In this room https://tryhackme.com/room/securityoperations we learn about security operations including what a Security Operations Center (SOC) is, along with the responsibilities taken on by the SOC. We also learn about the services an SOC provides.

What is an SOC?

An SOC also known as a security operations center is a team of IT Security professionals that are responsible for monitoring a company’s network 24/7. The things they are monitoring for include:

  1. Vulnerabilities – while it is not the sole responsibility of the SOC to find vulnerabilities, they help with locating them, for instance when a patch is released for a vulnerability that has been disclosed in an online forum.
  2. Unauthorized Activity – imagine an attacker somehow gets a legitimate employee’s credentials and is able to access company resources. This needs to be stopped immediately, by looking for unusual activity such as a login detected from a location the legitimate user hasn’t logged in from previously.
  3. Policy Violations – each company has its own set of policies, so the violations will vary from one company to the next. For instance, there could be a policy against accessing company data on a personal device or sharing company data via insecure means.
  4. Intrusions – when we hear intrusions you may just think of a hacker getting into the network by exploiting a web application or another vulnerability, but an intrusion could also happen as the result of a user downloading a file or visiting a malicious site that they shouldn’t have.
  5. Support for Incident Response Efforts – an incident can be various things, such as an intrusion attempt, a policy violation, an observation, or something more serious such as a data breach.

Data Sources an SOC Uses

There are multiple sources an SOC uses to monitor activity on a network to look for signs of intrusions or behavior that has malicious intent. Some sources include:

  1. Server Logs – There is a wide array of servers used by companies including, but not limited to: web servers, mail servers, FTP servers, and Active Directory servers. The logs contain crucial information such as successful/unsuccessful login attempts, and when a resource was accessed and by which user or IP address, along with a lot of other information.
  2. DNS (Domain Name System) Activity – DNS is used to map a URL to an IP address. It’s like back when phone books were popular: you would search the phone book for a person’s name (the URL in this metaphor) and next to it you would see that person’s phone number (the IP address in this metaphor). When you want to go to a website such as http://www.google.com your request gets sent to a DNS server that in turn tells your computer the IP address for that resource. These are called DNS queries, which get stored for later research. An SOC can use the logged DNS queries to determine if a computer/server on the network is querying the DNS for malicious domains in an attempt to connect to a malicious IP address.
  3. Firewall Logs – As explained in a previous article, firewalls are devices that allow or block connections based on a defined set of rules. Firewall logs can later be used to see what packets made their way into and/or out of the network.
  4. DHCP (Dynamic Host Configuration Protocol) Logs – DHCP is responsible for assigning a device an IP address that is not already in use when it connects to a network. It’s similar to eating at a restaurant, where your receipt number is unique to your transaction; no one else should have the same receipt number as you. Because of this, DHCP logs can be analyzed to determine which devices have connected to the network.
  5. SIEM (Security Information and Event Management) – while a SIEM itself does not produce logs, it helps the SOC analysts by aggregating all the data from various logs so analysts can see all the information in one place and correlate the data to identify attacks.
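As an added illustration of the correlation a SIEM does across these sources (this is example code written for this write-up, not part of the room), the script below matches constructed DNS query logs against a small constructed blocklist and then uses constructed DHCP lease logs to name the device that held the querying IP at the time of the query. The log formats, hostnames, MACs and domains are all made up; the point is that a DHCP lease must be matched by time, since the same IP can belong to a different device an hour later.

```python
import re
from datetime import datetime

# Constructed sample logs in a simplified text format (not from the room).
DNS_LOG = """\
2024-03-01T09:15:02 client 10.0.0.23 query A updates.example.com
2024-03-01T09:15:09 client 10.0.0.23 query A bad-c2.example.net
2024-03-01T09:16:40 client 10.0.0.41 query A mail.example.com
2024-03-01T09:17:11 client 10.0.0.41 query A bad-c2.example.net
"""
DHCP_LOG = """\
2024-03-01T08:00:00 DHCPACK on 10.0.0.23 to aa:bb:cc:00:00:01 (finance-laptop-07)
2024-03-01T08:05:00 DHCPACK on 10.0.0.41 to aa:bb:cc:00:00:02 (hr-desktop-03)
2024-03-01T09:16:00 DHCPACK on 10.0.0.23 to aa:bb:cc:00:00:09 (guest-phone)
"""
# Constructed blocklist standing in for a threat-intelligence feed.
MALICIOUS_DOMAINS = {"bad-c2.example.net"}

DNS_RE = re.compile(r"^(\S+) client (\S+) query \w+ (\S+)$")
DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((.+)\)$")

def parse_time(stamp):
    return datetime.fromisoformat(stamp)

def parse_dhcp(text):
    """Return a list of (time, ip, mac, hostname) lease events."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((parse_time(m[1]), m[2], m[3], m[4]))
    return leases

def device_for(ip, when, leases):
    """(mac, hostname) holding `ip` at `when`: the latest lease at or before that time."""
    candidates = [l for l in leases if l[1] == ip and l[0] <= when]
    if not candidates:
        return None
    latest = max(candidates, key=lambda l: l[0])
    return latest[2], latest[3]

def find_malicious_lookups(dns_text, dhcp_text, blocklist):
    """DNS queries for blocklisted domains, each attributed to the device that made it."""
    leases = parse_dhcp(dhcp_text)
    findings = []
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if not m or m[3].lower() not in blocklist:
            continue
        when, ip, domain = parse_time(m[1]), m[2], m[3]
        findings.append({"time": m[1], "ip": ip, "domain": domain,
                         "device": device_for(ip, when, leases)})
    return findings
```

Note that 10.0.0.23 is attributed to finance-laptop-07, not to guest-phone, which only obtained that address after the query was made.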

Services Offered by SOCs

Proactive Services

Proactive services refer to the tasks handled by the SOC without any indicator of an intrusion. Example proactive services carried out by the SOC include:

  1. Network Security Monitoring (NSM) – focuses on monitoring and analyzing network traffic data for signs of intrusions.
  2. Threat Hunting – the act of treating the network as already compromised and searching for a threat to confirm the assumption.
  3. Threat Intelligence – gathering information to learn about potential threats/adversaries and their TTPs (Tactics, Techniques, and Procedures) to better protect the company’s network and have a threat-informed defense.

Reactive Services

Reactive services refer to tasks started after an intrusion has occurred. Reactive services that are carried out by the SOC include:

  1. Monitor Security Posture – this is the primary role of the SOC; it includes monitoring the network and computers for security alerts and notifications and responding to them as the need dictates.
  2. Vulnerability Management – finding vulnerabilities in the company’s systems and patching (fixing) them. The SOC aids with this but does not necessarily take care of it themselves.
  3. Malware Analysis – the SOC can do basic analysis of malware retrieved from infected devices; however, the malware will need to be sent to a dedicated team for more advanced analysis.
  4. Intrusion Detection – using an IDS (Intrusion Detection System), the SOC’s job is to maintain such a system, monitor its alerts, and go through its logs as the need dictates.
  5. Reporting – report incidents and alarms, reporting is necessary to ensure a smooth workflow and to support compliance requirements.

Hands-On Experience

In this room the 3rd task is a simulation of the server being attacked on multiple ports from a malicious IP address. To complete the task, after you start the simulation, you have to block all packets coming from the malicious IP address (where the red packets are coming from) and going to the server, using firewall rules. This way none of the malicious packets reach the intended destination, which allows the legitimate packets to pass through and leaves the server with the bandwidth to handle them.
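The room has you spot the attacking source by eye and add the firewall rule by hand. As an added example (written for this write-up, not code from the room), the script below does the same thing from a constructed firewall log: it counts how many distinct ports each source has hit on a destination, flags any source above a threshold, and produces the corresponding iptables DROP rule as a string for an analyst to review. The log format, the IP addresses and the threshold of 5 ports are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a simplified format (not the room's own output).
FIREWALL_LOG = """\
09:00:01 ACCEPT src=198.51.100.8 dst=10.0.0.5 proto=TCP dpt=443
09:00:02 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=21
09:00:02 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=22
09:00:02 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=23
09:00:03 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=80
09:00:03 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=443
09:00:03 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=3389
09:00:04 ACCEPT src=198.51.100.8 dst=10.0.0.5 proto=TCP dpt=80
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dpt=(\d+)")

def ports_per_source(log_text):
    """Map (src, dst) -> set of distinct destination ports seen in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[(m[1], m[2])].add(int(m[4]))
    return seen

def find_multi_port_sources(log_text, threshold=5):
    """Sources that hit at least `threshold` distinct ports on a single destination."""
    hits = [(src, dst, sorted(ports))
            for (src, dst), ports in ports_per_source(log_text).items()
            if len(ports) >= threshold]
    return sorted(hits)

def block_rule(src, dst):
    """iptables rule dropping all traffic from src to dst (the fix the room asks for)."""
    return f"iptables -I INPUT -s {src} -d {dst} -j DROP"

def proposed_rules(log_text, threshold=5):
    """Block rules for every flagged source, for an analyst to review before applying."""
    return [block_rule(src, dst) for src, dst, _ in find_multi_port_sources(log_text, threshold)]

if __name__ == "__main__":
    for rule in proposed_rules(FIREWALL_LOG):
        print(rule)
```

The threshold matters: lowering it to 2 would also flag the ordinary client 198.51.100.8, which only touched ports 80 and 443, so the cut-off has to be tuned to what normal clients of the server actually do.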

Questions / Answers

Task 1:

  1. What does SOC stand for?
    A: Security Operations Center
  2. How many hours a day does the SOC monitor the network?
    A: 24

Task 2:

  1. What does NSM stand for?
    A: Network Security Monitoring

Task 3:

  1. Add the necessary firewall rules to block the ongoing attack. What is the flag that you have received after successfully stopping the attack?
    A: THM{ATTACK_BLOCKED}
