Introduction to Cybersecurity Operations
32 Questions

Questions and Answers

What is the primary function of Tier 3 in a Security Operations Center?

  • Threat hunting and development of preventive measures (correct)
  • Initial incident confirmation and triage
  • Deep-dive incident analysis and remediation advice
  • Isolation of affected systems during an incident

During which phase of the Incident Response Lifecycle are tools and resources prepared for immediate use?

  • Post-Incident Activity
  • Containment, Eradication & Recovery
  • Preparation (correct)
  • Detection & Analysis

What does SOAR stand for in the context of security operations?

  • Security Operations and Risk
  • Strategic Operations for Automated Responses
  • Security Orchestration, Automation and Response (correct)
  • Systematic Operations Against Risks

What is the primary goal of the Containment, Eradication & Recovery phase?

  • Isolating affected systems and restoring normal operations (B)

Which of the following best describes the function of Tier 2 in a Security Operations Center?

  • Conducting in-depth incident analysis and recommending remediation (A)

Which sources are typically used for detection and analysis of incidents?

  • SIEMs, IDPSs, and antivirus software (C)

What is the primary focus of the Detection & Analysis phase in the Incident Response Lifecycle?

  • Identifying attack vectors and signs of an incident (A)

What is the outcome of the Post-Incident Activity phase?

  • Developing new policies to prevent future incidents (D)

What is the primary function of a Command and Control (C2) Server in malware infections?

  • To centralize control over all infected machines. (D)

Which method is NOT advisable when using VirusTotal for file analysis?

  • Uploading the file directly for analysis. (C)

What characteristic is typical of the Trickbot malware when identifying indicators of compromise?

  • It sends requests to external IP checking sites. (A)

Which property would you NOT expect to find in the digital certificate used for Dridex malware's SSL/TLS encryption?

  • All fields properly populated with relevant information. (C)

Which cryptographic method uses the same key for both encryption and decryption?

  • Symmetric Key Cryptography (D)

When analyzing network traffic of an infection, which of the following is an uncommon TCP port typically used by Trickbot?

  • TCP 8082 (B)

To follow a TCP stream and save it in a specific format, which sequence of actions should be taken?

  • Right click frame > Follow > TCP Stream > ASCII to Raw > Save As. (A)

Which method could be used to identify a specific HTTP client in network traffic?

  • Use the 'Follow HTTP Stream' option (A)

What type of information typically indicates the behavior of a file in a malware analysis context?

  • File aliases and its communicated IP addresses. (D)

What is the significance of an ‘NS’ DNS record?

  • It specifies which DNS server to query for a domain (A)

How does Wireshark identify a packet within its framework?

  • Designating each packet as a 'frame' (A)

To effectively display traffic belonging to the subnet 192.168.20.0/24 in Wireshark, which filter should be applied?

  • ip.addr == 192.168.20.0/24 (B)

When exporting files transmitted via TCP port 4444 from Wireshark, which option is most appropriate?

  • Export Objects > TCP (B)

What information does a ‘CNAME’ DNS record provide?

  • It links to another domain's A record. (D)

Which command-line utility is suggested for computing checksums for files exported from Wireshark?

  • sha256sum (D)

What does a built-in functionality in Wireshark allow users to do?

  • Extract files uploaded or downloaded in network traffic (B)

Which layer of the OSI model is primarily responsible for the reliable transmission of data frames between two nodes?

  • Data Link (B)

In the TCP/IP model, which layer is equivalent to the OSI model's Session layer?

  • Transport (B)

What is the primary function of the Presentation layer in the OSI model?

  • Translation of data between networking services and applications (D)

At which OSI layer does addressing and routing occur?

  • Network (C)

Which of the following data units does the Transport layer in the OSI model primarily deal with?

  • Datagram (D)

What is the main purpose of the Physical layer in the OSI model?

  • Transmission and reception of raw bit streams (D)

Which protocol is not part of the TCP/IP model?

  • X.25 (D)

What layer of the OSI model interacts directly with end-user applications?

  • Application (B)

Flashcards

OSI Model

A 7-layer network model that defines how data is transmitted and received over a network. Each layer is responsible for a specific function. The layers are Application, Presentation, Session, Transport, Network, Data Link, and Physical.

Application Layer

The highest layer of the OSI model. Responsible for interacting with applications and providing services like email, web browsing, and file sharing.

Presentation Layer

The layer that handles data formatting, encryption, and decryption. Ensures data is understood by the receiving application.

Session Layer

Responsible for managing communication sessions between applications. It sets up, coordinates, and terminates communication.

Transport Layer

Ensures reliable data transmission between machines. It segments data into packets, provides error checking, and ensures packets arrive in the correct order.

Network Layer

Responsible for addressing and routing data packets. It determines the path data takes from source to destination.

Data Link Layer

Handles error detection and correction within a local network segment. Ensures data arrives at the intended destination.

