CS0-003 Security Operations

Detailed list of CS0-003 knowledge points

Security Operations Detailed Explanation

1. Security Monitoring and System Hardening

Security Monitoring and System Hardening involves protecting systems and networks through architectural design, reducing their attack surface, and continuously monitoring their behavior to identify security threats.

1.1 System and Network Architecture

Understanding System Components

Let’s begin with the basic components of a network and system infrastructure:

Component         | Description
Servers           | Centralized machines that host applications, databases, or services.
Endpoints         | Devices like desktops, laptops, mobile phones, and IoT devices.
Firewalls         | Security devices that filter incoming and outgoing traffic based on rules.
Routers           | Devices that connect networks and direct traffic between them.
Switches          | Devices that connect systems within the same network (Layer 2 communication).
Virtual Machines  | Software-based systems emulating physical machines for resource efficiency.
Practical Example

Imagine an office network where employees use computers (endpoints). All traffic from those endpoints is managed by switches (internal network), which send data to the router for external communication (e.g., accessing the internet). Firewalls are placed to ensure only authorized traffic is allowed.

Network Segmentation

Network segmentation is like dividing a large house into locked rooms, where only authorized people can access specific areas. It prevents lateral movement—where an attacker compromises one system and moves to others.

  1. Types of Segmentation:
  • VLANs (Virtual Local Area Networks):
    • Logical separation of traffic within the same physical network.
    • Example: Finance and HR teams are on separate VLANs for better security.
  • Subnetting:
    • Dividing IP address ranges into smaller segments to isolate network resources.
    • Example: Servers have IP addresses in one subnet (192.168.1.x), and endpoints use another (192.168.2.x).
  • Micro-segmentation:
    • Extremely granular isolation, such as isolating traffic between applications on the same server.
Security Zones

Security zones organize networks into different trust levels, each with specific rules. These zones reduce the risk of unauthorized access.

Zone             | Purpose                                                              | Example
DMZ              | A demilitarized zone for public-facing services (e.g., web servers). | Hosting a company's website.
Trusted Zone     | Internal network with high security for trusted devices.             | Office employee network.
Untrusted Zone   | External networks, like the internet.                                | Internet traffic.
Secure Enclaves  | Highly secure areas for sensitive systems (e.g., databases).         | Financial records server.
Hardening Systems and Networks

System and network hardening reduce vulnerabilities by limiting unnecessary features and applying security controls.

Key Hardening Practices:
  1. Secure Default Configurations:
  • Change default usernames and passwords before a device goes into service.
  • Example: Never leave routers with the default "admin/admin" credentials.
  2. Remove Unnecessary Services:
  • Disable unused services (e.g., FTP, telnet) on servers; every listening service is attack surface.
  • Example: If a server only needs HTTPS, disable other protocols such as FTP and plain HTTP.
  3. Baseline Security Templates:
  • Follow security benchmarks such as:
    • CIS Benchmarks: The Center for Internet Security publishes consensus hardening guides per operating system and application.
    • NIST Publications: NIST publishes control baselines (e.g., SP 800-53) and configuration guidance.
  • Example: Use the CIS Windows Server benchmark to secure configurations, then verify compliance with an automated scanner rather than by hand, since drift from the baseline is the usual failure.
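The following script is an added example, not part of the page and not any benchmark's own tooling. It audits an OpenSSH server configuration against a small hardening baseline in the spirit of the CIS SSH recommendations, showing the weak configuration beside its hardened form. The two configuration texts, the baseline values and the rationale strings are constructed for illustration; exact expected values differ between benchmark versions.

```python
"""Audit sshd_config directives against a hardening baseline (added example)."""
import re

# Constructed sample of a permissive, default-style sshd_config.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not from a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 6
LogLevel INFO
"""

# The same file after applying the findings produced below.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

# Assumed baseline: directive -> (expected value, rationale). The values follow
# common CIS guidance for OpenSSH, but exact settings differ by benchmark
# version, so treat this table as an illustrative baseline, not the benchmark.
BASELINE = {
    "PermitRootLogin": ("no", "no direct root logins; escalate via sudo"),
    "PasswordAuthentication": ("no", "key-based auth only; defeats password guessing"),
    "PermitEmptyPasswords": ("no", "empty passwords must never be accepted"),
    "X11Forwarding": ("no", "unneeded feature; reduce attack surface"),
    "MaxAuthTries": ("4", "cap guesses per connection"),
    "LogLevel": ("VERBOSE", "log key fingerprints for investigations"),
}

# sshd accepts "Key value" and "Key=value"; directive names are case-insensitive.
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.+)$")


def parse_sshd_config(text):
    """Return {directive_lowercase: value} keeping the FIRST occurrence.

    sshd applies the first matching directive it reads, so a weak duplicate
    later in the file is harmless while a weak one earlier wins."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        match = DIRECTIVE.match(line) if line else None
        if match:
            config.setdefault(match.group(1).lower(), match.group(2).strip())
    return config


def audit_sshd_config(text, baseline=BASELINE):
    """Return [(directive, actual, expected, rationale)] for every deviation.

    An unset directive is reported too: the compiled-in default then applies,
    and for several of these directives the default is the weak value."""
    config = parse_sshd_config(text)
    findings = []
    for directive, (expected, rationale) in baseline.items():
        actual = config.get(directive.lower(), "<unset>")
        if actual.lower() != expected.lower():
            findings.append((directive, actual, expected, rationale))
    return findings


if __name__ == "__main__":
    for directive, actual, expected, why in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{directive}: {actual!r} -> set to {expected!r} ({why})")
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Feed it the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; a CIS-CAT or OpenSCAP scan does the same comparison at scale, and the first-occurrence rule in the parser is why a hardening line appended to the end of an existing config can silently have no effect.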
Access Controls

Access control ensures only authorized users can access systems or resources.

  1. Role-Based Access Control (RBAC):
  • Users are assigned roles (e.g., admin, manager, employee), and permissions are granted to roles rather than to individuals.
  • Example:
    • Admin: Full access to servers.
    • Employee: Only access to email and web portals.
  2. Least Privilege Principle (PoLP):
  • Grant users only the permissions necessary to perform their tasks, and review them when roles change.
  • Example: A marketing employee doesn't need access to financial records.
  3. Multi-Factor Authentication (MFA):
  • MFA requires two or more authentication factors of different types to access systems (two passwords are not MFA):
    • Something you know: Password.
    • Something you have: Authenticator app, hardware token, or smart card.
    • Something you are: Biometrics (fingerprint, facial recognition).
  • Example: Logging into an email account requires a password (first factor) and a 6-digit code generated by an authenticator app on the user's phone (second factor). Codes delivered by SMS are weaker because they can be intercepted or redirected (e.g., SIM swapping); phishing-resistant methods such as FIDO2 security keys are stronger still.

Summary

System and Network Architecture involves:

  1. Understanding system components like servers, firewalls, and routers.
  2. Implementing network segmentation to isolate networks and limit attacker movement.
  3. Creating security zones to organize and secure trust levels.
  4. Hardening systems using secure baselines, disabling unnecessary services, and changing defaults.
  5. Applying access controls like RBAC, PoLP, and MFA to protect resources.

1.2 Log Management and SIEM Tools

What Are Logs?

Logs are records of activities that occur within a system, network, or application. Think of logs as diaries that systems maintain to track what happens—who accessed them, what actions were taken, and if anything suspicious occurred.

Log Types

Logs are categorized based on the source of the information:

Log Type              | Description                                                                  | Examples
System Logs           | Records events related to system operations.                                 | Boot events, crashes, errors.
Application Logs      | Tracks activities within specific applications.                              | User logins, failed attempts.
Security Logs         | Records events like logins, access attempts, and policy violations.          | Authentication successes/failures.
Network Traffic Logs  | Captures network activities like incoming/outgoing connections and traffic.  | Firewall logs, packet captures.
Practical Examples:
  1. System Log: If a server crashes, the system log records the event and reason for the crash.
  2. Security Log: Tracks login attempts—failed logins may indicate brute-force attacks.
  3. Network Log: Firewall logs show if unauthorized IP addresses attempted to connect to the network.
What Is Log Management?

Log management involves collecting, storing, and analyzing logs to detect threats and troubleshoot issues. It consists of:

  1. Log Collection: Gathering logs from systems, applications, and network devices.
  2. Log Aggregation: Centralizing logs into one location for easier analysis.
  3. Log Retention: Storing logs securely for future audits or investigations.
  4. Log Analysis: Reviewing logs to identify patterns, errors, or suspicious activities.
Introduction to SIEM Tools

SIEM (Security Information and Event Management) tools automate log management and help detect anomalies. A SIEM collects logs from multiple sources, correlates events, and generates alerts for unusual activities.

How SIEM Tools Work:
  1. Log Collection: SIEM gathers logs from devices, servers, firewalls, and applications.
  2. Normalization: Standardizes log formats so all logs are readable and comparable.
  3. Correlation: Identifies relationships between log entries to detect suspicious patterns.
  4. Alerting: Generates alerts for unusual activities, such as failed logins or unauthorized access.
  5. Dashboards: Visualizes data using graphs and tables for quick analysis.
Popular SIEM Tools
  1. Splunk:
  • Description: A widely deployed SIEM and log analytics platform for log collection, analysis, and visualization.
  • Features:
    • Real-time log monitoring.
    • Searchable interface (SPL queries) for analyzing logs.
    • Alert generation for anomalies.
    • Custom dashboards to visualize security data.
  • Example Use Case: Detecting failed login attempts across servers and alerting the admin.
  2. IBM QRadar:
  • Description: IBM's SIEM for log correlation and threat detection.
  • Features:
    • Collects and normalizes logs from diverse sources.
    • Rule-based correlation into "offenses", with optional analytics add-ons (e.g., user behavior analytics) for advanced threats.
    • Visual dashboards and automated reporting.
  • Example Use Case: Identifying suspicious network activity like data exfiltration.
  3. Elastic Stack (ELK):
  • Description: Log management stack (source-available; its licensing has changed over time, so check the current terms) consisting of three core components:
    • Elasticsearch: Stores and indexes logs.
    • Logstash: Collects, processes, and sends logs to Elasticsearch (Beats and Elastic Agent are lighter-weight shippers for the same job).
    • Kibana: Visualizes logs with graphs, charts, and dashboards.
  • Example Use Case: Visualizing system logs for CPU spikes across servers.
  4. ArcSight (Micro Focus, now OpenText):
  • Description: A SIEM aimed at large enterprises.
  • Features:
    • Centralized log collection and real-time correlation.
    • Event analysis for detecting advanced persistent threats (APTs).
Log Analysis Techniques
1. Pattern Detection
  • Identify common patterns in logs, such as repeated failed login attempts.
  • Example:
    • If a user account has 20 failed login attempts within 10 minutes, it could indicate a brute-force attack.
2. Filtering Logs with Regex (Regular Expressions)
  • Use regular expressions to pull the relevant lines out of large log files.
  • Example:
    • OpenSSH records a failed password attempt as "Failed password for <user> from <IP>". The first grep keeps only those lines (the regex anchors on a dotted-quad source address); the pipeline then counts attempts per source IP, most active first:

      grep -E "Failed password for .* from ([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log/auth.log | grep -oE "from [0-9.]+" | sort | uniq -c | sort -rn

    • Match the exact string the daemon writes: a pattern such as "Failed login" that never appears in OpenSSH output returns nothing and silently hides the attack. On Red Hat-family systems the file is /var/log/secure rather than /var/log/auth.log.
3. Detecting Privilege Escalations
  • Analyze logs for actions that increase user privileges (e.g., sudo commands).
  • Example:
    • Detect when a non-admin user executes commands requiring admin access.
4. Timestamp Analysis
  • Logs include timestamps that show when events occurred.
  • By analyzing timestamps, you can identify anomalies, such as:
    • Login attempts at unusual times (e.g., midnight).
    • System reboots outside of maintenance windows.
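The four techniques above (pattern detection, regex filtering, privilege-escalation checks and timestamp analysis) applied together, as an added example that is not from the page: the script parses constructed auth.log-style lines with regular expressions, runs a sliding-window brute-force detector, flags sudo use by anyone outside an assumed admin set, and flags successful logins and sudo outside assumed business hours. The log lines, the hostnames, the admin set and the year (syslog timestamps carry none) are all made up for the demonstration.

```python
"""Pattern detection over constructed auth.log lines (added example).

The lines mimic Debian/Ubuntu /var/log/auth.log entries but are made up; the
year is assumed because syslog timestamps carry none."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Jun 12 01:00:30 web01 sshd[2101]: Failed password for invalid user admin from 192.168.1.10 port 51022 ssh2
Jun 12 01:00:33 web01 sshd[2104]: Failed password for invalid user admin from 192.168.1.10 port 51024 ssh2
Jun 12 01:00:37 web01 sshd[2107]: Failed password for root from 192.168.1.10 port 51026 ssh2
Jun 12 01:00:41 web01 sshd[2110]: Failed password for root from 192.168.1.10 port 51028 ssh2
Jun 12 01:00:45 web01 sshd[2113]: Failed password for root from 192.168.1.10 port 51030 ssh2
Jun 12 01:00:50 web01 sshd[2116]: Failed password for root from 192.168.1.10 port 51032 ssh2
Jun 12 01:00:52 web01 sshd[2130]: Accepted password for root from 192.168.1.10 port 51040 ssh2
Jun 12 09:00:00 web01 sshd[2250]: Failed password for alice from 10.0.0.23 port 40110 ssh2
Jun 12 09:00:09 web01 sshd[2252]: Accepted publickey for alice from 10.0.0.23 port 40112 ssh2
Jun 12 09:15:03 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun 12 23:41:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

SYSLOG_PREFIX = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ")
PATTERNS = {
    "failed_login": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port"),
    "accepted_login": re.compile(
        r"Accepted \w+ for (?P<user>\S+) from (?P<src_ip>\S+) port"),
    "sudo": re.compile(
        r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"),
}


def parse_auth_log(text, year=2024):
    """Turn raw lines into event dicts with a real datetime and a 'kind'."""
    events = []
    for line in text.splitlines():
        prefix = SYSLOG_PREFIX.match(line)
        if not prefix:
            continue
        month, day, clock, host = prefix.groups()
        ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append({"ts": ts, "host": host, "kind": kind, **match.groupdict()})
                break
    return events


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window: {src_ip: peak failures inside any `window`} where peak >= threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "failed_login":
            by_ip[e["src_ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_success_after_burst(events, bursts):
    """A successful login from a brute-forcing IP is the real alarm (ATT&CK T1078)."""
    return [(e["user"], e["src_ip"], e["ts"]) for e in events
            if e["kind"] == "accepted_login" and e["src_ip"] in bursts]


def detect_unexpected_sudo(events, admins):
    """Privilege escalation check: sudo by anyone outside the approved admin set."""
    return [(e["user"], e["target"], e["command"]) for e in events
            if e["kind"] == "sudo" and e["user"] not in admins]


def detect_off_hours(events, start_hour=8, end_hour=18):
    """Timestamp analysis: successful logins or sudo use outside business hours."""
    return [e for e in events if e["kind"] in ("accepted_login", "sudo")
            and not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    bursts = detect_brute_force(evts)
    print("brute force:", bursts)
    print("success after burst:", detect_success_after_burst(evts, bursts))
    print("unexpected sudo:", detect_unexpected_sudo(evts, admins={"alice"}))
    print("off hours:", [(e["ts"].time(), e["kind"], e["user"]) for e in detect_off_hours(evts)])
```

The sliding window matters: a fixed "failures per calendar minute" bucket misses a burst that straddles a minute boundary, and the success-after-burst check is what turns a noisy "someone is scanning" signal into an incident.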
Key Log Fields to Focus On

When analyzing logs, focus on critical fields that provide insights:

Field           | Description                                                                                   | Example
Timestamp       | Date and time of the event (record the time zone; normalize to UTC when correlating sources). | 2024-06-01T12:30:45Z
Source IP       | IP address from where the activity originated.                                                | 192.168.1.100
Destination IP  | IP address of the targeted system.                                                            | 10.0.0.5
User Account    | User performing the action.                                                                   | admin or guest
Event ID        | Unique identifier for the type of event.                                                      | Windows 4625 for a failed logon.
Action Taken    | The activity recorded (e.g., login, file access).                                             | File deleted, Login success
Summary
  1. Logs are critical records of system, application, and network activities.
  2. Log Management involves collecting, storing, and analyzing logs to detect suspicious behavior.
  3. SIEM Tools (e.g., Splunk, QRadar, ELK) automate log management, analyze data, and generate alerts.
  4. Log Analysis techniques include pattern detection, filtering, and focusing on key fields like timestamps, IP addresses, and user accounts.

1.3 Continuous Security Monitoring

What is Continuous Security Monitoring?

Continuous Security Monitoring (CSM) is the ongoing process of monitoring systems, networks, and applications to detect and respond to security incidents quickly. Unlike periodic audits, CSM operates 24/7 to identify unusual activities and malicious behaviors in real time.

Tools for Continuous Monitoring

Different tools are used to monitor various parts of the IT infrastructure:

1. Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)
  • Purpose:
    • IDS detects malicious activity and generates alerts.
    • IPS goes a step further by automatically blocking suspicious activity.
  • How They Work:
    • Use signature-based detection (predefined attack patterns) or behavior-based detection (anomalies in system behavior).
  • Example Tools:
    • Snort: Open-source IDS/IPS for packet analysis.
    • Suricata: High-performance IDS/IPS capable of handling large traffic volumes.
  • Practical Example:
    • If an attacker scans your network for open ports, the IDS detects and alerts you, while the IPS may block the scanning IP address.
2. Endpoint Detection and Response (EDR)
  • Purpose:
    • EDR tools monitor and protect endpoints (e.g., laptops, servers) from malware, unauthorized access, and abnormal behavior.
  • How They Work:
    • Continuously collect and analyze endpoint data to identify suspicious activities.
  • Example Tools:
    • CrowdStrike Falcon: Monitors processes, file activity, and user behavior on endpoints.
    • Microsoft Defender for Endpoint: Provides real-time endpoint monitoring and threat blocking.
  • Practical Example:
    • If malware attempts to execute on an employee’s laptop, the EDR tool blocks the malware and alerts the security team.
3. Security Information and Event Management (SIEM)
  • SIEM tools, like Splunk or IBM QRadar, are central to continuous monitoring.
  • Role:
    • Aggregate and correlate logs from across the infrastructure.
    • Detect real-time security events and generate actionable alerts.
  • Example:
    • Detecting a user attempting multiple failed logins across different systems within seconds.
4. Network Traffic Analysis Tools
  • Purpose:
    • Monitor traffic across the network to identify anomalies or unauthorized data movement.
  • Example Tools:
    • Wireshark: Packet capture and analysis.
    • Zeek (Bro): Detects suspicious patterns in network traffic.
  • Practical Example:
    • A sudden surge of outbound traffic, especially to a single external host outside business hours, could indicate data exfiltration.
Metrics for Continuous Monitoring

To effectively monitor systems, you need to track specific metrics that highlight abnormal behavior:

Metric                        | Description                                                                              | Example
CPU Utilization Spikes        | High CPU usage over a short period could indicate malware activity (e.g., cryptomining). | CPU jumps to 100% unexpectedly.
Network Bandwidth Anomalies   | Sudden surges or drops in network traffic could indicate a DoS attack or data theft.     | Huge outbound traffic at 2 a.m.
Unauthorized Access Attempts  | Repeated login failures, privilege escalations, or access outside working hours.         | 50 failed logins from one IP.
New Processes or Files        | Unexpected processes or files appearing on endpoints.                                    | cmd.exe spawned by an Office document.
Automated Monitoring Techniques
1. Scripts and Cron Jobs
  • Scripts automate repetitive monitoring tasks, such as:
    • Checking for high CPU usage.
    • Identifying unauthorized login attempts.
    • Monitoring file changes on servers.
  • Cron Jobs:
    • Scheduled tasks (used in Linux/Unix) that run scripts at regular intervals.
Practical Example:

A cron job runs every 5 minutes to check system resource usage (the script path /usr/local/bin/cpu_check.sh is assumed):

#!/bin/bash
# Append a timestamped CPU summary line; ">" would overwrite the previous sample.
echo "$(date -Is) $(top -b -n1 | grep 'Cpu(s)')" >> /var/log/cpu_usage.log
  • The crontab entry */5 * * * * /usr/local/bin/cpu_check.sh runs it every five minutes; each run appends one line, so the log keeps a history that can be graphed or checked against a threshold instead of holding only the latest sample.
2. Alerts and Notifications
  • Security teams set up automated alerts to trigger when specific conditions are met, such as:
    • More than 10 failed login attempts from a single IP in 1 minute.
    • An endpoint attempting to access a restricted network.
  • Example Tools:
    • Splunk Alerts: Custom alert rules based on log thresholds.
    • Nagios: System and network monitoring with email notifications.
3. Real-Time Dashboards
  • Dashboards visually represent the health and security of systems and networks.
  • Example:
    • A SIEM dashboard might show:
      • Failed logins in the last hour.
      • Top 5 systems with the highest CPU usage.
      • Network traffic anomalies (spikes or drops).
Practical Workflow of Continuous Monitoring
  1. Log Collection:
  • Logs are collected from firewalls, endpoints, servers, and applications.
  2. Analysis:
  • SIEM tools or network analysis tools identify suspicious activity.
  3. Alerts:
  • Alerts are triggered for anomalies (e.g., brute-force login attempts).
  4. Response:
  • Security teams investigate and respond to the alert.
  5. Reports:
  • Dashboards and reports provide insights into overall security health.
Example Scenario: Detecting a Brute-Force Attack
  1. Log Data:
  • The security logs show failed login attempts:

    Timestamp: 2024-06-12 01:00:30
    User: admin
    Source IP: 192.168.1.10
    Action: Login Failed

  2. Alert:
  • The SIEM detects 50 failed logins in 2 minutes from the same source IP and sends an alert to the security team.
  3. Response:
  • The security team blocks the source IP address (192.168.1.10) using the firewall. Because 192.168.1.10 is an internal address, the block is only a stopgap: that host is either compromised or being misused, so it needs to be isolated and investigated, and any account that eventually succeeded from it should have its password reset.
Summary of Continuous Security Monitoring
  1. Tools for Monitoring:
  • IDS/IPS for network threat detection.
  • EDR tools for endpoint monitoring.
  • SIEM tools for aggregating and analyzing logs.
  2. Metrics to Monitor:
  • CPU spikes, network anomalies, and unauthorized access attempts.
  3. Automation Techniques:
  • Scripts, cron jobs, and alerts for real-time detection and response.
  4. Workflow:
  • Collect logs, analyze data, generate alerts, and take action.

2. Threat Detection and Analysis

Threat detection involves identifying malicious activities, while threat analysis determines the nature, scope, and impact of those threats. Together, they help security teams detect, understand, and respond to cyber threats effectively.

2.1 Indicators of Compromise (IoCs)

What Are IoCs?

Indicators of Compromise (IoCs) are pieces of evidence that suggest a system has been compromised. Security analysts use IoCs to detect and respond to security incidents.

Types of IoCs
  1. File-Based Indicators:
  • Detect changes to files or the presence of malicious files.
  • Common examples:
    • Hashes: Unique identifiers for files (e.g., MD5, SHA-1, SHA-256). Prefer SHA-256; collisions for MD5 and SHA-1 are practical, so two different files can share one of those hashes.
    • File Names: Suspicious or unusual filenames like malware.exe.
    • File Sizes: Malicious files might have specific sizes (a weak indicator on its own; pair it with a hash or observed behavior).
  • Practical Example: If you download a suspicious file, the security team compares its SHA-256 hash to known malware hashes on VirusTotal. If it matches, the file is flagged as malicious; if it does not match, the file is not cleared, because a recompiled or repacked sample has a new hash.
  2. Network-Based Indicators:
  • Track suspicious activities across the network.
  • Examples:
    • Malicious IP Addresses: IPs known to distribute malware or host command-and-control (C2) servers.
    • Domains: Websites hosting phishing pages or malware.
    • Unusual Ports: Services on ports outside the norm (e.g., SSH on port 2222 instead of 22), or traffic on a standard port that does not match the expected protocol.
  • Practical Example: If network logs show outbound traffic to badwebsite.com, this may indicate C2 communication or data exfiltration; confirm it by identifying which process on the host opened the connection and how much data it sent.
  3. Behavioral-Based Indicators:
  • Detect abnormal or unauthorized behavior within systems.
  • Examples:
    • Unexpected process execution: Malware spawning child processes such as cmd.exe or powershell.exe from an Office application.
    • Privilege Escalation: A user gaining admin rights without authorization.
    • Unusual System Calls: Programs making unexpected registry changes.
  • Practical Example: If a normal application suddenly tries to modify system files or launch new processes, this could indicate malware.

Using IoCs in Threat Detection
  • IoCs are cross-referenced against:
    • Threat Intelligence Feeds: Public and private feeds with known malicious hashes, IPs, and domains.
    • Tools:
      • VirusTotal: Upload files or check IPs, domains, and hashes for malicious indicators (uploading a file shares it with the vendor community, which may be unacceptable for sensitive documents; look up the hash first).
      • MITRE ATT&CK Framework: Not an IoC database but a catalog of attacker tactics, techniques, and procedures (TTPs); analysts map the behavior behind an IoC to a technique so detection does not depend on the attacker reusing the same hash or IP.
      • SIEM Platforms: Match IoCs against collected logs, typically through lookup tables or threat-intelligence integrations.
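Cross-referencing file and network IoCs, as an added example (not from the page or any vendor tool): the script hashes a constructed sample with the three algorithms feeds publish, checks it against a constructed IoC set, and scans constructed firewall/proxy lines for indicator IPs and domains. Matching is done on extracted tokens rather than by substring, because a naive `"203.0.113.50" in line` also fires on 203.0.113.5. The sample bytes, IoC set and log lines are all invented; the feed's SHA-256 is derived from the sample so the block runs offline.

```python
"""Cross-reference file hashes and network IoCs against a constructed feed (added example)."""
import hashlib
import re

# Constructed "malware" sample bytes; not a real or runnable binary.
MALICIOUS_SAMPLE = b"MZ\x90\x00 constructed stand-in for a malicious binary"

# Constructed IoC set in the shape a parsed threat feed would give us. The SHA-256
# is derived from the sample above purely so the example is self-contained.
IOC_SET = {
    "md5": set(),
    "sha1": set(),
    "sha256": {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()},
    "ipv4": {"203.0.113.50"},
    "domain": {"badwebsite.com"},
}

# Constructed firewall/proxy lines; the field layout is illustrative, not a vendor format.
SAMPLE_LOG_LINES = [
    "2024-06-12T01:03:11Z fw01 ALLOW src=10.0.0.23 dst=203.0.113.50 dport=443",
    "2024-06-12T01:03:12Z proxy01 GET host=badwebsite.com path=/up.php src=10.0.0.23",
    "2024-06-12T01:04:00Z fw01 ALLOW src=10.0.0.24 dst=93.184.216.34 dport=443",
    "2024-06-12T01:05:00Z proxy01 GET host=updates.example.net path=/ src=10.0.0.24",
    "2024-06-12T01:06:00Z fw01 ALLOW src=10.0.0.24 dst=203.0.113.5 dport=443",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def file_hashes(data):
    """Compute the three hash types most feeds publish."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_file(data, ioc_set):
    """Return the hash types under which `data` appears in the feed."""
    hashes = file_hashes(data)
    return [algo for algo, digest in hashes.items() if digest in ioc_set.get(algo, ())]


def scan_logs(lines, ioc_set):
    """Return (line_number, ioc_type, value) for every network IoC seen.

    Tokens are extracted with anchored regexes instead of substring search so
    that 203.0.113.5 in a log line does not light up the 203.0.113.50 indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        lowered = line.lower()
        for ip in IPV4.findall(lowered):
            if ip in ioc_set["ipv4"]:
                hits.append((number, "ipv4", ip))
        for domain in DOMAIN.findall(lowered):
            if domain in ioc_set["domain"]:
                hits.append((number, "domain", domain))
    return hits


if __name__ == "__main__":
    print("sample matches:", match_file(MALICIOUS_SAMPLE, IOC_SET))
    print("benign matches:", match_file(b"hello world", IOC_SET))
    for hit in scan_logs(SAMPLE_LOG_LINES, IOC_SET):
        print("log hit:", hit)
```

Hash matching only ever finds samples the feed has already seen; a repacked binary has a fresh hash, which is why the behavioral indicators above are needed alongside it.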

2.2 Threat Intelligence

What is Threat Intelligence?

Threat Intelligence provides contextual information about current and emerging cyber threats. It helps organizations identify attackers’ strategies, tools, and behaviors.

Types of Threat Intelligence
  1. Strategic Threat Intelligence:
  • High-level intelligence that focuses on long-term trends and attacker motivations.
  • Audience: Executives and decision-makers.
  • Example: Reports on increasing ransomware attacks in specific industries.
  2. Tactical Threat Intelligence:
  • Focuses on Tactics, Techniques, and Procedures (TTPs) used by attackers.
  • Audience: Security teams and analysts.
  • Example: Details of phishing attacks exploiting email attachments.
  3. Operational Threat Intelligence:
  • Intelligence about specific, ongoing or imminent attacks and campaigns: who is being targeted, with what tooling, and when.
  • Examples:
    • A notice that a ransomware group is actively exploiting a particular VPN product this week
    • The infrastructure and timing of an active phishing wave
  • Audience: SOC teams, incident responders.
  4. Technical Threat Intelligence:
  • Detailed technical data on IoCs such as file hashes, malicious IP addresses, domains, and URLs.
  • Audience: Security analysts and automated detection tools.
Sources of Threat Intelligence
  1. Open-Source Intelligence (OSINT):
  • Publicly available intelligence feeds.
  • Examples:
    • AlienVault OTX: Community-based threat sharing.
    • MalwareBazaar (abuse.ch): Repository of malware hashes and samples.
  • Benefits: Free, widely accessible. Caveat: quality varies and stale indicators cause false positives, so check an indicator's age before blocking on it.
  2. Proprietary Threat Intelligence:
  • Paid feeds from vendors offering premium, vetted intelligence.
  • Examples:
    • Mandiant (formerly FireEye Mandiant, now part of Google Cloud): Incident-response-driven threat reporting.
    • IBM X-Force: Global threat intelligence.
    • Cisco Talos: Threat detection and analysis.
  • Benefits: More reliable, better curated, and typically delivered with context about the actor and campaign.
  3. STIX/TAXII Standards:
  • STIX (Structured Threat Information eXpression): Standard JSON format for describing threat data (indicators, malware, threat actors, and the relationships between them).
  • TAXII (Trusted Automated eXchange of Indicator Information): HTTPS-based protocol for exchanging STIX content between systems; TAXII carries the data, STIX defines its structure.
Practical Example: Threat Intelligence in Action
  1. Scenario:
  • A threat intelligence feed alerts your security team about a malicious IP address (203.0.113.50; a feed carries public addresses, not internal ones).
  2. Action:
  • Search network logs, firewall logs, and proxy logs for any communication with this IP, looking back at least as far as the indicator's first-seen date.
  3. Result:
  • Block the IP at the firewall and investigate the systems that communicated with it; record which process initiated each connection and how much data moved.
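Consuming STIX in practice, as an added example that is not from the page or from any STIX/TAXII library: the script parses a constructed STIX 2.1 bundle, skips indicators that are revoked, not yet valid, expired, or written in a non-STIX pattern language, and turns the remaining patterns into an IoC set keyed by observable type (so the result can feed a search like the scenario above). The bundle, its UUIDs, feed name and indicators are invented; the parser only relies on an `objects` list, which a TAXII 2.1 response envelope also provides (assumed here rather than fetched).

```python
"""Pull currently valid IoCs out of a STIX 2.1 bundle (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed bundle: UUIDs, feed name and indicators are invented for this example.
# A TAXII 2.1 server would deliver the same indicator objects inside its response
# envelope; the parser below only relies on an "objects" list, which both share.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f0c2b1e-7a6d-4e8f-9a1b-2c3d4e5f6a7b",
    "objects": [
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
         "created": "2024-06-01T00:00:00Z", "modified": "2024-06-01T00:00:00Z",
         "name": "Constructed Feed", "identity_class": "organization"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2a3c3f-4c9f-4b2a-9b1e-1f0f2a3b4c5d",
         "created": "2024-06-10T00:00:00Z", "modified": "2024-06-10T00:00:00Z",
         "name": "C2 server", "indicator_types": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '203.0.113.50']", "pattern_type": "stix",
         "valid_from": "2024-06-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--5d4c3b2a-1f0e-4d9c-8b7a-6f5e4d3c2b1a",
         "created": "2023-11-01T00:00:00Z", "modified": "2023-11-01T00:00:00Z",
         "name": "Old phishing domain", "indicator_types": ["malicious-activity"],
         "pattern": "[domain-name:value = 'badwebsite.com']", "pattern_type": "stix",
         "valid_from": "2023-11-01T00:00:00Z", "valid_until": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0a1b2c3d-4e5f-4a6b-9c8d-7e6f5a4b3c2d",
         "created": "2024-06-11T00:00:00Z", "modified": "2024-06-11T00:00:00Z",
         "name": "Dropper", "indicator_types": ["malicious-activity"],
         "pattern": ("[file:hashes.'SHA-256' = "
                     "'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'"
                     " OR file:hashes.MD5 = '900150983cd24fb0d6963f7d28e17f72']"),
         "pattern_type": "stix", "valid_from": "2024-06-11T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a",
         "created": "2024-06-11T00:00:00Z", "modified": "2024-06-12T00:00:00Z",
         "name": "Retracted URL", "indicator_types": ["malicious-activity"],
         "pattern": "[url:value = 'http://203.0.113.51/x']", "pattern_type": "stix",
         "valid_from": "2024-06-11T00:00:00Z", "revoked": True},
    ],
})

# One "object-path = 'literal'" comparison inside a STIX pattern expression.
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def parse_stix_time(value):
    """STIX timestamps are RFC 3339 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(object_path):
    """Map "file:hashes.'SHA-256'" -> "sha256" and "ipv4-addr:value" -> "ipv4-addr"."""
    obj, _, prop = object_path.partition(":")
    if obj == "file" and prop.startswith("hashes."):
        return prop[len("hashes."):].strip("'").replace("-", "").lower()
    return obj


def extract_iocs(bundle_json, now=None):
    """Return {ioc_type: {values}} from indicators that are live at `now`.

    Revoked indicators, non-STIX pattern types (Sigma, YARA, Snort) and
    indicators outside their valid_from/valid_until window are skipped."""
    now = now or datetime.now(timezone.utc)
    iocs = defaultdict(set)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if parse_stix_time(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_stix_time(obj["valid_until"]) <= now:
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs[classify(path)].add(value)
    return dict(iocs)


if __name__ == "__main__":
    for ioc_type, values in extract_iocs(SAMPLE_BUNDLE).items():
        print(ioc_type, sorted(values))
```

The validity-window and revocation checks are the point of the exercise: feeds that are loaded once and never expired are the usual source of a SOC blocking a long-since-reassigned IP address.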

2.3 Threat Analysis Techniques

When a threat is detected, analysts use various techniques to analyze it and determine its behavior.

1. Static Malware Analysis
  • Definition: Analyzing malware without executing it.

  • How It Works:

    • Extract metadata (e.g., file names, hashes, file size).
    • Use tools to examine the file’s internal structure.
  • Tools:

    • strings: Extract readable text from binary files.
    • pefile: Inspect PE (Portable Executable) file headers.
    • Binwalk: Analyze firmware and binary images.
  • Practical Example:

    • Use strings malware.exe to identify hardcoded URLs or commands within a malware file.
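What `strings` and `pefile` each surface, reimplemented in a few lines as an added example (not from the page and not the code of either tool): the script constructs a minimal PE-like byte blob (a DOS header pointing at a PE signature, a COFF file header, and some embedded strings), reads the header fields an analyst checks first (machine type, section count, build timestamp, DLL flag), extracts printable-ASCII runs the way `strings` does, and picks out URLs, shell commands and a persistence registry path. The blob, its timestamp and its strings are invented; it is not a runnable executable.

```python
"""Static triage of a constructed PE-like blob: COFF header fields and strings
(added example; the blob is not a real or runnable executable)."""
import re
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
COFF_HEADER = struct.Struct("<HHIIIHH")   # 20-byte COFF file header


def build_sample_pe():
    """Assemble just enough bytes to carry a DOS header, a PE signature, a COFF
    header and some embedded strings. Everything here is constructed."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    coff = COFF_HEADER.pack(
        0x8664,       # Machine: AMD64
        2,            # NumberOfSections
        0x66680000,   # TimeDateStamp, constructed (2024-06-11 UTC)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols (deprecated)
        240,          # SizeOfOptionalHeader for PE32+
        0x0022,       # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    payload = (b"\x00" * 32
               + b"http://203.0.113.50/update.bin\x00"
               + b"\x90\x90\x90" + b"cmd.exe /c whoami\x00" + b"ab\x00"
               + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    return dos + b"PE\x00\x00" + coff + payload


def parse_pe_header(data):
    """Read the fields pefile would expose first: machine, sections, build time."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, sections, stamp, _, _, opt_size, flags = COFF_HEADER.unpack_from(data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": sections,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
        "optional_header_size": opt_size,
        "is_dll": bool(flags & 0x2000),      # IMAGE_FILE_DLL
    }


def extract_strings(data, min_len=4):
    """Same idea as `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(strings):
    """Pull out what an analyst looks for first in a strings dump."""
    urls = [s for s in strings if re.match(r"https?://", s)]
    shell = [s for s in strings if re.search(r"\bcmd\.exe\b|powershell", s, re.IGNORECASE)]
    run_key = any("CurrentVersion\\Run" in s for s in strings)
    return {"urls": urls, "shell_commands": shell, "run_key": run_key}


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe_header(sample))
    found = extract_strings(sample)
    print(found)
    print(find_indicators(found))
```

Two caveats the code makes visible: `extract_strings` only finds ASCII, so UTF-16 strings (common in Windows binaries; `strings -el` handles them) are missed, and a packed or encrypted sample yields almost nothing here, which is itself a finding that pushes the analysis toward the dynamic techniques below.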
2. Dynamic Malware Analysis
  • Definition: Executing malware in a controlled environment (sandbox) to observe its behavior.

  • How It Works:

    • Run the malware in a virtualized environment.
    • Monitor changes to the file system, registry, and network connections.
  • Tools:

    • Cuckoo Sandbox: Open-source automated malware analysis (the original 2.x project has been dormant since 2019; CAPE Sandbox is an actively maintained fork).
    • Hybrid Analysis: Online sandbox for malware behavior reports (submitting a sample shares it with the service, which matters for sensitive files).
  • Practical Example:

    • Run a suspicious malware.exe file in Cuckoo Sandbox and observe it creating outbound connections.
3. Behavioral Analysis
  • Definition: Observing malware behavior, such as:

    • Processes spawned by malware.
    • Registry modifications.
    • Unusual file writes.
  • Tools:

    • Windows Sysinternals Suite (e.g., Process Monitor, Autoruns).
4. Packet Analysis
  • Definition: Examining network traffic to identify malicious activities.
  • How It Works:
    • Analyze packets captured using tools like Wireshark or Zeek.
    • Look for suspicious traffic patterns:
      • Unusual ports: Malware using port 8080 for communication.
      • Lateral Movement: Traffic between internal systems.
      • Data Exfiltration: Large amounts of outbound traffic.
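The three traffic patterns above, turned into detections over flow records, as an added example that is not from the page or from Zeek: the script parses constructed rows using a subset of Zeek conn.log columns, flags beaconing (an internal host contacting the same external host and port at suspiciously regular intervals), bulk outbound transfer, and outbound connections to unexpected ports. The timestamps, hosts and byte counts are invented, and the internal ranges are the RFC 1918 blocks (Python's `is_private` is deliberately not used because it also treats the documentation ranges used here as private).

```python
"""Flow-level detections over constructed Zeek-style conn records (added example):
beaconing, bulk outbound transfer, and traffic to unexpected ports."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASE_TS = 1718150400.0   # 2024-06-12T00:00:00Z, constructed

# Constructed rows using a subset of Zeek conn.log columns (tab-separated).
COLUMNS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto", "orig_bytes", "resp_bytes"]
ROWS = (
    # 10.0.0.23 calling back to 203.0.113.50:443 roughly every 60 s (beacon)
    [(BASE_TS + o, "10.0.0.23", "203.0.113.50", 443, "tcp", 312, 1024)
     for o in (0, 60, 121, 179, 241, 300, 359, 421, 480, 539)]
    # 10.0.0.25 browsing normally: irregular gaps, modest byte counts
    + [(BASE_TS + o, "10.0.0.25", "93.184.216.34", 443, "tcp", 2100, 48000)
       for o in (10, 15, 215, 227, 1127, 1167)]
    + [(BASE_TS + 400, "10.0.0.24", "198.51.100.7", 443, "tcp", 80_000_000, 4096),  # 80 MB out
       (BASE_TS + 700, "10.0.0.25", "198.51.100.9", 8080, "tcp", 900, "-"),         # odd port
       (BASE_TS + 50, "10.0.0.23", "10.0.0.5", 445, "tcp", 7000, 9000)]              # internal SMB
)
SAMPLE_CONN_LOG = "\t".join(COLUMNS) + "\n" + "\n".join(
    "\t".join(str(v) for v in row) for row in ROWS)


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def zeek_int(value):
    """Zeek writes '-' for unset counters."""
    return 0 if value == "-" else int(float(value))


def parse_conn_log(text):
    """Parse a header row plus records; lines starting with '#' are skipped."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    header = lines[0].split("\t")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        flows.append({"ts": float(rec["ts"]), "orig": rec["id.orig_h"], "resp": rec["id.resp_h"],
                      "resp_port": int(rec["id.resp_p"]), "proto": rec["proto"],
                      "orig_bytes": zeek_int(rec["orig_bytes"]),
                      "resp_bytes": zeek_int(rec["resp_bytes"])})
    return flows


def outbound(flows):
    return [f for f in flows if is_internal(f["orig"]) and not is_internal(f["resp"])]


def detect_beacons(flows, min_connections=6, max_cv=0.15):
    """Flag (orig, resp, port) pairs whose inter-connection gaps are suspiciously regular.
    Coefficient of variation (stdev/mean) near 0 means a fixed timer; humans are noisy."""
    groups = defaultdict(list)
    for f in outbound(flows):
        groups[(f["orig"], f["resp"], f["resp_port"])].append(f["ts"])
    beacons = []
    for (orig, resp, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons.append({"orig": orig, "resp": resp, "port": port,
                            "count": len(times), "interval_s": round(mean), "cv": round(cv, 3)})
    return beacons


def detect_exfiltration(flows, threshold_bytes=50_000_000):
    """Total bytes sent by each internal host to external hosts; flag the heavy senders."""
    totals = defaultdict(int)
    for f in outbound(flows):
        totals[f["orig"]] += f["orig_bytes"]
    return {host: total for host, total in totals.items() if total >= threshold_bytes}


def detect_unusual_ports(flows, allowed=(53, 80, 443)):
    """Outbound connections to destination ports outside the sanctioned list."""
    return sorted({(f["orig"], f["resp"], f["resp_port"])
                   for f in outbound(flows) if f["resp_port"] not in allowed})


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    print("beacons:", detect_beacons(flows))
    print("exfil:", detect_exfiltration(flows))
    print("unusual ports:", detect_unusual_ports(flows))
```

Real malware adds jitter to its sleep timer, so the `max_cv` threshold is a tuning knob rather than a constant, and update checkers and monitoring agents also beacon, which is why the output is a hunting lead rather than an alert on its own.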
Summary
  1. Indicators of Compromise (IoCs) help detect malicious activity (file hashes, IPs, abnormal behavior).
  2. Threat Intelligence provides contextual data about threats to help identify attack patterns.
  3. Threat Analysis Techniques include:
  • Static Analysis: Analyze files without execution.
  • Dynamic Analysis: Observe malware behavior in sandboxes.
  • Behavioral Analysis: Monitor system activity.
  • Packet Analysis: Analyze network traffic for anomalies.

3. Threat Hunting

What is Threat Hunting?

Threat Hunting is a proactive and iterative process of searching for threats or malicious activities within an organization’s systems, networks, or endpoints that may have bypassed existing security controls.

  • Goal: Identify and stop ongoing or undetected threats.
  • Why It Matters: Not all threats trigger automated alerts. Advanced attackers use stealthy techniques to evade detection, and threat hunting aims to uncover these hidden activities.

3.1 Proactive Threat Hunting

Definition

Proactive Threat Hunting involves actively searching for threats without waiting for automated alerts. It is driven by:

  • Hypotheses
  • Threat intelligence
  • Data analysis
Methodologies of Threat Hunting
1. Hypothesis-Driven Hunting
  • Definition: Start with a hypothesis based on known attacker behaviors, threat intelligence, or prior incidents.

  • Steps:

    1. Develop a hypothesis: "Attackers may use PowerShell for lateral movement."
    2. Investigate logs or data sources for PowerShell activity.
    3. Confirm or reject the hypothesis.
  • Example:

    • Hypothesis: "An attacker compromised an endpoint and used it for unauthorized file transfers."
    • Investigation:
      • Analyze logs for unusual outbound traffic.
      • Look for large file transfers to external IPs at odd hours.
    • Tools: SIEM (e.g., Splunk) and network monitoring tools (e.g., Wireshark).
2. Data-Driven Hunting
  • Definition: Start by analyzing logs, traffic flows, and endpoint data to identify anomalies without a specific hypothesis.

  • Steps:

    1. Collect large amounts of security data.
    2. Use statistical analysis or machine learning to identify anomalies.
    3. Investigate suspicious findings.
  • Example:

    • Use a SIEM to analyze logs for user login patterns.
    • Identify if any accounts logged in from unusual IP addresses or outside working hours.
Tools for Threat Hunting
  1. SIEM Dashboards:
  • Use SIEM tools like Splunk, IBM QRadar, or Elastic Stack to aggregate and analyze logs.
  • Query logs to look for anomalies.
  2. EDR Platforms:
  • CrowdStrike Falcon and SentinelOne provide real-time endpoint data (e.g., running processes, file changes).
  3. Memory Analysis Tools:
  • Tools like Volatility help analyze system memory to detect in-memory malware.
  4. Threat Intelligence Platforms:
  • Threat intelligence feeds provide IoCs to support hunting activities.
  • Example: Look for IP addresses or file hashes provided by threat feeds in your environment.
Practical Example: Threat Hunting Workflow
  1. Hypothesis:
  • "An attacker may be using PowerShell scripts for lateral movement."
  2. Data Collection:
  • Collect PowerShell execution logs (e.g., the Microsoft-Windows-PowerShell/Operational log); script block logging must be enabled for event 4104 to be written at all.
  3. Analysis:
  • Use a SIEM to filter for suspicious PowerShell commands. Event 4104 carries the script text in the ScriptBlockText field (there is no CommandLine field on this event), so a Splunk search, assuming the Windows add-on's field extraction, looks like:

    EventCode=4104 ScriptBlockText="*Invoke-Command*"
    
  4. Results:
  • Identify systems where PowerShell was used to run commands remotely.
  • Investigate further for unauthorized lateral movement, bearing in mind that administrators use Invoke-Command legitimately; the signal is who ran it, from where, and against how many hosts.

3.2 Threat Hunting Techniques

Threat hunters use specific techniques to identify threats. Here are three common methods:

1. Anomaly Detection

Definition: Identify unusual patterns or activities compared to baseline behaviors.

  • Steps:
    1. Define normal activity (baseline) for a system, user, or network.
    2. Look for deviations from the baseline.
  • Examples:
    • A user logging in at midnight when they normally work from 9 a.m. to 5 p.m.
    • A sudden increase in CPU usage on a server hosting a single application.
  • Tools:
    • SIEM dashboards to visualize activity.
    • Statistical analysis to measure deviations.
2. TTP Mapping

Definition: Map threats to known attacker Tactics, Techniques, and Procedures (TTPs) using the MITRE ATT&CK Framework.

  • Steps:
    1. Use threat intelligence or incident reports to identify the techniques attackers commonly use.
    2. Map observed activity in your environment to known techniques.
  • Example:
    • ATT&CK Technique: T1078 - Valid Accounts (using stolen credentials).
    • Look for:
      • Multiple failed logins followed by a successful login.
      • Logins from unusual geographic locations.
  • Tools: MITRE ATT&CK Navigator, SIEM tools.
3. Use of Threat Intelligence Platforms (TIPs)

Definition: Use threat intelligence feeds to identify IoCs and hunt for threats.

  • Steps:
    1. Import threat feeds (IP addresses, domains, hashes) into tools like MISP or AlienVault OTX.
    2. Search your environment for matches.
  • Example:
    • A feed reports that 192.0.2.10 is a known command-and-control server.
    • Check firewall and network logs for traffic to this IP address.
Practical Workflow for Threat Hunting
  1. Preparation:
  • Gather tools, threat intelligence, and logs.
  2. Hypothesis or Data-Driven Search:
  • Form a hypothesis or analyze data for anomalies.
  3. Investigation:
  • Analyze endpoints, network traffic, and user activity.
  4. Correlation:
  • Map findings to MITRE ATT&CK TTPs.
  5. Response:
  • Isolate affected systems, block malicious traffic, or reset compromised credentials.
  6. Documentation:
  • Record findings, methods used, and lessons learned.
Example Scenario: Hunting for Lateral Movement

Objective: Identify unauthorized lateral movement across systems.
Steps:

  1. Hypothesis: "An attacker may have compromised one system and moved to others using SMB (Server Message Block)."

  2. Data Collection: Gather Windows Security logs from the servers and network traffic data.

  3. Indicators:

  • Log entries showing failed authentication attempts (4625) followed by successes (4624).
  • Unusual use of tools like PsExec or PowerShell for remote execution (PsExec leaves a service-installation event, 7045, in the target's System log).
  4. Analysis:
  • Use tools like Splunk to filter for network logons (type 3), which is what SMB access generates:

    EventCode=4624 Logon_Type=3
    
  • On its own this returns every file-share access in the environment. Narrow it by account and count the distinct ComputerName values each account reached within a short window, and exclude machine accounts (names ending in $), which legitimately authenticate everywhere.
  • Analyze SMB traffic in Wireshark for suspicious connections (e.g., one workstation opening ADMIN$ or C$ shares on many hosts).

  5. Response:
  • Isolate the compromised system (network containment through the EDR or a quarantine VLAN) rather than powering it off, so volatile evidence is preserved.
  • Investigate all systems accessed from the source machine and reset the credentials it used.
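The lateral-movement hunt above and the PowerShell hunt in 3.1, carried out over constructed Windows events as an added example (not from the page or any SIEM): the script looks for one account fanning out across several hosts with type 3 logons inside a short window, skipping machine accounts, and flags 4104 script blocks that show remoting or obfuscation, decoding `-EncodedCommand` payloads on the way. The field names follow what a SIEM typically exposes for events 4624 and 4104 (an assumption); the hosts, users, times and script blocks are invented, and the encoded command is generated in the block so it runs offline.

```python
"""Hunt for lateral movement in constructed Windows Security and PowerShell events
(added example). Field names follow what a SIEM typically exposes for event IDs
4624 and 4104; the hosts, users and script blocks are invented."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    base = datetime(2024, 6, 12, 2, 0, 0)
    # PowerShell -EncodedCommand takes base64 of UTF-16LE text; built here so the
    # sample is self-contained rather than pasted from a real incident.
    encoded = base64.b64encode("whoami /all".encode("utf-16le")).decode()
    events = []
    # One workstation user logging on (type 3 = network) to four servers in minutes
    for i, host in enumerate(["FS01", "FS02", "DC01", "APP01"]):
        events.append({"EventID": 4624, "TimeCreated": base + timedelta(minutes=2 * i),
                       "Computer": host, "TargetUserName": "jsmith", "LogonType": 3,
                       "IpAddress": "10.0.0.23"})
    # Routine noise: a machine account and a normal user hitting one file server
    events += [
        {"EventID": 4624, "TimeCreated": base + timedelta(minutes=1), "Computer": "DC01",
         "TargetUserName": "WS023$", "LogonType": 3, "IpAddress": "10.0.0.23"},
        {"EventID": 4624, "TimeCreated": base + timedelta(minutes=3), "Computer": "FS01",
         "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.40"},
        # Script block logging (4104) from two of the touched servers
        {"EventID": 4104, "TimeCreated": base + timedelta(minutes=2, seconds=30), "Computer": "FS02",
         "ScriptBlockText": "Invoke-Command -ComputerName DC01 -ScriptBlock { Get-Process }"},
        {"EventID": 4104, "TimeCreated": base + timedelta(minutes=5), "Computer": "FS02",
         "ScriptBlockText": f"powershell.exe -NoP -W Hidden -EncodedCommand {encoded}"},
        {"EventID": 4104, "TimeCreated": base + timedelta(minutes=7), "Computer": "APP01",
         "ScriptBlockText": "Get-ChildItem C:\\Logs | Measure-Object"},
    ]
    return events


def detect_logon_fanout(events, min_hosts=3, window=timedelta(minutes=15), ignore=()):
    """One account, one source IP, network logons to >= min_hosts distinct
    computers inside `window`. Machine accounts (name$) are skipped because
    they legitimately authenticate everywhere."""
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        user = e["TargetUserName"]
        if user.endswith("$") or user in ignore:
            continue
        by_key[(user, e["IpAddress"])].append((e["TimeCreated"], e["Computer"]))
    findings = []
    for (user, ip), logons in by_key.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for ts, host in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "source": ip, "hosts": sorted(hosts)})
                break
    return findings


SUSPICIOUS = re.compile(
    r"Invoke-Command|Enter-PSSession|-EncodedCommand|-enc\b|DownloadString|Invoke-Expression|\bIEX\b",
    re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(text):
    """Recover the plaintext behind -EncodedCommand; None if absent or malformed."""
    match = ENCODED_ARG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_script_blocks(events):
    """Flag 4104 script blocks showing remoting or obfuscation, decoding as we go."""
    findings = []
    for e in events:
        if e["EventID"] != 4104:
            continue
        text = e["ScriptBlockText"]
        match = SUSPICIOUS.search(text)
        if match:
            findings.append({"host": e["Computer"], "match": match.group(0),
                             "decoded": decode_encoded_command(text), "text": text})
    return findings


if __name__ == "__main__":
    evts = build_sample_events()
    print("fan-out:", detect_logon_fanout(evts))
    for f in hunt_script_blocks(evts):
        print("script block:", f["host"], f["match"], f["decoded"])
```

The `ignore` parameter exists for backup and monitoring service accounts that really do log on everywhere; populate it from the environment's known service accounts before trusting the fan-out output, and feed the flagged hosts back into the network-flow view to confirm SMB or WinRM connections between them.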
Summary of Threat Hunting
  1. Proactive Threat Hunting:
  • Combines hypothesis-driven and data-driven approaches to detect hidden threats.
  2. Techniques:
  • Anomaly Detection: Identify deviations from baselines.
  • TTP Mapping: Use the MITRE ATT&CK framework to understand attacker behaviors.
  • Threat Intelligence: Leverage feeds to identify IoCs in logs.
  3. Tools:
  • SIEM dashboards, EDR platforms, and TIPs (e.g., MISP, AlienVault).

4. Tools and Technologies

4.1 Security Tools

1. Network-Based Tools

Network-based tools focus on monitoring and securing network traffic. These tools help detect malicious activities like intrusions, data exfiltration, or denial-of-service attacks.

1. Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)
  • Definition:
    • IDS: Detects malicious activities and generates alerts.
    • IPS: Takes additional action to block the malicious activity.
  • How They Work:
    • Signature-Based Detection: Looks for known attack signatures (e.g., a malware hash or exploit pattern).
    • Behavior-Based Detection: Identifies anomalies compared to baseline behavior.
Tool        | Description                                                                                                          | Use Case
Snort       | Open-source IDS/IPS that analyzes packet traffic against rules.                                                     | Detecting port scans, DDoS attacks.
Suricata    | High-performance IDS/IPS with multi-threading.                                                                      | Handling high-bandwidth networks.
Zeek (Bro)  | Network security monitor that produces rich protocol logs rather than signature alerts (detection, not inline blocking). | Identifying unusual traffic flows.
  • Practical Example:
    • If a user scans multiple ports on the network, Snort detects this as a port scan and generates an alert.
2. Packet Analyzers

Packet analyzers capture and inspect network packets for suspicious activities.

Tool       | Description                                              | Use Case
Wireshark  | Open-source tool for analyzing captured network packets. | Identifying unauthorized traffic.
tcpdump    | Command-line packet sniffer.                             | Capturing packets for analysis.
  • Practical Example:
    • Use Wireshark to analyze outgoing traffic. If you see communication with a malicious IP address, it could indicate data exfiltration.
3. NetFlow Analysis Tools

NetFlow tools analyze network flow data to detect anomalies and suspicious patterns.

Tool                                 | Description                                 | Use Case
SolarWinds NetFlow Traffic Analyzer  | Monitors and visualizes network flow data.  | Identifying traffic anomalies.
Plixer Scrutinizer                   | Provides flow analysis and reporting.       | Detecting large file transfers.
  • Practical Example:
    • Use NetFlow tools to detect unexpected spikes in network traffic, which may indicate a DDoS attack or data exfiltration.
2. Endpoint Tools

Endpoint tools focus on securing devices like servers, desktops, laptops, and mobile devices. They detect and respond to threats targeting endpoints.

1. Endpoint Detection and Response (EDR)
  • Definition: EDR tools continuously monitor endpoints to detect malicious activity and provide response capabilities.
  • Features:
    • Monitors processes, file changes, and user activity.
    • Detects malware, ransomware, and suspicious behaviors.
    • Provides investigation and remediation tools.
| Tool | Description | Use Case |
| --- | --- | --- |
| CrowdStrike Falcon | Cloud-based EDR for real-time monitoring. | Detecting malware execution. |
| SentinelOne | AI-driven endpoint security and response platform. | Blocking ransomware attacks. |
| Microsoft Defender | Built-in EDR for Windows systems. | Monitoring Windows endpoints. |
  • Practical Example:
    • If ransomware attempts to encrypt files on a laptop, CrowdStrike Falcon detects and blocks the process before it spreads.
2. Antivirus and Anti-Malware Tools
  • These tools scan files, processes, and system memory for malicious code.
| Tool | Description | Use Case |
| --- | --- | --- |
| Malwarebytes | Anti-malware software for real-time protection. | Detecting and removing malware. |
| Kaspersky Endpoint | Antivirus tool with behavioral analysis. | Blocking viruses and spyware. |
3. Automation and Orchestration Tools

Security Orchestration, Automation, and Response (SOAR) tools automate repetitive tasks, integrate security tools, and orchestrate incident response workflows.

| Tool | Description | Use Case |
| --- | --- | --- |
| Palo Alto Cortex XSOAR | SOAR platform for automated incident response. | Automating phishing incident response. |
| Splunk SOAR (formerly Phantom) | Integrates SIEM and tools for security automation. | Automating alert triage. |
  • Practical Example:
    • A SOAR tool automatically blocks an IP address at the firewall when a malicious IP is detected by the SIEM system.
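The "block the IP at the firewall" playbook above, as an added example that is not Cortex XSOAR, Splunk SOAR or any vendor's code. The threat-intel feed, the SIEM alerts and the `Firewall` class are constructed stand-ins for the real integrations; the two guardrails (never auto-block internal ranges, only act on high-confidence indicators) and the idempotency check are the parts a SOC would insist on before letting a playbook act without a human.

```python
"""Added example: a minimal SOAR playbook that enriches a SIEM alert against
threat intel and pushes a firewall deny rule, with guardrails."""
import ipaddress
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence and context.
THREAT_INTEL = {
    "203.0.113.45": {"confidence": "high", "context": "constructed C2 indicator"},
    "198.51.100.77": {"confidence": "medium", "context": "constructed scanner indicator"},
}

# Constructed policy: ranges the playbook must never block on its own.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Firewall:
    """Stand-in for the vendor API the SOAR platform would call."""
    deny_rules: list = field(default_factory=list)

    def has_rule(self, ip):
        return any(rule["src"] == ip for rule in self.deny_rules)

    def block(self, ip, comment):
        rule = {"action": "deny", "src": ip, "comment": comment}
        self.deny_rules.append(rule)
        return rule

def run_playbook(alert, firewall, intel=THREAT_INTEL, protected=PROTECTED):
    """Decide and act on one SIEM alert; return a decision record for the case notes."""
    ip = ipaddress.ip_address(alert["src_ip"])
    decision = {"alert_id": alert["id"], "ip": str(ip)}
    # Guardrail 1: internal ranges are never blocked automatically; an analyst looks first.
    if any(ip in net for net in protected):
        return {**decision, "action": "escalate", "reason": "protected address range"}
    hit = intel.get(str(ip))
    # No intel match: leave the alert in the triage queue rather than block on suspicion.
    if hit is None:
        return {**decision, "action": "triage", "reason": "no threat-intel match"}
    # Guardrail 2: only high-confidence indicators are blocked without a human.
    if hit["confidence"] != "high":
        return {**decision, "action": "escalate", "reason": hit["context"]}
    # Idempotent: a repeat alert for the same IP must not stack duplicate rules.
    if firewall.has_rule(str(ip)):
        return {**decision, "action": "already_blocked", "reason": hit["context"]}
    rule = firewall.block(str(ip), f"SOAR auto-block alert {alert['id']}: {hit['context']}")
    return {**decision, "action": "block", "reason": hit["context"], "rule": rule}

def run_all(alerts, firewall):
    return [run_playbook(alert, firewall) for alert in alerts]

# Constructed SIEM alerts, in arrival order.
ALERTS = [
    {"id": "A-1", "src_ip": "203.0.113.45", "rule": "beacon-like outbound traffic"},
    {"id": "A-2", "src_ip": "10.20.30.40", "rule": "beacon-like outbound traffic"},
    {"id": "A-3", "src_ip": "198.51.100.77", "rule": "port sweep"},
    {"id": "A-4", "src_ip": "203.0.113.45", "rule": "beacon-like outbound traffic"},
    {"id": "A-5", "src_ip": "192.0.2.9", "rule": "port sweep"},
]

if __name__ == "__main__":
    fw = Firewall()
    for decision in run_all(ALERTS, fw):
        print(decision["alert_id"], decision["action"], decision["reason"])
    print(fw.deny_rules)
```

Every branch returns a decision record rather than silently doing nothing, so the SOAR case timeline shows why an alert was blocked, escalated or left for triage.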

4.2 Security Frameworks

Security frameworks provide guidelines and best practices for implementing and managing cybersecurity processes. Organizations use these frameworks to ensure security controls are effective and aligned with industry standards.

1. MITRE ATT&CK
  • Description: A knowledge base of adversary Tactics, Techniques, and Procedures (TTPs) used in cyberattacks.

  • Key Components:

    • Tactics: Adversary goals (e.g., initial access, privilege escalation).
    • Techniques: How attackers achieve these goals (e.g., phishing, PowerShell execution).
    • Procedures: Specific implementation examples of techniques.
  • Practical Use:

    • Security teams map observed activities to MITRE ATT&CK to identify attack patterns and missing defenses.
2. NIST Cybersecurity Framework
  • Description: A risk-based framework for managing and improving cybersecurity posture.

  • Core Components:

    • Identify: Understand risks, assets, and vulnerabilities.
    • Protect: Implement controls to prevent incidents.
    • Detect: Monitor for security events.
    • Respond: Develop incident response processes.
    • Recover: Plan for system recovery after incidents.
  • Practical Use:

    • Align an organization’s security strategy to NIST’s five functions for a comprehensive approach.
3. CIS Controls
  • Description: A prioritized set of 18 security controls to improve cybersecurity hygiene.

  • Examples of Controls:

    • Inventory and Control of Hardware/Software: Maintain an inventory of assets.
    • Secure Configuration of Systems: Apply secure system settings.
    • Continuous Vulnerability Management: Identify and fix vulnerabilities.
  • Practical Use:

    • Use CIS Controls as a baseline to harden systems and prevent common threats.
Summary of Tools and Technologies
  1. Network-Based Tools: IDS/IPS (Snort, Suricata), packet analyzers (Wireshark), and NetFlow tools for network monitoring.
  2. Endpoint Tools: EDR solutions (CrowdStrike, SentinelOne) and antivirus tools to protect devices.
  3. Automation Tools: SOAR platforms automate repetitive tasks and incident response workflows.
  4. Security Frameworks:
  • MITRE ATT&CK: Maps attacker behaviors to techniques.
  • NIST Framework: Comprehensive cybersecurity strategy.
  • CIS Controls: Practical controls for improving system security.

Security Operations (Additional Content)

1. Offensive and Defensive Case Analysis

APT Attack Chain and Log Tracing

Advanced Persistent Threats (APTs) involve multi-stage, long-duration attacks often using stealthy techniques. Understanding how to trace an APT through logs is a core skill for security analysts.

Typical APT Stages (Based on MITRE ATT&CK Framework):
  1. Initial Access – Phishing, drive-by downloads, etc.

  2. Execution – Running malicious code on victim systems.

  3. Persistence – Registry modifications, scheduled tasks.

  4. Privilege Escalation – Token manipulation, kernel exploits.

  5. Lateral Movement – Pass-the-Hash, Remote Desktop Protocol (RDP) usage.

  6. Data Collection and Exfiltration – ZIP files sent to external IPs.

Log Tracing Example:
  • Email logs show phishing delivery.

  • EDR logs capture suspicious PowerShell execution.

  • Windows Event Logs (4624, 4688) show abnormal logins and process creation.

  • Firewall logs reveal traffic to suspicious external IPs (data exfiltration).

Learning how to correlate events across these logs helps detect each step in the kill chain.
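The correlation described above (e-mail, EDR, Windows 4624/4688 and firewall logs stitched into one chain) and the "map observed activity to MITRE ATT&CK" practice from the frameworks section, as one added example that is not part of the study guide. The log lines, hostnames, users and addresses are constructed, as are the thresholds; the tactic IDs are the ATT&CK Enterprise ones.

```python
"""Added example: correlate e-mail, EDR, Windows and firewall events into an
ATT&CK-ordered kill chain, following lateral movement from host to host."""
import shlex

# Constructed log lines in one simple shape: "<timestamp> <source> key=value ...".
LOG_LINES = [
    "2024-05-01T09:00:00 email host=WS-17 user=alice attachment=invoice.docm verdict=delivered",
    "2024-05-01T09:03:10 edr host=WS-17 user=alice process=powershell.exe parent=winword.exe",
    "2024-05-01T09:04:00 windows host=WS-17 user=alice event_id=4688 process=schtasks.exe",
    "2024-05-01T09:20:00 windows host=FS-01 user=alice event_id=4624 logon_type=3 src_host=WS-17",
    "2024-05-01T09:40:00 windows host=FS-01 user=alice event_id=4688 process=7z.exe",
    "2024-05-01T09:45:00 firewall host=FS-01 dst_ip=198.51.100.9 dst_port=443 bytes_out=734003200 action=allow",
    "2024-05-01T09:50:00 windows host=WS-22 user=bob event_id=4624 logon_type=2",  # unrelated noise
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe"}
EXFIL_BYTES = 100_000_000  # constructed threshold for one outbound session

def parse(line):
    """Turn one log line into a dict; shlex keeps quoted values intact."""
    ts, source, *pairs = shlex.split(line)
    event = {"ts": ts, "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def classify(ev):
    """Map an event to (tactic_id, tactic_name), or None if it is not interesting."""
    src, eid = ev["source"], ev.get("event_id")
    if src == "email" and ev.get("attachment", "").endswith((".docm", ".xlsm", ".js")):
        return ("TA0001", "Initial Access")
    if src == "edr" and ev.get("process") == "powershell.exe" and ev.get("parent") in OFFICE_APPS:
        return ("TA0002", "Execution")       # Office application spawning PowerShell
    if src == "windows" and eid == "4688" and ev.get("process") == "schtasks.exe":
        return ("TA0003", "Persistence")     # scheduled task created
    if src == "windows" and eid == "4624" and ev.get("logon_type") == "3" and "src_host" in ev:
        return ("TA0008", "Lateral Movement")  # network logon from another host
    if src == "windows" and eid == "4688" and ev.get("process") in ARCHIVERS:
        return ("TA0009", "Collection")      # archiving files before exfiltration
    if src == "firewall" and ev.get("action") == "allow" and int(ev.get("bytes_out", 0)) > EXFIL_BYTES:
        return ("TA0010", "Exfiltration")
    return None

def build_kill_chain(lines, seed_host):
    """Follow the incident outward from seed_host. Events on in-scope hosts are
    kept, and a network logon from an in-scope host pulls its target into scope."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    in_scope = {seed_host}
    chain = []
    for ev in events:
        tactic = classify(ev)
        if tactic is None:
            continue
        if tactic[0] == "TA0008" and ev["src_host"] in in_scope:
            in_scope.add(ev["host"])
        if ev["host"] in in_scope:
            chain.append({"ts": ev["ts"], "host": ev["host"], "source": ev["source"],
                          "tactic": tactic[0], "name": tactic[1]})
    return chain

if __name__ == "__main__":
    for step in build_kill_chain(LOG_LINES, "WS-17"):
        print(f'{step["ts"]} {step["host"]:6} {step["source"]:8} {step["tactic"]} {step["name"]}')
```

Seeding the search with the phished workstation and expanding scope only through observed logons is what keeps unrelated hosts (WS-22 above) out of the timeline; the same walk run from WS-22 returns an empty chain.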

Ransomware Lateral Movement Analysis

Modern ransomware campaigns often move laterally before detonating payloads.

Key Indicators in Logs:
  • SMB traffic from infected host to others (port 445).

  • Unauthorized use of credentials (Event ID 4624 with logon type 3).

  • Suspicious use of psexec or remote WMI commands.

  • Rapid file modifications or encryption patterns.

Practicing these case analyses using SIEM tools (e.g., Splunk, QRadar) builds detection and investigation capabilities.
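The four indicators listed above, turned into scoring logic over constructed connection, logon, process and file-activity records. This is an added example, not SIEM content from Splunk or QRadar; hostnames, users and every threshold are constructed, and the fixed-bucket counting is deliberately simple so the rules are easy to read in a SIEM query later.

```python
"""Added example: score hosts against the ransomware lateral-movement indicators
(SMB fan-out, network-logon fan-out, remote-execution tools, file-write bursts)."""
from collections import defaultdict

def _fanout(records, window, threshold):
    """For (ts, key, target) records, return {key: distinct targets} for keys whose
    distinct targets inside one fixed `window`-second bucket exceed `threshold`."""
    buckets = defaultdict(set)
    for ts, key, target in records:
        buckets[(key, int(ts // window))].add(target)
    hits = {}
    for (key, _bucket), targets in buckets.items():
        if len(targets) > threshold:
            hits[key] = max(hits.get(key, 0), len(targets))
    return hits

def smb_fanout(conns, window=120, threshold=10):
    """conns: (ts, src_host, dst_host, dst_port). One host opening SMB (445) to many peers."""
    return _fanout([(ts, src, dst) for ts, src, dst, port in conns if port == 445], window, threshold)

def logon_fanout(logons, window=600, threshold=5):
    """logons: (ts, target_host, user, event_id, logon_type, src_host).
    One account producing 4624 type-3 (network) logons on many hosts."""
    return _fanout([(ts, f"{user}@{src}", target)
                    for ts, target, user, eid, ltype, src in logons
                    if eid == 4624 and ltype == 3], window, threshold)

REMOTE_EXEC_TOOLS = {"psexec.exe", "psexesvc.exe", "paexec.exe", "wmic.exe"}

def remote_exec(procs):
    """procs: (ts, host, process). Hosts where a remote-execution tool ran."""
    return {host for _ts, host, proc in procs if proc.lower() in REMOTE_EXEC_TOOLS}

def file_burst(file_ops, window=60, threshold=100):
    """file_ops: (ts, host, path, op). Hosts touching more than `threshold`
    distinct files with writes or renames in one window."""
    return _fanout([(ts, host, path) for ts, host, path, op in file_ops
                    if op in {"write", "rename"}], window, threshold)

def score_hosts(conns, logons, procs, file_ops):
    """Collect every indicator per host; two or more on one host is worth paging on."""
    indicators = defaultdict(set)
    for host in smb_fanout(conns):
        indicators[host].add("smb_fanout")
    for key in logon_fanout(logons):
        indicators[key.split("@", 1)[1]].add("logon_fanout")   # attribute to the source host
    for host in remote_exec(procs):
        indicators[host].add("remote_exec")
    for host in file_burst(file_ops):
        indicators[host].add("file_burst")
    return {host: sorted(found) for host, found in indicators.items()}

# Constructed records: WS-09 is the infected workstation, FS-02 the file server it reaches.
CONNS = [(t * 2, "WS-09", f"WS-{10 + t:02d}", 445) for t in range(15)] \
      + [(5, "WS-03", "FS-02", 445), (9, "WS-03", "FS-02", 445)]
LOGONS = [(100 + i * 20, f"WS-{10 + i:02d}", "bob", 4624, 3, "WS-09") for i in range(6)] \
       + [(150, "FS-02", "alice", 4624, 2, "")]
PROCS = [(400, "FS-02", "PSEXESVC.exe"), (401, "WS-03", "outlook.exe")]
FILES = [(500 + i * 0.2, "FS-02", f"share/doc{i}.docx", "rename") for i in range(150)] \
      + [(500, "WS-03", "notes.txt", "write")]

if __name__ == "__main__":
    for host, found in score_hosts(CONNS, LOGONS, PROCS, FILES).items():
        print(host, found)
```

Each indicator alone has benign explanations (backup jobs write many files, admins use remote tools), so the useful output is the combination per host rather than any single rule firing.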

2. Log Retention Policies and Compliance Requirements

Why Log Retention Matters

Security logs are critical for:

  • Incident investigations

  • Forensics

  • Compliance audits

If logs are purged too early, crucial evidence may be lost.

Typical Retention Periods

  • 90 Days: Minimum for detection and initial investigation.

  • 180 Days to 1 Year: Common for compliance and internal audits.

  • 7 Years or more: Required in some regulated industries.

Compliance Examples:

| Standard | Retention Requirement |
| --- | --- |
| PCI DSS | Retain audit logs for at least 1 year, with 3 months immediately available. |
| HIPAA | 6 years for policies and procedures (not logs specifically, but systems handling PHI must be auditable). |
| NIST 800-92 | Recommends logs be retained long enough for forensics, legal, and compliance purposes. |

Best Practices:

  • Use centralized log management (e.g., SIEM).

  • Classify logs by criticality (firewall, auth logs, endpoint activity).

  • Use secure storage (WORM disks, encrypted archives).

  • Implement access control and tamper detection.
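The retention tiers and the tamper-detection best practice above, as an added example that is not part of the study guide. The retention policy, the 90-day "hot" window and the log lines are constructed; the hash chain is a plain software technique for making an archive tamper-evident, not a substitute for WORM storage.

```python
"""Added example: a retention decision helper plus a hash-chained log archive
whose verification reports the first altered or missing record."""
import hashlib
from datetime import date

# Constructed policy: retention in days per log class, after the tiers discussed above.
RETENTION_DAYS = {"firewall": 365, "auth": 365, "endpoint": 180, "debug": 90}
HOT_DAYS = 90  # most recent three months kept immediately searchable (PCI DSS style)

def retention_action(log_class, written_on, today, legal_hold=False):
    """Return 'hot', 'archive' or 'purge' for one log file as of `today`."""
    age = (today - written_on).days
    if age < HOT_DAYS:
        return "hot"
    if legal_hold or age < RETENTION_DAYS[log_class]:
        return "archive"          # a legal hold always overrides the purge date
    return "purge"

GENESIS = "0" * 64               # previous-hash value for the first record

def _digest(previous, line):
    return hashlib.sha256(previous.encode() + b"\n" + line.encode()).hexdigest()

def seal(lines, previous=GENESIS):
    """Hash-chain log lines: each record's digest covers the line and the previous digest,
    so editing, deleting or reordering any record breaks every digest after it."""
    chain = []
    for line in lines:
        digest = _digest(previous, line)
        chain.append({"line": line, "prev": previous, "hash": digest})
        previous = digest
    return chain

def verify(chain, genesis=GENESIS):
    """Return the index of the first record that fails verification, or None if intact."""
    previous = genesis
    for index, record in enumerate(chain):
        if record["prev"] != previous or record["hash"] != _digest(previous, record["line"]):
            return index
        previous = record["hash"]
    return None

# Constructed archive content.
LINES = [
    "2024-01-05T10:00:00Z auth user=alice src=10.0.0.5 result=success",
    "2024-01-05T10:02:11Z auth user=bob src=10.0.0.9 result=failure",
    "2024-01-05T10:02:14Z auth user=bob src=10.0.0.9 result=success",
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for cls in RETENTION_DAYS:
        print(cls, retention_action(cls, date(2024, 1, 5), today))
    archive = seal(LINES)
    print("intact:", verify(archive))
    archive[1]["line"] = archive[1]["line"].replace("failure", "success")
    print("after edit, first bad record:", verify(archive))
```

The chain head (the last record's hash) is what you store somewhere the log pipeline cannot write, such as a separate account or a ticket; anyone with write access to the archive alone can recompute the whole chain.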

3. Security Incident Lifecycle (NIST-Based)

The NIST SP 800-61 Rev.2 defines a widely used 5-phase incident response lifecycle:

  1. Preparation:
  • Tools, policies, response teams, runbooks.

  • Training and simulation exercises.

  2. Detection & Analysis:
  • Identifying indicators of compromise (IoCs).

  • Log review, correlation, threat intelligence usage.

  3. Containment, Eradication & Recovery:
  • Containment: Stop the spread (quarantine systems, block IPs).

  • Eradication: Remove malware, fix vulnerabilities.

  • Recovery: Restore operations, monitor for reinfection.

  4. Post-Incident Activity (Lessons Learned):
  • Review what worked and what didn’t.

  • Update IR plans and detection tools.

  • Document findings in a final report.

Understanding this lifecycle is essential for anyone involved in SOC or blue team operations. Exams often test this framework directly.

4. Security Analyst Role Responsibilities (SOC Tiers)

Security Operations Centers (SOCs) are typically divided into tiers to handle alerts based on complexity.

SOC Tier Structure:

| Tier | Role | Responsibilities |
| --- | --- | --- |
| L1 (Tier 1) | Alert Analyst / Triage | Monitor dashboards, respond to alerts, escalate events. Basic log analysis. |
| L2 (Tier 2) | Incident Responder | Perform in-depth investigations, threat hunting, containment actions. Use threat intel. |
| L3 (Tier 3) | Threat Hunter / Forensics | Proactively hunt threats, perform root cause analysis, malware reverse engineering, develop SIEM rules. |

Key Skill Progression:

  • L1: Understanding log types, SIEM dashboards, false positive triage.

  • L2: Using EDR/SIEM correlation, writing detection queries, hands-on containment.

  • L3: Deep packet analysis, writing YARA/Sigma rules, building detection content.

Tools by Role:

  • L1: Splunk, ServiceNow, basic scripting.

  • L2: CrowdStrike, Sysinternals, VirusTotal, threat intel platforms.

  • L3: Zeek, Wireshark, Velociraptor, Volatility, custom scripts.

Understanding these role distinctions helps in both career development and exam readiness.

Summary of Enhanced Topics for Security Operations

| Topic | Value |
| --- | --- |
| APT/Ransomware Case Analysis | Builds practical detection skills through real-world scenarios. |
| Log Retention & Compliance | Prepares for regulatory topics and audit readiness. |
| NIST Incident Lifecycle | Essential framework for structured response. |
| SOC Tiered Roles | Clarifies duties and expected skills for L1–L3 analysts. |

Frequently Asked Questions

A security analyst receives multiple SIEM alerts indicating suspicious login attempts from different geographic regions. What is the most appropriate first step in the alert triage process?

Answer:

Validate whether the alerts represent legitimate activity or false positives.

Explanation:

SOC triage begins with validation of alerts to determine if they represent real security events. Analysts typically review SIEM context such as user account activity, IP reputation, login history, and authentication logs. This prevents escalation of benign alerts such as legitimate VPN access or traveling users. Investigating severity or initiating containment before validation may waste resources and disrupt legitimate services. Alert validation ensures that only confirmed or highly suspicious events proceed to deeper investigation and response processes.

Demand Score: 91

Exam Relevance Score: 88

What security technology primarily aggregates logs from multiple systems and correlates events to identify potential security incidents?

Answer:

Security Information and Event Management (SIEM).

Explanation:

SIEM platforms collect logs from endpoints, servers, network devices, and applications. They normalize the data and apply correlation rules to detect suspicious patterns such as repeated failed logins, privilege escalation attempts, or unusual network behavior. Unlike standalone security tools, SIEM systems centralize monitoring and provide analysts with dashboards, alerts, and investigative capabilities. In SOC environments, SIEM serves as the primary monitoring system that supports detection, investigation, and response activities.

Demand Score: 87

Exam Relevance Score: 92

During log analysis, a security analyst observes numerous outbound connections from a server to an unfamiliar external domain. Which step should the analyst perform first?

Answer:

Verify the domain reputation and analyze associated network traffic.

Explanation:

Unexpected outbound communication often indicates potential command-and-control activity or data exfiltration. The analyst should first determine whether the domain is known malicious by checking threat intelligence feeds, DNS records, and reputation services. Reviewing packet logs, connection frequency, and associated processes helps determine whether the behavior is malicious or related to legitimate services. This verification step helps analysts determine whether escalation to incident response is required.

Demand Score: 84

Exam Relevance Score: 86

Why is log normalization important within a SIEM platform?

Answer:

It standardizes logs from different sources so events can be correlated and analyzed consistently.

Explanation:

Security devices generate logs in different formats. Log normalization converts these varied formats into a consistent structure so correlation engines can compare fields such as timestamps, IP addresses, and event types. Without normalization, SIEM systems cannot reliably detect patterns across multiple devices. For example, failed authentication attempts across a firewall and an identity provider could not be correlated effectively without standardized fields.

Demand Score: 82

Exam Relevance Score: 89

A SOC analyst identifies a repeated pattern of failed login attempts followed by a successful login. What type of attack does this likely indicate?

Answer:

Brute-force authentication attack.

Explanation:

Brute-force attacks involve automated attempts to guess account passwords by repeatedly submitting login requests. In logs, this pattern appears as multiple failed authentication attempts from the same source followed by a successful login. Analysts must determine whether the account is compromised by checking login origin, session activity, and subsequent privilege changes. Immediate actions may include forcing password resets or temporarily disabling the account.

Demand Score: 80

Exam Relevance Score: 85
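The two answers above fit together: normalization is what makes the brute-force pattern visible when the failures are split between a firewall and an identity provider. This added example, which is not part of the study guide or any SIEM product, normalizes two constructed log formats into one schema and then runs a "many failures then a success" rule over the merged stream. Users, addresses, field names and the thresholds are all constructed.

```python
"""Added example: normalize firewall syslog-style lines and IdP JSON events into
one schema, then detect failed-then-successful login sequences across both."""
import json
import re
from datetime import datetime, timedelta

# Constructed firewall VPN-auth lines (text) and IdP events (JSON) for the same users.
FIREWALL_LINES = [
    "2024-05-01T09:00:01Z fw01 vpn-auth: user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:04Z fw01 vpn-auth: user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:00:07Z fw01 vpn-auth: user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:05:00Z fw01 vpn-auth: user=bob src=198.51.100.3 result=FAIL",
    "2024-05-01T09:06:00Z fw01 vpn-auth: unrelated line that does not parse",
]
IDP_EVENTS = [
    '{"time":"2024-05-01T09:00:10Z","actor":"alice","client_ip":"203.0.113.7","outcome":"FAILURE"}',
    '{"time":"2024-05-01T09:00:13Z","actor":"alice","client_ip":"203.0.113.7","outcome":"FAILURE"}',
    '{"time":"2024-05-01T09:00:16Z","actor":"alice","client_ip":"203.0.113.7","outcome":"FAILURE"}',
    '{"time":"2024-05-01T09:00:20Z","actor":"alice","client_ip":"203.0.113.7","outcome":"SUCCESS"}',
    '{"time":"2024-05-01T09:05:30Z","actor":"bob","client_ip":"198.51.100.3","outcome":"SUCCESS"}',
]

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ vpn-auth: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def normalize_firewall(line):
    """Firewall text line -> common schema, or None for lines the pattern does not cover."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["result"] == "FAIL" else "success", "source": "firewall"}

def normalize_idp(raw):
    """IdP JSON event -> the same common schema, with the vendor's field names mapped."""
    e = json.loads(raw)
    return {"ts": _ts(e["time"]), "user": e["actor"], "src_ip": e["client_ip"],
            "outcome": "success" if e["outcome"] == "SUCCESS" else "failure", "source": "idp"}

def detect_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag (src_ip, user) pairs with >= min_failures failures inside `window`
    followed by a success. Works only because every event shares one schema."""
    findings = []
    streaks = {}   # (src_ip, user) -> (first_failure_ts, failure_count, sources)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        if ev["outcome"] == "failure":
            first, count, sources = streaks.get(key, (ev["ts"], 0, set()))
            if ev["ts"] - first > window:          # stale streak: start counting again
                first, count, sources = ev["ts"], 0, set()
            streaks[key] = (first, count + 1, sources | {ev["source"]})
        else:
            first, count, sources = streaks.pop(key, (None, 0, set()))
            if count >= min_failures:
                findings.append({"src_ip": ev["src_ip"], "user": ev["user"], "failures": count,
                                 "sources": sorted(sources), "success_at": ev["ts"]})
    return findings

def run(fw_lines, idp_events):
    events = [n for n in map(normalize_firewall, fw_lines) if n is not None]
    events += [normalize_idp(raw) for raw in idp_events]
    return detect_brute_force(events)

if __name__ == "__main__":
    for finding in run(FIREWALL_LINES, IDP_EVENTS):
        print(finding)
```

Seen from either source alone, alice has only three failures and no rule fires; merged on the normalized `src_ip` and `user` fields the streak is six failures ending in a success, which is the pattern the answer above describes.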
