SOC Analyst Course
ITSAFE - 5323800

CIA Triad
The CIA Triad represents the three main principles of information security:

• Confidentiality - How confidential is our information?
• Integrity - How trustworthy is our information?
• Availability - How available is our information?


CIA Triad
Confidentiality - How confidential is our information?

• How secure is the information in my possession?
• How secure should the information in my possession be?
• Physical protection - locked doors, security guards, safes, security cameras and more.
• Logical protection - encrypted information, passwords, firewalls, 2FA and more.

A confidentiality failure happens when someone can read the information in my possession without my permission.


CIA Triad
Integrity - How trustworthy is our information?

• Is the information in my possession trustworthy?
• Was the information changed while it was stored?
• Was the information changed in the communication channel?
• Hashing - a hashing algorithm is a mathematical one-way function that maps data of any size to a fixed-size digest. Any change to the data produces a different digest, so comparing digests reveals modification.
• Checksum - a checksum is a technique used to verify received data, i.e., to detect whether there was an error in transmission or whether the data was changed. A simple checksum detects accidental errors only; detecting deliberate tampering needs a cryptographic hash, and a keyed one (MAC or signature) if the attacker can also replace the digest.

An integrity failure happens when someone successfully changes the information in my possession or interferes with the communication channel.

CIA Triad
Availability - How available is our information?

• Are the systems that provide the information available at any time?
• Is the information available to all authorized users at any time?
• Redundancy - redundancy is introduced to improve reliability and ensure availability.
• Backups and DRP - creating backups of all assets that provide availability of services, and creating a disaster recovery plan (DRP).

An availability failure happens when users cannot reach the information that should be available to them.

Risk Consideration
• Assets - everything of high value to the organization:
  • Information.
  • Network devices.
  • Clients and servers.
  • Software.
  • Human resources.
  • Workflow and strategy.

Risk Consideration
• Vulnerability - any weakness in system design, implementation or code, or the lack of a prevention mechanism:
  • Software bugs.
  • Unpatched or misconfigured clients and servers.
  • Wrong software installations.
  • Wrong network device installations.
  • Wrong network architecture design.
  • Defects in physical security.
  • Employees without a reliability check or background check.


Risk Consideration
• Threat - anything that can cause damage to, or a breach of, an important asset:
  • Natural disaster.
  • Cyber attack.
  • Damage to the reliability of information.
  • Virus.

Security experts cannot control the threats themselves; their job is to minimize the threats' impact through mitigation.


Risk Consideration
• Security experts must identify risks and keep them under control.
• Weaknesses and vulnerabilities are part of the organization's risk management, and it is necessary to determine how to deal with them in accordance with the organization's policy and strategy.


Risk Consideration
[Diagram: RISK at the intersection of Threat, Vulnerability and Asset.]


Risk Consideration
• Risk is the possibility that a threat will exploit a vulnerability and harm an asset.

Risk = Vulnerability x Threat

• A vulnerability without a threat, and a threat without a vulnerability, do not pose a risk.


Identify Threats
In order to identify threats we divide them into four types: adversarial, accidental, structural and environmental.

• Adversarial threats
  • The bad guys - those who want to harm and sabotage the workflow of the organization.
  • Script kiddies - amateur attackers who use ready-made tools without real knowledge.
  • Hacktivist - an individual hacker or a group motivated by an agenda.
  • Professional criminal - professional hackers motivated by large amounts of money.


Identify Threats
• APT - Advanced Persistent Threat
  • A country or government organization with a lot of knowledge, an effectively unlimited budget and sophisticated tools for exploiting vulnerabilities. Stuxnet, for example, used previously unknown vulnerabilities and exploits in its attack. Attacks on vulnerabilities that are unknown to the vendor, and so have no patch, are known as zero-days.


Identify Threats
• The insider, and other parties with legitimate access to the organization:
  • Competitors
  • Suppliers
  • Clients
  • Business partners


Identify Threats
• Accidental threats
  • Occur when a programming or configuration error compromises the security of the organization or affects day-to-day operations.
  • Poor planning of a change procedure.
  • Incorrect configuration of communication or computing equipment.
  • Amazon.


Identify Threats
• Structural threats
  • Occur when one of the organization's critical services goes down.
  • Failure of communication products or of the software redundancy.
  • Failure of the air conditioning that cools the server room.


Identify Threats
• Environmental threats
  • Occur when a natural disaster or other malfunction happens, such as fire, flood, power outage, loss of communication, etc.


Risk Assessment
Risk management - assessing the level of risk in the face of weaknesses and threats, and the organization's ability to minimize them.
• Organizations need to perform risk management routinely, on a regular basis.
• NIST - National Institute of Standards and Technology.
• NIST Special Publication 800-30, Guide for Conducting Risk Assessments.


Risk Assessment
Risk assessment process according to NIST 800-30 (four steps: prepare, conduct, communicate, maintain).


Risk Assessment
The steps we will take - Step 1: Prepare for the risk assessment

• Set the purpose of the required risk assessment.
• Determine the scope of the risk assessment.
• Identify the constraints and assumptions to be considered in the risk assessment.
• Identify the sources of information for the risk assessment.
• Choose the risk model and the analytical approach that will be followed.


Risk Assessment
The steps we will take - Step 2: Conduct the risk assessment

• Identify the threat sources relevant to the organization.
• Identify the threat events those sources may cause.
• Identify vulnerabilities in the organization's assets that the threats may exploit.
• Determine the likelihood of each threat event occurring.
• Determine the impact of each threat event.
• Determine risk as a combination of likelihood and impact.


Risk Assessment
The steps we will take - Step 3: Communicate and share the results

• Present the risk assessment in a report or dashboard for mailing and sharing.
• Present the results of the risk assessment to the organization's management.
• Share the results in accordance with national and organizational guidelines.


Risk Assessment
The steps we will take - Step 4: Maintain the assessment

• Ongoing monitoring of the risk factors identified in the assessment.
• Updating the assessment with new risks, retiring risks that are no longer relevant, and updating the impact or likelihood of a threat occurring.


Risk Controls
With proper risk management and various controls it is possible to minimize the risks in the organization.

• There are four ways to deal with risk:
  • Risk acceptance
  • Risk avoidance
  • Risk mitigation
  • Risk transfer


Risk Controls

Risk acceptance
• The organization accepts the risk when the risk is low, or when treating it would require a disproportionately high financial investment.

Risk avoidance
• The organization avoids the risk because the risk is high. Changes are made to the organization's policy, system settings or network architecture in order to avoid the risk associated with a particular vulnerability.


Risk Controls

Risk mitigation
• The goal is to reduce the risk to a level acceptable to the organization, but not necessarily to eliminate it.
• We do this by adding various controls to the policy, the system settings or the architecture.

Risk transfer
• If the organization cannot afford to accept, avoid or mitigate the risk, it can transfer the risk to another company, for example an insurance company.


Risk Controls

Controls - the controls can be divided into two groups:

• Technical controls - systems, equipment and software that enforce the CIA principles, such as firewalls, antivirus, etc.
• Operational controls - processes and procedures that improve the organization's information security, such as compliance with regulations, employee awareness, procedure audits, penetration tests and policies.


Cyber Security Fundamentals

AAA Security
A security framework that defines three important concepts in the world of information security:

• Authentication - identifying the user (proving who they claim to be).
• Authorization - the permissions granted to the user according to their role.
• Accounting - recording all of the user's actions when accessing an asset (who did what, and when), for auditing and billing.


AAA Security
Authentication, Authorization and Accounting (AAA)

Authentication - Who is allowed to access?
Authorization - What resources are they allowed to access?
Accounting - What is being accessed, by whom, and when?


Multi-Factor Authentication (MFA)
The authentication factors available today; MFA combines two or more different factors:

• Something you have (a hardware token, a smart card, a phone).
• Something you know (a password, a PIN).
• Something you are (a fingerprint, a face).
• Somewhere you are (location).


Hashing
Represents information of any type and any size as a string of a fixed size.

• One-way function - produces a single, fixed-size value for the original information.
• The output is called a digest or hash.
• It is computationally infeasible to recover the original information from the hash.
• Used for storing passwords (salted, with a deliberately slow hash), signing files and verifying integrity.
• File verification and digital signatures.


Hashing

MD5 Hash
• Produces a 128-bit (16 byte) digest, usually shown as 32 hexadecimal characters. MD5 collisions are practical today, so it must not be used for signatures or for integrity checks against an attacker.

f030cb933e45a4509363a570ab1ab73a

Hashing

SHA-256 Hash
• Produces a 256-bit (32 byte) digest, shown as 64 hexadecimal characters.

4ACDA93BB9B12663FB87E2DB8FAF2CC0B8117EF1B626EBC9821F95672D446C3E

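The following is an added example, not code from the course, covering the integrity and hashing slides above: it shows the digest sizes of MD5 and SHA-256, why a plain checksum is not an integrity control against an attacker, file verification by digest comparison, and how passwords should be stored. Only the Python standard library is used; the "file" contents are constructed for the example.

```python
"""Hashing for integrity checks and password storage.
Added example for this section; it is not code from the course slides and
uses only the Python standard library. The sample data is constructed."""
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional, Tuple

# Constructed sample data standing in for a file that is transferred.
ORIGINAL = b"Transfer 100 EUR to account 1234"
TAMPERED = b"Transfer 900 EUR to account 1234"   # one byte changed in transit


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of the data: MD5 is 128 bits (32 hex chars),
    SHA-256 is 256 bits (64 hex chars)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def crc32_checksum(data: bytes) -> int:
    """A plain (non-cryptographic) checksum. It catches accidental
    transmission errors, but an attacker can adjust a forged message so
    that its CRC still matches, so it proves nothing against tampering."""
    return zlib.crc32(data) & 0xFFFFFFFF


def verify_file(data: bytes, expected_sha256: str) -> bool:
    """File verification: recompute the digest of what was received and
    compare it (in constant time) with the digest published by the sender."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Password storage: a random per-user salt and a slow, iterated hash
    (PBKDF2-HMAC-SHA256), never a bare MD5/SHA-256 of the password, which
    rainbow tables and GPUs crack quickly."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check_password(password: str, salt: bytes, stored: bytes,
                   iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for name, value in digests(ORIGINAL).items():
        print(f"{name}: {value} ({len(value) * 4} bits)")
    # Even a one-byte change flips roughly half of the digest bits.
    print("sha256 after tampering:", digests(TAMPERED)["sha256"])
    published = digests(ORIGINAL)["sha256"]
    print("tampered file verifies?", verify_file(TAMPERED, published))
    salt, stored = hash_password("correct horse battery staple")
    print("right password:", check_password("correct horse battery staple", salt, stored))
    print("wrong password:", check_password("Tr0ub4dor&3", salt, stored))
```

Note that `verify_file` only proves integrity if the expected digest reaches you over a channel the attacker cannot modify; if the attacker can replace both the file and its published hash, you need a signature (next section) or a keyed MAC.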

Cryptography and Encryption
• Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages.
• The ciphertext is a sequence of symbols that hides the secret text and that no one without the key can understand.
• The ciphertext can be deciphered only by those who hold the key that restores the encrypted text to its original, readable state. The algorithm (the cipher) is assumed to be public; the key is the secret input to it.
• This is how only those who know the key can understand the text. Sometimes the key is weak, i.e. small enough that a computer can find it by trying all possibilities.



Cryptography and Encryption
Encryption
Encryption describes hiding the meaning of a readable message using an algorithm, which is a function that takes the encryption key as a parameter and turns the readable message into a sequence of symbols that mean nothing to a person: the encrypted text.

Decryption
Decryption describes restoring the encrypted text to its readable state using the appropriate inverse function with the appropriate decryption key.

Cipher - the encryption algorithm. Plaintext - the visible, readable text. Ciphertext - the encrypted text.


Cryptography and Encryption
Symmetric Encryption
• The same key is used both to encrypt the plaintext and to decrypt the ciphertext.
• The key must be delivered to the other party over a secure channel (or agreed with a key exchange such as Diffie-Hellman).
• Ciphers that are no longer considered secure: DES (56-bit key), 3DES, WEP (RC4-based).
• Ciphers in common use: AES (also the cipher behind WPA2/WPA3), IDEA.

[Diagram: "Love U Granny" -> encryption algorithm -> ciphertext "AK$!4z0v2+s=TraY/jh" -> decryption algorithm -> "Love U Granny", with the same shared key used on both sides.]

SOC Analyst
Cryptography
And Encryption
Asymmetric Encryption
• Creating 2 keys, Private and Public Keys.

• The private key is the only one that can decrypt information encrypted by the public key.
ITSAFE - 5323800
• Sending the public key from the source to the destination, the target encrypts its visible information with
the public key of the source and sends back to it.

• The source decodes the information using its private key.

• Common encryptions are: RSA, DSA, Diffie Hellman.

SOC Analyst
Cryptography
And Encryption
Asymmetric Encryption

ITSAFE - 5323800
Different Key’s

Public Key Secret Key

AK$!4z
0v2+s=
TraY/jh
Plain Text Cipher Text Plain Text
Encryption Decryption
SOC Analyst
Cryptography
And Encryption
Digital Signatures
• Sign documents securely from source to destination by digital signature.

• Hashing a file and its encryption by the user's private key creates a digital signature that is sent with
the document to the destination. ITSAFE - 5323800

You’re s8cBAEEBCAAQBQJZ
Hired, You’re
Bob
zBIbCRAW8ZAwUfg
Hired,
Plain Text Hash of Plain text Bob
s8cBAEEBCAAQBQJZ Gmd8kelopt8
zBIbCRAW8ZAwUfg hF85TetMS
Hash Encryption Gmd8k
Digtal Signature elopt8h
Alice’s Computer Hashing Algorithm Hash of Plain text F85Tet
MS
Plain Text
Alice’s Private Key And Digital
Signature

Cryptography and Encryption
Digital Signatures
• The destination decrypts the signature with the public key of the source, recovering the hash the sender computed.
• It computes the hash of the readable file itself and compares it with the hash recovered from the signature. If they match, the document is intact and was signed by the holder of the private key.

[Diagram: on Bob's computer the received signature is decrypted with Alice's public key to recover the hash; the received plaintext is hashed with the same hashing algorithm and the two hashes are compared.]

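The following is an added example, not code from the course, covering the asymmetric encryption and digital signature slides: textbook RSA key generation, public-key encryption and the hash-then-sign flow from the Alice/Bob diagrams, with only the standard library. The primes are constructed and tiny and there is no padding, so it demonstrates the mechanics only; real systems use a vetted library such as the `cryptography` package.

```python
"""Textbook RSA: asymmetric encryption and hash-then-sign signatures.
Added example for this section, not code from the course. It uses only the
standard library and deliberately tiny, constructed primes with no padding,
so it shows the flow of the diagrams but must never be used for real data."""
import hashlib
from typing import Tuple

Key = Tuple[int, int]          # (modulus n, exponent)

# Constructed primes, ~20 bits each: fine for a demo, hopeless for security.
P, Q = 1_000_003, 1_000_033


def generate_keypair(p: int = P, q: int = Q, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, private_key), where e*d == 1 (mod phi(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key: Key, message: bytes) -> int:
    """Anyone can encrypt with the public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key: Key, ciphertext: int) -> bytes:
    """Only the private key holder can decrypt."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _hash_to_int(document: bytes, n: int) -> int:
    # The toy modulus is far smaller than a SHA-256 digest, so reduce it;
    # real RSA pads the full digest instead (PKCS#1 v1.5 or PSS).
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(private_key: Key, document: bytes) -> int:
    """Alice: hash the document, then apply her private key to the hash."""
    n, d = private_key
    return pow(_hash_to_int(document, n), d, n)


def verify(public_key: Key, document: bytes, signature: int) -> bool:
    """Bob: recover the hash with Alice's public key and compare it with the
    hash he computes himself over the document he received."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(document, n)


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    document = b"You're Hired, Bob"
    signature = sign(alice_priv, document)
    print("signature verifies:", verify(alice_pub, document, signature))
    print("modified document verifies:", verify(alice_pub, b"You're Fired, Bob", signature))

    bob_pub, bob_priv = generate_keypair(1_000_037, 1_000_039)
    secret = encrypt(bob_pub, b"hi!")                 # encrypted with Bob's public key
    print("Bob decrypts:", decrypt(bob_priv, secret))
```

Note what the verification does and does not prove: a valid signature shows the document was not modified and was produced by whoever holds the private key matching `alice_pub`; it says nothing about whether that public key really belongs to Alice, which is the problem the Digital Certificate section solves.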

The Web

Website
• Our goal in this lesson is to learn about Internet traffic security.
• We will understand how the HTTP and HTTPS protocols work.


HTTP
• Hypertext Transfer Protocol.
• The protocol works in a client-server model where the client sends a request and the server returns a response.
• Responsible for transferring HTML pages and the objects in them from the server to the client.
• Works in the seventh (application) layer of the OSI model.
• Stateless - each request is independent; sessions are built on top of it with cookies.
• Works on port 80 by default.


HTTP Requests
• GET - designed to retrieve an object located on the server, at the address given at the beginning of the message. GET requests are the most common.
• POST - requests that carry input in the body of the message. POST requests are usually used to send data from HTML forms to the server for processing.


HTTP Status Codes
• 2xx (e.g. 200) - the request arrived and was successfully processed by the server.
• 3xx (e.g. 301) - redirection: the address specified in the request is outdated and the object it previously referred to is now under a new address.
• 4xx (e.g. 400) - client error: the server cannot or will not process the request.
• 401 - the request has not been completed because it lacks valid authentication.
• 403 - the server understands the request but refuses to authorize it.
• 404 - the server cannot find the requested resource.

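Status codes are one of the first things a SOC analyst pivots on in web server logs. The following is an added example, not part of the course: it parses access-log lines (Combined Log Format, constructed for this example with documentation-range IP addresses) and flags sources with repeated 401s (credential guessing), a 200 after those 401s (a login that may have succeeded) and bursts of 403/404 across different paths (scanning). The thresholds are assumptions to tune per site.

```python
"""Triage of web server access logs by HTTP status code.
Added example for this section; not part of the course material.
The log lines are constructed for the example (Combined Log Format)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:11 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:13 +0000] "GET /admin/config.php HTTP/1.1" 403 180 "-" "python-requests/2.31"
192.0.2.21 - - [10/Mar/2024:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Mar/2024:13:57:01 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text: str) -> List[dict]:
    """Parse lines in log order; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def status_by_ip(entries: List[dict]) -> Dict[str, Counter]:
    """Count status codes per source address."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        per_ip[e["ip"]][e["status"]] += 1
    return per_ip


def flag_suspicious(entries: List[dict], auth_threshold: int = 3,
                    probe_threshold: int = 3) -> Dict[str, List[str]]:
    """Return {ip: [reasons]} for sources worth a closer look.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    seen_401, ok_after_401 = set(), set()
    for e in entries:                       # order matters: was there a 200 *after* the 401s?
        if e["status"] == 401:
            seen_401.add(e["ip"])
        elif e["status"] == 200 and e["ip"] in seen_401:
            ok_after_401.add(e["ip"])

    findings: Dict[str, List[str]] = defaultdict(list)
    for ip, counts in status_by_ip(entries).items():
        if counts[401] >= auth_threshold:
            findings[ip].append(f"{counts[401]} x 401 - possible brute force")
            if ip in ok_after_401:
                findings[ip].append("200 after repeated 401 - check whether the login succeeded")
        probes = counts[403] + counts[404]
        if probes >= probe_threshold:
            findings[ip].append(f"{probes} x 403/404 - possible scanning")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in flag_suspicious(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

On real logs, run this over a time window rather than a whole file, and join the flagged addresses against the paths they requested: a 200 after three 401s on `/login` is an incident until proven otherwise.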

HTTPS
• Hypertext Transfer Protocol Secure.
• The protocol is responsible for transmitting HTTP messages over an encrypted SSL/TLS connection.
• Designed to transfer all information, especially private information, between the web server and the web browser in an encrypted manner and to prevent man-in-the-middle attacks.
• Works in the seventh layer of the OSI model.
• Works on port 443 by default.


SSL
• Secure Sockets Layer.
• An encryption protocol designed to provide HTTP encryption over the Internet.
• Responsible for authenticating the web server (and optionally the client) and encrypting the information transmitted between them.
• The last version of SSL is SSL 3.0. It is no longer safe to use after a critical vulnerability (the POODLE attack, 2014) was found in it; all SSL versions are deprecated today and servers should accept only TLS.


TLS
• Transport Layer Security.
• An encryption protocol designed to provide HTTP encryption over the Internet.
• The current standard in encryption protocols, based on the principles of SSL; the current version is TLS 1.3, and TLS 1.0/1.1 are deprecated.
• As in SSL, it is responsible for authenticating the web server (and optionally the client) and encrypting the information transmitted between them.


Digital Certificate
• The problem with a digital signature, as we learned in the previous lesson, is that by itself it does not verify the identity of the sender: it only proves that whoever holds the private key matching a given public key produced the signature.
• An attacker could exploit this, perform a man-in-the-middle attack to impersonate the sender and present their own key pair, thus modifying the content of the message regardless of the verification performed on the other side.
• The solution is to verify the identity of the sender, and we do this with the help of a digital certificate.
• A digital certificate binds the sender's identity to the sender's public key, and is used to verify that the public key indeed belongs to the sender.


Digital Certificate
• A certificate contains:
  • The name of the owner (subject) to whom the certificate was issued.
  • The owner's public key and the certificate's validity period (not before / not after).
  • The name of the certificate issuer (the certificate authority, CA).
  • The digital signature of the issuer, including the hash and signature algorithm used.


Digital Certificate Example
[Screenshots of a browser certificate viewer, annotated: the name of the site to which the certificate was issued; the hash algorithm; the dates of issue and expiration of the key; the DNS names covered and the public key; the main supplier (root CA) and the supplier hierarchy (certificate chain).]


SSL/TLS Handshake

• First step
  • The client sends a ClientHello message that includes the SSL/TLS version it supports, the cryptographic algorithms (cipher suites) it supports and the compression methods.

ClientHello (client -> server)
1. SSL or TLS version
2. Cryptographic algorithms (cipher suites)
3. Data compression methods


SSL/TLS Handshake

• Second step
  • The web server returns a ServerHello message that includes the chosen cipher suite, a session ID and the server's certificate, which carries the server's public key.

ServerHello (server -> client)
1. Cryptographic algorithm agreement
2. Session ID
3. Server's digital certificate
4. Server's public key (inside the certificate)


SSL/TLS Handshake

• Third step
  • The web browser validates the server's digital certificate against the Certificate Authority (CA) certificates it trusts.


SSL/TLS Handshake

• Fourth step
  • The web browser sends a ClientKeyExchange: a shared secret for the symmetric encryption (the pre-master secret), encrypted with the server's public key.


SSL/TLS Handshake

• Fifth step
  • The web browser sends a Finished message encrypted with the shared key, indicating that the key handshake is complete on the browser's side.


SSL/TLS Handshake

• Sixth step
  • The web server decrypts the shared secret with its private key, then decrypts the browser's Finished message with the shared key. Finally, it sends its own encrypted Finished message.


SSL/TLS Handshake

• Seventh step
  • The web server and the web browser exchange application data encrypted with symmetric encryption using the shared key.


SSL/TLS Handshake

Summary of the exchange:
ClientHello (client -> server)
ServerHello (server -> client)
ClientKeyExchange (client -> server)
Finished (client -> server)
Finished (server -> client)

Note: this is the RSA key exchange of TLS 1.2 and earlier. TLS 1.3 removed it; the shared secret is always derived with an ephemeral (EC)DHE exchange, so a stolen server private key cannot decrypt recorded sessions.

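The first step above is the one a network sensor sees in the clear. The following is an added example, not code from the course: it builds a ClientHello record the way a browser would and then parses it the way a server or IDS would, recovering exactly the three items on the slide (version, cipher suites, compression methods) plus the server name (SNI), and flags weak offers. The record bytes are constructed here; only the standard library is used.

```python
"""Building and parsing a TLS ClientHello (the first step of the handshake).
Added example for this section, not the course's code; the builder plays the
browser and the parser the part of a server or network sensor. The record
bytes are constructed here and only the standard library is used."""
import struct
from typing import Dict, Sequence

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
WEAK_SUITES = {0x000A, 0x0005}        # 3DES and RC4: flag a client that still offers them
EXT_SERVER_NAME = 0


def build_client_hello(version: int = 0x0303,
                       cipher_suites: Sequence[int] = (0x1301, 0x1302, 0xC02F),
                       server_name: str = "example.com",
                       client_random: bytes = bytes(32)) -> bytes:
    """Assemble record header + handshake header + ClientHello body."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    host = server_name.encode()
    sni_entry = struct.pack(">BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    extension = struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (struct.pack(">H", version) + client_random
            + b"\x00"                                           # empty session ID
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack(">H", len(extension)) + extension)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake  # 0x16 = handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract version, cipher suites, compression methods and SNI from a record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                                # skip client random
    pos += 1 + body[pos]                                        # skip session ID
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    compressions = list(body[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    server_name = None
    if pos + 2 <= len(body):                                    # extensions are optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack(">H", data[3:5])[0]    # skip list length + name type
                server_name = data[5:5 + name_len].decode("ascii")
    # A TLS 1.3 client still writes 0x0303 here and announces 1.3 in the
    # supported_versions extension (type 43), which this parser does not read.
    return {
        "version": VERSION_NAMES.get(version, hex(version)),
        "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites],
        "weak_cipher_suites": [SUITE_NAMES[s] for s in suites if s in WEAK_SUITES],
        "compression_methods": compressions,   # anything but [0] reopens CRIME-style attacks
        "server_name": server_name,
    }


if __name__ == "__main__":
    hello = build_client_hello()
    print(hello.hex())
    print(parse_client_hello(hello))
    print(parse_client_hello(build_client_hello(version=0x0301, cipher_suites=(0x0005, 0x000A))))
```

Because the ClientHello is unencrypted, everything this parser extracts is also visible to a passive observer on the path, which is why SNI reveals which site a client visits even over HTTPS.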

HTML
• Hypertext Markup Language.
• A tag (markup) language for displaying and designing web pages and presenting content in the web browser.
• The central markup language of the Internet, forming the skeleton of most content pages on the Internet.
• Saved with the suffix .htm or .html.


SQL
• Structured Query Language.
• A computer language for handling and processing information in databases. The language allows data to be retrieved and updated, and tables to be created and modified.
• SQL was one of the first languages designed for databases and is the most common language for querying relational databases.


Malware Types
What is malware?

• Malware includes all types of malicious software that aim to harm, hack, control, spy, obtain information and more, by exploiting vulnerabilities in the victim's assets.
• There are many types of malware, each with a different purpose, which we will learn in this lesson.


Malware Types
Virus
• Software that can duplicate itself without the user's permission or knowledge, by attaching itself to other programs or files.
• Needs the user to run the infected software.
• There are different types of viruses: some are completely hidden from the user and some make noise in the form of many advertisements, increased consumption of computer resources and software crashes.


Malware Types
Worm
• Software that can duplicate itself without the user's permission or knowledge.
• Does not need the user to run it; it quickly spreads itself to other computers or systems over the network by exploiting vulnerabilities.
• In order to limit the spread of a worm, the organization's network must be segmented and the firewall policy must be strict and well founded; this is risk mitigation.


Malware Types
Ransomware
• Malware that encrypts the information on the computer and demands payment via Bitcoin or other cryptocurrencies in exchange for decryption.
• The malware encrypts the victim's information with the attacker's public key (in practice a per-victim symmetric key that is itself encrypted with the attacker's public key), so it is not possible to decrypt the information without the attacker's private key.
• Some ransomware can also encrypt online-synchronized backups in a backup system.
• In order to withstand this attack, backups should be performed, with priority to offline backups.
• Example: WannaCry (2017).


Malware Types
Trojan Horse
• Software that impersonates legitimate software to deceive the user, but contains malicious code designed to gain control of the computer.
• After the software is run, a backdoor is opened on the attacked computer that allows the attacker to connect to it remotely, access files, use the camera, record the screen, upload files and more.
• RAT - Remote Access Trojan - provides a management interface to the attacked computer from a remote computer through the backdoor.


Malware Types
Rootkits
• Software that modifies system files, or the kernel itself, with the highest privileges; hence the name rootkit, after the root user, the most powerful user on a Linux system with access to the kernel.
• Because it runs at the core of the system it can hide itself from the operating system, and therefore antivirus protection running on that same system will often not detect it.


Malware Types
Keyloggers
• The goal is to record all input from the victim and send it to the attacker.
• Keyloggers come in two forms:
  • Hardware keyloggers - a physical device, for example plugged in between the keyboard and the computer, that records the input.
  • Software keyloggers - malware that records the input.


Malware Types
Adware and Spyware
• Adware - software designed to display advertisements, such as pop-ups, to the user.
• Spyware - software designed to spy on the user for information gathering, advertising or malicious purposes, such as revealing passwords, browsing history and more.


Malware Types
Botnets
• Robot networks - exploiting vulnerabilities on many computers and creating a network of "zombie" computers controlled from the attacker's command-and-control server.
• In most cases the user does not know that their computer is part of a botnet.
• Entry vectors:
  • Trojan horse
  • OS or application vulnerability
• Used for joint attacks (for example DDoS), waiting for a command from the attacker at a certain time.

[Image: botnet map]

SOC Analyst
Malware Types
Logic Bomb
• An attack waiting for a particular signal to act.

• In most cases, the Insider user has high privileges.

• Based on 2 types of signals. ITSAFE - 5323800

• Time Bomb - Occurs at a specific time according to the attacker's decision.

• User Event - Occurs when it detects a particular activity on the computer.

Layer 2 Attacks
MAC Attack
A MAC address is a unique 48-bit hexadecimal (base 16) layer two address, e.g. 1234.5678.9ABC.

First 24 bits = manufacturer code (OUI), assigned by the IEEE, e.g. 0000.0cXX.XXXX.
Second 24 bits = specific interface, assigned by the manufacturer, e.g. XXXX.XX00.0001.

All F's = broadcast: FFFF.FFFF.FFFF

• In a switch each MAC record (MAC address to port mapping) is stored in a dedicated memory called the CAM, Content Addressable Memory.


Layer 2 Attacks
MAC Attack

• A MAC flooding attack takes advantage of the size limit of the CAM table and fills it with random records until it is completely full.
• We create the random records with the macof tool from the dsniff package.
• Once the table is full, a frame whose destination MAC is not in the table is flooded out of all ports like a broadcast, because the switch cannot associate the MAC with a particular port; it thus reaches all computers on the network, including the attacker's.


Layer 2 Attacks
MAC Attack

• In the diagram the CAM table of the switch can hold only 3 records.
• The computer with MAC C (port 3) sends frames with many different source MAC addresses (X, Y, ...) and fills the table.

CAM table after the attack:
MAC  Port
X    3
Y    3
C    3

[Diagram: MAC A on port 1, MAC B on another port, and the attacker MAC C on port 3 announcing "X is on port 3", "Y is on port 3".]


Layer 2 Attacks
MAC Attack

• When computer A sends a frame to computer B, the switch has no entry for B, floods the frame to all ports, and so it also reaches the attacking computer.

CAM table:
MAC  Port
X    3
Y    3
C    3

[Diagram: A -> B; "B unknown.. flood the frame"; the frame also reaches MAC C on port 3.]

SOC Analyst
Layer 2 Attacks
MAC Attack

• Macof Command - You can see the many MAC addresses sent towards the switch.

ITSAFE - 5323800

SOC Analyst
Layer 2 Attacks
MAC Attack

• A Macof command can create 155,000 MAC records at a per minute switch.

• The table will be completely filled after 131,052 records in the average switch.

• Once complete idle, traffic without an existing record in the CAM table will be distributed to the entire network.
ITSAFE - 5323800
• It should be noted that when we have filled the CAM table of one switch we can also fill the neighboring switches.
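The following is an added example, not code from the course, that models the slides above: a minimal learning switch with a three-entry CAM table, an attacker on port 3 running a macof-style flood, and the resulting flooding of A's frame to B. It also shows the usual defense, port security with a per-port MAC limit that err-disables the offending port. The switch model, port numbers and MAC addresses are constructed for the demonstration.

```python
"""A switch CAM table under MAC flooding, and the port-security check that
stops it. Added example for this section, not the course's code; the switch
model, port numbers and MAC addresses are constructed for the demonstration."""
import random
from typing import Dict, List, Optional, Set


class Switch:
    """Minimal learning switch: the CAM maps source MAC -> ingress port.
    Frames to a MAC that is not in the CAM are flooded out of every other port."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports: int, cam_capacity: int,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.ports = list(range(1, ports + 1))
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port   # None = no port security
        self.cam: Dict[str, int] = {}
        self.shutdown: Set[int] = set()
        self.violations: List[str] = []

    def learn(self, src_mac: str, port: int) -> bool:
        """Record src_mac on port. Returns False if the entry could not be added."""
        if port in self.shutdown:
            return False
        if src_mac in self.cam:
            self.cam[src_mac] = port
            return True
        if self.max_macs_per_port is not None:
            seen_on_port = sum(1 for p in self.cam.values() if p == port)
            if seen_on_port >= self.max_macs_per_port:
                # Port security, violation mode "shutdown": err-disable the port.
                self.violations.append(f"port {port}: {src_mac} exceeds the MAC limit")
                self.shutdown.add(port)
                return False
        if len(self.cam) >= self.cam_capacity:
            return False          # table full: no room to learn the new address
        self.cam[src_mac] = port
        return True

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> List[int]:
        """Return the egress ports for a frame entering on in_port."""
        if in_port in self.shutdown:
            return []
        self.learn(src_mac, in_port)
        if dst_mac != self.BROADCAST and dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port and p not in self.shutdown]  # flood


def macof(switch: Switch, attacker_port: int, count: int, seed: int = 1) -> int:
    """Imitate macof: frames with random source MACs; return how many were learned."""
    rng = random.Random(seed)
    learned = 0
    for _ in range(count):
        mac = ":".join(f"{rng.getrandbits(8):02x}" for _ in range(6))
        if switch.learn(mac, attacker_port):
            learned += 1
    return learned


MAC_A, MAC_B = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b"


if __name__ == "__main__":
    sw = Switch(ports=3, cam_capacity=3)          # A on port 1, B on port 2, attacker on port 3
    print("entries filled by the attacker:", macof(sw, attacker_port=3, count=50))
    print("A -> B leaves on ports", sw.forward(MAC_A, MAC_B, in_port=1))   # flooded, port 3 included

    secured = Switch(ports=3, cam_capacity=3, max_macs_per_port=2)
    macof(secured, attacker_port=3, count=50)
    print("violations:", secured.violations, "shut down:", secured.shutdown)
    print("A -> B leaves on ports", secured.forward(MAC_A, MAC_B, in_port=1))
```

Real switches age entries out and the attacker simply keeps flooding to win the freed slots, which is why the slide's 155,000 entries per minute matters; the model freezes that race at the moment the table is full.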

Layer 2 Attacks
VLAN Hopping Attack

• This attack takes advantage of a trunk's ability to carry all VLANs over a single physical link.
• Our goal is to make our port become a trunk port, and so obtain or inject traffic for any VLAN on the network.
• This is possible thanks to the DTP protocol (Dynamic Trunking Protocol), which lets a port automatically negotiate becoming a trunk with the device in front of it.

[Diagram: two switches connected through trunk ports.]


Layer 2 Attacks
VLAN 1

• VLAN 1 is the default VLAN on which ports are placed.
• Even if we do not allow VLAN 1 on the trunk, it still carries control protocols like VTP and CDP because it is the native VLAN.
• This means that a new computer or switch attached to VLAN 1 can receive VTP messages, VTP being responsible for automatically distributing VLANs across the network.
• In addition it can receive CDP messages, a Cisco proprietary protocol for discovering devices on the network, so a foreign switch or computer can map the network equipment around it.


Layer 3 Attacks
IP Spoofing

• The attacker impersonates an IP address different from their own on the same segment.
• The attacker sends packets on the network with a source IP address different from their real address.
• The purpose of this attack is to steal the identity of another computer, or impersonate another computer, in order to gain privileges or access.


Layer 3 Attacks
IP Spoofing (Smurf attack)

• The attacker impersonates an IP address different from their own on the same segment.
• The attacker sends an ICMP Echo Request with the victim's IP as the source address to the broadcast address of the network.
• All equipment on the network returns an ICMP Echo Reply to the victim, which may take down its service because of the load of replies it receives.
• Denial of service - DoS


Layer 3 Attacks
Routing Attack

• In the old routing protocols there is no emphasis on authentication and no check that the information sent is true. An attacker could therefore use the routing updates transmitted by the protocols to change the routing on the network.
• An attacker can send routing messages saying that their position (address X) is the best path (according to the protocol's metric) to every destination. All the routers on the network will then forward the packets to the attacker, who can read them and do as they please.


Layer 3 Attacks
Ping Of Death Attack

• In this attack the attacker creates an IP packet carrying an ICMP Request with the maximum size the protocol allows
us to set, 65536 Bytes.

• When these messages are sent to a destination, the bandwidth of the interface on the destination is loaded until it is
filled, which can cause service downtime due to the message load received by the victim (DOS).

Layer 3 Attacks
ARP Poisoning Attack - MITM

• Sending fake ARP messages on the local network which contain the MAC address of the attacker bound to the IP
address of the router (the Default Gateway), misleading the various computers on the local network without
their knowledge.

• With this the network communication is diverted from its original path, so that the traffic reaches the attacking
computer.

• The attacking computer then forwards the messages on to their original destination, so it blends in transparently
from the user's point of view.

Layer 3 Attacks
ARP Poisoning Attack - MITM

• The attacking computer is presented to the local network as its Default Gateway, impersonating the network
router.

• This is also defined as a Man-In-The-Middle attack.

Layer 3 Attacks
ARP Poisoning Attack - MITM

[Diagram: Original Connection: Victim - Server; Hacked Connection: Victim - Hacker - Server]

Layer 3 Attacks
Evil Twin

• Creating an impersonating Wifi network, similar in name to the original network.

• Once the victim connects to the impersonating network, all network traffic leaving his computer passes through
the attacker's impersonating Wifi network, without the victim's knowledge.

Attack Types

• In this section we will learn about different types of cyber attacks.

• Cyber attacks can be carried out both by physically accessing assets and by various manipulations in order to gain
access to assets or to intentionally cause damage.

• OWASP is a voluntary organization that aims to enable organizations to develop, acquire and maintain applications and
develop software securely.

• OWASP publishes the OWASP TOP 10, which presents the ten most common web attacks of that year.

Attack Types
Tailgating and impersonation
• Tailgating is a method in which a person tries to gain access to a restricted area by utilizing another person's access or
impersonating an authorized person (cleaner, messenger, etc.) in order to gain physical entry to the area.

• Impersonation is pretending to be someone else in order to obtain information or get a victim to perform actions you
want. Impersonation can be done by phone, email or by physical access.

Attack Types
Tailgating and impersonation
• Prevention methods:

• Policy for visitors - Applying a visitor's entry policy: assigning a visitor's tag after full identification by ID card,
taking the visitor's cell phone and more.

• Single entrance - doors or turnstiles that allow single-entry.

• Employee awareness.

Attack Types
Dumpster Diving
• An attempt by the attacker to obtain sensitive information by rummaging through garbage bags.

• In the United States, searching for documents in the trash is perfectly legal, which gives legal cover to anyone trying to
extract sensitive information from the bins closest to the organization.

• Prevention methods:

• Locking private bins.

• Shredding sensitive documents.

• Employee awareness.

Attack Types
Social Engineering

• Exploiting the psychological traits of the victim that may lead him to obey the attacker's requests is called
social engineering.

• This method makes it possible to bypass all information security mechanisms, and is based on the fact that
all information systems are designed to provide services to their users, and those users have the means to
access the information that the attacker wants to obtain.

• Many information security managers today estimate that this threat is significantly greater than any
technological threat.

Phishing

• Phishing is a method of social engineering that aims to trick the user into performing an action that
reveals information about him, by deceiving, intimidating or raising expectations.

• The theft of the information will usually be done by impersonating a legitimate party who wants to receive
the information. The attacker sends an SMS or email that appears to come from a reputable website, in which the user is asked
to click on a link.

Spear Phishing

• Addressing the recipient directly and attempting to attack one entity in different targeted ways, i.e.
targeting the attack at a very specific person.

• This attack is usually carried out against people with high privileges or senior executives.
BEC Attack

• Business Email Compromise.

• This attack is done by impersonating a manager in the company in order to cause the victim to perform actions that
appear to be legitimate requests from a senior manager.

• Prevention methods:

• Employee awareness.

• Phishing report button in the corporate email client.

• SPAM detection by email services.

Attack Types
Password Cracking
Brute Force Attack
• Guessing the user's password by trying all available options.

Dictionary Attack
• Guessing the user's password from a dictionary of common passwords that have apparently been used
by one user or another.

Rainbow Table Attack
• Creating precomputed lists of passwords with their hashes, so that at the moment of obtaining the DB of users and
their hashes, the Rainbow Table already contains the password matching each hash.

Password Cracking
Risk Mitigation:

• Strong Password - Minimum 12 characters, using special characters, lowercase and uppercase
letters.

• Unique Password - Use a unique password for each account on different sites.

• Password Changing Policy - Change password every three months.

Controls:

• Creating an alert when many failures by the same user are detected.

• Lock users after many failures.
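As an added example (not part of the course material), the following Python script implements the two controls above over a constructed authentication log: it counts failed logons per user inside a sliding five-minute window, raises an alert at five failures and recommends a lock at ten. The log format, the thresholds, the window and the user names are assumptions chosen for the example.

```python
"""Alert on and lock accounts after many failed logons.

Added example, not part of the course material. It implements the two
controls above (alert on many failures, lock after many failures) over a
constructed authentication log. Log format, thresholds and names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALERT_THRESHOLD = 5            # failures inside the window that raise an alert (assumed value)
LOCK_THRESHOLD = 10            # failures inside the window that trigger a lock (assumed value)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed value)

# Constructed sample log: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:05 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:11 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:13 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:15 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:17 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:19 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:21 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:23 FAIL user=alice src=10.0.0.5
2024-03-01T09:01:00 FAIL user=bob src=10.0.0.8
2024-03-01T09:01:05 FAIL user=bob src=10.0.0.8
2024-03-01T09:01:10 OK user=bob src=10.0.0.8
2024-03-01T09:02:00 FAIL user=carol src=10.0.0.9
2024-03-01T09:02:10 FAIL user=carol src=10.0.0.9
2024-03-01T09:02:20 FAIL user=carol src=10.0.0.9
2024-03-01T09:30:00 FAIL user=carol src=10.0.0.9
2024-03-01T09:30:10 FAIL user=carol src=10.0.0.9
2024-03-01T09:30:20 FAIL user=carol src=10.0.0.9
"""


def parse_line(line):
    """Split one log line into its timestamp, result, user and source IP."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def analyse(log_text):
    """Return a list of (user, action, failures_in_window, src) findings.

    Each user gets at most one ALERT and one LOCK, so the SOC is not flooded
    with a finding for every additional failure.
    """
    windows = defaultdict(deque)  # user -> timestamps of recent failures
    raised = {}                   # user -> highest action already raised
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "FAIL":
            continue
        recent = windows[ev["user"]]
        recent.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()
        count = len(recent)
        if count >= LOCK_THRESHOLD and raised.get(ev["user"]) != "LOCK":
            raised[ev["user"]] = "LOCK"
            findings.append((ev["user"], "LOCK", count, ev["src"]))
        elif count >= ALERT_THRESHOLD and ev["user"] not in raised:
            raised[ev["user"]] = "ALERT"
            findings.append((ev["user"], "ALERT", count, ev["src"]))
    return findings


if __name__ == "__main__":
    for user, action, count, src in analyse(SAMPLE_LOG):
        print(f"{action}: user={user} failures={count} src={src}")
```

In the sample, only alice crosses the thresholds; carol's six failures are split across two windows half an hour apart, which is why a sliding window rather than a plain counter matters for keeping the alert volume meaningful.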

Attack Types
Network Scanning & DNS Poisoning
Network Scanning
Horizontal Scanning:
• Scanning an IP address range with the same Destination port.

Vertical Scanning:
• Checking one IP address with all possible ports.

Tools that enable network scans:

• Nmap
• IP Scanner

Network Scanning
Risk mitigation:
• Definition of a strict firewall policy, which allows only the traffic that is relevant to the
organization's activities.

• Setting up a local firewall on servers / workstations.

Controls:

• Create an alert in the event of a network scan being detected in the FW logs.

• Blocking scanning IP addresses with a BlackList.

• Allowing authorized scanning addresses with a WhiteList.
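The following Python script is an added example (not part of the course material) of the "alert on a scan in the FW logs" control: it reads constructed firewall records and flags a horizontal scan (one source hitting many destinations on the same port) and a vertical scan (one source hitting many ports on one destination), while skipping sources on a WhiteList of authorized scanners. The log format, thresholds and addresses are assumptions.

```python
"""Detect horizontal and vertical network scans in firewall logs.

Added example, not part of the course material. A horizontal scan is one
source hitting many destinations on the same port; a vertical scan is one
source hitting many ports on one destination. Log format, thresholds and
addresses are assumptions.
"""
from collections import defaultdict

HORIZONTAL_MIN_HOSTS = 5  # distinct destinations on one port (assumed threshold)
VERTICAL_MIN_PORTS = 5    # distinct ports on one destination (assumed threshold)

# Constructed sample firewall log, one space-separated key=value record per line.
FW_LOG = """\
action=deny src=203.0.113.9 dst=10.0.1.10 dport=445 proto=tcp
action=deny src=203.0.113.9 dst=10.0.1.11 dport=445 proto=tcp
action=deny src=203.0.113.9 dst=10.0.1.12 dport=445 proto=tcp
action=deny src=203.0.113.9 dst=10.0.1.13 dport=445 proto=tcp
action=deny src=203.0.113.9 dst=10.0.1.14 dport=445 proto=tcp
action=deny src=203.0.113.9 dst=10.0.1.15 dport=445 proto=tcp
action=deny src=198.51.100.7 dst=10.0.1.20 dport=21 proto=tcp
action=deny src=198.51.100.7 dst=10.0.1.20 dport=22 proto=tcp
action=deny src=198.51.100.7 dst=10.0.1.20 dport=23 proto=tcp
action=deny src=198.51.100.7 dst=10.0.1.20 dport=25 proto=tcp
action=allow src=198.51.100.7 dst=10.0.1.20 dport=80 proto=tcp
action=allow src=198.51.100.7 dst=10.0.1.20 dport=443 proto=tcp
action=allow src=10.0.2.5 dst=10.0.1.30 dport=443 proto=tcp
action=allow src=10.0.2.5 dst=10.0.1.31 dport=443 proto=tcp
"""


def parse_fw_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect_scans(log_text, allowlist=frozenset()):
    """Return scan findings; sources in the allowlist (authorized scanners) are skipped."""
    by_port = defaultdict(set)  # (src, dport) -> destinations seen
    by_host = defaultdict(set)  # (src, dst)   -> ports seen
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_fw_line(raw)
        if ev["src"] in allowlist:
            continue
        by_port[(ev["src"], ev["dport"])].add(ev["dst"])
        by_host[(ev["src"], ev["dst"])].add(ev["dport"])

    findings = []
    for (src, dport), hosts in sorted(by_port.items()):
        if len(hosts) >= HORIZONTAL_MIN_HOSTS:
            findings.append({"type": "horizontal", "src": src, "dport": dport, "count": len(hosts)})
    for (src, dst), ports in sorted(by_host.items()):
        if len(ports) >= VERTICAL_MIN_PORTS:
            findings.append({"type": "vertical", "src": src, "dst": dst, "count": len(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(FW_LOG):
        print(finding)
```

Both deny and allow records are counted: a vertical scan that happens to hit open ports still shows up as a burst of distinct ports from one source, which a rule that only looks at denies would miss.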

DNS Poisoning
• Exploiting DNS server vulnerabilities: connecting to the server and changing the IP address that the
organization's name resolves to, to the attacker's IP address.

• Changing the Hosts file on the attacked computer.

• Sending a fake response to a legitimate DNS Query over UDP, directing the client to the attacker's
IP by impersonating the DNS server or after taking over the server.

• Domain Hijacking - Taking over the organization's domain registration account, by obtaining the password
and changing the DNS hosting.

Attack Types
Cookie Stealing, PE, Zero Day
Cookie Stealing
• An attack in which the attacker manages to obtain the victim's Session ID for a website, using
Sniffing with the help of a tool like Wireshark, and can log in to the victim's account on the
server as soon as he obtains it.

• In the case of an HTTPS connection, although the cookie is transmitted in an encrypted manner, an
attacker can trick the victim into visiting an address on the site over which the traffic is only allegedly encrypted.

• As soon as the victim follows the attacker's URL, all the information passes through the network in an exposed
manner, so that the attacker has access to the information.

• This attack can be prevented by adding the Secure flag to the cookie, which prevents the browser from
sending the cookie in the exposed (non-HTTPS) form.
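The following Python script is an added example (not part of the course material) of checking the defence named above: it parses a Set-Cookie header, reports a session cookie that lacks the Secure flag and, going one step beyond the slide, also checks the HttpOnly and SameSite attributes. The cookie names and values are constructed.

```python
"""Audit Set-Cookie headers for the flags that keep a session cookie off the wire in clear.

Added example, not part of the course material. It reports a session cookie
that lacks the Secure flag (the defence the slide names) and, going a step
beyond the slide, also checks HttpOnly and SameSite. Names and values are constructed.
"""


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into name, value and a dict of attributes.

    Attribute names are lower-cased; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header):
    """Return a list of findings for a session cookie header; an empty list means it passed."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send the cookie over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: the cookie is attached to cross-site requests")
    return findings


def build_session_cookie(name, value):
    """Build a hardened Set-Cookie header value for a session identifier."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    weak = "sessionid=abc123; Path=/"        # constructed: the exposed form
    strong = build_session_cookie("sessionid", "abc123")
    print("weak  :", audit_session_cookie(weak))
    print("strong:", audit_session_cookie(strong))
```

The Secure flag is what stops the downgrade described on the slide: once it is set, a request to a plain-HTTP address on the same site goes out without the session cookie, so there is nothing for a sniffer to pick up.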

Defacement Attack
• An attack in which the attacker manages to change the appearance of the attacked site at will.

• Access is gained by exploiting a vulnerability in the WEB server or another vulnerability on the server.

• The attacker replaces the main page of the site with his own web page.

• This attack is common among activists, to demonstrate power or convey a message; it is also called
"digital graffiti".
Privilege Escalation
• Exploiting system vulnerabilities, using an Exploit or a misconfiguration, to gain high privileges on the system.

• An attacker would normally only be able to crack the password of a simple user with low privileges on the system;
in order to get high privileges he has to look for Privilege Escalation methods to strengthen his grip on the system
and obtain maximum privileges.

• Privilege Escalation attacks are designed to gain the permissions of powerful users in the system, like the ROOT
user in Linux and Administrator in Windows, or users who are Domain Admins in a Windows Domain
environment.

Zero Day Attacks
• All computer and communication systems have weaknesses due to the way they are developed,
implemented or configured. If a vulnerability is found by the company, by researchers or by White Hat hackers, the
company takes care of issuing a security update that corrects the vulnerability that was discovered.

• All the vulnerabilities of the various systems listed as CVEs are published at CVE.mitre.org

• In addition to all the efforts of the "good attackers" to find vulnerabilities, attackers tagged as Black Hat
also investigate systems to find new vulnerabilities known only to them, for malicious purposes, so that
the vulnerabilities cannot receive a security update.

OWASP TOP 10
OWASP TOP 10 - 2017

A1: Injection

A2: Broken Authentication

A3: Sensitive Data Exposure

A4: XML External Entities (XXE)

A5: Broken Access Control

A6: Security Misconfiguration

A7: Cross-Site Scripting (XSS)

A8: Insecure Deserialization

A9: Using Components with Known Vulnerabilities

A10: Insufficient Logging & Monitoring

Indicators Of Compromise
IOC

Indicators Of Compromise

• The attacker does his best to hide and disguise all the actions he performed and the fingerprints he left while
performing the attack, up to gaining a grip on the organization's assets, but most of the time the actions leave
traces in the attacked organization's network and reveal the manner of attack.

Indicators Of Compromise

• The Indicators of Compromise, or IOCs for short, are in fact all the forensic findings, the fingerprints and the
events that an information security researcher found that indicate malicious activity in the organization.

[Diagram: IOC types - External IP Address, Hashes, DNS Domain, Changed Registry Values, Logs Detections,
Suspected Files]

Indicators Of Compromise

• Once the analyst documents all of the attacker's IOCs he can prevent the attacker from hitting the organization
again with the same attack, by identifying or blocking them in the defense systems, and by distributing the IOCs to other
organizations to prevent harm from that attacker or to identify the attacker's actions if he has already
penetrated the organization.

Attack Scenario

Attacker Mission

• A group of hackers set themselves the goal of taking over a senior bank employee's computer.

• The hackers want to do this by connecting remotely, without any physical access to the bank.

• We will see the whole attack process carried out by the group.

Reconnaissance

• The hackers gather intelligence about the bank by the means we talked about in the previous lesson.

• The hackers want to carry out the attack remotely, without physical access.

• The hackers chose the email channel as the entry vector to the organization.

• The hackers need to map out all the corporate email addresses of the employees of the company,
especially the senior employees or the privilege holders.

Weaponization

• At this point the hackers prepare the malicious file that matches the entry vector - the email channel.

• Take for example the creation of an Excel file containing a Macro, as an example of a Trojan horse.

• Social engineering is used: interesting data is entered in the file itself, and an attractive name is chosen
for the file so that the recipient will click on it.

Delivery

• The stage of carrying out the attack, after the stage of gathering information and preparing the malicious file.

• A dedicated email account is opened for the purpose of the attack, and the malicious Excel file is sent to all the
victims with plausible text intended to mislead the victim.

• The attackers try to send the email without being identified by the defense systems or the mail service on the way.

Exploitation

• Once the victim is tempted and opens the Excel file, the hacker gets a full grip on his PC without the victim's
knowledge.

• The script written in Visual Basic inside the Macro runs, creating a Session from the victim's computer to the
attacker's computer.

• At this point, the hacker can perform any action the victim user's permissions allow, including gathering
information, viewing the camera, accessing the speaker and more.

Installation

• At this point the hacker uses the grip he has gained to create Persistence on the computer, i.e. achieving a
permanent and constant grip despite the process being stopped or the computer being shut down.

• In addition, he hides the malicious files from the user's eyes.

• Persistence is performed in this example by adding a fixed scheduled script in the Task Scheduler.

Command & Control (C2)

• The hacker has a full shell on the victim's computer with user privileges and controls the computer remotely.

• The hacker will do everything in his power to secure his grip on the computer, in order to maintain
continuous contact with the victim's computer even in the event of discovery or a reboot.

Action on Objective

• Because in this example the hacker received privileges only at the user level, the hacker will try to
perform privilege escalation to gain access to powerful users in the organization.

• In addition, the hacker will try to make a lateral movement, in order to gain access to critical assets in the
organization through which more significant damage can be caused.

IOCs From the Attack

Indicators Of Compromise

• Once we understand the specific attack that the hackers carried out on the organization, we will list the IOCs
we can obtain that are related to external IP addresses:

THE IOC:
External IP Address
• IP address of the mail servers that sent the malicious mail.

• IP address of the C2 Server.
Indicators Of Compromise

• Once we understand the specific attack that the hackers have carried out on the organization, we will list the
IOCs that we can obtain that are related to DNS addresses and Mail addresses:

THE IOC:
DNS Domain
• C2 server URLs.

• The email address that sent the malicious email.
Indicators Of Compromise

• After we understand the specific attack that the hackers carried out on the organization, we will list the IOCs
we can obtain that are related to hashes:

THE IOC:
Hashes
• The hashes of the Excel file with the malicious macro.

• The hashes of the additional files that the hacker creates at the victim station.
Indicators Of Compromise

• After we understand the specific attack that the hackers carried out on the organization, we will list the IOCs
we can obtain that are related to suspected files:

THE IOC:
Suspected Files
• The Excel file with the malicious Macro.

• Suspicious files that the hacker creates on the victim's computer.
Indicators Of Compromise

• After we understand the specific attack that the hackers carried out on the organization, we will list the IOCs
we can obtain that are related to the Registry:

THE IOC:
Registry Values
• Registry values that were changed by running the malicious macro.

• Registry entries modified by the attempt to obtain Persistence on the victim's computer.
Indicators Of Compromise

• After we understand the specific attack that the hackers carried out on the organization, we will list the IOCs
we can obtain that are related to log detections:

THE IOC:
Different logs collected from different systems
• Malicious mail detection in the Mail Gateway systems.

• Detection of PowerShell being launched from the running Excel file with the Macro.

• Detection of suspicious traffic leaving the victim's computer towards the C2 server address in the
communication equipment.

• Detection by the protection systems on the victim's computer.
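Pulling the IOC categories of this scenario together, here is an added Python example (not part of the course material) that matches constructed records from a mail gateway, an EDR agent, a DNS resolver and a firewall against a placeholder IOC set: the sender address, external IP and attachment hash from the mail, PowerShell launched by Excel, a scheduled task created for Persistence, and the C2 domain and address. Every indicator, host name, address and record below is invented (TEST-NET addresses and the reserved .example TLD), and the record format is an assumption.

```python
"""Match collected events against the IOC categories of the scenario.

Added example, not part of the course material. The IOC values, host names,
addresses and log records below are constructed placeholders (TEST-NET
addresses and the reserved .example TLD), not real indicators. Each record is
one JSON object whose "source" field names the system that produced it.
"""
import json

# Placeholder IOC set for this scenario (constructed values).
IOCS = {
    "ips": {"198.51.100.23"},                        # external mail sender / C2 server address
    "domains": {"update-check.example"},             # C2 server domain
    "senders": {"ceo-office@mail.example"},          # address that sent the malicious mail
    "hashes": {"d41d8cd98f00b204e9800998ecf8427e"},  # placeholder hash of the macro Excel file
}

OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events from the mail gateway, the EDR agent, the DNS resolver and the firewall.
EVENTS = """\
{"source": "mailgw", "sender": "ceo-office@mail.example", "src_ip": "198.51.100.23", "attachment_md5": "d41d8cd98f00b204e9800998ecf8427e", "rcpt": "cfo@bank.example"}
{"source": "edr", "host": "WS-CFO-01", "parent": "EXCEL.EXE", "image": "powershell.exe", "cmdline": "powershell -w hidden -f C:/Users/cfo/AppData/u.ps1"}
{"source": "edr", "host": "WS-CFO-01", "parent": "powershell.exe", "image": "schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:/Users/cfo/AppData/u.ps1 /sc minute"}
{"source": "dns", "host": "WS-CFO-01", "query": "update-check.example"}
{"source": "fw", "src": "10.0.5.17", "dst": "198.51.100.23", "dport": "443", "action": "allow"}
{"source": "fw", "src": "10.0.5.18", "dst": "192.0.2.44", "dport": "443", "action": "allow"}
{"source": "edr", "host": "WS-HR-02", "parent": "explorer.exe", "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE report.xlsx"}
"""


def match_event(ev):
    """Return the IOC categories (named after the slides above) that one event matches."""
    hits = []
    src = ev["source"]
    if src == "mailgw":
        if ev.get("sender") in IOCS["senders"]:
            hits.append("mail-sender")                 # mail address slide
        if ev.get("src_ip") in IOCS["ips"]:
            hits.append("external-ip")                 # External IP Address slide
        if ev.get("attachment_md5") in IOCS["hashes"]:
            hits.append("file-hash")                   # Hashes slide
    elif src == "edr":
        # Logs slide: PowerShell launched from the running Excel file.
        if ev.get("parent") in OFFICE_APPS and ev.get("image") in SCRIPT_HOSTS:
            hits.append("office-spawns-script-host")
        # Installation stage: Persistence through the Task Scheduler.
        if ev.get("image") == "schtasks.exe" and "/create" in ev.get("cmdline", ""):
            hits.append("scheduled-task-persistence")
    elif src == "dns":
        if ev.get("query") in IOCS["domains"]:
            hits.append("c2-domain")                   # DNS Domain slide
    elif src == "fw":
        # Logs slide: traffic leaving the victim towards the C2 address.
        if ev.get("dst") in IOCS["ips"]:
            hits.append("c2-ip")
    return hits


def scan_events(text):
    """Return [(line_no, source, hits)] for every record that matched at least one IOC."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_event(ev)
        if hits:
            results.append((n, ev["source"], hits))
    return results


if __name__ == "__main__":
    for n, source, hits in scan_events(EVENTS):
        print(f"line {n} [{source}]: {', '.join(hits)}")
```

The last two records are benign controls: ordinary HTTPS traffic to an unrelated address and Excel opened normally from the desktop produce no hits, which is the behaviour the SOC needs before such matching is allowed to raise alerts.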

Organization Monitoring
SOC NOC ITOC
Organization Monitoring
There are several types of monitoring teams that exist in the organization:

• ITOC - IT Operations Center.

• NOC - Network Operations Center.

• SOC - Security Operations Center.

ITOC
The role of the ITOC team in the organization:

• Responsible for managing the performance, availability and required capacity of all the organization's IT
components.

• Responsible for control and monitoring of all the organization's IT components, in terms of
applications, services, storage and communications.

• Responsible for handling both specific and wide-scale faults with the various technical parties.

• Responsible for checking the load and availability of all the organization's servers to maintain availability and
proper functioning.

• An organizational change procedure that affects production activity goes through the ITOC team
for approval.

NOC
The role of the NOC team in the organization:

• Responsible for monitoring all communication components of the organization.

• Responsible for handling specific and organization-wide communication failures.

• Responsible for monitoring upgrade, construction and change activities performed on the
communication components and network architecture.

• Responsible for managing contact with suppliers and handling the fault in the event of a communication
failure in the organization.

SOC
The role of the SOC team in the organization:

• A dedicated team in the organization that aims to monitor all the IT environments in the organization, in
order to identify vuln

erabilities, unauthorized or abnormal actions, violations of organizational
compliance, intrusions and suspicious communication leaving or within the corporate network.

• Responsible for providing an initial response to all cyber incidents in the organization, ahead of the
cyber security incident response processes.

• Responsible for documenting the event and activating the relevant parties for containment of the event.

SOC Fundamentals

SOC Fundamentals
Each SOC organization has different goals and strategies according to the nature of the
company and the risk management performed, which set it the goal of maintaining business
continuity, critical services and strategic secrets and serving the business goals of the
organization.

Once the strategy and goals are defined, the following components need to be defined:

• People

• Process

• Technology

PEOPLE
Tier I – Security Analyst
• The first link that receives the detection.

• Responsible for real-time detection, uses procedures and follows response procedures.

• Responsible for monitoring cyber security events in the SOC.

• Documentation, information gathering and escalation if the event is not resolved by them.

• Usually work in shifts.

Tier II – SOC Shift Lead
• Performs a more in-depth investigation than Tier I based on previous experience and knowledge; if necessary
performs an escalation to Tier III.

• Contains the event, and is responsible for identifying trends and campaigns.

• Documents and updates Tier I and its managers.

• Produces reports to check the amount of alerts received.

• The contact person for the SOC manager, the CISO and the management.

Tier III – Threat Hunting & Threat Intelligence Researcher
• Has extensive knowledge in investigating cyber security incidents.

• Has wide forensic ability.

• Has an in-depth knowledge of the organization and of the effects of cyber events on it, while understanding the
operational effects depending on the event.

• Performs Threat Hunting on a daily basis.

• Has the ability to analyze the big picture according to the event at hand.

• Responsible for intelligence gathering, with an emphasis on intelligence related to the nature of the
organization - IOCs (Hashes, domain names, IP addresses).

TIER IV
• Sometimes we will use a team of information security experts from outside the organization (or an external team
that cleans up the organization) in the event of a wide cyber incident that has business effects on the organization, so we
call them in during a significant event.

• Has the ability to negotiate with hackers.

• Has advanced capabilities and extensive experience in managing cyber events.

• Has extensive knowledge of the strategic effects of cyber events at both the organizational and state level,
and creates collaboration with the various parties.

SOC Manager
• Comprehensive management of all Tiers in the SOC.

• Responsible for giving guidelines and making decisions during a complex event, determining the containment of
the event and reporting to management.

• Has a horizontal view and in-depth knowledge of the organization, its critical services and strategic
secrets, in order to determine the priority of events.

• Responsible for developing a work process model for the event handling process and for methodological
guidance.

• It is customary for the SOC Manager to report directly to the CISO, the information
security officer in the organization.

SIEM & IR
• Security Information Events Manager - SIEM Engineer:

• Responsible for transferring the logs from all communication, computing and protection systems in the
organization to the SIEM system.

• Responsible for implementing the information security rules, improvements and exceptions that will pop up as
alerts in the SOC.

• Responsible for creating reports, automations and views in the system for the benefit of the SOC.

SIEM & IR
• Incident Response Engineer – IR:

• Responsible for writing response scenarios for all information security events in the organization, in order
to contain and close the event.

• Has in-depth knowledge of the organization and the effects of cyber incidents on it, while
understanding the operational effects depending on the event.

• Assists in the SOC response during a complex or organization-wide information security event.

[Diagram: SOC structure - Frontlines: Tier 1 Alert Analysts; Tier 2 Incident Responders; SME/Hunters (Malware RE,
Network, Endpoint); SOC Manager]

PROCESS
Event Collection
Gathering information security events from across the organization's systems is the first step in identifying
scenarios in the SOC.

• Information security event collection is usually done by the SIEM - Security Information and Events Manager
system.

• All defense systems, communication components and computing systems in the organization should send all the
events (logs) they record that are related to information security to the corporate SIEM system.

• If there is no enterprise SIEM system, the events reach the SOC as alerts sent by the protection systems
to the SOC by email, or by viewing all the protection systems on a multi-screen display.

Event Classification
Because the event collection stage receives a huge amount of events from the various
components of the organization, which can reach tens of thousands of events per second (Events Per Second), it
requires creating alerts for the SOC and classifying them according to priority.

• The alerts are created in the SIEM system by defining rules in the system; they are displayed to the
SOC with a priority according to the criticality of the alert.

• The event stored in a particular component in the organization is called a Log; when the event is sent to the
SIEM system it is called an Event; once the event matches a specific information security rule in the
system and is raised to the SOC it is defined as an Incident.

Prioritization and Analysis
Prioritizing the alerts that reach the SOC helps the SOC handle and investigate events according to the
criticality set in the alert.

• The criticality of the alert is determined by the type of alert, the type of system that sends it, the type of
user, the impact on the business and the type of corporate asset.

• The main responsibility of the SOC is to maintain the business continuity of the organization, so the critical
alerts that could harm the organization must be handled and investigated first.

Prioritization and Analysis

Stage              Behavior                                                                   Priority
Recon              Behavior indicating an actor attempting to discover information about      Low
                   the organization
Delivery           Behavior indicating an attempted delivery of an exploit                    Low / Medium
Exploitation       Behavior indicating a successful exploit of a vulnerability or a backdoor   Medium / High
                   being installed on a system
System compromise  Behavior indicating a compromised system                                   High
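The Log, Event and Incident stages from the previous slides, together with the priority table above, as an added Python example (not part of the course material): raw syslog-style lines are normalized into events, each event is checked against a small rule set, and every match becomes an incident whose priority follows the table (Recon: Low, Delivery: Low / Medium, Exploitation: Medium / High, System compromise: High). The log format, the rules, the host names and the addresses are constructed.

```python
"""From Log to Event to Incident: normalize raw lines, match rules, prioritize.

Added example, not part of the course material. The stage-to-priority table
follows the slide (Recon: Low, Delivery: Low / Medium, Exploitation: Medium / High,
System compromise: High); the log format, rules, hosts and addresses are constructed.
"""
import re

STAGE_PRIORITY = {
    "Recon": "Low",
    "Delivery": "Low / Medium",
    "Exploitation": "Medium / High",
    "System compromise": "High",
}
PRIORITY_RANK = {"High": 3, "Medium / High": 2, "Low / Medium": 1, "Low": 0}

# Constructed detection rules: (name, kill-chain stage, predicate over a normalized event).
RULES = [
    ("Port scan from external address", "Recon",
     lambda e: e["type"] == "fw" and e.get("scan") == "yes"),
    ("Mail with macro-enabled attachment", "Delivery",
     lambda e: e["type"] == "mail" and e.get("macro") == "yes"),
    ("Office application spawning PowerShell", "Exploitation",
     lambda e: e["type"] == "proc" and e.get("parent") == "EXCEL.EXE" and e.get("image") == "powershell.exe"),
    ("Outbound traffic to known C2 address", "System compromise",
     lambda e: e["type"] == "proxy" and e.get("c2") == "yes"),
]

# Constructed syslog-style lines: <PRI>timestamp host key=value ...
RAW_LOGS = """\
<134>Mar  1 09:00:00 fw01 type=fw scan=yes src=203.0.113.9
<134>Mar  1 09:05:00 mailgw01 type=mail macro=yes sender=ceo-office@mail.example
<134>Mar  1 09:07:00 ws-cfo-01 type=proc parent=EXCEL.EXE image=powershell.exe
<134>Mar  1 09:08:00 proxy01 type=proxy c2=yes dst=update-check.example
<134>Mar  1 09:09:00 ws-hr-02 type=proc parent=explorer.exe image=EXCEL.EXE
"""

SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def normalize(line):
    """Log -> Event: parse one raw line into a dict with fixed field names."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    pri, ts, host, rest = m.groups()
    event = {"syslog_pri": int(pri), "time": ts, "host": host}
    event.update(kv.split("=", 1) for kv in rest.split())
    return event


def classify(event):
    """Event -> Incident: return an incident dict for the first matching rule, else None."""
    for name, stage, predicate in RULES:
        if predicate(event):
            return {
                "rule": name,
                "stage": stage,
                "priority": STAGE_PRIORITY[stage],
                "host": event["host"],
                "time": event["time"],
            }
    return None


def incidents_from_logs(raw_text):
    """Run the pipeline over all lines and return incidents, most critical first."""
    incidents = []
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        incident = classify(normalize(line))
        if incident:
            incidents.append(incident)
    # Stable sort: incidents of equal priority keep their arrival order.
    incidents.sort(key=lambda i: PRIORITY_RANK[i["priority"]], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in incidents_from_logs(RAW_LOGS):
        print(f"{inc['priority']:<14} {inc['stage']:<18} {inc['rule']} ({inc['host']} {inc['time']})")
```

Only four of the five lines become incidents: the last one, Excel started normally from the desktop, is a Log and an Event but matches no rule, which is the distinction the classification slide draws.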

Remediation and Recovery
After the investigation of the alert by the SOC, all actions taken to contain the incident must be documented,
from the moment of receiving the alert until the full handling of the incident and its closure.

• The response procedures written for the nature of the alert must be followed in order to prevent the
damage that may occur.

• The following actions are part of the response actions performed in the SOC to repair or prevent damage:
• Re-Image System - Reinstalling the system, server or workstation and backing up.

• System Update or Patch - System update or security patch update.

• Re-Configure Access System - deleting accounts in the system, resetting passwords and more.

• Re-Configure Access Network - Creating blocking rules in the FW, blocking malicious IP addresses.

• Running Vulnerability Scans - Running a vulnerability scanner on the asset with the alert to identify the vulnerabilities
and repair them.

Assessment and Audit
The steps taken in routine mode in the SOC, while we are on alert for incoming alerts:

• Compliance with the organization's policy.

• Proper monitoring of all components of the organization.

• Running a Vulnerability Scanner in order to identify weaknesses in the organization's components.

• Updating SOC response procedures.

• Simulations, exercises and tutorials.

TECHNOLOGY

SOC Tools
Each SOC selects the supporting systems and the ways to identify all information security events in the organization,
but most SOC teams use the following technologies:

SOC Tools
• SIEM - As mentioned, the system responsible for collecting events, creating alerts, creating rules in the system
for the SOC, creating reports and views. The SIEM is the engine of the SOC array.

• Knowledge Base - A collection of all organizational procedures, response procedures, how past events were
handled and sources of knowledge.

• Reporting - Documenting how an incoming event was handled, in a dedicated system or in the SIEM. There are systems
called SOAR (Security Orchestration, Automation and Response) that enable automation of the
documentation and automated response procedures with Playbooks.

• Research - conducting research and forecasting for an incoming alert until the event is contained,
documented and completed.

• Threat Intelligence - Gathering intelligence relevant to the organization according to IOCs. Conducting
online research on future attacks expected to occur against a specific organization, an organization with similar goals or a
country.

Escalation Procedure
The Adaptive Security Architecture

The Adaptive Security Architecture
Prevention
All the actions that are taken to prevent an information security incident:

• Segmentation + VLAN usage
• Hardening Systems
• Security Awareness
• Systems Insulation
• Security Policy
• Prevention of attacks by systems

The Adaptive Security Architecture
Detection
All the actions that are taken to detect an information security incident:

• System alert detection
• Visualization of logs
• Prioritize alerts

The Adaptive Security Architecture
Response
All the actions that are taken to respond to an information security incident:

• Vulnerability Patch
• Investigation, Forensics, Containment
• Policy Change

The Adaptive Security Architecture
Predict
All the actions that are taken to predict an information security incident:

• Threat Hunting
• Pentest + mitigation
• Baseline System
• Info gathering
• Vulnerability Scanner
• Risk Assessment
SIEM Introduction

SIEM - Security Information and Events Manager
• A system used for receiving events from all the organization's information, computing and communication
systems.

• The system is responsible for normalizing, analyzing, parsing and storing the events.

• The system enables control of processes and events, and response to real-time information security events.

• The system enables the generation of reports, the establishment of dashboards and the retrieval of events if
necessary.

SIEM - Security Information and Events Manager

How the SIEM system receives events:

• SYSLOG
• Windows Event Forwarding / SMB
• JDBC
• File Reader
• SNMP
• API

SIEM - Security Information and Event Management
The way events are parsed by the SIEM system
• All SIEM systems have a parsing mechanism that normalizes the logs received from all collected systems into
known, fixed fields. As administrators we help the system parse an event that arrives in a different format, with
the help of parsing rules and regular expressions.

• ArcSight works with the CEF format.

• IBM QRadar works with the LEEF format.

• Splunk works with the JSON format.
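The CEF and LEEF formats mentioned above are both a pipe-separated header followed by key=value attributes, so a single small parser can turn either into the same fixed fields. The code below is an added example for this course page, not code from the slides or from ArcSight or QRadar; the sample events, the "ITSafeLab" vendor name and the fixed field names in FIELD_MAP are constructed assumptions for the demonstration.

```python
import re

# Added example: minimal parsers for the CEF (ArcSight) and LEEF (QRadar) event formats, plus
# a mapping of both into the same fixed fields. Sample events below are constructed, not real.

_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text, n):
    """Split up to n pipe-separated header fields; a backslash escapes a literal '|'.
    Returns (fields, rest): rest is the text after the n-th pipe, '' if there is none."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < n:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < n:             # text ran out: whatever is left is the last field
        fields.append("".join(cur))
        return fields, ""
    return fields, text[i:]


def parse_cef(line):
    """CEF:Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|key=value ..."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF event")
    fields, ext = _split_header(line[4:], 7)
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 fields")
    event = dict(zip(["version", "vendor", "product", "device_version",
                      "event_class_id", "name", "severity"], fields))
    # Extension values may contain spaces: a value runs until the next ' key=' token.
    ext_fields, keys = {}, list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        ext_fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    event["extension"] = ext_fields
    return event


def parse_leef(line):
    """LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v   or
       LEEF:2.0|Vendor|Product|Version|EventID|<delim>|k=v<delim>k=v  (delim may be hex, e.g. x09)"""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    fields, rest = _split_header(line[5:], 6)
    if fields[0].startswith("2") and len(fields) == 6 and rest:
        delim, attrs = fields[5], rest            # explicit delimiter field present
        if len(delim) == 3 and delim[0] == "x":
            delim = chr(int(delim[1:], 16))
    else:                                         # LEEF 1.0, or 2.0 without a delimiter field
        delim, attrs = "\t", (fields[5] if len(fields) == 6 else "")
    event = dict(zip(["version", "vendor", "product", "device_version", "event_id"], fields))
    event["attributes"] = dict(p.split("=", 1) for p in attrs.split(delim) if "=" in p)
    return event


# Vendor key -> fixed field name used downstream (names assumed for this example).
FIELD_MAP = {"src": "source_ip", "dst": "destination_ip", "spt": "source_port",
             "dpt": "destination_port", "srcPort": "source_port", "dstPort": "destination_port",
             "proto": "protocol", "act": "action", "action": "action"}


def normalize(line):
    """Parse either format and return only the common fixed fields."""
    event = parse_cef(line) if line.startswith("CEF:") else parse_leef(line)
    raw = event.get("extension") or event.get("attributes") or {}
    fixed = {"vendor": event["vendor"], "product": event["product"]}
    for key, value in raw.items():
        if key in FIELD_MAP:
            fixed[FIELD_MAP[key]] = value
    return fixed


# Constructed samples describing the same connection in both formats.
SAMPLE_CEF = ("CEF:0|ITSafeLab|DemoFW|1.0|100|Inbound connection accepted|3|"
              "src=65.65.65.65 spt=1355 dst=10.10.10.10 dpt=80 proto=TCP act=accept msg=Rule 12 matched")
SAMPLE_LEEF2 = ("LEEF:2.0|ITSafeLab|DemoFW|1.0|100|^|"
                "src=65.65.65.65^srcPort=1355^dst=10.10.10.10^dstPort=80^proto=TCP^action=accept")
SAMPLE_LEEF1 = "LEEF:1.0|ITSafeLab|DemoFW|1.0|100|src=65.65.65.65\tdst=10.10.10.10\tdstPort=80\taction=accept"

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF2, SAMPLE_LEEF1):
        print(normalize(sample))
```

Note that the escaping rules differ per part of the event: the header escapes only the pipe, while the CEF extension escapes "=" and the backslash, which is why the header splitter and the extension parser handle escapes separately.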

SIEM - Security Information and Event Management
The usage of events from a SIEM system

• Rules
• Detection
• Dashboards
• Machine Learning & AI
• Incident Response
• Threat Intelligence
• Reports
• Logs Forensics
• Behavior Analysis
• Automations

SIEM - Security Information and Event Management

IBM QRadar SIEM
IBM QRadar SIEM
• IBM's SIEM system.

• Considered among the leaders in SIEM products today.

• The system consists of various components aimed at collecting events, real-time analysis and storage.

IBM QRadar SIEM
• QRadar Collectors

• The events received by the system can be collected from many varied sources of information, such as
Windows computer events, firewalls or applications.

• QRadar Collectors are the servers responsible for collecting / receiving the information from the
various components.

• There are many ways to get the information from the various sources, for example receiving events over
Syslog, reading events from a file, retrieving events stored in a database, etc.

IBM QRadar SIEM
• QRadar Collectors

• After receiving the events, the QRadar Collector is responsible for normalizing the information into fixed
fields, filtering, categorizing and aggregating it according to the Log Source Type.

• The normalization process exists to enforce a standard. In an organizational environment there can be
dozens of different event types, and each component reports to the QRadar Collector differently. Normalization
saves the events in a uniform format with fixed fields, so they can be compared and stored in a simple and
regular manner.

IBM QRadar SIEM
• QRadar Collectors

• Event from a Check Point firewall:

"14" "21Nov2005" "12:10:29" "eth-s1p4c0" "ip.of.firewall" "log" "accept" "www-http" "65.65.65.65" "10.10.10.10" "tcp" "4" "1355" "" "" "" "" "" "" "" "" "" "firewall" "len 68"

• Event from a Cisco router access list:

Nov 21 12:10:27: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 65.65.65.65(1355) -> 10.10.10.10(80), 1 packet

• Event from a Cisco PIX:

Nov 21 2005 12:10:28: %PIX-6-302001: Built inbound TCP connection 125891 for faddr 65.65.65.65/1355 gaddr 10.10.10.10/80 laddr 10.0.111.22/80

SIEM - Security Information and Event Management

• Normalization allows us to save the events in a uniform format according to fixed fields, so they can be
compared and stored in a simple and regular manner despite the great differences between the events and
the systems that produce them:

• Different components tend to write multiple log lines for identical events. Collecting every one of them can
overload the organization's resources, so it is possible to collapse all the logs of one event into a single record
that carries the number of original logs in a dedicated field. This is called aggregation (coalescing).
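The three vendor events shown on the earlier slide describe the same connection three different ways; the block below normalizes them into one set of fixed fields and then aggregates identical events into a single record with a count, as the two bullets above describe. This is an added example written for this page, not QRadar's DSM logic: the Check Point column order, the regular expressions, the service-to-port table and the aggregation key are assumptions for the demonstration, and the repeated ACL line is constructed to show aggregation.

```python
import re
import shlex
from collections import Counter

# Added example: normalize the slide's Check Point / Cisco IOS / Cisco PIX events into fixed
# fields, then coalesce identical events. Column order, regexes and field names are assumed.

# Leading columns of the quoted Check Point export (assumed order for this example).
CHECKPOINT_COLUMNS = ["num", "date", "time", "interface", "origin", "type", "action", "service",
                      "src", "dst", "proto", "rule", "s_port"]
SERVICE_PORTS = {"www-http": 80, "http": 80, "https": 443, "ssh": 22}   # constructed lookup

CISCO_ACL = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) "
                       r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\), (\d+) packets?")
CISCO_PIX = re.compile(r"%PIX-6-302001: Built (inbound|outbound) (\w+) connection (\d+) for "
                       r"faddr (\S+)/(\d+) gaddr (\S+)/(\d+) laddr (\S+)/(\d+)")


def normalize_event(raw):
    """Return the fixed fields for one raw line, or None if no parser recognises it."""
    if raw.startswith('"'):                          # Check Point: quoted positional columns
        f = dict(zip(CHECKPOINT_COLUMNS, shlex.split(raw)))
        return {"device": "checkpoint", "source_ip": f["src"], "source_port": int(f["s_port"]),
                "destination_ip": f["dst"], "destination_port": SERVICE_PORTS.get(f["service"]),
                "protocol": f["proto"].upper(), "action": f["action"], "count": 1}
    m = CISCO_ACL.search(raw)
    if m:
        acl, verdict, proto, src, sport, dst, dport, packets = m.groups()
        return {"device": "cisco-ios", "source_ip": src, "source_port": int(sport),
                "destination_ip": dst, "destination_port": int(dport), "protocol": proto.upper(),
                "action": "accept" if verdict == "permitted" else "drop", "count": int(packets)}
    m = CISCO_PIX.search(raw)
    if m:
        direction, proto, conn_id, faddr, fport, gaddr, gport, laddr, lport = m.groups()
        return {"device": "cisco-pix", "source_ip": faddr, "source_port": int(fport),
                "destination_ip": gaddr, "destination_port": int(gport), "protocol": proto.upper(),
                "action": "accept", "count": 1}
    return None


def aggregate(events):
    """Coalesce events that are identical on the aggregation key, summing their counts."""
    key = ("device", "source_ip", "destination_ip", "destination_port", "protocol", "action")
    counts, first = Counter(), {}
    for e in events:
        k = tuple(e[f] for f in key)
        counts[k] += e["count"]
        first.setdefault(k, e)
    return [dict(first[k], count=n) for k, n in counts.items()]


# The three events from the slide, plus the ACL line repeated (constructed) to show aggregation.
RAW_EVENTS = [
    '"14" "21Nov2005" "12:10:29" "eth-s1p4c0" "ip.of.firewall" "log" "accept" "www-http" "65.65.65.65" '
    '"10.10.10.10" "tcp" "4" "1355" "" "" "" "" "" "" "" "" "" "firewall" "len 68"',
    "Nov 21 12:10:27: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 65.65.65.65(1355) -> 10.10.10.10(80), 1 packet",
    "Nov 21 12:10:27: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 65.65.65.65(1355) -> 10.10.10.10(80), 1 packet",
    "Nov 21 2005 12:10:28: %PIX-6-302001: Built inbound TCP connection 125891 for faddr 65.65.65.65/1355 "
    "gaddr 10.10.10.10/80 laddr 10.0.111.22/80",
]


def process(raw_lines):
    """Collector pipeline in miniature: parse, drop unparsable lines, aggregate."""
    normalized = [e for e in (normalize_event(r) for r in raw_lines) if e]
    return aggregate(normalized)


if __name__ == "__main__":
    for record in process(RAW_EVENTS):
        print(record)
```

The Check Point line is the awkward one: its service is a name ("www-http") rather than a port, so reaching a comparable destination_port field needs a lookup; in a real deployment that lookup is part of the DSM, and an unknown service would leave the field empty rather than fail the event.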

SIEM - Security Information and Event Management

All events, as mentioned, are transmitted to the Processor in a uniform format:

SIEM - Security Information and Event Management

• The categorization process is performed by associating each event in the system with an Event Name, and each
Event Name has a Low Level Category and a High Level Category.

• After all the steps the event went through in the QRadar Collector, it moves to the QRadar Processor in LEEF
format on port 22.

SIEM - Security Information and Event Management
• QRadar Collectors

QRadar Collectors:
• Receive / get events
• Normalization
• Aggregation
• Filter
• Categorization

SIEM - Security Information and Event Management
• QRadar Processor

• All QRadar Collectors pass the information they collected directly to the QRadar Processor.

• In the QRadar Processor the events are processed by the rules engine (the CRE Engine), which correlates the
received events against the rules defined in the system; if they match, an alert pops up.

• All events are then transferred to storage on the database server for investigation, report generation and
views.

SIEM - Security Information and Event Management
• QRadar Console

• The management server of the system, whose job is to manage the various components, view logs and
produce reports and views.

• We connect to the management server over the web and manage the entire system this way.

• All system operations are performed centrally, only through the QRadar Console management server: adding
a new Log Source, publishing information, rule writing, offense management, system management and more.

SIEM - Security Information and Event Management
• QRadar Console

SIEM - Security Information and Event Management
• QRadar Processor + QRadar Console

QRadar Processor + QRadar Console:
• Get events from collectors
• Correlation rules
• Manage offenses
• Deploy
• Reports
• Dashboards

SIEM - Security Information and Event Management
• QRadar Database

• The database is relational, in an array of tables.

• The QRadar system uses the Ariel database.

• The database works in partitions, where each day is a partition in itself.

• In this way the retention time in the system can be managed optimally.

SIEM - Security Information and Event Management
• QRadar Database

QRadar Ariel Database:
• Ariel
• Time-based partitions

QRadar SIEM – Events Process Summary

QRadar Collectors:
• Receive / get events
• Normalization
• Aggregation
• Filter
• Categorization

QRadar Processor + QRadar Console:
• Get events from collectors
• Correlation rules
• Manage offenses
• Deploy
• Reports
• Dashboards

QRadar Ariel Database:
• Ariel
• Time-based partitions

10,000 EPS - Enterprise events per second

864,000,000 - Enterprise events per day

400 rules - Enterprise SIEM

100 offenses - Enterprise Security Operations Center

Windows Audit

Event Viewer

• The Windows operating system records actions performed on the computer in the Event Viewer, according to the
audit settings defined in the Local Security Policy, or in a GPO when the computer is a domain member.

• We define the audit settings under:

Security Settings → Local Policies → Audit Policy

• Every policy in the list can be set up for monitoring of success and / or failure; after the definition, the
logs are recorded in the Event Viewer.

Windows Audit Logs

Event Viewer

• Audit Account Logon Events
Documents domain-related actions such as TGT renewal, TGT request and more

• Audit Account Management
Documents actions related to managing user accounts

• Audit Directory Service Access
Documents actions related to Active Directory resource access

Event Viewer
• Audit Logon Events
Documents all logon attempts to the computer

• Audit Object Access
Documents file or folder access actions

• Audit Policy Change
Documents policy-related changes on the computer

Event Viewer
• Audit Privilege Use
Documents system operations performed using sensitive / non-sensitive privileges, for example: logon as a
service, backup operations, etc.

• Audit Process Tracking
Documents the start / exit of processes created on the computer

• Audit System Events
Documents other system operations: system shutdown, shutdown of the local firewall service, etc.

Event Viewer
• Successful logon to PC - Event ID 4624
An account was successfully logged on.

• Logon failure to PC - Event ID 4625
An account failed to log on.

• Creating a user - Event ID 4720
A user account was created.

• Adding a user to a group - Event ID 4732
A member was added to a security-enabled local group. - Users

• Adding a user to the Administrators group - Event ID 4732
A member was added to a security-enabled local group. - Administrators

• Removing a user from a group - Event ID 4733
A member was removed from a security-enabled local group.

• Disable user - Event ID 4725
A user account was disabled.

• Deleting a user - Event ID 4726
A user account was deleted.

• TGT request - Event ID 4768
A Kerberos authentication ticket (TGT) was requested.

• Process created - Event ID 4688
A new process has been created.
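The Event Viewer messages behind the event IDs listed above share one layout: a description line followed by "Key: Value" lines grouped under section headers such as "Subject:" and "New Logon:". The block below, an added example written for this page rather than code from the course or from Microsoft, parses that layout, attaches the audit category for each event ID from the list above, and decodes the Logon Type number. The two sample messages are constructed (account names, SIDs and addresses are invented), and the field names in the returned record are this example's own.

```python
import re

# Added example: parse the 'Key: Value' body of Windows Security log messages and attach the
# audit category and logon-type name. The sample messages below are constructed, not captured.

# Event IDs from the course list -> (audit policy category, message text).
EVENT_CATALOG = {
    4624: ("Logon Events", "An account was successfully logged on"),
    4625: ("Logon Events", "An account failed to log on"),
    4720: ("Account Management", "A user account was created"),
    4725: ("Account Management", "A user account was disabled"),
    4726: ("Account Management", "A user account was deleted"),
    4732: ("Account Management", "A member was added to a security-enabled local group"),
    4733: ("Account Management", "A member was removed from a security-enabled local group"),
    4768: ("Account Logon Events", "A Kerberos authentication ticket (TGT) was requested"),
    4688: ("Process Tracking", "A new process has been created"),
}

# Logon Type values as Windows documents them (10 = RDP, 3 = network share, 2 = console).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

_KV = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_message(message):
    """Flatten the body into {'Section.Key': value}. Indented lines belong to the section header
    above them ('Subject:', 'New Logon:', ...); unindented lines such as 'Logon Type:' are top-level."""
    fields, section = {}, None
    for raw in message.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] in " \t"
        m = _KV.match(raw.strip())
        if not m:
            continue                     # free-text line such as the event description
        key, value = m.groups()
        if not indented:
            section = None
        if value == "":                  # a 'Subject:' style header opens a new section
            section = key
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


# Sections that hold the account the event is *about*, tried in order; 'Subject' is the actor.
_ACCOUNT_KEYS = ("New Logon.Account Name", "Account For Which Logon Failed.Account Name",
                 "New Account.Account Name", "Target Account.Account Name",
                 "Member.Account Name", "Subject.Account Name")


def normalize(event_id, message):
    """One flat record per event, ready for a SIEM's fixed fields."""
    category, description = EVENT_CATALOG.get(event_id, ("Uncatalogued", "Unknown event ID"))
    f = parse_message(message)
    logon_type = int(f["Logon Type"]) if f.get("Logon Type", "").isdigit() else None
    return {
        "event_id": event_id, "category": category, "description": description,
        "account": next((f[k] for k in _ACCOUNT_KEYS if k in f), None),
        "subject": f.get("Subject.Account Name"),
        "source_ip": f.get("Network Information.Source Network Address"),
        "logon_type": logon_type, "logon_type_name": LOGON_TYPES.get(logon_type),
        "group": f.get("Group.Group Name"),
        "failure_status": f.get("Failure Information.Status"),
    }


SAMPLE_4624 = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-

Logon Type:\t\t\t10

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tLAB

Network Information:
\tWorkstation Name:\tWS01
\tSource Network Address:\t10.10.20.5
\tSource Port:\t\t50123
"""

SAMPLE_4732 = """A member was added to a security-enabled local group.

Subject:
\tAccount Name:\t\tadmin01

Member:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001
\tAccount Name:\t\tjdoe

Group:
\tSecurity ID:\t\tS-1-5-32-544
\tGroup Name:\t\tAdministrators
\tGroup Domain:\t\tBuiltin
"""
```

The section-aware parsing matters because a 4624 message carries two "Account Name" lines: the one under "Subject" is whoever triggered the logon (often "-" or SYSTEM), while the one under "New Logon" is the account that actually signed in, which is the value an analyst wants in the username field.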

QRadar Utils

Log Activity – Quick Filter
• View events in real time or in the past, using fixed fields and time ranges.

• QRadar Console → Log Activity

• We perform the search using the "Add Filter" button, adding our search criteria and the required fields.

• We set the search time window by selecting it from the "View" menu, and the type of display in the same menu.

Log Activity – Quick Filter
• Select a search time window
• Search view by fixed fields, real time or payload
• Adding new search queries
• Saving a search
• Search results

Log Activity – Edit Search
• After receiving the results we can immediately group them according to fixed fields.

• We can do this before running the search, or choose the fields as we wish, by clicking the "Edit Search" button
under "Search" in the top tab.

• We can select a search that already exists in the system and reload it.

• We can select additional fields that do not exist in the default search display, and choose which fields we
want displayed in the search.

Log Activity – Edit Search
• Displays an existing search in the system

Log Activity – Edit Search
• Fields on which Group By was used
• Parsed fields in the system
• Fields to be displayed in Log Activity

Log Activity – Practice
• Using Log Activity, find the following events received in the QRadar system:

1. The event from the Windows operating system that connects to your server in the lab. Specify the time
stamp, username, IP address, event ID, logon type and which other fields we can see.

2. Create a Log Activity view that is set to Real Time and contains all the user creation events in the Windows
operating system, then access your server and create a user named <yourname_test>. See if the event is
added to the view in Log Activity in QRadar.

3. Create a Log Activity view that looks for all the processes created on your server in the last day. Run the
calculator on the server, and see if that event appears in Log Activity. Note that auditing of Process Creation
must be enabled. Group by the Target Process Path field, and display the Username and Count fields.

Log Activity – Practice

4. Find in Log Activity the user who most recently logged in to the lab across all connected Windows systems, and
save the search.

5. Find in Log Activity the external (non-private) IP address that appears most as Source IP in the last day.

6. Find in Log Activity, in a single line, the number of users who entered a wrong password while logging in during
the last day; in addition, find all the IP addresses and users who mistyped a password on your server.

7. Create in one Log Activity view all the actions performed when creating a QradarTest user, adding it to the
Administrators group, disabling the user and then enabling it.

QRadar Utils

Log Sources
• Events from all network components are collected via the Log Source collection components.

• There are dozens of parsers (DSMs) built in for familiar systems such as Windows, Check Point and more, which
normalize the event and spread it into fixed fields.

• In addition to the built-in parsers, parsers can be configured independently in the DSM Editor, by creating a new
Log Source Type and mapping the relevant fields.

• The most important thing to do when setting up a new Log Source Type is to map the events, and to map the
Event Category and Event ID fields.

• As mentioned, the collectors are responsible for parsing, normalization, aggregation, filtering and sending
the information received / collected.

Log Sources
• We manage all the Log Sources in a dedicated application in the Console.

• From QRadar version 7.4 we manage Log Sources only in an application called Log Source Manager.

• In the Log Source settings we can set everything related to the log source:

• How the log is received - Protocol Configuration
• Identifier
• IP address
• File name
• The name of the DB
• Which Collector server receives the logs
• Coalescing definitions - aggregation of logs
• Saving the payload
• Log encoding
• Saving the Log Source in a dedicated folder

Log Sources - Configuration

QRadar Console

QRadar Console
• Access to the management interface is via the web.

• Through the QRadar Console, as mentioned, we manage all components and system settings through one central
component.

• Various settings require a Deploy in the QRadar Console before they take effect in the system; the management
interface notifies us when a deploy is pending.

QRadar Console
• Under the Dashboard menu we can see all the defined dashboards.

• Under the Offenses menu we can see all the Offenses created, by category, and we can define new rules in the
system.

• Under the Log Activity menu we can search all the logs flowing into the system according to selected criteria.

• Under the Network Activity menu we can search all incoming communication traffic by criteria.

• As we have learned, we can also see all the assets in our organization, identified from the logs, with their
details.

• Under the Reports menu we can create a report from the system as needed.

• Under Reference Data Management there is a list management application in QRadar. There are different types
of lists in the QRadar system, used for documentation, exceptions and more.

QRadar Console
• Under the Admin menu, under System Configuration, we find the following system administration applications:

• Set up system updates
• System backup configurations
• Define the organization's local network schema
• View management and licenses of all system servers
• General system settings
• Streaming logs to other destinations
• Installing apps and extensions
• User settings
• Defining permission groups
• Access settings
• Setting up a service that accesses the system
• Parsing configurations by Log Source Type
• Configure WinCollect servers
• Configure a new Log Source
• Defining and managing Log Source groups
• Managing and creating new fields
• Setting the retention time of logs in the system

QRadar Console
• There are other components that we did not delve into in the presentation:

• VA Scanner - A component for connecting Vulnerability Scanner systems to QRadar and importing all the
vulnerabilities of the assets throughout the organization.

• Define Action - Option to create scripts in the QRadar system.

• QDI application - an application used to monitor the QRadar system itself with the help of various views and
analyses, which help the system administrator see the system status at any given moment.

QRadar Building Block

QRadar Building Block
• With the help of a Building Block we tag certain events based on specific fields, values and logic.

• After creating the Building Block, the event is tagged and can be used by us for quick searches, rules and other
utilities in the system.

• We use Building Blocks as the basis for all Rules, Reports, Views and Quick Searches.

• In order to set up a new Building Block, enter the Rule creation interface and from there choose to export
the rule we created as a Building Block.

QRadar Building Block
• Go to the Rules interface under the Offenses tab, and select, for example, all the events that indicate a
successful logon to Microsoft Windows.

We first select all incoming events whose Log Source Type is Microsoft Windows.

We then select the EventID field and set it equal to 4624, to tag all of the successful Microsoft Windows
logon events.

QRadar Building Block
• After saving, we move the BB to our dedicated folder.

It should be noted that although the BB was created, it will still not do anything. The BB will only work after
we assign it to some Rule.

QRadar Building Block - Practice
• Create a Building Block for each of the following events, for later use in rules:

1. All successful logon events from the Windows operating system received in the system; save the
BB in the folder under ITSafe Course under your user name.

2. All the failure events from your Log Source; save the BB in the folder under ITSafe Course under your
user name.

3. Local group events from your Log Source; save the BB in the folder under ITSafe Course under your
user name.

QRadar Rules

QRadar Rules
• In the QRadar system, on the Event Processor server, there is the CRE Engine, which is responsible for the
correlations and the firing of rules in the system.

• A Rule is a set of logical conditions built from specific fields, Building Blocks, lists and assets; when the
conditions are fully met the Rule alerts us.

• When the Rule fires, all the actions defined for the Rule are carried out.

• There are many actions that can be taken when a Rule fires.

QRadar Rules – CRE Engine
• The Correlation Engine is where a comparison is made between the events that reach the system and the
conditions defined in the Rule.

• The rules engine determines how each event is handled:

• If an event fully meets the condition defined by the Rule - the Rule fires (the threshold is reached).
• If an event partially meets the condition defined by the Rule - the event is kept in the rules engine for a
defined period - partial matching.
• If an event does not meet any condition in the Rule - the event moves on to storage in the DB.

QRadar Rules – Rule Types
• There are 4 Rule types that we can create:

• Event Rule
• Flow Rule
• Common Rule
• Offense Rule

QRadar Rules
• Create New Rule:

• Rule Name
• Selection of conditions according to fixed logic

QRadar Rules
• For example, we will create a Rule that fires for every logon failure we receive from Windows systems:

• Rule Name
• The selected logic: we selected the BB of all logon failures on Windows systems

QRadar Rules
• After selecting the logic of the Rule, we select the Action that the Rule takes when it fires:

• Choice of priority for the Rule
• Creating an Offense for SOC monitoring according to a specific field
• Creating an Event in response to the Rule

The choice of the field on which the Offense is indexed (the Offense Type) is significant: additional rules with the
same Offense Type are added to the same Offense until it closes, and the field also determines what the rule
fires on.

QRadar Rules
• After selecting the logic of the Rule, we choose the Response that the Rule makes when it fires:

• Creating a new Event
• Sending an Email as a response
• Sending the event as Syslog
• Add or remove Reference Data
• Script execution

QRadar Rules
• After selecting the logic of the Rule, we enable the Rule and, if necessary, select a control mechanism:

• Control mechanism in case of "bombing" (flooding) by the Rule
• Enable the Rule

QRadar Rules - Practice
1. Create a simple Event Rule that fires every time you add a user to a group on your computer. Create an
Offense as the Action, with the Offense Type being the user who added the other user to the group.

2. Create a rule that fires if there are 3 logon failures within 2 minutes on a Windows operating system with the
same username. Create an Offense as the Action for the rule, with Username as the Offense Type.

3. Create a correlation rule between a first event of a logon failure and a subsequent successful logon to
your Windows server. Create an Offense as the Action for the rule, with Source IP as the Offense Type.
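To make the mechanics behind practice items 2 and 3 concrete, the block below is a small correlation engine in the spirit of the CRE described above: Building Blocks are reusable predicates that tag events, a threshold rule keeps partial matches in memory until the time window slides past them, a sequence rule waits for a failure followed by a success on the same key, and every rule that fires lands in an Offense indexed by its Offense Type until the Offense is closed. This is an added example written for this page, not QRadar's engine or course code; the events, usernames, addresses and rule names are constructed, and the engine generalizes the two practice rules to any Building Block and key field. 4625 is the Windows failed-logon event ID and 4624 the successful one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: a miniature CRE with Building Blocks, a threshold rule, a sequence rule and
# Offenses indexed by Offense Type. Events below are constructed for the demonstration.


def ev(ts, event_id, username, source_ip):
    return {"time": datetime.fromisoformat(ts), "log_source_type": "Microsoft Windows",
            "event_id": event_id, "username": username, "source_ip": source_ip}


EVENTS = [
    ev("2024-01-15T10:00:00", 4625, "jdoe", "203.0.113.7"),
    ev("2024-01-15T10:00:30", 4625, "jdoe", "203.0.113.7"),
    ev("2024-01-15T10:01:10", 4625, "jdoe", "203.0.113.7"),   # third failure inside 2 minutes
    ev("2024-01-15T10:01:40", 4624, "jdoe", "203.0.113.7"),   # then a success from the same IP
    ev("2024-01-15T10:30:00", 4625, "asmith", "10.10.20.5"),  # one typo, success 11 minutes later
    ev("2024-01-15T10:41:00", 4624, "asmith", "10.10.20.5"),
]

# Building Blocks: named tests that tag an event; rules refer to them instead of raw fields.
BUILDING_BLOCKS = {
    "BB:Windows Logon Failure": lambda e: e["log_source_type"] == "Microsoft Windows" and e["event_id"] == 4625,
    "BB:Windows Logon Success": lambda e: e["log_source_type"] == "Microsoft Windows" and e["event_id"] == 4624,
}


class ThresholdRule:
    """Fires when `count` events tagged `bb` share one `key` value within `window`.
    Partial matches stay in memory until the window slides past them."""
    def __init__(self, name, bb, key, count, window, offense_type):
        self.name, self.bb, self.key, self.count = name, bb, key, count
        self.window, self.offense_type = window, offense_type
        self.partial = defaultdict(deque)            # key value -> timestamps of partial matches

    def evaluate(self, e):
        if not BUILDING_BLOCKS[self.bb](e):
            return False
        q = self.partial[e[self.key]]
        q.append(e["time"])
        while q and e["time"] - q[0] > self.window:  # forget matches older than the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                                # one firing per burst
            return True
        return False


class SequenceRule:
    """Fires when an event tagged `then_bb` follows one tagged `first_bb` with the same `key`
    value within `window` (here: logon failure, then success, from one Source IP)."""
    def __init__(self, name, first_bb, then_bb, key, window, offense_type):
        self.name, self.first_bb, self.then_bb, self.key = name, first_bb, then_bb, key
        self.window, self.offense_type = window, offense_type
        self.pending = {}                              # key value -> time of the first stage

    def evaluate(self, e):
        k = e[self.key]
        if BUILDING_BLOCKS[self.first_bb](e):
            self.pending[k] = e["time"]
            return False
        if BUILDING_BLOCKS[self.then_bb](e) and k in self.pending:
            return e["time"] - self.pending.pop(k) <= self.window
        return False


class OffenseManager:
    """Offenses are indexed by (Offense Type, value); every rule that fires on the same index
    is added to the same open Offense until an analyst closes it."""
    def __init__(self):
        self.open, self.closed = {}, []

    def record(self, rule, event):
        key = (rule.offense_type, event[rule.offense_type])
        off = self.open.setdefault(key, {"offense_type": rule.offense_type, "value": key[1],
                                         "rules": [], "events": []})
        if rule.name not in off["rules"]:
            off["rules"].append(rule.name)
        off["events"].append(event)

    def close(self, offense_type, value):
        self.closed.append(self.open.pop((offense_type, value)))


def build_rules():
    return [
        ThresholdRule("3 Windows logon failures in 2 minutes", "BB:Windows Logon Failure",
                      key="username", count=3, window=timedelta(minutes=2), offense_type="username"),
        SequenceRule("Logon failure then success from same IP", "BB:Windows Logon Failure",
                     "BB:Windows Logon Success", key="source_ip", window=timedelta(minutes=10),
                     offense_type="source_ip"),
    ]


def run(events, rules, manager):
    """Feed events in time order through every rule; fired rules are recorded as Offenses."""
    for e in sorted(events, key=lambda x: x["time"]):
        for rule in rules:
            if rule.evaluate(e):
                manager.record(rule, e)
    return manager


if __name__ == "__main__":
    for key, off in run(EVENTS, build_rules(), OffenseManager()).open.items():
        print(key, off["rules"], len(off["events"]), "events")
```

With the constructed events, jdoe's burst opens an Offense indexed by username and the success that follows opens a second one indexed by Source IP, while asmith's single typo followed by a success eleven minutes later fires nothing, which is the effect of the window on the sequence rule.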

QRadar Offenses

QRadar Offenses
• An Offense is the ticket opened at the SOC for the purpose of investigating an information security
incident discovered by a Rule.

• One of the actions that can be performed by a Rule is to create an Offense with an Offense Type.

• The Offense Type is the field by which all events are consolidated into the Offense until it is closed by the SOC,
including events from other rules that fire on the same Offense Type.

QRadar Offenses

QRadar Offenses
• You can perform several actions on an open Offense:

• Follow Up - Marking the Offense for follow-up
• Hide - Hides the Offense from the interface
• Protect Offense - Locks the Offense to prevent changes
• Close - Closing the Offense after the incident has been handled
• Email - Sending the Offense by email
• Add Note - Adding a note for documentation
• Assign - Assigning the Offense to a SOC analyst

QRadar Offenses - Practice
1. Find the Offense created by the rule you created in the previous practice.

2. Assign it to the Admin user, and add a note that this is a simulation performed by you in order to test
the rule.

3. Close the Offense.

QRadar Reference Lists

QRadar Reference Lists
• Using Reference Lists we create static / dynamic lists that contain information according to structured fields.

• There are several types of Reference Lists:

• Reference Set - A list with only one column.
• Reference Map - A two-column list of Key and Value.
• Reference Map of Sets - A two-column list of Key and Value that allows the same Key to appear more than once,
forming a Set of values per Key.
• Reference Table - A list with a number of columns, with Key and Inner Key, according to the user's decision.

QRadar Reference Lists
• Log in to the Reference Data Management application we have installed and set up a new Reference Set:

• We choose a suitable name for the Reference Set
• We define the type of element
• We set the time an entry stays in the list until it expires

QRadar Reference Lists
• In the same application, set up a new list with Key and Value:

• We choose a suitable name for the list
• We define the type of element
• We set the time an entry stays in the list until it expires
• We set a title for Key and Value

QRadar Reference Lists
• Create Reference Lists for use in Rules:

• Download the CSV file from Google Drive and put it in a Reference Set called "User <Your Number>:
Malicious IPs".

• Define a new Reference Map containing the Username field as Key and the Source IP field as Value. Enter
in the Reference Map the user with whom you connect to the server and the public IP address from which
you connect.

• After creating the Reference Map in the previous section, create a rule that alerts you when a logon matching
the parameters you entered is identified. Reconnect to the server, and check whether the rule fired.
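The four Reference Data types listed earlier, the per-entry expiry time set in the dialog, and the two checks this practice asks for (a Source IP in the Malicious IPs set, and a username whose mapped Source IP matches the logon) are implemented below as an added example for this page, not QRadar's own reference-data code. The CSV content uses documentation-range addresses, and the user names, list names and IP values are constructed for the demonstration.

```python
import csv
import io
import ipaddress

# Added example: Reference Set / Map / Map of Sets / Table with per-entry time to live,
# plus the two practice checks. CSV rows, users and addresses below are constructed.


def _validate(element_type, value):
    """Mimic the element-type check applied when a value enters a list."""
    if element_type == "IP":
        return str(ipaddress.ip_address(value))       # raises ValueError on junk
    if element_type == "Numeric":
        return float(value)
    return str(value)


class ReferenceSet:
    """One column. ttl=None keeps entries forever; otherwise they expire ttl seconds after insert."""
    def __init__(self, name, element_type="AlphaNumeric", ttl=None):
        self.name, self.element_type, self.ttl = name, element_type, ttl
        self._expiry = {}                             # element -> expiry time (None = never)

    def add(self, value, now):
        self._expiry[_validate(self.element_type, value)] = None if self.ttl is None else now + self.ttl

    def contains(self, value, now):
        try:
            value = _validate(self.element_type, value)
        except ValueError:
            return False
        exp = self._expiry.get(value, False)
        if exp is False:
            return False
        if exp is not None and now >= exp:            # expired: drop it on read
            del self._expiry[value]
            return False
        return True

    def values(self, now):
        return sorted(v for v in list(self._expiry) if self.contains(v, now))


class ReferenceMap:
    """Two columns, Key -> Value, one value per key; the element type applies to the value."""
    def __init__(self, name, element_type="AlphaNumeric", ttl=None):
        self.name, self.element_type, self.ttl = name, element_type, ttl
        self._entries = {}                            # key -> (value, expiry)

    def put(self, key, value, now):
        self._entries[key] = (_validate(self.element_type, value),
                              None if self.ttl is None else now + self.ttl)

    def get(self, key, now):
        value, exp = self._entries.get(key, (None, None))
        if value is not None and exp is not None and now >= exp:
            del self._entries[key]
            return None
        return value


class ReferenceMapOfSets:
    """Key -> Set of values: the same key may be entered many times."""
    def __init__(self, name, element_type="AlphaNumeric", ttl=None):
        self.name, self.element_type, self.ttl, self._sets = name, element_type, ttl, {}

    def add(self, key, value, now):
        self._sets.setdefault(key, ReferenceSet(f"{self.name}:{key}", self.element_type, self.ttl)).add(value, now)

    def get(self, key, now):
        return self._sets[key].values(now) if key in self._sets else []


class ReferenceTable:
    """Key -> Inner Key -> Value: a map whose values are themselves maps."""
    def __init__(self, name, element_type="AlphaNumeric", ttl=None):
        self.name, self.element_type, self.ttl, self._rows = name, element_type, ttl, {}

    def put(self, key, inner_key, value, now):
        self._rows.setdefault(key, ReferenceMap(f"{self.name}:{key}", self.element_type, self.ttl)).put(inner_key, value, now)

    def get(self, key, inner_key, now):
        return self._rows[key].get(inner_key, now) if key in self._rows else None


# Constructed stand-in for the downloaded "Malicious IPs" CSV (documentation-range addresses).
MALICIOUS_IPS_CSV = "ip,source\n198.51.100.23,feed-a\n203.0.113.77,feed-b\n"


def load_malicious_ips(csv_text, now, name="User 01: Malicious IPs"):
    ref = ReferenceSet(name, element_type="IP")
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref.add(row["ip"], now)
    return ref


def source_ip_is_malicious(event, ref_set, now):
    return ref_set.contains(event["source_ip"], now)


def logon_matches_map(event, ref_map, now):
    """Practice rule: the username is a key in the map and its Source IP equals that key's value."""
    return ref_map.get(event["username"], now) == event["source_ip"]
```

Expiry is checked on read rather than by a background sweep, which keeps the example small; the visible effect is the same as in the dialog's entry time setting: an element added with a time to live stops matching once that time has passed.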

Threat Intelligence

Threat Intelligence

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and
action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used
to inform decisions regarding the subject's response to that menace or hazard"

Threat Intelligence

• After obtaining an IOC we work to enrich it, getting more information about the same indicator using the
following tools:

• VirusTotal
• Whois
• Telegram / Twitter
• Yara / Sigma (YAML)
• Darknet
• Shodan / IntelligenceX

• We manage all the findings in the organization in a product called TIP - Threat Intelligence Platform

Threat Intelligence

• There are several types of Threat Intelligence:

• Monitoring, Identification and Response Intelligence - IOC intelligence
• Contextual intelligence
• Finished intelligence

Threat Intelligence

• Indicators of Compromise (IOC) are all the forensic identifiers, fingerprints and events that the information
security researcher has found which indicate malicious activity in the organization:

• External IP address
• Hashes
• DNS domain
• Changed registry values
• Suspected files
• Alerts from system logs

Threat Intelligence

• Work stages of CTI:

• Collection - Collecting intelligence from all visible sources, or purchasing a service.

• Analysis - Analyzing the intelligence to identify its relevance to our organization and assets, in order to
prioritize and perform prevention and detection actions.

• Attribution - Connecting the attack tactics (TTP) and indicators to the Threat Actor group, for the purpose of
identifying the motivation, the attack infrastructure and the tools, by profiling and investigating events.

Windows Sysinternals

Windows Sysinternals

• A collection of tools from Microsoft for managing, diagnosing, monitoring and troubleshooting Windows
environments.

• The collection contains about 72 tools and was developed by the development team of Winternals, which
was later acquired by Microsoft.

• Provides the user with many free tools, which are divided into six categories:

• File and Disk Management
• Security Tools
• Networking
• System Information
• Add-ons
• Process Management

File and Disk Utilities

Sigcheck

• Command Line utility that displays file version information, time signature, file hash and Certificate.

• You can use the tool to check the file against Virus Total, with the option of uploading the file or hash and
checking against a variety of antivirus engines.

• There are many ways to get the informationITSAFE


from the- 5323800
various sources of information, for example receiving
events in Syslog, reading events from a file, retrieving events stored in the Database, etc ..

SOC Analyst
Sigcheck

• The course slides show the following Sigcheck runs as screenshots (images not reproduced here):

• Running Sigcheck on Calculator.
• Running Sigcheck on Calculator and checking it against VirusTotal.
• Running Sigcheck to extract file hashes.
• Running Sigcheck on a malicious file.
• Running Sigcheck on a malicious file against VirusTotal.
• Running Sigcheck to extract a malicious file's hashes.

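The runs listed above, done from PowerShell, plus the step the screenshots do not show: sweeping a whole directory tree and triaging the result as CSV. This is an added example and not part of the course material; it assumes sigcheck64.exe from the Sysinternals Suite is on PATH, that the VirusTotal steps have Internet access, and that the CSV column names are those Sigcheck writes with -c (Path, Verified, Publisher, SHA256, "VT detection").

```powershell
# Added example, not from the course slides. Assumes sigcheck64.exe (Sysinternals Suite) is on PATH
# and that the VirusTotal steps can reach the Internet. Column names follow Sigcheck's -c output.
$Calc = "$env:SystemRoot\System32\calc.exe"

# 1. What the Calculator screenshots show: version info, hashes and signing chain
#    -a extended version info   -h file hashes   -i catalog name and signing chain
sigcheck64.exe -accepteula -nobanner -a -h -i $Calc

# 2. Hash-only VirusTotal lookup: -v queries VT by hash, -vt accepts VT's terms of use.
#    Nothing is uploaded; use -vs instead of -v only when uploading unknown files is acceptable.
sigcheck64.exe -accepteula -nobanner -h -v -vt $Calc

# 3. Scale it up: every executable image under a user profile (-e images only, -s recurse),
#    keeping only files VirusTotal does not know or flags (-u combined with -v), as CSV (-c)
$rows = sigcheck64.exe -accepteula -nobanner -e -s -u -v -vt -h -c "$env:USERPROFILE" |
        ConvertFrom-Csv

# Unsigned files first, but keep Publisher visible: a signed file can still be malicious
$rows | Sort-Object Verified |
        Select-Object Path, Verified, Publisher, SHA256, 'VT detection' |
        Format-Table -AutoSize

# 4. Hash list for an IOC search in the SIEM / EDR
$rows | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique |
        Set-Content "$env:TEMP\sigcheck-sha256.txt"
```

Two caveats when reading the output: "Verified: Signed" only means the signature chains to a trusted root, not that the publisher is who you expect, and a hash that VirusTotal does not know is a reason to look closer, not evidence that the file is clean.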
Networking

TCPView

• A tool that displays a detailed list of all TCP and UDP endpoints on the system: the ports being listened on and the connections that are established, together with the process that owns each one.

• After launch, TCPView refreshes automatically and shows for every endpoint the process name and PID, the local and remote address and port, and the connection state. New endpoints are highlighted in green, endpoints that have just closed in red, and endpoints whose state changed in yellow, so a new outbound connection stands out.

• If a process is suspected of being malware, the analyst can cut its connections immediately: TCPView lets the user close a connection in ESTABLISHED state manually (right-click the entry, Close Connection). Tcpvcon, shipped together with TCPView, prints the same listing from the command line.

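The same view TCPView gives, built from PowerShell so it can be filtered, scripted and logged during triage. This is an added example, not code from the course or from Sysinternals; it assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and an elevated shell so that every process's image path is readable. The function name Get-TcpViewLike is made up for this example.

```powershell
# Added example, not from the course slides. Lists TCP endpoints with their owning process and the
# Authenticode status of that process's image, which is the first thing to check on an unexpected
# connection. Assumes an elevated PowerShell on Windows 8 / Server 2012 or later.
function Get-TcpViewLike {
    param(
        # Return only endpoints whose owning image does not carry a valid signature
        [switch]$UnsignedOnly
    )
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $sigCache = @{}   # image path -> signature status, so each image is checked once

    Get-NetTCPConnection | ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }
        if ($path -and -not $sigCache.ContainsKey($path)) {
            $sigCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [pscustomobject]@{
            Process = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
            PID     = $_.OwningProcess
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Signed  = if ($path) { $sigCache[$path] } else { 'Unknown' }
            Image   = $path
        }
    } | Where-Object { -not $UnsignedOnly -or $_.Signed -ne 'Valid' }
}

# Established connections only, grouped by process, like TCPView's default view
Get-TcpViewLike | Where-Object State -eq 'Established' | Sort-Object Process |
    Format-Table Process, PID, Local, Remote, State, Signed -AutoSize

# Suspicious short list: outbound connections from images that are not validly signed
Get-TcpViewLike -UnsignedOnly | Where-Object State -eq 'Established' | Format-Table -AutoSize

# TCPView's "Close Connection" has no PowerShell cmdlet equivalent; the practical substitute
# during containment is stopping the owning process:  Stop-Process -Id <pid> -Force
```

UDP endpoints come from Get-NetUDPEndpoint in the same way. A process that shows no path (protected or already exited) should be looked at in Process Explorer rather than ignored.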
Process

Process Explorer - PROCEXP

• A tool that displays a detailed list of all the processes on the computer. It can be configured to replace the built-in Task Manager (Options > Replace Task Manager), which is why it is often called a "super Task Manager".

• The tool lets the user track a process and shows detailed and accurate information such as:

• The DLLs and handles loaded by each process.
• The command line that started each program.
• A hierarchical (parent/child) view of the running processes.
• The company name and, when Verify Image Signatures is enabled, the signing status next to each process.
• CPU activity in the tray / taskbar.
• Changing a process's priority.
• Checking image hashes against the VirusTotal engine.
• Searching for a handle or DLL by name.
• Killing, suspending and restarting processes.

Process Monitor - PROCMON

• A tool that records, in real time, the file system, registry, process/thread and network activity on the computer.

• The tool lets the user follow every change made to the file system and the registry and shows detailed and accurate information such as:

• Precise registry changes (key, value and the data written).
• Many monitoring and filtering options (by process, operation, path or result).
• Process details including image path, command line, user and session ID.
• Search for an object by name or event.
• Process image details (path, company) for validation.
• A hierarchical view of the processes (Process Tree).
• Jumping to a process or a path at a given point in time.

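A Procmon capture driven entirely from the command line, exported to CSV and searched for the two persistence actions an analyst checks first: registry writes under the Run keys and files dropped in the Startup folder. This is an added example, not from the course material; it assumes procmon64.exe is on PATH and the shell is elevated, and that the CSV columns are those Procmon writes with /SaveAs (Time of Day, Process Name, PID, Operation, Path, Result, Detail).

```powershell
# Added example, not from the course slides. Assumes procmon64.exe is on PATH and an elevated shell.
$Trace = "$env:TEMP\trace.pml"
$Csv   = "$env:TEMP\trace.csv"

# 1. Capture for 60 seconds without touching the GUI, then stop the running instance.
#    /Quiet suppresses the filter dialog, /BackingFile writes the trace to disk instead of RAM.
Start-Process procmon64.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$Trace`""
Start-Sleep -Seconds 60
Start-Process procmon64.exe -ArgumentList '/Terminate' -Wait

# 2. Convert the binary log to CSV (Procmon exits by itself when the export is finished)
Start-Process procmon64.exe -ArgumentList '/AcceptEula', "/OpenLog `"$Trace`"", "/SaveAs `"$Csv`"" -Wait

# 3. Triage: successful registry value writes under Run / RunOnce, and files written to Startup
$runKeys = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\'
$startup = '\\Start Menu\\Programs\\Startup\\'

Import-Csv $Csv |
    Where-Object {
        $_.Result -eq 'SUCCESS' -and (
            ($_.Operation -eq 'RegSetValue' -and $_.Path -match $runKeys) -or
            ($_.Operation -eq 'WriteFile'   -and $_.Path -match $startup)
        )
    } |
    Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Detail |
    Format-Table -AutoSize
```

The same filter can be applied live in the Procmon GUI (Filter > Filter..., Operation is RegSetValue, Path contains CurrentVersion\Run), but the CSV route leaves a file that can be attached to the ticket and re-queried later.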
SYSMON - System Monitor

• A Windows system service and device driver that stays resident after installation and writes detailed events (process creation with hashes and command line, network connections, driver and DLL loads, file creation, registry changes and more) to the Windows event log, under Microsoft-Windows-Sysmon/Operational. What it records is controlled by an XML configuration file, and because the output is a standard event log it can be forwarded to the SIEM, unlike Procmon, which is an interactive trace tool.

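Installing Sysmon with a small configuration and reading back the process-creation events it produces, as an added example that is not part of the course material. It assumes sysmon64.exe is on PATH and the shell is elevated; the configuration below is a minimal illustration of the include/exclude model, not a production ruleset.

```powershell
# Added example, not from the course slides. Assumes sysmon64.exe is on PATH and an elevated shell.
$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (ProcessCreate): log everything except two very noisy system images -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (NetworkConnect): log only connections made by scripting hosts and Office -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">wscript.exe</Image>
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">winword.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path "$env:TEMP\sysmon.xml" -Value $config -Encoding ASCII

sysmon64.exe -accepteula -i "$env:TEMP\sysmon.xml"   # first installation
# sysmon64.exe -c "$env:TEMP\sysmon.xml"              # update the configuration later

# Read the last 20 process creations, flattening EventData into one object per event
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 20 |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            Parent      = $d['ParentImage']
            Hashes      = $d['Hashes']
        }
    } | Format-Table -AutoSize
```

Note the asymmetry: ProcessCreate is "exclude" (record everything by default, carve out noise), NetworkConnect is "include" (record nothing by default, opt in). An "include" rule group with no rules records nothing at all, which is the most common way a Sysmon deployment silently loses events.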
Autoruns

• A tool that shows every program configured to run when the computer boots or when a user logs in: Run keys, Startup folders, services, drivers, scheduled tasks, Winlogon entries, Explorer and browser add-ons, WMI subscriptions and the other auto-start locations.

• Displays the registry key or folder each entry comes from, and the fields needed for analysis: description, publisher/signer, image path, launch string and, optionally, file hashes and VirusTotal results.

• Has built-in search and filtering for quick inquiry, including Hide Microsoft Entries and Hide Windows Entries, which leave the analyst with the third-party and unsigned entries. Autorunsc is the command-line version of the same tool.

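Dumping every autostart entry with Autorunsc, verifying signatures and hashes, and keeping a baseline to diff against. This is an added example, not from the course material; it assumes autorunsc64.exe is on PATH and an elevated shell, and that the CSV column names (Entry Location, Entry, Signer, Image Path, SHA-256) and the "(Verified) ..." / "(Not verified) ..." form of the Signer column are as Autoruns writes them with -c and -s.

```powershell
# Added example, not from the course slides. Assumes autorunsc64.exe is on PATH and an elevated shell.
# -a *  all entry categories   -c CSV   -h file hashes   -s verify digital signatures
# -m    hide Microsoft-signed entries   -nobanner keeps the output parseable
$entries = autorunsc64.exe -accepteula -nobanner -a * -c -h -s -m | ConvertFrom-Csv

# Entries whose image did not verify: unsigned, self-signed, revoked or tampered binaries
$entries |
    Where-Object { $_.Signer -notmatch '^\(Verified\)' } |
    Select-Object 'Entry Location', Entry, Signer, 'Image Path', 'SHA-256' |
    Format-Table -AutoSize

# Entries that live in user-writable locations are the usual home of user-level persistence
$entries |
    Where-Object { $_.'Image Path' -match '\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\' } |
    Select-Object 'Entry Location', Entry, 'Image Path' |
    Format-Table -AutoSize

# Baseline: save today's capture, compare with a known-good one from the gold image
$today = "$env:TEMP\autoruns-$(Get-Date -Format yyyyMMdd).csv"
$entries | Export-Csv $today -NoTypeInformation
# Compare-Object (Import-Csv C:\baseline\autoruns-gold.csv) $entries -Property 'Entry Location', Entry, 'SHA-256' |
#     Where-Object SideIndicator -eq '=>'     # entries present now but not in the baseline
```

Adding -v -vt to the command line queries VirusTotal by hash, and -u then restricts the output to entries VirusTotal does not know or flags; leave those switches out on hosts where sending hashes to a third party is not allowed.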
Strings

• A command-line tool that prints all the readable text (ASCII and Unicode strings, three characters or longer by default) embedded in an executable or any other file.

• When analyzing an executable suspected of being malware, the strings often reveal suspicious URLs, external IP addresses, file paths, registry keys or imported API names.

• The suspicious strings can then be checked against the AV or the VirusTotal engine to clarify whether the indicator is already known.

• Running Strings on Calculator (screenshot not reproduced here).

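Running Strings over a sample and pulling out the indicator types an analyst looks for first (URLs, IPv4 addresses, Run keys, a few injection-related APIs, PDB paths), as an added example that is not part of the course material. It assumes strings64.exe is on PATH; the sample path and the function name Get-StringIndicators are placeholders for this example.

```powershell
# Added example, not from the course slides. Assumes strings64.exe (Sysinternals) is on PATH.
function Get-StringIndicators {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 8      # -n: longer minimum length cuts most of the noise
    )
    $lines = strings64.exe -accepteula -nobanner -n $MinLength $Path

    # Indicator classes; order decides the order of the output
    $patterns = [ordered]@{
        Url     = 'https?://[^\s"''<>]+'
        IPv4    = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
        RunKey  = 'CurrentVersion\\Run(Once)?'
        Api     = '\b(VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|WinExec|URLDownloadToFile|IsDebuggerPresent)\b'
        PdbPath = '[A-Za-z]:\\[^\s]+\.pdb'
    }

    foreach ($kind in $patterns.Keys) {
        foreach ($m in ($lines | Select-String -Pattern $patterns[$kind] -AllMatches)) {
            foreach ($hit in $m.Matches) {
                [pscustomobject]@{ Type = $kind; Value = $hit.Value; Line = $m.Line.Trim() }
            }
        }
    }
}

Get-StringIndicators -Path 'C:\samples\suspect.exe' |
    Sort-Object Type, Value -Unique |
    Format-Table Type, Value -AutoSize
```

Absence of indicators proves nothing: packed or encrypted malware shows almost no readable strings until it is unpacked in memory, and a very short strings listing from a large executable is itself a reason for suspicion. Conversely, URLs and API names in a legitimate binary (Calculator included) are normal, so every hit still needs context.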
SOAR

• SOAR (Security Orchestration, Automation and Response) refers to technologies that let an organization collect the inputs the security operations team monitors, for example alerts from the SIEM and from other security products, and perform incident analysis and triage with a combination of human and machine effort, in order to define, prioritize and drive standardized incident response activities. SOAR tools let the organization describe its incident analysis and response procedures as digital workflows (playbooks).

SOAR

• The problems that SIEM / SOC operations managers run into, which SOAR was built to solve:

• System separation: every security product has its own console and its own data.
• Manual processes.
• The sheer amount of security events.
• Lack of manpower.

• The solutions that SOAR offers for these problems:

• A unified work surface for the SOC.
• Investigation (automatic enrichment of alerts).
• Documentation of every action taken.
• Integration and automation with the different systems.

SOAR

• SOAR uses Playbooks to manage an event automatically, as a hierarchical diagram of actions. The phishing playbook drawn on the slide runs as follows:

• Playbook start: a "Suspicion of Phishing" offense arrives from the QRadar SIEM.
• Check the sender's domain and the URLs in the email against VirusTotal.
• Check, through the interface to the email systems, whether the sender is known.
• Send an email to the user who received the message, asking whether they expected to receive it.
• If the answer is YES: document all actions and close the offense.
• If the answer is NO: transfer the findings to the SOC and open an event; once the SOC confirms that the mail address or domain should be blocked, block the address and the domain through the interface to the email systems, then document all actions and close the offense.
• Playbook end.
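The same playbook expressed as a script, so that the decision logic is explicit and can be exercised without a SOAR platform. This is an added example, not from the course or from any SOAR product: the integrations (VirusTotal, the mail system's "known sender" check, the user acknowledgement, the SOC approval and the gateway block) are passed in as script blocks, and the sample run at the bottom stubs them with constructed data. It departs from the diagram in one deliberate way: a YES from the user does not close the offense when VirusTotal flagged the domain or a URL, because users routinely "expect" the invoice or delivery mail that turns out to be phishing.

```powershell
# Added example, not from the course slides. The function name and the offense fields
# (Id, Sender, Domain, Urls, Recipient) are assumptions for this example.
function Invoke-PhishingPlaybook {
    param(
        [Parameter(Mandatory)] $Offense,                           # @{ Id; Sender; Domain; Urls; Recipient }
        [Parameter(Mandatory)] [scriptblock]$VirusTotalLookup,     # (ioc) -> number of engines flagging it
        [Parameter(Mandatory)] [scriptblock]$IsKnownSender,        # (sender) -> $true / $false
        [Parameter(Mandatory)] [scriptblock]$AskUser,              # (recipient, offense) -> 'YES' / 'NO'
        [Parameter(Mandatory)] [scriptblock]$SocApproves,          # (findings) -> $true / $false
        [Parameter(Mandatory)] [scriptblock]$BlockInMailGateway    # (sender, domain) -> nothing
    )
    $log = [System.Collections.Generic.List[string]]::new()
    $log.Add("Offense $($Offense.Id): suspicion of phishing received from SIEM")

    # Enrichment: domain and every URL against VirusTotal
    $vt = @{}
    $vt[$Offense.Domain] = & $VirusTotalLookup $Offense.Domain
    foreach ($u in $Offense.Urls) { $vt[$u] = & $VirusTotalLookup $u }
    $log.Add("VirusTotal: " + (($vt.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '))

    $known = & $IsKnownSender $Offense.Sender
    $log.Add("Sender known to the mail system: $known")

    $answer = & $AskUser $Offense.Recipient $Offense
    $log.Add("User expected the mail: $answer")

    # Close automatically only when the user expected it AND nothing was flagged
    $flagged = ($vt.Values | Measure-Object -Maximum).Maximum -gt 0
    if ($answer -eq 'YES' -and -not $flagged) {
        $log.Add("Closing offense: user expected the mail and no detections")
        return [pscustomobject]@{ Action = 'Closed'; Blocked = $false; Log = $log }
    }

    # Everything else goes to a human: open a case, hand over the findings, wait for approval
    $findings = @{ Offense = $Offense; VirusTotal = $vt; KnownSender = $known; UserAnswer = $answer }
    $log.Add("Case opened and findings transferred to the SOC")
    if (& $SocApproves $findings) {
        & $BlockInMailGateway $Offense.Sender $Offense.Domain
        $log.Add("Blocked $($Offense.Sender) and $($Offense.Domain) through the mail gateway; offense closed")
        return [pscustomobject]@{ Action = 'Blocked'; Blocked = $true; Log = $log }
    }
    $log.Add("SOC did not approve the block; offense left open for the analyst")
    return [pscustomobject]@{ Action = 'Escalated'; Blocked = $false; Log = $log }
}

# Constructed sample run: the user did not expect the mail and the look-alike domain is flagged
$offense = @{ Id = 1234; Sender = 'billing@examp1e-invoices.test'; Domain = 'examp1e-invoices.test'
              Urls = @('http://examp1e-invoices.test/pay'); Recipient = 'alice@corp.test' }
$result = Invoke-PhishingPlaybook -Offense $offense `
    -VirusTotalLookup   { param($ioc) if ($ioc -like '*examp1e*') { 7 } else { 0 } } `
    -IsKnownSender      { param($s) $false } `
    -AskUser            { param($r, $o) 'NO' } `
    -SocApproves        { param($f) $true } `
    -BlockInMailGateway { param($s, $d) }
$result.Action   # Blocked
$result.Log
```

The block action is the only irreversible step in the flow, which is why the diagram keeps a human (the SOC confirmation) in front of it; every other step is safe to automate fully. The $log list is what the "document all actions" box in the diagram refers to: the playbook should leave a trail that explains each decision, whether the offense is closed or escalated.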


Thank you
Coming up next