CHAPTER-10: INCIDENT RESPONSE
Shahab Al Yamin Chawdhury
Cybersecurity Consultant | Enterprise Architect | Mentor by Life
Your knowledge mapping is the first milestone a SOC can have who can describe clearly, what’s happened, how things got compromised and what action has been taken for future? Remember, SOC forms with you, not WITHOUT you. You are Important! with your mindset, knowledge, disciplined and PASSIONATE.
There are different frameworks and methodologies available in the web for incident response, but they generally share some common steps:
Incident Response Roles
Source: Computer incident response team roles and responsibilities ( rolesresponsibility.netlify.app )
Generic Incident Response Playbook
Download the freely provided and a useful template from CM-Alliance: Cybersecurity Incident Response Plan Template and Example UK - Cyber Management Alliance ( cm-alliance.com )
Prioritizing Log Sources
There are several factors to consider when it comes to prioritizing log sources for a Security Information and Event Management (SIEM) system.?One approach is to focus on logs coming from security devices such as firewalls, IDS, content filtering and proxy servers, identity management systems, proxies, VPN concentrators, end-point detection and response systems, etc. Another approach is to evaluate the relevance of each log source to your organization’s security goals. Focus on log sources that provide information about potential threats or vulnerabilities that align with your security goals.?Consider legal and compliance requirements specific to your industry. For organizations with compliance requirements, compliance frameworks offer a good starting point.?It is also important to consider the potential impact and severity of each log source.?By prioritizing log sources based on their relevance and potential impact, organizations can allocate resources effectively and focus on the most important security risks.
Windows Event Logs Artifact The artifact contains Event Logs in Windows operating systems. The details you can view include:
1.?????? Level?- Event log level/type. This can be information, warning, error, success/failure audit.
2.?????? Channel?- Event log channel or category. Security, Application, System etc.
3.?????? Computer?- Local system name.
4.?????? Event ID?- Event identification number. By filtering according to ID we can get the important events.
5.?????? Keywords?- They are used to group the event with other similar events based on the usage of the events.
6.?????? Opcode?- The activity or a point within an activity that the application was performing when it raised the event.
7.?????? Provider GUID?- The unique GUID for the provider. It is useful when performing research or operations on a specific provider.
8.?????? Provider Name?- Name of event provider.
9.?????? Security User ID?- It is used to uniquely identify a security principal or security group.
10.?? Task?- Identifies the type of recorded event log. Application developers can define custom task categories for providing additional details.
11.?? Event Record Order?- Order of the event in the main event category.
12.?? Located At?- File offset location of the specific event.
13.?? Event Record ID?- Event record identification number in the main category.
14.?? XML?- XML view of the event,
15.?? Record Length?- Length of the event.
Windows Reports – What to look for?
As a security-conscious administrator, you want to keep an eye on a number of events such as:
1.?????? Successful or failed login attempts to the Windows network, domain controller or member servers.
2.?????? Successful or failed attempts of remote desktop sessions.
3.?????? Password lockouts after repeated login attempts.
4.?????? Successful or failed login attempts outside business hours.
5.?????? Adding, deleting, or modifying local or domain user accounts or groups.
6.?????? Adding users to privileged local or active directory groups.
7.?????? Clearing event logs in domain controllers or member servers.
8.?????? Changing local audit policies and group policies.
9.?????? Changing or disabling Windows firewall or firewall rules.
10.?? Adding new services, stopping or deleting existing services.
11.?? Changing registry settings.
12.?? Changing critical files or directories.
Common Windows Log Events Used in Security Investigations
Here are a few common event codes on Windows 7/Vista/8/10 and Windows Server 2008/2012R2/2016/2019 (previous versions of Windows have different codes), commonly used in security investigations:
Pls check the original pdf of the book for the full ist
Furthermore, the following table contents also will be helpful for SOC feed for Network Traffic Analysis:
Pls check the original pdf of the book for the full ist
Windows Events: Valuable, but Expensive?
