2. Who Am I?
Amir Zargaran (LPIC-2, ITIL v3, Splunk Power User, ACSA)
Cyber Security Consultant and Instructor
- Design and implementation of enterprise SOCs
- Administration and analysis of ArcSight ESM
- Splunk power user
- Network security and Linux system administration
Zargaran@mail.com
https://www.linkedin.com/in/amirzargar
+98 9129355339
3. Agenda:
Day 1
Introduction
Most common attacks and how to counter them
What is Security Operations Center
Day 2
Key features and modules
Processes and Procedures
People
Day 3
Technology
Network Monitoring and Investigations
Correlation
Lab
6. Eavesdropping
Data Modifications
Identity Spoofing (IP Address Spoofing)
Password-Based Attacks
Denial of Service
Man in the Middle
Compromised-key Attack
Application-Layer Attack
7. Eavesdropping
In general, the majority of network communications occur in an unsecured or "clear text" format, which allows an attacker who has gained access to a data path in your network to "listen in" on, or read, the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally one of the biggest security problems that administrators face in an enterprise. Without strong encryption of data in transit, your data can be read by anyone positioned on the path it traverses.
8. Data Modification
After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in a packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages modified in transit: integrity protection (a message authentication code or signature that the receiver verifies) is needed whether or not the payload is encrypted. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.
9. Identity Spoofing (IP Address Spoofing)
Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases it is possible for an attacker to falsely assume an IP address; this is identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet. After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.
10. Password-Based Attacks
A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and to network resources are determined by who you are, that is, your user name and your password.
Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.
When an attacker obtains a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker can also create accounts for subsequent access at a later time.
11. What Happens After a Password Attack?
Obtain lists of valid user and computer names and network information.
Modify server and network configurations, including access controls and routing tables.
Modify, reroute, or delete your data.
12. Denial-of-Service Attack
Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as the eye can see. Normally this road never sees more than a car or two, but a county fair and a major sporting event have ended around the same time, and this road is the only way for visitors to leave town. The road can't handle the massive amount of traffic, and as a result it gets so backed up that pretty much no one can leave.
15. What Happens in a DoS Attack?
That's essentially what happens to a website during a denial of service (DoS) attack. If you flood a website with more traffic than it was built to handle, you'll overload the website's server and it will be nearly impossible for the website to serve its content to visitors who are trying to access it.
17. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at the lower layers of the network stack, they might not be able to determine with whom they are exchanging data unless each end authenticates the other.
19. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.
20. Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside them. Even encapsulated (tunneled) packets can be opened and read unless they are encrypted and the attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
Read your communications.
21. Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:
Read, add, delete, or modify your data or operating system.
Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.
Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.
Abnormally terminate your data applications or operating systems.
Disable other security controls to enable future attacks.
22. But it is not sufficient!
Many attacks do not follow any structured mechanism!
24. What is a Zero-Day Attack?
A zero-day vulnerability, at its core, is a flaw in software or hardware that is unknown to the vendor and therefore has no patch. A zero-day exploit is code or a technique that takes advantage of such a flaw in the wild, and it can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for signature-based detection ... at first.
28. What is Anomaly Traffic Detection?
Detection that is independent of rules or signatures
An approach to network security threat detection
Complementary to technologies that detect security threats based on packet signatures
Continuous monitoring for unusual traffic and events
In data mining, anomaly detection is the identification of items, events or observations which do not conform to an expected pattern
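The following is an added example of rule-free anomaly detection, not code from the original deck. It compares each host's DNS query rate only against that host's own history, using the median and the median absolute deviation (MAD) rather than a signature, so a burst like the one DNS tunnelling produces is flagged without knowing anything about the tool that caused it. The log lines, the "HH:MM client_ip name" layout, the threshold k and the MAD floor are all assumptions made for the example.

```python
"""Rule-free anomaly detection over per-host DNS query rates.

Added example, not code from the original deck. The log lines are
constructed for the example, and the field layout ("HH:MM client_ip name")
is an assumption. Each host is compared only with its own history, using
the median and median absolute deviation (MAD), so no signature of a
specific attack is required.
"""
from collections import Counter, defaultdict
from statistics import median


def build_log():
    """Constructed resolver log. 10.0.0.9 makes 4-6 queries per minute and
    then 60 in the last minute, the kind of burst DNS tunnelling produces."""
    per_minute = {
        "10.0.0.5": [3, 2, 4, 3, 2, 4, 3],
        "10.0.0.9": [4, 5, 4, 6, 4, 5, 60],
    }
    lines = []
    for minute in range(7):
        for host, counts in per_minute.items():
            for i in range(counts[minute]):
                lines.append(f"09:0{minute} {host} host{i}.example.net")
    return lines


def count_per_window(lines):
    """Return {window: Counter(client_ip -> query count)}."""
    windows = defaultdict(Counter)
    for line in lines:
        window, host, _name = line.split(" ", 2)
        windows[window][host] += 1
    return windows


def robust_score(history, current, floor=1.0):
    """(current - median) / MAD. The MAD is floored so a perfectly flat
    baseline (MAD == 0) still gives a finite score instead of a division
    by zero; the floor value is an assumption of this example."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return (current - med) / max(mad, floor)


def flag_anomalies(windows, current_window, k=5.0, min_history=3):
    """Hosts whose count in current_window is more than k robust deviations
    above their own earlier windows. Returns {host: (count, score)}.
    Hosts with fewer than min_history earlier windows are skipped, because
    a baseline built from one or two samples is not a baseline."""
    history_windows = sorted(w for w in windows if w < current_window)
    flagged = {}
    for host, current in windows.get(current_window, Counter()).items():
        history = [windows[w].get(host, 0) for w in history_windows]
        if len(history) < min_history:
            continue
        score = robust_score(history, current)
        if score > k:
            flagged[host] = (current, round(score, 1))
    return flagged


if __name__ == "__main__":
    print(flag_anomalies(count_per_window(build_log()), "09:06"))
```

Median and MAD are used instead of mean and standard deviation because a single earlier burst would otherwise inflate the baseline and hide the next one; a real deployment would also key the baseline by time of day, since a rate that is normal at 10:00 is not normal at 03:00.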
30. What is a SOC?
Operates 24x7 from a central offsite location
Complete and proactive response to security incidents
Predicts security attacks and minimizes their impact
Implements security policy across the enterprise
Reduces the cost of security support by providing centralized support
A SOC delivers:
Incident management
Governance, risk and compliance
Monitoring and management of devices/events
Implementation of security policies
31. How a SOC Works
Rather than being focused on developing security strategy, designing security architecture, or implementing protective measures, the SOC team is responsible for the ongoing, operational component of enterprise information security. Security operations center staff is comprised primarily of security analysts who work together to detect, analyze, respond to, report on, and prevent cybersecurity incidents. Additional capabilities of some SOCs can include advanced forensic analysis, cryptanalysis, and malware reverse engineering to analyze incidents.
32. First Step!
The first step in establishing an organization's SOC is to clearly define a strategy that incorporates business-specific goals from various departments as well as input and support from executives. Once the strategy has been developed, the infrastructure required to support that strategy must be implemented. According to best practices, typical SOC infrastructure includes firewalls, IPS/IDS, breach detection solutions, probes, and a security information and event management (SIEM) system. Technology should be in place to collect data via data flows, telemetry, packet capture, syslog, and other methods so that data activity can be correlated and analyzed by SOC staff. The security operations center also monitors networks and endpoints for vulnerabilities in order to protect sensitive data and comply with industry or government regulations.
33. The Benefits of Having a SOC
Improvement of security incident response
24/7 monitoring gives organizations an advantage in defending against incidents and intrusions regardless of source, time of day, or attack type
The gap between attackers' time to compromise and enterprises' time to detection is well documented in Verizon's annual Data Breach Investigations Reports, and having a security operations center helps organizations close that gap and stay on top of the threats facing their environments
34. SOC Best Practices
Focus on human resources rather than technological resources
Continuous recognition of threats
Human analysis
Stay current on the latest threats and use that knowledge to defend
Awareness of vulnerabilities within the organization and their relationship to external threats
37. SOC Processes
Analytical processes:
  Intrusion Analytical Process
  Training Process
  Subtle Event Process
Operational processes:
  Event Management Process
  Daily Operation Process
  Reporting Process
Technological processes:
  Design Process
  Configuration Management
  System Administration
Business processes:
  Metric Process
  Process Improvement Process
  Business Continuity Process
38. Process and Escalation in SOC
Diagram (steps 1 to 6): the escalation flow involves the Correlation Engine, the Level 1 analyst, the Level 2 analyst, the Incident Handler, the Engineer, and the Network and System Owners, and ends either in Escalation or in Case Closed. The diagram is laid out along the three dimensions Process, People and Technology.
42. People Skills (24x7)
Forensic knowledge
Proficiency in coding, scripting and protocols
Managing threat intelligence
Penetration testing knowledge
Data analysis
Minimum 2 years' experience in monitoring and incident management
Experience reviewing and analyzing network packet captures
Experience performing security/vulnerability reviews of network environments
A comprehensive understanding of the TCP/IP protocol suite, security architecture and remote access security techniques/products
Strong research background, utilizing an analytical approach
Highly motivated individual with the ability to self-start, prioritize, multi-task and work in a team setting
43. SOC People Skills
Most Wanted Skills (Low=L, Medium=M, High=H)
Skills  | Windows | Linux | Scripting/Writing | C/Java/Python | Pen Testing | Packet Analysis | Forensics | Networking | SIEM
Level 1 | L       | L     | L                 | L             | L           |                 |           |            |
Level 2 | M       | L     | L                 | L             | L           | M               | M         | M          | M
Level 3 | H       | H     | M                 | M             | M           | H               | H         | H          | H
45. SOC Manager Roles
Leadership to bring all stakeholders together
Stitch together the solutions from different teams and drive them to conclusion
Understand the security posture and be able to guide the team
Good communication skills
Verification of knowledge base updates
Escalation of tasks and tickets to CIERT
46. Senior SOC Engineer (Tier 3) Roles
Forensic analysis actions
Investigating intrusion attempts and performing in-depth analysis of exploits
Assigning tasks to other operators with SOC manager confirmation
Designing and implementing all use cases
Providing information regarding intrusion events, security incidents, and other threat indications and warning information
Training
SOC tools administration
47. Tier 2 Analyst Roles
Searching and investigating triggered incidents
Updating the knowledge base
Escalating all unresolved incidents
Analyzing incidents with correlation
Setting the priority of assets
Creating scheduled tasks for backups
Backup planning
Analyzing raw logs
Continuous research and development (R&D)
48. Tier 1 Operator Roles
Deep analysis of any raw channel and reports
Investigating correlated events
Escalating any unresolved incident
Building analysis dashboards promptly
Producing analysis reports promptly
Continuously monitoring queued incidents and raw events
Supervising the health of all tools
Research and development
Self-study to keep security investigation knowledge up to date
Creating a ticket for every incident analysis (for knowledge base updating or escalation)
50. SIEM
Security Information and Event Management provides real-time analysis of security alerts generated by applications and network hardware.
Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.
51. Most Widely Used SIEMs
• QRadar
• Splunk
• LogRhythm
• McAfee
• ArcSight
53. ArcSight
Micro Focus ArcSight is a cyber security company founded in 2000 that provides big data security analytics and intelligence software for SIEM and log management solutions. ArcSight is designed to help customers identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. It became a subsidiary of Hewlett-Packard in 2010. It was merged with Micro Focus on September 1, 2017. ArcSight is headquartered in Sunnyvale, California, USA, with sales offices in other countries.
54. Splunk
Splunk is an American multinational corporation based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated big data via a Web-style interface. Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Splunk's mission is to make machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems, and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and Web analytics. As of early 2016, Splunk has over 10,000 customers worldwide. Splunk is based in San Francisco, with regional operations across Europe, the Middle East, Africa, Asia, and Australia.
55. Data Security and Monitoring
Data Asset Classification
Data Collection
Data Normalization
Data Protection
Data Distribution
59. Escalation Management
Escalation Procedures
Pre-Escalation Tasks
IT Security
Network Operation Center
Security Engineering
CERT Integration
Law Enforcement
3rd Party Service Provider and Vendors
60. Data Recovery Procedures
Disaster Recovery
Recovery Time Objective
High Availability
Backup Planning
61. Security Incident Procedures
Email Phishing
Virus and Worm Infection
Anti-Virus Management Incident
Netflow Abnormal Behavior Incident
Network Behavior Analysis Incident
Distributed Denial of Service Incident
Host Compromise
Web Application Security Incident
Network Compromise
Domain Hijack or DNS Cache Poisoning
Suspicious User Activity
Unauthorized User Access
62. Vulnerability and Patch Management
Vulnerability Research
Patch Management
Identification
Compliance Monitoring
Network Configuration Baseline
Anti-Virus Signature Management
Microsoft and Linux Updates
70. Network Monitoring and Investigation
Example investigation chain, starting from a Network Operation Center report:
1. Report: DNS usage threshold raised.
2. Find the IP address with the maximum number of DNS lookups.
3. Report all traffic usage for that IP address.
4. The maximum number of failed database logins is also from this IP address.
5. Get the specific query generated from this IP address.
6. Find that 3 IP addresses have generated this specific query.
7. After that, find the .exe file executed on those hosts at that time.
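The chain above, carried out over constructed log sources, as an added example that is not code from the original deck. Each step takes the previous step's result as its pivot value: the DNS top talker becomes the address looked up in the database audit trail, the statement it ran becomes the value searched across all database clients, and the hosts that ran it become the scope for the process-execution search. The line layouts, addresses, statement text and image names are all assumptions made for the example.

```python
"""Cross-source pivot for the DNS-threshold investigation chain.

Added example, not code from the original deck. All log lines are
constructed; the line layouts ("HH:MM client_ip <rest>"), the addresses
and the image names are assumptions made for the example.
"""
from collections import Counter

DNS_LOG = [f"10:01 10.0.0.9 t{i}.tunnel.example" for i in range(40)] + [
    f"10:01 10.0.0.{h} www.example.com" for h in (7, 12, 15)
]
DB_AUTH_LOG = ["10:02 10.0.0.9 sa FAILED"] * 6 + ["10:02 10.0.0.7 appuser SUCCESS"]
DB_QUERY_LOG = [
    "10:03 10.0.0.9 SELECT name, password_hash FROM users",
    "10:03 10.0.0.7 SELECT 1",
    "10:04 10.0.0.12 SELECT name, password_hash FROM users",
    "10:04 10.0.0.15 SELECT name, password_hash FROM users",
]
PROCESS_LOG = [
    "10:03 10.0.0.9 C:\\Tools\\dump.exe",
    "10:04 10.0.0.12 C:\\Tools\\dump.exe",
    "10:04 10.0.0.15 C:\\Tools\\dump.exe",
    "10:04 10.0.0.7 C:\\Windows\\explorer.exe",  # other host: must not be pulled in
    "10:09 10.0.0.12 C:\\Tools\\late.exe",       # pivoted host, but outside the window
]


def dns_top_talker(dns_log, threshold):
    """Steps 1-2: the client with the most lookups, if it crossed the threshold."""
    counts = Counter(line.split(" ", 2)[1] for line in dns_log)
    ip, n = counts.most_common(1)[0]
    return (ip, n) if n > threshold else None


def failed_logins_by_ip(db_auth_log):
    """Step 4: failed database logins per source address."""
    counts = Counter()
    for line in db_auth_log:
        _t, ip, _user, outcome = line.split(" ", 3)
        if outcome == "FAILED":
            counts[ip] += 1
    return counts


def sources_of_query(db_query_log, stmt):
    """Step 6: every (time, ip) that issued exactly this statement."""
    return [(t, ip) for t, ip, s in (l.split(" ", 2) for l in db_query_log) if s == stmt]


def executables_in_window(process_log, ips, start, end):
    """Step 7: .exe images started on the pivoted hosts within [start, end]."""
    hits = []
    for line in process_log:
        t, ip, image = line.split(" ", 2)
        if ip in ips and start <= t <= end and image.lower().endswith(".exe"):
            hits.append((t, ip, image))
    return hits


def investigate(dns_log, db_auth_log, db_query_log, process_log, dns_threshold=30):
    """Run the whole chain; returns None when the DNS threshold was not crossed."""
    alert = dns_top_talker(dns_log, dns_threshold)
    if alert is None:
        return None
    ip, dns_count = alert
    failures = failed_logins_by_ip(db_auth_log)
    top_failing_ip = failures.most_common(1)[0][0] if failures else None
    # Step 5: statements issued from the suspicious address
    own_queries = {s for _t, src, s in (l.split(" ", 2) for l in db_query_log) if src == ip}
    # Step 6: a statement that other hosts also ran is the pivot to those hosts
    pivots = []
    for stmt in sorted(own_queries):
        hits = sources_of_query(db_query_log, stmt)
        hosts = list(dict.fromkeys(src for _t, src in hits))  # first-seen order
        if len(hosts) > 1:
            start, end = min(t for t, _ in hits), max(t for t, _ in hits)
            pivots.append({
                "query": stmt,
                "hosts": hosts,
                "executables": executables_in_window(process_log, set(hosts), start, end),
            })
    return {"dns": (ip, dns_count), "db_failures_top_is_same_ip": top_failing_ip == ip,
            "pivots": pivots}


if __name__ == "__main__":
    print(investigate(DNS_LOG, DB_AUTH_LOG, DB_QUERY_LOG, PROCESS_LOG))
```

Timestamps are kept as "HH:MM" strings and compared lexicographically, which only works because they are zero-padded and from the same day; real sources need full timestamps normalized to one clock, which is why an NTP server appears among the SOC tools later in this deck.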
72. John
John's PC. John's working time: 08:00 to 17:00. John shuts down his PC at 17:00.
1. Microsoft Event Viewer generates events (stopping services, logging John out, shutting down Windows) at 17:00; these reach the correlation engine.
2. The access control device records John's exit; the exit log is generated at 17:05.
endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
1: 17:00 | Stop Service | John | 1.1.1.1 | /Operation Systems | /Success | High | Stop the explorer Service
2: 17:05 | Exit Normally | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control
73. David
John's PC. David's working time: 17:00 to 08:00. David turns on John's PC!
3. The access control device records David entering at 17:00; the entry log is generated at 17:00.
4. Microsoft Event Viewer generates events (logon to John's PC, starting services) at 18:00; these reach the correlation engine.
endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
3: 17:00 | Enter Normally | David | accessControl IP Addr | /Access/Device | /Success | Low | Enter David into Access Control
4: 18:00 | Turn on PC | John | 1.1.1.1 | /Operation Systems | /Success | Medium | Start Windows
74. Correlation Engine
Conditions in the correlation rule:
If {
  AND( sourceAddress = "1.1.1.1",
       categoryBehavior = "/Authentication/Verify",
       categoryOutcome = "/Success",
       NOT( endTime between "08:00" and "17:00" ) )
}
Then {
  Action = "Anomaly User Activity Correlated", send notification to "John@Company.co"
}
Note that event 4 above carries categoryBehavior /Operation Systems, so the rule as written matches the successful logon event (categoryBehavior /Authentication/Verify) that follows the PC start, not the "Turn on PC" event itself.
Correlated event:
5: 18:05 | Anomaly User Behavior | ArcSight | 1.1.1.1 | /Found | /Attempt | Very High | Unauthorized User Login
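The rule above, implemented over constructed events in the deck's own field layout, as an added example; it is not the deck's ArcSight rule or any ArcSight code. It goes one step beyond the slide: besides the time-window test, it checks whether the account owner's last badge event before the logon was an exit, which is what distinguishes John working late from David using John's PC. The access-control device address 10.9.9.9 and the "Logon" event with categoryBehavior /Authentication/Verify are assumptions (the deck's event 4, "Turn on PC", carries /Operation Systems and does not match the rule as written).

```python
"""The slide's correlation rule plus a badge-out cross-check.

Added example, not the deck's ArcSight rule or ArcSight code. The events
are constructed in the deck's pipe-separated schema; the access-control
address 10.9.9.9 and the 18:01 'Logon' event are assumptions.
"""

EVENTS = """\
endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
17:00 | Stop Service | John | 1.1.1.1 | /Operation Systems | /Success | High | Stop the explorer Service
17:00 | Enter Normally | David | 10.9.9.9 | /Access/Device | /Success | Low | Enter David into Access Control
17:05 | Exit Normally | John | 10.9.9.9 | /Access/Device | /Success | Low | Exit John from Access Control
18:00 | Turn on PC | John | 1.1.1.1 | /Operation Systems | /Success | Medium | Start Windows
18:01 | Logon | John | 1.1.1.1 | /Authentication/Verify | /Success | Medium | Interactive logon
"""

WORK_START, WORK_END = "08:00", "17:00"


def parse_events(table):
    """Pipe-separated rows -> list of dicts keyed by the header names."""
    rows = [[c.strip() for c in line.split("|")] for line in table.strip().splitlines()]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def to_minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def outside_working_hours(hhmm):
    """NOT(endTime between 08:00 and 17:00), inclusive at both ends as on the slide."""
    return not (to_minutes(WORK_START) <= to_minutes(hhmm) <= to_minutes(WORK_END))


def last_badge_event(events, user, before):
    """Most recent /Access/Device event for `user` at or before `before` (same day)."""
    candidates = [
        e for e in events
        if e["categoryBehavior"] == "/Access/Device"
        and e["sourceUserName"] == user
        and to_minutes(e["endTime"]) <= to_minutes(before)
    ]
    return max(candidates, key=lambda e: to_minutes(e["endTime"]), default=None)


def correlate(events, monitored_address="1.1.1.1", notify="John@Company.co"):
    """Apply the rule to every event; return the correlated events it raises."""
    raised = []
    for e in events:
        if not (
            e["sourceAddress"] == monitored_address
            and e["categoryBehavior"] == "/Authentication/Verify"
            and e["categoryOutcome"] == "/Success"
            and outside_working_hours(e["endTime"])
        ):
            continue
        badge = last_badge_event(events, e["sourceUserName"], e["endTime"])
        badged_out = badge is not None and badge["name"].startswith("Exit")
        raised.append({
            "endTime": e["endTime"],
            "name": "Anomaly User Behavior",
            "sourceUserName": e["sourceUserName"],
            "sourceAddress": e["sourceAddress"],
            "categoryBehavior": "/Found",
            "categoryOutcome": "/Attempt",
            "deviceSeverity": "Very High" if badged_out else "High",
            "Message": (
                f"Logon as {e['sourceUserName']} at {e['endTime']} after that user "
                f"badged out at {badge['endTime']}: Unauthorized User Login"
                if badged_out else "Logon outside working hours"
            ),
            "notify": notify,  # the slide's action; actual delivery is out of scope here
        })
    return raised


if __name__ == "__main__":
    for event in correlate(parse_events(EVENTS)):
        print(event)
```

The severity split matters operationally: an after-hours logon alone is a Tier 1 ticket, while a logon as a user whose badge shows they have left the building is the "Unauthorized User Login" case the slide raises at Very High. Both sources must share one clock (see the NTP server in the tools list) or the badge-before-logon ordering cannot be trusted.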
75. SOC Tools and Sensors
FIM (File Integrity Management)
SCM (Security Change Management)
Vulnerability Assessment
Patch Management
Ticketing
Dashboards
NTP Server
77. SCM – HIDS – FIM Roles
File system changes
Changes to files in all monitored directories
Microsoft Windows registry changes
Service status changes
Policy changes (GPOs, compliance)
User activities
Compliance reports and remediation
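An added example of the file-integrity role above, not code from any FIM product or from the deck: a baseline of SHA-256 digests is taken over a directory tree, the tree is rescanned later, and the diff reports added, removed and modified files. The directory tree and the tampering applied to it are constructed in a temporary directory so the example runs offline; the paths are assumptions chosen to resemble what a FIM agent would watch.

```python
"""Minimal file-integrity check: baseline, rescan, diff.

Added example, not code from any FIM product or from the deck. The tree
and its tampering are constructed in a temporary directory; the file
names are assumptions made for the example.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link cannot be pointed at an unmonitored file
    to make the tree look unchanged."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        snap[path.relative_to(root).as_posix()] = digest.hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo():
    """Build a tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:!:19000::::::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = snapshot(root)

        # Constructed tampering: extra uid-0 account, trojaned binary,
        # deleted shadow file, new cron persistence entry.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")
        (root / "etc" / "shadow").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment cannot skip: the baseline must be stored off the monitored host (or signed), otherwise whoever replaced /bin/ls can rewrite the baseline too; and content hashes alone miss ownership and permission changes, so a production agent also records mode, owner and, on Windows, the registry keys listed on the slide.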
79. Lab
The structure of a log management system
Common features of log management systems
Data gathering methodologies
Search and query in log management
Reports and dashboards
Simple scenarios (user behavior analysis)