Security Operations Basics

The document discusses security operations and the role of a security operations center (SOC). It describes the functions of a SOC including monitoring, detecting, and remediating IT threats. It also covers the technologies, processes, and people involved in security operations.

Uploaded by

190330035

7. Security Operations

Basics of Security Operations
• The Security Operations team is responsible for performing defensive activities for the organization

• They aim to protect critical organization assets from threat actors

• Employees equipped with different expertise work together on protecting the organization infrastructure
• SOC procedural workflow :

1. Collect logs from each and every system, device, network etc.
2. Analyse the logs to remove false positives and detect anomalies
3. Regularly scan the organization assets to detect misconfigurations / vulnerabilities
4. Act on possible ways to remediate the identified threat
5. Document the findings and prepare a sustainable incident response plan for possible future cyber attacks.


Diagram: Security Operations Center - Monitor, Detect, Remediate IT threats across the organization's ASSETS (applications, systems, locations, devices, network)
• Three main functions of SOC: Technology, People and Processes
• Technology

• For SOC team members, technology is their weapon; they use it to collect
different types of logs (login events, activities etc.).

• Security Monitoring : Log Collection -> Log Analysis (events, incidents) -> Development of detection rules
• Threat Hunting : Collected logs (events, incidents) -> Active search for new threats -> Suspicious anomaly

• Threat Intelligence : Data Source 1, Data Source 2, Data Source 3 -> Data -> Information -> Threat Intel
• Continuous OSINT Gathering : selling of breached information, social media, internal documents, credentials, on-premise locations, certificates, leaked documents, dark / deep web
• People

• The team comprises people who use the least amount of resources to get good visibility into active and emerging
threats.

• Continuous consolidation of technologies and effective organization of the team is required


ROLE | DESCRIPTION | RESPONSIBILITIES
Jr. Security Analyst [Tier-1] | Triaging security incidents | Triages alerts according to urgency and relevancy. Manages & configures security monitoring tools
Security Analyst [Tier-2] | Incident Responder | Reviews triaged alerts, identifies the scope of the alert. Performs remediation and recovery efforts
Senior Security Analyst [Tier-3] | Threat Hunter | Conducts pentesting on the production environment. Optimizes SOC tools based on threat hunting
SOC Manager | Chief of SOC | Hiring, training & assessing staff. Measures SOC performance & communicates with CISOs
• Processes
• Process ensures timely synchronization and execution of the various activities performed by the
SOC.

SOC PROCESS (cycle):
1. Event Classification & Triage
2. Prioritize & Analysis
3. Remediation & Recovery
4. Assessment and Auditing
• Security Information and Event Management (SIEM) Workflow

Relevant Security Data (Firewall, File Server, DNS Server, Web Applications, Network Devices, Cloud Providers)
-> Log Management / Analytics Tool
-> Anomaly Detection, Rule Implementation, Traffic Visualization
• Industry recognized SIEM Tools

• They are fed data from organization resources and provide deep insights into the assets'
day-to-day operations
• SIEM Detection Rule
• Device integration with SIEM Tools

Reference : https://nxlog.co/agent-based-versus-agent-less
• Exercises :

• Setting up the environment for attack and defense visualization


Host based Defence
• A host includes any physical / virtual OS that is allocated to an employee of the organization

• Enterprises mainly have the following OS's:

• Windows

• Linux

• Mac

• Tools like OSQuery (cross-platform), Sysmon (Windows) etc. can be used to collect
and transmit logs for analysing the performance of host devices.
• Host Firewall - Windows

• The Defender host firewall is present in Windows Vista, 7, 8, 10, 11 & Server editions.

• It helps secure the device by means of inbound & outbound rules.

• The rules state which network traffic can go in and out of the device

• The firewall works on 3 different network types (profiles) : Private, Public & Domain
• Inbound Rules : Network traffic coming from an external device. Ex : Someone tries to
connect to an FTP server on the host machine.

• Outbound rules : Network traffic originating from the host device. Ex : The host machine tries to
connect to a web server.

• Connection Rules : Used to filter the network traffic going in and out of the host device.
Traffic Flow Diagram : Internet <-> Firewall <-> Host Device; outbound traffic goes from the host device to a web server, inbound traffic comes from the Internet to the host device.

DEMO (Outbound setting) : Block Google Chrome from accessing the internet
Exercise 1 (Outbound setting) : Isolate the machine from the Internet
Exercise 2 (Inbound setting) : Block ICMP packets originating from the Internet towards your host machine
• Host Firewall – iptables

• Firewall utility that comes built in with most Linux operating systems.

• It is a command line utility that filters network traffic going in or going out of
the system.

• Iptables has 3 different chains, namely:

• INPUT : Controls incoming connections. Ex : SSH into a host machine with iptables enabled

• OUTPUT : Controls outgoing connections. Ex : Sending ICMP packets to a destination

• FORWARD : Helpful in routing scenarios; used when the host forwards traffic on to its
destination address.
• Check the current configuration of iptables.

• Iptables ACCEPT / DROP chains:

Diagram : "Linux" host device with iptables <-> "Windows" external device

• DROP the connection in the INPUT chain :

• ACCEPT the connection in the INPUT chain :

• DROP the connection in the OUTPUT chain :

• ACCEPT the connection in the OUTPUT chain :

• Connection Specific Responses

• ACCEPT : Allow the connection

• DROP : Drop the connection without sending any error
• REJECT : Drop the connection but send back an error response

• Block connections from a range of IP addresses:

• Block connections to a specific service port (SSH) over TCP

SSH from another machine

• Save the configured rules

• Flush the rules:

Exercise 1 (OUTPUT setting) : Block ICMP packets using iptables
Exercise 2 (INPUT setting) : Block ICMP packets originating from the Internet towards your host machine
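A Python simulation of how an iptables chain evaluates the rules described above (an added example, not the slides' own commands or any iptables code): it models the INPUT chain blocks from the slides (an IP range, the SSH port over TCP, ICMP) with first-match semantics and the chain policy, and renders the equivalent iptables-save lines. The 203.0.113.0/24 range is a constructed example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"

@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or REJECT
    proto: Optional[str] = None    # "tcp", "udp", "icmp"; None matches any protocol
    src: Optional[str] = None      # source host or CIDR range; None matches any source
    dport: Optional[int] = None    # destination port; None matches any port

@dataclass
class Chain:
    name: str
    policy: str = ACCEPT           # default target when no rule matches (iptables -P)
    rules: list = field(default_factory=list)

    def append(self, rule):        # like "iptables -A <chain> ..."
        self.rules.append(rule)
    def flush(self):               # like "iptables -F <chain>"
        self.rules.clear()

    def verdict(self, proto, src, dport=None):
        """Rules are checked top to bottom; the first match decides, else the policy applies."""
        ip = ipaddress.ip_address(src)
        for r in self.rules:
            if r.proto is not None and r.proto != proto:
                continue
            if r.src is not None and ip not in ipaddress.ip_network(r.src, strict=False):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.target
        return self.policy

    def render(self):              # same chain in iptables-save syntax, for comparison with 'iptables -S'
        lines = [f"-P {self.name} {self.policy}"]
        for r in self.rules:
            flags = [("-s", r.src), ("-p", r.proto), ("--dport", r.dport), ("-j", r.target)]
            lines.append(f"-A {self.name} " + " ".join(f"{f} {v}" for f, v in flags if v is not None))
        return lines

def build_input_chain():           # the blocks from the slides, in evaluation order
    ch = Chain("INPUT")
    ch.append(Rule(DROP, src="203.0.113.0/24"))      # block a whole range (constructed range)
    ch.append(Rule(REJECT, proto="tcp", dport=22))    # block SSH, but send the client an error
    ch.append(Rule(DROP, proto="icmp"))               # silently drop ping (exercise 2)
    return ch
```

Because the range rule sits first, a host inside 203.0.113.0/24 is dropped silently even on port 22, while every other client connecting to SSH gets the REJECT error; rule order matters as much as the target.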
• Anti-Virus
• In general terms, it is a computer program used to prevent, detect and remove malicious software.

• It continuously scans incoming files (coming to the system from anywhere) and if any anomaly is
detected, the file is quarantined / removed.

• The security landscape has moved a lot from focusing on a single device to end-point devices
like cell phones, enterprise laptops, tablets, servers, computers etc.

• End Point Security protects the network using a combination of firewall, antivirus, anti-malware etc.

• They are explicitly designed for enterprise clients to protect all their endpoint devices like servers,
computers, mobiles etc.
• Endpoint Detection & Response (EDR)
• From the name itself, it is clear that EDR is a solution that
continuously monitors and stores endpoint-device behaviour to detect and
block suspicious / malicious activities, and also provides remediation
facilities all in one place (single dashboard).

• Some unique key features of EDR are :

− Visibility
− Continuously updating telemetry database
− EDR focuses more on Indicators of Attack (IOA, detecting the intention of an adversary)
− Detailed insights into the environment
− Precision & accuracy in response
− Integrated with cloud based solutions
− Real-time monitoring and insights on a single dashboard
• But why?
− Big enterprises with more endpoint devices have more sensitive data
− Adversaries target endpoint servers / computers to establish a foothold
− Detailed insights into the environment
− Enterprise adoption of SaaS based solutions is growing
− More scalability and ease of configuration
− EDR includes multiple fine-tuned security solutions (focus on consolidation)

• Examples of EDR in the market (not particularly in order of performance):

− FireEye Endpoint Security
− CrowdStrike Falcon Insight
− Microsoft Defender Advanced Threat Protection (ATP)
− VMware Carbon Black EDR
− Symantec Endpoint Protection
− SolarWinds Endpoint Detection and Response etc.

Microsoft Defender for Endpoint
• Centralized platform to manage all the organization's endpoint devices in a single dashboard
• Works on an agent based methodology: an agent needs to be installed on each endpoint, which collects the data &
sends the telemetry to the dashboard
Microsoft Defender for Endpoint sign-up procedure

1. Sign up for the Defender for Endpoint account

2. Log in to the portal & select the platform agent

3. Download the agent to the endpoint and onboard it.

The endpoint will be visible in the dashboard within 30 minutes

4. Manage the endpoint from the Defender for Endpoint dashboard


Defender Dashboard : prioritize alerts & check incidents; write custom queries to track missed alerts; overall threat analytics of onboarded endpoints; score as per MS recommendations

DEMO : MS Defender for Endpoint Demonstration
Exercise 1

Onboard a Windows machine and check its status in the dashboard

Exercise 2

Onboard a Linux machine and check its status in the dashboard


Network based Defence
• The network comprises the multiple hosts present in the organization

• Networks are segregated using firewalls, switches etc.

• Collecting logs from network devices becomes difficult as they have a ton of data
being processed regularly in production
• Snort

• Open-source intrusion prevention system (IPS) developed by Cisco

• This software is capable of performing real-time traffic analysis and packet
logging on IP networks

• It can also be used to detect a variety of attacks and probes

• It has 3 modes:
• Packet sniffer (like tcpdump)
• Packet logger
• Full-blown IPS
• Download the software from here: https://www.snort.org/downloads

• The software can also be installed using apt from an already added
repository

• Snort performs real-time monitoring of packets using the rules that are present in the
configuration file.
Snort Rule Header

[action] [protocol] [sourceIP] [sourceport] -> [destinationIP] [destport] ( [Rule Options] )

Action to take | Type of traffic | Source IP & Port | Target IP & Port

Snort Rule Header Example

alert tcp $sourceIP $sourceport -> $destinationIP any
Snort Rule Options

General Rule Options :
• Message (msg) : Meaningful message stating the purpose of the rule
• sid / rev : Unique identifier and revision number for each rule
• Classtype : What the effect of a successful attack would be
• Reference : External source of information
• Reference : For the rule to fire, specifies which direction the network traffic is going

Detection Rule Options :
• Content : Search for specific content in the packet payload
• pcre : Regular expressions
• Byte Test : Allows a rule to test a number of bytes against a specific value in binary

(Snort Infographic)
• Snort configuration file location

/etc/snort/snort.conf

• Edit custom snort rules

/etc/snort/rules/local.rules

• Adding a rule in local.rules

alert icmp any any -> 192.168.1.8 any (msg:"ICMP Test"; sid:1000001; rev:1;)
• Starting snort and capturing traffic as per the configured rules (the first command only tests the configuration; the second runs with alerts printed to the console)

sudo snort -T -i eth0 -c /etc/snort/snort.conf

sudo snort -A console -q -i eth0 -c /etc/snort/snort.conf
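A parser and pre-check for local.rules written in Python (an added example, not part of the slides or of the Snort project), covering the rule header grammar above and the msg / sid / rev options; the sample rules are constructed, and the reserved-sid check reflects Snort's convention that local rules use sids of 1000000 and above.

```python
import re
# Header grammar from the slide: [action] [protocol] [src] [srcport] -> [dst] [dstport] ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Split one rule into header fields plus an options dict (values are lists: content/pcre may repeat)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a valid rule header: {line.strip()!r}")
    rule = m.groupdict()
    opts = {}
    # Options are "key:value;" pairs; this simple split assumes no ';' inside quoted values.
    for item in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = item.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    rule["options"] = opts
    return rule

def lint_local_rules(text):
    """Problems to fix before 'snort -T': bad headers, missing msg/sid/rev, reserved or duplicate sids."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        o = rule["options"]
        problems += [f"line {n}: missing {k}" for k in ("msg", "sid", "rev") if k not in o]
        if "sid" in o:
            sid = int(o["sid"][0])
            if sid < 1000000:  # sids below 1,000,000 are reserved for the official rule sets
                problems.append(f"line {n}: sid {sid} is in the reserved range; local rules start at 1000000")
            if sid in seen:
                problems.append(f"line {n}: sid {sid} already used on line {seen[sid]}")
            seen.setdefault(sid, n)
    return problems
# Constructed local.rules content for the demo; the first rule is the one from the slide.
SAMPLE_RULES = """\
alert icmp any any -> 192.168.1.8 any (msg:"ICMP Test"; sid:1000001; rev:1;)
alert tcp any any -> 192.168.1.8 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)
alert tcp 192.168.1.8 21 -> any any (msg:"FTP login failed"; content:"530 "; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"no sid here"; rev:1;)
"""
```

Running lint_local_rules(SAMPLE_RULES) reports the duplicated sid on line 3 and the missing sid on line 4, the two mistakes that most often make a freshly edited local.rules fail `snort -T`.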


DEMO : Detect SSH Login Attempt
Exercise 1

Detect ICMP packets heading towards the machine where Snort is installed

https://www.youtube.com/watch?v=8lOTUqfkAhQ

Exercise 2

Detect failed FTP attempts using the alert rule type

• Fortinet Fortigate Firewall

• Next-generation firewall that provides ultimate threat protection for
businesses

• Mainly used in enterprises for the following purposes:

• VPN tunnels
• Network segmentation
• Web filtering
• Secure firewall portal access
• Easy integration with other Fortinet products

Diagram : INTERNET -> FORTIGATE FIREWALL (AntiVirus, Application Control, IPS, SSL Inspection) -> De-militarized Zone / Militarized Zone; network segmentation and access via VPN tunnel

Exercise 1

Fortinet Fortigate Dashboard Demonstration

Exercise 2

Fortinet Fortigate Abuse Demonstration (RCE)

• Security Information and Event Management – Splunk

• It provides real-time data to perform analysis based on security events

• Tools like Splunk match collected events against rules & analytics engines to
detect & analyse advanced threats

• Alert indexing is an important aspect that is covered by Splunk. It integrates
the events into the alert workflow procedure

• Splunk and SIEM can be deployed in a

• Single environment
• Distributed environment
• Splunk Working Modes
• Configuring Splunk

1. Download (as per platform)

2. Install & begin

3. Forward data to Splunk

4. Search / Visualize / Raise

• Log Collection in Splunk (local setup)

• Select the icon shown in the slide after signing up

• Navigate and choose the "Monitor" option; it will monitor the local Splunk platform instance
• Choose the auth.log file that collects login attempts locally

• Select the source type as "linux_secure"

• Perform the final review and then start searching

• Monitor the events in real-time

• Log collection from other sources (steps 1 to 5 shown as screenshots in the slides)
DEMO : Install Splunk in Linux Instance
DEMO : Log forwarding to Splunk

1. Installing “sysmon” in Windows Machine


2. Collecting & Transferring logs via “Universal
Forwarder (UF)”
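Detection logic an analyst would run over the auth.log lines that Splunk ingests with the linux_secure source type, written in Python as an added example (not part of the slides or of Splunk): it parses sshd outcomes, flags sources with repeated failed logins, and flags sources that eventually succeeded after failing. The log lines are constructed, and the threshold of 3 failures is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (the file Splunk indexes as linux_secure); not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:15 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 10:01:19 host1 sshd[2240]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:02:02 host1 sshd[2251]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2
Mar  3 10:02:40 host1 sshd[2260]: Failed password for bob from 198.51.100.7 port 40200 ssh2
Mar  3 10:02:55 host1 sshd[2260]: Accepted password for bob from 198.51.100.7 port 40200 ssh2
Mar  3 10:03:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_auth_log(text):
    """Return (outcome, user, source_ip) for every sshd login line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
            m = rx.search(line)
            if m:
                events.append((outcome, m["user"], m["ip"]))
                break
    return events

def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logins: the condition a SIEM alert rule would fire on."""
    fails = Counter(ip for outcome, _, ip in events if outcome == "failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def success_after_failures(events):
    """Source IPs that logged in successfully after earlier failures: triage these before plain noise."""
    failed_so_far, flagged = set(), []
    for outcome, _, ip in events:
        if outcome == "failed":
            failed_so_far.add(ip)
        elif ip in failed_so_far and ip not in flagged:
            flagged.append(ip)
    return flagged
```

The same two conditions map directly onto a scheduled Splunk search over sourcetype=linux_secure; the Python version lets you check the parsing against sample lines before writing the search.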
• Security Orchestration, Automation and Response – Azure Sentinel

• It is a technology that allows organizations to collect data (alerts + events) &
allows analysts to respond to threats in real-time by automating repetitive tasks

Security OAR :
• Orchestration : Threat & Vulnerability Management
• Automation : Automate particular areas of security operations
• Response : Security Incident Response, to strategically increase the effectiveness of Security Operations
• OSQuery 101

• The OSQuery framework, originally developed by Meta, exposes an OS as a high-performance relational
database.

• Data like system network connections, running processes etc. is stored in tables

• We can extract the system data from the tables using SQL queries

• The extracted information can then be fed to SIEM servers etc. for further processing
(System information is stored in table format)
• Install OSQuery (Linux)

Link : https://osquery.io/downloads/
Exercise : Install OSQuery in a Linux instance
• Run and check all the available tables:
• Check the structure of each table
• Query from a table and limit the results
• Select 2 columns from a table

• With filtering
Exercise : Explore the tables & replicate
the above exercises
Final Examination Instructions
• Once the self-paced materials are thoroughly completed, please reach
out at [email protected] to schedule the examination

• The exam project duration is 20 days, starting from the day when the
support team shares the details with you as per your schedule

• The project solution report must be in PDF format

Final Examination Instructions
• Candidates can follow any report template; however, the steps &
documentation must be clear & thorough

• Candidates can submit the PDF report via email within the mentioned
duration (20 days)

• Evaluators will provide the results within 3 working days


Thank you!

For any technical support, please mail at:


[email protected]
