
Knowledge of security methods, tools and processes

VPN, anti-malware, access control, firewall, wireless security

SaaS, PaaS and IaaS services

SaaS – Office 365, Dropbox, Google Apps, Slack -- SaaS, which stands for software as a
service, is software that you access through your Internet browser without needing to
download it onto your computer, laptop or smartphone.

PaaS – Google App Engine, OpenShift -- Cloud platform services, also known as Platform as
a Service (PaaS), provide cloud components to certain software while being used mainly for
applications. PaaS delivers a framework that developers can build upon and use to
create customized applications. All servers, storage, and networking can be managed by the
enterprise or a third-party provider, while the developers keep management of the
applications.

IaaS – Oracle Cloud, Google Cloud -- Cloud infrastructure services, known as Infrastructure
as a Service (IaaS), are made of highly scalable and automated compute resources. IaaS is
fully self-service for accessing and monitoring compute, networking, storage, and other
services. IaaS allows businesses to purchase resources on demand and as needed instead of
having to buy hardware outright.

SIEM tools and solutions

Security Information and Event Management (SIEM) is a set of tools and services offering a
holistic view of an organization's information security. SIEM tools provide real-time visibility
across an organization's information security systems, and event log management that
consolidates data from numerous sources.

SIEM software works by collecting log and event data generated by an organization's
applications, security devices and host systems and bringing it together into a single centralized
platform.

SIEM tools: SolarWinds Security Event Manager, Splunk Enterprise Security, McAfee
Enterprise Security Manager.

Notes: SIEM tools provide real-time analysis of security alerts generated by applications and
network hardware.

Incident Response

So, what is an incident response process?

At the end of the day, it’s a business process. In fact, an incident response process is a business process
that enables you to remain in business. Quite existential, isn’t it? Specifically, an incident response
process is a collection of procedures aimed at identifying, investigating and responding to potential
security incidents in a way that minimizes impact and supports rapid recovery.

In order to be effective in defending your company’s network, you’ll need the right Ammunition, you’ll
aspire to identify proper Attribution, and you’ll focus on increasing Awareness as a way to reduce the
volume and impact of cyber incidents on your company. Still not clear on the A’s?

Ammunition: Most incident responders will want to spend most of their time here, downloading and
customizing incident response tools - open source as well as proprietary. Why? Because it’s fun, and
that’s what cyber geeks tend to like to do… code. We’ll mostly cover open source incident response
tools in this chapter, and we’ll also use the OODA loop framework from Chapter Two so you’ll know
when to use which tool and why.

Attribution: Understanding where an attack is coming from can help you understand an attacker’s
intention as well as their technique, especially if you use real-time threat intelligence to do so. We’ll
cover the basics of attribution, and include some free and open resources to keep you updated on who
might be attacking your company based on the latest collaborative threat intelligence.

Awareness: The most fundamental security control is an educated and aware user. While we plan to go
deep into incident response training in the next chapter, in this chapter we’ll cover some of the
highlights you’ll want to consider as you update your security awareness program. The biggest takeaway
here is that every incident should be examined as a way to improve your overall security program, with
awareness as a key part of that.

OODA LOOP:

Observe:
Use security monitoring to identify abnormal behavior that may require investigation

Tools for Observing:

Log Analysis, Log Management, SIEM ( OSSIM )

Intrusion Detection Systems (IDS) -- Network & Host-based ( Snort, OSSEC, Suricata ) | monitor server
and network activity in real time

Netflow Analyzers ( Ntop, NfSen ) -- Netflow analyzers examine actual traffic within a network

Vulnerability Scanners ( OpenVAS ) - Vulnerability scanners identify potential areas of risk, and help to
assess the overall attack surface area of an organization, so that remediation tasks can be implemented.

Availability Monitoring ( Nagios ) -- The whole point of incident response is to avoid downtime as much
as possible. So make sure that you have availability monitoring in place, because an application or
service outage could be the first sign of an incident in progress

Web Proxies ( Squid Proxy, IPFire ) -- Web Proxies are thought of as being purely for controlling access
to websites, but their ability to log what is being connected to is vital. So many modern threats operate
over HTTP – being able to log not only the remote IP address, but the nature of the HTTP connection
itself can be vital for forensics and threat tracking.
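The collect, normalize and correlate loop that the SIEM section and the Observe tools above describe, as an added example in Python (written for these notes, not code from any SIEM product): two feeds with different formats, OpenSSH-style syslog lines and a hypothetical application log, are normalized onto one event schema, and a single rule counts failed logins per source IP across both feeds inside a sliding time window. Every log line is constructed, the year supplied for the syslog timestamps is an assumption, and the threshold and window are illustrative values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two feeds.  The sshd lines follow OpenSSH's
# syslog message format; the "webapp" lines are a hypothetical application log.
SSHD_LINES = [
    "Mar 10 10:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 10 10:00:03 bastion sshd[1202]: Failed password for admin from 203.0.113.7 port 51235 ssh2",
    "Mar 10 10:00:05 bastion sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2",
    "Mar 10 10:00:08 bastion sshd[1204]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Mar 10 10:00:09 bastion sshd[1205]: Accepted password for alice from 198.51.100.4 port 40001 ssh2",
]
WEBAPP_LINES = [
    "2024-03-10T10:00:12Z webapp login_failed user=bob src=203.0.113.7",
    "2024-03-10T10:00:20Z webapp login_ok user=alice src=198.51.100.4",
]
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)")
WEBAPP_RE = re.compile(
    r"^(?P<ts>\S+) webapp login_(?P<outcome>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$")


def normalize_sshd(line):
    """Map one sshd syslog line onto the common event schema (or None if unparsable)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "source": "sshd", "host": m["host"], "user": m["user"],
            "src": m["src"], "success": m["outcome"] == "Accepted"}


def normalize_webapp(line):
    """Map one application login line onto the same schema (or None if unparsable)."""
    m = WEBAPP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "webapp", "host": "webapp", "user": m["user"],
            "src": m["src"], "success": m["outcome"] == "ok"}


def correlate_failed_logins(events, threshold=4, window=timedelta(minutes=5)):
    """Sliding-window rule: `threshold` or more failed logins from one source IP,
    counted across every feed, inside `window` raise one alert for that IP."""
    fails_by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["success"]:
            fails_by_src[ev["src"]].append(ev)
    alerts = []
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                hit = fails[start:end + 1]
                alerts.append({"src": src, "count": len(hit),
                               "sources": sorted({e["source"] for e in hit}),
                               "users": sorted({e["user"] for e in hit}),
                               "first": hit[0]["ts"], "last": hit[-1]["ts"]})
                break
    return alerts


def run_pipeline(sshd_lines=SSHD_LINES, webapp_lines=WEBAPP_LINES):
    """Collect from both feeds, normalize, correlate; returns the list of alerts."""
    events = [e for e in map(normalize_sshd, sshd_lines) if e]
    events += [e for e in map(normalize_webapp, webapp_lines) if e]
    return correlate_failed_logins(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(f"ALERT {alert['src']}: {alert['count']} failed logins across "
              f"{alert['sources']} (users {alert['users']})")
```

The point of the shared schema is that the rule never has to know which product produced a line: three SSH failures and one web-application failure from the same address add up to one alert, which neither feed would raise on its own at this threshold.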

Orient:
Evaluate what's going on in the cyber threat landscape & inside your company.

Asset Inventory: In order to know which events to prioritize, you’ll need an understanding of the list of
critical systems in your network, and what software is installed on them. Essentially, you need to
understand your existing environment to evaluate incident criticality as part of the Orient/Triage
process. The best way to do this is to have an automated asset discovery and inventory that you can
update when things change (and as we know, that’s inevitable).

Threat Intelligence Security Research: Threat intelligence gives you global information about threats in
the real world. Things like indicators of compromise (IoCs), bad reputation IP addresses, command-and-
control servers and more, can be applied against your own network assets, to provide a full context for
the threat.
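The Orient step above (an asset inventory plus threat intelligence applied to what you observed), as an added Python example written for these notes: constructed NetFlow-style records and DNS queries are matched against a constructed IoC feed (bad IPs, a bad CIDR, a command-and-control domain) and joined with a constructed asset inventory so that hits come out ranked by how critical the affected asset is. A host missing from the inventory is flagged and given an assumed medium criticality, which is a design choice of this example. All addresses are documentation ranges and every value is made up.

```python
import ipaddress

# Constructed asset inventory: what Orient needs to rate how much an observation
# matters.  Criticality runs from 1 (low) to 5 (crown jewel).
ASSETS = {
    "10.0.1.10": {"name": "db-prod-01", "criticality": 5, "software": ["postgresql 14"]},
    "10.0.2.23": {"name": "ws-marketing-07", "criticality": 2, "software": ["chrome", "office"]},
    "10.0.3.5": {"name": "jump-host-01", "criticality": 4, "software": ["openssh 9"]},
}
# Design choice (assumption): an unlisted host is treated as medium until inventoried.
UNKNOWN_ASSET_CRITICALITY = 3

# Constructed threat-intelligence feed (documentation/test address ranges only).
IOCS = {
    "ip": {"203.0.113.7", "198.51.100.99"},
    "cidr": [ipaddress.ip_network("192.0.2.0/24")],
    "domain": {"c2.example.invalid"},
}

# Constructed observations handed over from the Observe step.
FLOWS = [
    {"src": "10.0.2.23", "dst": "203.0.113.7", "dport": 443, "bytes": 120_000},
    {"src": "10.0.1.10", "dst": "192.0.2.17", "dport": 8080, "bytes": 5_000_000},
    {"src": "10.0.3.5", "dst": "198.51.100.4", "dport": 22, "bytes": 8_000},
    {"src": "10.0.9.9", "dst": "203.0.113.7", "dport": 443, "bytes": 900},
]
DNS_QUERIES = [
    {"src": "10.0.3.5", "qname": "c2.example.invalid"},
    {"src": "10.0.2.23", "qname": "updates.example.invalid"},
]


def match_ip(addr, iocs):
    """Return (indicator, kind) when a destination matches the feed, else None."""
    if addr in iocs["ip"]:
        return addr, "ip"
    ip = ipaddress.ip_address(addr)
    for net in iocs["cidr"]:
        if ip in net:
            return str(net), "cidr"
    return None


def describe_asset(addr, assets):
    """Look the internal host up in the inventory; flag it when it is missing."""
    asset = assets.get(addr)
    if asset is None:
        return {"name": f"unknown({addr})", "criticality": UNKNOWN_ASSET_CRITICALITY,
                "inventoried": False}
    return {"name": asset["name"], "criticality": asset["criticality"], "inventoried": True}


def orient(flows, dns_queries, assets=ASSETS, iocs=IOCS):
    """Join observations with threat intel and the inventory; return hits ranked
    by asset criticality, then by bytes transferred."""
    hits = []
    for flow in flows:
        found = match_ip(flow["dst"], iocs)
        if found:
            indicator, kind = found
            hits.append({**describe_asset(flow["src"], assets), "src": flow["src"],
                         "indicator": indicator, "type": kind, "bytes": flow["bytes"]})
    for q in dns_queries:
        if q["qname"] in iocs["domain"]:
            hits.append({**describe_asset(q["src"], assets), "src": q["src"],
                         "indicator": q["qname"], "type": "domain", "bytes": 0})
    hits.sort(key=lambda h: (-h["criticality"], -h["bytes"]))
    return hits


if __name__ == "__main__":
    for h in orient(FLOWS, DNS_QUERIES):
        note = "" if h["inventoried"] else "  <- not in inventory"
        print(f"[crit {h['criticality']}] {h['name']} -> {h['indicator']} ({h['type']}){note}")
```

The ranking is the triage output: the production database talking to a flagged CIDR comes first, the workstation last, and the host nobody inventoried is surfaced as its own finding rather than silently dropped.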

Decide:
Based on observation & context, choose the best tactic for minimal damage & faster recovery.

Act:
Remediate & Recover. Improve incident response procedure based on lessons learned.

Data Capture & Incident Response Forensics Tools: Data Capture & Incident Response Forensics tools are
a broad category that covers all types of media (e.g. memory forensics, database forensics, network
forensics, etc.). ( SIFT – SANS Investigative Forensic Toolkit )

System Backup & Recovery Tools: System backup and recovery and patch management tools might be
something you’ve already got in place, but it’s important to include them here since an incident is when
you’ll likely need them most.

Security Awareness Training Tools and Programs: Security awareness training tools and programs are
an essential way to improve your overall security posture and reduce the likelihood of incidents.

Vulnerability management tools and procedures


Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of
these vulnerabilities are evaluated. ... Vulnerability management is the process surrounding
vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation, etc.

What are vulnerability management tools?

Also called vulnerability scanning tools, these applications will help you identify the weaknesses in your
security system. All of them have some sort of classification system (weak to critical) that is designed to
show you the degree of exposure to malicious attacks. Apart from vulnerability classification, these tools
also offer some insight into how to fix the discovered issue. Some tools have add-ons that will partly fix
some of those issues, whether they’re network- or endpoint-related.

Tools: Wireshark, Nmap 

How to solve the most common network vulnerabilities:

1. Too many admin rights

There’s a reason why every company should start embracing the Zero Trust model – if one device
hooked up to the network becomes compromised, the other ones will quickly follow. Malware will try
what is called rights escalation to propagate throughout the network. This is one of the many reasons why
you should instate an access governance program. Working with existing AG frameworks like Microsoft
Azure Active Directory can be challenging and, in the end, utterly useless, scalability-wise.

2. (Regular) Data Backups

I know that it sounds like a no-brainer, but the fact of the matter is that many people, including those
handling highly sensitive data, forget to make backup copies. Why should you stress the importance of
regularly backing up your work? In case of a ransomware attack, the backup can make the difference
between telling the hacker to go take a hike (ransomware-encrypted data can easily be restored from
backups) and having to pay a truckload of money to get your data back.

3. Weak passwords

Passwords are your first line of defense in case of a malicious attack. Weak passwords can be quickly
bypassed. So, do yourself a world of good and put in place some sort of password-changing policy. More
than that, you must also make sure that your employees abide by it.

SOAR and EDR Solutions

What is SOAR?

SOAR (Security Orchestration, Automation, and Response) refers to a collection of software solutions
and tools that allow organizations to streamline security operations in three key areas: threat and
vulnerability management, incident response, and security operations automation.

To break it down further, security automation is the automatic handling of security operations-related
tasks. It is the process of executing these tasks—such as scanning for vulnerabilities, or searching for
logs—without human intervention. Security orchestration refers to a method of connecting security
tools and integrating disparate security systems. It is the connected layer that streamlines security
processes and powers security automation.

It is a collection of software solutions and tools that let an organization streamline threat and
vulnerability management, incident response and security operations automation.

Automation is task based; orchestration takes all the automation tasks and runs them in a predefined
order.

What is EDR?

In practice it is a piece of software, a combination of next-gen antivirus with security tools, that
scans the network in real time, monitors traffic, recognises malware, phishing attacks, etc., and lets you
create automatic rules for which types of attack to block and how. It gives you a much better overview
of the devices in the company. It records every file execution and modification, and every registry
modification, on all of the organization's endpoints.

Endpoint Detection and Response (EDR) is an integrated, layered approach to endpoint protection
that combines real-time continuous monitoring and endpoint data analytics with rule-based
automated response.

Endpoint Detection and Response (EDR) platforms are cyber security systems that combine elements of
next-gen antivirus with additional tools to provide real-time anomaly detection and alerting, forensic
analysis and endpoint remediation capabilities.

By recording every file execution and modification, registry change, network connection and binary
execution across an organisation’s endpoints, EDR enhances threat visibility beyond the scope of EPPs.

Why is EDR Important?

EDR is designed to go beyond detection-based, reactive cyber defense. Instead, it provides security
analysts with the tools that they need to proactively identify threats and protect the organization. EDR
provides a number of features that improve the organization’s ability to manage cybersecurity risk, such
as:

- Improved Visibility: EDR security solutions perform continuous data collection and analytics,
and report to a single, centralized system. This provides a security team with full visibility into
the state of the network’s endpoints from a single console.

- Rapid Investigations: EDR solutions are designed to automate data collection and processing,
and certain response activities. This enables a security team to rapidly gain context regarding a
potential security incident and quickly take steps to remediate it.

- Remediation Automation: EDR solutions can automatically perform certain incident response
activities based upon predefined rules. This enables them to block or rapidly remediate certain
incidents and reduces load on security analysts.

- Contextualized Threat Hunting: EDR solutions’ continuous data collection and analysis provide
deep visibility into an endpoint’s status. This allows threat hunters to identify and investigate
potential signs of an existing infection.

Next-Generation Antivirus (NGAV)

Next-Generation Antivirus takes traditional antivirus software to a new, advanced level of endpoint
security protection. It goes beyond known file-based malware signatures and heuristics because it’s a
system-centric, cloud-based approach. It uses predictive analytics driven by machine learning and
artificial intelligence and combines with threat intelligence to:

- Detect and prevent malware and fileless non-malware attacks

- Identify malicious behavior and TTPs from unknown sources

- Collect and analyze comprehensive endpoint data to determine root causes

- Respond to new and emerging threats that previously went undetected.

Using the EDR solution, security professionals can monitor endpoints and take security actions manually.
However, the SOAR tool allows SOC teams to investigate alerts, query endpoints, and orchestrate
immediate changes across all the endpoints at once. SOAR can also ingest alerts generated by
endpoints based on predetermined rules. The hash value of suspicious files is also considered. After
that, contextual data is used to enrich security alerts so that they become more accurate. Once these
alerts are enriched with contextual data, the sandbox is used to grab and detonate the file for analysis
purposes.

SOAR can take a variety of actions based on the results produced by the sandbox. For example, if the
malicious file is detected on any of the endpoints, then SOAR can kill the process, block the hash, or
quarantine the infected endpoint(s).
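The alert-handling flow just described (ingest an EDR alert, consider the file hash, enrich from reputation data, detonate unknown files in a sandbox, then act on every endpoint at once), as an added Python example written for these notes and not taken from any SOAR or EDR product. The reputation feed, the EDR sightings and the "sandbox" are all constructed stand-ins: the toy sandbox decides on marker bytes in the fake samples, whereas a real one observes behaviour. The playbook keeps an audit trail of every action it takes.

```python
import hashlib

# Constructed sample files the EDR has seen executing.  The bytes are fake;
# the markers only drive the toy sandbox below.
SAMPLES = {
    "invoice.exe": b"MZ\x90\x00 fake-binary ransom-note-dropper",
    "report.pdf": b"%PDF-1.7 fake-benign-document",
    "quote.docm": b"PK fake-office-file with-macro",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hash-reputation feed: only the PDF is already known.
HASH_REPUTATION = {sha256(SAMPLES["report.pdf"]): "clean"}

# Constructed EDR telemetry: which endpoints executed which file hashes.
EDR_SIGHTINGS = {
    "ws-011": {sha256(SAMPLES["invoice.exe"])},
    "ws-014": {sha256(SAMPLES["invoice.exe"]), sha256(SAMPLES["report.pdf"])},
    "ws-020": {sha256(SAMPLES["report.pdf"])},
    "ws-031": {sha256(SAMPLES["quote.docm"])},
}


def toy_sandbox(content: bytes) -> str:
    """Stand-in for a detonation sandbox (assumption); returns a verdict string."""
    if b"ransom-note-dropper" in content:
        return "malicious"
    if b"with-macro" in content:
        return "suspicious"
    return "clean"


class Playbook:
    """Enrich -> detonate if unknown -> act across all endpoints, with an audit trail."""

    def __init__(self, reputation, sightings, sandbox):
        self.reputation = dict(reputation)
        self.sightings = sightings
        self.sandbox = sandbox
        self.blocked = set()
        self.actions = []

    def handle(self, alert):
        h = alert["sha256"]
        if h in self.blocked:                      # same hash already contained
            self.actions.append(("suppress_duplicate", alert["id"]))
            return "suppressed"
        verdict = self.reputation.get(h)
        if verdict is None:                        # unknown hash: detonate it
            verdict = self.sandbox(alert["sample"])
            self.reputation[h] = verdict           # cache the verdict for later alerts
        if verdict == "malicious":
            self.blocked.add(h)
            self.actions.append(("block_hash", h))
            for endpoint, hashes in self.sightings.items():   # every endpoint at once
                if h in hashes:
                    self.actions.append(("kill_process", endpoint, alert["process"]))
                    self.actions.append(("quarantine_endpoint", endpoint))
            return "contained"
        if verdict == "clean":
            self.actions.append(("close_alert", alert["id"]))
            return "closed"
        self.actions.append(("escalate_to_analyst", alert["id"]))
        return "escalated"


def alert_for(alert_id, endpoint, filename):
    """Build a constructed EDR alert; a real SOAR would fetch the sample from the endpoint."""
    return {"id": alert_id, "endpoint": endpoint, "process": filename,
            "sha256": sha256(SAMPLES[filename]), "sample": SAMPLES[filename]}


def run_playbook():
    """Feed four constructed alerts through the playbook; returns (outcomes, actions)."""
    pb = Playbook(HASH_REPUTATION, EDR_SIGHTINGS, toy_sandbox)
    alerts = [alert_for("A1", "ws-011", "invoice.exe"),
              alert_for("A2", "ws-014", "invoice.exe"),
              alert_for("A3", "ws-020", "report.pdf"),
              alert_for("A4", "ws-031", "quote.docm")]
    outcomes = [pb.handle(a) for a in alerts]
    return outcomes, pb.actions


if __name__ == "__main__":
    outcomes, actions = run_playbook()
    print(outcomes)
    for action in actions:
        print(" ", action)
```

The first alert alone contains both workstations that executed the hash, the second alert for the same hash is suppressed instead of re-running containment, the known-clean file is closed without a detonation, and the "suspicious" verdict goes to an analyst rather than triggering automated quarantine.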

Security Threat Intelligence services


Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks. Rooted in data,
threat intelligence gives you context that helps you make informed decisions about your security by
answering questions like who is attacking you, what their motivations and capabilities are, and what
indicators of compromise in your systems to look for.

e.g. [ Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators,
implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This
intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard. ]

Threat intelligence -- a collection of information ( a collection of data is information ) that allows you to
take action against a threat against your people, your valuable data and your customers.

Cisco Security Services, Webroot® Threat Intelligence

Services: Sophos Professional Services, Symantec Managed Security Services

Elasticsearch

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store,
search, and analyze big volumes of data quickly and in near real time. It is generally used as the
underlying engine/technology that powers applications that have complex search features and
requirements. Elasticsearch provides a distributed system on top of Lucene StandardAnalyzer for
indexing and automatic type guessing and utilizes a JSON based REST API to refer to Lucene features.

It is easy to set up out of the box since it ships with sensible defaults and hides complexity from
beginners. It has a short learning curve to grasp the basics, so anyone with a bit of effort can become
productive very quickly. It is schema-less, using some defaults to index the data.

Consumers searching for product information in e-commerce website catalogs face issues such as long
product information retrieval times. This leads to a poor user experience and, in turn, to missing the
potential customer. Today businesses are looking for alternative ways to store large amounts of data
such that retrieval is quick. This can be achieved by adopting NoSQL rather than an RDBMS (Relational
Database Management System) for storing data.

Elasticsearch stands as a NoSQL DB because:

- It is easy to use

- It has a great community

- Compatibility with JSON

- Broad use cases

Backend components

To better understand Elasticsearch and its usage, it is good to have a general understanding of the main
backend components.

Node

A node is a single server that is part of a cluster, stores our data, and participates in the cluster’s
indexing and search capabilities. Just like a cluster, a node is identified by a name which by default is a
random Universally Unique Identifier (UUID) that is assigned to the node at startup. We can edit the
default node names in case we want to.

Cluster

A cluster is a collection of one or more nodes that together hold your entire data and provide
federated indexing and search capabilities. There can be N nodes with the same cluster name.
Elasticsearch operates in a distributed environment: with cross-cluster replication, a secondary cluster
can spring into action as a hot backup.

Index

The index is a collection of documents that have similar characteristics. For example, we can have an
index for a specific customer, another for product information, and another for a different type of
data. An index is identified by a unique name that refers to the index when performing indexing, search,
update, and delete operations. In a single cluster, we can define as many indexes as we want. An index is
similar to a database in an RDBMS.

Document

A document is a basic unit of information that can be indexed. For example, you can have an index
about your products and then a document for a single customer. This document is expressed in JSON
(JavaScript Object Notation), which is a ubiquitous internet data interchange format. The analogy is a
single row in a DB.
Within an index, you can store as many documents as you want, so that in the same index you can have
a document for a single product, and yet another for a single order.

Shard and Replicas

Elasticsearch provides the ability to subdivide your index into multiple pieces called shards. When you
create an index, you can simply define the number of shards that you want. Each shard is in itself a fully
functional and independent “index” that can be hosted on any node in the cluster.
Shards are important because they allow you to horizontally split your data volume, potentially across
multiple nodes, parallelizing operations and thus increasing performance. Shards can also be used by
making multiple copies of your index into replica shards, which in cloud environments can be useful to
provide high availability.
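The index, document, shard and replica concepts above, as an added Python example written for these notes (not code from the Elasticsearch project): it builds the request body for creating an index with a shard and replica count, the NDJSON body for bulk-indexing JSON documents, computes which primary shard a document id lands on with the shard = hash(_routing) % number_of_primary_shards rule from the Elasticsearch documentation (sha256 stands in for Elasticsearch's murmur3 hash, an assumption so the result is reproducible), and models the placement rule that a replica is never put on the node holding its primary. The placement loop is a simplified model of my own, not Elasticsearch's allocator; the product documents are constructed.

```python
import hashlib
import json


def index_definition(num_shards=3, num_replicas=1):
    """Body of a PUT /<index> request carrying the two settings the text describes."""
    return {"settings": {"index": {"number_of_shards": num_shards,
                                   "number_of_replicas": num_replicas}}}


def bulk_body(index, docs):
    """NDJSON body for POST /_bulk: one action line, then one document line per doc.
    Each document is a JSON object, the 'row' of the RDBMS analogy."""
    lines = []
    for doc in docs:
        doc = dict(doc)
        doc_id = doc.pop("_id")
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def shard_for(doc_id, num_primary_shards):
    """Primary shard for a document: shard = hash(_routing) % number_of_primary_shards,
    where _routing defaults to the document _id.  Elasticsearch uses murmur3; sha256
    stands in here (assumption) so the mapping is deterministic across Python runs."""
    digest = hashlib.sha256(doc_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_primary_shards


def allocate(num_shards, num_replicas, nodes):
    """Simplified placement model (not Elasticsearch's allocator): primary s goes to
    node s mod N and each replica copy to the following nodes, never onto the node
    holding its primary, which is the rule Elasticsearch enforces.  Returns
    ({node: shard labels}, unassigned); unassigned replica copies are why a
    single-node cluster with replicas reports yellow health."""
    placement = {n: [] for n in nodes}
    unassigned = []
    for s in range(num_shards):
        primary_node = nodes[s % len(nodes)]
        placement[primary_node].append(f"p{s}")
        for r in range(num_replicas):
            candidate = nodes[(s + 1 + r) % len(nodes)]
            if candidate == primary_node or f"r{s}" in placement[candidate]:
                unassigned.append(f"r{s}")
            else:
                placement[candidate].append(f"r{s}")
    return placement, unassigned


if __name__ == "__main__":
    # Constructed product catalogue documents.
    docs = [{"_id": f"sku-{i}", "name": f"product {i}", "price": 10 + i} for i in range(6)]
    print(json.dumps(index_definition()))
    print(bulk_body("products", docs[:2]), end="")
    for d in docs:
        print(d["_id"], "-> shard", shard_for(d["_id"], 3))
    for nodes in (["node-1"], ["node-1", "node-2"]):
        placement, unassigned = allocate(3, 1, nodes)
        print(nodes, placement, "unassigned:", unassigned)
```

Because the shard is a function of the id and the primary shard count, the count cannot be changed on an existing index without re-indexing; the replica count, by contrast, is just extra copies and can be raised once more nodes are available to hold them.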

The Elastic stack

Although a search engine at its core, users started using Elasticsearch for logs and wanted to easily ingest
and visualize them. Elasticsearch, Logstash and Kibana are the main components of the Elastic stack and are
known as ELK.

Kibana

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack. You can select the way to
give shape to your data by starting with one question to find out where the interactive visualization will
lead you. You can begin with the classic charts (histograms, line graphs, pie charts, sunbursts, and so on)
or design your own visualization and add Geo data on any map.
You can also perform advanced time series analysis, find visual relationships in your data and explore
anomalies with machine learning features.
For more details have a look at the official page.

Cisco's Threat Intelligence department uses Elastic to detect and analyze possible global-scale threats.
They detect new exploit kits by analyzing traffic patterns, using SSH terminals and router honeypots to
collect anomalous behaviors such as attempted logins using brute-force attacks to guess usernames and
passwords. In this way they record what commands attackers use once they log in, and what files they
download from and upload to the server (although hard to believe, most credentials seen on the
internet are as simple as the username admin with a trivial password).

Apache Kafka

It is a system for managing logs. It calls them topics ( an ordered collection of events stored in a durable
way ). Durable means that they are written to disk and replicated ( stored in more than one place,
on more than one server ).

It uses events. They are written into a log. ( state, description, what happened )
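The three properties just listed (ordered, durable, replicated), as an added Python example written for these notes: a toy topic appends each event to a log file in every "broker" directory, fsyncs it to disk, hands back the event's offset, and can still be read in order after one broker directory is destroyed. This is a model of the concepts only, not Kafka's storage format or replication protocol; the events are constructed.

```python
import json
import os
import shutil
import tempfile


class Topic:
    """Toy model of a topic: an append-only, ordered log of events that is durable
    (each record is written and fsynced to disk) and replicated (the same record is
    appended to one file per broker directory).  Not Kafka's implementation."""

    def __init__(self, name, broker_dirs):
        self.name = name
        self.paths = [os.path.join(d, f"{name}.log") for d in broker_dirs]
        for p in self.paths:
            open(p, "a").close()
        self.next_offset = 0

    def append(self, event):
        """Append one event to every replica; returns its offset (position in the log)."""
        record = json.dumps({"offset": self.next_offset, "event": event})
        for p in self.paths:
            with open(p, "a") as f:
                f.write(record + "\n")
                f.flush()
                os.fsync(f.fileno())   # durable: on disk before the offset is handed out
        self.next_offset += 1
        return self.next_offset - 1

    def read(self, start_offset=0):
        """Read events in offset order from the first replica that still exists."""
        for p in self.paths:
            if os.path.exists(p):
                with open(p) as f:
                    records = [json.loads(line) for line in f]
                return [r["event"] for r in records if r["offset"] >= start_offset]
        raise RuntimeError("no replica of the topic is available")


def demo(replication_factor=3):
    """Write three constructed events, lose one broker, show the log survives.
    Returns (offsets handed out, events read after the loss, events from offset 2)."""
    base = tempfile.mkdtemp()
    brokers = [os.path.join(base, f"broker-{i}") for i in range(replication_factor)]
    for b in brokers:
        os.mkdir(b)
    topic = Topic("auth-events", brokers)
    events = [   # constructed, in the (state, description, what happened) shape the notes give
        {"state": "failed", "description": "ssh login", "what": "bad password for root"},
        {"state": "failed", "description": "ssh login", "what": "bad password for admin"},
        {"state": "ok", "description": "ssh login", "what": "alice logged in"},
    ]
    offsets = [topic.append(e) for e in events]
    shutil.rmtree(brokers[0])              # simulate losing the first broker's disk
    survived = topic.read()
    tail = topic.read(start_offset=2)      # a consumer resuming from a stored offset
    shutil.rmtree(base)
    return offsets, survived, tail


if __name__ == "__main__":
    offsets, survived, tail = demo()
    print("offsets:", offsets)
    print("after losing a broker:", survived)
    print("from offset 2:", tail)
```

The offset is what makes the log ordered and resumable: a consumer remembers the last offset it processed and asks for everything after it, which is how a SIEM-style pipeline picks up where it left off after a restart.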
