Chapter 1. Cybersecurity and the Security Operations Center

The danger

War stories

Hijacked People

Fighters in the war against cyber-crime

Threat actors

While in a coffee shop, Alice connected to a "rogue" wireless hotspot and then logged onto her bank's website. A hacker hijacked her session and gained access to her bank accounts.

Ransomed companies

Bob works in the finance department. He received an email with a PDF file supposedly containing earnings information; he knew nothing about it and opened the file out of curiosity. The file was ransomware (a type of malicious software): it gathered all the information on the computer and encrypted it, and the hacker demanded a ransom to decrypt the data.

🎥 Ransomware - Anatomy of an Attack, See how an effective ransomware attack comes together. This is why today's enterprises require effective security.

Targeted Nations

Experts believe that some "malicious software" (malware) is so sophisticated that only a nation could have developed it, targeting other nations in order to attack their vulnerable infrastructure, e.g. water systems.

The Stuxnet worm was malware that spread through infected USB drives.

What's next after this chapter

Zero Days (movie): it is about the Stuxnet worm (trailer).

Learn about the WannaCry ransomware worm: https://www.avast.com/c-wannacry

Stuxnet was designed to infiltrate Windows operating systems and then target Step 7 software.

Step 7 was developed for programmable logic controllers (PLCs). Stuxnet targeted specific PLCs that control the centrifuges in nuclear facilities. The worm was transmitted from the infected USB drives into the PLCs and eventually damaged many of these centrifuges.

Lab – Installing the CyberOps Workstation Virtual Machine

Import the OVA into your virtualization program: http://static-course-assets.s3.amazonaws.com/CyberOps/cyberops_workstation.ova (during this process, if you are using VirtualBox, make sure to check "Reinitialize the MAC address of all network cards").

Once you have imported the OVA, start the virtual machine. If you get a dialog box, click Change Network Settings and set your Bridged Adapter. Click the dropdown list next to Name and choose your network adapter (this will vary for each computer).

Note: If your network is not configured with DHCP services, click Change Network Settings and select NAT in the Attached to dropdown box. The network settings can also be accessed via Settings in the Oracle VirtualBox Manager or, in the virtual machine menu, by selecting Devices > Network > Network Settings. You may need to disable and re-enable the network adapter for the change to take effect.

Username: analyst
Password: cyberops

Amateurs

Also known as script kiddies, amateurs have little or no skill. They often use existing tools or instructions found on the Internet to launch attacks. Some are just curious, while others try to demonstrate their skills by causing harm. Even though they are using basic tools, the results can still be devastating.

Hacktivists

Hackers who protest against a variety of political and social ideas. Hacktivists publicly protest against organizations or governments by posting articles and videos, leaking sensitive information, and disrupting web services with illegitimate traffic in distributed denial of service (DDoS) attacks.

Motivation

Financial Gain: Much of the hacking activity that consistently threatens our security is motivated by financial gain. These cybercriminals want to gain access to our bank accounts, personal data, and anything else they can leverage to generate cash flow.

Trade Secrets and Global Politics

Nation states are:
- hacking other countries
- interfering with internal politics
- interested in using cyberspace for industrial espionage

The theft of intellectual property can give a country a significant advantage in international trade.

How Secure is the Internet of Things?

The IoT helps individuals connect things to improve their quality of life. For example, many people are now using connected wearable devices to track their fitness activities.

Many devices on the Internet are not updated with the latest firmware. Some older devices were not even developed to be updated with patches. These two situations create opportunity for threat actors and security risks for the owners of these devices.

In October 2016, a DDoS attack against the domain name provider Dyn took down many popular websites.

The attack came from a large number of webcams, DVRs, routers, and other IoT devices that had been compromised by malicious software.

These devices formed a “botnet” that was controlled by hackers. This botnet was used to create an enormous DDoS attack that disabled essential Internet services.

Threat impact

Lost Competitive Advantage

Companies are worried about corporate espionage in cyberspace. An additional major concern is the loss of trust that comes when a company is unable to protect its customers’ personal data. The loss of competitive advantage may come from this loss of trust rather than another company or country stealing trade secrets.

