CA Module 4

The document provides an overview of Linux's role in Security Operations Centers (SOCs), highlighting its flexibility and the use of tools like Security Onion and Sguil for cybersecurity analysis. It details various SOC tools such as network packet capture software, malware analysis tools, and intrusion detection systems, as well as best practices for server hardening and monitoring. Additionally, it discusses client-server communications, common ports for services, and the importance of log management and rootkit detection in maintaining Linux security.

Linux Overview

Linux in the SOC
• The flexibility provided by Linux is a great feature for the SOC. The entire operating system can be tailored to become the perfect security analysis platform.
• Sguil is the cybersecurity analyst console in a special version of Linux called Security Onion.
• Security Onion is an open source suite of tools that work together for network security analysis.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Linux Overview
Linux in the SOC (Contd.)
The following table lists a few tools that are often found in a SOC:

Network packet capture software
• A crucial tool for a SOC analyst as it makes it possible to observe and understand every detail of a network transaction.
• Wireshark is a popular packet capture tool.

Malware analysis tools
• These tools allow analysts to safely run and observe malware execution without the risk of compromising the underlying system.

Intrusion detection systems (IDSs)
• These tools are used for real-time traffic monitoring and inspection.
• If any aspect of the currently flowing traffic matches any of the established rules, a pre-defined action is taken.

Linux Overview
Linux in the SOC (Contd.)
Firewalls
• This software is used to specify, based on pre-defined rules, whether traffic is allowed to enter or leave a network or device.

Log managers
• Log files are used to record events.
• Because a network can generate a very large number of log entries, log manager software is employed to facilitate log monitoring.

Security information and event management (SIEM)
• SIEMs provide real-time analysis of alerts and log entries generated by network appliances such as IDSs and firewalls.

Ticketing systems
• Task ticket assignment, editing, and recording are done through a ticket management system. Security alerts are often assigned to analysts through a ticketing system.

Linux Overview
Linux Tools
• Linux computers that are used in the SOC often contain penetration testing tools.
• A penetration test, also known as PenTesting, is the process of looking for vulnerabilities in a network or computer by attacking it.
• Packet generators, port scanners, and proof-of-concept exploits are examples of PenTesting tools.
• Kali Linux is a Linux distribution that bundles many penetration testing tools in a single distribution.
• The figure shows the major categories of penetration testing tools included in Kali Linux.
Linux Servers and Clients
An Introduction to Client-Server Communications
• Servers are computers with software installed that enables them to provide services to clients across the network.
• Some provide external resources such as files, email messages, or web pages to clients upon request.
• Other services run maintenance tasks such as log management, disk scanning and so on.
• Each service requires separate server software.
• The server in the figure uses file server software to provide clients with the ability to retrieve and submit files.
Linux Servers and Clients
Servers, Services, and Their Ports
• A port is a reserved network resource used by a service.
• While the administrator can decide which port to use with any given service, many clients are configured to use a specific port by default.
• The following table lists a few commonly used ports and their services. These are also called well-known ports.

Port Description
20/21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet remote login service
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name System (DNS)
67/68 Dynamic Host Configuration Protocol (DHCP)
Linux Servers and Clients
Servers, Services, and Their Ports (Contd.)
Port Description
69 Trivial File Transfer Protocol (TFTP)
80 Hypertext Transfer Protocol (HTTP)
110 Post Office Protocol version 3 (POP3)
123 Network Time Protocol (NTP)
143 Internet Message Access Protocol (IMAP)
161/162 Simple Network Management Protocol (SNMP)
443 HTTP Secure (HTTPS)
Linux Servers and Clients
Clients
• Clients are programs or applications designed to communicate with a specific type of server.
• Clients use a well-defined protocol to communicate with the server.
• Web browsers are web clients that are used to communicate with web servers through the Hypertext Transfer Protocol (HTTP) on port 80.
• The File Transfer Protocol (FTP) client is software used to communicate with an FTP server.
• The figure shows a client uploading files to a server.
Basic Server Administration
Hardening Devices
• Device hardening involves implementing proven methods of securing the device and protecting its administrative access.
• Some of these methods involve maintaining passwords, configuring enhanced remote login features, and implementing secure login with SSH.
• Depending on the Linux distribution, many services are enabled by default. Stopping such services and ensuring they do not automatically start at boot time is another device hardening technique.
• OS updates are extremely important to maintaining a hardened device. OS developers create and issue fixes and patches regularly.

Basic Server Administration
Hardening Devices (Contd.)
The following are basic best practices for device hardening:
• Ensure physical security
• Minimize installed packages
• Disable unused services
• Use SSH and disable the root account login over SSH
• Keep the system updated
• Disable USB auto-detection
• Enforce strong passwords
• Force periodic password changes
• Keep users from re-using old passwords
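Several of the practices above (disable root login over SSH, force periodic password changes) map directly to settings in configuration files, so they can be audited rather than taken on trust. The following script is an added example and not part of the original course material. It assumes the standard OpenSSH keywords `PermitRootLogin` and `PasswordAuthentication` in `sshd_config` and the `PASS_MAX_DAYS` setting in `/etc/login.defs`; the file contents it audits are constructed samples written to a temporary directory, and on a real host the functions would be pointed at `/etc/ssh/sshd_config` and `/etc/login.defs`.

```shell
#!/bin/sh
# Added example: audit a few device-hardening settings from config files.
# Sample file contents are constructed; real paths would be
# /etc/ssh/sshd_config and /etc/login.defs.

# config_value FILE KEY -> effective value of KEY, ignoring comment lines.
# sshd honours the first occurrence of a keyword, so the first match wins.
# Keyword comparison is case-insensitive, as sshd's own parser is.
config_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd FILE -> one finding per line; prints nothing when clean.
# An unset PasswordAuthentication is flagged because sshd defaults it to yes.
check_sshd() {
    v=$(config_value "$1" PermitRootLogin)
    [ "$v" = "no" ] || printf 'PermitRootLogin is "%s" (expected no)\n' "${v:-unset}"
    v=$(config_value "$1" PasswordAuthentication)
    [ "$v" = "no" ] || printf 'PasswordAuthentication is "%s" (expected no)\n' "${v:-unset}"
}

# check_password_aging FILE MAX_DAYS -> flags PASS_MAX_DAYS unset or above MAX_DAYS
check_password_aging() {
    v=$(config_value "$1" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt "$2" ]; then
        printf 'PASS_MAX_DAYS is "%s" (expected <= %s)\n' "${v:-unset}" "$2"
    fi
}

# make_sample_configs -> prints a temp directory holding constructed,
# deliberately weak sshd_config and login.defs samples
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat > "$dir/login.defs" <<'EOF'
# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
EOF
    printf '%s\n' "$dir"
}

# Usage: run the audit against the sample files and clean up.
d=$(make_sample_configs)
check_sshd "$d/sshd_config"
check_password_aging "$d/login.defs" 90
rm -rf "$d"
```

Against the sample files the audit reports three findings: root login permitted, password authentication left at its default, and a 99999-day maximum password age. Note that the commented-out `#PasswordAuthentication no` line is correctly ignored; a check that grepped for the keyword without skipping comments would have passed it.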
Basic Server Administration
Monitoring Service Logs
• Log files are the records that a computer stores to keep track of important events. Kernel, services, and application events are all recorded in log files.
• By monitoring Linux log files, an administrator gains a clear picture of the computer’s performance, security status, and any underlying issues.
• In Linux, log files can be categorized as:
  • Application logs
  • Event logs
  • Service logs
  • System logs
• Some logs contain information about daemons that are running in Linux. A daemon is a background process that runs without the need for user interaction.
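A service log worth monitoring on almost every Linux server is the one written by the SSH daemon, since it records every authentication attempt. The script below is an added example, not part of the original course material: it summarises failed SSH logins per source address and lists attempts against the root account. The log lines are constructed in the syslog format OpenSSH uses (the hostname, addresses and fingerprint are made up); on a real host the input would be `/var/log/auth.log` or `/var/log/secure`, or the journal.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from a service log.
# The log lines below are constructed sample data in syslog format.

sample_auth_log() {
cat <<'EOF'
Mar 10 09:12:01 soc-host sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 10 09:12:04 soc-host sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 10 09:12:07 soc-host sshd[2044]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 10 09:13:30 soc-host sshd[2050]: Accepted publickey for analyst from 192.0.2.10 port 40112 ssh2: ED25519 SHA256:constructedFingerprint
Mar 10 09:14:02 soc-host sshd[2052]: Failed password for root from 203.0.113.7 port 33001 ssh2
Mar 10 09:15:44 soc-host cron[2060]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# failed_logins_by_source -> "count ip" lines, most frequent first.
# Only sshd "Failed password" lines count; the IP is the token after "from",
# which handles both "for USER from" and "for invalid user USER from".
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# sources_over_threshold N -> source IPs with more than N failed logins
sources_over_threshold() {
    failed_logins_by_source | awk -v n="$1" '$1 > n { print $2 }'
}

# root_login_attempts -> every failed or accepted sshd login aimed at root,
# useful for verifying that "PermitRootLogin no" is really in effect
root_login_attempts() {
    grep -E 'sshd\[[0-9]+\]: (Failed|Accepted) [a-z]+ for root from'
}

# Usage: which sources exceeded two failed logins in the sample?
sample_auth_log | sources_over_threshold 2
```

In the sample, 198.51.100.23 accounts for three failures and is the only source over the threshold; the cron line and the successful key-based login for `analyst` are ignored by the failure counter.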
Working on a Linux Host
Malware on a Linux Host
• Linux malware includes viruses, Trojan horses, worms, and other types of malware that can affect the operating system.
• A common Linux attack vector is its services and processes.
• The command output shows an attacker using the Telnet command to probe the nature and version of a web server (port 80).
• The attacker has learned that the server is running nginx version 1.12.0. The next step would be to research known vulnerabilities in the nginx 1.12.0 code.

Working on a Linux Host
Rootkit Check
• A rootkit is a type of malware designed to increase an unauthorized user’s privileges or grant access to portions of the software that should not normally be allowed.
• A rootkit is destructive as it changes kernel code and its modules, changing the most fundamental operations of the OS itself.
• Rootkit detection methods include booting the computer from trusted media.
• Rootkit removal can be complicated. Re-installation of the operating system is the only real solution to the problem.
• chkrootkit is a popular Linux-based program designed to check the computer for known rootkits.
• The command output shows the output of chkrootkit on an Ubuntu Linux host.