soc
Monitoring of entire networks from the perspective of information security. That is, the emphasis is placed on:
SIEM
An automated system that monitors and collects security alerts and events relevant to security, from the entire network.
According to predetermined settings, the information is collected, concentrated and sent to the SOC engineer. The logs are saved in the system's database, and the system alerts in real time on occurrences that require immediate attention.
It actually does half the of the work for the SOC engineer, as all relevant material is collected and served to the engineer. The role of the SOC engineer is to know how to analyze the information properly, and react accordingly.
And in short, a system that looks for and collects "fishy" events on a particular network.
An example of a suspicious event: usage of the "Mimi Katz" program on the internal network is very fishy.
The work in a SOC (Security Operations Center) mainly consists of scanning logs and reading alerts. The enginneer needs to know how to search for logged events (as well as how to search for other related information) , and know what he/she needs to search for.
The record structure.
The log entries are arranged according to timestamps and each entry has a date and an exact timestamp of when it had occured.
In addition, the record will include the IP addresses involved in the event, the remote address and the address of the device within the network, the ports involved (local and remote), and whether the connection between the IP addresses is incoming or outgoing (that is, whether the local device is receiving or sending packets).
Suspicious activities on the local network:
Ways of dealing with and managing events in real time:
The most effective way - disconnecting the network cable/turning off the router physically, or turning off the network adapter through the computer's settings.
No communication => no threat. But this is considered OVERKILL and a particularly extreme action that will only be carried out in extreme cases when there is no other choice. Companies need their servers, and any time their servers are offline they lose money.
Another method - closing all of the ports (both necessary and unnecessary) on the firewall. As well as closing all unnecessary and necessary network available services.
Yet another, more granular solution is closing all of the suspicious ports/services specifically on the firewall but leaving the rest of them open and available.. By suspicious I mean potentially utilized as an attack vector.
Important signs and commands in the SOC field.
In the SOC field it is important to know how to look for signs of suspicious events, as a backup or as an additional measure to the SIEM system. The engineer can thus confirm the suspicions that had arisen as a result of the SIEM monitoring, or alternatively, check manually as an alternative to an improperly configured/temporarily non-functioning SIEM. The engineer can connect to the relevant computer/network component via SSH and look for signs of a security problem.
1. Checking the startup folder which contains files and programs that are configured to automatically run when the computer starts. (A hacker can plant files there in order to gain permanent access to the system.)
In order to get to the startup folder, press the winkey+r key -> in the new window that will open (the Windows run window), type "msconfig" without quotes, and press enter. -> The msconfig settings window will open-> click on the "boot"\startup tab.-> Located here are all of the files that are configured to run when the computer is restarted. Check that all of the files are legitimate, and if not deactivate them. (By marking the file and selecting the "Disable" option).
2. Checking in the task scheduler regarding triggers entered to activate suspicious files. Again, here too, a hacker can insert triggers in order to achieve automatic activation of files/viruses and thus achieve persistence on the system.
In order to get to the event scheduler, press winkey+r-> in the window that opens, type taskschd.msc and press enter -> here all the triggers appear (events defined as those in response to which a file will be activated), and the files they are configured to activate. -> Search for files that should not run on the computer, and set the activated event as "inactive".
3. Searching for registry values in folders that are designed to hold keys of values that are activated at the computer's startup. These values are links to different files, and if the hacker creates a key with a value that links to the virus he had planted, he will be able to gain access to the system.
In order to check the values in the registry: press the winkey+r-> in the dialog box that opens, type regedit -> the registry will open -> check all of the links to files found in the key values in the relevant hives.
* There are four registry hives (registry folders) that are designed to contain key values with links to files to be activated when the computer boots/starts up:
HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENT_VERSION/RUN
HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENT_VERSION/RUN_ONCE
HK_LOCAL_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN
HK_LOCAL_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN_ONCE
Important commands - for verifying threats or strengthening suspicions.
Netstat -nbt | find “ESTABLISHED” - Displays a detailed list of all active network connections including their respective ports
On the left will be the local IP (that is, the local device's IP address, and the local port, and to the right will be the remote IP address and the remote port. The "-nbt" flag shows the user which software/service the connection is using, and filters the output to only actively ongoing connections. The command without the pipe character ("|") and the second half of the command (that is just typing "netstat -nbt" without the pipe) produces more output which is non-specific to active connections (it's actually the same command without filtering for active connections only).
If there is an unexplained connection, you can take the remote IP address and perform the 'nslookup' command on it at the command prompt:
nslookup <ip address> - and it will find information about the IP address, if such information is available (although in most cases an attacker will use a proxy anyway).
Another way to gather information about the suspicious IP address: go to Google -> type in the search field: 'whois <suspicious ip address>' and search the whois databases that will be found.
Net users - This command will display a list of all local user accounts on the computer. If an illegitimate account was added, it will appear in the list that will be returned in response to this command...
UNLESS a dollar sign was appended to the end of the username of the illegitimate account. In that case the illegitimate user account will be hidden from the Command Prompt.
In order to find the details of such a local account you can: press winkey+r -> the Windows startup window will appear -> type netplwiz in it (this command will show all user accounts (including those hidden by an appended dollar sign, or even by a special value that the attacker added to a particular registry key. There is no way to hide a user account from this method).
Appendix - how to add firewall rules and close ports.
Every computer has a different firewall, Linux operating systems utilize iptables, in Windows the default is the Windows firewall (comes with the defender).
To get to the firewall settings:
A.
B.
This is the new window that will open.
Here you can add new rules to the firewall.
Here you must select the "new rule" option in the toolbar to the right.
A. Does the rule refer to a program, a port, a unique connection to the Windows OS, or one that will be defined by the user.
B. the source/destination port itself (depending on whether you are defining a rule which applies to incoming or to outgoing traffic), or the program depending on the previous option selected.
C. The action that the rule dictates - prohibition, secure enabling, or complete enabling of traffic through the port.
D. the Windows network profile for which the rule will be valid (private or public - of the domain).
E. Its name, so that the user can easily recall his action, according to how it appears in the list.
And.. now we have a shiny new rule.
It is important to note that if there are two (or more) conflicting rules on the list, the uppermost one will take precedence over the others (ie the one added last). You can change the order of the items in the list (move the top ones to lower places, etc.).