
3.0 Security Operations and Monitoring


3.2 Given a scenario, implement configuration changes to existing controls to improve security

• Permissions
- Permissions are the access privileges that administrators and resource owners grant to users for various resources.
- Users should have only the minimum number of permissions possible.
- ‘Principle of least privilege’ - a best practice for both software developers and systems administrators. This policy ensures that a user or function has
the lowest level of access required to accomplish necessary tasks. This means that processes should never run as root and that users should avoid
logging in as administrators.

• Allow list (previously known as whitelisting)
- Whitelisting is among the most effective methods of preventing unfamiliar applications from installing and executing: only known-good
applications are allowed, and everything else is prevented from executing.
- Can effectively protect organizations against the introduction of known malware, variants of old malware, and even unknown malware.
- Configure application whitelisting using the Security Policy Editor for local machines and the Group Policy Editor for domains.

• Blocklist (previously known as blacklisting)
- List of known threats / malicious apps / IPs / domains blocked by admins.
- However, blacklisting is not really effective against new actors and attack patterns never seen before, such as zero-day threats.

• Firewall
- Blocks or allows incoming or outgoing traffic based on rules; typically used between different trust zones.
- Firewalls use explicit rules that control how they handle traffic, with many set to deny all incoming connections and allow all outgoing connections
by default.
- When building firewall rules, there are 2 approaches: either
(i) deny everything by default and explicitly allow selected traffic, or
(ii) allow everything first and deny selected traffic.
- It’s far more efficient and safer to deny all traffic by default and allow only the specific communication that you need to pass through.
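As an added example (not part of the original notes, and not any firewall product's code), the two rule-building approaches above modelled as a first-match rule evaluator in Python. The rule sets, the 203.0.113.10 "web server" and the client addresses are constructed for illustration; the point is what happens to traffic that no rule mentions (the last sample packet).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and _cidr_match(rule.src, pkt.src)
        and _cidr_match(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule wins; the default action applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule sets. 203.0.113.10 is a documentation address standing in
# for a public web server; 10.0.0.0/8 stands in for the internal network.

# Approach (i): deny everything by default, explicitly allow selected traffic.
DENY_BY_DEFAULT = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),         # HTTPS from anywhere
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),   # SSH only from inside
]

# Approach (ii): allow everything by default, deny selected traffic.
ALLOW_BY_DEFAULT = [
    Rule("deny", "tcp", "any", "any", 23),   # block Telnet
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under approach i, verdict under approach ii) for one packet."""
    return (evaluate(DENY_BY_DEFAULT, pkt, default="deny"),
            evaluate(ALLOW_BY_DEFAULT, pkt, default="allow"))


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # HTTPS from the internet
        Packet("tcp", "198.51.100.7", "203.0.113.10", 22),    # SSH from the internet
        Packet("tcp", "10.20.30.40", "203.0.113.10", 22),     # SSH from inside
        Packet("tcp", "198.51.100.7", "203.0.113.10", 8080),  # service nobody wrote a rule for
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dport, compare(p))
```

The 8080 packet is the one to look at: under approach (i) it is dropped because nobody explicitly allowed it, while under approach (ii) it sails through because nobody thought to deny it. That asymmetry is why the notes recommend deny-by-default.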

• Web Proxies
- Web proxies are typically focused on the client, ensuring that it does not access or upload disallowed content, while protecting it from
downloading malicious data.
- Web proxies are versatile and capable of acting as filters for malicious traffic and unwanted network content. Additionally, they
may be able to increase the speed of loading web pages by creating local copies of frequently accessed sites.

• Intrusion prevention system (IPS) rules
- The purpose of intrusion detection systems (IDSs) is to identify suspicious behavior, either by matching it to previously identified malicious activity or by analyzing network
traffic for indicators.
- IPS is IDS + functionality to act on recognition of malicious activity and to stop traffic or quarantine hosts.
- The most commonly deployed IPS technologies are Zeek (formerly known as Bro), Suricata, and Snort.
- Suricata, a free and open-source tool, was designed to inspect network traffic using a rule set and signature language similar to Snort's. Suricata stands out in
that it can handle multiple gigabits of traffic, it provides an intuitive user interface, and it’s capable of sending alert messages through a number of
methods.

Snort Rule Building
- Snort does not automatically log everything it sees on the network, which may be attractive if you have limited means to store large amounts of event
data.

Zeek Logs
-Zeek does two things: it captures all sorts of events (labeling them neither good nor bad) and then runs scripts that analyze the events looking for
anomalies that may indicate a security incident.

Suricata Rule-Building
- Suricata was built to be a high-performance IDS, IPS, and network monitoring tool (full feature set of inspection, detection, and network capture
capabilities).
- Suricata rules consist of 3 components that work together to deal with traffic extremely quickly:
(i) The first component is the action taken if the rule matches: pass, drop, reject, or alert. A packet may generate an alert action, which will notify the
administrator of the event.
(ii) The second component is the header, which defines the protocol, addresses, ports, and direction of the rule.
(iii) The third component, the options, is used to add definition to the rule.
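To make the three components concrete, here is an added Python parser (not Suricata's own code, and not from the original notes) that splits a rule line into action, header and options. The sample rule, its sid value and the message text are constructed for the example; $HOME_NET and $EXTERNAL_NET follow Suricata's usual variable naming convention.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The four actions listed in the notes.
ACTIONS = {"pass", "drop", "reject", "alert"}

# header = protocol, source address, source port, direction, destination address, destination port
_HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S,
)

# one option ends at a ';' that is not inside double quotes
_OPTION_RE = re.compile(r'((?:[^;"]|"(?:[^"\\]|\\.)*")+);')


@dataclass
class SuricataRule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: Dict[str, List[str]] = field(default_factory=dict)


def parse_options(text: str) -> Dict[str, List[str]]:
    """Split 'key:value; key2; ...' into a dict; repeated keys (e.g. content) keep every value."""
    opts: Dict[str, List[str]] = {}
    for item in _OPTION_RE.findall(text):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")          # bare keywords get an empty value
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def parse_rule(line: str) -> SuricataRule:
    """Split one rule into its action, header fields and options."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("rule does not have the shape 'action header (options)'")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return SuricataRule(action, proto, src, sport, direction, dst, dport, parse_options(opts))


# Constructed sample rule (the sid is a placeholder in the local-rule range).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"SSH connection attempt"; flow:to_server; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print("action :", r.action)
    print("header :", r.protocol, r.src, r.src_port, r.direction, r.dst, r.dst_port)
    print("options:", r.options)
```

Splitting options on semicolons only outside quotes matters in practice: a msg or content value may itself contain a semicolon, and a naive split would corrupt the rule.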

• Data loss prevention (DLP)
- Security tools used to recognize and identify data that is critical to the organization and to ensure its protection – protect data from leaving the
organization.
- Targets data in motion, data in use, data at rest, and endpoint systems.
- DLP uses content inspection.
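Content inspection in practice, as an added Python example (not from the original notes and not any DLP vendor's code): it looks for payment-card-shaped numbers in outbound text and applies the Luhn check so that digit-heavy strings such as order numbers do not trigger a block. The sample messages and the 4111... test card number are constructed.

```python
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return card-shaped numbers that also pass Luhn (digits only, separators removed)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first 6 and last 4 for the audit log, never the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect(text: str) -> Dict[str, object]:
    """Decide whether an outbound message may leave; 'block' on any confirmed PAN."""
    pans = find_pans(text)
    return {"verdict": "block" if pans else "allow",
            "masked": [mask(p) for p in pans]}


# Constructed samples: an order number that is digit-heavy but fails Luhn,
# a well-known test card number that passes it, and a near miss that fails it.
OUTBOUND = [
    "Order 1234567890123 shipped, tracking to follow.",
    "Please charge card 4111 1111 1111 1111 exp 12/29 for the invoice.",
    "Ref 4111-1111-1111-1112 is a typo, ignore.",
]

if __name__ == "__main__":
    for msg in OUTBOUND:
        print(inspect(msg))
```

Masking in the result is deliberate: a DLP alert that copies the full card number into a log has itself just created a new place the data leaks from.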

• Endpoint detection and response (EDR)
- Uses endpoint data gathering and monitoring capabilities paired with central processing and analysis to provide high levels of visibility into what occurs
on endpoints.
- An endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.
- Monitor, Detect, Respond:
- Monitor: log and aggregate endpoint activity to facilitate trend analysis.
- Detect: find threats with the continuous analysis of monitored data.
- Respond: address malicious activity on the network by stopping the activity or removing the offending asset.

- An EDR tool should offer advanced threat detection, investigation and forensic analysis, and automatic response capabilities, including incident data
search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.

• Network access control (NAC)
- A technology that requires a system to authenticate before it can connect to a network (policy enforcement checks are performed before the device is
allowed to connect to the network).
- The IEEE 802.1X standard was the de facto NAC standard for many years.
- NAC may require an agent or may be agentless.

• Sinkholing
- Redirects traffic from its supposed original destination to a destination of your choice. A common implementation of sinkholing is done via DNS – to
prevent traffic from being sent to malicious websites.
- A technique used to mitigate malicious and abusive traffic by routing it to an internal server or dropping it altogether.

• Malware signatures
- The use of signature-based detection.
- YARA rules are useful for identifying and classifying malware based on a well-defined rule-based approach. These rules were designed to be easy to
understand and consist of two parts: the strings definition and the condition.

- Development/rule writing
YARA rules consist of two parts: the strings definition and the condition.
(i) The strings definition portion specifies the patterns that will be searched for in the file. Each string is described with an identifier consisting
of a $ character followed by a name. Text, hexadecimal, and regular expression (regex) patterns can be used to describe the string.
(ii) The condition defines the logic under which the rule matches, using Boolean expressions.
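As an added example (not from the original notes and not YARA itself), a small Python matcher built the way the two parts above describe: string definitions of the three kinds (text, hex with ?? wildcards, regex) are searched for in a file's bytes, and a Boolean condition over their $identifiers decides the match. The sample rule and the byte blobs it runs against are constructed; real YARA supports far more (offsets, match counts, modules) than this toy grammar.

```python
import re

_TOKEN_RE = re.compile(r"\s*(\(|\)|\$\w+|and|or|not|any of them|all of them)")


def compile_string(kind, pattern):
    """Turn a text / hex / regex string definition into a compiled byte regex."""
    if kind == "text":
        return re.compile(re.escape(pattern.encode()))
    if kind == "hex":                                  # '??' matches any single byte
        parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                 for tok in pattern.split()]
        return re.compile(b"".join(parts), re.S)
    if kind == "regex":
        return re.compile(pattern.encode())
    raise ValueError(f"unknown string kind {kind!r}")


def scan_strings(strings, data):
    """Map each $identifier to whether its pattern occurs anywhere in the file bytes."""
    return {ident: bool(compile_string(kind, pat).search(data))
            for ident, (kind, pat) in strings.items()}


def tokenize(cond):
    """Condition grammar: and / or / not / ( ) / $id / any of them / all of them."""
    tokens = _TOKEN_RE.findall(cond)
    if "".join(tokens).replace(" ", "") != cond.replace(" ", ""):
        raise ValueError(f"cannot parse condition {cond!r}")
    return tokens


class _Condition:
    """Recursive-descent evaluation of the condition; precedence is not > and > or."""
    def __init__(self, tokens, hits):
        self.tokens, self.pos, self.hits = tokens, 0, hits
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("condition ends unexpectedly")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def expr(self):                      # or
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()            # always parsed, so the token stream stays in sync
            value = value or rhs
        return value
    def term(self):                      # and
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value
    def factor(self):                    # not, parentheses, atoms
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok == "any of them":
            return any(self.hits.values())
        if tok == "all of them":
            return all(self.hits.values())
        if tok.startswith("$"):
            return self.hits[tok]        # KeyError: identifier missing from the strings section
        raise ValueError(f"unexpected token {tok!r}")


def match_rule(rule, data):
    """Evaluate one rule (dict with 'strings' and 'condition') against file bytes."""
    cond = _Condition(tokenize(rule["condition"]), scan_strings(rule["strings"], data))
    result = cond.expr()
    if cond.peek() is not None:
        raise ValueError("trailing tokens in condition")
    return result


# Constructed sample rule in the two-part shape, and constructed blobs standing in for files.
SUSPICIOUS_PE = {
    "strings": {
        "$mz":  ("hex",   "4D 5A ?? 00"),
        "$dos": ("text",  "This program cannot be run in DOS mode"),
        "$url": ("regex", r"https?://[a-z0-9.-]+/[a-z0-9_/]+\.exe"),
    },
    "condition": "$mz and ($dos or $url)",
}
SAMPLES = {
    "pe_like":   b"MZ\x90\x00\x03\x00This program cannot be run in DOS mode" + b"\x00" * 8,
    "dropper":   b"MZ\x90\x00cfg=http://example.test/dl/update.exe\x00",
    "plaintext": b"just a text file mentioning http://example.test/a.exe",
}


def scan_all():
    return {name: match_rule(SUSPICIOUS_PE, blob) for name, blob in SAMPLES.items()}
```

The plaintext sample shows why the condition matters: the $url string hits, but the rule stays quiet because the condition also requires the $mz header bytes, which keeps a single common substring from classifying every file that mentions it.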

• Sandboxing
- Executing malicious apps/systems/processes in an isolated environment. Normally a virtualization environment is used to execute the malicious process and
monitor its behavior.

• Port security
- Monitors the MAC addresses of devices connecting to switch ports, and allows/denies access to the network based on the MAC address.

Ports:
Ports 0 – 1023 (UDP and TCP) -- well-known ports, commonly used services. Some notable well-known ports are 20 (FTP), 22 (SSH), 25 (SMTP), and 80
(HTTP).
Ports 1024 to 49151 -- registered ports.
Ports above 49151 -- ephemeral or dynamic ports.

Common ports targeted by attackers:
20, 21 (FTP), 22 (SSH), 23 (Telnet), 80 & 443 (HTTP, HTTPS), 3389 (RDP), 445 & 139 (SMB), 1433 (MSSQL)
