Security Data Analysis - CBT Nuggets
security log: Analyzing Security Logs
simply a documentation, of events that may be saved in a text format, so it's easy to read, or in a binary format, which makes it a little more proprietary but faster to load and unload in many situations. end workstations or servers, routers, or switches, firewalls, or intrusion detection systems or intrusion prevention systems or VPN concentrators that use logs
artificial intelligence (AI): Reviewing Security Information and Event Management (SIEM)
adding to the ability to create new definitions automatically to acquire information about what's valid in the network and define it is a part of a trusted pool and the ability to create conditional rules to specify that when we see things that are out of bounds.
phishing (social engineering): Analyzing potentially malicious e-mail
a form of cyber attack in which attackers impersonate legitimate entities, such as organizations or individuals, to deceive individuals into providing sensitive information, such as passwords, credit card numbers, or personal details. how it works It typically involves sending fraudulent emails, instant messages, or text messages that appear genuine and urgent, often with a sense of urgency or fear, to manipulate recipients into taking actions that benefit the attackers. These actions can include clicking on malicious links, downloading infected attachments, or entering sensitive information on fake websites. why aim to exploit human vulnerabilities and trick individuals into divulging confidential information, which can then be used for identity theft, financial fraud, or other malicious purposes.
flow analysis: Network Data Analysis
a method used to analyze the traffic patterns and behavior of data flows within a network. how it works It involves collecting and analyzing metadata about network traffic, such as source and destination IP addresses, port numbers, packet counts, and duration of communication. This information is used to gain insights into the overall network activity, understand communication patterns between hosts, identify trends, detect anomalies, and detect potential security incidents. benefits monitor network performance, optimize network resources, and identify any suspicious or malicious behavior that may require further investigation
syslog server log: Components of Windows OS Event Log - Analyzing Security Logs
a way to aggregate logs. We can have a central database in which log information from multiple sources can be stored, and then an administrator can review the most pertinent events by connecting that syslog server and seeing what's inside that database which is pulling from all of the other locations.
proxy server log: Analyzing Security Logs
will show when websites were loaded and cached and who loaded which sites, and web application firewalls that are blocking things like SQL injection attacks and cross-site scripting will also identify those specific incoming HTTP requests that they blocked in order to defend against the network.
Network Data Analysis
done by things like firewalls and next generation firewalls, proxying components, and intrusion detection systems and intrusion prevention systems. we think of traffic in terms of the current TCP/IP five-layer model that looks at applications (like HTTP and HTTPS, or DNS) over transports (like TCP and UDP) over network protocols (like IPv4 an IPv6) over data link tools, like Wi-Fi and ethernet over their respective physical topology (5-gigahertz bandwidth, category 6 network cabling) primarily going to focus on application level elements-- things like URL and DNS discovery-- and on transport and network elements where we're looking at protocols, packets, and flows. we need to find malicious domains. identify false DNS information.
Application: Components of Windows OS Event Log - Analyzing Security Logs
focused on logged events from specific applications that choose to write to that log.
get- eventlog: Writing Queries to Get More Relevant Data Faster
getting events out of the Windows Event Log using PowerShell.
heuristic analysis: Heuristics and Trend Analysis in Security Monitoring
it's a process of looking for threats by evaluating processes and code. looking for are specific commands or instructions that have potential danger-- typically things that are going to trigger the installation of a Trojan or replicate a virus or distribute a worm. And in some cases, we are looking at miniature signatures that are going to be recognized as potentially causing one of these things that are going to be inside that heuristic analysis database. ex: observing code execution in a sandbox code analysis of unexecuted files
syslogs: Components of Windows OS Event Log - Analyzing Security Logs
logs about the operating system. Found on every type of device. they're all trying to document their own processes-- the boot process, loading of the operating system, and system level errors and issues that come into play. are going to describe the events using different types of levels like, for example, saying something is informational versus it's a warning versus it's an error. things like log-ons by administrators are going to be logged here as well-- certainly
Reviewing Security Information and Event Management (SIEM)
software on a particular endpoint is to be able to get all of those logs aggregated to one location benefits: aggregation correlation - Maybe we see a connection from a specific location to a specific router out here. And we see five failed logins from different user names followed by one successful log in to this device recognizing that this is the pattern of something that might be a known attack, looking for default usernames that might be used with default passwords on a specific device and someone's trying to break in order to take over this device. create our own definitions of things that are trustworthy, that are good and that are bad. conditional rules - if, then, type of statements where they're set up to say, if you see this event and maybe it's coming from this definition of a bad IP address range or if you see this and a additional log event is found over here.
software attachment: Analyzing potentially malicious e-mail
software that could be installed directly from it how it works our servers are scanning our emails and scanning the attachments and looking for things like executables or batch files, scripts of all type. opening up compressed files, like zips or tar files, and maybe even looking for things that don't have a specific file extension but are looking for signatures as they delve into the content looking for things that could potentially be used against us that, if clicked, could install or execute a process that could take over a host and then launch a Trojan or malware or virus or any of those negative things we just don't want to see.
