Task 1 Introduction To Defensive Security
Offensive security focuses on one thing: breaking into systems. Breaking into systems might be
achieved through exploiting bugs, abusing insecure setups, and taking advantage of unenforced
access control policies, among other things. Red teams and penetration testers specialize in
offensive security.
Defensive security is somewhat the opposite of offensive security, as it is concerned with two
main tasks: preventing intrusions from occurring, and detecting intrusions when they do occur and
responding properly. Tasks that fall under defensive security include the following:
User cyber security awareness: Training users about cyber security helps protect against
various attacks that target their systems.
Documenting and managing assets: We need to know the types of systems and devices
that we have to manage and protect properly.
Updating and patching systems: Ensuring that computers, servers, and network devices
are correctly updated and patched against any known vulnerability (weakness).
Setting up preventative security devices: firewall and intrusion prevention systems (IPS)
are critical components of preventative security. Firewalls control what network traffic
can go inside and what can leave the system or network. IPS blocks any network traffic
that matches present rules and attack signatures.
Setting up logging and monitoring devices: Without proper logging and monitoring of the
network, it won’t be possible to detect malicious activities and intrusions. If a new
unauthorized device appears on our network, we should be able to know.
There is much more to defensive security, and the list above only covers a few common topics.
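The last two items above (keeping an asset inventory, and knowing when an unknown device shows up on the network) can be tied together with a small script. This is an added example and not part of the original room; the inventory, the dnsmasq-style DHCP log lines and the MAC addresses are all constructed sample data.

```python
"""Added example: flag devices seen in DHCP logs that are not in the asset inventory.
The inventory and log lines below are constructed sample data, not from any real network."""
import re

# Constructed asset inventory (hypothetical): MAC address -> owner/description.
ASSET_INVENTORY = {
    "aa:bb:cc:00:00:01": "file-server-01",
    "aa:bb:cc:00:00:02": "hr-laptop-07",
    "aa:bb:cc:00:00:03": "printer-floor2",
}

# Constructed DHCP server log lines in a dnsmasq-like format (sample data).
SAMPLE_DHCP_LOG = """\
Mar 14 09:01:12 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 10.0.0.21 aa:bb:cc:00:00:01 file-server-01
Mar 14 09:02:45 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 10.0.0.34 aa:bb:cc:00:00:02 hr-laptop-07
Mar 14 09:05:03 gw dnsmasq-dhcp[842]: DHCPDISCOVER(eth0) de:ad:be:ef:13:37
Mar 14 09:05:04 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 10.0.0.99 de:ad:be:ef:13:37 android-7f2
Mar 14 09:07:19 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 10.0.0.34 aa:bb:cc:00:00:02 hr-laptop-07
"""

# Only DHCPACK lines matter: they record an address that was actually handed out.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: DHCPACK\(\S+\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)

def parse_dhcp_acks(log_text):
    """Return one dict (ts, ip, mac, host) per DHCPACK line in the log."""
    acks = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            acks.append(m.groupdict())
    return acks

def find_unknown_devices(log_text, inventory):
    """Return {mac: {"ip", "host", "first_seen"}} for MACs that are not in the inventory."""
    unknown = {}
    for ack in parse_dhcp_acks(log_text):
        mac = ack["mac"].lower()
        if mac not in inventory and mac not in unknown:
            unknown[mac] = {"ip": ack["ip"], "host": ack["host"], "first_seen": ack["ts"]}
    return unknown

if __name__ == "__main__":
    for mac, info in find_unknown_devices(SAMPLE_DHCP_LOG, ASSET_INVENTORY).items():
        print(f"ALERT unknown device {mac} got {info['ip']} ({info['host']}) at {info['first_seen']}")
```

In practice the inventory would come from the asset-management system and the log from the DHCP server or a log collector; the same check works on ARP tables or switch MAC-address tables.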
In this task, we will cover two main topics related to defensive security: security operations,
which covers various tasks to ensure protection, one of which is threat intelligence; and digital
forensics and incident response (DFIR), which also covers malware analysis.
Threat Intelligence
In this context, intelligence refers to information you gather about actual and potential enemies.
A threat is any action that can disrupt or adversely affect a system. Threat intelligence aims to
gather information to help the company better prepare against potential adversaries. The purpose
would be to achieve a threat-informed defense. Different companies have different adversaries.
Some adversaries might seek to steal customer data from a mobile operator; however, other
adversaries are interested in halting the production in a petroleum refinery. Example adversaries
include a nation-state cyber army working for political reasons and a ransomware group acting
for financial purposes. Based on the company (target), we can anticipate which adversaries it is
likely to face.
Intelligence needs data. Data has to be collected, processed, and analyzed. Data collection is
done from local sources such as network logs and public sources such as forums. Processing of
data aims to arrange them into a format suitable for analysis. The analysis phase seeks to find
more information about the attackers and their motives; moreover, it aims to create a list of
recommendations and actionable steps.
Learning about your adversaries allows you to know their tactics, techniques, and procedures. As
a result of threat intelligence, we identify the threat actor (adversary), predict their activity, and
consequently, we will be able to mitigate their attacks and prepare a response strategy.
This section is about Digital Forensics and Incident Response (DFIR), and we will cover:
Digital Forensics
Incident Response
Malware Analysis
Digital Forensics
Forensics is the application of science to investigate crimes and establish facts. With the use and
spread of digital systems, such as computers and smartphones, a new branch of forensics was
born to investigate related crimes: computer forensics, which later evolved into digital forensics.
In defensive security, the focus of digital forensics shifts to analyzing evidence of an attack and
its perpetrators and other areas such as intellectual property theft, cyber espionage, and
possession of unauthorized content. Consequently, digital forensics will focus on different areas
such as:
File System: Analyzing a digital forensics image (low-level copy) of a system’s storage
reveals much information, such as installed programs, created files, partially overwritten
files, and deleted files.
System memory: If the attacker is running their malicious program in memory without
saving it to the disk, taking a forensic image (low-level copy) of the system memory is
the best way to analyze its contents and learn about the attack.
System logs: Each client and server computer maintains different log files about what is
happening. Log files provide plenty of information about what happened on a system.
Some traces will be left even if the attacker tries to clear their traces.
Network logs: Logs of the network packets that have traversed a network would help
answer more questions about whether an attack is occurring and what it entails.
Incident Response
An incident usually refers to a data breach or cyber attack; however, in some cases, it can be
something less critical, such as a misconfiguration, an intrusion attempt, or a policy violation.
Examples of a cyber attack include an attacker making our network or systems inaccessible,
defacing (changing) the public website, and data breach (stealing company data). How would
you respond to a cyber attack? Incident response specifies the methodology that should be
followed to handle such a case. The aim is to reduce damage and recover in the shortest time
possible. Ideally, you would develop a plan ready for incident response.
1. Preparation: This requires a team trained and ready to handle incidents. Ideally, various
measures are put in place to prevent incidents from happening in the first place.
2. Detection and Analysis: The team has the necessary resources to detect any incident;
moreover, it is essential to further analyze any detected incident to learn about its
severity.
3. Containment, Eradication, and Recovery: Once an incident is detected, it is crucial to stop
it from affecting other systems, eliminate it, and recover the affected systems. For
instance, when we notice that a system is infected with a computer virus, we would like
to stop (contain) the virus from spreading to other systems, clean (eradicate) the virus,
and ensure proper system recovery.
4. Post-Incident Activity: After successful recovery, a report is produced, and the learned
lesson is shared to prevent similar future incidents.
Malware Analysis
Malware stands for malicious software. Software refers to programs, documents, and files that
you can save on a disk or send over the network. Malware includes many types, such as:
A virus is a piece of code (part of a program) that attaches itself to a program. It is designed
to spread from one computer to another; moreover, it works by altering, overwriting, and
deleting files once it infects a computer. The result ranges from the computer becoming
slow to unusable.
A Trojan horse is a program that shows one desirable function but hides a malicious
function underneath. For example, a victim might download a video player from a shady
website that gives the attacker complete control over their system.
Ransomware is a malicious program that encrypts the user’s files. Encryption makes the
files unreadable without knowing the encryption password. The attacker offers the user
the encryption password if the user is willing to pay a “ransom.”
Malware analysis aims to learn about such malicious programs using various means:
1. Static analysis works by inspecting the malicious program without running it. Usually,
this requires solid knowledge of assembly language (processor’s instruction set, i.e.,
computer’s fundamental instructions).
2. Dynamic analysis works by running the malware in a controlled environment and
monitoring its activities. It lets you observe how the malware behaves when running.
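A first static-analysis pass does not require disassembly at all: hashing the file (so it can be looked up in threat-intelligence sources) and pulling out its printable strings already reveals a lot. This is an added example, not code from the original room; the sample bytes, the URL and the API watchlist are constructed, and nothing in the sample is ever executed.

```python
"""Added example (not from the original room): a first static-analysis pass over a sample file.
The sample bytes are constructed here so the script runs offline; the sample is never executed."""
import hashlib
import re

# Constructed stand-in for a suspicious file: binary padding with a few embedded strings.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n\x00\x00"
    b"\x01\x02\x03http://example.invalid/update.bin\x00\x07\x08"
    b"\x00VirtualAlloc\x00WriteProcessMemory\x00\x00\x00"
    b"\x00\x00ab\x00cmd.exe /c whoami\x00\xde\xad\xbe\xef"
)

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")   # printable ASCII runs of 4+ characters
URL_RE = re.compile(r"https?://[^\s\x00]+")
# Hypothetical watchlist of API names an analyst would want to review if they appear.
API_WATCHLIST = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}

def file_hashes(data):
    """Hashes used to identify a sample and look it up in threat-intelligence sources."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data):
    """Equivalent of the `strings` tool: printable ASCII runs found in the raw bytes."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]

def triage(data):
    """Summarise what static inspection alone reveals, without running the sample."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_pe_like": data[:2] == b"MZ",          # Windows executables start with "MZ"
        "urls": [u for s in strings for u in URL_RE.findall(s)],
        "apis": sorted({s for s in strings if s in API_WATCHLIST}),
        "commands": [s for s in strings if s.startswith("cmd.exe")],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

Anything this pass finds (hashes, contacted hosts, suspicious API names) is a starting point for the deeper static work with a disassembler, or for confirming the behaviour with dynamic analysis in a sandbox.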