A security operations center (SOC) is a centralized function that monitors and analyzes an organization's network and systems to detect and respond to threats and vulnerabilities. A SOC is not always a physical place; it is a philosophy, an approach and a set of processes that can be housed in one or more physical or virtual locations. A SOC typically includes analysts, managers and tooling to monitor security events and alerts in real time across many systems and applications.
A SOC analyst must be familiar with alert monitoring (SIEM alerts, IDS alerts, endpoint detection and response, etc.), event analysis, log analysis, malware investigation and related processes. Knowledge of networking concepts and the TCP/IP model is a strong plus. A few basic concepts for SOC analysts and incident responders:
Event Analysis
Windows event analysis is a good place to start an investigation before turning to a SIEM, IDS/IPS alerts or endpoint tooling: it gives you a picture of what happened on the machine itself. Let us start with one illustration.
To view and analyze Windows event IDs, search for Event Viewer in the Start menu, or open a command prompt and run eventvwr.
There are thousands of event IDs; a handful are enough for a basic investigation:
Examples :
Logon and logoff
Event ID = 4624 - Successful logon
Event ID = 4625 - Failed logon
Account management
Event ID = 4740 - User account locked out.
Object access
Event ID = 4663 - Attempt made to access object
The Windows Security Log has been called "your best and last defense," and rightly so. It helps detect potential security problems, provides user accountability and serves as evidence after a breach.
One real-world use case of an event-ID-driven investigation:
Walk through the sequence below to see how an attacker breaches the network and then establishes persistence.
Time       Event ID   Action
11:00:00   4624       Attacker logs on over the network (logon type 3)
11:00:02   4672       Special privileges assigned to the new logon (the account holds admin-level rights)
11:00:15   5140       A network share object was accessed (attacker starts mounting shares)
Before the next part of the sequence, a note on persistence. An advanced persistent threat (APT), also called an APT attack, is one in which an attacker gains entry to an environment and is able to maintain access long term. One common way to persist is to create a scheduled task, which runs at a set time (for example Friday 9:00 PM) or in response to an event. The Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational) records the task's life cycle:
Time       Event ID   Action
11:01:00   106        Task registered (scheduled)
11:02:05   200        Action started (shows which executable or script the task launched)
11:05:12   201        Action completed
11:05:14   141        Task registration deleted (attacker cleans up after itself)
For more detail, go through each event ID and the task details to complete the investigation.
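The chain in the two tables can be turned into a detection. The script below is an added example, not part of the original notes: it takes flat event records (the field names time, event_id, user, logon_type and task are an assumption, not the raw EVTX schema; the records themselves are constructed to mirror the tables) and reports a user whose events complete the whole chain, in order, inside a time window. Task Scheduler events 200 and 201 carry a task name but no user, so the code ties them back through the 106 event that registered the task.

```python
"""Correlate the scheduled-task persistence chain above out of event records.

Added example (not from the original notes).  The records below are
constructed to mirror the two tables; the flat field names (time, event_id,
user, logon_type, task, ...) are an assumption, not the raw EVTX schema.
"""
from datetime import datetime, timedelta

# Constructed sample: Security log (4624/4672/5140) plus Task Scheduler
# operational log (106/200/201/141).  Times are HH:MM:SS on one day.
SAMPLE_EVENTS = [
    {"time": "11:00:00", "event_id": 4624, "user": "svc_backup", "logon_type": 3},
    {"time": "11:00:02", "event_id": 4672, "user": "svc_backup"},
    {"time": "11:00:15", "event_id": 5140, "user": "svc_backup", "share": r"\\FS01\ADMIN$"},
    {"time": "11:01:00", "event_id": 106,  "user": "svc_backup", "task": r"\Updater"},
    {"time": "11:02:05", "event_id": 200,  "task": r"\Updater", "action": "powershell.exe"},
    {"time": "11:05:12", "event_id": 201,  "task": r"\Updater"},
    {"time": "11:05:14", "event_id": 141,  "user": "svc_backup", "task": r"\Updater"},
    # benign noise: an interactive logon with no follow-on activity
    {"time": "11:03:00", "event_id": 4624, "user": "alice", "logon_type": 2},
]

# Expected order: network logon -> privileged logon -> share access ->
# task registered -> action started -> action completed -> task deleted.
CHAIN = [4624, 4672, 5140, 106, 200, 201, 141]


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def find_persistence_chains(events, window_minutes=10):
    """Return one finding per user whose events complete CHAIN, in order,
    within `window_minutes` of the initial logon.

    Task Scheduler events 200/201 carry a task name but no user, so they are
    tied back to a user through the 106 event that registered the task.
    """
    window = timedelta(minutes=window_minutes)
    task_owner = {}   # task name -> user who registered it (from event 106)
    progress = {}     # user -> (next index into CHAIN, chain start, evidence)
    findings = []
    for ev in sorted(events, key=lambda e: _t(e["time"])):
        user = ev.get("user") or task_owner.get(ev.get("task"))
        if user is None:
            continue
        if ev["event_id"] == 106:
            task_owner[ev["task"]] = user
        idx, start, evidence = progress.get(user, (0, None, []))
        if ev["event_id"] == 4624:
            idx, start, evidence = 0, _t(ev["time"]), []   # a new logon restarts the chain
        if (start is not None and idx < len(CHAIN) and ev["event_id"] == CHAIN[idx]
                and _t(ev["time"]) - start <= window):
            evidence = evidence + [ev]
            idx += 1
        progress[user] = (idx, start, evidence)
        if idx == len(CHAIN):
            findings.append({
                "user": user,
                "start": evidence[0]["time"],
                "end": ev["time"],
                "task": ev.get("task"),
                "events": [e["event_id"] for e in evidence],
            })
            progress[user] = (0, None, [])
    return findings


if __name__ == "__main__":
    for f in find_persistence_chains(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['start']} -> {f['end']} task={f['task']} events={f['events']}")
```

With the sample records the script reports one chain for svc_backup from 11:00:00 to 11:05:14; shrinking the window to three minutes makes the chain stall at event 200 and nothing is reported, which is the knob to tune against your own noise.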
Log Analysis
Log analysis can be done in different ways: in a SIEM (for example Splunk or LogRhythm), or by forwarding logs from the SIEM or directly from the sources to an open-source stack such as ELK. Log analysis is a core skill for SOC analysts and incident response teams.
a) A log is a stream of time-sequenced messages that record events as they occur.
b) Log analysis is the process of making sense of the records captured in the logs.
c) Types of logs :
Application logs
Firewall logs
Intrusion logs
Security logs
System logs
d) The cost of log analysis with free versus paid tools comes down to time versus money: a paid tool usually gives more insight out of the box than a free one. The right choice depends on the organization's needs.
Why is log analysis important?
Logs are important as they are used for :
Compliance
Detection of Unwanted activity
Identifying behavioral pattern
Forensic Investigation
Improved resource usage
Cyber security Incident response
Log analysis supports the Zero trust model
Illustration of how log analysis looks in a SIEM (Splunk or ELK stack):
Splunk - use the search language (SPL) to perform analysis
ELK Stack (Elasticsearch, Logstash and Kibana) - Kibana is the interface used to query and visualize the logs
Now let us discuss how to set up a good SOC process for analysis:
It depends on what SIEM and other tooling your organization has. A next-generation SIEM (for example LogRhythm) is recommended because it bundles several capabilities: SOAR, NDR (network detection and response), UEBA and so on. Other SIEM solutions can be used for the same purpose.
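What "making sense of the records" means in practice is normalizing different log formats into one schema and then aggregating over it, which is what a `stats count by src` search in Splunk or a terms aggregation in Kibana does. The script below is an added example, not from the original notes: the firewall and web server lines are constructed, and the common schema (ts, source, src, dst, action, detail) and the SQL-injection markers are assumptions chosen for the demo.

```python
"""Normalize two log formats into one schema and run a SIEM-style aggregation.

Added example, not part of the original notes.  The sample lines are
constructed; the field names of the common schema (ts, source, src, dst,
action, detail) are an assumption.  `stats_count_by` mirrors a Splunk
`stats count by src` or a Kibana terms aggregation.
"""
import re
from collections import Counter

# Constructed firewall log lines (key=value style)
FIREWALL_LINES = [
    "Mar 14 11:00:01 fw01 action=deny src=203.0.113.9 dst=10.0.0.5 dport=445 proto=tcp",
    "Mar 14 11:00:02 fw01 action=deny src=203.0.113.9 dst=10.0.0.6 dport=445 proto=tcp",
    "Mar 14 11:00:03 fw01 action=allow src=10.0.0.7 dst=198.51.100.2 dport=443 proto=tcp",
]
# Constructed web server access log lines (Apache/nginx combined-like)
WEB_LINES = [
    "203.0.113.9 - - [14/Mar/2024:11:00:05 +0000] \"GET /login.php?user=admin' OR 1=1-- HTTP/1.1\" 200 512",
    "10.0.0.7 - - [14/Mar/2024:11:00:06 +0000] \"GET /index.html HTTP/1.1\" 200 1043",
]

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>.+?) HTTP/[\d.]+" '
    r"(?P<status>\d+) (?P<size>\d+)"
)


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "source": "firewall", "src": m["src"], "dst": m["dst"],
            "action": m["action"], "detail": f"dport={m['dport']}"}


def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "source": "web", "src": m["src"], "dst": "webserver",
            "action": m["status"], "detail": f"{m['method']} {m['path']}"}


def normalize(firewall_lines, web_lines):
    """One record schema for both sources; unparsable lines are dropped, not crashed on."""
    records = [parse_firewall(l) for l in firewall_lines] + [parse_web(l) for l in web_lines]
    return [r for r in records if r is not None]


def stats_count_by(records, field):
    """Equivalent of `... | stats count by <field>` in Splunk."""
    return Counter(r[field] for r in records)


# Crude markers; a real detection would use a tuned rule set or a WAF signature.
SQLI_MARKERS = ("'", " or 1=1", "--", "union select")


def suspicious_sources(records, deny_threshold=2):
    """Sources denied by the firewall at least `deny_threshold` times, or that
    sent a web request containing a common SQL-injection marker."""
    denies = Counter(r["src"] for r in records
                     if r["source"] == "firewall" and r["action"] == "deny")
    flagged = {src for src, n in denies.items() if n >= deny_threshold}
    for r in records:
        if r["source"] == "web" and any(m in r["detail"].lower() for m in SQLI_MARKERS):
            flagged.add(r["src"])
    return flagged


if __name__ == "__main__":
    recs = normalize(FIREWALL_LINES, WEB_LINES)
    print(stats_count_by(recs, "src"))
    print("suspicious:", suspicious_sources(recs))
```

Because both sources share the src field after normalization, the same address (203.0.113.9) shows up once as a scanner in the firewall log and once as an injection attempt in the web log, which is the cross-source pivot a SIEM is for.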
SOAR (security orchestration, automation and response) :
(a) SOAR helps security teams integrate their tools through APIs, so the SOC can coordinate its work with playbooks.
(b) Automates repetitive and manual tasks
(c) Optimizes the incident response process, which reduces mean time to detect (MTTD) and mean time to respond (MTTR)
Examples: Splunk Phantom (now Splunk SOAR), and LogRhythm's SOAR capabilities (for example PIE, the Phishing Intelligence Engine)
A SOC analyst or incident responder should be aware of:
Network Security and TCP/IP Model :
Network Security
Cybersecurity is a subset of information security that deals with protecting an organization's internet-connected systems from cyberattacks; network security is in turn a subset of cybersecurity, focused on protecting the organization's IT infrastructure from online threats.
TCP and IP are different protocols in the suite. The basic difference between TCP (Transmission Control Protocol) and IP (Internet Protocol) is their role in transmitting data: in simple terms, IP addresses and routes the packets to the destination, while TCP provides a reliable, ordered byte stream on top of it (it sends, acknowledges and reassembles). UDP (User Datagram Protocol) is another transport protocol: like TCP it runs over IP, but it is connectionless and does not guarantee delivery or ordering.
Other common internet protocols:
The TCP/IP model covers many internet protocols, which define how data is addressed and sent over the internet. Common internet protocols include HTTP, FTP, and SMTP, and all three are often used in conjunction with the TCP/IP model.
HTTP (Hypertext Transfer Protocol) governs the workings of web browsers and website.
FTP (File Transfer Protocol) defines how files are sent over a network.
SMTP (Simple Mail Transfer Protocol) is used to send and relay email between mail servers (clients retrieve mail with POP3 or IMAP).
ICMP (Internet Control Message Protocol) and ARP (Address Resolution Protocol) are both networking protocols, but they serve different purposes and operate at different layers of the OSI model:
ICMP is primarily used for network management and error reporting within IP networks.
Example: it provides feedback about network conditions, such as unreachable hosts or expired TTLs, through messages like Echo Request/Reply, Destination Unreachable and Time Exceeded; the ping and traceroute tools are built on these messages. ICMP operates at the network layer (Layer 3) and is an integral part of the IP protocol suite.
ARP is used for mapping an IP address to a physical MAC (Media Access Control) address on a local network segment.
It helps devices on the same local network discover each other's MAC addresses to facilitate data frame forwarding within the same network. ARP operates at the data link layer (Layer 2) and is essential for Ethernet and similar technologies.
What is DHCP?
A DHCP server is a network server that automatically assigns IP addresses, default gateways and other network parameters to client devices. It uses the Dynamic Host Configuration Protocol (DHCP) to respond to broadcast queries from clients.
DHCPv4 uses UDP port 67 on the server side and UDP port 68 on the client side (DHCPv6 uses 547 on the server and 546 on the client).
How does a detection rule work? Watch incoming and outgoing UDP traffic on the DHCP ports (both DHCPv4 and DHCPv6, to cover IPv4 and IPv6). The rule tracks the source (X), which for server replies must be on port 67, and the target (Y); when the pair does not match what is expected, it raises an alert. In practice the case worth alerting on is a DHCP reply (OFFER or ACK) from a source that is not the authorized DHCP server, i.e. a rogue DHCP server on the network.
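The rule is easier to see against real message bytes. The script below is an added example, not from the original notes: it builds DHCPv4 messages in memory (RFC 2131 layout, 236-byte fixed header, magic cookie, TLV options), parses them back, and applies the rule that a server-side reply must come from the allow-listed server. The AUTHORIZED_DHCP_SERVERS set and the three sample packets are constructed for the demo; DHCPv6 is not parsed.

```python
"""Parse DHCPv4 messages and flag replies from an unauthorised server.

Added example, not from the original notes.  AUTHORIZED_DHCP_SERVERS and the
sample packets are constructed for the demo.  Only DHCPv4 (ports 67/68) is
parsed; a DHCPv6 rule would watch UDP 546/547 with a different message format.
"""
import socket
import struct

AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}          # assumption: the one real DHCP server
DHCP_MAGIC = b"\x63\x82\x53\x63"                # RFC 2131 magic cookie before options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0", server_id=None,
               chaddr=b"\xaa\xbb\xcc\xdd\xee\xff"):
    """Build a minimal DHCPv4 message (236-byte fixed header + cookie + options)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])                           # option 53: message type
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)  # option 54: server identifier
    return fixed + DHCP_MAGIC + options + b"\xff"                # option 255: end


def parse_dhcp(payload):
    """Return the fields an analyst cares about from a DHCPv4 UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCPv4 message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = socket.inet_ntoa(payload[16:20])       # address being offered/assigned
    chaddr = payload[28:28 + hlen].hex(":")         # client hardware (MAC) address
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options until END
        if payload[i] == 0:                         # PAD option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\0")[0]
    server_id = socket.inet_ntoa(options[54]) if 54 in options else None
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr,
            "type": MSG_TYPES.get(msg_type, msg_type), "server_id": server_id}


def check_dhcp_packet(src_ip, src_port, dst_port, payload):
    """The rule: a server-side reply (sport 67, op=2 BOOTREPLY) must come from
    an authorised server; any other reply on port 67 is a rogue-DHCP alert.
    Returns an alert string, or None for client traffic / legitimate replies."""
    if 67 not in (src_port, dst_port):
        return None                                  # not DHCPv4 server traffic
    msg = parse_dhcp(payload)
    if src_port == 67 and msg["op"] == 2 and msg["type"] in ("OFFER", "ACK", "NAK"):
        if src_ip not in AUTHORIZED_DHCP_SERVERS:
            return (f"rogue DHCP {msg['type']} from {src_ip} (server-id {msg['server_id']}) "
                    f"offering {msg['yiaddr']} to {msg['chaddr']}")
    return None


def sample_packets():
    """Constructed (src_ip, src_port, dst_port, payload) tuples, as a sensor
    would hand them to the rule: a client DISCOVER, a legitimate OFFER and a
    rogue OFFER racing it for the same transaction id."""
    return [
        ("0.0.0.0", 68, 67, build_dhcp(1, 0x1234, 1)),
        ("10.0.0.1", 67, 68, build_dhcp(2, 0x1234, 2, "10.0.0.50", "10.0.0.1")),
        ("10.0.0.250", 67, 68, build_dhcp(2, 0x1234, 2, "10.0.0.200", "10.0.0.250")),
    ]


if __name__ == "__main__":
    for pkt in sample_packets():
        print(check_dhcp_packet(*pkt))
```

Only the third packet produces an alert; the client DISCOVER and the OFFER from 10.0.0.1 are passed silently. Keying the rule on source port 67 plus op=2 matters: a client REQUEST is also sent to port 67, and alerting on destination port alone would fire on every lease renewal.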
What is malware? (Malicious + Software = Malware)
Malware is software intentionally designed to cause damage to, or gain unauthorized access to, a computer, network, server or client. Typical effects:
Slow down your system
Creating annoying pop-ups
Install Other application
Steal sensitive data
Delete/Encrypt files
Stop services and shutdown systems
Common infection vectors:
External storage device
Direct access to the target computer
Phishing
Attachment
Drive-by download
Malvertising
APT malware
Specific target (chosen through reconnaissance)
Uses zero-day vulnerabilities and exploits
Very sophisticated skills
Commodity malware
No specific target
e.g. WannaCry
Well-known vulnerabilities / average skills
Different types of malware
Virus
Trojan
Worm
Ransomware
Spyware
Adware
Botnets
Rootkits
Keylogger
Scareware
Malware is any software used to gain unauthorized access to IT systems in order to steal data, disrupt system services or damage IT networks in any way. Ransomware is a type of malware identified by specified data or systems being held captive by attackers until a form of payment or ransom is provided.
One of the most common executable file formats on Windows is PE.
PE stands for Portable Executable.
All .exe and .dll files are PE files.
It contains the information the operating system needs to load and run the executable.
The PE file format consists of the DOS header, DOS stub, PE header (signature, COFF file header and optional header), section table and the sections themselves.
Obfuscation techniques
Obfuscation makes a program harder to understand and analyze.
A few components of it:
Packers
Polymorphic and metamorphic malware
Dead-code insertion
Subroutine reordering
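The PE layout and the packer point can be demonstrated together. The script below is an added example, not from the original notes: it walks DOS header, e_lfanew, PE signature, COFF header, optional header and section table (the chain the Windows loader follows), then applies three common packer heuristics: well-known packer section names, a section with virtual size but no data on disk (the unpacking target), and an entry point in a high-entropy, non-first section. The two PE images are constructed in memory and are not runnable programs; the section-name list and the 7.0-bits entropy threshold are analyst conventions, not rules from the page.

```python
"""Parse PE headers and look for packer indicators.

Added example, not from the original notes.  The two PE images are
constructed in memory (they are not runnable programs); the packer section
names and the 7.0-bits entropy threshold are common heuristics, not rules
from the page.
"""
import math
import random
import struct
from collections import Counter

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite", ".themida", ".vmp0", ".vmp1"}


def parse_pe(data):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]          # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]     # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": timestamp,
            "pe32plus": magic == 0x20B, "characteristics": characteristics,
            "entry_point": entry, "sections": sections}


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def packer_indicators(data):
    pe = parse_pe(data)
    hints = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"well-known packer section name {s['name']}")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hints.append(f"{s['name']} has no data on disk but {s['vsize']:#x} bytes in memory (unpack target)")
    for i, s in enumerate(pe["sections"]):
        if s["vaddr"] <= pe["entry_point"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            if i != 0:
                hints.append(f"entry point {pe['entry_point']:#x} is in section {i} ({s['name']}), not the first")
            if entropy(data[s["rawptr"]:s["rawptr"] + s["rawsize"]]) > 7.0:
                hints.append(f"entry section {s['name']} is high-entropy (packed/encrypted)")
            break
    return hints


def _section_header(name, vaddr, vsize, rawptr, rawsize, chars):
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe(packed):
    """Constructed 32-bit PE image: either a UPX-style layout or a plain one."""
    rng = random.Random(1)
    if packed:
        body = bytes(rng.getrandbits(8) for _ in range(4096))          # looks compressed
        secs = [(b"UPX0", 0x1000, 0x8000, 0, 0, 0xE0000080),
                (b"UPX1", 0x9000, 0x1000, 0x200, len(body), 0xE0000040)]
        entry, raw = 0x9100, body
    else:
        text = b"\x55\x8b\xec\x90" * 1024                                # low-entropy "code"
        data = b"A" * 512
        secs = [(b".text", 0x1000, 0x1000, 0x200, len(text), 0x60000020),
                (b".data", 0x2000, 0x200, 0x200 + len(text), len(data), 0xC0000040)]
        entry, raw = 0x1100, text + data
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry)).ljust(224, b"\0")
    headers = dos + b"PE\0\0" + coff + opt + b"".join(_section_header(*s) for s in secs)
    return headers.ljust(0x200, b"\0") + raw


if __name__ == "__main__":
    for label, img in (("plain", build_sample_pe(False)), ("packed", build_sample_pe(True))):
        pe = parse_pe(img)
        print(label, pe["machine"], [s["name"] for s in pe["sections"]], packer_indicators(img))
```

The plain image yields no hints; the UPX-style image yields five. On a real sample the same checks are what a triage tool reports before you decide whether to unpack dynamically or hand the file to a sandbox.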
Practical example of packet capture for malware analysis using Wireshark
o Open Wireshark
o Select the interface(s) you want to capture from
o Click Capture options
o Two file formats are available for captures: pcap and pcapng
o Save the file somewhere; it is good practice to store capture data on a drive other than the system (C:) drive
o Other options include splitting the capture into files of a fixed size (for example 64 MB each) or using a ring buffer
o Here the data is collected as a complete dump in pcap format
o The file can be used later for further analysis
Wireshark - malware traffic analysis
Start by collecting all the IOCs (indicators of compromise) listed below:
IP Address
Domain Name
User Agent
Host Name
File Hashes (SHA)
Specific Pattern
Open the capture file in Wireshark
Arrange the Wireshark panes to make analysis easier
Go to Statistics > Protocol Hierarchy and look at IPv4 (UDP and TCP)
UDP mostly carries machine-level traffic (e.g. DHCP, DNS)
TCP carries the application traffic of interest (HTTP)
From the HTTP requests, export the transferred files (File > Export Objects > HTTP)
The exported files could be .jar, .exe, .swf or similar
Use a tool to compute the file hashes (Hash Tool is one option)
Look those hashes up in VirusTotal (a free service) to find out whether the file is known to be malicious
Return to Wireshark with the hash as your pivot and search out the remaining details
Find the IP address and host name of the session that delivered each flagged file
Collect all the IOCs and map them to the internal IP and MAC address to identify which machine is affected
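The same pivot can be scripted once you have the pcap. The script below is an added example, not from the original notes: it builds a small classic-format pcap in memory (one HTTP request and one single-segment response carrying a fake executable; the addresses, host name and file are constructed), parses the Ethernet/IPv4/TCP headers by hand, and collects the IOC types listed above: server IP, Host header, User-Agent, URL and the SHA-256 of the transferred body. It does no TCP reassembly, so a file split across segments still needs Wireshark's Export Objects or a reassembler.

```python
"""Carve HTTP indicators (IPs, hosts, user agents, URLs, file hashes) out of a pcap.

Added example, not from the original notes: it does by hand what the
Wireshark steps above do with Protocol Hierarchy and Export Objects.  The
capture is constructed in memory (one request, one single-segment response);
the host name and addresses are made up.  No TCP reassembly is done, so a
file split across segments would need Wireshark (or a reassembler) instead.
"""
import hashlib
import socket
import struct

SAMPLE_BODY = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."   # fake .exe


def _frame(src, dst, sport, dport, payload):
    """Ethernet II / IPv4 / TCP frame with zeroed checksums (parsers do not verify)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def build_pcap(frames):
    """Classic libpcap format: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def sample_capture():
    req = (b"GET /update/installer.exe HTTP/1.1\r\nHost: cdn.example.test\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
    return build_pcap([_frame("10.0.0.7", "203.0.113.9", 49152, 80, req),
                       _frame("203.0.113.9", "10.0.0.7", 80, 49152, resp)])


def iter_packets(pcap):
    endian = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return addressing and TCP payload for IPv4/TCP frames, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto, total = (ip[0] & 0x0F) * 4, ip[9], struct.unpack_from("!H", ip, 2)[0]
    if proto != 6:
        return None
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extract_iocs(pcap):
    iocs = {"ips": set(), "hosts": set(), "user_agents": set(), "urls": set(), "file_hashes": {}}
    pending = {}   # (server, sport, client, cport) -> URL, pairs a response with its request
    for frame in iter_packets(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        head, _, body = p["payload"].partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        if lines[0].startswith((b"GET ", b"POST ")):
            path = lines[0].split(b" ")[1].decode()
            hdrs = {k.strip().lower(): v.strip() for k, v in
                    (l.split(b":", 1) for l in lines[1:] if b":" in l)}
            host = hdrs.get(b"host", p["dst"].encode()).decode()
            url = f"http://{host}{path}"
            iocs["ips"].add(p["dst"])
            iocs["hosts"].add(host)
            iocs["urls"].add(url)
            if b"user-agent" in hdrs:
                iocs["user_agents"].add(hdrs[b"user-agent"].decode())
            pending[(p["dst"], p["dport"], p["src"], p["sport"])] = url
        elif lines[0].startswith(b"HTTP/1.") and body:
            url = pending.get((p["src"], p["sport"], p["dst"], p["dport"]))
            if url:
                iocs["file_hashes"][url] = sha256_hex(body)   # the hash to look up in VirusTotal
    return iocs


if __name__ == "__main__":
    for kind, value in extract_iocs(sample_capture()).items():
        print(kind, value)
```

The output maps each carved file to the URL that delivered it, and the request side of the same 4-tuple gives you the internal client address (10.0.0.7 here) to pair with the MAC in the Ethernet header when identifying the affected machine.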
Most Common Types Of Cyber Attacks
Ransomware
Phishing
SQL Injection
DoS and DDoS Attacks
Cross-Site Scripting (XSS)
Man-in-the-Middle (MitM)
Cryptojacking
Password Attack
Insider Threat
DNS Tunneling
Ransomware
Ransomware is malware that encrypts a victim’s computer files, making them inaccessible, and demands a ransom be paid to restore access. This type of attack is usually carried out using a Trojan that masquerades as a legitimate file or program to trick the victim into downloading and executing it. Once executed, the ransomware encrypts files on the local computer and any connected network drives. The victim is then presented with a ransom demand, which typically requests payment in Bitcoin or another cryptocurrency.
Best practices that can help prevent ransomware attacks:
Backup data regularly and keep backups offline. Then, in the event of an attack, backups can be used to restore encrypted files.
Educate employees about avoiding suspicious emails and links.
Use reputable security software, and keep it up to date.
Restrict user permissions. Users should only have access to the data and systems they need to do their jobs.
Phishing
Phishing is a social engineering attack that tricks victims into revealing sensitive information, such as login credentials or credit card numbers. Phishing attacks are typically carried out using email or instant messages. The attacker will send an email or message that appears to be from a legitimate source, such as a bank or website. The message will often include a link to a fake website that looks legitimate. When the victim enters their login credentials or other sensitive information, the attacker can use it to access accounts or commit fraud.
Organizations can protect themselves from phishing attacks by implementing security awareness training for employees. This type of training teaches employees how to spot phishing emails and what to do if they receive one. Additionally, organizations can use email filtering to block phishing emails from reaching employees.
SQL Injection
SQL injection is an attack that allows attackers to execute malicious SQL queries against a database. The attacker inserts SQL syntax into an input field, such as a login form, which the database then executes as part of the application's query. This can allow the attacker to read sensitive data, such as customer records or credit card numbers, modify data in the database or delete it entirely.
Organizations can protect themselves from SQL injection attacks by using parameterized queries. A parameterized query keeps the SQL text fixed and binds user input as data, so the input can never change the structure of the statement. Additionally, organizations can use web application firewalls (WAFs) to detect and block SQL injection attempts.
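The difference between the two query styles is concrete. The script below is an added example, not from the original notes: it runs the same login check twice against an in-memory SQLite table, once with string concatenation and once with bound parameters, using two classic payloads (a comment that cuts off the password check, and a tautology that makes the WHERE clause always true). The users table and credentials are constructed; passwords are kept in clear only so the query logic stays visible.

```python
"""The same login query written unsafely and with parameters, run against SQLite.

Added example, not from the original notes.  The in-memory users table and
the credentials are constructed; passwords are stored in clear only to keep
the query logic visible (a real application stores password hashes).
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("admin", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Input is pasted into the SQL text, so a quote in the input ends the
    string literal and whatever follows is parsed as SQL."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised: the SQL text is fixed, the inputs are bound as values and
    can never change the structure of the statement."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads: comment out the password check, or make the WHERE
# clause always true.
PAYLOAD_COMMENT = "admin' --"
PAYLOAD_TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, PAYLOAD_COMMENT, "anything"))
    print("vulnerable, tautology       :", login_vulnerable(db, "x", PAYLOAD_TAUTOLOGY))
    print("safe, comment payload       :", login_safe(db, PAYLOAD_COMMENT, "anything"))
    print("safe, real credentials      :", login_safe(db, "alice", "s3cret"))
```

With the comment payload the vulnerable query becomes `... WHERE username = 'admin' --' AND password = 'anything'`, so the password check is never evaluated and admin is returned; the parameterized version looks for a user literally named `admin' --` and finds nothing. A WAF would see the same quote-and-comment pattern in the request, which is why the two controls complement each other.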
DoS and DDoS Attacks
A denial-of-service (DoS) attack is an attack that prevents users from accessing a system or service. A distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from multiple sources. DoS and DDoS attacks are typically carried out by flooding the target system with traffic, overwhelming it, and preventing legitimate users from accessing it. These types of attacks can be carried out using botnets and networks of infected computers that an attacker can control.
Organizations can protect themselves from DoS and DDoS attacks by implementing rate-limiting. This type of protection limits the amount of traffic sent to a system, making it more difficult for attackers to overwhelm it. Additionally, organizations can use firewalls and intrusion detection/prevention systems (IDS/IPS) to block malicious traffic.
Malware
Malware is a type of malicious software that can be used to damage or disable computers, networks, and systems. For example, malware can steal sensitive data, such as login credentials or credit card numbers. Additionally, malware can be used to hijack computers and use them to carry out attacks, such as DDoS attacks. There are many different types of malware, including viruses, worms, Trojans, and rootkits.
Organizations can protect themselves from malware attacks by using security software, such as antivirus and anti-malware programs. These programs can detect and remove malware from computers and networks. Additionally, organizations should keep their operating systems and software up-to-date, as this can help prevent malware from being able to exploit vulnerabilities.
Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack is a type of attack where the attacker intercepts communication between two parties. The attacker can then eavesdrop on the conversation or even modify the exchanged data. MITM attacks can be carried out using various methods, such as ARP spoofing and DNS poisoning.
Organizations can protect themselves from MITM attacks by using encryption. This type of protection makes it more difficult for attackers to eavesdrop on communications. Additionally, organizations can use firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block MITM attacks.
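ARP spoofing is the MITM method an IDS can actually see on the wire, and the check is simple: a LAN host should not change its MAC address, and one MAC should not claim several IPs. The script below is an added example, not from the original notes: it runs both checks over ARP reply records as a sensor would log them (the records and their fields t, ip and mac are constructed; the optional `known` allow-list of static IP-to-MAC bindings is an assumption).

```python
"""Detect ARP spoofing from a stream of ARP reply records.

Added example, not from the original notes.  Records are constructed; the
fields (t, ip, mac) and the optional static allow-list are assumptions.
"""
from collections import defaultdict

# Constructed ARP replies as a passive sensor would log them, in time order.
SAMPLE_ARP = [
    {"t": 1, "ip": "10.0.0.1", "mac": "00:11:22:33:44:01"},   # gateway, legitimate
    {"t": 2, "ip": "10.0.0.5", "mac": "00:11:22:33:44:05"},
    {"t": 3, "ip": "10.0.0.1", "mac": "00:11:22:33:44:01"},
    {"t": 4, "ip": "10.0.0.1", "mac": "de:ad:be:ef:00:99"},   # attacker claims the gateway IP
    {"t": 5, "ip": "10.0.0.6", "mac": "de:ad:be:ef:00:99"},   # same MAC also claims another IP
]


def detect_arp_spoofing(records, known=None):
    """Two checks: (1) an IP whose MAC changes (ip_mac_change), which is the
    poisoning itself; (2) one MAC answering for several IPs (mac_multiple_ips),
    the attacker impersonating both ends.  `known` seeds the table with static
    bindings so the very first forged reply for a known host is caught too."""
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for r in sorted(records, key=lambda r: r["t"]):
        prev = ip_to_mac.get(r["ip"])
        if prev is not None and prev != r["mac"]:
            alerts.append({"t": r["t"], "type": "ip_mac_change", "ip": r["ip"],
                           "old": prev, "new": r["mac"]})
        ip_to_mac[r["ip"]] = r["mac"]
        mac_to_ips[r["mac"]].add(r["ip"])
        if len(mac_to_ips[r["mac"]]) > 1:
            alerts.append({"t": r["t"], "type": "mac_multiple_ips", "mac": r["mac"],
                           "ips": sorted(mac_to_ips[r["mac"]])})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_ARP):
        print(a)
```

The first alert fires at t=4 when the gateway IP flips to the attacker's MAC; the second at t=5 when that MAC claims a second address. On a real network, legitimate causes of the first alert (a replaced NIC, a failover pair) are rare and known in advance, so a static allow-list for gateways and servers keeps the rule quiet.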
Password Attacks (Brute Force Attacks)
A password attack is a type of attack that attempts to guess or brute force a password. Password guessing can be done using common passwords, such as "password" or "123456". Additionally, attackers can use brute force methods to try every possible combination of characters until the correct password is guessed. Password attacks can also be carried out using phishing emails or malware.
Organizations can protect themselves from password attacks by implementing strong password policies. These policies should require employees to use complex passwords that are not easily guessed. Additionally, organizations can use two-factor authentication (2FA), which requires a second form of verification, such as a one-time code, in addition to the password.
Insider Threats
An insider threat is a type of attack that comes from within an organization. Insider threats can be carried out by malicious insiders, such as disgruntled employees, or by careless insiders, such as employees who accidentally leak data. Insider threats can be difficult to detect and prevent because the attackers already have access to the organization's systems and data.
Organizations can protect themselves from insider threats by using security software, such as activity monitoring and data loss prevention (DLP) programs. These programs can help organizations detect and prevent malicious or accidental data leaks. Additionally, organizations should provide employees with security training to educate them on proper security procedures.