These are Windows event codes that can be prohibitively expensive to log, as they can generate hundreds of events in a short period of time. However they provide a great level of insight into an environment, so if disk space – or log ingestion into a SIEM?– allows for these to be collected, I encourage them to be logged.??
Pls check the original pdf of the book for the full ist
Registry Keys to Monitor?
Below are some very solid registry keys to monitor, all of which cover the persistence methods discussed above. Rather than log all registry changes, instead focus on these locations to best detect suspicious registry behavior. Credit goes to?MITRE?ATT&CK for these paths below?–?https://attack.mitre.org/techniques/T1547/001/ ?
Run at startup keys:?
Startup folder items:??
Automatic service startups:?
Policy-driven startup programs:?
User Logon Program Launch – within “load” value:?
Autocheck?launch – within?BootExecute?value?
Which Are The Most Critical Linux Logs to Monitor?
Using Linux Event Logs for Security
The Linux operating system stores a timeline of events related to the server, kernel, and running applications. The main log categories are:
领英推荐
There are several ways to view logs in Linux:
Following are commonly used Linux log files:
Common Log Sources for Cloud Services
Determine the Best Log Data Sources
Below picture lists some common data sources in a suggested order of priority, starting with identity and access management (IAM) logs and primary security controls, and then the other categories as your program matures:
Logs to Avoid
There are also categories of data you should not consider logging, such as:
Best Practices for MacOS Logging & Monitoring
Organizations can pull the right logs to manage MacOS platforms in a variety of ways, including using endpoint detection and response (EDR) tools, integrating within Active Directory (AD) or leveraging a Mac management platform like Jamf. From there, it’s a matter of specifying the logs you want and sending them to your SIEM. This piece details the options and shows you how to build an optimal MacOS logging and monitoring capability.
Challenges of MacOS Logging
Local system logging in the MacOS world is a challenging endeavor due to a variety of reasons.
First, Microsoft is still the center of the enterprise computing landscape, and most organizations either don’t allow Macs or turn a blind eye to their use.
Second, Apple has typically been consumer-focused, so in cases like this, its solutions don’t quite fit the needs of the enterprise. That said, MacOS is an excellent operating system, and getting what you need is usually possible.
Choosing a MacOS Logging Method
A few years back, Apple rewrote the entire logging engine on its MacOS platform and retitled it unified logging. Unified logging normalizes the log engines across Apple’s iOS and MacOS platforms. This caused changes to every aspect of logging, including creating logs, storing logs and using logs.
One key change is that Mac converted all its log storage to a format called .tracev3, which is a compressed binary format. This means you must use native tools to get the logs back out. Also, you can’t write simple scripts to just copy certain log files off the underlying Unix file system.
There are a few different approaches to consider when trying to figure out how to get the appropriate logs to monitor:
EDR: The first, and perhaps easiest approach is to look at the capabilities of your EDR?tools. Tools such as CylanceOPTICS and CrowdStrike have extensive cross-platform telemetry monitoring and logging capabilities that may be able to get most of this data quite easily. Those systems will often already be integrated with your SIEM?solutions, easing the implementation burden.
AD: Another option is to explore integrating your Mac population into AD, so you can log any network logon events by default through the standard AD integration.
Mac management platforms: These provide another option for gathering and shipping log data from your fleet of systems. Jamf (aka Casper) is the de facto standard here, and it includes features similar to Microsoft System Center Configuration Manager (SCCM).
Jamf offers an enterprise log management framework for shipping logs to your SIEM. You must define specific predicates (i.e., queries) to filter down the stream of events to ship. (Beware shipping all events, because there is an extraordinary amount of logs with no apparent value.)
Choose What to Monitor in MacOS
Once you’ve got a solution to actually get the logs out, try to identify the specific logs you care about seeing. Consider a dedicated work effort with your Mac management team to pinpoint exactly the logs to search for.
