Notes

Vulnerability management is a proactive approach to protect systems from cyberattacks by identifying and fixing security flaws. Key tools and processes include Nessus for vulnerability scanning, Burp Suite for web application security, Wireshark for network analysis, and Splunk for log management. The document also discusses incident response, digital forensics, and threat intelligence as essential components of a comprehensive security strategy.

Uploaded by

Ushasri Prasad99

Vulnerability management is a proactive, and frequently automated, activity that protects computer systems, networks and applications from cyberattacks and data breaches. It is a vital component of a security program. By discovering and fixing potential security flaws, it helps businesses avoid attacks.

Vulnerability scanning is the core activity of vulnerability management. In the case of Nessus, a scan has four major steps:
1. Port scanning - determines which hosts are alive and which ports are open on those hosts.
2. Service detection - discovers which services are running on those ports, and their version numbers.
3. Vulnerability identification - Nessus compares what it discovered about each service on a host with its database of known vulnerabilities and vulnerable version numbers.
4. Probing - Nessus actively verifies whether a finding is a false positive or the vulnerability actually exists.

In Nessus, findings are mapped to CVEs, which identify a vulnerability that may be exploited to launch an attack.

Based on CVSS scores we can determine the severity of a vulnerability: if the score is between 9.0 and 10.0 it is the most severe kind of vulnerability.
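Added example, not Nessus code: a toy version of steps 2 and 3 above plus CVSS-based severity rating. The detected services and the vulnerability database are constructed here, and the CVE ids are placeholders.

```python
# Added illustration of Nessus-style vulnerability identification; not Nessus code.
# Service records and VULN_DB are constructed; CVE ids are placeholders.
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    cve: str
    cvss: float
    severity: str

# Constructed output of the service-detection step (step 2).
DETECTED = [
    {"host": "10.0.0.5", "port": 22, "service": "openssh", "version": "7.4"},
    {"host": "10.0.0.5", "port": 80, "service": "apache", "version": "2.4.49"},
    {"host": "10.0.0.7", "port": 80, "service": "apache", "version": "2.4.54"},
]

# Constructed database: product -> list of (first fixed version, CVE placeholder, CVSS score).
VULN_DB = {
    "openssh": [("7.5", "CVE-XXXX-0001", 7.5)],
    "apache": [("2.4.51", "CVE-XXXX-0002", 9.8)],
}

def parse_version(v):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def cvss_severity(score):
    """CVSS v3 qualitative scale; 9.0-10.0 is the most severe band (Critical)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score >= 0.1 else "None"

def identify(detected, vuln_db):
    """Step 3: compare each detected service/version with the vulnerability database."""
    findings = []
    for svc in detected:
        for fixed_in, cve, score in vuln_db.get(svc["service"], []):
            if parse_version(svc["version"]) < parse_version(fixed_in):
                findings.append(Finding(svc["host"], svc["port"], svc["service"],
                                        svc["version"], cve, score, cvss_severity(score)))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)  # most severe first
```

Step 4 (probing) is what separates this version-match list from confirmed findings; the example stops at the version comparison.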

Nessus UI - the New Scan button launches a scan. Plugin rules let us hide findings or change their severity. Host discovery scans let us view which hosts are alive.

Incident response -
Triage questions: 1. Whose account was used? 2. Where did the logon occur from? 3. Where was that account being used before the logon?
The event that triggered the alert is the incident. Typical alert sources:
EDR and AV alerts - e.g. on a specific host, attempts were made to monitor the keystrokes of a user.
Network tap alert - e.g. an alert that a host is scanning other hosts in the estate.
SIEM alert - raised when an event matches custom rules, e.g. a user's account is being logged in from two different countries simultaneously.
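Added example, not from the notes: a SIEM-style rule for the "two countries simultaneously" case, run over constructed logon events. It assumes a GeoIP lookup has already added a country field, and treats logons less than one hour apart as simultaneous; each alert carries the answers to the three triage questions above.

```python
# Added detection example; log lines are constructed, the one-hour window is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events: timestamp, user, source IP, country (as GeoIP would provide).
LOG_LINES = [
    "2024-05-01T09:00:00 logon user=alice src=198.51.100.7 country=GB",
    "2024-05-01T09:20:00 logon user=alice src=203.0.113.9 country=BR",
    "2024-05-01T09:30:00 logon user=bob src=198.51.100.8 country=GB",
    "2024-05-01T15:00:00 logon user=bob src=203.0.113.10 country=BR",
]

WINDOW = timedelta(hours=1)  # assumed meaning of "simultaneously" for this rule

def parse_line(line):
    """Split 'ts logon k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect_multi_country_logons(lines, window=WINDOW):
    """Alert when one account logs on from two different countries within `window`."""
    by_user = defaultdict(list)
    for ev in map(parse_line, lines):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(events):
            for prev in events[:i]:  # every earlier logon of the same account
                if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                    alerts.append({
                        "user": user,                                   # whose account
                        "logon_from": f'{cur["src"]} ({cur["country"]})',  # where the logon came from
                        "used_before_at": f'{prev["src"]} ({prev["country"]})',  # where it was used before
                        "gap_minutes": int((cur["ts"] - prev["ts"]).total_seconds() // 60),
                    })
    return alerts
```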

As a Tier 1 security engineer, the focus is mainly on security monitoring: performing initial triage, separating false positives from true positives, and, if it is a major incident, escalating to the relevant teams such as SOC Tier 2, DFIR or Incident Response.

Digital Forensics:
Sometimes the alert information is not sufficient and we have to gather more information. This process is usually referred to as digital forensics. Here we perform a much more hands-on investigation, such as:
1. Recovering the hard disk from the infected host to investigate how the malware got there in the first place.
2. Recovering the data from volatile memory (such as the computer's RAM) of the infected host to investigate how the malware works.
   The biggest mistake made during incidents is shutting the host down. A significant amount of important evidence lives in volatile storage, meaning it is lost as soon as the device loses power, so we need to ensure that evidence is preserved first; only then can we disable network access or shut the host down.
3. Recovering system and network logs from several devices to uncover how the malware spread.

Burp Suite: Burp Suite is a powerful web vulnerability scanner and proxy tool. It can scan for common security issues like SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). Burp Suite can intercept and manipulate HTTP requests and responses because it acts as a proxy between the browser and the web server. For example, using the Proxy tab we can intercept user inputs like form submissions and URL parameters. If a request looks vulnerable to SQL injection, we can send it to Repeater and inject SQL payloads like ' OR '1'='1, then analyse the response by checking for database errors.
Other features of Burp Suite include:
Repeater: a tool that allows us to manually craft and send HTTP requests.
Intruder: a tool that automates customized attacks on a web application.
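Added example, not from the notes or from Burp Suite: the kind of login query the test above probes, once as vulnerable string concatenation and once parameterized, run against a constructed in-memory SQLite table. It shows why the ' OR '1'='1 payload matches every row in the first form and nothing in the second, and why a lone quote surfaces as a database error.

```python
# Added illustration of the SQL injection the notes describe; the users table is constructed.
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, name, password):
    # Untrusted input spliced into the SQL text: the ' OR '1'='1 payload turns the
    # WHERE clause into a tautology, so every row "authenticates".
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in con.execute(sql)]

def login_safe(con, name, password):
    # Parameterized query: values travel separately from the SQL text, so the same
    # payload is compared literally against the password column and matches nothing.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]

def database_error_for(con, name, password):
    # What the tester reads in the response: a database error leaking back on
    # malformed input is the tell-tale sign that input reaches the query unescaped.
    try:
        login_vulnerable(con, name, password)
        return None
    except sqlite3.OperationalError as e:
        return str(e)
```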

Wireshark:
Wireshark is an open-source network packet analyser capable of sniffing and investigating live traffic and inspecting packet captures (PCAP). It has multiple uses:
Detecting and troubleshooting network problems, such as network load failure points and congestion.
Detecting security anomalies, such as rogue hosts, abnormal port usage and suspicious traffic.
Investigating and learning protocol details, such as response codes and payload data.
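Added example, not Wireshark code: a minimal PCAP reader that flags the abnormal-port-usage case above (one host touching many host:port pairs, the same thing a network tap alert would raise). The capture is constructed in memory with Ethernet/IPv4/TCP frames and zeroed checksums, and the threshold of ten distinct targets is an assumption.

```python
# Added example, not Wireshark code: read a PCAP and flag a host touching many host:port
# pairs. The capture is constructed in memory; checksums are left zero (fine for parsing).
import struct
from collections import defaultdict

def tcp_syn_packet(src, dst, sport, dport):
    """Ethernet + IPv4 + TCP SYN frame built with struct (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def iter_frames(pcap):
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len

def tcp_tuple(frame):
    """(src, dst, sport, dport) for IPv4/TCP frames, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, dst, sport, dport

def find_scanners(pcap, threshold=10):
    """Sources that contacted more than `threshold` distinct (host, port) pairs."""
    targets = defaultdict(set)
    for frame in iter_frames(pcap):
        t = tcp_tuple(frame)
        if t:
            targets[t[0]].add((t[1], t[3]))
    return {src: len(s) for src, s in targets.items() if len(s) > threshold}

# Constructed capture: 10.0.0.99 probes 20 ports on 10.0.0.5; 10.0.0.3 makes one normal connection.
SAMPLE = build_pcap([tcp_syn_packet("10.0.0.99", "10.0.0.5", 40000 + p, p) for p in range(1, 21)]
                    + [tcp_syn_packet("10.0.0.3", "10.0.0.5", 50000, 443)])
```

A real capture saved from Wireshark can be passed to find_scanners by reading the file as bytes; the same logic is what the Wireshark Conversations/Endpoints statistics show interactively.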

Snort:
Snort is an open-source, rule-based Intrusion Prevention System. Snort uses a series of rules that define malicious activity, finds packets that match them, and generates alerts.
Capabilities of Snort: live traffic analysis, attack and probe detection, packet logging, protocol analysis and real-time alerting.
Snort has three main modes: Sniffer mode (reads IP packets), Packet Logger mode (logs packets), and NIDS/NIPS mode (logs or drops malicious packets according to the rules).

IDS is a passive monitoring solution for detecting possible malicious activity, abnormal incidents and policy violations. It is responsible for generating an event for each suspicious activity. Two types:
NIDS: monitors the traffic flow from various areas of the network to investigate the traffic on the entire subnet. If a signature is identified, an alert is generated.
HIDS: monitors the traffic flow from a single endpoint device.
IPS is an active protection solution for detecting possible malicious activity, abnormal incidents and policy violations. It is responsible for stopping/preventing/terminating the suspicious event as soon as the detection is made.

Kevin Mitnick. Kevin Mitnick after stealing computer code from tech companies like Nokia and Motorola.

Splunk is one of the leading SIEM solutions in the market; it provides the ability to collect, analyze and correlate network and machine logs in real time.
Splunk has three main components, namely Forwarder, Indexer and Search Head:
Forwarder - installed on the endpoint; its main task is to collect the data and send it to the Splunk instance.
Indexer - normalizes the data into field-value pairs.
Search Head - the place within the Search & Reporting app where users can search the indexed logs using the Splunk Search Processing Language.


To upload data there are five steps:
1. Select Source - choose the log source.
2. Select Source Type - the type of logs (app, DB, mail, web).
3. Input Settings - select the index where these logs will be stored and give the hostname.
4. Review
5. Done

Threat Intelligence and Analysis:
Threat intelligence is the analysis of data and information, using tools and techniques, to mitigate potential threats to an organization. We gather information about threats from various sources: OSINT tools like Shodan and Maltego, threat-sharing platforms like MISP, and tools like VirusTotal, with which we can also analyse IOCs such as IP addresses, URLs and hashes.
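Added example, not from the notes: the IOC-handling step that precedes a VirusTotal or MISP lookup, extracting IP addresses, URLs and hashes from a constructed report excerpt, refanging defanged forms (hxxp, [.]) and classifying hashes by length. The report text is constructed, and the two digests are the well-known hashes of the empty string, used as harmless sample values; the lookup itself is not shown.

```python
# Added IOC extraction example; REPORT is constructed, hashes are empty-string digests.
import re

REPORT = """
Beacon to hxxp://malicious[.]example/update.php from 203[.]0[.]113[.]9.
Dropper md5 d41d8cd98f00b204e9800998ecf8427e, sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def refang(text):
    """Undo common defanging so indicators are in the form lookup tools expect."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), text)

def extract_iocs(text):
    """Return {'ip': set, 'url': set, 'hash': {digest: algorithm}} found in text."""
    text = refang(text)
    iocs = {"ip": set(), "url": set(), "hash": {}}
    for url in re.findall(r"https?://[^\s'\"<>]+", text):
        iocs["url"].add(url.rstrip(".,;"))  # drop sentence punctuation glued to the URL
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text):
        if all(0 <= int(octet) <= 255 for octet in ip.split(".")):  # reject 999.1.1.1
            iocs["ip"].add(ip)
    for h in re.findall(r"\b[0-9a-fA-F]{32,64}\b", text):
        if len(h) in HASH_LENGTHS:  # only md5/sha1/sha256 lengths count as hashes
            iocs["hash"][h.lower()] = HASH_LENGTHS[len(h)]
    return iocs
```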

Nmap
