L1-6 ICRM Cybersecurity Operations PDF

Summary

This document provides an introduction to cybersecurity operations. It covers threat actors, security operations centers (SOC), and the incident response lifecycle. Concepts such as security orchestration, automation and response (SOAR) and Lockheed Martin's Cyber Kill Chain are discussed.

Full Transcript

L1 - Introduction to Cybersecurity Operations

Threat Actors

Security Operations Center (SOC) - Tier Descriptions
- Tier 3 - Threat hunting and developing preventive measures.
- Tier 2 - Deep-dive incident analysis and advising on remediation.
- Tier 1 - Triage (initial analysis and incident confirmation).

Security Operations Center (SOC) - Technologies and Terminologies

SOAR (Security Orchestration, Automation and Response): a platform that performs
- aggregation of security alerts;
- automation of incident investigation and response workflows (via playbooks).

Incident Response Lifecycle

Why is the SOC structured like that? In terms of incident response, the process itself has several phases, and the different tiers of the SOC structure cater to the phases of the IR lifecycle (diagram on the right).

Phase | Brief Description
Preparation | Be ready to respond to incidents: tools and resources are ready at a moment's notice.
Detection & Analysis | Focuses on identifying attack vectors and signs of an incident. Uses precursors and indicators from a variety of sources for analysis (e.g. SIEMs, IDPSs, antivirus software).
Containment, Eradication & Recovery (CER) | Containment involves identifying and isolating the main assets responsible for the incident. Once the incident has been contained, eradication may be necessary to remove affected components. Recovery involves restoring affected systems to normal operations.
Post-Incident Activity | Discuss the lessons learned from the incident and provide actionable steps / recommendations to ensure that the incident does not happen again.

L2 - Tactics, Techniques and Procedures

Lockheed Martin's Cyber Kill Chain

MITRE ATT&CK Framework: https://attack.mitre.org/tactics/

Wireshark Basics 101

Network Fundamentals (Recap) - OSI Model

Layer | Function | Data Unit (PDU)
7. Application | High-level APIs, including resource sharing and remote file access | Data
6. Presentation | Translation of data between a networking service and an application, including character encoding, data compression and encryption/decryption | Data
5. Session | Managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes | Data
4. Transport | Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing | Datagram
3. Network | Structuring and managing a multi-node network, including addressing, routing and traffic control | Packet
2. Data Link | Reliable transmission of data frames between two nodes connected by a physical layer | Frame
1. Physical | Transmission and reception of raw bit streams over a physical medium | Symbol

Network Fundamentals (Recap) - TCP/IP Model

Layer | Function | Data Unit (PDU)
4. Application | High-level APIs, including resource sharing and remote file access; translation of data between a networking service and an application, including character encoding, data compression and encryption/decryption; managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes | Data
3. Transport | Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing | Datagram
2. Internet | Structuring and managing a multi-node network, including addressing, routing and traffic control | Packet
1. Network Interface | Reliable transmission of data frames between two nodes connected by a physical layer; transmission and reception of raw bit streams over a physical medium | Frame

Wireshark Basics

In Wireshark, each packet is called a frame. For example, the frame selected in the slide's screenshot is the 164th frame.
What display filter would show network traffic belonging to the 192.168.20.0/24 subnet?
ip.addr == 192.168.20.0/24

HTTP - how can we identify an HTTP client? Use "Follow HTTP Stream".

DNS - common DNS records of interest in a DNS server:
- 'A' record - IPv4 address of a domain
- 'AAAA' record - IPv6 address of a domain
- 'CNAME' record - link to another 'A' record (more like an alias)
- 'NS' record - informs which DNS server to talk to when querying for the targeted domain.

DNS (figure: "What Is A DNS NS Record? A Complete Guide To NS Records")
Notice that there is an 'NS' record? It tells the Internet: "If you need to know more about the 'example.com' domain, talk to my server 'ns.example.com' (192.0.2.2)." What if we can modify this entry to our own DNS server?

L5 - Basic Artifact Analysis

Analysis - Exporting Objects/Files from Wireshark
1. Export objects/files from Wireshark (save them within a separate folder).
2. Compute file checksums (sha256sum) for the files, using the Linux command-line utility.
3. Go to VirusTotal, which analyses files / URLs for viruses, worms, trojans, and other kinds of malicious content.

Export Objects/Files from Wireshark
Wireshark has built-in functionality to extract files that are uploaded/downloaded. Go to File > Export Objects > select your protocol (HTTP, SMB and many more).

Artifact Analysis Example
Export HTTP files > found mimikatz.exe > G0082 as APT

Manual File Carving in Wireshark
When exporting objects/files from Wireshark, which option would be the best to download files transmitted via TCP port 4444?
Right click frame > Follow > TCP Stream > ASCII to Raw > Save As

File Attribution - VirusTotal Website
Main website used not just to check for malware/trojans:
- To look for other IP addresses that the program communicates with
- Can use WHOIS info to determine country of origin
- Determine what the file aliases are
- Depict file behaviour (not covered for this module; see the Malware Analysis (MALS) subject, a year 3 elective)
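The L5 workflow of exporting objects, running sha256sum on them and looking the hash up on VirusTotal, as an added example that is not part of the original slides: it hashes the exported objects and builds a hash search link, so that the hash rather than the file is what leaves the analyst's machine. The VT_SEARCH URL pattern, the name -> bytes input schema and the sample objects are assumptions.

```python
import hashlib
from pathlib import Path

# Assumed VirusTotal search URL pattern; only the SHA256 is embedded in it, never the file.
VT_SEARCH = "https://www.virustotal.com/gui/search/{sha256}"


def sha256_hex(data: bytes) -> str:
    """Same digest that `sha256sum` prints for the file contents."""
    return hashlib.sha256(data).hexdigest()


def is_pe_file(data: bytes) -> bool:
    """Local triage before any lookup: Windows executables start with the 'MZ' header."""
    return data[:2] == b"MZ"


def attribute_objects(objects: dict[str, bytes]) -> dict[str, dict]:
    """Per exported object: SHA256, whether it looks like a PE, and the hash lookup URL.
    Takes name -> bytes (assumed schema) so it can be exercised without touching disk."""
    report = {}
    for name, data in objects.items():
        digest = sha256_hex(data)
        report[name] = {"sha256": digest, "pe": is_pe_file(data),
                        "lookup": VT_SEARCH.format(sha256=digest)}
    return report


def attribute_folder(folder: Path) -> dict[str, dict]:
    """Same report for every file in the folder the Wireshark objects were exported into."""
    return attribute_objects({p.name: p.read_bytes() for p in sorted(folder.iterdir()) if p.is_file()})


if __name__ == "__main__":
    # Constructed sample objects standing in for an HTTP export folder.
    sample = {"index.html": b"<html>hello</html>", "update.exe": b"MZ\x90\x00" + b"\x00" * 60}
    for name, info in attribute_objects(sample).items():
        print(f"{info['sha256']}  {name}  pe={info['pe']}\n  {info['lookup']}")
```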
File Attribution - How to use?
1. Generate the SHA256 hash value of the file.
2. Copy the hash and paste it into the VirusTotal search bar.
Note: It is NOT ADVISABLE to upload the file directly to VirusTotal (for confidentiality reasons):
- when dealing with PCAPs that are sensitive in nature;
- when the analysis is not meant for 'public' view.

L6 - Malware Infection Analysis

Analysing Network Traffic of an Infection
What is a C2 server? A Command and Control server is a centralised platform to manage all infected machines. Examples of C2 frameworks: Metasploit, Sliver, Merlin, etc.

Common Malware Infections

Symmetric / Asymmetric Key Cryptography
- Symmetric key cryptography: the same key is used to encrypt AND decrypt.
- Asymmetric key cryptography: one key to encrypt, another key to decrypt.

Trickbot Malware - Indicators of Compromise
- The infected Windows host sends a request to an IP address checking site (e.g. checkip.amazonaws.com, myexternalip.com).
- HTTPS/SSL/TLS traffic over uncommon TCP ports such as TCP 447 and TCP 449.
- HTTP traffic over uncommon TCP ports such as TCP 8082.
- HTTP requests ending in .png that return Windows executable files.

Dridex Malware - Indicators of Compromise
- The digital certificate used for SSL/TLS encryption has the following properties within the 'Certificate Issuer Data':
  - The 'countryName' and 'localityName' values are related to one another.
  - Other fields are populated with random string content.
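The Trickbot indicators listed above turned into a small detection routine, as an added example that is not from the slides: it matches each indicator against constructed connection records, aggregates distinct hits per source host, and requires more than one indicator before calling a host suspicious, since a single external-IP check is also ordinary behaviour. The Conn record schema, the sample traffic and the threshold are assumptions.

```python
from dataclasses import dataclass

# Indicators taken from the Trickbot slide above.
IP_CHECK_SITES = {"checkip.amazonaws.com", "myexternalip.com"}
UNCOMMON_TLS_PORTS = {447, 449}
UNCOMMON_HTTP_PORTS = {8082}

@dataclass
class Conn:
    # Constructed connection-summary schema, not Wireshark's own.
    src: str
    dst_port: int
    proto: str               # "http" or "tls", as classified by the analyst's tooling
    host: str = ""           # HTTP Host header or TLS SNI
    uri: str = ""            # HTTP request URI
    resp_magic: bytes = b""  # first bytes of the HTTP response body, if captured

def trickbot_indicators(c: Conn) -> list[str]:
    """Return the names of the Trickbot IoCs that a single connection matches."""
    hits = []
    if c.proto == "http" and c.host in IP_CHECK_SITES:
        hits.append("ip-check-site")
    if c.proto == "tls" and c.dst_port in UNCOMMON_TLS_PORTS:
        hits.append(f"tls-uncommon-port-{c.dst_port}")
    if c.proto == "http" and c.dst_port in UNCOMMON_HTTP_PORTS:
        hits.append(f"http-uncommon-port-{c.dst_port}")
    # A .png URI whose response body starts with the PE 'MZ' header is an executable in disguise.
    if c.proto == "http" and c.uri.lower().endswith(".png") and c.resp_magic[:2] == b"MZ":
        hits.append("png-uri-returns-exe")
    return hits

def summarize(conns: list[Conn]) -> dict[str, list[str]]:
    """Distinct indicators per source host, sorted; hosts with no hits are omitted."""
    per_src = {}
    for c in conns:
        per_src.setdefault(c.src, set()).update(trickbot_indicators(c))
    return {src: sorted(hits) for src, hits in per_src.items() if hits}

def suspicious_hosts(conns: list[Conn], min_indicators: int = 2) -> list[str]:
    """Hosts with at least min_indicators distinct IoCs; one hit alone is weak evidence."""
    return sorted(src for src, hits in summarize(conns).items() if len(hits) >= min_indicators)

# Constructed sample traffic: 10.0.0.5 behaves like an infected host, 10.0.0.9 is benign.
SAMPLE = [
    Conn("10.0.0.5", 80, "http", host="checkip.amazonaws.com", uri="/"),
    Conn("10.0.0.5", 447, "tls", host="203.0.113.7"),
    Conn("10.0.0.5", 8082, "http", host="203.0.113.7", uri="/gate.php"),
    Conn("10.0.0.5", 80, "http", host="cdn.example.test", uri="/img/a.png", resp_magic=b"MZ\x90\x00"),
    Conn("10.0.0.9", 80, "http", host="cdn.example.test", uri="/img/a.png", resp_magic=b"\x89PNG"),
]
```

Running `summarize(SAMPLE)` reports all four indicators for 10.0.0.5 and nothing for 10.0.0.9, so `suspicious_hosts(SAMPLE)` returns only the infected host.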