System: Components of Windows OS Event Log - Analyzing Security Logs
focused on operating system processes.
organizational (function) impact: Analyzing data to determine impact
It encompasses the broader implications that the incident has on the organization's operations, reputation, finances, compliance, and customer trust.. impact is going to be focusing on processes. what is affected can include financial losses, legal and regulatory consequences, damage to brand reputation, disruption of business operations, loss of intellectual property, and potential legal liabilities. why is it important crucial for understanding the full extent of the incident, formulating an effective response strategy, and implementing measures to mitigate the long-term effects on the organization's stability, trustworthiness, and continuity.
immediate impact: Analyzing data to determine impact
It refers to the initial damage, disruption, or harm caused by the incident as it occurs or shortly thereafter. how it works This can include unauthorized access to sensitive data, system downtime, service interruptions, financial losses, or reputational damage. Immediate impact focuses on the direct and immediate consequences that impact the availability, integrity, and confidentiality of systems and data. why its important Assessing the immediate impact helps organizations understand the severity of the incident, initiate incident response efforts, and take immediate action to mitigate the damage and restore normal operations.
select- string: Writing Queries to Get More Relevant Data Faster
It's a PowerShell commandlet that can be used to extract specific lines that we would like to pull out that match, what we're looking for.
sender policy framework (SPF): Analyzing corporate e-mail security infrastructure
an email authentication protocol used to prevent email spoofing and phishing attacks. It allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. how it works SPF works by adding a DNS record to the domain's DNS configuration, which lists the authorized mail servers. When an email is received, the recipient's mail server checks the SPF record of the sender's domain to verify if the sending server is allowed to send emails for that domain. If the SPF check fails, the email may be marked as suspicious or rejected. Benefits helps to protect against domain forgery and helps improve email deliverability while reducing the risk of fraudulent emails.
Security Log: Components of Windows OS Event Log - Analyzing Security Logs
all about security events, like logging on or permissions failures or rights violations.
Domain Message Authentication Reporting and Conformance (DMARC): Analyzing corporate e-mail security infrastructure
an email authentication and reporting protocol that helps prevent email spoofing and phishing attacks. It allows domain owners to specify policies for handling unauthenticated emails that claim to be from their domain. how it works It works by combining the use of two existing email authentication methods, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and adds a reporting mechanism. domain owners can instruct email receivers on how to handle emails that fail authentication checks, such as marking them as spam or rejecting them outright. benefits provides valuable reporting data that allows domain owners to monitor and analyze email authentication results for their domain. This helps organizations protect their brand reputation and improve email deliverability while reducing the risk of email-based impersonation and fraud.
Domain Keys Identified Mail (DKIM): Analyzing corporate e-mail security infrastructure
an email authentication method that helps verify the integrity and authenticity of email messages. It uses cryptographic signatures to associate a domain name with an email message, allowing the recipient to verify that the message has not been altered during transit and that it indeed originated from the claimed domain. how it works works by adding a digital signature to the email headers, which can be validated using the public key published in the domain's DNS records. benefits organizations can protect against email spoofing and phishing attacks, as recipients can trust that the emails they receive are from legitimate sources and have not been tampered with.
Security Orchestration, Automation and Response (SOAR): Reviewing Security Information and Event Management (SIEM)
piece of software to go ahead and effect that change itself to reach out to all these things (SIEM) that have been feeding it information and to modify their settings. So user account that was detected to have successfully logged in after a series of failed logins were made on a particular device could be disabled. Or a particular service that was detected to be up and running and communicating on the network could be blocked, stopped or the whole device isolated on the network at the switch level that means that when we have a false positive kind like the difference between intrusion detection systems and intrusion prevention systems, false positives are more concerning in a prevention system because they're actually blocking traffic and stopping what could be valid traffic from doing its job.
embedded links: Analyzing potentially malicious e-mail
refer to hyperlinks that are contained within a document, email, or webpage how it works These links are designed to direct users to another location or resource, such as a website or file. However, links can also be used maliciously to deceive users and lead them to malicious websites or initiate harmful actions. Cyber attackers often employ techniques like phishing emails or malicious websites to trick users into clicking on embedded links, which can result in the installation of malware, theft of sensitive information, or other forms of cyber attacks. Remediation It is important for users to exercise caution when interacting with embedded links and ensure they are from trusted sources before clicking on them to mitigate the risk of falling victim to cyber threats.
hidden forwarder (forwarder redirection): Analyzing potentially malicious e-mail
refers to a technique used to redirect network traffic from one location to another. It involves the use of a forwarding device or mechanism to reroute incoming network packets or requests to a different destination than originally intended. how it works can be used to divert network traffic to unauthorized or malicious destinations, leading to data interception, eavesdropping, or other forms of cyber attacks. remediation It is important for organizations to monitor and secure their network forwarding mechanisms to prevent unauthorized redirection and ensure the integrity and confidentiality of their network traffic.
