CFSS Internship Soc Analyst

The document discusses key concepts related to cybersecurity including firewalls, social media security, reporting risks, managing incidents, choosing between open source and licensed software, data classification levels, and common HTTP response codes.

Uploaded by rohithvel

CFSS Cyber & Forensics Security Solutions

CFSS

CFSS SOC ANALYST PROJECT

*Theory

1. What is the purpose of a firewall?

A firewall serves as a security barrier between your computer network and the outside world, usually the internet. It monitors incoming and outgoing traffic, letting only safe data through while blocking potentially hazardous content. To put it simply, it acts as a network security guard by filtering traffic.

Here are some key things a firewall does:

● Controls traffic flow: It determines whether data can enter or exit your network based on a set of criteria (rules).
● Blocks malicious traffic: It prevents viruses, malware, and other risks from entering your devices.
● Protects privacy: It prevents unauthorised access to your network and data.
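As an added illustration (not code from the original document), the following Python packet filter shows how the "set of criteria" works in practice: rules are evaluated top-down, the first match decides, and anything not explicitly allowed is dropped (default deny). The network ranges, ports and rule set are constructed for the example and are not taken from any real policy.

```python
# Added example: a minimal stateless packet filter with first-match rules
# and a default-deny policy. The addresses, ports and rules are constructed
# for illustration and are not taken from the original document.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    dport: int        # destination port
    proto: str        # "tcp" or "udp"
    direction: str    # "in" (arriving from the internet) or "out" (leaving)


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None      # CIDR such as "10.0.0.0/8"; None matches any
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must agree with the packet."""
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return True


# Hypothetical policy for an internal network 10.0.0.0/8 (constructed):
# block a known-bad range first, then allow only the services we need.
RULES: List[Rule] = [
    Rule("deny", src="203.0.113.0/24"),                                        # blocklisted source range
    Rule("allow", direction="in", dst="10.0.0.0/8", dport=443, proto="tcp"),   # inbound HTTPS to us
    Rule("allow", direction="out", src="10.0.0.0/8", dport=443, proto="tcp"),  # outbound HTTPS
    Rule("allow", direction="out", src="10.0.0.0/8", dport=53, proto="udp"),   # outbound DNS
    # No catch-all "allow": anything that reaches the end of the list is denied.
]


def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for a packet; the first matching rule wins."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny


def filter_packets(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Decide a whole list of packets; handy for checking a policy against samples."""
    return [decide(p, rules) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.1.2.3", 443, "tcp", "in"),   # web client -> our HTTPS
        Packet("198.51.100.7", "10.1.2.3", 22, "tcp", "in"),    # inbound SSH: not allowed
        Packet("203.0.113.9", "10.1.2.3", 443, "tcp", "in"),    # blocklisted range: denied first
        Packet("10.1.2.3", "198.51.100.7", 53, "udp", "out"),   # our DNS lookup: allowed
    ]
    for pkt, verdict in zip(samples, filter_packets(samples)):
        print(f"{verdict:5s} {pkt.direction:3s} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

The order of the rules matters: the blocklist entry sits first so that a blocklisted source can never be let in by a later, more general allow rule, and the absence of a final "allow anything" rule is what makes the policy default deny.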

2. Is social media secure?

The security of social media platforms varies depending on a number of factors, including the platform's security mechanisms, user behaviour, and external threats. Encryption, authentication methods, and frequent security upgrades are some of the measures that social media platforms use to secure user data and privacy.

Despite these precautions, social media networks may still be vulnerable to security breaches, hacking attempts, and data leaks. Users might also unintentionally jeopardise their own security by using weak passwords, disclosing sensitive information publicly, or falling prey to phishing attacks.

Users must take steps to improve their social media security, such as adopting strong, unique passwords, enabling two-factor authentication, exercising caution when sharing information online, and staying up to date on security best practices.

Overall, while social media networks strive for security, users play an important role in protecting their personal data and privacy.

3. How do you report risks?

Reporting cybersecurity risks involves a systematic process of finding, assessing, and communicating potential threats or vulnerabilities to key stakeholders. Here's an organised approach to reporting cybersecurity risks:

● Identify the Risk: Begin by determining the exact cybersecurity threat or vulnerability. This could involve malware infections, data breaches, phishing attacks, software flaws, or insider threats.
● Assess Impact: Determine the probable impact of the risk on the organisation, its assets, and activities. Consider the severity of the danger, the likelihood of exploitation, and the possible consequences of a successful attack.
● Gather Evidence: Collect evidence to support your risk assessment. This could include logs, system alarms, network traffic analysis, vulnerability scan results, or other forensic information.
● Determine Root Causes: Look into the reasons behind the danger that has been found in order to learn how it came to be and why the security measures in place haven't been able to stop it. This may require analysing system configurations, security measures, user behaviour, or organisational procedures.
● Recommend Remediation: Make suggestions for reducing or taking care of the danger that has been identified. This could be dedicating funds for cybersecurity projects, improving security rules and processes, putting in place technical controls, or training users.
● Effective Communication: Make sure all pertinent stakeholders are aware of the risk that has been discovered, as well as its possible impact, underlying causes, and suggested remedies. Tailor your message to the technical proficiency of the audience and give priority to actionable takeaways.
● Reporting Requirements: Keep a record of your conclusions, suggestions, and correspondence regarding the cybersecurity risk, including dates, actions performed, and results.
● Report to Leadership: Deliver a thorough report to the CEO, board members, and other decision-makers who make up the organisational leadership. Emphasise the significance of resolving the detected risk and offer a remediation plan.
● Coordinate Response: To successfully execute the suggested solutions and reduce the risk, collaborate with pertinent teams including IT, security operations, legal, and compliance.
● Review and Monitor: Keep an eye on the situation to make sure the risk is adequately reduced and that the controls put in place continue to work over time. Regularly examine and update your cybersecurity plan to find new threats and make any adjustments.

By using this approach, you can properly report cybersecurity risks and improve your organisation's security posture.

4. What is an incident and how do you manage it?

Any occurrence that jeopardises the security of data or information systems is considered an incident. It may be inadvertent (like a cyberattack) or intentional (like a system misconfiguration), and it may range in severity from a minor problem to a serious emergency. An overview of cybersecurity incidents and their management is provided below:

Cybersecurity Incident Types:

● Data breaches: Sensitive information accessed or disclosed without authorisation.
● Malware attacks: Malicious software such as viruses, ransomware, or spyware that compromises a device.
● Denial-of-service (DoS) attacks: Flooding a system with traffic in order to prevent legitimate users from accessing it.
● Phishing attacks: Fraudulent emails or texts that deceive recipients into divulging personal data.
● Insider threats: Malicious acts committed by authorised personnel inside a company.

Management of Cybersecurity Incidents:

This methodical approach aims to identify, contain, eliminate, and recover from any cyber incident. The typical phases are as follows:

● Preparation: It's important to have a plan in place before an incident happens. Roles, communication methods, and procedures for various event types must all be defined.
● Identification and Detection: User reports and security mechanisms aid in the identification of possible incidents. To reduce damage, early detection is essential.
● Containment: The goal is to prevent the issue from getting worse and inflicting more damage. This could entail blocking malicious traffic or isolating compromised systems.
● Eradication: This stage entails getting rid of the malware or addressing the vulnerabilities that are the source of the issue.
● Recovery: The process of getting impacted systems and data back to normal. Backups are essential at this point.
● Post-Incident Review: Review the situation after it has occurred to determine what went wrong, how it happened, and how to stop it from happening again.

5. In a situation where both open source and licensed software can get a job done, what should be preferred and why?

A Comparison of Open Source and Licensed Software

Introduction: In today's digital landscape, organisations must decide whether to use open source or licensed software for operational purposes.

1. Cost Considerations:
- Open source: Lower initial cost, but may result in greater long-term support and maintenance costs.
- Licensed software: A higher initial expenditure, but potentially a lower total cost of ownership over time.

2. Flexibility and Customisation:
- Open source: Allows for a great degree of flexibility and customisation to meet individual company needs.
- Licensed software: Typically less versatile, with customisation choices limited by vendor constraints.

3. Support and Maintenance:
- Open source: Depends on community support and may lack dedicated customer care, posing issues in troubleshooting.
- Licensed software: Typically includes dedicated customer support and maintenance services, which ensures that issues are resolved on time.

4. Security Implications:
- Open source: Transparency enables community inspection, potentially leading to speedier identification and resolution of issues.
- Licensed software: Often has strong security measures and regular updates from the vendor, reducing security risks.

5. Community and Ecosystems:
- Open source: Benefits from a thriving developer community that contributes to continual improvement and innovation.
- Licensed software: Provides a well-established ecosystem of integrated solutions and partnerships, resulting in a more unified software landscape.

Conclusion: The choice between open source and licensed software depends on budget, customisation needs, maintenance requirements, and security concerns. Businesses can make better judgments about their software infrastructure by carefully analysing these variables.

6. What are the different levels of data classification and why are they required?

In cybersecurity, data classification entails categorising information according to its sensitivity. Common classifications include:

● Public: Information accessible to anyone.
● Internal Use: Data intended for internal consumption rather than public publication.
● Confidential: Sensitive information that must be kept secure from unauthorised access.
● Restricted/Highly Confidential: Critical data with strong access limitations.

Data classification is important because it:

● Guides security procedures for protecting sensitive data.
● Ensures conformity with rules and regulations.
● Helps to prioritise response efforts during security incidents.
7. What are the various response codes from different web applications?

In a web application, response codes reflect the status of a client's request to the server. Here are some typical HTTP status codes and their meanings:

1. 200 OK: The request was successful, and the server returned the requested resource.
2. 201 Created: The request was satisfied, resulting in the creation of a new resource.
3. 204 No Content: The server successfully processed the request but did not return any content.
4. 400 Bad Request: The server is unable to process the request because of incorrect syntax or missing arguments.
5. 401 Unauthorized: The request requires authentication, and the client must give proper credentials.
6. 403 Forbidden: The server understood the request but refused to authorise it. The client is not authorised to access the requested resource.
7. 404 Not Found: The server could not find the requested resource.
8. 405 Method Not Allowed: The requested resource does not support the specified request method (GET, POST, PUT, DELETE, etc.).
9. 500 Internal Server Error: The server encountered an unexpected condition, preventing it from fulfilling the request.
10. 503 Service Unavailable: The server is presently unable to process the request due to temporary overload or maintenance.

These response codes are critical for both developers and users to understand the results of their interactions with the web application.
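From a SOC analyst's seat, status codes matter most in aggregate: a client producing mostly 404s is probing for paths, a run of 401s on one URL followed by a 200 is the signature of a credential guess that worked. The following Python script is an added example, not part of the original document: it parses constructed access-log lines in Common Log Format, summarises status classes per client, and applies those two checks. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
# Added example: summarise HTTP status codes per client from access-log
# lines and flag clients whose traffic is dominated by 4xx responses.
# The log lines below are constructed for illustration and are not from
# the original document.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /backup HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /old HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /admin/login HTTP/1.1" 401 0
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /admin/login HTTP/1.1" 401 0
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/login HTTP/1.1" 401 0
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /admin/login HTTP/1.1" 200 3400
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /api/items HTTP/1.1" 201 44
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "DELETE /api/items/1 HTTP/1.1" 405 0
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /api/items HTTP/1.1" 503 0
not a log line at all
"""


def parse_log(text: str) -> List[dict]:
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def status_class(status: int) -> str:
    """Map a code to its class: 2xx success, 4xx client error, 5xx server error."""
    return f"{status // 100}xx"


def per_client_summary(entries: List[dict]) -> Dict[str, Counter]:
    """Count response classes for each client IP."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        summary[e["ip"]][status_class(e["status"])] += 1
    return dict(summary)


def flag_error_heavy_clients(entries: List[dict], min_requests: int = 5,
                             ratio: float = 0.6) -> List[str]:
    """Clients with enough requests where at least `ratio` of them drew a 4xx."""
    flagged = []
    for ip, counts in per_client_summary(entries).items():
        total = sum(counts.values())
        if total >= min_requests and counts["4xx"] / total >= ratio:
            flagged.append(ip)
    return sorted(flagged)


def auth_success_after_failures(entries: List[dict],
                                min_failures: int = 3) -> List[Tuple[str, str, int]]:
    """(ip, path, failures): a 200 on a path after >= min_failures 401s from the same ip."""
    failures: Counter = Counter()
    hits = []
    for e in entries:          # log order is assumed to be chronological
        key = (e["ip"], e["path"])
        if e["status"] == 401:
            failures[key] += 1
        elif e["status"] == 200 and failures[key] >= min_failures:
            hits.append((e["ip"], e["path"], failures[key]))
            failures[key] = 0
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, counts in per_client_summary(entries).items():
        print(ip, dict(counts))
    print("error-heavy clients:", flag_error_heavy_clients(entries))
    print("auth success after failures:", auth_success_after_failures(entries))
```

The thresholds (five requests, 60% errors, three failed logins) are starting points rather than tuned values; on a real server they should be set from a baseline of normal traffic so that a broken link or a user mistyping a password does not page the on-call analyst.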

8. What are the items that should be included in a good penetration testing report?

A comprehensive penetration testing report should include detailed results and recommendations for improving the security posture of the tested systems. The following are the main components that should be included:

1. Executive Summary:
- A summary of the extent of the penetration test.
- High-level conclusions and their implications for the organisation's security.
- Key recommendations for addressing identified risks.

2. Introduction:
- Background information on the goal and objectives of the penetration test.
- A description of the systems and networks tested.
- The scope and limits of the testing method.

3. Methodology:
- A description of the testing approach and procedures employed.
- A description of the tools and resources used during the penetration test.
- An overview of the testing environment, including any custom configurations or limits.

4. Findings:
- Detailed explanation of vulnerabilities identified during penetration testing.
- Vulnerabilities classified according to their severity (critical, high, medium, low).
- Proof of successful exploitation, such as screenshots, log files, and exploit information.

5. Risk Assessment:
- Analysis of the impact and likelihood of exploitation for identified vulnerabilities.
- Prioritisation of vulnerabilities according to risk severity and business impact.
- Recommendations for addressing high-risk vulnerabilities.

6. Recommendations:
- Specific instructions on how to address detected vulnerabilities.
- Best practices for enhancing the overall security posture.
- Action steps and dates for implementing proposed solutions.

7. Conclusion:
- A summary of significant findings and recommendations.
- Evaluation of the overall effectiveness of the security controls tested.
- Future considerations for continued security improvements.

8. Appendices:
- Technical details about vulnerabilities, including CVE numbers, CVSS scores, and references.
- Additional supporting documentation, including network diagrams, configuration files, and testing logs.
- A glossary of terms and acronyms used throughout the report.

By including these components in a penetration testing report, organisations can gain important insights into their security weaknesses and take proactive steps to reinforce their cyber defences.

9. How do you keep yourself updated with information security news?

To stay updated with information security news, I use a variety of methods:

1. Security News Websites: Pay regular visits to sites such as SecurityWeek, Threatpost, and Krebs on Security.
2. Blogs and Forums: Follow security blogs and forums for updates and discussions.
3. Vendor Advisories: Get security notifications from vendors and organisations like CERT/CC.
4. Webinars and Conferences: Participate in virtual events hosted by industry professionals and organisations.
5. Social Media: Follow cybersecurity professionals and organisations on sites such as Twitter and LinkedIn.
6. Research Papers: Read academic papers and publications from credible sources.
7. Training and Certifications: Continue your training and certifications to stay current.
8. Networking: Connect with peers via professional networks and online communities.

These methods allow me to stay up to date on emerging threats, vulnerabilities, and cybersecurity best practices.

10. The world has recently been hit by …... attack/virus etc. What have you done to protect your organisation as a security professional?

As a security professional, I responded to the recent [Attack/Virus] by taking various proactive steps to defend my organisation:

1. Patch Management: Ensured that all systems and software were up to date with the most recent security patches and upgrades to address known vulnerabilities exploited by the [Attack/Virus].
2. Security Awareness Training: Conducted specialised training sessions for staff to educate them on the [Attack/Virus], its possible impact, and best practices for infection prevention, such as recognising phishing attempts and avoiding suspicious links or files.
3. Enhanced Monitoring: Improved monitoring and detection capabilities to detect any signs of suspicious behaviour or indicators of compromise related to the [Attack/Virus], allowing for faster response and containment.
4. Incident Response Plan: Reviewed and updated the organisation's incident response plan to incorporate specific processes and protocols for handling occurrences involving the [Attack/Virus], ensuring a coordinated and effective response in the event of an outbreak.
5. Endpoint Protection: Enhanced endpoint protection measures, including antivirus software, intrusion detection systems, and endpoint security controls, to identify and block harmful behaviour connected with the [Attack/Virus] on staff devices and network endpoints.
6. Network Segmentation: Implemented network segmentation to protect important systems and sensitive data from potential risks posed by the [Attack/Virus], reducing the breadth of impact in the event of a successful breach.
7. Regular Backups: Set up regular backup procedures to safeguard the availability and integrity of essential data in the event of a ransomware attack or data loss caused by the [Attack/Virus].
8. Collaboration with Industry Partners: Worked with industry partners, security vendors, and relevant authorities to share threat intelligence, exchange information about the [Attack/Virus], and use pooled experience to improve defensive measures and response capabilities.

By implementing these preventative steps, I hoped to improve the organisation's security posture, reduce the danger of exposure to the [Attack/Virus], and minimise the potential impact on business operations and data integrity.

11. HIDS vs NIDS: which one is better and why?

HIDS (Host-based Intrusion Detection Systems) focus on individual hosts, offering detailed visibility into actions on that host but potentially affecting its performance. NIDS (Network-based Intrusion Detection Systems) monitor network traffic, providing broader visibility but requiring additional resources to deploy. Both are useful, with HIDS designed for host-specific threats and NIDS for network-wide attacks. Which to deploy depends on the specific security requirements and infrastructure.

*PRACTICAL

1. TOMCAT TAKEOVER BLUE TEAM LAB

1. Given suspicious activity detected on the web server, the pcap analysis shows a series of requests across various ports, suggesting potential scanning behaviour. Can you identify the source IP address responsible for initiating these requests on our server?
2. Based on the identified IP address associated with the attacker, can you ascertain the city from which the attacker's activities originated?
3. From the pcap analysis, multiple open ports were detected as a result of the attacker's scan. Which of these ports provides access to the web server admin panel?
4. Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?
5. Subsequent to their efforts to enumerate directories on our web server, the attacker made numerous requests trying to identify administrative interfaces. Which specific directory associated with the admin panel was the attacker able to uncover?
6. Upon accessing the admin panel, the attacker made attempts to brute-force the login credentials. From the data, can you identify the correct username and password combination that the attacker successfully used for authorisation?
7. Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of the malicious file from the captured data?
8. Upon successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they scheduled to run to maintain their presence?
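The first and third questions of this lab come down to two facts a capture can give up without any dissector: which source sent bare SYNs to many ports, and which ports the server answered with SYN-ACK. The following Python script is an added example and not part of the lab or the original document. It builds a small constructed capture in the classic libpcap file format (link type Ethernet), parses it back with struct, and derives both facts. All addresses, ports and timestamps are constructed; none come from the lab's real capture, and a real analysis would point parse_pcap at the capture file instead of SAMPLE_PCAP.

```python
# Added example: build and parse a classic libpcap capture to spot a port
# scanner (many bare SYNs from one source) and the ports that replied with
# SYN-ACK. All addresses, ports and timestamps are constructed; nothing here
# comes from the lab's real capture.
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic number as read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same bytes when the file was written big-endian
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10

Packet = Tuple[str, str, int, int, int]   # (src, dst, sport, dport, tcp_flags)


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet/IPv4/TCP frame with no payload (checksums left zero; not validated)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x00" * 12 + b"\x08\x00"          # MACs zeroed, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames as a little-endian libpcap file (24-byte global header)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data: bytes) -> List[Packet]:
    """Return (src, dst, sport, dport, flags) for each IPv4/TCP frame in the capture."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off, packets = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        ihl = (frame[14] & 0x0F) * 4                    # IP header length in bytes
        if frame[23] != 6:
            continue                                    # not TCP
        src = str(IPv4Address(frame[26:30]))
        dst = str(IPv4Address(frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        packets.append((src, dst, sport, dport, tcp[13]))   # byte 13 holds the flags
    return packets


def find_scanners(packets: List[Packet], min_ports: int = 10) -> Dict[str, int]:
    """Sources that sent bare SYNs to at least min_ports distinct (host, port) pairs."""
    targets = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def open_ports(packets: List[Packet], server: str) -> List[int]:
    """Ports on which `server` answered SYN-ACK, i.e. the ports a scan found open."""
    return sorted({sport for src, _dst, sport, _dport, flags in packets
                   if src == server and flags & SYN and flags & ACK})


# Constructed capture: one host probes 27 ports, the server answers on two,
# and an ordinary client opens two normal connections.
SCANNED_PORTS = list(range(1, 26)) + [8080, 8443]
SAMPLE_PCAP = build_pcap(
    [tcp_frame("198.51.100.7", "10.0.0.5", 40000 + p, p, SYN) for p in SCANNED_PORTS]
    + [tcp_frame("10.0.0.5", "198.51.100.7", p, 40000 + p, SYN | ACK) for p in (22, 8080)]
    + [tcp_frame("10.0.0.9", "10.0.0.5", 51000, 443, SYN),
       tcp_frame("10.0.0.9", "10.0.0.5", 51001, 80, SYN)]
)

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("packets parsed:", len(pkts))
    print("scanners:", find_scanners(pkts))
    print("open ports on 10.0.0.5:", open_ports(pkts, "10.0.0.5"))
```

Counting distinct (host, port) pairs rather than raw packets keeps a client that retransmits the same SYN from looking like a scanner, and reading the answer from the server's SYN-ACKs rather than from the probes is what separates "ports that were tried" from "ports that are open".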

7. LetsDefend Phishing Challenge

1. What is the return path of the email?
2. What is the domain name of the URL in this mail?
A) storage.googleapis.com
3. Is the domain mentioned in the previous question suspicious?
A) Yes
4. What is the body SHA-256 of the domain?
5. Is this email a phishing email?
A) Yes
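The questions above are the standard first pass of phishing triage: where would a bounce go (Return-Path), where do the links in the body point, and what is the hash of the body so it can be matched against other reports. The following Python script is an added example, not part of the challenge or the original document: it runs that pass over a constructed message with the standard-library email parser and flags the mismatches an analyst looks for (a Return-Path on a different domain from the From address, and a link host unrelated to the sender). The message, addresses and bucket path are constructed; the link host happens to be the one the challenge names, but the message is not the challenge's email.

```python
# Added example: pull the Return-Path, sender domain, link hosts and body
# SHA-256 out of a raw email and flag the mismatches a phishing triage
# looks for. The message below is constructed; it is not the lab's email.
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

SAMPLE_EMAIL = """\
Return-Path: <bounce@mail.example-sender.test>
From: "IT Helpdesk" <helpdesk@example.test>
To: employee@example.test
Subject: Action required: verify your mailbox
Content-Type: text/plain; charset="utf-8"

Your mailbox is almost full. Verify here:
https://storage.googleapis.com/example-bucket/verify.html
"""


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of the text, the value usually reported as the body hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def domain_of(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rpartition("@")[2].lower()


def related(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> Dict:
    """Parse a raw RFC 5322 message and collect the triage facts and findings."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    sender = parseaddr(str(msg.get("From", "")))[1]
    urls = URL_RE.findall(body)
    hosts = [urlparse(u).hostname or "" for u in urls]
    findings: List[str] = []
    if return_path and not related(domain_of(return_path), domain_of(sender)):
        findings.append(f"Return-Path domain {domain_of(return_path)} "
                        f"differs from From domain {domain_of(sender)}")
    for h in hosts:
        if not related(h, domain_of(sender)):
            findings.append(f"link host {h} is unrelated to sender domain {domain_of(sender)}")
    return {
        "return_path": return_path,
        "from": sender,
        "urls": urls,
        "url_domains": hosts,
        "body": body,
        "body_sha256": sha256_hex(body),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for key in ("return_path", "from", "url_domains", "body_sha256", "suspicious"):
        print(f"{key}: {result[key]}")
    for f in result["findings"]:
        print(" -", f)
```

A link on a public cloud storage host is not malicious by itself, which is why the check is relative to the sender's domain: a helpdesk message whose only link leaves the organisation's own domain is the condition worth flagging, not the cloud host in isolation.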

8. QRadar101 Blue Team Lab

1. How many log sources are available?
A) 15
2. What is the IDS software used to monitor the network?
A) suricata
3. What is the domain name used in the network?
A) hackdefend.local
4. Multiple IPs were communicating with the malicious server.
5. One of them ends with "20". Provide the full IP.
A) 192.168.20.20
6. The attacker was searching for data belonging to one of the company's projects. Can you find the name of the project?
A) Project 48
7. What is the IP address of the first infected machine?
A) 192.168.10.15
8. What is the username of the infected employee using 192.168.10.15?
A) nour
9. Hackers do not like logging. What logging was the attacker checking to see if enabled?
A) powershell
10. Name of the second system the attacker targeted to cover up the employee?
A) Mgnt-01
11. When was the first malicious connection to the domain controller (log start time - hh:mm:ss)?
A) 11:14:10
12. What is the MD5 hash of the malicious file?
A) 9D08221599FCD9D35D11F9CBD6A0DEA3
13. What is the MITRE persistence technique ID used by the attacker?
A) T1547.001
14. What protocol is used to perform host discovery?
A) Icmp
15. What is the email service used by the company? (one word)
A) office365
16. What is the name of the malicious file used for the initial infection?
A) Important_instructions.docx
17. What is the name of the new account added by the attacker?
A) Rambo
18. What is the PID of the process that performed the injection?
A) 7384
19. The attacker exfiltrated one file. What is the name of the tool used for exfiltration?
A) Curl
20. Who is the other legitimate domain admin other than the administrator?
A) adam
21. The attacker used the host discovery technique to find out how many hosts are available in a certain network. What is the network the hacker scanned from host IP 1 to 30?
A) 192.168.20.0
22. What is the name of the employee who hired the attacker?
A) Semi

9. LetsDefend Suspicious Browser Extension

1. Which browser supports this extension?
A) Google Chrome extension
2. What is the name of the main file which contains metadata?
A) manifest.json
3. How many JS files are there? (Answer should be numerical)
A) 2
4. Go to crxcavator.io and check if this browser extension has already been analysed by searching its name. Is it known to the community? (Yes/No)
A) No
5. Download and install ExtAnalysis. Is the author of the extension known? (Yes/No)
A) No
7. Often there are URLs and domains in malicious extensions. Using ExtAnalysis, check the 'URLs and Domains' tab. How many URLs and domains are listed? (Answer should be numerical)
A) 2
8. Find the piece of code that uses an evasion technique. Analyse it: what type of system is it attempting to evade?
A) Virtual machine
9. If this type of system is detected, what function is triggered in response?
A) chrome.processes.terminate(0)
10. What keyword in a user-visited URL will trigger the if condition statement in the code?
A) Login
11. Based on the analysis of content.js, what type of malware is this?
A) keylogger
12. Which domain/URL will data be sent to?
A) https://google-analytics-cm.com/analytics-3032344.txt
13. As a remediation measure, what type of credential would you recommend all affected users reset immediately?
A) Password
