Monitoring of entire networks from the perspective of information security. That is, the emphasis is placed on:

• Identifying potential attacks and suspicious actions
  
• Identifying manifestations of security weaknesses
  
• Identifying the sources of all of these, and treating them accordingly.
  

SIEM

An automated system that monitors and collects security alerts and events relevant to security, from the entire network.

According to predetermined settings, the information is collected, concentrated and sent to the SOC engineer. The logs are saved in the system's database, and the system alerts in real time on occurrences that require immediate attention.

It actually does half the of the work for the SOC engineer, as all relevant material is collected and served to the engineer. The role of the SOC engineer is to know how to analyze the information properly, and react accordingly.

And in short, a system that looks for and collects "fishy" events on a particular network.

An example of a suspicious event: usage of the "Mimi Katz" program on the internal network is very fishy.

The work in a SOC (Security Operations Center) mainly consists of scanning logs and reading alerts. The enginneer needs to know how to search for logged events (as well as how to search for other related information) , and know what he/she needs to search for.

The record structure.

The log entries are arranged according to timestamps and each entry has a date and an exact timestamp of when it had occured.

In addition, the record will include the IP addresses involved in the event, the remote address and the address of the device within the network, the ports involved (local and remote), and whether the connection between the IP addresses is incoming or outgoing (that is, whether the local device is receiving or sending packets).

Suspicious activities on the local network:

• Creating new user accounts, or editing existing ones.
• Messing with registry entries.
• Connections to suspicious external parties, or ip addresses that there is no clear justification for communicating with (for example, an IP that is not known to belong to a customer, or communication with an IP address from a foreign country for no apparent reason).
• Attempts to turn off/mess with the firewall and/or antivirus. (eg. trying to turn them off via Powershell).

Ways of dealing with and managing events in real time:

The most effective way - disconnecting the network cable/turning off the router physically, or turning off the network adapter through the computer's settings.

No communication => no threat. But this is considered OVERKILL and a particularly extreme action that will only be carried out in extreme cases when there is no other choice. Companies need their servers, and any time their servers are offline they lose money.

Another method - closing all of the ports (both necessary and unnecessary) on the firewall. As well as closing all unnecessary and necessary network available services.

Yet another, more granular solution is closing all of the suspicious ports/services specifically on the firewall but leaving the rest of them open and available.. By suspicious I mean potentially utilized as an attack vector.

Important signs and commands in the SOC field.

In the SOC field it is important to know how to look for signs of suspicious events, as a backup or as an additional measure to the SIEM system. The engineer can thus confirm the suspicions that had arisen as a result of the SIEM monitoring, or alternatively, check manually as an alternative to an improperly configured/temporarily non-functioning SIEM. The engineer can connect to the relevant computer/network component via SSH and look for signs of a security problem.

1. Checking the startup folder which contains files and programs that are configured to automatically run when the computer starts. (A hacker can plant files there in order to gain permanent access to the system.)

In order to get to the startup folder, press the winkey+r key -> in the new window that will open (the Windows run window), type "msconfig" without quotes, and press enter. -> The msconfig settings window will open-> click on the "boot"\startup tab.-> Located here are all of the files that are configured to run when the computer is restarted. Check that all of the files are legitimate, and if not deactivate them. (By marking the file and selecting the "Disable" option).

2. Checking in the task scheduler regarding triggers entered to activate suspicious files. Again, here too, a hacker can insert triggers in order to achieve automatic activation of files/viruses and thus achieve persistence on the system.

In order to get to the event scheduler, press winkey+r-> in the window that opens, type taskschd.msc and press enter -> here all the triggers appear (events defined as those in response to which a file will be activated), and the files they are configured to activate. -> Search for files that should not run on the computer, and set the activated event as "inactive".

3. Searching for registry values in folders that are designed to hold keys of values that are activated at the computer's startup. These values are links to different files, and if the hacker creates a key with a value that links to the virus he had planted, he will be able to gain access to the system.

In order to check the values in the registry: press the winkey+r-> in the dialog box that opens, type regedit -> the registry will open -> check all of the links to files found in the key values in the relevant hives.

* There are four registry hives (registry folders) that are designed to contain key values with links to files to be activated when the computer boots/starts up:

HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENT_VERSION/RUN

HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENT_VERSION/RUN_ONCE

HK_LOCAL_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN

HK_LOCAL_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN_ONCE

Important commands - for verifying threats or strengthening suspicions.

Netstat -nbt | find “ESTABLISHED” - Displays a detailed list of all active network connections including their respective ports

On the left will be the local IP (that is, the local device's IP address, and the local port, and to the right will be the remote IP address and the remote port. The "-nbt" flag shows the user which software/service the connection is using, and filters the output to only actively ongoing connections. The command without the pipe character ("|") and the second half of the command (that is just typing "netstat -nbt" without the pipe) produces more output which is non-specific to active connections (it's actually the same command without filtering for active connections only).

If there is an unexplained connection, you can take the remote IP address and perform the 'nslookup' command on it at the command prompt:

nslookup <ip address> - and it will find information about the IP address, if such information is available (although in most cases an attacker will use a proxy anyway).

Another way to gather information about the suspicious IP address: go to Google -> type in the search field: 'whois <suspicious ip address>' and search the whois databases that will be found.

Net users - This command will display a list of all local user accounts on the computer. If an illegitimate account was added, it will appear in the list that will be returned in response to this command...

UNLESS a dollar sign was appended to the end of the username of the illegitimate account. In that case the illegitimate user account will be hidden from the Command Prompt.

In order to find the details of such a local account you can: press winkey+r -> the Windows startup window will appear -> type netplwiz in it (this command will show all user accounts (including those hidden by an appended dollar sign, or even by a special value that the attacker added to a particular registry key. There is no way to hide a user account from this method).

Appendix - how to add firewall rules and close ports.

Every computer has a different firewall, Linux operating systems utilize iptables, in Windows the default is the Windows firewall (comes with the defender).

To get to the firewall settings:

1. Enter the control panel. You can press winkey+r and type in "control panel".
2. In the control panel, enter security settings.
3. From here you have to enter the firewall settings.