Security Operations

Mister_Security
SecOpsWeek1lesson2SOCtech.pptx

SOC services and technologies

Learning objectives

Be familiar with the common services and technologies used in a SOC

Name the common services and technologies used in a SOC;

Know the activities involved in vulnerability management;

Given a scenario, analyze the output resulting from a vulnerability scan;

Understand the needs for SIEM and SOAR;

Know the difference among honeypot, sinkhole and sandbox.


https://www.youtube.com/watch?v=6LwyTWPKDnQ

SOC-CMM model

soc-cmm whitepaper page 2

[Figure: SOC-CMM model diagram. Labels recovered from the slide: Technology: SIEM, Security analytics, IDPS, SOAR. Services: Security monitoring, Security analysis, Threat hunting, Log mgmt, Incident mgmt, Vuln mgmt, Forensic analysis, Malware analysis, Threat intelligence. IT infra: End-points, Servers, Applications, Databases, Network components, Security components. Flows between them: info, incidents, investigations, other sources, indication of compromise, threat context, scans.]

Vulnerability management


Vulnerability management

Identifying scan targets

Asset inventory provides the starting point for vulnerability scanning

Scope

Determine scan frequency (continuous monitoring is an option); the frequency is influenced by:

Regulatory and corporate requirements.

Risk appetite (the organization's willingness to tolerate risk within its environment).

Technical constraints

Business constraints

Licensing issues may limit the ability to run scans

Consider the vulnerability management workflow.


Quiz


You are performing a port scan of a critical server system. You observed the behavior shown in the network management software suite. What action should you take first?

A. Increase the number of concurrent scans.

B. Decrease the number of ports scanned.

C. Decrease the number of concurrent scans.

D. Increase the number of ports scanned.

Vulnerability management

Scan perspective

Network location affects scan results

Firewall settings, IDS/IPS rules and network segmentation all impact scan results


Vulnerability scanning methods 1/2

Agent-based scanning

‘Agents’ are a software package deployed to each device that needs to be tested;

The agent passes this data back to collection servers;

Agentless Scanning

No installation on devices; reaches out from the server to the assets; a highly lightweight method.


https://blog.beyondsecurity.com/agent-based-vs-agent-less-scanning/

Agent-Based Scanning

Agent-based scanning is suitable for organizations with a geographically diverse workforce, particularly if the organization includes remote workers. This is the more traditional type of vulnerability scanner.

‘Agents’ are a software package deployed to each device that needs to be tested. Once installed, the agent collects data that indicates whether the device may have security issues. The agent passes this data back to collection servers and information gathered across the entire infrastructure is then consolidated into a ‘single pane of glass’ interface for analysis. This simplifies the administration and analysis process for the security team and helps address adherence to regulatory data protection compliance requirements.

Agentless Scanning

Agentless scanning does not require agents to be installed on each device and instead reaches out from the server to the assets. While the data collected is similar to an agent-based approach, it eliminates installing and managing additional software on all devices. In this respect, this approach is a highly lightweight method to scan for security vulnerabilities. 

Vulnerability scanning methods 2/2

Active scanning

Probes systems for issues

Can be detected by the target, may accidentally exploit vulnerabilities, and may miss some vulnerabilities because of firewall settings, network segmentation or IDS/IPS deployments.

Passive scanning

Observe network traffic

Passive footprinting: relies on logs and other existing data.
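As an added example (not part of the lecture, and not any product's code), the following script shows what passive footprinting looks like in practice: it builds an asset inventory purely from records that already exist, here a handful of constructed NetFlow-style flow records, without sending a packet. The inventory it produces is also the kind of starting point the earlier slide asks for when identifying scan targets. The record layout and addresses are assumptions.

```python
"""Passive asset footprinting from existing flow/log records.

Added example: builds a per-host profile from records that already exist,
without generating any network traffic, which is the passive approach the
slide describes.
"""
from dataclasses import dataclass, field

# Constructed sample records: (timestamp, src_ip, dst_ip, dst_port, proto, bytes).
# Field layout is an assumption modelled loosely on NetFlow-style exports.
FLOW_RECORDS = [
    ("2024-03-01T08:00:01", "10.0.1.25", "10.0.2.10", 443, "tcp", 5120),
    ("2024-03-01T08:00:05", "10.0.1.26", "10.0.2.10", 443, "tcp", 2048),
    ("2024-03-01T08:01:10", "10.0.1.25", "10.0.2.11", 3306, "tcp", 900),
    ("2024-03-01T08:02:00", "10.0.2.10", "10.0.2.11", 3306, "tcp", 7000),
    ("2024-03-01T08:03:30", "10.0.1.26", "10.0.2.12", 53, "udp", 120),
    ("2024-03-01T09:15:00", "10.0.1.25", "10.0.2.10", 443, "tcp", 6100),
]


@dataclass
class AssetProfile:
    ip: str
    first_seen: str
    last_seen: str
    listening_ports: set = field(default_factory=set)  # ports this host was contacted on
    peers: set = field(default_factory=set)            # hosts it exchanged traffic with
    flows: int = 0


def build_inventory(records):
    """Fold flow records into one profile per IP address seen on either side."""
    profiles = {}

    def touch(ip, ts):
        p = profiles.get(ip)
        if p is None:
            p = profiles[ip] = AssetProfile(ip=ip, first_seen=ts, last_seen=ts)
        # ISO-8601 timestamps sort chronologically as strings.
        p.first_seen = min(p.first_seen, ts)
        p.last_seen = max(p.last_seen, ts)
        p.flows += 1
        return p

    for ts, src, dst, dport, proto, _ in records:
        s = touch(src, ts)
        d = touch(dst, ts)
        d.listening_ports.add(f"{dport}/{proto}")  # dst side is the one offering a service
        s.peers.add(dst)
        d.peers.add(src)
    return profiles


def scan_candidates(profiles):
    """Hosts observed offering a service: the natural scope for a later active scan."""
    return sorted(ip for ip, p in profiles.items() if p.listening_ports)


if __name__ == "__main__":
    inventory = build_inventory(FLOW_RECORDS)
    for ip in scan_candidates(inventory):
        p = inventory[ip]
        print(ip, sorted(p.listening_ports), "last seen", p.last_seen)
```

The limitation the slide hints at is visible in the output: a host that never sends or receives traffic during the observation window (a listen-only device, for example) never appears in the inventory at all, which is why the passive inventory is complemented by occasional active scans.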


https://www.infosecurity-magazine.com/opinions/active-passive-scanning/

What is active scanning?

Active scanning of an environment, whether IT or OT, is one of the most important measures in cybersecurity. It is especially important to get an overview of the ongoing processes and to check the "health" of online systems. Important information can often only be found out through active requests and cannot be found in normal data traffic or in data automatically sent by the system.

Active scanning works by sending test traffic into the network and querying individual endpoints. Active monitoring can be very effective in collecting basic profile information such as device name, IP address, NetFlow or Syslog data, as well as more detailed configuration information such as make and model, firmware versions, installed software/versions and operating system patch levels.

By sending packets directly to endpoints, active scanning can accelerate data collection. However, this increases the risk of malfunctioning endpoints by sending incompatible queries or saturating smaller networks with high volumes of traffic. Furthermore, active scanning does not normally monitor the network 24 hours a day, so it may not detect temporary endpoints or listen-only devices.

Disadvantages of active scanning arise more often when applied to OT environments. These systems, especially the control software, are often not prepared to perform their tasks while receiving and returning traffic. The danger is that the controllers become overloaded with signals and no longer know what their actual task is.

Many of these systems are proprietary and therefore react more sensitively to external influences. For this reason, passive scans are more likely to be the go-to scanning method performed in OT environments.

What is passive scanning?

A passive scan silently analyses network traffic to identify endpoints and traffic patterns. It does not generate additional network traffic and carries almost no risk of disrupting critical processes by interacting directly with the endpoints.

However, passive monitoring may require more time to collect asset data because it must wait for network traffic to or from each asset to generate a complete profile. In some cases, not all areas of the network are available, which can limit the ability to passively monitor traffic across the entire OT environment.

Nevertheless, active scans should be performed from time to time. Certain preparations must be made, however, to avoid failures or even physical damage to ICSs. Such scans are best performed when the machinery and production lines are at a standstill. This is because even if only latency periods occur, there is no guarantee that other problems will not.

Solutions for detecting and monitoring OT environments now combine both active and passive scanning technologies. They allow OT teams to achieve greater transparency in their ICS environments. They enable them to use the right approach for each subsystem.

The solutions must also ensure that the risk of interruption is reduced to zero if possible. One example of such a risk is an endpoint malfunction caused by passive monitoring of the network. However, a countermeasure to this and other similar issues is that passive scanning has the ability to limit the number of simultaneous queries to avoid overloading lower bandwidth OT networks.

Scanner maintenance

Scan engine updates

Software updates – to the scanner itself

Plug-in updates

Vulnerability feeds updates


Software updates: Fix bugs and add new features

Feeds: Provide the scanner the information about current vulnerabilities

Prioritizing remediation

Impact: what is the highest data classification handled by the system?

Likelihood: what is the network exposure? What services are exposed?

Criticality: what impact does the system have on business operations?

Setting priorities

System criticality

Information sensitivity

Vulnerability severity

Remediation difficulty

Vulnerability exposure


Remediation workflow

Use IT incident management tool for remediation workflow whenever possible

Automation opportunities

Open new tickets when vulnerabilities arise

Prioritize vulnerabilities automatically

Assign remediation to the correct team

Perform remediation validation

Close resolved tickets
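The two slides above describe a scoring model (criticality, sensitivity, severity, exposure, remediation difficulty) and a five-step automation loop. As an added example, not the lecture's code and not the API of any ticketing product, the script below runs both over constructed scan results: it scores each finding, opens a ticket routed to the owning team, and on the next scan cycle closes tickets whose finding is no longer reported. The asset inventory, the weighting formula, the check identifiers and the in-memory ticket store are all assumptions standing in for an IT incident management tool.

```python
"""Vulnerability prioritisation and remediation-ticket automation.

Added example: scores findings with the factors listed on the slides, then
walks the automation steps (open, prioritise, assign, validate, close).
The in-memory ticket store stands in for an IT incident management tool.
"""
from dataclasses import dataclass

# Constructed asset inventory: criticality and data sensitivity on a 1-5 scale,
# whether the host is Internet-exposed, and the team that owns it.
ASSETS = {
    "web01": {"criticality": 5, "sensitivity": 3, "exposed": True, "team": "web-ops"},
    "db01": {"criticality": 5, "sensitivity": 5, "exposed": False, "team": "dba"},
    "ws042": {"criticality": 1, "sensitivity": 2, "exposed": False, "team": "desktop"},
}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str  # scanner check identifier (constructed values below)
    severity: int   # 1 (low) .. 5 (critical), as in the quiz slides
    difficulty: int  # 1 easy .. 5 hard to remediate


def priority_score(f: Finding) -> float:
    """Likelihood x impact, slightly discounted for hard fixes (weights are assumptions)."""
    a = ASSETS[f.host]
    likelihood = f.severity * (1.5 if a["exposed"] else 1.0)  # exposure raises likelihood
    impact = max(a["criticality"], a["sensitivity"])          # worst of the two dimensions
    # Harder fixes are not ignored, only nudged down so quick wins surface first.
    return round(likelihood * impact / (1 + 0.1 * (f.difficulty - 1)), 2)


@dataclass
class Ticket:
    finding: Finding
    priority: float
    team: str
    status: str = "open"


class RemediationQueue:
    def __init__(self):
        self.tickets = {}  # (host, plugin_id) -> Ticket

    def ingest_scan(self, findings):
        """One scan cycle: open tickets for new findings, close those no longer seen."""
        seen = {(f.host, f.plugin_id) for f in findings}
        for f in findings:
            key = (f.host, f.plugin_id)
            if key not in self.tickets:  # step 1: open a ticket when a vulnerability arises
                self.tickets[key] = Ticket(
                    finding=f,
                    priority=priority_score(f),    # step 2: prioritise automatically
                    team=ASSETS[f.host]["team"],   # step 3: assign to the owning team
                )
        for key, t in self.tickets.items():
            # steps 4-5: a finding absent from the rescan is validated as fixed and closed
            if t.status == "open" and key not in seen:
                t.status = "closed"

    def open_by_priority(self):
        return sorted((t for t in self.tickets.values() if t.status == "open"),
                      key=lambda t: t.priority, reverse=True)


# Constructed scan output for two consecutive cycles; web01 is patched in between.
SCAN_1 = [
    Finding("ws042", "P-1001", severity=5, difficulty=1),
    Finding("db01", "P-2002", severity=1, difficulty=2),
    Finding("web01", "P-3003", severity=5, difficulty=3),
]
SCAN_2 = [f for f in SCAN_1 if f.plugin_id != "P-3003"]

if __name__ == "__main__":
    q = RemediationQueue()
    q.ingest_scan(SCAN_1)
    for t in q.open_by_priority():
        print(t.priority, t.finding.host, t.finding.plugin_id, "->", t.team)
    q.ingest_scan(SCAN_2)
    print("open after rescan:", [t.finding.host for t in q.open_by_priority()])
```

Closing a ticket only because the scanner stopped reporting the finding is the weakest form of validation; a scanner with a stale plug-in, or a host that was simply offline during the rescan, produces the same silence, so production workflows usually require the asset to have been reached before a ticket auto-closes.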


OpenVAS


Quiz 1


Which one of the following vulnerabilities would you give the highest priority:

A. Severity 5 vulnerability in the workstation

B. Severity 1 vulnerability in the file server

C. Severity 5 vulnerability in the web server

D. Severity 1 vulnerability in the mail server

Quiz 2


Which vulnerability should be highest priority to fix, assuming all three fixes are of equal difficulty?

Vulnerability 1: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Vulnerability 2: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Vulnerability 3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Quiz 3


Which protocols would an attacker use to exploit this vulnerability?

Which actions could be taken to remediate the underlying issue without disrupting business activity?

If an attacker is able to exploit this vulnerability, what is the probable result that will have the highest impact on the organization?

Quiz 4


What operating system is most likely running on the server in this vulnerability scan report?

Which service should he inspect to identify the issue?

Which protocols/versions would you suggest to resolve the issue?

Quiz 5


What priority should be placed on remediating this vulnerability?

What operating system is most likely running on the server in this vulnerability scan report?

What would you suggest to resolve the issue?

SIEM


SIEM


Security Information and Event Management (SIEM) systems provide real-time reporting and long-term analysis of security events.

SIEM includes the following essential functions:

Forensic analysis – The ability to search logs and event records from sources throughout the organization. It provides more complete information for forensic analysis.

Correlation – Examines logs and events from different systems or applications, speeding detection of and reaction to security threats.

Aggregation - Aggregation reduces the volume of event data by consolidating duplicate event records.

Reporting - Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.


Ten Strategies of a World-Class Cybersecurity Operations Center – page 155

Magic Quadrant for SIEM 2020


https://www.gartner.com/doc/reprints?id=1-1YEDHXVD&ct=200219&st=sb

SOAR

Security Orchestration, Automation, and Response (SOAR) platforms enhance SIEM capabilities

Workflow orchestration

Automating threat intelligence

Example use cases: Phishing, malware

Automating incident response



Quiz

Which device integrates security information and event management into a single platform?

Which device integrates orchestration tools and resources to automatically respond to security events?

SIEM

SOAR

Threat Hunter

Firewall

Vulnerability scanner

Sandboxing


Sandboxing is a technique that allows suspicious files to be analyzed and run in a safe environment (based on behavior rather than signatures)

Cuckoo Sandbox, for example, is a free malware analysis sandbox. It can be run locally, and malware samples can be submitted to it for analysis.

Honeypot and DNS sinkholes


Honeypots are systems intentionally created to appear vulnerable because of the services they run, the vulnerabilities they contain, or the sensitive information they appear to host.

DNS sinkholes provide false information to malicious software, redirecting queries to prevent malware from contacting command-and-control systems
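The sinkhole idea is easiest to see at the wire level. As an added example (not the lecture's code and not any sinkhole product), the script below parses a DNS query in RFC 1035 wire format, and if the queried name is on a blocklist it answers with a sinkhole address and records which client asked, which is the detection value of a sinkhole for the SOC: the log of sinkholed lookups is a list of hosts that tried to reach a known-bad name. Names that are not blocked get no answer from this code and are left for normal resolution. The blocklist entries and the sinkhole address (a documentation-only address) are constructed.

```python
"""Minimal DNS sinkhole responder (RFC 1035 wire format).

Added example: answers queries for blocklisted names with a sinkhole address
and logs the requesting client; other queries are left to normal resolution.
"""
import struct

BLOCKLIST = {"c2.example.net", "update.example.org"}  # constructed, not real names
SINKHOLE_IP = "192.0.2.1"                               # TEST-NET-1 documentation address


def encode_name(name: str) -> bytes:
    """'a.b.c' -> length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name); follows compression pointers (0xC0..)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = ptr, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query with one question (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes) -> dict:
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "name": name.lower(), "qtype": qtype,
            "qclass": qclass, "question_end": off + 4}


def sinkhole_response(query: bytes, client: str, log: list):
    """Return a response if the name is blocked, else None (caller forwards upstream)."""
    q = parse_query(query)
    if q["name"] not in BLOCKLIST or q["qtype"] != 1:
        return None
    log.append({"client": client, "name": q["name"]})  # who tried to reach the bad name
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    question = query[12:q["question_end"]]
    answer = (struct.pack("!H", 0xC00C)              # compression pointer to the name at 12
              + struct.pack("!HHIH", 1, 1, 60, 4)    # TYPE A, CLASS IN, TTL 60, RDLENGTH 4
              + bytes(int(o) for o in SINKHOLE_IP.split(".")))
    return header + question + answer


def parse_answer_a(resp: bytes) -> str:
    """Extract the first A record's address from a one-answer response."""
    _, off = decode_name(resp, 12)
    off += 4                             # skip QTYPE/QCLASS of the question
    _, off = decode_name(resp, off)      # answer owner name (compressed)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    seen = []
    resp = sinkhole_response(build_query("c2.example.net"), "10.0.1.25", seen)
    print(parse_answer_a(resp), seen)
```

In a real deployment the sinkhole address points at a host the SOC controls, so connection attempts that follow the sinkholed lookup are also captured; the DNS log alone already tells an analyst which internal host to investigate.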

Discussion


Where would be the best location for a honeypot and sandbox?

1 – 2: Sandbox

4: Honeypot (location 4 has no symbols)