Physical Layer

The lowest layer of the OSI model. Responsible for transmitting raw data, such as electrical signals, over physical media.

Threat Actors

Individuals or groups who pose a threat to cybersecurity. They can be motivated by financial gain, political activism, or other reasons. They can include hackers, nation-states, and organized crime.

Security Operations Center (SOC)

A team of cybersecurity professionals who monitor and respond to security incidents. They use various technologies to detect threats, analyze incidents, and take corrective actions.

SOC Tier Descriptions

Different levels of expertise and responsibility within a SOC. Tier 1 deals with initial analysis and incident confirmation, Tier 2 performs deep-dive analysis, and Tier 3 focuses on threat hunting and preventive measures.

SOAR

A platform that automates and orchestrates security tasks. It aggregates security alerts, automates incident investigations, and executes predefined response actions. It focuses on efficiency and speed in handling security incidents.

Incident Response Lifecycle

A structured process for responding to security incidents. It consists of several phases, including preparation, detection & analysis, containment, eradication & recovery, and post-incident activity.

Preparation (IR Lifecycle)

The first phase of incident response. It involves preparing tools, resources, and procedures to effectively handle security incidents. Being ready at a moment's notice is key.

Detection & Analysis (IR Lifecycle)

Identifying potential attacks and determining if an actual security incident has occurred. It involves analyzing security data from various sources to identify suspicious activities and attack vectors.

Containment, Eradication & Recovery (CER) (IR Lifecycle)

Taking actions to isolate the incident, remove affected components, and restore systems to normal operation. This phase focuses on limiting damage and restoring functionality.

What is a frame in Wireshark?

In Wireshark, each captured network packet is called a frame. This refers to the entire data packet, including headers and payload.

What is a 'display filter' in Wireshark?

A display filter in Wireshark is used to select specific network traffic based on various parameters like IP address, protocol, or port number. It allows you to focus on relevant traffic.

What is an 'A' record in DNS?

An 'A' record in DNS is a mapping of a domain name to its corresponding IPv4 address. This allows the DNS to resolve a domain name to a numerical IP address for the internet.

What is a 'CNAME' record in DNS?

A 'CNAME' record is a DNS record used to create an alias or nickname for an existing domain name. It allows you to point a new domain to an already existing one.

What is a 'NS' record in DNS?

An 'NS' record in DNS specifies which DNS server holds authoritative information for a particular domain name. It acts like a directory for specific domain data.

How can Wireshark help with artifact analysis?

Wireshark helps in artifact analysis by providing tools to extract files from captured network traffic. You can export files, calculate checksums, and submit files to VirusTotal for analysis.

What is file carving in Wireshark?

File carving is a technique in Wireshark used to extract files from network packets even without the original file headers. This can be useful for recovering lost or fragmented files.

How to export files from Wireshark?

You can use Wireshark's File > Export Objects feature to download files transmitted via various protocols like HTTP or SMB. This helps in retrieving files sent over the network.

VirusTotal

A website that analyzes files for potential malware and provides information about their origins and behaviour.

File Attribution

The process of identifying the origin, purpose, and behaviour of a file, especially when it might be malicious.

C2 Server

A central server used by malware to control and communicate with infected machines.

Symmetric Key Cryptography

A type of cryptography that uses the same key for both encryption and decryption.

Asymmetric Key Cryptography

A type of cryptography that uses separate keys – one for encryption and another for decryption.

Trickbot Malware

A type of malware that targets Windows systems and steals credentials and financial data.

Dridex Malware

A type of malware that steals banking credentials by intercepting communication between users and their banks.

Indicators of Compromise (IoCs)

Specific patterns or characteristics that indicate a potential security compromise, like unusual network traffic or certificate anomalies.

Study Notes

Tier 3 Security Operations Center (SOC)

  • Primary Function: Handles complex incidents requiring deep technical expertise and investigations.
  • Focus: Advanced threat analysis, malware analysis, incident response planning, and incident containment.
  • Responsibilities: Investigate high-profile incidents, collaborate with other teams, and drive incident response procedures.
  • Expert Level: Tier 3 SOC analysts are highly skilled cybersecurity professionals.

Incident Response Lifecycle: Preparation

  • Phase: Preparation
  • Objective: Prepare tools and resources for prompt incident response.
  • Key Activities: Develop and maintain up-to-date response plans, ensure tool availability and functionality, conduct regular drills, create templates for incident documentation, and establish communication channels.

SOAR

  • Stands for Security Orchestration, Automation, and Response.
  • Purpose: Automates and streamlines repetitive tasks in security operations.
  • Benefits: Enhances incident response efficiency, reduces human error, and frees up security professionals for more complex tasks.