local impact (informational): Analyzing data to determine impact
refers to the effects of a security incident or breach on a specific system, device, or localized area within an organization's network (concerning data). It pertains to the immediate consequences and damage caused by the incident on the specific asset or network segment where the breach occurred. how it works may include compromised data, unauthorized access, system disruptions, or unauthorized activities limited to a specific location or subset of systems. why is it important Assessing the local impact helps organizations understand the extent of the damage, isolate affected systems, and implement targeted remediation measures to contain the incident and prevent further spread within the network.
protocol analysis: Network Data Analysis
s network protocol analysis or packet sniffing, involves capturing and analyzing network traffic at the protocol level. how it works It focuses on inspecting the individual packets exchanged between network devices to understand the communication protocols and their behavior. This analysis includes examining packet headers, payload contents, and the sequence of packets exchanged during a communication session. benefits helps in identifying network issues, troubleshooting problems, and detecting anomalies or security threats. gain insights into the functioning of network protocols, identify performance bottlenecks, pinpoint configuration errors, and identify potential security vulnerabilities or attacks within the network. By examining the details of network protocols, protocol analysis provides valuable information for network optimization, troubleshooting, and ensuring the overall integrity and security of the network.
spoofing: Network Data Analysis
the act of falsifying or disguising certain information or identities to deceive or trick others on a network or system. how it works It involves creating or altering data packets, IP addresses, email headers, or other elements to make them appear as if they are coming from a different source or entity than they actually are. Can be used to carry out various malicious activities, such as impersonating a trusted entity to gain unauthorized access, launching phishing attacks, evading detection or bypassing security measures, or manipulating network traffic to divert or intercept data. Common types of include IP spoofing, email spoofing, ARP spoofing, and DNS spoofing. benefits authentication mechanisms and network monitoring, are crucial in detecting and mitigating these attacks to protect against unauthorized access and data breaches.
signature-based analysis: Heuristics and Trend Analysis in Security Monitoring
the classic typical anti-virus component where there's a file block that is downloaded, and then before we allow it to execute, we check to see, by running a hash against that file that generates a certain output, if that matches a hash that's in a known database. And if it does, don't let it execute. it requires that that signature of the entire file be found in the wild.
total impact: Analyzing data to determine impact
the overall consequences and effects of a security incident or breach on an organization or system. It encompasses the extent of damage, loss, disruption, or harm caused by the incident, taking into account various factors such as financial costs, reputational damage, operational disruptions, legal and regulatory consequences, and potential harm to individuals or critical assets. what to know goes beyond immediate impacts and includes long-term consequences, recovery efforts, and the overall resilience of the organization. Understanding the total impact helps organizations assess the severity of an incident, prioritize response and recovery actions, and make informed decisions regarding risk mitigation strategies and investments in cybersecurity controls.
trend analysis: Heuristics and Trend Analysis in Security Monitoring
the process of detecting patterns within a data set over time and using those patterns to make predictions about future we should understand what a baseline looks like, what our system normally looks like, and then what goes outside that trend. ex: Sometimes it's recognizing that a particular type of network traffic is a predecessor to a particular type of malware attack. Maybe it's recognizing that there are certain events or seasons that can trigger an attack.
packet analysis: Network Data Analysis
the process of examining and interpreting individual data packets that are transmitted over a network. It involves capturing network traffic, dissecting the packets, and analyzing their contents to gain insights into network behavior, troubleshoot issues, and detect security threats. how it works various attributes of the packets, such as source and destination IP addresses, port numbers, protocol information, and payload data, are examined to understand network communication patterns, identify anomalies, and uncover potential vulnerabilities or malicious activity. benefits diagnose network problems, optimize performance, and enhance network security
> (redirect command symbol): Writing Queries to Get More Relevant Data Faster
used to send the results of an onscreen command to a text file
| (pipe command): Writing Queries to Get More Relevant Data Faster
used to send the results of the first command into another command and often that's going to be used from one PowerShell command led to another.
Endpoint Data Analysis
we are going to need to extract information from logs in order to be able to identify problems and resolve security issues faster. from end servers and laptops and desktops and even mobile devices, is to ascertain what kind of incidents have happened. ex - Was there a breach, whether it's access to data or systems or credentials? Was there some type of incident that had occurred. Our goal being to find information that helps us see trends. Windows Event Logs - security, system, application. - looking for credential success/failure - system (which that happened because sometimes we're dealing with a server where things might have been connected to from remote systems and we can identify, in some cases, what we're being targeted from because there's all sorts of leapfrog operations that happen that we have to be concerned about in security.) - time & date we can establish a chain of events as we look at multiple systems and even aggregating the information across multiple logs POSIX - Unix & Linux /var/log auth.log(security log) authentication & authorization (faillog) - failed log-in attempts /syslog /messages