: Tier 2 analysts possess strong security knowledge and a working understanding of common attack techniques.

    Incident Detection & Analysis

    • Sources: Security tools logs, intrusion detection systems (IDS), security information and event management (SIEM) systems, network traffic analysis, endpoint monitoring tools, and threat intelligence feeds.
    • Process: Analyzing data from various sources to identify suspicious activity, correlating multiple events, and determining the nature and scope of potential incidents.

    Detection & Analysis Phase

    • Focus: Identifying and analyzing incidents, correlating events, and determining the scope and severity of the incident.
    • Key Activities: Analyzing security alerts, investigating suspicious activity, gathering evidence, and determining the root cause of the incident.

    Post-Incident Activity Phase

    • Outcome: Documenting the incident, analyzing the incident to identify weaknesses, implementing corrective actions, and updating security policies and procedures to prevent future incidents.
    • Key Activities: Documenting the incident response process, conducting a post-mortem analysis, implementing remediation measures, updating security policies, training teams, and reporting incident details to stakeholders.

    Command and Control (C2) Server

    • Function: In malware infections, a C2 server centralizes control over all infected machines. Each bot beacons to it for tasking; the operator issues commands through it rather than to individual hosts.
    • Purpose: Delivers commands and updates (new modules, configuration) to infected systems and receives the data they steal. Because every infected host talks to it, its addresses, ports and certificate fingerprints are the most valuable indicators to extract from a capture.

    VirusTotal

    • Not Advisable: Uploading a suspicious file directly. Anything uploaded is shared with participating vendors and is searchable by other VirusTotal users, so an internal document, a customer data set, or a targeted implant carrying your organization's name leaks out, and a careful attacker can see that their sample has been discovered.
    • Best Practices: Compute the file's SHA-256 locally and search VirusTotal by hash first; only consider uploading when the hash is unknown and the file contains nothing sensitive. Use the existing report (detections, Behavior and Relations tabs, contacted IPs and domains) to verify software legitimacy and to pivot on indicators.

    Trickbot Malware

    • Indicator of Compromise: Shortly after infection, Trickbot determines the victim's public IP address by sending HTTP requests to external IP-checking services (sites whose only purpose is to return the caller's address). A workstation contacting several such services in a row, especially just before connections to unusual ports, is a strong signal.
    • Behavior: Credential harvesting, banking-trojan activity (web injects), download of additional modules, and lateral movement to other vulnerable hosts. Trickbot does not rely on a domain generation algorithm; its C2 servers are hard-coded IP addresses in its configuration, so C2 traffic frequently goes straight to an IP with no preceding DNS query.

    Dridex Malware

    • Digital Certificate Properties: Dridex C2 traffic is TLS-encrypted (often on TCP 443, also on non-standard ports), but the server certificates are self-signed and their issuer and subject fields contain nonsensical or random-looking values: odd organization names, mismatched country and locality, no meaningful common name. A certificate with all fields properly populated and consistent is exactly what you would not expect to see. Inspect the server's Certificate handshake message (display filter tls.handshake.type == 11) and compare the issuer fields against the hostname, if any, in the Server Name Indication.

    Symmetric Encryption

    • Characteristic: Uses the same key for both encryption and decryption.
    • Example: AES (Advanced Encryption Standard)

    Trickbot TCP Port

    • Uncommon Port: Trickbot commonly uses TCP 8082 for C2 and exfiltration traffic (HTTP POST requests sent to a bare IP address rather than a hostname), alongside TLS on 443 and other non-standard ports. Traffic from a workstation to an IP on 8082 is worth a closer look. TCP 4444, which appears in the file-export question in this lesson, is not a Trickbot indicator; it is the default listener port for Metasploit payloads.
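The two Trickbot indicators from the notes above (HTTP requests to IP-checking services and connections to TCP 8082) as detection logic run over flow records. This is an added example, not code from the original lesson; the list of IP-check hostnames is a sample list assumed for the demonstration, not a definitive Trickbot list, and the flow records are constructed.

```python
"""Flag Trickbot-style network behaviour in flow/HTTP log records.

Added example, not part of the original study notes. Indicator 1: an
infected host looks up its own public IP via an external "what is my IP"
service. Indicator 2: C2 traffic on the unusual TCP port 8082. Hostnames
and records below are constructed sample data for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Public IP-lookup services (assumed sample list; extend from your own
# threat intelligence rather than treating this as exhaustive).
IP_CHECK_HOSTS = {
    "api.ipify.org", "checkip.amazonaws.com", "icanhazip.com",
    "ipecho.net", "ipinfo.io", "myexternalip.com", "wtfismyip.com",
    "ident.me", "ip.anysrc.net",
}
SUSPECT_PORTS = {8082}  # non-standard port called out in the notes


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str          # "http" or "tcp"
    host: str = ""      # HTTP Host header, when the flow is HTTP


def host_is_ip_check(host: str) -> bool:
    """Match a Host header against the IP-check list, including subdomains."""
    h = host.lower().rstrip(".")
    return any(h == svc or h.endswith("." + svc) for svc in IP_CHECK_HOSTS)


def score_flows(flows):
    """Return {src_ip: sorted indicator names} for hosts tripping at least
    one indicator. A host showing both indicators is the pattern to escalate."""
    hits = defaultdict(set)
    for f in flows:
        if f.proto == "http" and host_is_ip_check(f.host):
            hits[f.src].add("ip_check_lookup")
        if f.proto == "tcp" and f.dport in SUSPECT_PORTS:
            hits[f.src].add(f"tcp_{f.dport}")
    return {ip: sorted(v) for ip, v in hits.items()}


# Constructed sample flows: one infected-looking host, one benign host.
SAMPLE_FLOWS = [
    Flow("192.168.20.15", "203.0.113.10", 80, "http", "api.ipify.org"),
    Flow("192.168.20.15", "198.51.100.7", 8082, "tcp"),
    Flow("192.168.20.15", "198.51.100.7", 443, "tcp"),
    Flow("192.168.20.42", "203.0.113.55", 443, "tcp"),
    Flow("192.168.20.42", "203.0.113.56", 80, "http", "www.example.com"),
]

if __name__ == "__main__":
    for ip, indicators in score_flows(SAMPLE_FLOWS).items():
        print(ip, indicators)
```

In a real SOC this would run over proxy or NetFlow exports; the point is that each indicator alone is noisy (legitimate software also asks for its public IP), while the combination on one host within a short window is specific enough to alert on.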

    TCP Stream Analysis

    • Sequence: Right-click a frame belonging to the conversation > Follow > TCP Stream. In the stream window, select a single direction from the conversation drop-down (server to client for a downloaded file), change "Show data as" from ASCII to Raw, then Save As to write the bytes to disk. Saving while both directions are selected, or while the ASCII view is active, produces a corrupted file.

    Identifying HTTP Client

    • Method: Right-click an HTTP request > Follow > HTTP Stream to see the complete request headers. The User-Agent string identifies the client software (browser, updater, scripting engine, malware loader); Host, Accept-Language and cookies narrow it further. The display filter http.user_agent, or Statistics > HTTP > Requests, lists every distinct client in the capture.

    Malware Analysis: File Behavior

    • Information: On VirusTotal, the Behavior and Relations tabs list the names (aliases) a file has been observed under and the IP addresses and domains it contacted. A sandbox report adds process calls, file modifications, network connections, registry changes, and interaction with other systems. Match the contacted addresses against the capture to confirm the sample is the one responsible for the traffic.

    DNS Record: NS

    • Significance: An NS record maps a domain name to a name server that holds its DNS records.

    Wireshark Packet Identification

    • Method: Wireshark treats each captured packet as a "frame", the unit handed over by the capture library including its link-layer header. The packet list numbers them frame 1, 2, 3, ..., and filters refer to them through fields such as frame.number, frame.time and frame.len.

    Wireshark Filtering: Subnet

    • Filter: ip.addr == 192.168.20.0/24 matches a packet if either its source or its destination address falls in the subnet. To exclude the subnet, use !(ip.addr == 192.168.20.0/24); in Wireshark releases before 3.6, ip.addr != 192.168.20.0/24 instead matched any packet with at least one address outside the range, which is rarely what the analyst meant.
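The filter semantics above, modelled on packet records so the difference between "either address matches", "either address differs" and "neither address matches" is visible. This is an added example, not code from the original lesson or from Wireshark; the packet records are constructed, and the functions mirror Wireshark's behaviour for a two-valued field like ip.addr (the any-not-equal form is what `!=` meant before Wireshark 3.6 and what `any_ne` / `~=` means from 3.6 on).

```python
"""Display-filter semantics of `ip.addr == 192.168.20.0/24` on packet records.

Added example, not from the original page or from Wireshark. ip.addr is a
field that occurs twice per packet (source and destination), which is why
negating it naively gives surprising results. Packet records are constructed.
"""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.20.0/24")


def _addrs(pkt):
    return ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])


def ip_addr_eq(pkt, net=SUBNET):
    """`ip.addr == net`: true if EITHER src or dst is inside net."""
    return any(a in net for a in _addrs(pkt))


def ip_addr_any_ne(pkt, net=SUBNET):
    """`ip.addr any_ne net` (and `ip.addr != net` before Wireshark 3.6):
    true if EITHER address is outside net. Not the complement of ip_addr_eq."""
    return any(a not in net for a in _addrs(pkt))


def not_ip_addr_eq(pkt, net=SUBNET):
    """`!(ip.addr == net)`: true only when NEITHER address is inside net.
    This is the filter that actually excludes a subnet."""
    return not ip_addr_eq(pkt, net)


# Constructed sample packets (RFC 5737 documentation ranges for externals).
PACKETS = [
    {"no": 1, "src": "192.168.20.15", "dst": "198.51.100.7"},  # internal -> external
    {"no": 2, "src": "192.168.20.15", "dst": "192.168.20.1"},  # internal -> internal
    {"no": 3, "src": "203.0.113.9", "dst": "198.51.100.7"},    # neither side internal
]


def apply_filter(filter_fn, packets=PACKETS):
    """Return the frame numbers a filter would leave in the packet list."""
    return [p["no"] for p in packets if filter_fn(p)]


if __name__ == "__main__":
    print("ip.addr == net      ->", apply_filter(ip_addr_eq))
    print("ip.addr any_ne net  ->", apply_filter(ip_addr_any_ne))
    print("!(ip.addr == net)   ->", apply_filter(not_ip_addr_eq))
```

Frame 1 appears in both the equals and the any-not-equal results, which is the trap: an analyst who types the any-not-equal form to hide internal traffic still sees every internal-to-external conversation.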

    Exporting Data from Wireshark

    • Option: File > Export Objects extracts files only from protocols Wireshark dissects as object carriers (HTTP, SMB, FTP-DATA, IMF, TFTP, DICOM); there is no generic TCP entry in that menu. For a transfer on an arbitrary port such as 4444, filter on tcp.port == 4444, follow the TCP stream, select the direction that carries the file, switch "Show data as" to Raw, and Save As. Check the saved size against any Content-Length header and hash the result before handling it further.

    DNS Record: CNAME

    • Information: A CNAME record makes one name an alias for another, canonical name (for example www.example.com CNAME web.example.net). The resolver then looks up the canonical name's A or AAAA record to obtain the address, following a chain of aliases if there is one. A name that owns a CNAME cannot carry other record types, and resolvers cap chain length to defend against alias loops.
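How a resolver chases a CNAME chain down to the A record, including the loop and chain-length guards mentioned above. This is an added example, not code from the original lesson; it resolves against a constructed in-memory zone rather than live DNS, and the names, addresses and the chain limit are assumed sample values.

```python
"""Follow CNAME aliases to an A record using a constructed in-memory zone.

Added example; not from the original page. Names use RFC 2606 reserved
domains and RFC 5737 addresses. Real resolvers issue one query per hop
(or receive the chain in a single answer section); the control flow is
the same.
"""

# Constructed zone: owner name -> (record type, rdata). Fully qualified.
ZONE = {
    "www.example.com.": ("CNAME", "web.example.net."),
    "web.example.net.": ("CNAME", "edge-1.example.net."),
    "edge-1.example.net.": ("A", "198.51.100.20"),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}

MAX_CHAIN = 8  # assumed cap on alias hops, as resolvers impose one


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def resolve_a(name, zone=ZONE):
    """Return (aliases_followed, ipv4_address).

    Raises ValueError on a CNAME loop or an over-long chain and LookupError
    when a name in the chain does not exist (NXDOMAIN).
    """
    name = _fqdn(name)
    chain, seen = [], set()
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        if len(chain) > MAX_CHAIN:
            raise ValueError("CNAME chain exceeds MAX_CHAIN")
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, rdata = rr
        if rtype == "A":
            return chain, rdata
        chain.append(name)       # remember the alias, then hop to its target
        name = _fqdn(rdata)


if __name__ == "__main__":
    aliases, addr = resolve_a("www.example.com")
    print(" -> ".join(aliases + [addr]))
```

During an investigation the intermediate names in the chain matter as much as the final address: a compromised site is often reached through a CNAME into a CDN or a dangling alias, so log every hop rather than only the A record.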

    Command-line Checksum Utility

    • Utility: sha256sum file.bin prints the SHA-256 hash, which is what VirusTotal searches and most threat-intelligence feeds key on. MD5 (md5sum) still appears in older reports but is collision-prone and should never be the only hash recorded for an exported file.
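The export-and-verify procedure from the notes on TCP stream analysis, exporting data and checksums, and the hash-first VirusTotal practice, carried out in code: one direction of a TCP conversation is reassembled the way "Follow TCP Stream > Raw" presents it, the HTTP body is separated out, and its SHA-256 is compared against a local reputation list before any upload decision. This is an added example, not code from the original lesson or from Wireshark; the TCP segments, the fake binary and the known-bad hash set are constructed sample data.

```python
"""Reassemble one direction of a TCP stream, save the raw bytes, hash them.

Added example reproducing what Wireshark does for Follow > TCP Stream >
Show data as Raw > Save As, followed by `sha256sum` and a hash-first
reputation check. All segments and hashes below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port"
    dst: str
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def follow_stream(segments, client, server):
    """Reassemble the server -> client direction of a conversation.

    Segments are ordered by sequence number, pure retransmissions are
    dropped and overlapping bytes trimmed. If the capture is missing
    packets the pieces are simply concatenated, as Wireshark does.
    """
    direction = [s for s in segments if s.src == server and s.dst == client]
    direction.sort(key=lambda s: s.seq)
    data, next_seq = bytearray(), None
    for s in direction:
        if next_seq is None:
            next_seq = s.seq
        if s.seq + len(s.payload) <= next_seq:
            continue                          # already have these bytes
        offset = max(0, next_seq - s.seq)     # trim partial overlap
        data += s.payload[offset:]
        next_seq = s.seq + len(s.payload)
    return bytes(data)


def split_http_response(raw):
    """Separate HTTP headers from the body that is the actual file."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers in stream")
    return head.decode("latin-1"), body


def sha256_hex(data):
    """Same digest `sha256sum saved_file` prints."""
    return hashlib.sha256(data).hexdigest()


def hash_first_verdict(digest, known_bad):
    """Decide from the hash alone; uploading the file is a separate, later choice."""
    if digest in known_bad:
        return "known-bad"
    return "unknown: search VirusTotal by hash before considering an upload"


# Constructed conversation: a tiny "binary" fetched over TCP 4444.
CLIENT, SERVER = "192.168.20.15:49812", "198.51.100.7:4444"
HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
       b"Content-Length: 8\r\n\r\n")
BODY = b"MZ\x90\x00fake"   # 8 bytes standing in for a PE file
SAMPLE_SEGMENTS = [
    Segment(CLIENT, SERVER, 5000, b"GET /update.bin HTTP/1.1\r\nHost: x\r\n\r\n"),
    Segment(SERVER, CLIENT, 1000 + len(HDR), BODY),  # body arrives first
    Segment(SERVER, CLIENT, 1030, HDR[30:]),
    Segment(SERVER, CLIENT, 1000, HDR[:30]),
    Segment(SERVER, CLIENT, 1000, HDR[:30]),         # retransmission
]
KNOWN_BAD = {sha256_hex(BODY)}  # constructed local reputation list

if __name__ == "__main__":
    raw = follow_stream(SAMPLE_SEGMENTS, CLIENT, SERVER)
    head, body = split_http_response(raw)
    digest = sha256_hex(body)
    print(head.splitlines()[0], len(body), "bytes", digest, hash_first_verdict(digest, KNOWN_BAD))
```

Note that the digest is taken over the body only: hashing the whole saved stream, headers included, gives a value that will never match a vendor's hash of the file.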

    Wireshark Built-in Functionality

    • Allows: Packet dissection, display filtering, stream following, protocol statistics, and extraction of files uploaded or downloaded in the traffic (File > Export Objects for HTTP, SMB and the other supported carriers; Follow TCP Stream > Raw > Save As for anything else).

    OSI Model: Data Link Layer

    • Responsibility: Reliable transmission of frames between two directly connected nodes: MAC addressing, framing, error detection (for example the Ethernet frame check sequence) and, on some link types, flow control. Not to be confused with the Transport layer, which provides end-to-end reliability between hosts across many links.

    TCP/IP Model: Session Layer

    • Equivalent: This lesson maps the OSI Session layer onto the Transport layer of the four-layer TCP/IP model. Be aware that the TCP/IP model as described in RFC 1122 has no session layer; most references fold OSI layers 5 to 7 (Session, Presentation, Application) into the single TCP/IP Application layer, so expect the other answer on exams that use that mapping.

    OSI Model: Presentation Layer

    • Function: Handles data formatting, encryption, and decryption, ensuring data is transmitted in a compatible format for the receiving application.

    OSI Model: Network Layer

    • Addressing and Routing: Responsible for addressing and routing data packets across networks.

    OSI Model: Transport Layer Data Units

    • Data Units: Segments for TCP and datagrams for UDP; this lesson's quiz uses the term datagram. Network-layer units are packets, Data Link units are frames.

    OSI Model: Physical Layer

    • Purpose: Transmits data over physical media like cables or wireless signals.

    TCP/IP Model: Non-Included Protocol

    • Protocol: X.25, the ITU-T packet-switched WAN protocol suite. It predates and is independent of TCP/IP; IP traffic could be carried over X.25 links, but X.25 is not part of the TCP/IP suite.

    OSI Model: Application Layer

    • Interaction: Interacts directly with end-user applications.