PII and PHI

One of the more lucrative goals of cybercriminals is obtaining lists of PII that can then be sold on the dark web. The dark web can only be accessed with special software and is used by cybercriminals to shield their activities. Stolen PII can be used to create fake accounts, such as credit cards and short-term loans.

A subset of PII is protected health information (PHI). The medical community creates and maintains electronic medical records (EMRs) that contain PHI.

In the U.S., handling of PHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA).

Personally identifiable information (PII) is any information that can be used to positively identify an individual.

Name, Social Security number, birthdate, credit card numbers, bank account numbers, government-issued ID, address information (street, email, phone numbers).

Politics and National Security

Stuxnet is a prime example of a network attack motivated by national security concerns. Cyberwarfare is a serious possibility. State-supported hacker warriors can cause disruption and destruction of vital services and resources within an enemy nation.

Hacker: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term. See also: cracker. (RFC 193)

RAE definition: A person with great skill in handling computers who investigates a computer system in order to report its flaws and develop techniques for improvement.

Types

Gray hat hackers: they find vulnerabilities without permission but write reports to alert the affected companies.

White hat hackers: they find and exploit vulnerabilities with prior permission.

Black hat hackers: they exploit vulnerabilities WITHOUT permission and for their own benefit.

Becoming a Defender

The Modern Security Operations Center

Enterprise and Managed Security

Organizations will benefit from implementing an enterprise-level SOC. The SOC can be a complete in-house solution. However, many larger organizations will outsource at least part of the SOC operations to a security solutions provider.

Cisco has a team of experts who help ensure timely and accurate incident resolution. Cisco offers a wide range of incident response, preparedness, and management capabilities:

Cisco's Safety and Physical Security Program

Cisco Tactical Operations (TacOps)

Cisco Managed Services

Cisco Computer Security Incident Response Team (CSIRT)

Cisco Product Security Incident Response Team (PSIRT)

Cisco Smart Net Total Care Service for Rapid Problem Resolution

Elements of a SOC

Security Operations Centers provide a broad range of services, from monitoring and management to comprehensive threat solutions and hosted security that can be customized to meet customer needs.

Elements

People: The SANS Institute (www.sans.org) classifies the roles people play in a SOC into four job titles:

Tier 1 Alert Analyst: These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.

Tier 2 Incident Responder: These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.

Tier 3 Subject Matter Expert (SME)/Hunter: These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools.

SOC Manager: This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst.

Processes

If a ticket cannot be resolved, the Tier 1 Analyst will forward the ticket to a Tier 2 Analyst for deeper investigation and remediation. If the Tier 2 Analyst cannot resolve the ticket, she will forward it to a Tier 3 Analyst with in-depth knowledge and threat hunting skills.

The day of a Tier 1 Analyst begins with monitoring security alert queues. A ticketing system is frequently used to allow analysts to select alerts from a queue to investigate.

One job of the Tier 1 Analyst might be to verify that an alert represents a true security incident. When verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon, or resolved as a false alarm.

Technology

A SOC needs a security information and event management system (SIEM), or its equivalent.

SOC technologies include one or more of the following:
- Event collection, correlation, and analysis
- Security monitoring
- Security control
- Log management
- Vulnerability assessment
- Vulnerability tracking
- Threat intelligence

Security vs. Availability

Most enterprise networks must be up and running at all times. Security personnel understand that for the organization to accomplish its priorities, network availability must be preserved.

Each business or industry has a limited tolerance for network downtime.

Security cannot be so strong that it interferes with the needs of employees or business functions. It is always a tradeoff between strong security and permitting efficient business functioning.

Certifications

(ISC)² Information Security Certifications

(ISC)² is an international non-profit organization that offers the highly acclaimed CISSP.

CompTIA Cybersecurity Analyst Certification (CySA+)

CCNA Cyber Ops

Global Information Assurance Certification (GIAC)

Further Education

Degrees

Python Programming

Sources of Career Information

CareerBuilder.com

Indeed.com

USAJobs.gov

LinkedIn

Getting Experience

Temporary Agencies

Internships

Your First Job: Working for a call center or support desk may be your first step into gaining the experience you need to move ahead in your career.