06 Cyber Infrastructure & Technology
What are Parsing Methods?
Regular Expression (Regex) - Matches a specified field value with an unanchored regular expression. Delimited - Parses fields using constant delimiters.
What are Logical Signatures?
- Combines multiple signatures using logical operators - Enables more specific and flexible pattern matching - File extensions include *.ldb, *.ldu, and *.idb
What Is an Email Header?
- Contains metadata for the email - Sender, recipient, content type, email route, authentication details, and more - Always precedes the message body
What Is Surveillance?
- Continuous monitoring, and sometimes physical action, in surveyed areas - Facilities should remain under surveillance to ensure swift reaction to intrusions.
What are PhishSigs?
- Database of file signatures related to phishing - File extensions: *.pdb: URLs of potential phishing sites; *.gdb: URL hashes; *.wdb: allow-listed URLs
What are Honeypots?
- Decoy devices meant to lure attackers (such as an APT, Advanced Persistent Threat) - Service or OS implementation - Alerts are triggered when an attacker touches the trap. Honeypots are meant to be a good thing: things that the bad guys are going to go after. It's basically a high-noise defender tool. You typically get a high level of alerts, but if a honeypot starts ringing the bell, then someone is into something they should not be doing. There are different types of honeypots; the cheapest ones are going to tell you the IP address of the device connecting to the system. Honeypots basically simulate a real computer, with applications, settings, and everything. They are completely isolated and closely monitored.
Log Queries in SIEM?
- Dedicated requests - Retrieve information from SIEM - Many SIEM applications use proprietary query syntax. - Many features in Splunk are based on queries.
What is Mail Delivery Agent (MDA)?
- Sorting and delivery mechanism - Receives emails from MTA and delivers them to the recipient's inbox - Some MTAs can also act as MDAs.
SOAR Triage & Identification?
- A way to identify and prioritize alerts - SOAR triage is used in addition to the triage performed by the SIEM platform - Solves the issue of what is considered critical
What is a playbook?
A playbook is a flow of actions designed to reduce the need for human intervention in repetitive tasks. Playbooks can be fully automatic or may require human intervention at critical decision-making points. Playbooks work with conditions for many types of scenarios.
What does a Honeypot Aim for?
Analysis - Analyze the attacker's movement and gain insight into the attacks. Collection - Collect forensic data needed to improve security methods.
What are Signature Types?
Body-Based Signature - Compares specific sequences of suspicious file bytes with malware models stored in a database Hash-Based Signature - Compares the file hash checksums of suspicious files with malware models stored in a database Besides the signature types above, ClamAV allows the addition of custom signature files based on YARA rules.
What is Data Classification?
Data classification is the primary means by which data is protected based on categories of secrecy, sensitivity, or confidentiality.
What are False Positives & False Negatives?
False positive - A test result falsely indicates the presence of a condition. False negative - A test result mistakenly negates a condition.
What is ICS?
Industrial Control Systems (ICS) are units that monitor and manage industrial machinery used in critical infrastructure. ICS integrates hardware, software, and network connectivity to achieve remote support and management of critical infrastructure devices.
What are Aggregation Alerts?
It is recommended to consolidate logs with identical content in predefined fields and specific time frames. This mechanism detects attacks like brute-force and port scanning. For example, if something happens more than a specified number of times in a specified time frame, an alert will be triggered.
What are SIEM General Components?
SIEM Monitoring Features Include: Filters, Rules, Active Lists, Reports, and Trends
What is SOC vs NOC?
SIEM is the foundational platform of SOC.
Where is Log Gathering?
Syslog: Can use TCP or UDP; the default port is 514. Files: Some applications use files to write logs. Database: SIEM logs in to the database and extracts logs according to a predefined query.
What are Exclusions?
These are allow-list signature database file extensions: *.fp: MD5 signature; *.sfp: SHA1 or SHA256 signature; *.ign2: specific signature.
Defense in Layers?
- A crucial aspect of physical security - An invader can maneuver around a single layer of controls. - There must be a next layer of controls that can help stop the invader from advancing further.
What is Sandbox & File Extension Block List?
- A mail relay sandbox provides a platform for testing email attachments. - The sandbox scans the file's behavior and checks it for indications of malicious intent. - If it considers the file malicious, it drops the mail, and the recipient will not receive it. Blocking alone is not enough to prevent malicious files from being received.
What is Zero-Day?
- A newly discovered flaw in a program - Exploited before a vendor can patch it - Zero-day flaws are highly sought after by both hackers (offense) and enterprise security teams (defense).
What Is a Physical IDS?
- A perimeter-scanning device - Sensitive to changes in the environment - Can detect a wide variety of changes
What Is Mail Relay?
- A server that routes emails to their correct destinations - Email clients do not know how to send and deliver mail. They rely on mail relay. - Provides a way to guarantee message authenticity
What Is an Endpoint Security Solution?
- A suite of tools that helps protect workstations - Secures end-user devices (desktops, laptops, etc.) - Actively defends against risky activity and/or malicious attacks - Operates as an enterprise security perimeter and is best suited for bring your own device (BYOD) You are essentially following a checklist. That's why we check that our devices are configured before we start installing a suite of tools to help protect laptops, and those checklists will be there as well.
What are YARA Rules?
- A way of describing a pattern to identify files - Rules are written to meet specific conditions. - Mainly used to classify particular strains or entire malware families YARA Rule Signature: - ClamAV accepts YARA rules with certain limitations. - The extensions .yar and .yara are parsed as YARA rules, so the rules would be processed in those file types that we created. - Maximum of 64 strings per rule In the image, the statements inside the brackets belong to the Example rule above the bracket.
What is EDR vs. AV?
- AV has a single purpose: detecting and removing malware. - EDR includes an AV. - EDR can protect against sophisticated threats (APT). If you're on the blue team, always assume breach, always. EDR has a much more simplified purpose beyond just an AV.
What are Antivirus Components?
- AV signatures must always be updated. - Designed to detect and remove viruses, trojans, worms, etc. - Can quarantine or delete files
What is Allow Listing?
- AVs can mistakenly identify files as malicious. - ClamAV includes an option to allow-list applications.
What are YARA Rules & Signatures?
- AVs rely on signatures. - Vendors have different signature formats. - ClamAV supports signatures written in YARA format.
Firmware Information Gathering?
- As much information as possible should be gathered about firmware to ensure in-depth analysis. - Entropy measures the randomness of data to check for compression or encryption. - Firmware can be encrypted. XOR and AES are commonly used. Common tools used for firmware security analysis are: dd, hexdump, strings, binwalk, and QEMU.
What are Industrial Applications of IoT?
- Automate time-consuming tasks to increase efficiency and reduce busywork. - Remote asset monitoring and deployment of IoT in challenging environments. - Predictive maintenance for safety and cost efficiency.
Windows Logs?
- Classifies events in several categories - Each entry is defined by its type to identify the severity of the event. - In the Event Viewer, events are listed with headers and descriptions.
What are Honeypot Attributes?
- Deliberately vulnerable information - Logs the attacker's actions - Identifies and defends against APT - Catches the bad guys in the act You basically want your honeypot to look vulnerable and desirable, such as an HR server, a finance server, etc.
What is Closed-Circuit Television (CCTV)?
- Detects, follows, and exposes intruders - Can operate in internal and external facility areas - Must be integrated with other security controls
What are Network Architecture Considerations?
- Different topologies suit different needs. - Planned prior to the deployment of hardware. - Network architecture must be secured to compensate for the lack of TCP/IP safety.
Motion Detection?
- Electrical device that detects object motion - Alerts staff by triggering alarms (silent or audible)
UNIX Logs?
- Every day, a new file is created in sequential order and backs up the previous log. - Daemons may group the journals in a dedicated folder. - Some Linux distributions have tools to view the logs graphically.
What are Device Control & BYOD?
- Expand the enterprise security perimeter. - Employees connect private devices to the company network. - Potential for passing malware through company defenses. BYOD = Bring Your Own Device
What are Honeytokens?
- Fake IT resources, like fake user accounts, fake email addresses, etc. - Designed to attract the attacker's attention - Typically found in public areas (websites, documents, etc.) Honeytoken types include: bogus email addresses, false database data, forged executable files, phone-home embedded links, web beacons, and browser cookies.
What are False Positive (F/P) Causes?
- Heuristics: AVs evolve and so do viruses - Behavioral Analysis: Legitimate apps behaving like malicious apps - Machine Learning: Mistakes in training data fed to software
What is IoT?
- Internet of Things - Devices that are connected to the internet - Everyday objects modified for the internet IoT usage provides a way to control multiple smart devices from a phone or computer via apps.
Lighting in Physical Security?
- Lights should be installed with overlapping zones. - More light should be used at entrances, less light at guard locations. - Lighting redundancy should be implemented in case of a power outage. Poorly lit or unlit areas invite trespassers.
What are Common IoT Attacks?
- MITM on unencrypted communication components - DoS/DDoS on an IoT device and using multiple IoT devices as a botnet - Replay attacks that replay authentication messages to deceive the destination server
What is Local Agent Protection?
- Monitor and block the printing of confidential material. - Review the clipboard and block the copying of sensitive content. - Analyze and block email messages sent to specific destinations.
What is Network & Host Device Review?
- Most devices that connect to a network are hosts. - Host devices include computers, IoT, and more. - Nodes include hosts and intermediary devices. - The devices must have an IP address.
Research Honeypots?
- Not meant for direct security value - Can be used to research possible future threats - Complex deployment and maintenance - Not generally used by commercial organizations The research helps gather information about a hacker's methods.
Multi-Engine Antivirus Scanning?
- Only one AV should be installed on a workstation. - Different AVs use different methodologies and block lists. - Scanning with multiple engines simultaneously
What is ClamAV?
- Open-source and cross-platform AV software - Mainly a CLI tool, although a GUI is available - Most features require initial configuration It is not the most impressive AV; it's not an EDR; it's a free application that's not recommended for work standards.
What is Endpoint Detection & Response (EDR)?
- Originally known as ETDR - Provides high visibility of endpoints, meaning you want to see what kinds of things are going on, like user behavioral detection. - Focuses on detecting and responding to malicious activity on the host - Best use case: search manually for threats.
Why Physical Security?
- Physical barriers are essential in any organization. - Cybersecurity is irrelevant if anyone can walk into the server room and steal or damage the server. - Physical security must be layered for maximum protection.
Physical Security Goals?
The intention of physical security is to provide a safe environment for all important assets and resources in an organization. When designing physical security, intruders and natural disasters must be considered, as well as every organization's most important asset: human beings.
EDR Visibility & Response?
- Securing endpoints requires real-time visibility of all activities on the endpoint. You can actually disconnect a machine from the network and lock down a machine as you analyze it. - Pinpoint malicious behavior. - Act swiftly to prevent an attack from becoming a breach.
What is Firmware?
- Semi-permanent software for hardware - Written on dedicated board flash memory - Instructs devices on how to communicate with other hardware and software Firmware updates are not as frequent as software updates. What is the purpose? Firmware provides basic operational instructions for hardware. It can be updated to add functionality or make it more efficient and secure, although updates for firmware are infrequent and typically inconsistent. Why do people attack firmware? Firmware breaches provide high-level privileges, stronger persistence, and better chances of bypassing security controls. How? Software down, such as exploiting a lack of updates and patches; hardware up, such as injecting malicious firmware via a USB device. Firmware can be breached to allow attackers to access systems, often without the owner knowing about it.
How Do Honeypots Work?
- Simulate the behavior of a real system - Placed in accessible network areas - Have intentional security flaws The security flaws may be a lack of security updates or unnecessarily enabled services. Production Honeypots - Emulate real production systems - Emulate services or operating systems - Learn the way attackers exploit vulnerabilities - Minor or no false positives
How does Antivirus work?
- String/byte signatures - Hash signatures - Heuristic detection Antivirus is just looking for specific hashes and strings in specific files to see if it's trouble or not. Common antivirus programs from vendors include: Symantec Endpoint Protection, Check Point Endpoint Security, Kaspersky Endpoint Security, and McAfee Endpoint Protection.
What is Anomaly Exploration?
- Studies environment trends - Looks for any deviation from the norm - Detects suspicious behavior - Uses a timeline to study behavior
What are ICS Components?
- Supervisory Control and Data Acquisition (SCADA) - Human-Machine Interface (HMI) - Programmable Logic Controllers (PLC) - Remote Terminal Units (RTU) - Supervisory control and data acquisition (SCADA) is a computer system that monitors, controls, and collects data at an industrial facility. Although the terms ICS and SCADA are often used interchangeably, SCADA is a component of ICS. - The Human-Machine Interface (HMI) is a user interface or dashboard that connects a person to a machine, system, or device. - Programmable Logic Controllers (PLCs) are control units that can be programmed to collect information, resolve control-related logic, and run processes in accordance with the requirements of equipment they are connected to. - Remote Terminal Units (RTU) include microprocessors and are used to connect hardware devices to SCADA systems.
What is TCP/IP Security?
- TCP/IP was not designed with security in mind. - TCP/IP flaws fall into two categories: - Implementation flaws - Protocol flaws Both were addressed via new technology.
Splunk Installation in Windows?
- The Splunk Windows installation follows steps that are similar to a Linux installation. - Credentials for the system are provided during the installation process. - Splunk Forwarder should be installed separately (on Linux, Windows, or Mac).
Log Collection for OS Logs?
- UNIX systems usually save logs in the /var/log directory - In Windows, logs can be viewed in Event Viewer. - Mac uses Console.app, which is similar to the Windows Event Viewer.
What are Canary Traps?
- Used to identify internal data leakers - An almost identical copy of a document - Leaked data is traced to the receiving person. Changes in the documents are tailored to the recipient. A canary trap is a method for exposing an information leak by giving different versions of a sensitive document to each of several suspects and seeing which version gets leaked. It could be one false statement, to see whether sensitive information gets out to other people as well.
What are SIEM Dashboards?
- Various dashboards can be created in Splunk. - Granular dashboard configuration via SPL or XML - Splunk has plugins for certain types of dashboards.
What are ICS Protocols?
- When ICS protocols were designed, no one believed it was possible to connect industrial machines to the internet. - ICS can operate with the following protocols: RS-485, Modbus, DNP3, TASE 2.0, CIP, PROFIBUS, BACnet, and others. However, most of them were designed for systems that do not have internet connectivity and are vulnerable to security issues.
How Does IIoT Work?
A complete Industrial IoT system includes the following components: • Sensors and devices • Connectivity • Data analysis and processing • User interface IoT System Components: Sensors and devices are responsible for data collection. Some examples of sensors could be a humidity detector, a light sensitivity detector, or a device (such as a smartphone) that holds a bundle of sensors. Connectivity includes Wi-Fi, cellular, and satellite, which all transmit and receive data to and from the cloud for processing. Data analysis and processing form a system that produces useful information from data collected by sensors and devices. Examples can include light sensitivity readings that are used to adjust the lights in a house or smart buildings that adjust the temperature in lobbies based on the number of people present. A user interface is the component that enables users to manage sensors and devices to obtain data and work with it. An example is a dashboard that receives an alert from a device, such as a light that sends a message that it was turned on or off.
Splunk Components?
A parser is a compiler or interpreter component that breaks data into smaller elements for easy translation into another language.
What is a SIEM Workflow?
Popular SIEMs: QRadar, ArcSight, AlienVault, Splunk
What is Auditing Physical Access?
Access Logs - Access logs are used to identify people who enter the facility. Such logs need to be reviewed periodically by facility managers. Access logs are not preventive measures but are used in investigations and forensics. Logged Information - Logged information consists of dates and times of access to the facility, IDs of users who attempt to enter the facility, and successful and unsuccessful entry attempts.
What is Agent and Agentless?
Agentless monitoring is a form of network monitoring where a monitor collects performance metrics from devices without needing to install a software agent on the devices or servers being monitored. Agent-based monitoring, however, does require a software agent to be installed on the monitored device.
Types of Alerts?
Alerts may be generated in the following instances: • Internal/external attacks • Compromised user account or workstations • Abuse of privileges • Fraud • Port scanning • Compromised websites
What Is an Alert?
An alert is a message that informs a cybersecurity professional about a possible anomaly, threat, or attack based on predefined criteria. An alert can be sent via email, Simple Network Management Protocol (SNMP), syslog, automatic scripts, or directly to situation management systems like SIEM.
What is an Event?
An event is a specific issue logged in the system, such as an authentication failure. Events do not necessarily indicate that a cyber threat or incident has occurred. Flags can be created due to a common bug or mistake.
What is Cortex XSOAR?
Cortex XSOAR (Demisto) is a SOAR product that integrates with many other cybersecurity technologies via APIs. This product helps to improve SOC management by adding more automation using playbooks that enable the SOC team to run and report security incidents for the company.
What are Technological Asset Types?
Hardware, software, data, and communications. Each of these assets can be an attack vector and must be monitored continuously.
What is Internet Data?
Cookie ID - Cookies let websites remember you, your website logins, shopping carts and more. But they can also be a treasure trove of private info for criminals to spy on. Guarding your privacy online can be overwhelming. Fortunately, even a basic understanding of cookies can help you keep unwanted eyes off your internet activity. Hashed Email Addresses - Email hashing is a cryptographic function, which is a fancy way of saying it's a method of coding an email address for privacy. A hashing algorithm transforms email addresses into hexadecimal strings, so each email becomes an unrecognizable jumble of numbers and letters. Mobile Advertising IDs — or MAIDs, for short — are strings of digits assigned to mobile devices. Android assigns them. So does Apple. If you're into cooking, news apps use them to float food-related content to the top of your feed. Instagram will use them to serve you ads for blenders.
What is DKIM?
DKIM = DomainKeys Identified Mail - Email validation technique - Performed at the server level - DKIM uses digital signatures.
What is DMARC?
DMARC = Domain-based Message Authentication, Reporting, and Conformance - The following DMARC policies can be used if an email fails a DMARC check: Monitor, Quarantine, Reject. - DMARC can generate a report about outgoing emails.
What Are DNS Records?
DNS records (aka zone files) are instructions that live in authoritative DNS servers and provide information about a domain, including what IP address is associated with that domain and how to handle requests for that domain. As an example, an A record is used to point a logical domain name, such as "google.com", to the IP address of Google's hosting server, "74.125.224.147". These records point traffic from example.com (indicated by @) and ftp.example.com to the IP address 66.147.224.236.
What is DLP (Data Loss Prevention) Purpose?
Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network. The term describes software products that help a network administrator control the data that users can transfer. Data loss prevention (DLP) refers to the software tools and processes used to protect sensitive data and detect the presence of malicious actors looking to get their hands on your data. In other words, data loss prevention is just what it sounds like — preventative measures to ensure your data isn't lost. How DLP Works? - Content inspection and contextual analysis - Based on rules and policies - Uses regex pattern matching
IDS Types?
Electromechanical Systems: Detect changes or breaks in a circuit. Can be a magnetic contact switch, pressure plate, etc. Photoelectric/Photometric Systems: Emit beams of light and generate alarms when the beam is interrupted. Passive Infrared Systems: Monitor room temperature and report when the temperature rises. Acoustic Detection Systems: Highly sensitive microphones that detect possible forced-entry sounds. Wave-Pattern Motion Detectors: Generate wave patterns, transmit them to receivers, and if the returned pattern is different, an intruder is likely present. Proximity/Capacitance Detectors: Emit magnetic fields and generate alarms if the field is disrupted.
Mail Protocol?
Email protocol is a method by which a communication channel is established between two computers and email is transferred between them. When an email is transferred, a mail server and two computers are involved. One computer sends the mail and the other one receives it. The mail server stores the mail and lets the receiving device access it and download it if needed. There are four different mail protocols. These protocols differ in the way by which they establish connections and allow user access to emails.
Encoding and Ciphering?
In computers, encoding is the process of putting a sequence of characters (letters, numbers, punctuation, and certain symbols) into a specialized format for efficient transmission or storage. Decoding is the opposite process: the conversion of an encoded format back into the original sequence of characters. A cipher is basically the same idea; the dictionary definition is to put (a message) into secret writing, i.e., to encode it.
What are Endpoint Security Components?
Internal Firewall: Blocks incoming/outgoing connections to/from the workstation HIDS/HIPS: Detects, protects, and alerts upon malicious activity Sandbox: Restricted environment used to run suspicious programs and files A network sandbox is an isolated testing environment that enables security teams to observe, analyze, detect, and block suspicious artifacts traversing the network. A network sandbox provides an additional layer of defense against previously unknown attack vectors.
What are IIoT Devices?
IoT facilitates automation via sensors and controllers. IIoT is used in industrial settings. Examples of IIoT devices include: • Traffic lights • Surveillance cameras • Engine and machine sensors • Centrifuges
What is Mail Transfer Agent (MTA)?
MUA = Mail User Agents - The application side of mail servers - Responsible for forwarding email to and from MUAs and other MTAs - MTAs add tags on top of message headers.
Antivirus & CDR for Mail Relay?
Mail Server Antivirus - Scans incoming messages before they reach users and outgoing messages before they leave the computer CDR = Content Disarm & Reconstruction - Sanitizes files attached to emails
Securing the Physical Structure?
Natural Access Control - Natural access controls are used to guide people to proper facility entrances via indirect means. They are supplemented with landscaping, as well as lighting, fences, and doors to show people where they should and should not go. Designing a Physical Security Program - When planning physical security, it is important to study the use of construction materials, power distribution systems (the electrical feed between substations and consumer outlets), communication types, and external elements. Window Types? - Standard windows: Very low level of protection - Non-glass windows (acrylic): Better protection - Laminated or wire layer: Best protection
What Is OpenDLP?
OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application.
Useful Commands for POP3?
POP3 (Post Office Protocol 3) This is a simple, standardized protocol that allows users to access their mailboxes on the Internet and download messages to their computers. The simple design of POP3 allows casual email users who have a temporary Internet connection (dial-up access) to access emails. They can read their emails, draft new emails or reply to emails while they are offline, and can send these emails when they are back online.
What is Log Parsing?
Parsing is the process of splitting unstructured log data into attributes (key/value pairs). You can use these attributes to facet or filter logs in useful ways. This in turn helps you build better charts and alerts. Parsing organizes logs into fields with the format [key: value], such as [host: "Johnd-PC"].
What are Data Leak Channels?
Physical Components: - Information can be leaked by employees or stolen by cyberthieves. - USB ports should be locked down, and portable device disks should be fully encrypted. So any portable device, such as a USB drive, should be encrypted. - Webcams, network printers, and guest Wi-Fi should be secured and segmented. Network: - Sharing websites are typically permitted on company networks. - Full TLS inspection is not enabled on many sites. - Web filtering is often not strict enough. TLS inspection is a method in which TLS traffic is decrypted and inspected. Malware: - Multi-staged malware can be crafted by a variety of tools. - Social media can be used to trigger payloads of dormant malware. - New payloads are not uploaded to online scanners because they send new signatures to AV vendors. Protocol Abuse: - DNS Tunneling: Embedding encrypted chunks of data in DNS queries - File Server Traffic: Protocols like SFTP are permitted in outbound traffic. - ICMP Tunneling: Sending data using echo packets
What Is Regex?
Regex, or regular expression, is a pattern-matching engine used to search text and program output for specified patterns. Regex is built into tools like Vim, grep, and even Python! - A method used to describe a specific pattern of characters - Highly flexible, with customizable search parameters - Text processing tools, like PowerGREP, enable easier query crafting. Regex Uses: - Searches for text and replaces text - Text input validation - Less code that does more work Regex for DLP (Data Loss Prevention): Filter outbound emails to look for: - Credit card numbers - Social security information - Custom dictionary phrases - Specific data types
What is SIEM?
SIEM stands for security information and event management. It's a system that collects log files, security alerts, and events into one place, so security teams can more easily analyze data. You can think of a SIEM as a log management system specialized for security. SIEMs collect all this information from other security systems, like endpoint security, firewalls, IDS/IPS systems, and email security. The logs and alerts from these systems needed to be stored centrally, so analysts didn't have to go to each individual security product to gather data for an investigation. SIEMs offer powerful log search features, the ability to trigger alerts using rules, and reports that organizations can provide to auditors.
Useful Commands for SMTP?
SMTP (Simple Mail Transfer Protocol) As the name suggests, SMTP is a simple, text-based protocol that works best when devices are interconnected with each other. However, SMTP can only be used to send emails.
What is SPF?
SPF = Sender Policy Framework - Email authentication protocol - SPF records store information about which IPs can send emails from a domain. - Does not work when forwarding emails
What is SOAR?
Security Orchestration, Automation, Response (SOAR) is a category of products designed to reduce the need for human assistance during incident response. It receives incidents from various systems (not just SIEM) and executes automated actions as incident response functions. SOAR complements SIEM. SOAR can receive incidents from multiple sources. A SOAR stack is used to create playbooks that contain actions to be taken upon the detection of specific events. The primary benefit of SOAR is that its automation eliminates the need for Tier 1 analysts, thereby reducing incident response time. This approach saves both time and money, which are crucial factors for many businesses. - Like SIEM, SOAR receives events from multiple sources. - SOAR automates actions upon detection of specific events.
What is Shodan?
Shodan is a search engine that can be used to find and view IoT devices, products, and related information. Unlike search engines that perform scans of websites, Shodan targets the "backhaul" part of the network and scans for servers, webcams, printers, routers, and any other similar device connected to the internet. The engine runs 24/7 and collects dynamic information on approximately 500 million connected devices and services each month. The Shodan search engine scans IoT devices online using random IPv4 and port numbers.
What are Physical Security Threats & Solutions?
Shoulder Surfing: Drones - Drones can be used for shoulder surfing through windows or for facility reconnaissance. Mitigation: use tinted windows. Open Space - Placing employees in an open space makes their screens visible to anyone walking by. Mitigation: use privacy screen filters, which narrow the viewing angle. Access Control: Access Card Duplication - Employee cards can be cloned. Mitigation: RFID-blocking wallets or sleeves. Tailgating/Piggybacking - Following an authorized user through a door into a facility. Mitigation: posting a guard deters this behavior. Physical Approach: - Connecting a USB device to a computer to run malware - Connecting a laptop to a switch to gain network access - Theft of documents or other valuable assets. Facility segregation should be designed so that an attacker who gets into one area cannot move freely into another.
How do you Write a Signature?
Here we create a hash signature specifically for john\Downloads\test.exe and store it in an .hdb file (a hash database file, one entry per line in the form MD5:FileSize:MalwareName). Note: you can always click and drag a file name into the CLI to paste its full path.
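As an added example (not the page's own commands), the following builds the same kind of .hdb entry that ClamAV's `sigtool --md5` prints for a file and then scans a set of constructed byte blobs against it. ClamAV itself is not invoked; the file contents, the "test.exe" stand-in and the malware name are all made up.

```python
# Added example: produce a ClamAV-style .hdb line (MD5:FileSize:MalwareName)
# and scan constructed files against it. No real malware, no ClamAV calls.
import hashlib


def hdb_entry(data: bytes, name: str) -> str:
    """The .hdb line for a file's bytes: md5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> dict:
    """Parse .hdb text into {(md5, size): name}; '#' lines are comments."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        sigs[(digest.lower(), int(size))] = name
    return sigs


def scan(files: dict, sigs: dict) -> dict:
    """Return {filename: malware_name} for files whose md5 AND size match."""
    hits = {}
    for fname, data in files.items():
        key = (hashlib.md5(data).hexdigest(), len(data))
        if key in sigs:
            hits[fname] = sigs[key]
    return hits


# Constructed stand-in for john\Downloads\test.exe (not a real executable).
TEST_EXE = b"MZ" + b"\x90" * 30 + b"this is a test payload"
HDB_TEXT = "# test.hdb\n" + hdb_entry(TEST_EXE, "Test.Sample.EXE") + "\n"

FILES = {
    "test.exe": TEST_EXE,
    "test_copy.exe": bytes(TEST_EXE),          # byte-identical copy -> hit
    "test_patched.exe": TEST_EXE[:-1] + b"!",   # one byte changed -> miss
    "readme.txt": b"harmless text",
}

if __name__ == "__main__":
    print(HDB_TEXT)
    print(scan(FILES, load_hdb(HDB_TEXT)))
```

The patched copy shows the limit of hash signatures: changing a single byte defeats the match, which is why the logical signatures and YARA rules mentioned earlier exist. In a real deployment the generated .hdb is passed to clamscan with `-d`.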
What is Antivirus Bypass Techniques?
So how do we sneak around antivirus? These are techniques an attacker can use once they already have access to the operating system. One class of tool is the rootkit: malicious software that runs at the lowest level of the system, in some cases loading before the operating system itself. If the attacker's code runs before the defender's software starts, it can hide itself, for example by making the antivirus unable to see the attacker's files or processes at all.
What are Advanced Queries?
Splunk supports some advanced syntax: • The pipe "|" chains commands together (as in UNIX). • search retrieves events from an index or dataset. • AS renames a column. • BY groups results by field. Splunk queries are written in the Search Processing Language (SPL), which is similar to SQL. There are common statistical functions, such as count(X), which returns the number of events with a value for X; dc(X), which returns the number of distinct values of X; and stats count by X, which produces a table with one row per value of X and the number of events for each. For example: source="/var/log/apache2/access.log" | stats count by status_code
What are Operators?
Splunk supports Boolean operators, which are used to build complex statements or queries. There are three Boolean operators: AND - returns logs only if both conditions are true. OR - returns logs if at least one of the conditions is true. NOT - excludes logs that match the condition. Boolean operators must be written in uppercase. For example, a query that should return either access logs or error logs joins the two conditions with OR. Splunk also supports the IN operator. IN takes a field and a list of values; if the field's value is in the list, the expression is true, otherwise it is false. For example, combining an AND expression with status_code IN (200, 404) keeps only the records in access.log whose status code is in the list; a record whose status code is not in the list is not displayed.
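To make the two sections above concrete, here is an added example (not from the original page) that re-implements what `| stats count by status_code` and the AND/OR/NOT/IN operators compute, in plain Python over constructed Apache access-log lines, so the results can be checked offline. The field-extraction regex and the field name status_code are this example's own (Splunk's built-in access_combined extraction calls the field "status"); the log lines use documentation address ranges and made-up paths.

```python
# Added example: Splunk-style field extraction, "stats count by", and
# AND / OR / NOT / IN search operators over constructed Apache log lines.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status_code>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed log lines (not real traffic).
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /admin HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2024:13:55:38 +0000] "POST /login HTTP/1.1" 200 128
198.51.100.7 - - [10/Oct/2024:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /../../etc/passwd HTTP/1.1" 403 199
"""


def parse(log_text):
    """Field extraction: one dict per line that matches the log format."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def stats_count_by(events, field):
    """'| stats count by <field>': one row per value with its event count."""
    return dict(Counter(e[field] for e in events))


def stats_dc(events, field):
    """'| stats dc(<field>)': number of distinct values of the field."""
    return len({e[field] for e in events})


# Boolean operators as predicate builders; search() applies one to the events.
def eq(field, value):
    return lambda e: e.get(field) == value


def IN(field, values):
    allowed = set(values)
    return lambda e: e.get(field) in allowed


def AND(*preds):
    return lambda e: all(p(e) for p in preds)


def OR(*preds):
    return lambda e: any(p(e) for p in preds)


def NOT(pred):
    return lambda e: not pred(e)


def search(events, pred):
    return [e for e in events if pred(e)]


if __name__ == "__main__":
    events = parse(ACCESS_LOG)
    # source="/var/log/apache2/access.log" | stats count by status_code
    print(stats_count_by(events, "status_code"))
    # ... status_code IN (200, 404)
    print(len(search(events, IN("status_code", ["200", "404"]))))
    # ... clientip=198.51.100.7 AND NOT status_code=200
    hits = search(events, AND(eq("clientip", "198.51.100.7"),
                              NOT(eq("status_code", "200"))))
    print([h["uri"] for h in hits])
```

The last query is the shape of a typical hunting search: one client, only its failed requests, which here surfaces both the WordPress login probe and the path traversal attempt in a single result set.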
What Is Spoofing?
Spoofing is the act of disguising a communication from an unknown source as one coming from a known, trusted source. Spoofing can apply to emails, phone calls, and websites, or can be more technical, such as a computer forging an IP address, ARP (Address Resolution Protocol) replies, or DNS (Domain Name System) responses. Email Spoofing - Forging email headers (most often the From: field) to fool recipients into trusting the message DNS Spoofing - Injecting forged DNS records or responses so that a legitimate name resolves to an attacker-controlled address and traffic is redirected to a malicious website
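One check a mail gateway can run against email spoofing is identifier alignment, the DMARC idea that the visible From: domain must match the domain of the envelope sender recorded in Return-Path. The following is an added example (not from the original page) implementing that check in relaxed mode (organizational domains must match) over constructed headers. Its organizational-domain function is an assumed simplification (last two labels); a real implementation uses the Public Suffix List so that names like example.co.uk are handled correctly.

```python
# Added example: From: vs Return-Path domain alignment check on constructed
# email headers. Relaxed mode compares organizational domains.
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    """Crude organizational domain: the last two labels (assumed simplification;
    real code consults the Public Suffix List)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def header_domain(msg, header):
    """Domain part of the address in a header, or None if absent/unparsable."""
    value = msg.get(header)
    if not value:
        return None
    _, addr = parseaddr(value)          # strips display name and angle brackets
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def check_alignment(raw_message, strict=False):
    """Return (aligned, from_domain, return_path_domain)."""
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg, "From")
    rp_dom = header_domain(msg, "Return-Path")
    if from_dom is None or rp_dom is None:
        return False, from_dom, rp_dom   # cannot align what is missing
    if strict:
        return from_dom == rp_dom, from_dom, rp_dom
    return org_domain(from_dom) == org_domain(rp_dom), from_dom, rp_dom


# Constructed messages (headers only matter; bodies are placeholders).
LEGIT = """\
Return-Path: <bounces@mail.example.com>
From: Alice <alice@example.com>
To: bob@example.net
Subject: report

body
"""

SPOOFED = """\
Return-Path: <x7@attacker.example>
From: "CEO" <ceo@example.com>
To: bob@example.net
Subject: urgent wire

body
"""

# Display-name trick: the lure is in the quoted name, the real address aligns.
DISPLAY_NAME = """\
Return-Path: <x7@attacker.example>
From: "ceo@example.com" <evil@attacker.example>
To: bob@example.net
Subject: urgent wire

body
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("display", DISPLAY_NAME)):
        print(name, check_alignment(raw))
```

The third message passes alignment because the real address and envelope sender agree; the deception lives entirely in the display name, so alignment (and SPF/DKIM/DMARC) must be paired with user-facing controls such as showing the actual address or flagging external senders.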
What is Steganography?
Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection; the secret data is then extracted at its destination. Steganography can be combined with encryption as an extra layer, so that even a recovered payload is unreadable. - The art of concealing information within files - Hiding files within other files - An inconspicuous image can carry sensitive data without a visible change.
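The classic image technique is least-significant-bit (LSB) embedding: each pixel's lowest bit is replaced with one bit of the secret, changing every sample value by at most 1. The following is an added example (not from the original page) that embeds and extracts a message in an 8-bit grayscale "image" held as a bytearray; no image library is used, the cover pixels are generated here with a fixed seed, and the 4-byte length prefix is this example's own framing choice.

```python
# Added example: LSB steganography over a constructed 8-bit grayscale cover.
import random


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: bytes, secret: bytes) -> bytearray:
    """Return a copy of cover whose LSBs carry a 4-byte length + secret."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(payload) * 8} samples, "
                         f"have {len(cover)}")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit      # clear LSB, set it to the bit
    return stego


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the LSBs."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if (4 + length) * 8 > len(stego):
        raise ValueError("truncated data or not a stego image")
    return read_bytes(32, length)


def max_abs_change(a, b):
    """Largest per-sample difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover: 64x64 grayscale noise, fixed seed for repeatability.
random.seed(7)
COVER = bytes(random.randrange(256) for _ in range(64 * 64))
SECRET = b"meet at 0300, gate 4"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print(extract(stego))
    print("max pixel change:", max_abs_change(COVER, stego))
```

The max-change check is the whole point of LSB hiding: no sample moves by more than one grey level, so the image looks unchanged to the eye. It is also why LSB embedding in a lossless format survives, while re-saving as JPEG destroys the payload, and why statistical detectors (chi-square tests on LSB pair frequencies) can still find it.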
What are the OWASP Top 10 IoT Vulnerabilities?
The OWASP Top 10 is an awareness document that promotes more secure development by ranking the most critical security risks to applications, backed by security guidelines and open-source security tools. It represents a broad consensus on those risks. OWASP also publishes a separate IoT Top 10, which applies the same approach to the most common weaknesses found in Internet of Things devices and the systems around them.
Where Is DNS Information Stored?
A domain name registrar is the company through which a domain is registered and renewed. The domain name registry operates the top-level domain (such as .com) and maintains the authoritative database of which names exist and which name servers serve them. The DNS records themselves (which names map to which IP addresses) are stored in zone files on the authoritative name servers for the domain. Domains are not owned but reserved for a limited period, which can be renewed.
What is Access Control Identification?
User-Activated Reader - The user takes an active part in identification and authentication. Actions can include swiping a card, entering a PIN, and presenting a biometric. System Sensor Access Control Reader - The reader senses an approaching object and scans for a card or token; the token responds to the reader's signal, which is why such systems are known as transponder systems. Facilities should be segmented into areas. Each area should have a different purpose and different access controls. A locking mechanism should be in place at every entrance. Locks act as a delaying mechanism for intruders and vary in strength, quality, and functionality. Having a master key reduces the number of keys administrators need to carry around. This approach can avoid having to call a locksmith and improves operational efficiency, but a lost or copied master key compromises every lock it opens, so master keys need stricter handling than ordinary keys.
What is Correlation Alerts?
Various security products raise similar alerts that indicate suspicious behavior by connecting the steps between individual events. An example of what could trigger a correlation alert: a user is added to the Domain Admins group and, shortly afterward, that same account resets the passwords of other domain admin users. Each event on its own is routine, but the sequence can imply a malicious takeover attempt. It does not necessarily mean that an incident has occurred, however, and should be investigated by the SOC team for validation.
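To show what such a rule looks like in code, the following is an added example (not from the original page) that links the two events just described. The event IDs are real Windows security event IDs (4728, a member was added to a security-enabled global group; 4724, an attempt was made to reset an account's password), but the key=value line format, the 30-minute window and every account name are this example's own constructed simplification, not real Windows log output.

```python
# Added example: a two-stage correlation rule over constructed
# Windows-style security events. Not real event log output.
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=30)

# Constructed events. subject = account performing the action,
# target = account acted upon.
EVENTS = [
    '2024-10-10T08:01:00 id=4624 subject=svc-backup target=svc-backup',
    '2024-10-10T08:02:10 id=4728 subject=jsmith target=mallory group="Domain Admins"',
    '2024-10-10T08:05:45 id=4724 subject=mallory target=jsmith',
    '2024-10-10T08:06:02 id=4724 subject=mallory target=admin-ops',
    '2024-10-10T09:30:00 id=4724 subject=helpdesk target=bob',
    '2024-10-10T11:00:00 id=4728 subject=jsmith target=newadmin group="Domain Admins"',
    '2024-10-10T15:00:00 id=4724 subject=newadmin target=carol',
]


def parse(line):
    """Split a constructed 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def correlate(lines, window=WINDOW):
    """One alert per password reset of another account by a freshly added admin."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    added_at = {}          # account -> time it joined a privileged group
    alerts = []
    for ev in events:
        # Stage 1: remember privileged-group additions.
        if ev["id"] == "4728" and ev.get("group") in PRIV_GROUPS:
            added_at[ev["target"]] = ev["ts"]
        # Stage 2: a reset by a recently added account, inside the window.
        elif ev["id"] == "4724" and ev["target"] != ev["subject"]:
            since = added_at.get(ev["subject"])
            if since is not None and ev["ts"] - since <= window:
                alerts.append({
                    "actor": ev["subject"],
                    "victim": ev["target"],
                    "minutes_after_promotion": (ev["ts"] - since).seconds // 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only mallory's two resets fire: helpdesk was never promoted, and newadmin's reset comes hours after promotion, outside the window. The window is the tuning knob that trades missed slow attacks against noise from legitimate onboarding, which is exactly why the page says a correlation alert still needs analyst validation.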