Specific logs can be loosely attributed to a few different key items (see Table 1).
Identifying the logs you want to track can be done with a log viewer like Consolation 3 (shown in Figure 1). Use its user interface (UI) to define search criteria and review and tune the results. Then, take the “predicate” generated at the bottom and use that in your log shipping solution to pluck those logs from the log stream and send them to your logging solution.
Logging Solution for MacOS
There is no dedicated, one-size-fits-all logging solution for MacOS that directly correlates to traditional Windows logging. To get a workable solution in place:
Be systematic: Apple has highly verbose logs, but they can be culled down through a dedicated process.
Realize you can’t set it and forget it: Apple’s logging standards should be considered subject to change as they don't typically have the longevity of Windows logs. Expect logging standard to change and also anticipate maintenance with each OS upgrade.
Common Ports Monitored by The SOC Analysts
Pls check the original pdf of the book for the full ist
Common Tools Used by SOC
Security Operations Centers (SOCs) use a variety of tools to monitor, detect, and respond to security incidents. Here are some of the common tools used by SOCs:
Most used tools:
·???????? A-poc/RedTeam-Tools: Tools and Techniques for Red Team / Penetration Testing ( github.com )
·???????? A-poc/BlueTeam-Tools: Tools and Techniques for Blue Team / Incident Response ( github.com )
·???????? bigb0sss/RedTeam-OffensiveSecurity: Tools & Interesting Things for RedTeam Ops ( github.com )
Best Linux Distros for Cybersecurity
Each distribution of the Linux operating software was developed by individuals or by a community who want to custom tailor it to what they feel is the best version for cybersecurity purposes. Each one will have different advantages and shortcomings. If you are unsure about which Linux distribution will best suit you, the best detail is that you can try them all out without a penalty since they are all open-source and will not cost you a dime. However, if reviews are any indication, Kali Linux appears to be the top contender. Choose the one that aligns best with your needs and expertise!
?_____________________________________________________________________________________________________
?? FREE eBook - 476 Pages
?? Complete Guide to Cyber Security Operation Center??
I’ve recently completed a book on SOC, a project close to my heart, that delves into the exciting realm of Security Automation, Orchestration, and Hyper-automation platforms in the SOC. If you’ve ever found yourself overwhelmed by the multitude of cybersecurity solutions, this post is designed to be your personal guide on developing a fully functional SOC.
This eBook comes with plenty of examples and illustrations to help you understand complex concepts, data collection requirements to incident response, automations, playbooks, integrations requirements under the scope of IT, IS and Cybersecurity.
A big shout out to Brad Voris for his review of the book, his insights made this book even richer.
Knowledge Areas Covered
? Enterprise architecture strategy to better formulate your SOC.
? Visibility & data ingress requirements for your SOC
? SOC functions, KPI’s, processes, frameworks, and automation requirements
? Derive your Analyst-JD aligned to international frameworks
? SOC organogram with Red, Blue, Purple team’s maturity, tactics, functions, activities
? SIEM & SOAR architecture design guidelines to achieve more from these integrations.
? Detection engineering with OSINT, CTEM.
? Incident response with CSIRT, DFIR.
? Tabletop exercises explained and operationalized
? Artificial Intelligence & Data Science in SOC
? How to develop your Open-source based SOC, full hardware BoQ, Network Design is provided
? Bonus Chapters: IT Project Management, VA/PT Plan, ITIL Strategy Frameworks, Jurisdiction Assignment Matrix etc.
?? Download the eBook
?? Download this eBook (pdf): https://lnkd.in/gTRnhmPp
?? 1500+ curated list of VA/PT tools as job aids.
?? 200+ References to support your SOC operations even further.
?? Download all the available documents from here: https://lnkd.in/eNNUm9XW
?? Download Job Aids: https://lnkd.in/gCKq6R-D
If you find it useful and informative, please share/repost the book with your network.