btkb:start [2021/06/01 04:09] sebbtkb:start [2022/01/07 01:41] (current) seb
Line 1: Line 1:
 ====== Blue Team Knowledge Base ====== ====== Blue Team Knowledge Base ======
- +Blue Team members are the defenders of computer networks and systemsBelow you shall find practical security guides, written to help you secure your networks and systemsand longer articles covering the theory of Cyber Defense (i.eCybersecurity Frameworks).
-{{ :wiki:nist-csf.png?direct&200| NIST Cybersecurity Framework}} +
-As defenders we need to wear multiple hats at all times. The [[https://www.nist.gov/cyberframework|NIST Cybersecurity Framework]] defines these hats in 5 core functions: [[btkb:start#identify|Identify]], [[btkb:start#protect|Protect]], [[btkb:start#detect|Detect]], [[btkb:start#respond|Respond]], and [[btkb:start#recover|Recover]]. +
- +
-Here is a 4:34 min video for an overview of the NIST CSF: +
-{{youtube>J9ToNuwmyF0}} +
- +
- +
-\\ If you don't like to orient yourself with the help of a frameworkhere are some links to other explanations of the defender's role: +
-  * [[https://cybersecurityguide.org/resources/cyber-defense/|Introduction to Cyber Defense (cybersecurityguide.org)]] +
-  * [[https://www.microsoft.com/security/blog/2020/08/06/organize-security-team-evolution-cybersecurity-roles-responsibilities/|How to organize your security team: The evolution of cybersecurity roles and responsibilities (microsoft.com)]] +
-  * [[https://www.gartner.com/smarterwithgartner/build-adaptive-security-architecture-into-your-organization/|Build an adaptive security architecture into your organization (gartner.com)]] +
- +
-\\ Although you will never actually work in the below workflow, it makes sense from a theoretical perspective and lets us put everything into buckets :-) +
- +
-{{:wiki:nistcsfflow.png?nolink&800|}} +
  
 ---- ----
  
-===== Identify =====+===== Practical Guides =====
  
-> // In a Nutshell: Know what you need to protect! //+==== Desktop Security ====
  
-To be able to protect your networks, systems, and identities, you need to know them. And while that is easy in a small business or home network, it becomes a huge task in an enterprise network. Depending on the size of the network(s) you are supposed to protect, you will need a spreadsheet, or a fully fledged asset management toolBut before we go down that path, let's talk about the why - Here are some reasons for why you need to know your assets: +=== General Guidelines for Desktops === 
-  * Computers are connected through networks in our daysIn addition IT departments are always busy and under-resourced, so they don'secure all computers as if those would be exposed directly to the Internet. Therefore, computers on your internal networks are usually able to talk freely with each other, which allows adversary to quickly move laterally from the first compromised computer on your internal network+  * Use an OS that is still supported by the vendor and receives security updates regularly
-  * Most likely you are not responsible for the configuration and maintenance of all computers on your internal networks. Therefore, you do not know what state all the computers are in and whether they have any vulnerabilities (software bugs, weak configurations), so you can address those when you put on your **Protect** function hat+  * Install security updates at least monthly. 
-  * Without knowing all your assets you will not be able to implement detection mechanisms that make you aware of potential or real compromises, which will lead to unwanted surprises for the organization+  * Use a reasonably [[btkb:browsers|secure browser]]. 
-  * Without knowing all your networks and assetsit will be very hard to respond to incidents and contain/eradicate threats on your networks and systems.+  * Enable the [[btkb:hostfirewall|host firewall]] that comes with the OS
 +  * Install an [[btkb:antivirus|Antivirus]] Program
 +  * Don't use the computer with administrative privileges
 +  * If the device is mobile (laptops)[[btkb:fulldiskencryption|encrypt the hard drive]].
  
-\\ There are 3 disciplines in the **Identify** function: +=== Security Guides for Desktop OS === 
-  - **[[btkb::networkmgmt|Network Management]]**: Provides the knowledge about what networks you have and how they are connected or segmented. This knowledge is strategically important because it allows you to place network firewalls between the asset that you would like to protect and the adversary (who most often connects through the Internet). +  * [[btkb:linux-desktop|Securing Linux Desktop]] 
-  - **[[btkb::assetmgmt|System/Asset Management]]**: Provides the knowledge about all the computers you have. What are their hostnames, IP addresses, operating systems, etc. +  * [[btkb:mac-os|Securing Macs]] 
-  - **[[btkb::vulnmgmt|Vulnerability Management]]**: Provides the knowledge about vulnerabilities that might be present on your systems/assets.+  * [[btkb:windows-desktop|Securing Windows Desktop]]
  
-\\ === Relevant Wikipedia Articles === +=== Advanced Desktop Security === 
-  * [[wp>Vulnerability_management|Vulnerability Management]] +  * [[btkb:edr|Endpoint Detection & Response]] 
-  * [[wp>Data_center_management#Data_center_asset_management|Data Center Asset Management]]\\+  * [[btkb:desktopprivileges|Privilege Management]]
  
 ---- ----
  
-===== Protect =====+==== Server Security ====
  
-> // In a NutshellMinimize Attack Surface! //+=== General Guidelines for Servers === 
 +  * Use an OS that is still supported by the vendor and receives security updates regularly. 
 +  * Only install software that is actually needed for the specific role of the server. 
 +  * Patch all software on the server at least monthly. 
 +  * Enable the [[btkb:hostfirewall|host firewall]] that comes with the server's OS. 
 +  * Change all default password to complex and long passwords.
  
-Protection should be applied to Networks, Systems, and Identities. +=== Security Guides for specific Servers === 
- +  * [[btkb:linux-server|Securing Linux Servers]] 
-==== Network Protections ==== +  * [[btkb:windows-server|Securing Windows Servers]]
-In the network layer of IT infrastructures the following protective technologies are available: +
-  * [[btkb:networkfirewalls|Network Firewalls]] +
-  * [[btkb:ips|Intrusion Prevention Systems]] +
-  * [[btkb:dnsfilter|DNS Filters]] +
-  * [[btkb:waf|Web Application Firewalls]] +
- +
-\\ === Relevant Wikipedia Articles === +
-  * [[wp>Firewall_(computing)|Firewall]] +
-  * [[wp>Intrusion_detection_system#Intrusion_prevention|Intrusion Prevention System]] +
-  * [[wp>DNS_sinkhole|DNS Sinkhole]] +
-  * [[wp>Application_firewall|Application Firewall]] +
- +
-==== System Protections ==== +
-Systems can be protected in Active and Passive ways. Active Protections include things like Anti-Virus solutions. Passive Protections are usually based on System Hardening practices. Here are some system protection techniques: +
-  * [[btkn:backup|Autonomous automated Backups]]  (If they aren't automated it's just a snapshot, not a backup.) +
-  * [[btkb:av|Anti-Virus]] +
-  * [[btkb:nextgenav|Next Generation Anti-Virus]] +
-  * [[btkb:edr|Endpoint Detection and Response]] +
-  * [[btkb:hostfirewall|Host Firewalls]] +
-  * [[btkb:System Hardening]] +
- +
-==== Identity Protections ==== +
-Identities are user accounts in your central user directory (i.e. Active Directory) or local user accounts on your systems. User accounts can be normal user accounts or privileged user accounts. Privileged user accounts should be protected better because they often have wide-reaching permissions on many systems. Within the realm of IDentity Protection there are two main topics that are worth building programs around: +
-  * [[btkb:iam|Identity & Access Management (IAM)]] +
-  * [[btkb:pam|Privileged Access Management (PAM)]]+
  
 ---- ----
  
-===== Detect ===== +===== Theory of Cyber Defense ===== 
- +  * [[btkb:nistcsf:start|NIST Cyber Security Framework (NIST-CSF)]]
-> // In a Nutshell: Be the first to know that something malicious is happening in your environment! // +
- +
-There is this old quote: There are only two types of companies: The ones that have been hacked and the ones that don't know that they have been hacked. (However, now in 2021 literally everyone has been hacked.) +
- +
-Detection of suspicious and malicious activity on your networks & systems and with your identities & data will give you the opportunity to do something about it before it results in huge headaches. The two biggest technology areas within detection are network security monitoring (capture network traffic and analyze it) and security log monitoring (collect all security logs and analyze them).  +
- +
-==== Network Security Monitoring ==== +
-With the arrival of broad encryption of network traffic this discipline has changed dramatically in the last couple of years. Due to the applied cryptography to most network connections it becomes increasingly harder to analyze the payload of network packets. For this reason this technology field is currently changing towards analyzing the meta data of network traffic. Meta data of network traffic includes what types of connections have been made between which systems and how much data was exchanged. +
-   +
-=== Network Security Monitoring Tools === +
-  * [[https://snort.org|Snort]] (OSS) +
-  * [[https://suricata-ids.org|Suricata]] (OSS) +
-  * [[https://rocknsm.io|Response Operation Collection Kit]] (OSS) +
-  * [[https://github.com/Security-Onion-Solutions/securityonion|Security Onion]] (OSS + ProfSvc) +
-  * [[https://www.ibm.com/products/real-time-threat-identification|IBM QRadar Network Insights]] +
- +
-=== Relevant Wikipedia Pages === +
-  * [[wp> Intrusion_detection_system]] +
-  * … +
- +
-==== Security Log Monitoring ==== +
-The Security Log Monitoring field splits into three disciplines - The production of Logs, the Collection of Logs, and the Analysis of Logs. +
- +
-=== Producing Security Logs === +
-There are many different types of security logs - Here are some examples: +
-  * EDR Logs +
-  * Anti-Virus Logs +
-  * OS Security Logs +
-  * Authentication Logs +
-  * Firewall Logs +
- +
-In most cases the default settings of the Log Sources are insufficient, so they need to be configured in some way to be useful and strike the right balance of eating up system performance and providing relevant signal to the cybersecurity team. +
- +
-=== Collecting Security Logs === +
-The collection of security logs is usually done with a Security Incident & Event Monitoring (SIEMtool. SIEMs need a lot of storage for storing all the collected logs. Log Retention is what you use to define how much log data you keep around for how long, which will help you limiting costs. Most setups use a retention period between 30 days and 1y, with 90 days being the most practical. +
- +
-== SIEM tools == +
-  * [[https://github.com/mozilla/MozDef|MozDef]] (OSS) +
-  * [[https://wazuh.com|Wazuh]] (OSS) +
-  * [[https://www.elastic.co/what-is/elk-stack|ELK Stack]] (OSS) +
-  * [[https://cybersecurity.att.com/products/ossim|Alienvault OSSIM]] +
-  * [[https://www.ibm.com/products/qradar-siem|IBM QRadar]] +
-  * [[https://www.splunk.com|Splunk]] +
-  * [[https://www.exabeam.com|Exabeam]] +
-  * [[https://www.netwitness.com|RSA NetWitness]] +
- +
-=== Analyzing Security Logs === +
-Once Logs are being collected, the events within the logs need to be analyzed. Due to volume this task cannot really be done manually, technology is needed. There are two different types of Log Analyzers: +
-  * Static Alert Rules - Create an alert when certain events or groups of events show up in the logs. +
-  * ML model based Alert Rules - Machine Learning models detect abnormal behavior. +
- +
-Static Alert Rules are traditionally a feature of SIEMs. Machine Learning models are the core function of UEBAs (User & Entity Behavior Analytics). The process adapting Alert Rules to your IT environment is called [[btkb:detections|Writing Detections]].+
  
 ---- ----
  
-===== Respond ===== +~~DISCUSSION~~
- +
-> // In a Nutshell: Kick em out! // +
- +
----- +
- +
-===== Recover ===== +
- +
-> // In a Nutshell: Rebuild what has been brought down and learn from what happened! // +
- +
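Review bot: the rewritten Server Security guidelines drop backups entirely, while the removed Protect section listed `[[btkn:backup|Autonomous automated Backups]]` as its first system protection and nothing on the new page links a backup guide any more; suggest adding a line such as `* Keep autonomous, automated and tested backups of the server (see [[btkb:backup|Backups]]).` to that list, using the `btkb` namespace, since the old link's `btkn` prefix matches no other link on the page. The same server list should also carry the administrative-privilege rule the Desktop guidelines give (`Don't use the computer with administrative privileges`), as least privilege matters at least as much on servers. Finally, the removed Identify, Detect, Respond and Recover sections held the only references to asset management (`btkb::assetmgmt`), vulnerability management (`btkb::vulnmgmt`), log retention and `[[btkb:detections|Writing Detections]]`, and the new Theory of Cyber Defense section replaces all of that with a single `[[btkb:nistcsf:start|NIST Cyber Security Framework (NIST-CSF)]]` link; confirm that page carries the moved content, or keep those links under Theory of Cyber Defense so they stay reachable.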