Differences
This shows you the differences between two versions of the page.
btkb:start [2021/05/28 18:48] – [Security Log Monitoring] seb | btkb:start [2022/01/07 01:41] (current) – seb | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Blue Team Knowledge Base ====== | ====== Blue Team Knowledge Base ====== | ||
- | + | Blue Team members are the defenders | |
- | {{ : | + | |
- | As defenders | + | |
- | + | ||
- | Here is a 4:34 min video for an overview of the NIST CSF: | + | |
- | {{youtube> | + | |
- | + | ||
- | + | ||
- | \\ If you don't like to orient yourself with the help of a framework, here are some links to other explanations | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | + | ||
- | \\ Although you will never actually work in the below workflow, it makes sense from a theoretical perspective and lets us put everything into buckets :-) | + | |
- | + | ||
- | {{: | + | |
---- | ---- | ||
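Review bot: The rewritten intro keeps only "Blue Team members are the defenders" and drops the NIST CSF orientation (the 4:34 min video, the workflow image and the "put everything into buckets" framing) with no forward pointer; the five-function structure that organised the old page (Identify, Protect, Detect, Respond, Recover) now survives only as the Theory link to btkb:nistcsf:start further down, so the intro should say in one sentence that the framework view moved there, otherwise the practical lists that follow read as unrelated to it.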
- | ===== Identify | + | ===== Practical Guides |
- | > // In a Nutshell: Know what you need to protect! // | + | ==== Desktop Security ==== |
- | To be able to protect your networks, systems, and identities, you need to know them. And while that is easy in a small business or home network, it becomes a huge task in an enterprise network. Depending on the size of the network(s) you are supposed to protect, you will need a spreadsheet, | + | === General Guidelines for Desktops === |
- | * Computers are connected through networks in our days. In addition IT departments are always busy and under-resourced, | + | * Use an OS that is still supported by the vendor and receives security updates regularly. |
- | * Most likely you are not responsible for the configuration and maintenance of all computers on your internal networks. Therefore, you do not know what state all the computers are in and whether they have any vulnerabilities (software bugs, weak configurations), | + | * Install security updates at least monthly. |
- | * Without knowing all your assets you will not be able to implement detection mechanisms that make you aware of potential or real compromises, | + | * Use a reasonably [[btkb: |
- | * Without knowing all your networks and assets, it will be very hard to respond to incidents and contain/ | + | * Enable |
+ | * Install an [[btkb: | ||
+ | * Don't use the computer with administrative privileges. | ||
+ | * If the device is mobile (laptops), [[btkb: | ||
- | \\ There are 3 disciplines in the **Identify** function: | + | === Security Guides for Desktop OS === |
- | | + | * [[btkb:linux-desktop|Securing Linux Desktop]] |
- | | + | * [[btkb:mac-os|Securing Macs]] |
- | | + | * [[btkb:windows-desktop|Securing Windows Desktop]] |
- | \\ === Relevant Wikipedia Articles | + | === Advanced Desktop Security |
- | * [[wp> | + | * [[btkb:edr|Endpoint Detection & Response]] |
- | * [[wp> | + | * [[btkb: |
---- | ---- | ||
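Review bot: In the new General Guidelines for Desktops, "Install security updates at least monthly" sets a floor that readers will take as the target cadence; for desktops the stronger guidance is to enable the OS and browser automatic updates and treat monthly as the latest acceptable point for anything that needs a manual step. Suggest: "* Enable automatic updates; anything that must be installed by hand goes in at least monthly." That also keeps the item consistent with the first bullet, which already asks for an OS that "receives security updates regularly".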
- | ===== Protect ===== | + | ==== Server Security |
- | > // In a Nutshell: Minimize Attack Surface! // | + | === General Guidelines for Servers === |
+ | * Use an OS that is still supported by the vendor and receives security updates regularly. | ||
+ | * Only install software that is actually needed for the specific role of the server. | ||
+ | * Patch all software on the server at least monthly. | ||
+ | * Enable the [[btkb:hostfirewall|host firewall]] that comes with the server' | ||
+ | * Change all default password to complex and long passwords. | ||
- | Protection should be applied to Networks, Systems, and Identities. | + | === Security Guides for specific Servers |
- | + | * [[btkb:linux-server|Securing Linux Servers]] | |
- | ==== Network Protections ==== | + | * [[btkb:windows-server|Securing Windows Servers]] |
- | In the network layer of IT infrastructures the following protective technologies are available: | + | |
- | * [[btkb:networkfirewalls|Network Firewalls]] | + | |
- | * [[btkb: | + | |
- | * [[btkb: | + | |
- | * [[btkb: | + | |
- | + | ||
- | ==== System Protections ==== | + | |
- | Systems can be protected in Active and Passive ways. Active Protections include things like Anti-Virus solutions. Passive Protections are usually based on System Hardening practices. Here are some system protection techniques: | + | |
- | * [[btkb:av|Anti-Virus]] | + | |
- | * [[btkb:nextgenav|Next Generation Anti-Virus]] | + | |
- | * [[btkb: | + | |
- | * [[btkb: | + | |
- | * [[btkb: | + | |
- | + | ||
- | ==== Identity Protections ==== | + | |
- | Identities are user accounts in your central user directory (i.e. Active Directory) or local user accounts on your systems. User accounts can be normal user accounts or privileged user accounts. Privileged user accounts should be protected better because they often have wide-reaching permissions on many systems. Within the realm of IDentity Protection there are two main topics that are worth building programs around: | + | |
- | * [[btkb: | + | |
- | * [[btkb:pam|Privileged Access Management (PAM)]] | + | |
---- | ---- | ||
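Review bot: "Change all default password to complex and long passwords" in General Guidelines for Servers has a singular/plural slip ("default passwords"), and changing the password is only half of the default-credential cleanup: default accounts and services the server's role does not need should be disabled or removed rather than given new passwords, which matches the "Only install software that is actually needed for the specific role of the server" item two lines above. Suggest: "* Change all default passwords to long, complex ones, and disable default accounts the role does not need."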
- | ===== Detect ===== | + | ===== Theory |
- | + | * [[btkb:nistcsf:start|NIST Cyber Security | |
- | > // In a Nutshell: Be the first to know that something malicious is happening in your environment! // | + | |
- | + | ||
- | There is this old quote: There are only two types of companies: The ones that have been hacked and the ones that don't know that they have been hacked. (However, now in 2021 literally everyone has been hacked.) | + | |
- | + | ||
- | Detection of suspicious and malicious activity on your networks & systems and with your identities & data will give you the opportunity to do something about it before it results in huge headaches. The two biggest technology areas within detection are network security monitoring (capture network traffic and analyze it) and security log monitoring (collect all security logs and analyze them). | + | |
- | + | ||
- | ==== Network Security Monitoring ==== | + | |
- | With the arrival of broad encryption of network traffic this discipline has changed dramatically in the last couple of years. Due to the applied cryptography to most network connections it becomes increasingly harder to analyze the payload of network packets. For this reason this technology field is currently changing towards analyzing the meta data of network traffic. Meta data of network traffic includes what types of connections have been made between which systems and how much data was exchanged. | + | |
- | + | ||
- | === Network Security Monitoring Tools === | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | + | ||
- | === Relevant Wikipedia Pages === | + | |
- | * [[wp> Intrusion_detection_system]] | + | |
- | * … | + | |
- | + | ||
- | ==== Security Log Monitoring ==== | + | |
- | The Security Log Monitoring field splits into three disciplines - The production of Logs, the Collection of Logs, and the Analysis of Logs. | + | |
- | + | ||
- | === Producing Security Logs === | + | |
- | There are many different types of security logs - Here are some examples: | + | |
- | * EDR Logs | + | |
- | * Anti-Virus Logs | + | |
- | * OS Security Logs | + | |
- | * Authentication Logs | + | |
- | * Firewall Logs | + | |
- | + | ||
- | In most cases the default settings of the Log Sources are insufficient, | + | |
- | + | ||
- | === Collecting Security Logs === | + | |
- | The collection of security logs is usually done with a Security Incident & Event Monitoring (SIEM) tool. SIEMs need a lot of storage for storing all the collected logs. Log Retention is what you use to define how much log data you keep around for how long, which will help you limiting costs. Most setups use a retention period between 30 days and 1y, with 90 days being the most practical. | + | |
- | + | ||
- | == SIEM tools == | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | + | ||
- | === Analyzing Security Logs === | + | |
---- | ---- | ||
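Review bot: This region removes the whole Detect section, including the only operational guidance on the old page (default log-source settings are insufficient and need tuning; SIEM retention between 30 days and 1 year with 90 days as the practical choice; network security monitoring moving towards connection metadata because payloads are encrypted), while the new side adds only the Theory link to btkb:nistcsf:start. Unless that material was moved to a sub-page, the Practical Guides section should get a link to it so the logging and retention advice is not lost. If the text is migrated, also correct the acronym expansion: SIEM stands for Security Information and Event Management, not "Security Incident & Event Monitoring".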
- | ===== Respond ===== | + | ~~DISCUSSION~~ |
- | + | ||
- | > // In a Nutshell: Kick em out! // | + | |
- | + | ||
- | ---- | + | |
- | + | ||
- | ===== Recover ===== | + | |
- | + | ||
- | > // In a Nutshell: Rebuild what has been brought down and learn from what happened! // | + | |
- | + |
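Review bot: Replacing the Respond and Recover sections with only ~~DISCUSSION~~ leaves the new page without any mention of incident response or recovery, not even as a stub; the old entries were one-line nutshells ("Kick em out!", "Rebuild what has been brought down and learn from what happened!") but they at least marked the gap. Suggest keeping a Theory or Practical Guides entry for incident response and recovery so the page still covers the whole lifecycle, or stating that those topics now live under btkb:nistcsf:start.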