The sheer volume of data generated is staggering in the modern digital landscape. As cyber threats become more sophisticated, it becomes crucial for organizations to store, analyze, and derive insights from this data to bolster security. Enter the concept of the Security Data Lake.
What is a Security Data Lake?
A Security Data Lake is a centralized repository that allows organizations to store structured and unstructured data at any scale. Unlike traditional databases, which are designed to store structured data, a data lake can store vast amounts of raw data in its native format until it is needed.
When we apply this concept specifically to cybersecurity, the data lake is optimized to collect, store, and analyze massive volumes of security event data, logs, threat intelligence feeds, and more. This setup enables advanced analytics, correlation, and threat detection.
When we think of threats to our businesses, the image that might come to mind is a masked hacker typing away in a dimly lit room, infiltrating our systems remotely. Yet, a less conspicuous but equally dangerous adversary exists, the insider threat.
What is an Insider Threat?
An insider threat arises when someone within the organization who has inside knowledge of its security practices, data, and computer systems misuses that access in a way that harms the organization. This can encompass employees, former employees, contractors, or business partners.
Why is it Significant?
Unlike external attackers, insiders already have access to critical systems and data. They understand the internal processes, know the weak spots, and can exploit them effectively. Some insiders inadvertently leak sensitive information, while others have malicious intentions driven by personal vendettas, financial gain, or espionage.
Types of Insider Threats:
By staying informed, leveraging technology, fostering open communication, and building solid relationships with employees, businesses can prevent insider threats and create an atmosphere of trust and collaboration.
In the digital age, where data is a prized asset and threats lurk around every corner, disregarding insider threats is not an option. It's crucial to acknowledge, understand, and actively work against these risks to safeguard the future of any organization.
The Certified Information Systems Security Professional (CISSP) is a professional certification for individuals working in the field of information security. It is a globally recognized standard of achievement that demonstrates an individual's knowledge and experience in the field.
To prepare for the CISSP exam, there are a few steps you can follow:
Understand the exam content: The CISSP exam covers a wide range of topics, including security and risk management, asset security, security engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. Familiarize yourself with the exam content outline and make sure you have a good understanding of each of the domains.
Get hands-on experience: While the CISSP exam tests your knowledge of theory, it is important to have practical experience in the field. Consider internships, on-the-job training, or other opportunities to gain hands-on experience in information security.
Take a training course: Many individuals choose to take a training course to prepare for the CISSP exam. These courses are typically led by experienced professionals who can provide in-depth knowledge of the exam content and help you understand the key concepts.
Use study materials: There are a variety of study materials available to help you prepare for the CISSP exam, including textbooks, practice exams, and online resources. Make use of these materials to reinforce your understanding of the exam content and identify areas where you need additional study.
Take practice exams: Practice exams can be a useful tool for identifying your strengths and weaknesses and helping you focus your study efforts. Take multiple practice exams to get a feel for the exam format and to identify any areas where you need additional study.
Remember to allow yourself enough time to study and prepare for the exam. It is also a good idea to take breaks and avoid trying to study for long periods of time without a break. Good luck!
Data Exfiltration and Data Loss Prevention (DLP) is one of the key topics of our discussion today. One way to detect APT groups and advanced ransomware at an early stage is to analyze outbound traffic, because most advanced threats will try to establish a C2 connection.
Profile 'outbound' traffic data:
Some outliers can be:
Dashboards are a good starting point. With the flow data you can build a 'Top Level Domain (TLD) Dashboard' and look for the following traffic patterns:
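As an added example (not code from the original post), the profiling described above written out as a small script: it parses constructed outbound flow records (timestamp, internal host, destination FQDN, bytes out; a hypothetical export format, not any real product's), builds the per-TLD view a TLD dashboard would show, and flags two of the outliers that matter for C2 detection: a TLD that only a single host ever talks to, and a host/destination pair whose connections recur at a near-constant interval (beaconing). The sample records and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flows (hypothetical format: "timestamp host fqdn bytes_out").
# ws-099 talks to a destination under a TLD nobody else uses, every 5 minutes.
SAMPLE_FLOWS = """\
2024-01-10T09:00:00 ws-017 cdn.example.com 1200
2024-01-10T09:00:05 ws-017 mail.example.org 800
2024-01-10T09:00:30 ws-017 updates.example.net 3000
2024-01-10T09:00:00 ws-042 updates.example.net 40000
2024-01-10T09:01:00 ws-042 mail.example.org 600
2024-01-10T09:02:00 ws-042 www.example.com 41000
2024-01-10T09:00:00 ws-099 abc123.rare.test 512
2024-01-10T09:05:00 ws-099 abc123.rare.test 512
2024-01-10T09:10:00 ws-099 abc123.rare.test 512
2024-01-10T09:15:00 ws-099 abc123.rare.test 512
2024-01-10T09:16:00 ws-099 www.example.com 900
"""


def parse_flows(text):
    """Turn the constructed flow lines into dicts with a parsed timestamp and TLD."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, fqdn, nbytes = line.split()
        fqdn = fqdn.lower().rstrip(".")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "fqdn": fqdn,
            "tld": fqdn.rsplit(".", 1)[-1],
            "bytes": int(nbytes),
        })
    return flows


def tld_profile(flows):
    """The dashboard view: how many distinct internal hosts reach each TLD."""
    hosts_per_tld = defaultdict(set)
    for f in flows:
        hosts_per_tld[f["tld"]].add(f["host"])
    return {tld: len(hosts) for tld, hosts in hosts_per_tld.items()}


def rare_tlds(flows, max_hosts=1):
    """TLDs reached by at most max_hosts hosts; one machine alone using a TLD is an outlier."""
    return {tld for tld, n in tld_profile(flows).items() if n <= max_hosts}


def beacon_candidates(flows, min_connections=4, max_jitter_s=5):
    """(host, fqdn, interval) triples whose connection gaps are all within
    max_jitter_s of the median gap: a machine-driven, periodic pattern."""
    times = defaultdict(list)
    for f in flows:
        times[(f["host"], f["fqdn"])].append(f["ts"])
    hits = []
    for (host, fqdn), ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= max_jitter_s for g in gaps):
            hits.append((host, fqdn, mid))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("hosts per TLD:", tld_profile(flows))
    print("rare TLDs:", rare_tlds(flows))
    print("beacon candidates:", beacon_candidates(flows))
```

On real flow exports the same two functions run unchanged over a day's records; the thresholds (how many hosts make a TLD "common", how much jitter a beacon may show) are the knobs to tune against your own baseline.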
#Comment if you have additional tips.
I have had to build many SOC teams in my professional career. In this post, I'd like to clear up some of the myths about SOCs. Let's start with the basics.
One of the most important questions is: why does your organization need a SOC?
Enterprises often collect a large amount of data in the form of logs. Simply storing the data is not valuable; the enormous amount of information needs to be searched for malicious activity, and if there is malicious activity, you need a human to respond to it intelligently. SOC team members do the detection, investigation, and response for the incident. Another critical aspect of the SOC team (often overlooked) is the post-incident review.
What are the sub-teams/sub-groups in a SOC?
Key Roles in a SOC Team
Types of Security Operation Center (SOC)
Fully Outsourced SOC: Hiring, building, and retaining SOC teams is challenging and expensive. There are not a lot of experienced cyber security analysts and engineers in the market; it's honestly a new career option. To avoid the hassle, organizations often decide to outsource security operations fully to a Managed Security Service Provider (MSSP).
There are a few advantages and disadvantages to a fully outsourced SOC. The most significant benefit is speed: you can have someone start looking at your data/alerts as soon as you sign the contract. If there is an anomaly, the MSSP will do the hunt and investigation and escalate it to you pretty quickly.
The biggest downside is the knowledge gap. All the knowledge/intelligence about your network/endpoints stays with the MSSP; as soon as you cancel the contract, it's gone. Another significant disadvantage is that an MSSP is expensive: you have to pay a lot of money out of your budget for the SOC. In some cases, the quality of the investigation can be poor too.
Even after outsourcing your SOC, responsibility for mitigating malicious activity and for compliance stays with the organization. Usually, companies at an early stage will go for this model. An MSSP will care more about the SLAs than about the quality of the investigation. If you are adopting this model, make sure to discuss all the norms upfront, including the resumes/profiles of the analysts.
Hybrid SOC: A combination of an MSSP and an in-house SOC team. Usually the detection, response, and forensics teams are in-house, and the Tier-1 and Tier-2 analysts are outsourced. Most of the pros and cons of MSSPs mentioned above apply here as well. The benefit is that you keep your institutional knowledge. If you want to run your SOC 24/7 and your security team is only in one country, this model helps in terms of coverage and control.
In-house SOC: Fully in-house SOC teams are costly; usually large organizations with big budgets go for this model. I'd say having a functional in-house SOC is a sign of maturity of the overall cybersecurity program. If your company is global, you may want to have your SOC team in multiple time zones.
Key Responsibilities of SOC
In this blog post, we will discuss high-quality open source NSM tools. Security Onion is one of the most common and popular NSM distributions.
Security Onion is an Ubuntu-based Linux distribution. It comes with a bunch of software:
Web sessions are usually managed by a "session token". Session hijacking exploits the web session control mechanism: it is a way to gain unauthorized access to the web server by stealing a valid token.
Session hijacking is a type of attack that can be accomplished using various techniques, such as session sniffing, client-side attacks like XSS, and man-in-the-middle/man-in-the-browser attacks.
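Because every technique listed above ends with the attacker holding a copy of the token, the defences are about making the token hard to capture and short-lived once captured. The following is an added example (not code from the original post) in Python: it generates tokens from the OS CSPRNG, builds the Set-Cookie header in a weak and a hardened form so the two can be compared, and keeps session state server-side so a token can be rotated on login, expire when idle, and be revoked on logout. The session store, the 30-minute timeout and the cookie name are assumptions constructed for the example, not part of any framework.

```python
import secrets
import time

SESSION_TTL_S = 30 * 60  # assumed idle timeout (30 min); tune per application


def new_session_token() -> str:
    """128 bits from the OS CSPRNG: a token must be unguessable, never sequential."""
    return secrets.token_urlsafe(16)


def set_cookie_header(name: str, token: str, hardened: bool = True) -> str:
    """Build the Set-Cookie header that carries the token to the browser.
    hardened=False produces the configuration that makes theft easy: the browser
    will send the cookie over plain HTTP and expose it to page scripts."""
    parts = [f"{name}={token}", "Path=/"]
    if hardened:
        parts += [
            "Secure",                 # HTTPS only: nothing to sniff on the wire
            "HttpOnly",               # not readable from JavaScript: blunts XSS theft
            "SameSite=Lax",           # not sent on most cross-site requests
            f"Max-Age={SESSION_TTL_S}",
        ]
    return "Set-Cookie: " + "; ".join(parts)


class SessionStore:
    """In-memory session table (constructed for the example). Keeping state on the
    server means a copied token can be revoked and dies on its own when idle."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry is testable
        self._sessions = {}        # token -> {"user": str or None, "last_seen": float}

    def start(self) -> str:
        """Pre-authentication session (for example, a shopping cart)."""
        token = new_session_token()
        self._sessions[token] = {"user": None, "last_seen": self._now()}
        return token

    def login(self, user: str, old_token=None) -> str:
        """Issue a fresh token on login and drop the pre-auth one, so a token that
        was observed (or planted) before authentication never becomes authenticated."""
        self._sessions.pop(old_token, None)
        token = new_session_token()
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def resolve(self, token: str):
        """Session for a presented token, or None if unknown or idle past the TTL."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TTL_S:
            del self._sessions[token]
            return None
        s["last_seen"] = self._now()
        return s

    def logout(self, token: str) -> bool:
        """Server-side invalidation: after this a stolen copy of the token is useless."""
        return self._sessions.pop(token, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    pre = store.start()
    tok = store.login("alice", old_token=pre)
    print(set_cookie_header("sid", tok, hardened=False))
    print(set_cookie_header("sid", tok, hardened=True))
    print("old token still valid:", store.resolve(pre) is not None)
```

The HttpOnly and Secure flags address the client-side and sniffing techniques named above; rotation on login and server-side revocation limit what a token is worth even if one of them succeeds.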
Goal: The goal of threat modeling is to reduce risk, and it can be applied as a repeatable process. It has numerous benefits. In this post, we will learn to answer the following questions:
What is Threat Modelling?
You have built a web app which allows visitors to subscribe to a mailing list and sign up for an account. When you systematically list all the potential ways one can attack your application, that is threat modelling in a nutshell. Remember two key terms. The first is "systematic approach": threat modelling should be a repeatable process in the SDLC. The second is "abuse": you are constantly looking at attacks in order to find vulnerabilities. Another approach is to develop probable threat scenarios and a list of threats. It's a holistic approach to reducing the risk of an application.
Bug - Software Defects
Vulnerability - Weakness that can be exploited
Attack/Incident - Needs a target, a threat vector (the path an attacker can take to exploit the vulnerability) and a threat actor.
Threat Surface - Anything that can be obtained, used or attacked by a threat actor
Risk - Risk = Impact * Likelihood
Why should you do Threat Modelling?
Remember, the goal is risk reduction. There are other methodologies that serve the same purpose, for example penetration testing, source code analysis, architectural risk analysis, and vulnerability scanning. Let's discuss the reasons to use threat modelling.
Who Should Threat Model?
When to perform Threat Modelling?
Threat Modeling Approaches
We will discuss the following approaches to threat modeling. The end goal will be to generate a list of threats.
Example Scenario - A simple web application. Anonymous users can visit the website. The site runs a Content Management System that only authorized users can access. A mailing component sends out web mails.
Asset-Centric/Risk Approach: In this approach we focus on the things you want to protect, for example: databases, email accounts, account credentials, servers.
Attacker-Centric/Security Approach: This approach is preferred by pentesters. You'll need a team of highly qualified security engineers to succeed with it.
Application-Centric Approach: Think about the application and get familiar with it. Step 1: Draw a diagram of the application, for example a Data Flow Diagram.
Step 2: List threats for each element, using STRIDE (a threat classification model) or the OWASP Top 10.
Step 3: Rank the threats using a classification model.
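The three steps of the application-centric approach, carried through for the example scenario as an added example in Python (not the original post's code and not a tool the post describes): the DFD elements of the web app are written down as data, STRIDE categories are assigned per element type, and the resulting threats are ranked with the page's Risk = Impact * Likelihood formula. The element-type-to-STRIDE mapping is the commonly used STRIDE-per-element chart and is an assumption to adjust for your own system; the element list and the impact/likelihood ratings are constructed for the example.

```python
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumption: which STRIDE categories apply to which DFD element type (the usual
# STRIDE-per-element chart). Change this table if your modelling rules differ.
APPLIES_TO = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Step 1 (constructed): the DFD elements of the page's example web application.
ELEMENTS = [
    ("Anonymous visitor", "external_entity"),
    ("CMS web process", "process"),
    ("Subscriber database", "data_store"),
    ("Mailing component", "process"),
    ("Browser -> CMS (HTTPS)", "data_flow"),
]

# Constructed ratings, (impact, likelihood) on a 1-5 scale, for threats the team has
# already assessed; everything else falls back to a middle score in rank_threats().
RATINGS = {
    ("Subscriber database", "Information disclosure"): (5, 3),
    ("CMS web process", "Elevation of privilege"): (5, 2),
    ("Anonymous visitor", "Spoofing"): (2, 4),
    ("Mailing component", "Denial of service"): (3, 2),
}


def enumerate_threats(elements):
    """Step 2: one candidate threat per (element, applicable STRIDE category)."""
    return [(name, STRIDE[c]) for name, kind in elements for c in APPLIES_TO[kind]]


def rank_threats(threats, ratings, default=(3, 3)):
    """Step 3: score each threat as impact * likelihood and sort highest first.
    Unrated threats get the default score so they stay visible instead of vanishing."""
    scored = []
    for name, category in threats:
        impact, likelihood = ratings.get((name, category), default)
        scored.append((impact * likelihood, name, category))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, name, category in rank_threats(enumerate_threats(ELEMENTS), RATINGS):
        print(f"{score:2d}  {name:<24} {category}")
```

The enumeration is deliberately exhaustive (every element gets every applicable category) so that pruning is a recorded decision in the ratings rather than an omission; that is what makes the process repeatable across SDLC iterations.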
Threat Modeling Methodologies
In this section, we will discuss the threat modeling methodologies that fit the asset-centric and application-centric approaches.
PASTA - Process for Attack Simulation and Threat Analysis
This is a threat modeling and threat analysis process. It's an asset-centric approach with 7 stages.
Microsoft Threat Modeling
It's a threat modeling framework that focuses on technical risk. It's a developer-driven approach.
Octave - Operationally Critical Threat, Asset and Vulnerability Evaluation
Visual Agile Simple Threat Modeling
Two Threat Model Types
Good for companies following Agile
What is the best methodology?
Choose a methodology based on team, organization and objective.
Asset Centric - PASTA
Application Centric - Microsoft Threat Modeling
If you work in DFIR, you will have encountered Base64 code many times. In this blog post, we will talk about the basics of base64 encoding.
ASCII Data - Each Character turns into one byte
A = 65 (Binary 0b01000001)
B = 66 (Binary 0b01000010)
C = 67 (Binary 0b01000011)
The 3-letter string = 24 bits
ABC = 0b010000010100001001000011
For base64 we'll need to break it into groups of 6 bits. 6 bits give 64 combinations, so we need 64 characters to encode them.
Characters used are as follows:
ABC...Z = 0-25
abc...z = 26-51
0123..9 = 52-61
+,/ = 62,63
I am going to use spaces for the ease of reading
ABC = 0b01000001 01000010 01000011
6-bit Groups = 0b010000 010100 001001 000011
Decimal = 16 20 9 3
base64 = Q U J D
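The regrouping walked through above, as an added example in Python (not the post's own code): six_bit_groups() reproduces the 6-bit split for "ABC", and the encoder/decoder pair carries the same idea to inputs whose length is not a multiple of 3, which the post's 3-byte example does not show. The extension is the standard rule: the last chunk is padded with zero bits, only the groups that carry real input bits become characters, and one "=" is appended per missing input byte. The standard library's base64 module is imported only to cross-check the hand-rolled version.

```python
import base64  # used only to cross-check the hand-rolled encoder/decoder

# The 64 characters in index order, as listed above.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def six_bit_groups(data: bytes):
    """Concatenate the 8-bit bytes and re-split into 6-bit strings, zero-padding the
    tail so the last group is a full 6 bits (for b"ABC" no padding is needed)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


def b64encode_manual(data: bytes) -> str:
    """Encode 3 bytes (24 bits) at a time into 4 characters; a short final chunk of
    1 or 2 bytes yields 2 or 3 characters plus '=' padding to keep groups of 4."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        groups = six_bit_groups(chunk)
        out.append("".join(ALPHABET[int(g, 2)] for g in groups))
        out.append("=" * (4 - len(groups)))
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Map characters back to 6-bit groups and reassemble 8-bit bytes; any leftover
    bits (fewer than 8) are the zero padding added during encoding and are dropped."""
    bits = "".join(f"{ALPHABET.index(c):06b}" for c in text.rstrip("="))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def cross_check(data: bytes) -> bool:
    """True if the hand-rolled encoder matches the standard library and round-trips."""
    encoded = b64encode_manual(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode_manual(encoded) == data)


if __name__ == "__main__":
    groups = six_bit_groups(b"ABC")
    print("6-bit groups:", " ".join(groups))
    print("decimal:", [int(g, 2) for g in groups])
    print("base64:", b64encode_manual(b"ABC"))
```

Counting groups is how the chunk length turns into the padding: 1 byte is 8 bits, which fills two 6-bit groups (2 characters, "=="), and 2 bytes are 16 bits, filling three (3 characters, "="). That is also why a trailing "=" or "==" tells you the decoded length modulo 3 before you decode anything.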
In this post, I am going to talk about the basic fundamentals and concepts of cryptography. Let's start with obfuscation and encryption. In layman's terms, encryption techniques are used to hide data or make it difficult to read. The term 'crypto' became super popular because of the introduction of currencies like Bitcoin, Litecoin, Ethereum, etc. For us, it's just a form of protection; our focus will be on cryptography applied to communication, storage, messages, etc. We will be using Python for the code nuggets. Let's start with the 'Caesar Cipher' and 'ROT13'.
Caesar Cipher: It's an old trick where you just move every letter forward three characters in the alphabet.
Plain Text - abcdefghijklmnopqrstuvwxyz
Cipher Text - defghijklmnopqrstuvwxyzabc
hello = khoor
Let's implement this in Python!
beta = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROT13 does the same thing with a shift of 13 instead of 3.
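An added example in Python that completes the implementation started above (it is not the post's own code): one shift function covers both Caesar (shift 3) and ROT13 (shift 13), keeps case and passes non-letters through, and a translation-table variant mirrors the plain-text/cipher-text rows listed above. The brute-force helper at the end tries all 26 shifts, which is the one-line reason a fixed-shift cipher counts as obfuscation rather than encryption. Function names are this example's own.

```python
import string

ALPHABET = string.ascii_lowercase  # lowercase twin of the post's `beta` string


def shift_cipher(text: str, shift: int) -> str:
    """Rotate each ASCII letter `shift` places through the alphabet (wrapping around),
    preserving case; digits, spaces and punctuation are left as they are."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(text: str) -> str:
    return shift_cipher(text, 3)


def caesar_decrypt(text: str) -> str:
    return shift_cipher(text, -3)


def rot13(text: str) -> str:
    """Shift by 13: because 13 + 13 = 26, the same function also decodes."""
    return shift_cipher(text, 13)


# The table form of the Plain Text / Cipher Text rows above: a -> d, b -> e, ...
CAESAR_TABLE = str.maketrans(ALPHABET, ALPHABET[3:] + ALPHABET[:3])


def caesar_via_table(text: str) -> str:
    """Same cipher for lowercase input, using the character-mapping table."""
    return text.translate(CAESAR_TABLE)


def brute_force(cipher_text: str) -> dict:
    """All 26 candidate plaintexts keyed by shift; the key space is the weakness."""
    return {k: shift_cipher(cipher_text, -k) for k in range(26)}


if __name__ == "__main__":
    print(caesar_encrypt("hello"))      # khoor
    print(caesar_decrypt("khoor"))      # hello
    print(rot13("Hello, World!"))       # Uryyb, Jbeyq!
    print(brute_force("khoor")[3])      # hello
```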