Containment, Eradication, & Recovery Phase

  • Goal: Isolate the compromised system or network to prevent further spread, remove malware from affected devices, and restore systems to their pre-incident state.
  • Key Activities: Disconnecting compromised systems, isolating infected devices, removing malware, restoring data from backups, and hardening systems to prevent future attacks.

Tier 2 Security Operations Center (SOC)

  • Function: Analyzes alerts generated by security tools and investigates potential incidents.
  • Responsibilities: Analyze alerts, correlate events, determine the severity and scope of incidents, and escalate incidents to Tier 3 when necessary.
  • Technical Skills: Tier 2 analysts possess strong security knowledge and understanding of common attack techniques.

Incident Detection & Analysis

  • Sources: Security tools logs, intrusion detection systems (IDS), security information and event management (SIEM) systems, network traffic analysis, endpoint monitoring tools, and threat intelligence feeds.
  • Process: Analyzing data from various sources to identify suspicious activity, correlating multiple events, and determining the nature and scope of potential incidents.

Detection & Analysis Phase

  • Focus: Identifying and analyzing incidents, correlating events, and determining the scope and severity of the incident.
  • Key Activities: Analyzing security alerts, investigating suspicious activity, gathering evidence, and determining the root cause of the incident.

Post-Incident Activity Phase

  • Outcome: Documenting the incident, analyzing the incident to identify weaknesses, implementing corrective actions, and updating security policies and procedures to prevent future incidents.
  • Key Activities: Documenting the incident response process, conducting a post-mortem analysis, implementing remediation measures, updating security policies, training teams, and reporting incident details to stakeholders.

Command and Control (C2) Server

  • Function: In malware infections, a C2 server serves as a communication point between infected systems and attackers.
  • Purpose: Receives commands from attackers, sends updates, and relays stolen data.

VirusTotal

  • Not Advisable: Uploading entire hard drives to VirusTotal, as it can violate privacy policies and overload the system.
  • Best Practices: Use it for suspicious files, analyzing malware samples, and verifying the legitimacy of software.

Trickbot Malware

  • Indicator of Compromise: Commonly utilizes domain generation algorithms (DGAs) to generate a vast number of random domains for its C2 servers, making detection difficult.
  • Behavior: Trickbot is known for credential harvesting, banking trojan activity, and spreading to other vulnerable systems.

Dridex Malware

  • Digital Certificate Properties: While Dridex often uses SSL/TLS encryption for communication, the digital certificates used for encryption might not conform to industry standards or have suspicious origins.

Symmetric Encryption

  • Characteristic: Uses the same key for both encryption and decryption.
  • Example: AES (Advanced Encryption Standard)

Trickbot TCP Port

  • Uncommon Port: Trickbot typically avoids commonly used ports but can use port 4444 for communication.

TCP Stream Analysis

  • Sequence: Open a TCP stream, select the relevant session, go to the "Follow" menu, and choose "TCP Stream".

Identifying HTTP Client

  • Method: Analyze HTTP requests in network traffic for unique identifiers like User-Agent strings, IP addresses, or cookies.

Malware Analysis: File Behavior

  • Information: Process calls, file modifications, network connections, registry changes, and interaction with other systems.

DNS Record: NS

  • Significance: An NS record maps a domain name to a name server that holds its DNS records.

Wireshark Packet Identification

  • Method: Wireshark displays packets by their protocol, source IP address, destination IP address, and packet number.

Wireshark Filtering: Subnet

  • Filter: ip.addr == 192.168.20.0/24

Exporting Data from Wireshark

  • Option: Export the data as a "PCAP file".

DNS Record: CNAME

  • Information: A CNAME record provides an alias for a canonical name, mapping a domain name to a different domain name.

Command-line Checksum Utility

  • Utility: Use the "md5sum" command to compute the MD5 checksum for files.

Wireshark Built-in Functionality

  • Allows: Packet dissection, filtering, traffic analysis, and export of data.

OSI Model: Transport Layer

  • Responsibility: Data transmission reliability, error control, and flow control.

TCP/IP Model: Session Layer

  • Equivalent: The Transport Layer in the TCP/IP model.

OSI Model: Presentation Layer

  • Function: Handles data formatting, encryption, and decryption, ensuring data is transmitted in a compatible format for the receiving application.

OSI Model: Network Layer

  • Addressing and Routing: Responsible for addressing and routing data packets across networks.

OSI Model: Transport Layer Data Units

  • Data Units: Segments

OSI Model: Physical Layer

  • Purpose: Transmits data over physical media like cables or wireless signals.

TCP/IP Model: Non-Included Protocol

  • Protocol: IPX (Internet Packet Exchange)

OSI Model: Application Layer

  • Interaction: Interacts directly with end-user applications.

Description

Explore the various threat actors in cybersecurity, including amateurs, hacktivists, financially motivated criminals, and nation-state actors. Understand their distinct motivations and techniques used in cyber operations. This quiz will enhance your knowledge of the cybersecurity landscape.
