Defensive Security Intro
What is this page about?
Hello everyone, this is NotAlive.
On this page, I will be summarizing the Defensive Security Intro room from TryHackMe.
If you are new, I would recommend not reading this, as it is mainly meant for revision.
Let's get started.
1. Introduction to Defensive Security
In the previous write-up, we learned what Offensive Security is. This write-up follows the same format, but now for Defensive Security.
Defensive Security has two main tasks:
1. Preventing intrusions from occurring
2. Detecting intrusions when they occur and responding properly
Tasks related to Defensive Security:
- User cybersecurity awareness: Training users in cybersecurity so they can recognize threats and protect themselves and the organization.
- Documenting and managing assets: We need to know what we have in order to manage and protect it.
- Updating and patching systems: Making sure that software is properly updated and patched.
- Setting up preventative security devices: Adding prevention systems like firewalls, IPS (Intrusion Prevention System), and more.
- Setting up logging and monitoring devices: Logging important activities such as logins, logouts, and new device access, without logging so much that important events are buried in noise.
Categories of Defensive Security:
- SOC (Security Operations Center)
- Threat Intelligence
- Digital Forensics and Incident Response (DFIR)
- Malware Analysis
2. Areas of Defensive Security
The module covers two topics:
- Security Operations Center (SOC), which includes Threat Intelligence.
- Digital Forensics and Incident Response (DFIR), which includes Malware Analysis.
Security Operations Center (SOC)
A SOC is a team that monitors networks and systems to detect malicious cybersecurity events:
- Vulnerabilities: When a vulnerability is discovered, it must be fixed by installing an update or patch. If no fix is available yet, compensating measures are needed to prevent it from being exploited. Note that finding vulnerabilities is not the main goal of a SOC team.
- Policy violations: It is the SOC team's duty to ensure no one violates company policy, for example by uploading confidential files to cloud storage.
- Unauthorized activity: It is the SOC team's job to ensure unauthorized users are not granted access. If such access is detected, the user must be blocked before any damage is caused.
- Network intrusions: When a network intrusion is detected, it is necessary to block it before it causes any further damage.
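The SOC detection duties listed above, and the login/logout/new-device logging mentioned in the introduction, come together in log triage. The following is an added example, not part of the TryHackMe room or this write-up: it parses constructed authentication log lines (the log format, device inventory and threshold are all assumptions) and raises alerts for brute-force attempts, a successful login following them, and logins from devices not in the asset inventory.

```python
"""Minimal SOC-style log triage over constructed authentication log lines."""
import re
from collections import Counter

# Constructed sample log (not real data); the line format is hypothetical.
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGIN_FAIL user=alice src=203.0.113.7 device=WS-ALICE
2024-03-01T08:00:03 LOGIN_FAIL user=alice src=203.0.113.7 device=WS-ALICE
2024-03-01T08:00:05 LOGIN_FAIL user=alice src=203.0.113.7 device=WS-ALICE
2024-03-01T08:00:07 LOGIN_FAIL user=alice src=203.0.113.7 device=WS-ALICE
2024-03-01T08:00:09 LOGIN_FAIL user=alice src=203.0.113.7 device=WS-ALICE
2024-03-01T08:00:11 LOGIN_OK user=alice src=203.0.113.7 device=WS-ALICE
2024-03-01T08:05:00 LOGIN_OK user=bob src=198.51.100.4 device=LAPTOP-BOB
2024-03-01T09:12:44 LOGIN_OK user=bob src=198.51.100.9 device=UNKNOWN-X1
2024-03-01T09:13:00 LOGOUT user=bob src=198.51.100.9 device=UNKNOWN-X1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOGOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) device=(?P<device>\S+)$"
)

# Devices recorded in the (constructed) asset inventory, per user.
KNOWN_DEVICES = {"alice": {"WS-ALICE"}, "bob": {"LAPTOP-BOB"}}
FAIL_THRESHOLD = 5  # failed logins from one source IP before alerting

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def triage(events, known_devices=KNOWN_DEVICES, threshold=FAIL_THRESHOLD):
    """Return alert tuples for brute force, success after brute force, and unknown devices."""
    alerts = []
    failures = Counter(e["src"] for e in events if e["event"] == "LOGIN_FAIL")
    for src, n in sorted(failures.items()):
        if n >= threshold:
            alerts.append(("BRUTE_FORCE", src, n))
    for e in events:
        if e["event"] != "LOGIN_OK":
            continue
        if failures[e["src"]] >= threshold:  # a success after many failures is the serious case
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", e["user"], e["src"]))
        if e["device"] not in known_devices.get(e["user"], set()):
            alerts.append(("NEW_DEVICE_LOGIN", e["user"], e["device"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(alert)
```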
Security operations cover various tasks to ensure protection; one such task is threat intelligence.
Threat Intelligence
Threat intelligence is about knowing the enemy: who your adversaries are and who else could become one. This knowledge helps us prepare better against potential adversaries.
Different companies have different adversaries. Some adversaries might seek to steal customer data from a mobile operator; however, other adversaries may be more interested in halting production in a petroleum refinery.
Example adversaries include a nation-state cyber army working for political reasons and a ransomware group acting for financial gain. Based on the company being targeted, we can expect different types of adversaries.
Intelligence needs data, and data needs to be collected.
Data can be gathered from local sources such as network logs and from public sources; collecting from public sources is also called OSINT (Open Source Intelligence).
In short, Threat Intelligence is about predicting who might threaten the company and understanding their tactics, techniques, and procedures (TTPs) so that we can prepare for them and mitigate the consequences.
Digital Forensics and Incident Response (DFIR)
We are going to cover:
- Digital Forensics
- Incident Response
- Malware Analysis
Digital Forensics
Forensic science emerged from the need to investigate crimes and establish facts. Digital forensics applies the same idea to computer systems: discovering how a cyberattack happened and who was behind it.
In the world of cybersecurity, digital forensics is not just about solving past crimes; it is a critical pillar of defensive security. Instead of examining physical evidence, experts investigate digital footprints to uncover what happened. Common sources of evidence include:
- File system: Analyzing a digital forensic image (a low-level copy) of a system’s storage reveals a lot of information, such as installed programs, created files, partially overwritten files, and deleted files.
- System memory: If the attacker runs their malicious program in memory without saving it to the disk, taking a forensic image (a low-level copy) of the system memory is the best way to analyze its contents and learn about the attack.
- System logs: Every client and server maintains log files recording what happens on it, and these provide plenty of information about an attack. Even if the attacker tries to clear their traces, some traces will remain.
- Network logs: Logs of the network packets that have traversed a network can help answer more questions about whether an attack is occurring and what it involves.
Incident Response
An incident usually refers to a data breach or cyberattack; however, in some cases, it can be something less critical, such as a misconfiguration, an intrusion attempt, or a policy violation.
Incident response specifies the methodology that should be followed to handle such a case. The aim is to reduce damage and recover in the shortest time possible. Ideally, you would develop a plan that is ready before an incident occurs.
The four major phases of the incident response process are:
- Preparation: This requires a team trained and ready to handle incidents.
- Detection and Analysis: The team must have the necessary resources to detect any incident; moreover, it is essential to analyze any detected incidents.
- Containment, Eradication, and Recovery: Once an incident is detected, it is necessary to stop it, eliminate it, and recover from it.
- Post-Incident Activity: After a successful recovery, a report is produced, and the lessons learned are shared to prevent similar future incidents.
Malware Analysis
Malware comes in many forms, such as:
- Virus: A virus is a piece of code that attaches itself to a program. It is designed to spread from one computer to another and works by altering, overwriting, and deleting files once it infects a computer. The result can range from the computer becoming slow to becoming unusable.
- Trojan: A Trojan is a malicious program disguised as a legitimate one. Its malicious behavior starts when the user runs it or when a trigger condition is met.
- Ransomware: Ransomware is a malicious program that encrypts the user’s files. Encryption makes the files unreadable without the correct decryption key or password. The attacker offers to provide it if the user is willing to pay a ransom.
Malware Analysis aims to learn about such malicious programs using various means:
- Static analysis: Static analysis works by inspecting the malicious program without running it. This usually requires solid knowledge of assembly language.
- Dynamic analysis: Dynamic analysis works by running the malware in a controlled environment and monitoring its activities. It lets you observe how the malware behaves while running.
3. Practical Example of Defensive Security
The room simulates a threat by giving us a SOC dashboard UI and walking us through it.
Copying the IP from the task UI is a little fiddly, so here it is:
143.110.250.149
email: admin@notalive.in
discord: _i_am_innocent_
github: github.com/notalive24