Introduction to Defensive Security

Summary

This TryHackMe room introduces defensive security, contrasting it with the offensive security concepts learned in a prior room. Defensive security focuses on preventing and detecting intrusions. The room covers key aspects of defensive security, including user awareness training, asset management, patching, preventative security devices (firewalls, IPS), logging and monitoring, and an overview of related fields like SOC, threat intelligence, and DFIR.

Key Concepts

  • Defensive Security: Preventing and detecting security intrusions.
  • Blue Team: Security professionals focused on defensive security measures.
  • User Cybersecurity Awareness Training: Educating users to reduce human error vulnerabilities.
  • Asset Management: Documenting and managing all systems and devices to be protected.
  • Patch Management: Regularly updating and patching systems to address known vulnerabilities.
  • Preventative Security Devices: Firewalls and Intrusion Prevention Systems (IPS).
  • Logging and Monitoring: Detecting malicious activities and unauthorized access.
  • Security Operations Center (SOC): A centralized team managing security monitoring and response.
  • Threat Intelligence: Gathering and analyzing information about potential threats.
  • Digital Forensics and Incident Response (DFIR): Investigating security incidents and recovering from attacks.
  • Malware Analysis: Identifying and understanding malicious software.

Relationship to Offensive Security

This room provides a complementary perspective to offensive security, highlighting the importance of a strong defense against the attacks described in the prior Offensive Security Intro room.


Areas of Defensive Security

What is a SOC?

A Security Operations Center (SOC) is a team of cybersecurity professionals who monitor the network and its systems to detect malicious cybersecurity events. The main things a SOC watches for are listed below.

1. Vulnerabilities:

  • Description: System weaknesses (design flaws, coding errors, etc.) that can be exploited by attackers.
  • SOC Role: While remediation (applying patches or mitigations) isn’t always a direct SOC responsibility, the SOC plays a crucial role in detecting vulnerabilities through vulnerability scanning and monitoring tools. They then escalate findings to the appropriate teams for remediation.

2. Policy Violations:

  • Description: Actions by users or systems that violate established security policies. Examples include uploading sensitive data to unauthorized cloud services or using unapproved software.
  • SOC Role: The SOC monitors for policy violations through Security Information and Event Management (SIEM) systems and other monitoring tools. They may trigger alerts, generate reports, and escalate incidents to relevant teams for investigation and disciplinary action.

3. Unauthorized Activity:

  • Description: Access to systems or data by unauthorized individuals. This may result from credential theft, phishing attacks, or other methods of bypassing authentication.
  • SOC Role: The SOC actively monitors for suspicious login attempts, unusual access patterns, and other indicators of compromise (IOCs). They take immediate action to block unauthorized access, often through real-time threat detection and response systems.

4. Network Intrusions:

  • Description: Breaches of network security, often involving malicious actors exploiting vulnerabilities or gaining unauthorized access. This can stem from user actions (e.g., clicking malicious links) or direct attacks on network infrastructure.
  • SOC Role: The SOC uses intrusion detection/prevention systems (IDS/IPS), network traffic analysis, and SIEM tools to detect intrusions. They respond by isolating compromised systems, containing the threat, and initiating incident response procedures.

In summary: The SOC acts as the first line of defense, detecting and responding to a wide range of security incidents to minimize damage and maintain the integrity of the organization’s systems and data. While not directly responsible for all remediation, their detection and response capabilities are critical for effective defensive security.

Threat Intelligence

Threat intelligence is the collection, processing, analysis, and dissemination of information about potential threats to an organization’s systems and data. “Threats” are actions that could negatively impact an organization’s operations or assets.

Purpose: To enable a threat-informed defense. This means proactively preparing defenses based on an understanding of specific threats, their tactics, techniques, and procedures (TTPs), and the likely actors (adversaries) behind them.

Adversaries: The types of adversaries vary greatly depending on the organization. Examples include:

  • Nation-state actors: Government-sponsored groups conducting cyber espionage or attacks for geopolitical reasons.
  • Organized crime groups: Financially motivated groups using ransomware, data theft, or other methods.
  • Hacktivists: Groups motivated by ideology or political causes.
  • Insider threats: Malicious or negligent employees.

The Threat Intelligence Process


  1. Data Collection: Gathering information from various sources, including:

    • Internal sources: Network logs, security alerts, incident reports.
    • External sources: Public threat feeds, security advisories, forums, dark web monitoring.
  2. Data Processing: Organizing and structuring the collected data into a usable format for analysis. This may involve techniques like data normalization, enrichment, and correlation.

  3. Data Analysis: Interpreting the processed data to identify patterns, trends, and potential threats. The analysis aims to:

    • Identify the threat actor (adversary).
    • Determine their motives and goals.
    • Understand their TTPs.
    • Predict their likely actions.
  4. Dissemination: Sharing the analyzed intelligence with relevant teams (SOC, incident response, security engineering) to inform defensive strategies and proactive measures. This may involve creating alerts, reports, or threat models.
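The four steps above, carried through end to end as an added example (this is illustrative code written for these notes, not TryHackMe's material). It assumes a constructed, defanged external feed in "type,indicator,tag,actor" CSV form, one constructed internal IDS alert, and a constructed connection log with "host=… dst=…" fields; the feed name, actor name, hostnames and indicator values are all made up. Collection gathers both sources, processing normalizes (refangs, lowercases) and deduplicates them, analysis correlates the watchlist against the connection log, and dissemination produces the list an analyst would hand to the SOC.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed external feed (defanged, as public feeds often are). Not real IOCs.
EXTERNAL_FEED = """\
# source: example-feed (constructed)
ip,198.51.100[.]23,c2,ExampleActor
domain,Update-Check[.]Example,phishing,ExampleActor
url,hxxp://update-check[.]example/login,phishing,ExampleActor
ip,198.51.100.23,scanner,ExampleActor
"""

# Constructed internal source: an IDS alert naming an address it saw brute-forcing.
INTERNAL_ALERTS = [
    {"type": "ip", "indicator": "192.0.2.77", "tag": "bruteforce-src", "source": "ids"},
]

# Constructed internal proxy/firewall log.
CONNECTION_LOG = """\
2024-05-01T10:00:00 host=ws-017 dst=198.51.100.23 dport=443
2024-05-01T10:00:05 host=ws-017 dst=update-check.example dport=80
2024-05-01T10:01:00 host=ws-042 dst=198.51.100.40 dport=443
2024-05-01T10:02:00 host=srv-db1 dst=192.0.2.77 dport=22
"""

LOG_RE = re.compile(r"host=(?P<host>\S+) dst=(?P<dst>\S+)")


def refang(value):
    """Normalize a possibly defanged indicator: undo [.] / (.) and hxxp, fix case."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    if "://" in v:
        # Lowercase only scheme and host; URL paths can be case-sensitive.
        p = urlparse(v)
        host = p.hostname or ""
        if p.port:
            host += f":{p.port}"
        v = p._replace(scheme=p.scheme.lower(), netloc=host).geturl()
    else:
        v = v.lower()
    return v


def collect():
    """Step 1: gather raw records from the external feed and internal alerts."""
    raw = []
    for line in EXTERNAL_FEED.splitlines():
        if not line or line.startswith("#"):
            continue
        kind, value, tag, actor = line.split(",")
        raw.append({"type": kind, "indicator": value, "tag": tag,
                    "source": "example-feed", "actor": actor})
    for a in INTERNAL_ALERTS:
        raw.append({**a, "actor": None})
    return raw


def process(raw):
    """Step 2: normalize and deduplicate; merge tags/sources/actors per indicator."""
    merged = {}
    for r in raw:
        key = (r["type"], refang(r["indicator"]))
        entry = merged.setdefault(key, {"type": r["type"], "indicator": key[1],
                                        "tags": set(), "sources": set(), "actors": set()})
        entry["tags"].add(r["tag"])
        entry["sources"].add(r["source"])
        if r["actor"]:
            entry["actors"].add(r["actor"])
    return merged


def watchlist(iocs):
    """Enrichment: build a lookup of matchable values, deriving hostnames from URL IOCs."""
    watch = {}
    for (kind, value), entry in iocs.items():
        if kind in ("ip", "domain"):
            watch[value] = entry
        elif kind == "url":
            host = urlparse(value).hostname
            if host:
                watch.setdefault(host, entry)
    return watch


def analyze(watch, log_text):
    """Step 3: correlate the watchlist against internal connection logs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and refang(m["dst"]) in watch:
            hits[m["host"]].add(m["dst"].lower())
    return {h: sorted(v) for h, v in hits.items()}


def disseminate(hits, watch):
    """Step 4: produce the per-host findings an analyst would act on."""
    report = []
    for host in sorted(hits):
        for ind in hits[host]:
            e = watch[ind]
            report.append({"host": host, "indicator": ind, "tags": sorted(e["tags"]),
                           "actors": sorted(e["actors"]), "sources": sorted(e["sources"])})
    return report


def run_pipeline():
    iocs = process(collect())
    watch = watchlist(iocs)
    return iocs, disseminate(analyze(watch, CONNECTION_LOG), watch)
```

Note that the two feed entries for 198.51.100.23 (one defanged, one not) collapse into a single indicator carrying both tags, and that ws-042 produces no finding because 198.51.100.40 is not on the watchlist; the output is only as good as the indicators fed in, which is why the analysis step in real programs also looks at TTPs rather than atomic indicators alone.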

Benefits of Threat Intelligence

  • Proactive Defense: Allows for the development of targeted security measures to mitigate known threats.
  • Improved Incident Response: Faster identification and response to security incidents.
  • Resource Optimization: Focuses resources on the most significant threats.
  • Risk Reduction: Reduces the likelihood and impact of successful attacks.

In short: Threat intelligence transforms raw data into actionable insights that enable organizations to better defend against sophisticated and evolving cyber threats.


Digital Forensics and Incident Response (DFIR)

I. Digital Forensics

  • Definition: The application of scientific methods to investigate digital devices and systems, extracting evidence for legal or security purposes. In defensive security, it focuses on analyzing evidence from security incidents (attacks, data breaches, etc.) to understand the attack, identify perpetrators, and aid in recovery.

  • Key Areas of Analysis:

    • File Systems: Examining storage for installed programs, created/modified/deleted files, and artifacts of malicious activity.
    • System Memory: Analyzing RAM for active malware or processes that might not have left traces on disk.
    • System Logs: Reviewing logs from operating systems and applications to reconstruct events.
    • Network Logs: Analyzing network traffic to identify attack vectors and communication patterns.

II. Incident Response


  • Definition: The process of handling security incidents, aiming to minimize damage and restore systems to a secure state. A well-defined incident response plan is essential.

  • Four Phases of Incident Response:

    1. Preparation: Proactive measures, such as establishing response teams, developing procedures, and implementing security tools.
    2. Detection & Analysis: Identifying and investigating potential security events. Determining the severity and scope of the incident.
    3. Containment, Eradication, & Recovery: Isolating affected systems, removing malware, restoring data, and patching vulnerabilities.
    4. Post-Incident Activity: Creating reports, conducting lessons learned reviews to improve future responses, and updating security procedures.

III. Malware Analysis


  • Definition: The process of examining malicious software (malware) to understand its functionality, behavior, and potential impact.

  • Techniques:

    • Static Analysis: Examining malware without executing it, e.g., inspecting file hashes, embedded strings, imported functions, and the disassembled code to understand its functionality. Packed or obfuscated samples hide much of this, which is one reason dynamic analysis is also needed.
    • Dynamic Analysis: Running malware in a controlled, isolated environment (sandbox) to observe its behavior, such as the files it writes, the processes it starts, and its network activity.
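A first-pass static triage of the kind described above, as an added example written for these notes (not TryHackMe's code and not a real analysis tool). It assumes a constructed byte blob that stands in for a suspicious executable: a PE-like "MZ" header, non-printable filler, and a few embedded strings (process-injection API names, a URL, an IP, and a Run-key path); none of it is real malware. The script hashes the file, extracts printable strings, sorts them into categories an analyst looks for, and gives a crude verdict.

```python
import hashlib
import re

# Constructed stand-in for a suspicious executable. Not real malware.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + bytes(0x80 + (i % 64) for i in range(128))      # non-printable filler
    + b"kernel32.dll\x00"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"\x01\x02\x03"
    + b"http://update-check.example/beacon\x00"
    + b"198.51.100.23\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"
)

# Constructed benign blob for comparison (ELF-like header, one harmless string).
BENIGN = b"\x7fELF" + b"\x00" * 16 + b"hello world\x00" + b"\x00" * 8

# Win32 APIs commonly chained for process injection (assumed watchlist, lowercase).
INJECTION_APIS = {"virtualallocex", "writeprocessmemory", "createremotethread",
                  "ntunmapviewofsection"}
PERSISTENCE_HINTS = ("currentversion\\run",)
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hashes(data):
    """Hashes are the first thing to look up against known-bad databases."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_pe(data):
    """Windows executables start with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def extract_strings(data, min_len=6):
    """Equivalent of the `strings` utility: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def classify(strings):
    """Bucket interesting strings: network indicators, injection APIs, persistence."""
    findings = {"urls": [], "ips": [], "injection_apis": [], "persistence": []}
    for s in strings:
        low = s.lower()
        if URL_RE.match(low):
            findings["urls"].append(s)
        elif IPV4_RE.fullmatch(s):
            findings["ips"].append(s)
        elif low in INJECTION_APIS:
            findings["injection_apis"].append(s)
        elif any(h in low for h in PERSISTENCE_HINTS):
            findings["persistence"].append(s)
    return findings


def triage(data, min_len=6):
    """Static triage report. The score is a crude heuristic for illustration only."""
    strs = extract_strings(data, min_len)
    f = classify(strs)
    score = (len(f["urls"]) + len(f["ips"]) + 2 * len(f["injection_apis"])
             + len(f["persistence"]))
    return {"hashes": hashes(data), "pe": is_pe(data), "strings": strs,
            "findings": f, "verdict": "suspicious" if score >= 3 else "unknown"}
```

The "unknown" verdict for the benign blob is deliberate: an absence of suspicious strings proves nothing, because a packed sample would yield the same empty result, and that is exactly the case that has to go to dynamic analysis.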

Relationship to Other Defensive Security Areas

DFIR strongly interacts with other areas:

  • SOC: The SOC often detects incidents that trigger the DFIR process.
  • Threat Intelligence: Threat intelligence helps inform incident response by providing context about potential attackers and their TTPs.

In summary: DFIR combines forensic investigation with a structured response process to handle security incidents effectively, minimize damage, and improve future defenses and the organization's overall security posture.


Practical Example of Defensive Security

The Scenario

Let us pretend you are a Security Operations Center (SOC) analyst responsible for protecting a bank. This bank’s SOC uses a Security Information and Event Management (SIEM) tool, which gathers security-related information and events from various sources and presents them in one dashboard. If the SIEM finds something suspicious, an alert will be generated.

A monitor showing multiple alerts

Not all alerts are malicious, however. It is up to the analyst to use their expertise in cyber security to investigate which ones are harmful.

For example, you may encounter an alert where a user has failed multiple login attempts. While suspicious, this kind of thing happens, especially if the user has forgotten their password and keeps trying to log in. It becomes far more concerning when the failures come from a single source against many accounts, or when a burst of failures is followed by a successful login.

Additionally, there might be alerts related to connections from unknown IP addresses. An IP address is like a home address for your computer on the Internet—it tells other computers where to send the information you request. When these addresses are unknown, it could mean that someone new is trying to connect or someone is attempting unauthorized access.
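The two alert types just described (repeated failed logins, and connections from unknown IP addresses) implemented as simple SIEM-style correlation rules, as an added example written for these notes (not the room's simulation and not any real SIEM's rule language). It assumes constructed sshd-style authentication log lines, a hypothetical "known" internal range of 10.0.0.0/8, and a threshold of five failures within five minutes; the usernames and addresses are made up. The point is the triage decision: a user who fumbles a password twice and then logs in from an internal address raises nothing, while five failures from an outside address followed by a success raises a high-severity alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample authentication log lines (syslog-like, not real bank data).
SAMPLE_LOGS = """\
2024-05-01T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:03 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:40 auth sshd: Accepted password for alice from 10.0.0.5
2024-05-01T09:10:00 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:10:01 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:10:02 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:10:03 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:10:04 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:10:06 auth sshd: Accepted password for admin from 203.0.113.7
2024-05-01T09:30:00 auth sshd: Accepted password for bob from 10.0.1.20
"""

# Assumed "known" address space: the bank's internal network (hypothetical).
KNOWN_NETWORKS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into structured events; skip lines we do not understand."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def is_known_ip(ip):
    """True if the address falls inside one of the known networks."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def triage(events, threshold=5, window=timedelta(minutes=5)):
    """Correlate events into alerts the way a simple SIEM rule set would.

    Rule 1: `threshold` failures for the same (user, ip) inside `window` -> brute_force.
    Rule 2: a successful login that follows such a burst, or that comes from an
            unknown source IP -> suspicious_login (high if both apply, else medium).
    """
    alerts = []
    failures = defaultdict(list)   # (user, ip) -> timestamps of recent failures
    reported = set()               # (user, ip) pairs already flagged as brute force
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        # Keep only failures inside the sliding window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            if len(failures[key]) >= threshold and key not in reported:
                reported.add(key)
                alerts.append({"type": "brute_force", "user": ev["user"], "ip": ev["ip"],
                               "severity": "medium",
                               "detail": f"{len(failures[key])} failures within {window}"})
            continue
        # Successful login: decide whether it deserves an analyst's attention.
        reasons = []
        if len(failures[key]) >= threshold:
            reasons.append(f"success after {len(failures[key])} failures")
        if not is_known_ip(ev["ip"]):
            reasons.append("source IP outside known networks")
        if reasons:
            alerts.append({"type": "suspicious_login", "user": ev["user"], "ip": ev["ip"],
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "detail": "; ".join(reasons)})
    return alerts
```

Running `triage(parse_events(SAMPLE_LOGS))` yields exactly two alerts, both for the admin account from 203.0.113.7; alice's two failures never cross the threshold and bob's login from a known address is ignored. Real rule sets add the other direction too (one source failing against many different accounts, i.e. password spraying), which this example deliberately leaves out.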

Simulating a SIEM

We have prepared a simplified, interactive simulation of a SIEM system to provide you with a hands-on experience similar to what cyber security analysts encounter.

To start this simulation, please click the “View Site” button below.


This action will open a “static site” on the right side of your screen. Follow the step-by-step instructions provided within the simulation to navigate through the events and locate the “flag.” A flag is a series of characters with a format like this: “THM{RANDOM_WORDS}“. Use this flag to answer questions from rooms here in TryHackMe, like the one below.

What’s next?

In this room, we’ve discussed the different subfields (SOC, Threat Intelligence, Malware Analysis, and DFIR) and experienced firsthand how to deal with alerts in a simulated SIEM environment. While we’ve covered a lot, the depth and complexity of this field mean there’s more to learn and explore. The lessons learned here will serve as your foundation as cyber threats evolve, demanding continuous learning, vigilance, and adaptation.

Continue learning by checking out the next room in this series, “Search Skills.” This room will teach you valuable techniques for searching for information online to aid your investigations and learning.

If you want to skip ahead and learn more about the topics discussed in this room, the following rooms are recommended: