Training Video Course

CS0-002: CompTIA CySA+ Certification Exam (CS0-002)

PDFs and exam guides are not always efficient. Prepare for your CompTIA examination with our training course. The CS0-002 course contains a complete set of videos that provide thorough knowledge of the CompTIA certification exam. Pass the CompTIA CS0-002 test with flying colors.

Rating: 4.49
Students: 125
Price: $14.99 (regular price $16.49)

Curriculum for CS0-002 Certification Video Course

Name of Video  Time

1. Identify Security Control Types (Introduction)  1:00
2. Cybersecurity Roles and Responsibilities (OBJ 5.3)  7:00
3. Security Operations Center (SOC) (OBJ 5.3)  5:00

1. Threat Intelligence Sharing (Introduction)  1:00
2. Security and Threat Intelligence (OBJ 1.1)  5:00
3. Intelligence Cycle (OBJ 1.1)  10:00

1. Classifying Threats (Introduction)  1:00
2. Threat Classification (OBJ 1.1)  9:00
3. Threat Actors (OBJ 1.1)  9:00
4. Malware (OBJ 1.1)  8:00

CompTIA CySA+ CS0-002 Exam Dumps, Practice Test Questions

100% Latest & Updated CompTIA CySA+ CS0-002 Practice Test Questions, Exam Dumps & Verified Answers!
30 Days Free Updates, Instant Download!

CS0-002 Premium File: 422 Questions & Answers (last update: Apr 17, 2024). $39.99 (regular price $43.99)
CS0-002 Training Course: 272 Video Lectures. $14.99 (regular price $16.49)
CS0-002 Study Guide: 1003 Pages. $14.99 (regular price $16.49)

Each product is listed with: Latest Questions, 100% Accurate Answers, Fast Exam Updates.

Free CS0-002 Exam Questions & CS0-002 Dumps

File Name                                                        Size     Votes
comptia.selftestengine.cs0-002.v2023-11-07.by.georgia.162q.vce   6.75 MB  1
comptia.test-inside.cs0-002.v2021-12-14.by.gabriel.171q.vce      5.78 MB  1
comptia.actualtests.cs0-002.v2021-09-20.by.jackson.81q.vce       1.3 MB   1
comptia.selftestengine.cs0-002.v2021-05-18.by.logan.116q.vce     1.33 MB  1
comptia.passcertification.cs0-002.v2021-04-26.by.heidi.87q.vce   1.69 MB  2
comptia.examlabs.cs0-002.v2021-01-28.by.jack.81q.vce             1.13 MB  2

CompTIA CS0-002 Training Course

Want verified and proven knowledge for the CompTIA CySA+ Certification Exam (CS0-002)? ExamSnap's CompTIA CySA+ Certification Exam (CS0-002) video training course, together with our CompTIA CS0-002 exam dumps and practice test questions, provides a complete solution to pass your exam.

Appliance Monitoring

10. Analysis of Security Appliances (OBJ 3.2)

In this lesson, we're going to do some analysis of security appliances. Specifically, we're going to be looking at Security Onion. Now, we already know how to do packet analysis using tools like Wireshark, but that takes a lot of time, because we have to capture all those packets and then search through them line by line until we find the malicious packet we're looking for. We've also talked about IDS and IPS, which use signatures to detect those things inside the packets, and their alerts can be logged into a SIEM so we can search them and identify what we want much more quickly. Security Onion bundles a lot of different security tools, because it works as a security information and event management (SIEM) platform.

It includes Snort, Suricata, and Zeek (formerly known as Bro) as IDS packages, plus the ability to process and analyze all the alerts they generate. So in this lab, we're really going to focus on learning how to use some of the tools inside Security Onion. The first thing we're going to do is configure sniffing. If you look at my network here, you'll see a bunch of switches and a couple of routers, and we have a SIEM, a DC, and a LAMP server. To deploy our IDS on this network, we have to make sure sniffing is enabled and that we're attached to a port that allows it. You can see I have a sensor line going from VLOCAL into SIEM1, and this lets us tap into that network and identify the different traffic going across it. Once I've configured that sensor and attached it, I can start seeing all the traffic going across this part of the network. In this case, the network I'm looking at is 10.10.0.0/24, which contains DC1, a Windows domain controller at 10.10.0.1.

Now, as we go into SIEM1, we're going to start by using Sguil. Sguil is an application inside Security Onion, and it's the way we deal with real-time alerts. As alerts are generated by the different detection systems, Sguil displays them, and we can view those alerts and pivot between analysis tools to look at the different indicators, from packet analysis to log entries and so on. The first thing I have to do when I start Sguil is log in, using the username siem and the password password. From here, I select the network interface I want to monitor, in my case siem-eth1, and click Start SGUIL. Once I do this, it brings up some information right away. This isn't live data; it's just showing me what the tool looks like based on some sample packet captures it already has. On the left there's a color-coded priority. This is the first field, and it tells us the priority of each alert. Red is the highest priority.

Yellow is a bit lower, and the scale continues down from there. As we look at all these alerts, we can see they occurred within a very short time period because of the way these samples were replayed through the sensor. If I select the first alert here, alert ID 3.19, you'll notice the event message. The ET prefix tells us the rule set that produced this match (Emerging Threats), essentially which signature fired. On the right-hand side, you can see this was a scan for potential SSH vulnerabilities. Next, look at the lower right-hand panel: if you check the Show Rule box, you can see the rule that created this alert. This is a Snort IDS rule. Notice it says alert tcp $HOME_NET any -> $EXTERNAL_NET 22, and the message is "ET SCAN Potential SSH Scan OUTBOUND". This tells you what the rule is looking for, and the format should be familiar, because we've already gone through what an IDS rule looks like. So what is this rule trying to do for us? It detects any connection going from the internal network ($HOME_NET) to the external network over port 22: is somebody trying to go outbound with SSH? If so, it logs an alert. If we keep reading the rule, you'll see that count is 5 and seconds is 120. What does that mean?

This rule only fires if it sees five connection attempts to port 22 from the same source within 120 seconds. So if someone tries to connect to port 22 five times within two minutes, it alerts us. Note that if we go to 3.20, there's another match for the same rule, and at 3.27 there's a match for an Nmap scan. Remember, the purpose of Sguil is to manage these events as they come in. When you get an event and see the alert, you can right-click on its fields to bring up contextual menus with different types of actions. For instance, if I right-click the value 4 in the CNT field for alert 3.27, the Nmap scan, I can select View Correlated Events. This shows me the individual packets that were aggregated into that single event, and I can do some basic packet analysis there, then click Close. Now let's right-click the value 3.27 in the Alert ID field, so I can see the menu options without selecting anything. This lets me pivot to other source data in a tool such as Wireshark, NetworkMiner, or Bro, the IDS. Press Escape to cancel the menu. If I right-click the value in the Source IP field, I get menu options here as well. These let me pivot to information already stored about that value elsewhere in the database, or do a quick lookup using an Internet threat intelligence service.

That way I can ask: what do I know about this IP address? Has it attacked me before? Is it attacking the rest of the world? And the lookup gives me those details. Next, I can right-click the value in the field and select Update Event Status, then Cat VI: Reconnaissance/Probes/Scans. Pressing F6 categorizes the other scan alerts the same way. This is how I record that I've seen this, looked at it, and know what it is: reconnaissance, a probe, or a scan, which is a category 6 event. That's the basic way to use Sguil, and there's a lot more to learn about it. I recommend downloading Security Onion and playing with it on your own network. Now let's analyze and prioritize some events. When a rule set presents an alert as high priority, you want to prioritize it for investigation. Alert 3.35 has a higher packet count, because a large amount of data was being downloaded. If I right-click the value 3.35 and select Bro, it opens in that intrusion detection system, and I can analyze the traffic content shown in the new window. Notice the content type here: it says this is an HTML or text file. But if I look at the magic number at the beginning, those first couple of bytes tell me what type of file it really is.

So even though it's labeled a text or HTML file, the bytes show it's an executable: they start with MZ, which is the magic number of a Windows executable. I can extract this binary with a tool like NetworkMiner or Wireshark, run it in a sandbox for dynamic or static analysis, or start reverse engineering it. This is how we use these tools, linking one to the next to get to what we need. Let's close that and take a look at alerts 3.90 and 3.91. Here we detect a different kind of threat: these alerts reference a Common Vulnerabilities and Exposures (CVE) number. The signature tells us it detected an attempt to exploit the Shellshock vulnerability to run an arbitrary command through a web server shell. This is again something we'd want to fix. Using Sguil, we can see that an attack was attempted against this server and then determine whether we are actually vulnerable to it. The last set of events we want to look at starts at alert 3.95. This shows another Trojan being downloaded over port 80, followed by some suspicious outbound traffic over port 443. That looks like a piece of malware being downloaded and executed.
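The check the lesson performs by eye, comparing the declared Content-Type with the magic number at the start of the body, written out as an added Python example (not code from the course, Security Onion, Bro/Zeek or NetworkMiner). The HTTP response is constructed to mimic the alert the lesson pivots into Bro (an executable served as text/html); the headers and bytes are invented, and the carve-and-hash step is a simplified stand-in for extracting the file with NetworkMiner or Wireshark before handing it to a sandbox:

```python
import hashlib

# Magic numbers worth recognising when a download is labelled as text or HTML.
MAGIC = [
    (b"MZ", "application/x-dosexec", "Windows PE executable"),
    (b"\x7fELF", "application/x-executable", "ELF executable"),
    (b"%PDF-", "application/pdf", "PDF document"),
    (b"PK\x03\x04", "application/zip", "ZIP container (docx, jar, apk ...)"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "PNG image"),
]
TEXT_TYPES = ("text/", "application/javascript", "application/json")


def identify(body):
    """Return (mime, description) for a body whose first bytes match a known magic number."""
    for sig, mime, name in MAGIC:
        if body.startswith(sig):
            return mime, name
    return None, None


def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


def content_type_mismatch(raw):
    """(declared, actual, verdict): verdict is None unless a text type carries a binary body."""
    headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual, name = identify(body)
    if actual and declared.startswith(TEXT_TYPES):
        return declared, actual, f"declared {declared} but body starts with {name} magic"
    return declared, actual, None


def carve(raw):
    """Body bytes plus their SHA-256, ready for a sandbox or a threat-intel hash lookup."""
    _, body = split_response(raw)
    return hashlib.sha256(body).hexdigest(), body


# Constructed responses, not from the lab capture: an EXE served as HTML, and a real page.
EXE_AS_HTML = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
               b"Content-Length: 64\r\n\r\n"
               b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48)
REAL_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<!DOCTYPE html><html></html>"

if __name__ == "__main__":
    for raw in (EXE_AS_HTML, REAL_PAGE):
        declared, actual, verdict = content_type_mismatch(raw)
        print(declared, actual, verdict or "consistent")
```

The mismatch test is deliberately one-directional: a text type carrying a binary magic number is the anomaly the lesson describes, whereas a generic application/octet-stream carrying MZ is normal and gets no verdict. The hash is what you would pivot on next, since a reputation lookup on the SHA-256 is cheaper than detonating the sample.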

The Trojan executes and then calls back over port 443 to the attacker to get its command-and-control instructions. If I right-click the alert value 3.148 and select Wireshark, I can analyze that traffic. Notice that on port 443, which is HTTPS, we would expect a legitimate session to start with an SSL/TLS handshake and then proceed to the exchange of encrypted packets. But these packets use a plaintext HTTP POST carrying an encrypted (obfuscated) body. That tells me something is wrong with this traffic, so we'd want to look into it further and do more analysis. Now let's right-click the IP address that starts with 24. Normally, we'd match this address against a blocklist of known bad actors, but this system is isolated and not connected to the Internet. Most commercial tools let you right-click a value and immediately look it up in a local or Internet-connected reputation database, but in my case I'm offline, so I can't do that. Hit Escape to cancel the menu. Next, we want to develop our own custom IDS rules. To do this, I open a terminal and run sudo nano /etc/nsm/rules/local.rules.

That opens the local rule set file so I can make changes. Let's add a line that says # 515support local ICMP detection rules. Because it starts with a hash, this is a comment line and won't be processed as a rule, just like the couple of lines you already see on the screen. If I want an alert that actually fires, I leave off the hash. So I type: alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:1000001; rev:1;). This rule has a header and a body. The header says what to match: any ICMP traffic going from any IP address on any port to your home network. When that matches, the body is applied, and here the body is the message "ICMP detected". Then we have sid, the signature ID, which has to be 1,000,000 or higher; that marks it as a local rule I've created. Then rev, the revision number of this rule; this is my first revision. Each option in the body is separated by semicolons, and you can put lots of different pieces of information in there. To save, I hit Ctrl+O and then Enter, and then Ctrl+X to exit nano. To load the new rule, I run sudo rule-update, which pulls the updated rule set into the intrusion detection system.

To confirm the rule has been loaded, we can use the tail command. If you remember, in Linux the tail command shows you the last lines of a file. So I type tail /etc/nsm/rules/downloaded.rules and hit Enter, and at the end of that file we should see the rule we just entered. That means it worked. So we've made a rule and loaded it, but it's not a very good rule. Why? Because it creates so much noise on the sensor: any time somebody pings into your internal network, it fires, producing a huge number of false positives. So we want to tune the rule and make it more specific. To do this, we go back into nano with sudo nano /etc/nsm/rules/local.rules and edit the rule we just made so it says alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"External ICMP probe detected"; sid:1000001; rev:2;). We keep the same sid and bump the revision number to 2.

This way, we only log ICMP that goes from the external network to the internal network. That removes a lot of the false positives, because I'm really not worried about somebody inside my network pinging things; we do that all the time for troubleshooting. I am worried about somebody pinging from the external network into my internal network, because that may be reconnaissance and scanning. Hit Ctrl+O and Enter to save the file, then Ctrl+X to exit, and run sudo rule-update again to load it. Now let's go back into the terminal and refine the rule once more. Open local.rules again and edit the existing line so it looks like this: alert icmp $EXTERNAL_NET any -> $HOME_NET any (itype:8; msg:"External ICMP probe detected"; detection_filter: track by_src, count 20, seconds 30; priority:4; classtype:icmp-event; sid:1000001; rev:3;).

That is a much more complex rule, so let's look at what it does. It starts with itype:8, which means it only matches ICMP echo requests (type 8), not every kind of ICMP message. The detection_filter sets a rate threshold for the alert: track by_src counts matches per source address over a window of time, so the rule only alerts once a single source exceeds 20 echo requests within 30 seconds. Twenty-some pings from one host in 30 seconds trigger it; ten pings in 30 seconds don't. So if I perform a basic connectivity test by pinging a server four times, I won't trigger the alert. Save with Ctrl+O and Enter, exit with Ctrl+X, and run sudo rule-update once more. I hope you've enjoyed this lesson on Security Onion and its tools. I highly recommend downloading Security Onion. You can download existing malware samples and captured traffic from Security Onion's website to play with, and if you're running the Security Onion VM, sample captures are already there for you in the /opt/samples directory. You can use tcpreplay to play a PCAP back through your sniffing interface, and Sguil will show the resulting alerts.
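The three revisions of the ICMP rule, and the count/seconds threshold on the SSH-scan rule inspected earlier in the lesson, worked through in an added Python example (not code from the course, Snort, Suricata or Security Onion). The rule strings are reconstructed from the lesson's spoken text; the ET SSH rule's exact option text and sid are an assumption, as is modelling the rate limit as a fixed window that opens at a source's first match. The traffic is constructed, not taken from the lab capture:

```python
import ipaddress
import re

RULE_RE = re.compile(   # "action proto src sport -> dst dport (options)"
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# The lesson's local.rules entries, reconstructed from the spoken text.
RULE_REV1 = 'alert icmp any any -> $HOME_NET any (msg:"ICMP detected"; sid:1000001; rev:1;)'
RULE_REV3 = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (itype:8; '
             'msg:"External ICMP probe detected"; detection_filter: track by_src, '
             'count 20, seconds 30; priority:4; classtype:icmp-event; sid:1000001; rev:3;)')
# Assumed text of the ET rule the lesson inspects; its exact options and sid are an assumption.
RULE_SSH = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; '
            'flags:S,12; threshold: type both, track by_src, count 5, seconds 120; sid:2003068; rev:7;)')
HOME_NET = [ipaddress.ip_network("10.10.0.0/24")]   # the subnet the sensor watches in the lesson

def parse_rule(text):
    """Split a one-line rule into header fields plus an ordered (key, value) option list."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule["options"] = []
    for raw in m.group("opts").split(";"):          # none of these msg strings contain ';'
        if raw.strip():
            key, _, val = raw.partition(":")
            rule["options"].append((key.strip(), val.strip().strip('"')))
    return rule

def lint_local_rule(rule):
    """The checks the lesson applies to a local rule: sid range and noisiness."""
    opts, problems = dict(rule["options"]), []
    if int(opts.get("sid", 0)) < 1_000_000:
        problems.append("local rules must use sid >= 1000000")
    if rule["src"] == "any" and not any(k in opts for k in ("detection_filter", "threshold")):
        problems.append("matches every packet from any source with no rate limit: noisy")
    return problems

def _addr_ok(spec, ip):
    in_home = any(ipaddress.ip_address(ip) in net for net in HOME_NET)
    return {"any": True, "$HOME_NET": in_home, "$EXTERNAL_NET": not in_home}[spec]

def rule_matches(rule, pkt):
    """Header match plus the itype option; other payload options are not modelled."""
    opts = dict(rule["options"])
    ports_ok = all(spec == "any" or int(spec) == pkt[key]
                   for spec, key in ((rule["sport"], "sport"), (rule["dport"], "dport")))
    return (rule["proto"] == pkt["proto"] and ports_ok
            and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
            and ("itype" not in opts or int(opts["itype"]) == pkt.get("itype")))

def alerts_for(rule, packets):
    """Timestamps at which the rule alerts after its per-source rate limit is applied.
    detection_filter alerts on every match once a source exceeds `count` within `seconds`;
    threshold type both alerts once when `count` is reached, then stays quiet for the window.
    Both are modelled as a fixed window opened by a source's first match (an assumption)."""
    opts = dict(rule["options"])
    spec = opts.get("detection_filter") or opts.get("threshold") or ""
    limit = dict(re.findall(r"(type|track|count|seconds)\s+([^\s,]+)", spec))
    if limit and (limit.get("track") != "by_src" or limit.get("type", "both") != "both"):
        raise ValueError("rate limit not modelled: " + spec)
    windows, alerts = {}, []                          # src -> (window_start, matches_in_window)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not rule_matches(rule, pkt):
            continue
        if not limit:                                 # no rate limit: every match alerts
            alerts.append(pkt["ts"])
            continue
        count, seconds = int(limit["count"]), int(limit["seconds"])
        start, n = windows.get(pkt["src"], (None, 0))
        if start is None or pkt["ts"] - start >= seconds:
            start, n = pkt["ts"], 0                   # open a fresh window for this source
        n += 1
        windows[pkt["src"]] = (start, n)
        if ("detection_filter" in opts and n > count) or ("threshold" in opts and n == count):
            alerts.append(pkt["ts"])
    return alerts

def _icmp(ts, src, dst="10.10.0.1", itype=8):
    return {"ts": ts, "proto": "icmp", "src": src, "dst": dst, "sport": 0, "dport": 0, "itype": itype}

# Constructed traffic, not taken from the lab capture.
ADMIN_PING = [_icmp(t, "10.10.0.50") for t in range(4)]             # internal troubleshooting ping
EXTERNAL_TEST = [_icmp(t, "203.0.113.5") for t in range(4)]         # four echo requests from outside
PING_SWEEP = [_icmp(t * 0.5, "203.0.113.9") for t in range(25)]     # 25 echo requests in 12 seconds
SSH_SCAN = [{"ts": 10 * i, "proto": "tcp", "src": "10.10.0.77", "dst": "198.51.100.%d" % (i + 1),
             "sport": 40000 + i, "dport": 22} for i in range(6)]    # six SYNs to port 22 in 50 s

def demo():
    rev1, rev3, ssh = parse_rule(RULE_REV1), parse_rule(RULE_REV3), parse_rule(RULE_SSH)
    return {
        "rev1_lint": lint_local_rule(rev1),                           # noisy: any source, no limit
        "rev1_admin_ping": len(alerts_for(rev1, ADMIN_PING)),        # 4: every internal ping alerts
        "rev3_admin_ping": len(alerts_for(rev3, ADMIN_PING)),        # 0: source is not $EXTERNAL_NET
        "rev3_external_test": len(alerts_for(rev3, EXTERNAL_TEST)),  # 0: four pings stay under count
        "rev3_sweep": len(alerts_for(rev3, PING_SWEEP)),             # 5: pings 21 to 25 alert
        "ssh_scan": len(alerts_for(ssh, SSH_SCAN)),                  # 1: once, on the fifth SYN
    }
```

Calling demo() shows why the tuning matters: revision 1 alerts on every one of the admin's four troubleshooting pings, revision 3 ignores them entirely because 10.10.0.50 is not in $EXTERNAL_NET, stays quiet for a four-ping connectivity test from outside, and only starts alerting when a single external source passes 20 echo requests in 30 seconds. One detail worth knowing from the Snort manual: detection_filter fires on the match that exceeds count, so count 20 tolerates twenty pings and alerts on the twenty-first and each one after it, whereas threshold type both (the ET SSH rule) alerts exactly once when count is reached and suppresses the rest of the interval.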

Endpoint Monitoring

1. Endpoint Monitoring (Introduction)

In this section of the course, we're going to cover endpoint monitoring. Our focus in this section continues to be domain 3, with objectives 3.1 and 3.2. Objective 3.1 states that, given a scenario, you must be able to analyze data as part of security monitoring activities. In this particular section, we focus on the security monitoring activities associated with endpoint devices. We'll also cover objective 3.2, which states that, given a scenario, you must implement configuration changes to existing controls to improve security. This includes things like sandboxing, endpoint detection and response (EDR), and creating whitelists and blacklists to control which files are permitted to execute. As we move through this section, we'll start with a discussion of the different methods of endpoint data collection and analysis that we can use within our organizations. After that, we'll explore the concept of sandboxing and how it's used in malware analysis. Speaking of malware analysis, we'll also briefly cover reverse engineering, where an analyst takes a compiled malicious program and determines how it really operates. We'll also discuss the different malware exploitation techniques, such as droppers, downloaders, shellcode, code injection, and living off the land. After all that, we'll use behavioral analysis to distinguish normal from anomalous behavior, and then I'll perform a hands-on demonstration of malware analysis using tools like Process Explorer, netstat, Process Monitor, Sysmon, Autoruns, and more.
Finally, we'll discuss the configuration changes used with endpoint detection and response (EDR) to increase the security of your endpoints, and how you can use blacklisting and whitelisting in your configurations to better protect those devices. It's going to be a busy section with a lot of important subjects, so let's jump right in.

2. Endpoint Analysis (OBJ 3.1)

Endpoint analysis is the monitoring, logging, and analysis of our endpoints. An endpoint is simply any device that we may use to connect to our network: your desktop or laptop at the office is an endpoint, and so is your smartphone or your tablet. As a cybersecurity analyst, you must be able to use tools to identify behavioral anomalies and then recognize the techniques malware uses to achieve privilege escalation and persistence on your host. There are lots of different endpoint protection tools out there, and in this lesson we're going to cover five endpoint security capabilities that we can use for analysis: antivirus, host-based intrusion detection and prevention systems, endpoint protection platforms, endpoint detection and response platforms, and user and entity behavior analytics. Let's talk about each of these in turn.

First, antivirus. It is capable of detecting and removing virus infections and, in most cases, other types of malware such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, denial-of-service tools, and others, which is why it is often called anti-malware as well as antivirus. At this point in your career, you should be pretty familiar with what antivirus and anti-malware are. The next one is the host-based IDS and IPS, or HIDS and HIPS. This is an IDS or IPS that monitors a single computer system for unexpected behavior and drastic changes in system state on that endpoint. Most of these now use signature-based detection via log or file monitoring to determine whether something bad is being attempted on your endpoint.

They may also use file system integrity monitoring to see whether your operating system files, drivers, or applications have been changed. These are all things a host-based intrusion detection or prevention system can help you with, and things a network-based IDS or IPS really can't see. Next we have the endpoint protection platform, or EPP. This is a software agent and monitoring system that performs multiple security tasks: it can do antivirus, host intrusion detection or prevention, a host firewall, data loss prevention (DLP), and file encryption, all in a single product. Essentially, it's your Swiss Army knife of endpoint security tools. There are a lot of EPPs on the market, and every year Gartner publishes its Magic Quadrant, which rates the different products to see who the leaders are, who the challengers are, which are niche players, and which are visionaries. You can see it here on the screen: the top three are Microsoft, CrowdStrike, and Symantec, and all three have strong endpoint protection platforms you can choose from. The next one is EDR, endpoint detection and response. Where EPP is mostly based on signature detection, EDR focuses on behavioral and anomaly analysis. It logs the endpoint's observables and indicators and combines that with analysis to try to figure out what's wrong.

So EDR is a software agent that collects system data and logs for analysis, monitoring the system to provide early detection of threats. Because of that, the aim of EDR is not to prevent initial execution but to provide runtime and historical visibility into a compromise. Once a compromise is detected, it supports the response, helping you as an incident responder gather more information and remediate the host back to a known-good state. The final one is UEBA, user and entity behavior analytics. This is a system that provides automated identification of suspicious activity by user accounts and computer hosts. This solution is less about endpoint data collection and more about the actual process of analyzing the data you're already getting. The idea is to establish a baseline of normal behavior and then treat anything outside that baseline as potentially suspicious and investigate it further. Because UEBA is heavily focused on analytics, with a lot of data to process, UEBA solutions depend on advanced computing techniques such as artificial intelligence and machine learning. There are a lot of players in the UEBA marketplace; two of the big ones right now are Microsoft and Splunk. Microsoft has Microsoft Advanced Threat Analytics, shown in the diagram on the screen. Essentially, an unknown threat comes in and goes into a sandbox environment for detonation.

Based on that, it creates a heuristic-based behavioral model of what it observed and passes that into machine learning, and based on the machine learning models it decides whether or not this is really a threat and whether to let the message through. Splunk, on the other hand, offers Splunk User Behavior Analytics. This tool collects all that data into a dashboard so your analysts can see what threats and anomalies there are, how many users and devices you have, and all the different statistics, then drill down into each area, look at the analytics, and make decisions from there. We've covered these five technologies as if they were clear-cut, with each one doing one thing. But as with everything in security, things evolve and merge together. As a result, many companies now market advanced threat protection (ATP), advanced endpoint protection (AEP), and next-generation antivirus (NGAV), all of which are essentially hybrids of the technologies we discussed here: the endpoint protection platform, endpoint detection and response, and user and entity behavior analytics.
