• Permissions
-Permissions are the access privileges that administrators and resource owners grant to users for various resources.
-Users should have only the minimum number of permissions possible.
-'Principle of least privilege' - a best practice for both software developers and systems administrators. This policy ensures that a user or function has the lowest level of access required to accomplish necessary tasks. This means that processes should never run as root and that users should avoid logging in as administrators.
• Firewall
-Blocks or allows incoming or outgoing traffic based on rules; typically placed between different trust zones.
-Firewalls use explicit rules that control how they handle traffic, with many set to deny all incoming connections and allow all outgoing connections by default.
• Zeek Logs
-Zeek does two things: it captures all sorts of events (labeling them neither good nor bad) and then runs scripts that analyze the events looking for
anomalies that may indicate a security incident.
• Suricata Rule-Building
-Suricata was built to be a high-performance IDS, IPS, and network monitoring tool (full feature set of inspection, detection, and network capture
capabilities)
-Suricata rules consist of three components that work together to deal with traffic extremely quickly.
(i) The first component is the action taken when the rule matches: pass, drop, reject, or alert. A packet may generate an alert action, which notifies the administrator of the event.
(ii) The second component is the header, which defines the protocol, addresses, ports, and direction of the rule.
(iii) The third component is the options, which add further definition to the rule.
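As an added example (not from the original notes), the following Python splits a rule into exactly the three components described above: the action, the header (protocol, addresses, ports, direction) and the options. The sample rule and its sid value are constructed for this illustration, not taken from any real ruleset.

```python
import re
from dataclasses import dataclass, field

# Component (i): the only actions a rule may start with.
ACTIONS = {"pass", "drop", "reject", "alert"}


@dataclass
class SuricataRule:
    action: str                 # component (i)
    protocol: str               # component (ii) header fields follow
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str
    options: dict = field(default_factory=dict)  # component (iii)


def split_options(body: str) -> dict:
    """Split 'key:value; key2:value2; ...' into a dict, keeping ';' inside quoted values intact."""
    opts = {}
    for part in re.findall(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+', body):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(text: str) -> SuricataRule:
    """Parse one rule into action, header and options; raise ValueError if the shape is wrong."""
    header_re = r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*"
    m = re.fullmatch(header_re, text, re.S)
    if not m:
        raise ValueError("rule does not have the <action> <header> (<options>) shape")
    action, proto, sa, sp, direction, da, dp, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    rule = SuricataRule(action, proto, sa, sp, direction, da, dp, split_options(body))
    if "sid" not in rule.options:          # every rule needs a unique signature id
        raise ValueError("rule lacks a sid option")
    return rule


# Constructed sample rule for demonstration only (sid value is a placeholder).
SAMPLE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
          '(msg:"Example HTTP GET; constructed"; content:"GET"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    r = parse_rule(SAMPLE)
    print(r.action, r.protocol, r.direction, r.options["sid"])
```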
• EDR
-An EDR tool should offer advanced threat detection, investigation and forensic analysis, and automatic response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.
• Malware signatures
-Uses signature-based detection.
-YARA rules are useful for identifying and classifying malware based on a well-defined rule-based approach. These rules were designed to be easy to
understand and consist of two parts: the strings definition and the condition.
-Development/rule writing: YARA rules consist of two parts, the strings definition and the condition.
(i) The strings definition specifies the patterns that will be searched for in the file. Each string is described with an identifier consisting of a $ character followed by a name. Text, hexadecimal, and regular expression (regex) strings can be used to describe the pattern.
(ii) The condition defines the logic under which the rule matches, using Boolean expressions.
• Sandboxing
-Executing malicious apps/systems/processes in an isolated environment. Normally a virtualization environment is used to execute the malicious process and monitor its behavior.
• Port security
-Monitors the MAC addresses of devices connecting to switch ports, and allows or denies access to the network based on MAC address.
• Ports
Ports 0 – 1023 (UDP and TCP) -- well-known ports, commonly used services. Some notable well-known ports are 20 (FTP), 22 (SSH), 25 (SMTP), and 80 (HTTP).
Ports 1024 to 49151 -- registered ports.
Ports above 49151 -- ephemeral or dynamic ports.