Zargaran@mail.com
https://www.linkedin.com/in/amirzargar
+98 9129355339
Agenda:
Day 1
Introduction
Most Famous Attacks and the confronting ways
What is Security Operations Center
Day 2
Key features and modules
Processes and Procedures
People
Day 3
Technology
Network Monitoring and Investigations
Correlation
Lab
Introduction
Eavesdropping
Data Modification
Identity Spoofing (IP Address Spoofing)
Password-Based Attacks
Denial of Service
Man in the Middle
Compromised-Key Attack
Application-Layer Attack
Eavesdropping
Data Modification
After an attacker has read your data, the next logical step is
to alter it. An attacker can modify the data in the packet
without the knowledge of the sender or receiver. Even if you
do not require confidentiality for all communications, you
do not want any of your messages to be modified in transit.
For example, if you are exchanging purchase requisitions,
you do not want the items, amounts, or billing information
to be modified.
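The defence the paragraph implies is an integrity check: the receiver must be able to tell that the bytes it got are the bytes that were sent. The following is an added example, not code from the course, showing a purchase requisition protected with HMAC-SHA256; the key, the requisition string and the tampered amount are constructed for the demo.

```python
import hmac
import hashlib
from typing import Tuple

# Constructed demo values; a real deployment derives a per-session key
# (for example from TLS or a key exchange) and never hard-codes it.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
REQUISITION = b"item=server-rack;qty=2;bill_to=ACCT-1001"


def protect(key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """Sender: compute an HMAC-SHA256 tag over the message and send both."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver: recompute the tag and compare in constant time.
    Any change to the bytes in transit changes the tag, so verification fails."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine message verifies, edited amount rejected, forged tag rejected)."""
    msg, tag = protect(SHARED_KEY, REQUISITION)
    tampered = msg.replace(b"qty=2", b"qty=20")  # the in-transit edit from the paragraph
    # Without the key the attacker cannot produce a valid tag for the edited message.
    forged_tag = hmac.new(b"attacker-guess", tampered, hashlib.sha256).digest()
    return (verify(SHARED_KEY, msg, tag),
            verify(SHARED_KEY, tampered, tag),
            verify(SHARED_KEY, tampered, forged_tag))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The tag gives integrity and origin authentication but not confidentiality; if the requisition must also stay secret, it is encrypted as well (an AEAD mode does both in one step).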
Identity Spoofing (IP Address Spoofing)
DDoS Attack (diagram: many users' machines -> Target)
Man-in-the-Middle Attack (diagram: Original Connection vs. New Connection through the attacker)
Advanced Attacks: very complex, very resistant, very targeted
Zero-Day Attacks
What is a Zero-Day Attack?
Attack stages (diagram): Incursion -> Discovery -> Capture -> Exfiltration; diagram axis label: Detecting
Most Complex Attack in the World: A Zero-Day Attack!
Anomaly Traffic
What is Anomaly Traffic detection?
Technology
Process
People
Process and Procedures
SOC
Processes
SOC process categories (slide table):
Analytical Processes: Intrusion Analytical Process, Daily Operation Process, Subtle Event Process
Operational Processes: Event Management Process, Training Process, Reporting Process
Technological Processes: Design Process, Configuration Management Process, System Administration Process
Business Processes: Metric Process, Improvement Process, Business Continuity Process
Process and Escalation in SOC
(Diagram: the three pillars are Process, Technology and People; the escalation path runs from the Correlation Engine to the Incident Handler at Level 1 and Level 2, the Engineer and the Network and System Owners, ending with Case Closed.)
Simple SOC triage
Detailed SOC triage (flowchart):
1. Start: an event (hack, malware) arrives.
2. L1 Analyzer: identify host and incident information, troubleshoot and resolve. YES: update the knowledge base and end. NO: escalate to L2.
3. L2 Analyzer: identify host and incident information, resolve the incident. YES: update the knowledge base and end. NO: ticket escalation to the SOC Manager.
4. SOC Manager: resolve the incident. YES: update the knowledge base and end. NO: hand over to the action group (NOC, Software Dept., CSIRT & Forensics).
5. Action group: document, update and notification in the knowledge base. End.
People
7x24 People Skills
Forensic knowledge
Proficiency in coding, scripting and protocols
Managing threat intelligence
Penetration testing knowledge
Data analysis
Minimum 2 years experience in monitoring and incident management
Experience reviewing and analyzing network packet captures
Experience performing security/vulnerability reviews of network environments
Possess a comprehensive understanding of the TCP/IP protocol, security architecture and remote access security techniques/products
Strong research background, utilizing an analytical approach
Highly motivated individual with the ability to self-start, prioritize, multi-task and work in a team setting
SOC People Skills (skill matrix; L = low, M = medium, H = high; the skill column headings did not survive extraction):
Level 1: L L L L L
Level 2: M L L L L M M M M
Level 3: H H M M M H H H H
Staffing (org chart): Senior SOC Engineer (Tier 3) above five Tier 1 Operators
SOC Manager Roles
• Qradar
• Splunk
• LogRhythm
• McAfee
• ArcSight
We cover ArcSight and Splunk in this course.
ArcSight
Data Collection
Data Normalization
Data Protection
Data Distribution
Event Management
Event Correlation
Identification
Triage
Roles
Notification
Ticketing
Forensics
Incident Response
SOC Workflow
Personnel Shift Distribution
Shift Reporting
Shift Change
SOC Monitoring Suite
SOC Reporting Structure
Organizational Chart
Escalation Management
Escalation Procedures
Pre-Escalation Tasks
IT Security
Network Operation Center
Security Engineering
CERT Integration
Law Enforcement
3rd Party Service Provider and Vendors
Data Recovery Procedures
Disaster Recovery
High Availability
Backup Planning
Security Incident Procedures
Email Phishing
Virus and Worm Infection
Anti-Virus Management Incident
Netflow Abnormal Behavior Incident
Network Behavior Analysis Incident
Distributed Denial of Service Incident
Host Compromise
Web Application Security Incident
Network Compromise
Domain Hijack or DNS Cache Poisoning
Suspicious User Activity
Unauthorized User Access
Vulnerability and Patch Management
Vulnerability Research
Patch Management
Identification
Compliance Monitoring
Network Configuration Baseline
Anti-Virus Signature Management
Microsoft and Linux Updates
SOC Technical SIEM Topologies
ArcSight Topologies (1)
ArcSight Topologies (2)
ArcSight Topologies (3)
Common Event Format (CEF)
2. MMM dd HH:mm:ss
3. MMM dd HH:mm:ss.SSS zzz
4. MMM dd HH:mm:ss.SSS
5. MMM dd HH:mm:ss zzz
6. MMM dd yyyy HH:mm:ss
7. MMM dd yyyy HH:mm:ss.SSS zzz
8. MMM dd yyyy HH:mm:ss.SSS
9. MMM dd yyyy HH:mm:ss zzz
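The layouts above are Java SimpleDateFormat patterns (ArcSight is a Java product), which is why they read MMM, dd, HH:mm:ss, SSS and zzz. The following added example, not code from the course or from ArcSight, is a small CEF parser that splits the seven pipe-delimited header fields, reads the key=value extension with CEF's backslash escapes, and tries the listed timestamp layouts in order on the rt field. Layout 1 is absent from the page, so only layouts 2 to 9 are modelled; the sample record, the 2024 default year and the field values are constructed.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Layouts 2-9 from the slide, translated to strptime: MMM -> %b, dd -> %d,
# yyyy -> %Y, HH:mm:ss -> %H:%M:%S, .SSS -> .%f, zzz -> %Z.
# Caveat: strptime's %Z only accepts UTC, GMT and the host's own zone names; a
# production parser should map zone abbreviations to fixed offsets explicitly.
CEF_TIME_LAYOUTS: List[Tuple[str, bool]] = [
    ("%b %d %H:%M:%S", False),          # 2. MMM dd HH:mm:ss
    ("%b %d %H:%M:%S.%f %Z", False),    # 3. MMM dd HH:mm:ss.SSS zzz
    ("%b %d %H:%M:%S.%f", False),       # 4. MMM dd HH:mm:ss.SSS
    ("%b %d %H:%M:%S %Z", False),       # 5. MMM dd HH:mm:ss zzz
    ("%b %d %Y %H:%M:%S", True),        # 6. MMM dd yyyy HH:mm:ss
    ("%b %d %Y %H:%M:%S.%f %Z", True),  # 7. MMM dd yyyy HH:mm:ss.SSS zzz
    ("%b %d %Y %H:%M:%S.%f", True),     # 8. MMM dd yyyy HH:mm:ss.SSS
    ("%b %d %Y %H:%M:%S %Z", True),     # 9. MMM dd yyyy HH:mm:ss zzz
]

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]


def parse_cef_time(value: str, default_year: int = 2024) -> Optional[datetime]:
    """Try the layouts in order. Year-less layouts (syslog style) get default_year,
    prepended before parsing so that 'Feb 29' is validated against the right year
    rather than strptime's default of 1900."""
    for layout, has_year in CEF_TIME_LAYOUTS:
        text, fmt = (value, layout) if has_year else (f"{default_year} {value}", "%Y " + layout)
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def _split_header(body: str) -> List[str]:
    # Split on '|' that is not escaped as '\|'; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    return [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts]


_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; values may contain spaces, and '=' inside a value is escaped as '\\='."""
    keys = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        fields[m.group(1)] = (raw.replace("\\=", "=").replace("\\n", "\n")
                              .replace("\\r", "\r").replace("\\\\", "\\"))
    return fields


def parse_cef(line: str, default_year: int = 2024) -> Dict[str, object]:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_header(line[4:])
    if len(parts) != 8:
        raise ValueError("CEF needs 7 header fields plus an extension")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = _parse_extension(parts[7])
    event["extension"] = ext
    rt = ext.get("rt")
    if rt is None:
        event["receipt_time"] = None
    elif rt.isdigit():  # CEF also allows epoch milliseconds in rt
        event["receipt_time"] = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    else:
        event["receipt_time"] = parse_cef_time(rt, default_year)
    return event


# Constructed sample record: escaped pipe in the name, escaped '=' in the extension.
SAMPLE_CEF = (r"CEF:0|ArcSight|Logger|7.0|100|Login\|Verify|5|"
              r"rt=Jan 15 2024 18:05:00.123 UTC src=1.1.1.1 suser=David "
              r"request=/Access/Device?id\=42 msg=Login outside working hours")

if __name__ == "__main__":
    print(parse_cef(SAMPLE_CEF))
```

A collector that receives year-less timestamps has to supply the year itself; doing that wrongly around New Year is a classic cause of events landing twelve months out in the SIEM timeline.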
Network Monitoring and Investigation
Network Operation Center
Report
Example investigation: get the specific query generated from this IP address; find that 3 IP addresses have generated this specific query; then find the .exe file that was executed at that time.
Correlation
Working time: 08:00 – 17:00
Scenario, step 1: John shuts down John's PC at 17:00. An exit log is generated at 17:05 and sent to the correlation engine:
2: 17:05 | Exit Normaly | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control
Non-working time: 17:00 – 08:00
Scenario, step 4: David turns on John's PC. An entering log is generated at 17:00 and sent to the correlation engine:
3: 17:05 | Exit Normaly | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control
Correlation rule (correlation engine):
If {
  AND( sourceAddress = "1.1.1.1",
       categoryBehavior = "/Authentication/Verify",
       categoryOutcome = "/Success",
       NOT( endTime Between "08:00 AM - 17:00 PM" ) )
}
Then {
  Action = "Anomaly User Activity Correlated",
  send Notification to "John@Company.co"
}
5: 18:05 |Anomaly User Behavior | ArcSight | 1.1.1.1 | /Found | /Attempt | Very High | Unauthorized User Login
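The rule above written out as running code, as an added example that is not from the course or from ArcSight. It parses events in the pipe-delimited layout the slides use (assumed field order: time | name | user | sourceAddress | categoryBehavior | categoryOutcome | severity | message), applies the same four conditions and emits the anomaly event with the fields shown in event 5. The watched address 1.1.1.1, the working hours and the notification address come from the slide; the sample events and the name Sara are constructed.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional

# Working hours from the slide: 08:00 - 17:00, treated as inclusive like
# ArcSight's "Between", so a login at exactly 17:00 does not fire.
WORK_START = time(8, 0)
WORK_END = time(17, 0)


@dataclass
class Event:
    end_time: time
    name: str
    user: str
    source_address: str
    category_behavior: str
    category_outcome: str
    severity: str
    message: str


@dataclass
class Alert:
    end_time: time
    name: str
    device_vendor: str
    source_address: str
    category_behavior: str
    category_outcome: str
    severity: str
    message: str
    notify: str


def parse_event(line: str) -> Event:
    """Assumed field order of the slide's events:
    HH:MM | name | user | sourceAddress | categoryBehavior | categoryOutcome | severity | message"""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    hour, minute = (int(p) for p in fields[0].split(":"))
    return Event(time(hour, minute), *fields[1:])


def within_working_hours(t: time) -> bool:
    return WORK_START <= t <= WORK_END


def after_hours_login_rule(event: Event, watched_address: str = "1.1.1.1",
                           notify: str = "John@Company.co") -> Optional[Alert]:
    """The slide's rule: AND(sourceAddress = 1.1.1.1, categoryBehavior = /Authentication/Verify,
    categoryOutcome = /Success, NOT(endTime between 08:00 and 17:00))."""
    if (event.source_address == watched_address
            and event.category_behavior == "/Authentication/Verify"
            and event.category_outcome == "/Success"
            and not within_working_hours(event.end_time)):
        return Alert(event.end_time, "Anomaly User Behavior", "ArcSight",
                     event.source_address, "/Found", "/Attempt", "Very High",
                     f"Unauthorized User Login: {event.user} authenticated outside working hours",
                     notify)
    return None


def correlate(lines: List[str]) -> List[Alert]:
    """Run the rule over raw event lines; the engine would also route each Alert to notify."""
    alerts = []
    for line in lines:
        alert = after_hours_login_rule(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not from the course); only the 18:05 login should fire.
SAMPLE_EVENTS = [
    "17:05 | Exit Normally | John | 1.1.1.1 | /Access/Device | /Success | Low | Exit John from Access Control",
    "09:30 | Login | John | 1.1.1.1 | /Authentication/Verify | /Success | Low | John logged in during working hours",
    "18:05 | Login | David | 1.1.1.1 | /Authentication/Verify | /Success | Low | David logged in on John's PC",
    "22:10 | Login | David | 1.1.1.1 | /Authentication/Verify | /Failure | Low | Failed login, outcome does not match",
    "03:00 | Login | Sara | 2.2.2.2 | /Authentication/Verify | /Success | Low | Other host, not watched by this rule",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.end_time:%H:%M} | {a.name} | {a.device_vendor} | {a.source_address} | "
              f"{a.category_behavior} | {a.category_outcome} | {a.severity} | {a.message} -> notify {a.notify}")
```

Pinning the rule to one source address, as the slide does, keeps the example readable but means the 03:00 login from another host passes silently; in production the address condition is usually replaced by an asset list or by a "user's own workstation" lookup, so the rule covers every monitored host with one definition.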
SOC Tools and Sensors
Vulnerability Assessment
Patch Management
Ticketing
Dashboards
NTP Server
SCM – HIDS – FIM Roles
Identifying vulnerabilities
Quantifying vulnerabilities
Prioritizing vulnerabilities
Cataloging assets and capabilities
Risk analysis
Lab